One of the key concerns that most organizations have is keeping their data secure to protect themselves and their clients. In this latest post in my Azure Virtual Desktop (AVD) series, I’ll be exploring how organizations can use Azure Virtual Desktop to keep their data secure while still empowering employees to be flexible to work from anywhere. You can check out my other posts on this topic here.
The Challenge – Data Security
All organizations handle some types of sensitive data, whether it is HR data, customer data, financials, or something else. Your employees need to access this data to do their jobs. You also have an obligation to prevent unauthorized access to this data. You have to balance that obligation against employee productivity and flexibility. For certain data types I would recommend SharePoint Online with Microsoft Purview Information Protection. SharePoint quickly enables a zero trust model that includes flexible access to data. Purview enables data loss prevention to protect information from leaving your organization. But not all file types are supported by Purview, and there are limits to what can be stored on SharePoint. So how can organizations make sure their data can be accessed from anywhere while still maintaining control over where that data goes and who can access it?
The Solution – Azure Virtual Desktop
Use Azure Virtual Desktop to provide a simple-to-use remote access solution, and configure its settings to prevent file transfer, clipboard access, and screen capture. This solution allows users to access the data and applications they need from anywhere while also ensuring the data doesn’t go to places it shouldn’t. By disabling clipboard access and forcing users to access this data through AVD, you can ensure that sensitive data doesn’t end up on a user’s laptop or personal device. Also, because AVD uses Azure Active Directory for authentication, you can put strong authentication controls (such as Conditional Access and multi-factor authentication) around this data access method.
To configure Azure Virtual Desktop to limit the possibility of data transfer outside the AVD environment, adjust the RDP properties on the AVD Host Pool as shown in the screenshot below.
I recommend setting your host pool device redirection settings as above wherever data security is a concern. This configures the AVD Broker so that remote sessions won’t allow the data and device redirections mentioned above. You can also configure these settings directly on the session hosts themselves using group policy. The location for these policies is Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection.
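As an added example (my own script, not the author's, and not a reproduction of the screenshot), the following PowerShell applies the redirection lockdown to a host pool through the Az.DesktopVirtualization module and then reads the pool back to verify that every redirection is actually disabled. It assumes an authenticated Az session, and the resource group and host pool names are placeholders; the property list is my selection from the RDP properties AVD supports, so adjust it if your users legitimately need, for example, printer redirection.

```powershell
# Added example (not from the original post): lock down an AVD host pool's
# custom RDP properties so remote sessions cannot redirect drives, clipboard,
# printers, USB, cameras, microphone, smart cards or COM ports.
# Requires the Az.DesktopVirtualization module and Connect-AzAccount.
$ResourceGroup = 'rg-avd-prod'     # placeholder resource group
$HostPoolName  = 'hp-secure-data'  # placeholder host pool

# Redirections to block. String (s) properties are disabled with an empty
# value, integer (i) properties with 0.
$LockdownProperties = [ordered]@{
    'drivestoredirect:s'     = ''   # no local drives
    'redirectclipboard:i'    = '0'  # no clipboard in either direction
    'redirectprinters:i'     = '0'  # no local printers
    'usbdevicestoredirect:s' = ''   # no USB devices
    'camerastoredirect:s'    = ''   # no cameras
    'audiocapturemode:i'     = '0'  # no microphone
    'redirectsmartcards:i'   = '0'  # no smart cards
    'redirectcomports:i'     = '0'  # no COM ports
    'devicestoredirect:s'    = ''   # no other plug-and-play devices
}

# Keep unrelated properties already on the pool and overwrite only these.
$pool     = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$existing = [ordered]@{}
foreach ($entry in ($pool.CustomRdpProperty -split ';' | Where-Object { $_ })) {
    # An entry looks like "name:type:value"; the value may itself be empty.
    if ($entry -match '^([^:]+:[si]):(.*)$') { $existing[$Matches[1]] = $Matches[2] }
}
foreach ($k in $LockdownProperties.Keys) { $existing[$k] = $LockdownProperties[$k] }

$rdpString = (($existing.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';') + ';'
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
    -CustomRdpProperty $rdpString | Out-Null

# Verify: read the pool back and fail loudly on any redirection left open.
$applied = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName).CustomRdpProperty
$stillOpen = @(
    $LockdownProperties.GetEnumerator() |
        Where-Object { $applied -notmatch [regex]::Escape("$($_.Key):$($_.Value);") } |
        ForEach-Object { $_.Key }
)
if ($stillOpen.Count -gt 0) {
    Write-Error "Redirection still permitted on $($HostPoolName): $($stillOpen -join ', ')"
} else {
    Write-Host "Host pool $HostPoolName locked down: $applied"
}
```

The read-back step matters because a broker-side property is only effective if it survives the update; a later edit in the portal or another script can silently re-enable a redirection, so the same verification half of the script is worth running on a schedule against every host pool that holds sensitive data.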
Screen Capture Protection
One final protection that is available exclusively with AVD is screen capture protection. This prevents third-party programs from recording or printing the screen of the Azure Virtual Desktop session, so data can’t be copied or recorded outside the environment. Note that this isn’t completely foolproof, since a user could still take a picture of their screen with their camera, but it is a big leap forward. Be aware that enabling it limits the clients you can use to connect to the session hosts.
To configure screen capture protection, download the appropriate GPO templates here. Then configure Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Azure Virtual Desktop\Enable Screen Capture Protection to Enabled. Finally, connect to the session host in AVD using a supported client. Find the full details on supported clients in the docs here.
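As an added example (my own script, not the author's), this PowerShell audits a session host for the group policy settings described in this post and the previous section: the Device and Resource Redirection policies and Enable Screen Capture Protection. It reads the Terminal Services policy key that these settings write to. The registry value names are my understanding of what the named policies set, not something the post itself lists, so treat them as an assumption and confirm them against your ADMX templates. Run it elevated on a session host, or wrap it in Invoke-Command to check a whole pool.

```powershell
# Added example (not from the original post): report whether a session host
# has the redirection and screen capture protection policies enforced.
# Assumption: these are the registry values the named policies write.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value name -> @(minimum expected DWORD, policy display name)
$Expected = [ordered]@{
    'fDisableClip'                = @(1, 'Do not allow Clipboard redirection')
    'fDisableCdm'                 = @(1, 'Do not allow drive redirection')
    'fDisableCpm'                 = @(1, 'Do not allow client printer redirection')
    'fDisableLPT'                 = @(1, 'Do not allow LPT port redirection')
    'fDisableCcm'                 = @(1, 'Do not allow COM port redirection')
    'fDisablePNPRedir'            = @(1, 'Do not allow supported Plug and Play device redirection')
    'fDisableAudioCapture'        = @(1, 'Do not allow audio recording redirection')
    'fEnableScreenCaptureProtect' = @(1, 'Enable screen capture protection')
}

function Test-SessionHostLockdown {
    # A missing key or value means the policy is not configured, which is
    # non-compliant for our purposes (the default allows the redirection).
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $want, $desc = $Expected[$name]
        $have = $null
        if ($null -ne $props -and $props.PSObject.Properties[$name]) { $have = $props.$name }
        [pscustomobject]@{
            Policy    = $desc
            Value     = $name
            Expected  = $want
            Actual    = if ($null -eq $have) { 'not configured' } else { $have }
            Compliant = ($null -ne $have -and [int]$have -ge $want)
        }
    }
}

$report = Test-SessionHostLockdown
$report | Format-Table -AutoSize
$failures = @($report | Where-Object { -not $_.Compliant })
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) lockdown setting(s) not enforced on $env:COMPUTERNAME"
    exit 1
}
```

Because the broker-side RDP properties and the session-host policies are independent layers, checking both is the practical way to catch a drift in either one: a host pool that was rebuilt without its custom RDP properties will still pass this audit, and a session host that missed a GPO refresh will still be protected by the host pool settings, but neither layer alone tells you the whole picture.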
Azure Virtual Desktop is a great tool for empowering your users to access data securely from anywhere while still enforcing strong authentication and preventing accidental or intentional data exfiltration. With Azure Virtual Desktop you can keep your data secure and keep it from going where it shouldn’t. Hopefully this information will help you to continue to achieve your IT initiatives by using Azure Virtual Desktop. Be sure to check out my other related posts here.
I am a leader and solutions architect with over 10 years of hands on experience in private, public, and hybrid cloud technologies, networking, security, and data center management. My passion is to help clients gain agility and accelerate their business through IT modernization using cloud technologies.
I have consulted for some of the largest universities and corporations in the world on topics such as Azure Architecture, Infrastructure as Code, Azure Virtual Desktop, Application Hosting, Network Security, Identity Management, and much more.
Finally, I am actively involved in Christian ministry as a teacher and I strive to reflect the character of Jesus in every area of life.