Virtual Desktop Strategy
Azure Virtual Desktop (AVD) is not a replacement for physical endpoints — it is a targeted tool for specific user profiles and risk scenarios. This chapter frames the strategic decision, establishes the architecture principles that govern all AVD deployments in this guide, and provides a pre-deployment discovery checklist for RPO engagements.
For implementation steps, see Scenario: Azure Virtual Desktop.
When to Use AVD
GCC High
The primary driver for AVD in a CMMC environment is keeping CUI off unmanaged endpoints. A contractor connecting from a personal laptop is the canonical use case: AVD delivers a compliant Windows 11 session without requiring the organization to provision, ship, or manage a physical device.
| User Profile | Preferred Strategy | Rationale |
|---|---|---|
| Full-time employee | Physical GFE | Better daily-use experience; offline capability; no session latency |
| Contractor / subcontractor | AVD | Zero CUI footprint on their device; instant provisioning and deprovisioning |
| Temporary auditor or assessor | AVD | Controlled access window with no residual data after session ends |
| "Break glass" user | AVD | Physical device lost or stolen — user can resume work from any browser |
| High-risk CUI workflow | AVD | CUI stays inside the Azure datacenter; drive and clipboard redirection blocked at the protocol level |
For full-time employees who handle CUI, both physical GFE and AVD are defensible architectures. The deciding factors are workforce distribution (remote-first teams benefit more from AVD), device management overhead, and whether the client already has Azure Government infrastructure. Organizations that are heavily invested in Azure Government often find AVD cheaper to operate at scale than maintaining a physical device fleet.
Commercial
Commercial environments generally do not need to deploy a secure enclave to handle CUI. AVD remains useful in specific scenarios (delivering a consistent managed desktop to remote contractors, providing a controlled environment for high-risk workflows, or reducing physical hardware overhead for distributed teams), but it is not driven by a regulatory enclave requirement.
| Use Case | Rationale |
|---|---|
| Contractor / BYOD user needing managed apps | AVD delivers a corporate desktop without requiring device enrollment |
| Remote workforce with inconsistent hardware | Guaranteed performance baseline regardless of end-user device |
| Application delivery for legacy or GPU workloads | Centralize specific workloads without imaging every endpoint |
| "Break glass" access | User can reach a managed desktop from any device when their assigned machine is unavailable |
Architecture Principles
All AVD deployments in this guide follow a cloud-native architecture. Hybrid Join for AVD is explicitly rejected.
| Principle | Decision | Why |
|---|---|---|
| Identity | Entra ID Join — no Domain Controllers | Eliminates DC dependency, supports RBAC-based login without GPO |
| Management | Intune — no SCCM/MECM | Consistent policy plane with physical devices; no on-prem management infrastructure |
| Join model | Cloud-only (AADLoginForWindows) | Hybrid Join adds complexity with no compliance benefit for new GCC High deployments |
| Host pool type | Personal (assigned) | One VM per user; no FSLogix; clean audit trail; no cross-session data contamination risk |
| Network egress | Azure Firewall with deny-all default | No direct internet path from session hosts; all egress explicitly enumerated |
| Region | US Gov Virginia or US Gov Arizona | FedRAMP High boundary; data residency requirement |
The rationale for the personal pool decision — including the multi-session compliance risk analysis — is detailed in Scenario: AVD → Host Pool Model.
Security Baseline for Session Hosts
Trusted Launch
All session hosts must use Trusted Launch virtual machines. Windows 11 images in Azure require it (Secure Boot plus a TPM), and the vTPM is what allows BitLocker to protect the OS disk so the Intune compliance policy's encryption check passes.
| Setting | Required Value |
|---|---|
| Security type | Trusted Launch Virtual Machines |
| Secure Boot | Enabled |
| vTPM | Enabled |
| Integrity Monitoring | Enabled |
Set these in the Host Pool Security blade when creating the host pool. The security type is a property of the VM, not of the host pool: changing it on an existing session host requires deallocating the VM (and Gen1 VMs must be redeployed), so get it right at creation.
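The following script is an added example, not part of the original guide, that audits every session host in a host pool against the four settings in the table above. It assumes the Az.Accounts, Az.Compute and Az.DesktopVirtualization modules, a signed-in Azure Government context (`Connect-AzAccount -Environment AzureUSGovernment`), and the placeholder resource group and host pool names shown. It uses the session host's `ResourceId` to locate the VM, so it works when the VMs live in a different resource group from the host pool.

```powershell
# Added example (not from the original guide): audit AVD session hosts against the
# Trusted Launch baseline (security type, Secure Boot, vTPM, Integrity Monitoring).
# Assumes Az.Accounts, Az.Compute, Az.DesktopVirtualization and an Azure Government login.
$hostPoolRg = 'rg-avd-prod'      # placeholder
$hostPool   = 'hp-avd-personal'  # placeholder

function Test-TrustedLaunchBaseline {
    param([string]$ResourceGroupName, [string]$HostPoolName)

    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        # ResourceId is the VM: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>
        $parts  = $sh.ResourceId -split '/'
        $vmRg   = $parts[4]
        $vmName = $parts[-1]

        $vm = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
        $sp = $vm.SecurityProfile   # $null on a Standard (non-Trusted Launch) VM

        # Integrity Monitoring is delivered by the Guest Attestation VM extension.
        $attest = Get-AzVMExtension -ResourceGroupName $vmRg -VMName $vmName -ErrorAction SilentlyContinue |
                  Where-Object { $_.ExtensionType -eq 'GuestAttestation' }

        $trusted    = $sp.SecurityType -eq 'TrustedLaunch'
        $secureBoot = [bool]$sp.UefiSettings.SecureBootEnabled
        $vtpm       = [bool]$sp.UefiSettings.VTpmEnabled

        [pscustomobject]@{
            SessionHost         = ($sh.Name -split '/')[-1]
            SecurityType        = if ($sp.SecurityType) { $sp.SecurityType } else { 'Standard' }
            SecureBoot          = $secureBoot
            vTPM                = $vtpm
            IntegrityMonitoring = [bool]$attest
            # All four must hold for the host to meet the baseline table.
            Compliant           = $trusted -and $secureBoot -and $vtpm -and [bool]$attest
        }
    }
}

$results = Test-TrustedLaunchBaseline -ResourceGroupName $hostPoolRg -HostPoolName $hostPool
$results | Format-Table -AutoSize

# Remediation happens outside the running VM: deallocate and enable Trusted Launch,
# or drain and redeploy the host from a Trusted Launch host pool.
$results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.SessionHost) does not meet the Trusted Launch baseline"
}
```

Run it after host pool creation and again after any scaling or image refresh; a host that someone rebuilt by hand from a Standard VM will show `SecurityType = Standard` and `Compliant = False`.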
Encryption Tiers
Azure managed disks are encrypted at rest by default with server-side encryption (SSE): AES-256 with platform-managed keys. For environments with higher sensitivity requirements:
| Tier | Mechanism | When to Use |
|---|---|---|
| Standard | Platform-managed keys (SSE) + BitLocker (Intune) | Baseline — satisfies compliance requirements for most organizations |
| Enhanced | Customer-managed keys (CMK) via Key Vault + Disk Encryption Set | Organizations with contractual or internal requirements for key lifecycle control |
If using CMK: create the Disk Encryption Set and Key Vault in the same Azure Government subscription and region as the session hosts. Keys must remain within the US Gov boundary.
Pre-Deployment Discovery Checklist
Use these questions before scoping an AVD deployment. The answers drive architecture decisions that are difficult to change after host pool creation.
Compute & Applications
- What is the reset model, persistent or ephemeral? Personal (persistent) pools retain user profiles and installed apps between sessions. Pooled (ephemeral) pools can be re-imaged on a schedule. This guide covers personal pools only; pooled pools require FSLogix and a different compliance conversation.
- Do any applications require a GPU? Standard D-series VMs are CPU-only. CAD, engineering simulation, and media encoding workloads require NV-series VMs. GPU quota in US Gov regions must be requested in advance; lead time can be 2–4 weeks.
- Is nested virtualization required? Docker, Hyper-V, and Android emulators inside AVD require a VM size that supports nested virtualization (the Dv3/Ev3 generation and later; check the nested virtualization capability listed for the size before committing). Confirm with the development or DevOps team before selecting VM size.
Network & Egress
- Does the client require source IP anchoring for SaaS apps? Some government portals allowlist specific public IPs. In the firewall egress design above, the Azure Firewall's public IP is already the static source address those portals see. If a NAT Gateway is added for a dedicated IP or additional SNAT ports, attach it to the AzureFirewallSubnet rather than the session host subnet, so the firewall remains the only egress path.
- Is Azure Firewall Premium with TLS inspection in scope? TLS inspection breaks session host connections unless the firewall's CA certificate is deployed to session hosts via Intune as a trusted root. Even with the certificate in place, keep the AVD service FQDNs (agent and broker traffic) on application rules without TLS inspection and inspect user web traffic only. Confirm whether the network team intends to enable TLS inspection before designing the firewall policy.
- Is RDP Shortpath a requirement? Shortpath for managed networks opens a direct UDP 3390 connection from the client to the session host, bypassing the gateway and the firewall inspection path for that traffic. It improves multimedia performance, but in regulated environments the latency improvement rarely justifies the network exception. Default recommendation: disable Shortpath and route all traffic through the TCP gateway.
Identity & Authentication
- Will users connect from GFE or personal/BYOD devices? This drives Conditional Access policy design. GFE users can use silent sign-on; BYOD users should see "MFA every time" and download blocks enforced at the policy level.
- Is FIDO2 / PIV card passthrough into the session required? The standard PIV flow authenticates once at Entra and carries the token into the session via SSO; no card passthrough is needed. If a use case requires the physical card inside the session (for example, signing documents inside the VM), the RDP properties `redirectsmartcards:i:1` and `redirectwebauthn:i:1` must be set on the host pool, and the target application must support the redirected device over RDP.
- Is screen capture protection required? Enabling AVD screen capture protection prevents the user from sharing their AVD window via Teams or Zoom running on their local device. It is a strong data-in-place control but breaks collaboration workflows where users screen-share their session. Confirm with the client before enabling.
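The following script is an added example, not part of the original guide, showing how the "drive and clipboard redirection blocked at the protocol level" decision from the strategy table and the smart card / WebAuthn passthrough question above translate into host pool custom RDP properties. It assumes the Az.DesktopVirtualization module, an Azure Government login, placeholder resource names, and that Entra SSO has already been configured as described in the implementation article (`enablerdsaadauth:i:1` only works once that is in place).

```powershell
# Added example (not from the original guide): apply a no-redirection baseline to a
# personal host pool and opt in to smart card + WebAuthn redirection only where the
# in-session PIV use case exists. Assumes Az.DesktopVirtualization and an Azure Government login.
$rg       = 'rg-avd-prod'      # placeholder
$hostPool = 'hp-avd-personal'  # placeholder

# Baseline: the only thing that leaves the session is the display/input stream.
$baseline = @(
    'drivestoredirect:s:'       # no local drive mapping (empty list = none)
    'redirectclipboard:i:0'     # no clipboard in either direction
    'redirectprinters:i:0'
    'redirectcomports:i:0'
    'usbdevicestoredirect:s:'   # no USB passthrough
    'camerastoredirect:s:'
    'audiocapturemode:i:0'
    'redirectlocation:i:0'
    'redirectsmartcards:i:0'    # PIV authenticates at Entra, not inside the session
    'redirectwebauthn:i:0'
    'enablerdsaadauth:i:1'      # Entra SSO into the session (assumes SSO is configured)
)

function Set-HostPoolRedirectionBaseline {
    param(
        [string]$ResourceGroupName,
        [string]$HostPoolName,
        [switch]$PivInSession   # only for the documented use case of signing inside the VM
    )
    $props = $baseline
    if ($PivInSession) {
        $props  = @($props | Where-Object { $_ -notmatch '^redirect(smartcards|webauthn):' })
        $props += 'redirectsmartcards:i:1', 'redirectwebauthn:i:1'
    }
    # AVD stores the properties as a single semicolon-separated string.
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -CustomRdpProperty (($props -join ';') + ';') | Out-Null

    # Return what the service will now hand to clients, one property per line.
    (Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName).CustomRdpProperty -split ';' |
        Where-Object { $_ }
}

Set-HostPoolRedirectionBaseline -ResourceGroupName $rg -HostPoolName $hostPool
```

Custom RDP properties are delivered to the client in the connection file, so treat them as the first layer and back them with the equivalent device and resource redirection policies on the session host via Intune; a host-side policy holds even if a client ignores the feed.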
Operations
- What is the patching model for personal pool VMs? Personal pool session hosts cannot be re-imaged on a schedule the way pooled hosts can: the VM is the user's persistent workspace. Patching options: (1) Intune Windows Update for Business policies applied to session hosts, or (2) periodic VM replacement with a new golden image via Drain Mode. Confirm the client's tolerance for coordinated maintenance windows.
- What is the idle disconnect and session logoff policy? Security frameworks require automatic session termination after a defined condition such as inactivity (NIST SP 800-171 3.1.11; the related inactivity screen lock is 3.1.10). A disconnect preserves open applications for reconnect but leaves the session alive on the host. A logoff closes all applications. The distinction is significant for user experience; confirm expected behavior with stakeholders before configuring RDS session limits.
- Who owns the golden image and what is the update cadence? A custom image with pre-installed applications requires an Azure Compute Gallery, a build VM, and a documented update process. If the client cannot commit to a quarterly or monthly image build cycle, the Microsoft-managed gallery image with Intune app deployment is the lower-maintenance alternative.
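The following script is an added example, not part of the original guide, that makes the disconnect-versus-logoff distinction from the session limit question concrete. It is written as an Intune remediation script pair folded into one file (run without arguments to detect, with `-Remediate` to fix) and reads and writes the Remote Desktop Services session time limit policy values under the Terminal Services policy key, which are in milliseconds. The 15-minute idle and 60-minute disconnected values are placeholders for whatever the client agrees to; the script must run as SYSTEM to write HKLM.

```powershell
# Added example (not from the original guide): detect/remediate RDS session limits
# on a session host. Values are the policy-backed registry entries behind the
# "Session Time Limits" administrative templates; all times are in milliseconds.
param([switch]$Remediate)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Desired behaviour (placeholder values):
#   idle for 15 min        -> disconnect (apps survive for reconnect, session stays alive)
#   disconnected for 60 min -> log off   (session terminated, apps closed)
$baseline = @{
    MaxIdleTime          = 15 * 60 * 1000   # "Set time limit for active but idle RDS sessions"
    MaxDisconnectionTime = 60 * 60 * 1000   # "Set time limit for disconnected sessions"
    fResetBroken         = 0                # 1 would log off at the idle limit instead of disconnecting
}

function Get-SessionLimitDrift {
    # Returns the names of baseline values that are missing or differ (nothing when compliant).
    $actual = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $baseline.Keys) {
        if ($null -eq $actual -or $actual.$name -ne $baseline[$name]) { $name }
    }
}

function Set-SessionLimits {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $baseline.Keys) {
        Set-ItemProperty -Path $policyKey -Name $name -Value $baseline[$name] -Type DWord
    }
}

if ($Remediate) {
    Set-SessionLimits
}

# Detection: exit 1 tells Intune the host is non-compliant and triggers remediation.
$drift = @(Get-SessionLimitDrift)
if ($drift.Count -gt 0) {
    Write-Output "Session limit drift: $($drift -join ', ')"
    exit 1
}
Write-Output 'Session limits match baseline'
exit 0
```

The same three settings exist in the Intune settings catalog under Remote Desktop Session Host > Session Time Limits; deploy them there for enforcement and use a script like this as the independent check that the values actually landed on the host.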
AVD Next Steps
| Next Step | Article |
|---|---|
| Implementation checklist (host pool, RBAC, KFM, verification) | Scenario: Azure Virtual Desktop |
| Azure Firewall rule reference (FQDN tables, network rules, KQL) | AVD Firewall Reference |
| Deployment timeline (65-hour greenfield estimate) | AVD Deployment Timeline |
| Compliance control mapping for AVD | Scenario: AVD → Control Mapping |