articles/virtual-desktop/security-guide.md
Lines changed: 9 additions & 3 deletions
@@ -88,6 +88,10 @@ When choosing a deployment model, you can either provide remote users access to
88
88
89
89
Monitor your Azure Virtual Desktop service's usage and availability with [Azure Monitor](https://azure.microsoft.com/services/monitor/). Consider creating [service health alerts](../service-health/alerts-activity-log-service-notifications-portal.md) for the Azure Virtual Desktop service to receive notifications whenever there's a service impacting event.
90
90
91
+
### Encrypt your VM
92
+
93
+
Encrypt your VM with [managed disk encryption options](../virtual-machines/disk-encryption-overview.md) to protect stored data from unauthorized access.
94
+
91
95
## Session host security best practices
92
96
93
97
Session hosts are virtual machines that run inside an Azure subscription and virtual network. Your Azure Virtual Desktop deployment's overall security depends on the security controls you put on your session hosts. This section describes best practices for keeping your session hosts secure.
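Review bot: the new "### Encrypt your VM" subsection is attached to the preceding section (deployment model and monitoring) rather than to "## Session host security best practices", which starts immediately after it and whose intro says session hosts are VMs and that the section covers the controls you put on them; consider moving "Encrypt your VM with [managed disk encryption options](../virtual-machines/disk-encryption-overview.md) to protect stored data from unauthorized access." under that heading. Also, the second hunk keeps the note that BitLocker should not be used on the disk holding FSLogix profile data, so either repeat that caveat here or cross-reference the vTPM/BitLocker paragraph so a reader who stops at this short section does not encrypt the profile disk.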
@@ -160,7 +164,7 @@ Remote attestation is a great way to check the health of your VMs. Remote attest
160
164
161
165
A vTPM is a virtualized version of a hardware Trusted Platform Module (TPM), with a virtual instance of a TPM per VM. vTPM enables remote attestation by performing integrity measurement of the entire boot chain of the VM (UEFI, OS, system, and drivers).
162
166
163
-
We recommend enabling vTPM to use remote attestation on your VMs. With vTPM enabled, you can also enable BitLocker functionality, which provides full-volume encryption to protect data at rest. Any features using vTPM will result in secrets bound to the specific VM. When users connect to the Azure Virtual Desktop service in a pooled scenario, users can be redirected to any VM in the host pool. Depending on how the feature is designed this may have an impact.
167
+
We recommend enabling vTPM to use remote attestation on your VMs. With vTPM enabled, you can also enable BitLocker functionality with Azure Disk Encryption, which provides full-volume encryption to protect data at rest. Any features using vTPM will result in secrets bound to the specific VM. When users connect to the Azure Virtual Desktop service in a pooled scenario, users can be redirected to any VM in the host pool. Depending on how the feature is designed this may have an impact.
164
168
165
169
>[!NOTE]
166
170
>BitLocker should not be used to encrypt the specific disk where you're storing your FSLogix profile data.
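Review bot: "Azure Disk Encryption" is introduced by name only, with no link, while the new "Encrypt your VM" section above links to the managed disk encryption overview; link the two consistently (for example "BitLocker functionality with [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md)") so the reader can see that the vTPM/BitLocker recommendation and the "Encrypt your VM" recommendation describe the same option. The surrounding sentence "Depending on how the feature is designed this may have an impact." is unchanged but still does not say what the impact of VM-bound secrets is in a pooled host pool; since this line is being edited anyway, a short clause stating the consequence for redirected users would make the recommendation actionable.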
@@ -186,7 +190,8 @@ The following operating systems support running nested virtualization on Azure V
186
190
- Windows Server 2022
187
191
- Windows 10 Enterprise
188
192
- Windows 10 Enterprise multi-session
189
-
- Windows 11
193
+
- Windows 11 Enterprise
194
+
- Windows 11 Enterprise multi-session
190
195
191
196
## Windows Defender Application Control
192
197
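Review bot: splitting "- Windows 11" into "- Windows 11 Enterprise" and "- Windows 11 Enterprise multi-session" matches the existing Windows 10 entries and narrows the nested-virtualization support claim to the SKUs actually listed, which is the right direction. The identical list is repeated verbatim in the Windows Defender Application Control section below; if the file's conventions allow it, keeping both lists in one shared include would stop them drifting apart on the next SKU change.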
@@ -197,7 +202,8 @@ The following operating systems support using Windows Defender Application Contr
197
202
- Windows Server 2022
198
203
- Windows 10 Enterprise
199
204
- Windows 10 Enterprise multi-session
200
-
- Windows 11
205
+
- Windows 11 Enterprise
206
+
- Windows 11 Enterprise multi-session
201
207
202
208
>[!NOTE]
203
209
>When using Windows Defender Access Control, we recommend only targeting policies at the device level. Although it's possible to target policies to individual users, once the policy is applied, it affects all users on the device equally.
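Review bot: the trailing context line reads "When using Windows Defender Access Control", but the section heading and the supported-OS sentence both say "Windows Defender Application Control"; since this hunk already touches the section, fix the product name in the note as well so the two agree. The list edit itself (Windows 11 Enterprise and Windows 11 Enterprise multi-session) is consistent with the change made in the nested-virtualization hunk.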