Securing Cloud PCs and Azure Virtual Desktop - Dominiek Verham - E-Book

Securing Cloud PCs and Azure Virtual Desktop E-Book

Dominiek Verham

Description

Do you want to effectively implement and maintain secure virtualized systems? This book will give you a comprehensive understanding of Microsoft virtual endpoints, from the fundamentals of Windows 365 and Azure Virtual Desktop to advanced security measures, enabling you to secure, manage, and optimize virtualized environments in line with contemporary cybersecurity challenges.
You’ll start with an introduction to Microsoft technologies, gaining a foundational understanding of their capabilities. Next, you’ll delve into the importance of endpoint security, addressing the challenges faced by companies in safeguarding their digital perimeters. This book serves as a practical guide to securing virtual endpoints, covering topics such as network access, data leakage prevention, update management, threat detection, and access control configuration. As you progress, the book offers insights into the nuanced security measures required for Windows 365, Azure Virtual Desktop, and the broader Microsoft Azure infrastructure. The book concludes with real-world use cases, providing practical scenarios for deploying Windows 365 and Azure Virtual Desktop.
By the end of this book, you’ll be equipped with practical skills for implementing and evaluating robust endpoint security strategies.

The e-book can be read in the Legimi apps or in any app that supports one of the following formats:

EPUB
MOBI

Page count: 316

Year of publication: 2024

Securing Cloud PCs and Azure Virtual Desktop

Start implementing and optimizing security for Windows 365 and AVD infrastructure

Dominiek Verham

Johan Vanneuville

Securing Cloud PCs and Azure Virtual Desktop

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwini C

Senior Editor: Roshan Ravi Kumar

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Proofreader: Roshan Ravi Kumar

Indexer: Hemangini Bari

Production Designer: Shankar Kalbhor and Aparna Bhagat

Senior DevRel Marketing Executive: Marylou De Mello

First published: June 2024

Production reference: 1310524

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK

ISBN 978-1-83546-025-2

www.packtpub.com

I would like to thank my wife, Myrna, and my beautiful daughter, Mila, for allowing me to pursue my passion for writing this book and my various community efforts. It was a lot of fun writing this book, even though it took a lot of work and dedication. I truly hope that you will have a lot of fun reading it and that it will help you in any way possible!

– Dominiek Verham

A special thanks to my two kids, Mats and Paulien, for their support in this journey. Writing a book requires a lot of dedication and hard work but I loved every step of the way. I hope you will enjoy reading this book and that it will help you.

– Johan Vanneuville

Foreword 1

Let’s begin with a brief history lesson. In 1975, Microsoft had a vision of there being “a computer on every desk and in every home.” At the time, this seemed like an impossible feat, but now we know better. Windows has evolved over time, and since the 90s, its operating systems have been accessible remotely. In 1994, Microsoft introduced the Remote Desktop Protocol (RDP 4.0) in Windows NT4, revolutionizing the way IT administrators managed servers remotely. This allowed us to connect to server operating systems without physically being in front of them. A year later, Windows NT introduced the UI that gave us the start menu and taskbar in Windows 95, which still facilitates billions of users today.

Windows virtualization continued to evolve with the introduction of Remote Desktop Services (RDS). However, this still required a control plane that included a web server, gateway, and broker, along with the session host for user sessions. This model continued until the launch of Microsoft Azure in 2012, which brought new opportunities such as hosting RDS on Azure via Infrastructure as a Service (IaaS).

This led to the control plane becoming a cloud-based service, called Windows Virtual Desktop (now Azure Virtual Desktop), as well as the acquisition of FSLogix in 2018, the same year I joined Microsoft. As the virtualization and cloud industry evolved, virtualization-specific skills became standard in every business. As applications shifted to Software-as-a-Service models, becoming easier to buy as a subscription model, easy to maintain, and scalable, cloud virtualization lagged in simplicity. Virtualization needed something completely turnkey, like the transition from Office to Office 365.

Thus, Windows 365 was created as a new vision for the future of Windows, a cloud service with Cloud PC as the endpoint managed by Microsoft—a new revolution. The release of Windows 365 and Azure Virtual Desktop was key, positioning us as a leader in virtualization, recognized by Gartner in 2023’s Magic Quadrant for Desktop-as-a-Service—just 4.5 years with Azure Virtual Desktop and 2.5 years with Windows 365 (at the time of writing).

Windows 365 sparked a computing revolution, moving PCs to the cloud while maintaining “like-local” experiences, manageable via Microsoft Intune without needing specialized skills. This principle guides Windows 365’s latest end user experience features, such as Boot and Switch, allowing anyone familiar with Windows to log on effortlessly, unlike traditional VDI, which often requires manuals and assistance.

I also want to welcome everyone into the new era of AI. Returning to Microsoft’s early vision of “a computer on every desk…,” the innovation around Client + Cloud + AI will continue to revolutionize our Windows experiences. End users and IT pros will leverage new tools that accelerate their productivity and creativity.

With Microsoft Copilot joining Windows, the cloud and AI will come together. We are entering a new era where the cloud and client converge, and hardware will no longer be the boundary for end users that determines their experience—offering endless possibilities in the next generation of AI PCs and cloud computing. Enjoy the ride, as we are just getting started. This book will give you superpowers for this exciting journey. Dominiek and Johan have done an excellent job of demystifying Azure Virtual Desktop and Windows 365, with a focus on security. This book will support anyone’s Windows in the cloud journey.

By Christiaan Brinkhoff, Principal Product Manager and Community Director, Windows 365 and Azure Virtual Desktop

Foreword 2

Virtualization solutions in today’s market offer a rich set of options and tools for savvy admins to deploy complex environments for their end-users. These admins invest in staying up-to-date with the evolving virtualization landscape and the various compute and storage solutions that host end-user workloads. Admins have numerous options for on-premises and cloud-based virtualization infrastructure to manage hybrid workloads. They can choose where to host these workloads, whether with one of the ever-growing list of public cloud providers or on the long list of server-class on-premises hardware. Once the infrastructure and hardware are defined, admins must navigate through myriad operating systems, app virtualization, user profile technologies, and other virtualization software solutions. They also need to manage hypervisors, user density, security, high availability, disaster recovery, and all other requirements for a robust virtualization solution. There are thousands of knobs and dials with thousands of settings, creating millions of possible configurations.

I equate the challenge a virtualization admin faces in defining, deploying, and managing a virtualization environment to the challenge a pilot faces while learning to fly a commercial airliner. All the knobs, dials, and switches allow a pilot to effectively fly a 350,000-pound tube through the sky at 500 knots. Even though there are approximately 300,000 commercial pilots in the world today who have been certified to take on this complex task, there are far more passengers who have found their way onto a plane to get from point A to point B.

So, what does flying a plane have to do with virtualization?

Some customers want full control of the virtualization environment to reduce costs or fine-tune the experience to meet their specific needs. Traditional VDI admins have developed the equivalent skills of flying a commercial airplane, building a VDI environment that is cost-effective and provides an optimal user experience. There has been a steadily growing adoption of traditional VDI, but overall penetration in the commercial market is still relatively small due to the complexity and perceived costs.

A new era of computing is upon us – the era of the Cloud PC introduced in 2021 with the announcement of Windows 365™. Windows 365 provides a purchase and management solution on par with traditional end-user computing (EUC) tools and workflows, without requiring admins to have any VDI knowledge or experience. For end-users, a Cloud PC is a Personal Computer in the Cloud, offering an experience more consistent with a traditional computing model. For admins and users, the Cloud PC provides a ticket to ride to a modern computing paradigm delivered from the cloud.

Through Dominiek and Johan’s book, you can experience this journey and equip yourself with the tools and confidence to tackle the most pressing virtualization challenges.

This book serves as your essential guide to effectively implementing and maintaining secure virtualized systems. It provides a comprehensive understanding of Microsoft virtual endpoints, covering everything from the fundamentals of Windows 365 and Azure Virtual Desktop to advanced security measures. You will learn how to adeptly secure, manage, and optimize virtualized environments in line with contemporary cybersecurity challenges.

In addition to covering the essential aspects of virtualization security, this book emphasizes the importance of staying ahead in the rapidly evolving tech landscape. As virtual environments become more complex and integral to business operations, the ability to anticipate and mitigate potential security threats is crucial. This book not only provides the technical knowledge needed but also encourages a proactive mindset towards continuous learning and adaptation.

Moreover, the book highlights best practices for integrating virtualized systems within existing IT frameworks, ensuring seamless interoperability and minimal disruption to business processes. It also addresses compliance with industry standards and regulations, offering strategies to meet these requirements without compromising on security or efficiency.

I hope you enjoy reading this book, and I wish you all the best in the new era of computing.

By Scott Manchester, VP of Product, Windows 365 and Azure Virtual Desktop

Contributors

About the authors

Dominiek Verham lives in the Netherlands. He has over 20 years of experience in IT, working in all kinds of technical roles focused on Microsoft products. Nowadays, he works primarily with Microsoft cloud products, such as Windows 365, Microsoft Intune, AVD, and related products, such as Nerdio. He is passionate about sharing his knowledge and personal experiences with the community via his personal blog, various presentations, and communities such as the Windows 365 community and the Cloud Experts Community. Dominiek has been a Microsoft MVP for Windows 365 as well as a Nerdio NVP since 2022.

Johan Vanneuville lives in Belgium together with his two children. He started in IT on a helpdesk and since then has taken multiple technical roles focusing on Azure and Azure Virtual Desktop and Nerdio. He loves to share his knowledge with the community on his personal blog and with the AVD community but also as a Microsoft Certified Trainer. Johan currently also holds the prestigious Microsoft MVP award for his contributions to the AVD community since 2022. Alongside that, he also is a Nerdio NVP.

About the reviewers

As a Microsoft MVP, Micha Wets enjoys talking about all Azure and Azure Virtual Desktop (AVD) topics and has spoken at Microsoft conferences, international (user group) events, and Microsoft-hosted webinars and workshops. He has over 15 years of experience as an Azure and DevOps engineer and has in-depth knowledge of private, hybrid, and public clouds. Today, Micha mainly focuses on Azure, DevOps, Windows 365, and AVD environments and is particularly knowledgeable about migrating those environments to Azure. Micha is a freelance Azure architect and works with Microsoft on Azure, Windows 365, and AVD.

Wim Matthyssen, based in Belgium, is a Microsoft Azure MVP with over 15 years of expertise in Microsoft technology. He specializes in guiding companies through their transition to the cloud and leveraging various Microsoft hybrid cloud services.

Alongside his role as an Azure technical advisor and trainer, Wim is deeply passionate about community work. He shares his knowledge and experiences through blogs and speaking engagements, actively contributing to the community. Additionally, he serves as a board member of the MC2MC user group, further highlighting his commitment to community engagement.

I want to express my sincere gratitude to my wife and son for their unwavering support, which allows me to dedicate a significant amount of our personal time to community activities. Additionally, I extend my heartfelt thanks to Johan Vanneuville and Dominiek Verham, the authors of this book, for giving me the opportunity to review their work. It has been an incredible honor and a truly enriching experience.

Sune Thomsen is a Windows 365 MVP based in Denmark with over 19 years of experience in the IT industry. He has spent at least a decade specializing in client management via Microsoft Configuration Manager and Intune, and he’s currently helping enterprise customers with their cloud journey. Sune works as a consultant for a consulting company called Mindcore. Prior to joining Mindcore, Sune gained 10 years of experience in the engineering industry, managing and deploying various Microsoft solutions and projects. He’s passionate about community work. Besides blogging and speaking at tech events, he’s also an official contributor within the Windows 365 community and the Modern Endpoint Management LinkedIn group.

First, I’d like to thank Dominiek and Johan for giving me the opportunity to review the book. It has been a great honor and an educational journey to be part of! Last but not least, I want to take a moment to express my deepest gratitude to my lovely family (Annie, Carl, and Lucas). Your support and understanding have allowed me to dedicate significant time to the community. I am truly blessed to have you by my side. With all my love, Sune.

Jitesh Kumar is based in India, and he’s a Windows 365 (Windows and Devices for IT) and Microsoft Intune MVP with over 8 years of IT experience. He focuses mainly on Microsoft device management technologies, and managing devices via Microsoft Configuration Manager and Microsoft Intune, and he loves to help customers and community members with their cloud journey.

He actively contributes to the tech community by writing articles that explain concepts and provide insights into Microsoft technology, and by writing step-by-step guides. Being a tech enthusiast, he loves to keep tabs on new trends and advancements in the digital workplace tech space.

I’d like to thank my family, friends, and beloved community members who understand the time and commitment it takes to help grow the community. Working in tech would not be possible without the supportive tech community that has developed over the last several years. Reviewing this book has been a tremendous honor and an exciting opportunity for learning. Thank you, Dominiek and Johan, for the opportunity.

Table of Contents

Preface

Part 1: An Introduction to Microsoft Virtual Desktops

1

Introducing Windows 365 and Azure Virtual Desktop

Advantages of using a virtual desktop

Introducing Windows 365

Features of Windows 365

Windows 365 editions

Introducing Azure Virtual Desktop

Licensing Windows 365 and Azure Virtual Desktop

Licensing Windows 365

Licensing Azure Virtual Desktop

Introducing Windows App

Summary

Part 2: Why Is Endpoint Security Important?

2

Importance of Securing Your Desktops

A desktop at the heart of a user’s workspace

Multiple users on a single desktop

What happens when a physical desktop is lost or stolen?

What can IT admins do to prevent data leakage?

What about the Remote lock device action?

Summary

3

Modern Security Risks

What are bad actors?

Types of cyberattacks

Phishing attack

Ransomware

Distributed denial of service

Man in the middle attacks

SQL injections

Cross-site scripting

Zero-day exploits

Social engineering attacks

Recovering from a cyberattack

A cyber incident response plan

Virtual desktops to the rescue

Summary

Part 3: Security Controls for W365 and AVD

4

Securing User Sessions

CA and MFA

Security defaults

Per-user MFA

CA policy

Configuring RDP device and resource redirections for Windows 365

Device and resource redirections with Intune

Device and resource redirections with group policy

Configuring RDP properties for Azure Virtual Desktop

Drive and storage redirection

Clipboard redirection

COM port redirection

Printer redirection

Smartcard redirection

USB device redirection

RDP session limit timeouts

Summary

5

Preventing Data Leakage from Desktops

Preventing screen captures

Enabling screen capture protection for Windows 365

Enabling screen capture protection for Azure Virtual Desktop

Introducing and configuring watermarking

Enabling watermarking for Windows 365

Resolving information in QR codes

Enabling watermarking for Azure Virtual Desktop

Configuring screen locks

Dynamic locking

Screen savers

Smart cards

Session time limits

Summary

6

Update Management Strategies

Windows Update for Business

Windows Autopatch

Licensing Windows Autopatch

Enrolling into Windows Autopatch

Registering devices to Windows Autopatch

Release management in Windows Autopatch

Autopatch groups

Managing the Windows Autopatch service

Managing updates using custom image templates

Introducing custom image templates

Preparing for custom image templates

Creating a custom image template

Using custom image templates as part of the update strategy

Manually creating custom images

The prerequisites to creating a custom image

Creating a custom image for Windows 365

Creating a custom image for Azure Virtual Desktop

Summary

7

Threat Detection and Prevention

Microsoft Defender for Endpoint

Requirements for Microsoft Defender for Endpoint

Enrolling Windows 365 Cloud PCs into Microsoft Defender for Endpoint

Using a security baseline as a starting point

Enrolling an Azure Virtual Desktop session host into Microsoft Defender for Endpoint

Introducing tamper protection

Enabling tamper protection

Verifying the tamper protection status

Tamper-protected settings

Encrypting data on the virtual desktop

Encryption for Windows 365 Cloud PCs

Encryption for Azure Virtual Desktop session hosts

Summary

8

Configuring Access Control

Configuring Role-Based Access Control (RBAC)

RBAC for AVD

Management group RBAC assignment

Subscription RBAC assignment

Resource group RBAC assignment

RBAC for Windows 365

Azure Bastion

Azure Bastion custom role

Using Azure Bastion

Configuring JIT

Microsoft Privileged Identity Management

Windows Local Administrator Password Solution (LAPS)

Windows LAPS Azure Virtual Desktop

Windows LAPS for Cloud PCs

Summary

Part 4: Additional Security Controls per Solution

9

Securing Windows 365

Introducing the Windows 365 advanced deployment guide

Deployment options

Pre-deployment options

Security guidelines for Windows 365

Local admin rights

Endpoint Privilege Management

Creating an elevation settings policy

Creating an elevation rules policy

Acquiring the file hash

Creating and exporting Cloud PC restore points

Creating a restore point

Exporting a restore point

Placing a Cloud PC under review

Tips and tricks

Tip 1 – Use Windows 365 Boot with multiple Cloud PCs

Tip 2 – Make sure that users always have to sign in to the Cloud PC

Summary

10

Securing Azure Virtual Desktop

Configuring backups

Creating a Recovery Services vault

Backup policy session hosts

Restoring session hosts

Backup policy for FSLogix

Restoring an FSLogix profile

Securing AVD with private endpoints

Host pool private endpoints

Workspace private endpoints

Trusted launch and confidential computing

Trusted launch

Confidential computing

Configuring AppLocker

Securing OneDrive

Securing OneDrive with a GPO

Securing OneDrive with Intune

Active Directory structure and security

Separated OU

Separated GPO for each environment

Dedicated service account to domain join

Summary

11

Securing Azure Infrastructure

Configure storage security

RBAC roles on the storage account

Applying the correct NTFS permissions

Configuring private access using a private endpoint

Configuring NSGs

Configure network security with Azure Firewall

Using IP groups in firewall policies

Configure network security with NSGs

Deploying AVD on dedicated hosts

Configuring Defender for Cloud

Deploying an Azure VPN gateway

Summary

Part 5: Use Cases

12

Windows 365 Use Cases

When to use Windows 365 as your personal desktop

Windows 365 as a replacement for on-premise VDI

Why is Windows 365 a good alternative to an on-premise VDI?

Windows 365 for contractors

Why is Windows 365 a good solution to provide a secure desktop for contractors?

Using Windows 365 as a privileged access workstation

Why is Windows 365 a good solution as a PAW?

How Windows 365 Boot helps to secure an endpoint

Why is using Windows 365 Boot a good way to secure a local desktop?

Enhancing security by restricting access to Office 365 services to Cloud PCs

The scenario of restricting Office 365 access to Cloud PCs

How to restrict Office 365 access to Cloud PCs

Windows 365 Frontline versus Windows 365 Enterprise

Why should companies prefer Frontline Cloud PCs?

How to license for Windows 365 Frontline

Summary

13

Azure Virtual Desktop Use Cases

AVD for external users using Bring Your Own Device (BYOD)

Using remote apps instead of desktops

AVD as a disaster recovery solution

AVD for a break/fix scenario

Running AVD on Azure Stack HCI

Summary

Index

Other Books You May Enjoy

Preface

Windows 365 and Azure Virtual Desktop are Microsoft cloud solutions that allow companies to use virtual desktops. There are key differences between both solutions. This book will provide a short introduction to the worlds of Windows 365 and Azure Virtual Desktop and it will discuss various use cases.

But the real journey this book will take you on is about securing virtual desktops, no matter whether they are deployed using Windows 365 or Azure Virtual Desktop. Our goal is to give you a better understanding of what security controls can be used to secure Windows 365, Azure Virtual Desktop, and Azure infrastructure for both existing and new environments.

We hope that you will enjoy this book!

Who this book is for

This book is for IT decision-makers, IT consultants and engineers, security professionals, and students who want to learn more about security implications for desktops and the security controls that can be used to prevent cyberattacks or data leakage.

We will cover many topics. Some are introductory and other topics will go in depth. Some working knowledge about Windows 365, Azure Virtual Desktop, and Azure infrastructure will help to understand these chapters.

What this book covers

Chapter 1, Introducing Windows 365 and Azure Virtual Desktop, provides an introduction to the worlds of Windows 365 and Azure Virtual Desktop (AVD). It will cover the Windows 365-only features and editions. Licensing for Windows 365 works differently compared to AVD. Want to learn more? This chapter has got you covered! As an added bonus, we included the new Windows app as well!

Chapter 2, Importance of Securing Your Desktop, explains why securing a desktop is a very important task. The desktop tends to be the heart of the workspace. It’s used to access company data and, while doing so, data can be stored on that desktop. What kind of consequences are there if something were to happen to that data? Even worse, what happens when desktops are lost or stolen? What controls do you, as an admin or company, have?

Chapter 3, Modern Security Risks, takes you on a journey to learn about bad actors and cyberattacks. What kind of cyberattacks are there and how do they relate to the desktop? How can a company recover from a cyberattack? How can virtual desktops help in the recovery process?

Chapter 4, Securing User Sessions, describes various security controls that can be used to protect access to the virtual desktop.

Chapter 5, Preventing Data Leakage from Desktops, introduces you to security controls to prevent data leakage from the desktop. We’ll look at screen capture protection along with watermarking and how various screen locking options help to provide a secure environment.

Chapter 6, Update Management Strategies, discusses various strategies to keep your desktops up to date. Learn more about Windows Update for Business and the extra benefit of using Windows Autopatch. Did you know that you can build a template for AVD with customizations and let Azure Image Builder do the actual building of the image? Or perhaps you want to learn more about creating your own custom image manually? This chapter has got you covered on all of these solutions!

Chapter 7, Threat Detection and Prevention, covers how to use Microsoft Defender for Endpoint to protect your Cloud PCs and desktops in AVD against malware. But how do you make sure that all required components are running? Learn how tamper protection does exactly that! BitLocker is commonly used to encrypt the local drive of a desktop. But did you know that Cloud PCs do not support BitLocker? Learn more about the encryption of Cloud PCs and AVD in this chapter.

Chapter 8, Configuring Access Control, explores the world of role-based access control. It covers other access control solutions such as Azure Bastion, just-in-time virtual machine access, Microsoft Entra Privileged Identity Management, and the new Windows LAPS for Windows 365 and AVD.

Chapter 9, Securing Windows 365, covers specific security controls for Windows 365. Did you know that Microsoft has an advanced deployment guide to help you get started the right way? Or security guidelines, specifically for Windows 365? We will extensively cover Endpoint Privilege Management, a technique to run privileged actions with a standard user account. We will also learn how to create and export a Cloud PC restore point. We will end this chapter with some tips and tricks from the field.

Chapter 10, Securing Azure Virtual Desktop, covers specific security controls for AVD. We will learn about backups and securing your AVD environment with private endpoints, and how to use confidential computing or restrict apps that can be executed using AppLocker. Active Directory Domain Services (AD DS) is an important part of managing AVD, so we will learn more about the AD DS structure and security in this chapter.

Chapter 11, Securing Azure Infrastructure, takes you on a journey to secure the infrastructure that is needed for AVD. We will talk about storage, and network security with Azure Firewall, NSGs, and Azure VPN Gateway. We will also learn more about deploying AVD on dedicated hosts and how to configure Defender for Cloud for an AVD subscription.

Chapter 12, Windows 365 Use Cases, gives examples of when to implement Windows 365 for your company. These use cases can help if you have already implemented Windows 365 or if you are looking at a new solution to deploy desktops. Are you thinking about replacing an existing VDI infrastructure or using Windows 365 for contractors? Or what about using a Cloud PC as a privileged access workstation? Learn all about these topics in this chapter.

Chapter 13, Azure Virtual Desktop Use Cases, gives you examples of when to implement AVD for your company.

To get the most out of this book

To get the most out of this book, we recommend having a base-level understanding of the following technologies:

Windows 365
Microsoft Intune
Entra ID
Active Directory Domain Services
Azure Virtual Desktop
Azure infrastructure

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Type azure virtual desktop in the search bar or search for the 9cdead84-a844-4324-93f2-b2e6bb768d07 app ID”

A block of code is set as follows:

{
    "properties": {
        "roleName": "Custom - AzureImageBuilder",
        "description": "Permissions for Azure Image Builder",
        "assignableScopes": [
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-MVP-AIB"
        ],
        . . .

Any command-line input or output is written as follows:

New-AzUserAssignedIdentity -ResourceGroupName <RESOURCEGROUP> -Name <USER ASSIGNED IDENTITY NAME> -Location <LOCATION>

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “IT admins can use a device action called Locate device.”

Tips or important notes

Appears like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Securing Cloud PCs and Azure Virtual Desktop, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781835460252

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1: An Introduction to Microsoft Virtual Desktops

This part of the book provides an introduction to Windows 365 and Azure Virtual Desktop solutions by Microsoft. While both solutions provide the ability to deploy large numbers of virtual desktops, they are different solutions with their own unique advantages, which are highlighted in key topics, such as Windows 365-only features, the editions of Windows 365, and how to license Windows 365 or Azure Virtual Desktop. By the end of this part, you will have gained a comprehensive understanding of Windows 365 and Azure Virtual Desktop and their features.

This part contains the following chapter:

Chapter 1, Introducing Windows 365 and Azure Virtual Desktop

1

Introducing Windows 365 and Azure Virtual Desktop

We would like to welcome you to our book, Securing Cloud PCs and Azure Virtual Desktop! Thank you for joining us on a journey that takes us through many security-related topics about Microsoft virtual desktops. We hope you find the book informative and use it as a source of knowledge for your own journey, no matter whether it be for business or personal growth.

The workplace of the user has evolved a lot over the last few decades. It all started with physical desktops and laptops, and it changed into server-based computing. Nowadays we see physical desktops being used and managed in a modern way. But the evolution continues as Windows 365 and Azure Virtual Desktop bring even more features and use cases. With all these great modern options on offer, we hope to be your guide in securing these solutions.

In this chapter, we will take you on a journey into the world of Microsoft-based desktops. We will learn about the advantages that virtual desktops have compared to physical desktops, and we will guide you to choose the correct solution to securely deploy virtual desktops via Windows 365 and Azure Virtual Desktop.

This chapter covers the following topics:

Advantages of using a virtual desktop

Introducing Windows 365

Windows 365 editions

Introducing Azure Virtual Desktop

Licensing Windows 365 and Azure Virtual Desktop

Bonus – introducing the Windows app

Advantages of using a virtual desktop

Desktops are an important part of your IT infrastructure. Companies can choose to use virtual desktops, physical desktops, or a combination of both. Each approach has its own strengths and drawbacks. Here are some advantages of using a virtual desktop compared to a physical desktop:

Flexibility and scalability: Virtual desktops can easily be provisioned or de-provisioned, meaning that the number of desktops can be scaled up or down depending on the needs of the organization. Distributing a virtual desktop to an end user is a fast process since a virtual desktop can be accessed remotely.

Scaling up using physical desktops often involves buying additional hardware or implementing a strategy to keep stock of certain hardware. This hardware needs to be configured before handing over the desktop to the user, which can take up more time.

Resource utilization: Virtual desktops can run together on a physical machine, which allows for better resource utilization. Companies that use Azure Virtual Desktop have to plan for and maintain the underlying compute resources themselves, since Azure Virtual Desktop is a Platform-as-a-Service offering. Windows 365 simplifies this process by providing an isolated VM with a fixed number of vCPUs, RAM, and disk on a per-user/per-month license. IT admins can easily upgrade or downgrade the license by assigning a different SKU.

Physical desktops are often dedicated to one user or used as a shared desktop by a group of users.

Isolation and security: Virtualization solutions isolate workloads from each other. Each physical host machine can run multiple virtual machines, and the hypervisor prevents those virtual machines from interacting directly with each other. So if one virtual machine becomes compromised or crashes, it will most likely not impact the other virtual machines on the host.

Physical machines have no need for isolation unless you are a developer and use virtualization software. However, there are some other security concerns when using a physical machine. This could be anything from losing a laptop to the theft of devices. If the correct security measures aren’t in place, such as BitLocker, it could lead to data leakage.

Cost savings: Using virtual desktops can lead to cost savings. Windows 365 has a per-user/per-month license that companies can increase or decrease in bulk. This is especially useful when companies need to onboard a very large number of users. Simply adding licenses is a really easy and fast process compared to ordering a large number of physical desktops. Azure Virtual Desktop offers flexibility in providing virtual desktops and because of that, it’s possible to implement cost-saving solutions in Azure Virtual Desktop. We will not go into detail about these options in this book.

Fast deployment: The flexibility of using virtual desktops makes it easy for companies to adapt to changing business requirements such as the rapid increase (or decrease) of secure desktops. The process of deploying physical desktops takes up more time due to the need to order new hardware. The installation and configuration process can be accelerated using technologies such as Windows Autopilot.

There are other use cases for fast deployments, such as testing and development. If your organization employs developers, they will most likely want the ability to spin up additional desktops or quickly remove desktops that they do not need anymore. Companies can use Windows 365 or Azure Virtual Desktop to better support their developers. Or even better, they can use the Microsoft Dev Box solution, which is specifically geared towards developers and their way of working.

Microsoft has two great solutions to provide virtual desktops. Let’s get acquainted with Windows 365 and Azure Virtual Desktop!

Figure 1.1 – Introducing Windows 365 and Azure Virtual Desktop

Introducing Windows 365

Windows 365 enables companies to stream a full desktop from the Microsoft cloud to the desktop of the user. Users can perform their daily tasks including accessing their company applications and data from the desktop in the Microsoft cloud, also referred to as a Cloud PC.

There are a lot of advantages to using Windows 365 when compared to a modern managed physical or virtual desktop for both IT admins and end users. Here are some key advantages:

Advantages for IT admins:

Windows 365 is a Software-as-a-Service (SaaS) offering, which means that Microsoft takes care of a lot of complex tasks. IT admins do not need as much technical knowledge when compared to other VDI solutions.

Another advantage of SaaS is that it uses a per-user/per-month licensing model. Licenses can easily be scaled to company needs by adding or removing them.

IT admins can easily determine the total cost of licenses on a per-user basis.

IT admins can use Microsoft Intune to manage Windows 365, which greatly simplifies the management of Cloud PCs.

IT admins can easily upgrade or downgrade virtual machines’ hardware to improve or reduce performance as needed.

Windows 365 has great reporting options for IT admins. These reports let IT admins know if and what problems have occurred.

Windows 365 is a great solution for bring-your-own-device scenarios. For example, contractors would benefit as they would be able to use their own laptops and connect to their Cloud PCs securely.

Windows 365 enables users to perform basic management tasks such as rebooting their Cloud PC. This in turn can reduce the number of incidents reported to the service desk.

IT admins can make sure that company data does not leave the Cloud PC.

Advantages for end users:

End users have access to the basic management tasks to troubleshoot basic problems themselves. For example, users can reboot their Cloud PC when they are unable to sign in, and they can restore the Cloud PC to a previous state (point-in-time restore).

End users can use their own desktop to connect to the company’s Cloud PCs.

End users can connect to their Cloud PCs from anywhere using any local client if they have internet available and a modern browser.

A Cloud PC uses Windows 11 (or 10) as the operating system, which feels more familiar to users than using a server operating system with a user environment manager.

Features of Windows 365

Windows 365 has great features that really set it apart from traditional virtual desktop infrastructure (VDI) or Cloud VDI. These features greatly improve the user experience or security aspects of using a desktop. Let us look into some of the features of Windows 365.

Windows 365 app

The Windows 365 app is a Windows app that can be downloaded from the Microsoft Store or published via Microsoft Intune if users work on a company-managed desktop. Since it’s a Microsoft Store app, it will automatically update to the latest version, making the life of the IT admin just a little bit easier.