Virtual Desktop Strategy
We prefer AVD (VDI) over Windows 365 because AVD session hosts sit in a virtual network we control, so every packet leaving them can be forced through an Azure Firewall with granular, per-FQDN egress rules.
The Strategic Role of AVD in GCC High
In a CMMC environment, the physical endpoint is often the weakest link. Shipping fully managed, compliant Government Furnished Equipment (GFE) to every contractor, temporary auditor, or new hire is expensive and logistically slow.
Azure Virtual Desktop (AVD) acts as our "Compliance Enclave." It provides a fully managed, compliant Windows 11 Enterprise environment that lives entirely within the US Sovereign Cloud boundary.
When to use AVD vs. Physical GFE
| Scenario | Preferred Strategy | Why? |
|---|---|---|
| Full-Time Employee | Physical GFE | Better user experience for daily work; offline capability. |
| Contractor / Partner | AVD | Zero data footprint on their device; instant provisioning/deprovisioning. |
| Lost/Stolen Device Continuity | AVD | If a physical device is lost or stolen, the user can resume work securely from any browser while the device is wiped and replaced. |
| High-Risk Data (CUI) | AVD | Keeps CUI strictly within the Azure datacenter; blocks drive redirection. |
Architecture: The "Cloud-Only" Standard
For GCC High, we reject the complexity of Hybrid Join for AVD. Our strategy relies on a Cloud-Native architecture that minimizes infrastructure dependencies.
Core Components
- Identity: Entra ID Join (no domain controllers).
- Management: Microsoft Intune (no SCCM/MECM).
- Region: USGov Virginia or USGov Arizona (must match data residency requirements).
- Network: Hub-and-spoke with Azure Firewall enforcing strict egress filtering.
Host Pool Configuration Strategy
We deploy AVD Host Pools designed for High Integrity and Zero Trust.
1. Security Baseline (Trusted Launch)
To protect the boot chain and give Intune a hardware-backed device-health signal that Conditional Access can enforce (supporting CMMC 3.1.1, Limit Access), all session hosts must be configured with Trusted Launch:
- Security Type: Trusted Launch virtual machines.
- Secure Boot: Enabled.
- vTPM: Enabled (required for Windows 11 and for Intune BitLocker compliance).
- Integrity Monitoring: Enabled (installs the Guest Attestation extension, which reports boot measurements to Defender for Cloud).
2. The Image Strategy
We use Windows 11 Enterprise (version 24H2).
- Why: Windows 11 supports WebAuthn (FIDO2/passkey) redirection into the session and modern security features that Windows 10 does not.
- Sizing: Standard_D2as_v5 (2 vCPU, 8 GiB RAM) is the baseline for standard office work.
3. Assignment Type: Personal vs. Pooled
For high-security users (e.g., developers, admins), we use Personal (Direct) assignment.
- Pros: Guaranteed performance; data persistence is simpler; behaves like a physical PC.
- Cons: Higher cost (1:1 VM to User ratio).
- Note: For general staff, "Pooled" is more cost-effective, but "Personal" ensures audit trails are cleaner and eliminates "noisy neighbor" resource contention.
4. Encryption (Double Encryption)
For CUI repositories, platform-managed disk encryption alone is often not enough for a CMMC Level 3 target. We implement double encryption at rest:
- Disk Encryption Set: encryption type EncryptionAtRestWithPlatformAndCustomerKeys, i.e. a platform-managed key AND a customer-managed key held in a GCC High Key Vault (soft delete and purge protection on).
- BitLocker: managed via Intune policy inside the OS, with the key protected by the vTPM.
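The host build described in sections 1, 2 and 4 above, as one added PowerShell example. This is not code from the original article; resource group, region, vault, key, VNet/subnet and VM names are assumptions, and it runs against Azure Government with the Az.Accounts, Az.Compute, Az.Network and Az.KeyVault modules installed.

```powershell
# Added example: one Personal-pool session host with Trusted Launch, Windows 11 24H2 Enterprise,
# D2as v5, double encryption (platform key + customer-managed key) and the Guest Attestation extension.
# Every name below is an assumption; substitute your own.
Connect-AzAccount -Environment AzureUSGovernment      # GCC High uses the Azure Government endpoints

$rg        = 'rg-avd-cui'          # assumed resource group
$location  = 'usgovvirginia'       # or usgovarizona; must match data residency
$vaultName = 'kv-avd-cui-001'      # assumed Key Vault name (must be globally unique)
$vmName    = 'avd-ph-001'          # assumed session host name
$subnetId  = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-avd-spoke').Subnets |
             Where-Object Name -eq 'snet-avd' | Select-Object -ExpandProperty Id   # assumed spoke VNet/subnet

# --- 4. Double encryption: CMK in a GCC High Key Vault; purge protection is required for a DES ---
$kv  = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name 'avd-disk-cmk' -Destination Software   # 'HSM' needs the Premium SKU

$desConfig = New-AzDiskEncryptionSetConfig -Location $location -SourceVaultId $kv.ResourceId -KeyUrl $key.Id `
                 -IdentityType SystemAssigned -EncryptionType EncryptionAtRestWithPlatformAndCustomerKeys
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'des-avd-double' -InputObject $desConfig

# The DES managed identity must be allowed to wrap/unwrap with the CMK
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $des.Identity.PrincipalId -PermissionsToKeys get, wrapKey, unwrapKey

# --- 1 + 2. Trusted Launch VM definition (Secure Boot, vTPM, Win11 24H2 Enterprise, D2as v5) ---
$cred = Get-Credential -Message 'Local admin (emergency use only; daily sign-in is Entra ID)'
$nic  = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg -Location $location -SubnetId $subnetId

$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2as_v5' -SecurityType TrustedLaunch
$vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'MicrosoftWindowsDesktop' -Offer 'windows-11' -Skus 'win11-24h2-ent' -Version 'latest'
$vm = Set-AzVMUefi -VM $vm -EnableSecureBoot $true -EnableVtpm $true       # Secure Boot + vTPM
$vm = Set-AzVMOSDisk -VM $vm -Name "$vmName-osdisk" -CreateOption FromImage -StorageAccountType Premium_LRS -DiskEncryptionSetId $des.Id
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm -LicenseType 'Windows_Client'   # multi-tenant hosting rights

# --- 1. Integrity Monitoring = Guest Attestation extension (boot measurements to Defender for Cloud) ---
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location -Name 'GuestAttestation' `
    -Publisher 'Microsoft.Azure.Security.WindowsAttestation' -ExtensionType 'GuestAttestation' `
    -TypeHandlerVersion '1.0' -EnableAutomaticUpgrade $true

# --- Verify the security profile before the host is registered to the pool ---
$check = Get-AzVM -ResourceGroupName $rg -Name $vmName
$check.SecurityProfile.SecurityType                                              # expect TrustedLaunch
$check.SecurityProfile.UefiSettings                                              # expect SecureBootEnabled and VTpmEnabled = True
(Get-AzDisk -ResourceGroupName $rg -DiskName "$vmName-osdisk").Encryption.Type   # expect EncryptionAtRestWithPlatformAndCustomerKeys
```

Entra join (the AADLoginForWindows extension) and host pool registration (the AVD DSC extension with a registration token) are the next steps and are omitted here. Marketplace SKU availability differs in Azure Government, so confirm the image name with `Get-AzVMImageSku -Location usgovvirginia -PublisherName MicrosoftWindowsDesktop -Offer windows-11` before relying on `win11-24h2-ent`.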
Networking & Firewall Strategy (The Boundary)
In GCC High, we do not allow the AVD hosts to talk directly to the open internet. All traffic is routed through an Azure Firewall to sanitize egress traffic.
1. Inbound Controls
- Public inbound ports: none (deny all).
- Connection method: reverse connect. The session host opens an outbound TCP 443 session to *.wvd.microsoft.com and the AVD gateway relays the user's RDP stream over it, so no listener is exposed to the internet.
- RDP Shortpath: disabled. Direct UDP to the session hosts would bypass the inspected gateway path.
2. Outbound "Allow" List (US Sovereign Cloud)
To maintain the boundary, we deny all outbound traffic by default and allow only the required US Government endpoints.

Application Rule Collection: AVD Infra (GCC High)
- *.wvd.azure.us
- *.wvd.microsoft.com
- *.xt.blob.core.usgovcloudapi.net
- *.prod.warm.ingest.monitoring.core.usgovcloudapi.net

Application Rule Collection: Identity (Entra ID GCC High)
- login.microsoftonline.us
- *.microsoftonline.us
- *.office365.us
- *.msauth.net
- *.msidentity.com

Application Rule Collection: Windows Updates
- *.windowsupdate.com
- *.update.microsoft.com
- *.delivery.mp.microsoft.com

Network Rule Collection: Essential Services
- DNS (UDP 53): to Azure DNS (168.63.129.16) or internal DNS.
- NTP (UDP 123): time.windows.com.
- KMS/Activation (TCP 1688): to the Azure Government KMS endpoint.
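The allow-lists above applied to an existing Azure Firewall with classic rules, plus the route that forces the AVD subnet through it, as an added example. It is not code from the original article; the firewall, resource group, VNet, subnet name and address range are assumptions, and the FQDN set is the one listed on this page, which should be reconciled with Microsoft's current AVD URL list before go-live.

```powershell
# Added example: load the page's egress allow-lists into an Azure Firewall (classic rule collections)
# and send the AVD subnet's default route through the firewall. All names/ranges are assumptions.
Connect-AzAccount -Environment AzureUSGovernment

$rg        = 'rg-hub-gcch'        # assumed hub resource group
$fwName    = 'afw-hub-gcch'       # assumed Azure Firewall name
$avdSubnet = '10.10.20.0/24'      # assumed AVD session-host subnet (spoke VNet)

$fw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName

# Helper: application rule sourced from the AVD subnet, HTTPS-only unless told otherwise
function New-AvdAllowRule {
    param([string]$Name, [string[]]$Fqdn, [string[]]$Protocol = @('https:443'))
    New-AzFirewallApplicationRule -Name $Name -SourceAddress $avdSubnet -TargetFqdn $Fqdn -Protocol $Protocol
}

$avdInfra = New-AzFirewallApplicationRuleCollection -Name 'AVD-Infra-GCCHigh' -Priority 100 -ActionType Allow -Rule (
    New-AvdAllowRule -Name 'avd-broker-gateway' -Fqdn @(
        '*.wvd.azure.us', '*.wvd.microsoft.com',
        '*.xt.blob.core.usgovcloudapi.net',
        '*.prod.warm.ingest.monitoring.core.usgovcloudapi.net'))

$identity = New-AzFirewallApplicationRuleCollection -Name 'Identity-EntraID-GCCHigh' -Priority 110 -ActionType Allow -Rule (
    New-AvdAllowRule -Name 'entra-id' -Fqdn @(
        'login.microsoftonline.us', '*.microsoftonline.us', '*.office365.us',
        '*.msauth.net', '*.msidentity.com'))

# Windows Update fetches some content over plain HTTP, so this collection alone gets both ports.
# (Alternative: New-AzFirewallApplicationRule -FqdnTag WindowsUpdate, a Microsoft-maintained list.)
$updates = New-AzFirewallApplicationRuleCollection -Name 'Windows-Updates' -Priority 120 -ActionType Allow -Rule (
    New-AvdAllowRule -Name 'wu' -Protocol @('http:80', 'https:443') -Fqdn @(
        '*.windowsupdate.com', '*.update.microsoft.com', '*.delivery.mp.microsoft.com'))

# Network rules: DNS, NTP, KMS. FQDN-based network rules require the firewall's DNS proxy.
$dns = New-AzFirewallNetworkRule -Name 'dns' -SourceAddress $avdSubnet -DestinationAddress '168.63.129.16'          -DestinationPort 53   -Protocol UDP
$ntp = New-AzFirewallNetworkRule -Name 'ntp' -SourceAddress $avdSubnet -DestinationFqdn 'time.windows.com'            -DestinationPort 123  -Protocol UDP
$kms = New-AzFirewallNetworkRule -Name 'kms' -SourceAddress $avdSubnet -DestinationFqdn 'kms.core.usgovcloudapi.net' -DestinationPort 1688 -Protocol TCP
$essential = New-AzFirewallNetworkRuleCollection -Name 'Essential-Services' -Priority 100 -ActionType Allow -Rule $dns, $ntp, $kms

$fw.DNSEnableProxy = $true
$fw.ApplicationRuleCollections.Add($avdInfra)
$fw.ApplicationRuleCollections.Add($identity)
$fw.ApplicationRuleCollections.Add($updates)
$fw.NetworkRuleCollections.Add($essential)
Set-AzFirewall -AzureFirewall $fw      # anything not matched above is dropped by the implicit deny

# Force the AVD subnet's default route to the firewall's private IP (no BGP routes learned from the hub)
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$rt = New-AzRouteTable -Name 'rt-avd-egress' -ResourceGroupName $rg -Location $fw.Location -DisableBgpRoutePropagation
$rt | Add-AzRouteConfig -Name 'default-to-firewall' -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable

$vnet = Get-AzVirtualNetwork -ResourceGroupName 'rg-avd-cui' -Name 'vnet-avd-spoke'   # assumed spoke VNet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-avd' -AddressPrefix $avdSubnet -RouteTable $rt | Set-AzVirtualNetwork
```

With the DNS proxy on, point the spoke VNet's DNS servers at the firewall's private IP so the FQDNs in the network rules resolve to the same addresses the firewall sees; the UDP 53 rule to 168.63.129.16 only matters for hosts still talking to Azure DNS directly. `Get-AzFirewallFqdnTag` lists the Microsoft-maintained WindowsVirtualDesktop tag if you would rather not hand-maintain the infrastructure FQDNs.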
Authentication & Identity Strategy
We must enforce phishing-resistant authentication at the gateway and at the desktop.
1. SSO and Entra ID Auth
We configure the host pool RDP properties to allow Entra ID authentication, enabling single sign-on (SSO): the user satisfies Conditional Access (MFA) once at the AVD client, and that Entra token signs them in to the VM instead of a second password prompt.
RDP Custom Properties:
```
targetisaadjoined:i:1
enablerdsaadauth:i:1
```
Architecture Validation: The Consultant's View
1. Host Pool & Compute Strategy
- "What is the 'reset' interval for the AVDs, or are we dedicating one AVD per user?"
- Consultant's Note: Are these persistent desktops (Personal) where users install their own apps, or ephemeral (Pooled) where we can re-image the machine every Saturday night? This dictates our FSLogix vs. Local Profile strategy.
- "Do any applications require a GPU?"
- Consultant's Note: Standard D-series VMs have no GPU and are unusable for CAD/engineering apps. If a GPU is needed, we need NV-series VMs, which have specific quota limits in US Gov regions that we must request early.
- "Is 'Nested Virtualization' required?"
- Consultant's Note: Do developers need to run Docker, Hyper-V, or Android Emulators inside the AVD? If so, we must select a v4/v5 series VM size that supports nested virtualization.
2. Networking & The Boundary
- "Does the client require 'Source IP Anchoring' for SaaS apps?"
- Consultant's Note: Some government apps (for example SharePoint sites with IP restrictions) require the user to arrive from a known, static IP. With the hub-and-spoke design above that IP already exists: all session-host egress is SNATed behind the Azure Firewall's public IP(s), so those are the addresses to allow-list. If the firewall needs a larger fixed SNAT pool, attach a NAT Gateway to AzureFirewallSubnet. A NAT Gateway on the AVD subnet is not the answer: with the 0.0.0.0/0 route pointing at the firewall, egress still exits from the firewall's address, so the NAT Gateway's IP never reaches the SaaS app.
- "Is there a requirement for RDP Shortpath (UDP)?"
- Consultant's Note: RDP Shortpath improves performance (video/audio) but, for managed networks, requires allowing UDP 3390 direct to the session hosts (the public-network variant uses STUN/TURN instead). In high-security CMMC environments, we often disable it to force all traffic through the inspected TCP gateway path.
- "Are we inspecting SSL traffic at the Firewall?"
- Consultant's Note: If the client uses Azure Firewall Premium with TLS inspection, we must deploy the firewall's signing CA certificate to the AVD Trusted Root store via Intune, or all inspected HTTPS traffic will break. The AVD, Entra ID and Windows Update endpoints must also be excluded from inspection; Microsoft does not support TLS interception of that traffic.
3. Identity & Authentication
- "Will users be accessing AVD from GFE (Government Furnished Equipment) or BYOD?"
- Consultant's Note: This determines our Conditional Access logic. If BYOD, we likely need to enforce "MFA every time" and "Block Downloads." If GFE, we might allow "Silent Sign-on."
- "Do we need to support FIDO2 / YubiKeys inside the session?"
- Consultant's Note: Redirecting a physical smart card or YubiKey into the remote session requires specific RDP properties (redirectsmartcards:i:1 and redirectwebauthn:i:1) and a Windows 11 host.
- "Is 'Screen Capture Protection' a hard requirement?"
- Consultant's Note: Enabling this feature prevents the user from sharing their screen via Teams/Zoom running on the local endpoint. It protects CUI but breaks collaboration if the user tries to "screen share" their AVD window during a meeting.
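The custom RDP property string described in the SSO section and in the FIDO2/YubiKey note above, as one added PowerShell example. It is not code from the original article; the resource group and host pool names are assumptions, and the list of redirection properties switched off is an assumed lockdown consistent with the "blocks drive redirection" goal stated earlier, not a setting the page prescribes.

```powershell
# Added example: set the host pool's custom RDP properties so that Entra ID auth + SSO and
# WebAuthn/smart-card redirection are on, and the data-exfil channels are off. Names are assumptions.
Connect-AzAccount -Environment AzureUSGovernment

$rg   = 'rg-avd-cui'          # assumed
$pool = 'hp-cui-personal'     # assumed Personal host pool

$props = @(
    'targetisaadjoined:i:1'     # hosts are Entra joined, no AD
    'enablerdsaadauth:i:1'      # Entra ID auth to the host: the MFA done at the client carries through (SSO)
    'redirectwebauthn:i:1'      # FIDO2/passkeys plugged into the local endpoint usable inside the session (Win11 host)
    'redirectsmartcards:i:1'    # PIV/CAC or YubiKey in smart-card mode
    'drivestoredirect:s:'       # empty list = no local drive mapping; CUI stays in the datacenter
    'redirectclipboard:i:0'     # no clipboard to/from the local device
    'redirectprinters:i:0'      # no local printers
    'usbdevicestoredirect:s:'   # no generic USB passthrough
    'camerastoredirect:s:'      # no local cameras
    'audiocapturemode:i:0'      # no local microphone
) -join ';'

Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $props

# Verify what the broker will hand to clients
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty
```

`enablerdsaadauth:i:1` is only half of Entra SSO: per Microsoft's prerequisites the Microsoft Remote Desktop and Windows Cloud Login service principals must also have their remote desktop security configuration enabled (the Graph `remoteDesktopSecurityConfiguration` resource), and the Conditional Access policy that demands phishing-resistant MFA should target those apps so the gate is enforced at the client, not skipped.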
4. Operations & Maintenance
- "How do we handle 'Drain Mode' for patching?"
- Consultant's Note: For Personal host pools, we can't just delete the VM. We need a strategy to put the host into "Drain Mode" (no new sessions), patch it, reboot it, and re-enable it—without kicking off the user mid-work.
- "What is the 'Idle Disconnect' vs. 'Logoff' policy?"
- Consultant's Note: CMMC requires session termination after a defined condition (AC.L2-3.1.11). Do we simply disconnect the user (keeping their open apps for 2 hours) or log them off (closing everything)? The difference impacts user satisfaction significantly.
- "Who holds the 'Master Image'?"
- Consultant's Note: Are we using a "Golden Image" from the Azure Marketplace (vanilla Windows 11), or are we building a custom image with the client's software pre-installed? Custom images require an Azure Compute Gallery and versioning strategy.
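The drain-patch-restore cycle from the "Drain Mode" note above, written out as an added PowerShell example. This is not code from the original article; the resource group, host pool and VM names are assumptions, and it assumes the hosts are Intune-managed so the update itself arrives from the Intune update ring and this script only fences the host, gets the user off it, reboots to finish the install, and re-opens it.

```powershell
# Added example: drain -> reboot -> restore for one Personal session host. Names are assumptions.
Connect-AzAccount -Environment AzureUSGovernment

$rg           = 'rg-avd-cui'          # assumed
$pool         = 'hp-cui-personal'     # assumed Personal host pool
$vmName       = 'avd-ph-001'          # assumed VM name
$graceMinutes = 15

# Session host objects are named "<pool>/<hostname>"; find the one backing this VM
$sh       = Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool | Where-Object { $_.Name -like "$pool/$vmName*" }
$hostName = $sh.Name.Split('/')[-1]

# 1. Drain mode: the broker stops routing new connections here; existing sessions keep running
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $hostName -AllowNewSession:$false

# 2. Warn the signed-in user once, then wait for the session to end on its own
$sessions = @(Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool -SessionHostName $hostName)
foreach ($s in $sessions) {
    Send-AzWvdUserSessionMessage -ResourceGroupName $rg -HostPoolName $pool -SessionHostName $hostName `
        -UserSessionId $s.Name.Split('/')[-1] -MessageTitle 'Scheduled maintenance' `
        -MessageBody "This desktop restarts for patching in $graceMinutes minutes. Save your work and sign out."
}
$deadline = (Get-Date).AddMinutes($graceMinutes)
while ($sessions.Count -gt 0 -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 60
    $sessions = @(Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool -SessionHostName $hostName)
}

# 3. Grace period over: terminate whatever is left (a logged-off session, not just a disconnect)
foreach ($s in $sessions) {
    Remove-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool -SessionHostName $hostName -Id $s.Name.Split('/')[-1] -Force
}

# 4. Reboot to complete the pending update install, then wait for the AVD agent to report healthy
Restart-AzVM -ResourceGroupName $rg -Name $vmName
do {
    Start-Sleep -Seconds 30
    $sh = Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $hostName
} while ($sh.Status -ne 'Available')

# 5. Re-open the host; with Personal assignment the same user lands back on it
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $hostName -AllowNewSession:$true
```

Run this one host (or a small batch) at a time inside the agreed maintenance window; a Personal host has exactly one owner, so draining it is really about stopping that user from reconnecting mid-reboot rather than spreading load elsewhere.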