Making virtual desktops work with Azure AD and Intune - Security Boulevard

Making virtual desktops work with Azure AD and Intune

There has been a massive growth in demand for DaaS solutions due to COVID-19 and the sudden move to remote working, but there are still some major areas of improvement in the coverage of current solutions.

One of the main gaps in VDI/DaaS solutions is native support for Azure AD and Intune for managing the virtual Windows desktops. For example, for Windows Virtual Desktop, this was actually by far the most requested feature (correct to February 2021) according to Microsoft’s “user voice” product feedback forum:

The most requested feature for Windows Virtual Desktop: native Azure AD support

Why is it so important to support Azure AD and Intune when setting up virtual desktops? In this blog post, I’ll dive into the details and share how it’s possible to get cost-efficient, scalable, user-friendly virtual desktops AND full modern management with Azure AD and Intune.

The benefits of enrolling your desktops into Azure AD and Intune

To protect access to the organization’s assets, IT needs to manage the identities and security compliance of desktops accessing those assets. Azure Active Directory (Azure AD) helps do just that – by enrolling a device in Azure AD, the user enjoys single sign-on to enterprise apps while the security team can control which apps are accessible and under which conditions (a feature called “Conditional Access”). IT staff can further build on the device identity with tools like Microsoft Intune (now called Microsoft Endpoint Manager) to ensure standards for security and compliance are met.

 

Some of the most significant benefits of these Microsoft endpoint management tools are:

  • For users: single sign-on to enterprise apps
  • Conditional access to enterprise apps, based on a variety of conditions (including location, device compliance, user risk, etc)
  • Enforcing group policies on desktops
  • Deploying desktop apps and agents

Combining Azure AD, Intune & Conditional Access enforces access from compliant devices

Traditional virtual desktops & Azure AD/Intune

Multiple vendors provide virtual Windows desktops, including Microsoft, VMware, Citrix, and Amazon. These desktops can be persistent/non-persistent, single-user/multi-user, and their vendors provide various manageability capabilities.

 

With the rapid adoption of cloud technologies, and with Microsoft pushing all enterprises to adopt the standard cloud-based Azure AD and Intune technologies (replacing legacy AD and SCCM), there is an emerging and urgent need to add Azure AD and Intune support to these virtual desktops. Today, most vendors do not support these technologies on their virtual desktops and force customers to set up connections to legacy Active Directory domain controllers and apply all kinds of workarounds or cumbersome processes to allow some interoperability with Azure AD or Intune.

 

Traditional virtual desktop solutions are specifically challenged with management tools like Azure AD and Intune when the virtual desktops are configured to be non-persistent. Needless to say, many enterprises actually prefer non-persistent desktops because of their security, consistency, and cost benefits. Non-persistent desktops always come back to a pristine system state (while supporting a persistent user profile) and can reduce storage costs.

 

Hysolate Workspace: local virtual desktops with modern management

Hysolate Workspace is a lightweight virtual desktop that runs locally and can be instantly deployed, with no need to manage another OS image. Leveraging the latest Windows container VM technologies, Hysolate forks the existing clean OS binaries into a VM that is strongly isolated and can run (for example) a sensitive corporate workspace. With this technology, enterprises can easily allow users to access sensitive corporate apps from less trusted devices. The virtual machine is encrypted and isolated in every aspect, including the clipboard, networking, keyboard, display, etc.

 

On top of this, Hysolate Workspace is the first solution to support full native management of the virtual desktop with modern Microsoft management tools such as Azure AD and Intune, while still keeping the virtual machine non-persistent. With this, IT teams have full visibility into their virtual desktops within Microsoft Endpoint Manager, can configure their security policies, and make sure enterprise apps can only be accessed from these compliant virtual desktops. Users also enjoy single sign-on into enterprise apps.

Using Hysolate Workspace to instantly create local virtual desktops with modern management

 

Regardless of Azure AD and Intune support, there are many additional aspects that make Hysolate’s local VMs different:

  • The VMs are instantly deployed – it requires just 5 minutes on a user’s device (total time) for the user to get started.
  • The VMs do not require IT to manage/patch another enterprise OS image – the VM OS inherits the patching level of the host OS.
  • From the user’s perspective, the VM looks just like another desktop/space on your laptop. Users don’t need to know anything about VMs – it just works.
  • Hysolate automatically launches apps/documents in the right zone (either in the VM or not), so that users don’t get confused.
  • Hysolate isolates every aspect of the VM – including the isolation of memory, CPU, disk, network, keyboard, display, USB devices, printers, etc.
  • The VM is optimized to not take any overhead when not in use and to take just enough memory when in use, including optimizations for video conferencing, CPU scheduling, graphics acceleration, etc.

Summary

If you’re designing a virtual desktop architecture for your organization, take into account the level of integration you’ll need with modern cloud-based manageability technologies and when conducting a PoC make sure to also test the interoperability of your virtual desktops with Azure Active Directory and Intune. This will allow your IT teams to keep on using the tools they already know and trust for managing these new desktops.

Would you like more information on Hysolate? You can request a demo here.

The post Making virtual desktops work with Azure AD and Intune appeared first on Hysolate.

*** This is a Security Bloggers Network syndicated blog from Blog – Hysolate authored by Tal Zamir. Read the original post at: https://www.hysolate.com/blog/making-virtual-desktops-work-with-azure-ad-and-intune/