Securing Cloud PCs and Azure Virtual Desktop: Start implementing and optimizing security for Windows 365 and AVD infrastructure

Cover
Title page
Copyright and credits
Foreword 1
Foreword 2
Contributors
Table of Contents
Preface
Part 1:An Introduction to Microsoft Virtual Desktops
Chapter 1: Introducing Windows 365 and Azure Virtual Desktop
	Advantages of using a virtual desktop
	Introducing Windows 365
		Features of Windows 365
		Windows 365 editions
	Introducing Azure Virtual Desktop
	Licensing Windows 365 and Azure Virtual Desktop
		Licensing Windows 365
		Licensing Azure Virtual Desktop
	Introducing Windows App
	Summary
Part 2: Why Is Endpoint Security Important?
Chapter 2: Importance of Securing Your Desktops
	A desktop at the heart of a user’s workspace
	Multiple users on a single desktop
	What happens when a physical desktop is lost or stolen?
	What can IT admins do to prevent data leakage?
		What about the Remote lock device action?
	Summary
Chapter 3: Modern Security Risks
	What are bad actors?
	Types of cyberattacks
		Phishing attack
		Ransomware
		Distributed denial of service
		Man in the middle attacks
		SQL injections
		Cross-site scripting
		Zero-day exploits
		Social engineering attacks
	Recovering from a cyberattack
		A cyber incident response plan
	Virtual desktops to the rescue
	Summary
Part 3: Security Controls for W365 and AVD
Chapter 4: Securing User Sessions
	CA and MFA
		Security defaults
		Per-user MFA
		CA policy
	Configuring RDP device and resource redirections for Windows 365
		Device and resource redirections with Intune
		Device and resource redirections with group policy
	Configuring RDP properties for Azure Virtual Desktop
		Drive and storage redirection
		Clipboard redirection
		COM port redirection
		Printer redirection
		Smartcard redirection
		USB device redirection
	RDP session limit timeouts
	Summary
Chapter 5: Preventing Data Leakage from Desktops
	Preventing screen captures
		Enabling screen capture protection for Windows 365
		Enabling screen capture protection for Azure Virtual Desktop
	Introducing and configuring watermarking
		Enabling watermarking for Windows 365
		Resolving information in QR codes
		Enabling watermarking for Azure Virtual Desktop
	Configuring screen locks
		Dynamic locking
		Screen savers
		Smart cards
		Session time limits
	Summary
Chapter 6: Update Management Strategies
	Windows Update for Business
	Windows Autopatch
		Licensing Windows Autopatch
		Enrolling into Windows Autopatch
		Registering devices to Windows Autopatch
		Release management in Windows Autopatch
		Autopatch groups
		Managing the Windows Autopatch service
	Managing updates using custom image templates
		Introducing custom image templates
		Preparing for custom image templates
		Creating a custom image template
		Using custom image templates as part of the update strategy
	Manually creating custom images
		The prerequisites to creating a custom image
		Creating a custom image for Windows 365
		Creating a custom image for Azure Virtual Desktop
	Summary
Chapter 7: Threat Detection and Prevention
	Microsoft Defender for Endpoint
		Requirements for Microsoft Defender for Endpoint
		Enrolling Windows 365 Cloud PCs into Microsoft Defender for Endpoint
		Using a security baseline as a starting point
		Enrolling an Azure Virtual Desktop session host into Microsoft Defender for Endpoint
	Introducing tamper protection
		Enabling tamper protection
		Verifying the tamper protection status
		Tamper-protected settings
	Encrypting data on the virtual desktop
		Encryption for Windows 365 Cloud PCs
		Encryption for Azure Virtual Desktop session hosts
	Summary
Chapter 8: Configuring Access Control
	Configuring Role-Based Access Control (RBAC)
		RBAC for AVD
		Management group RBAC assignment
		Subscription RBAC assignment
		Resource group RBAC assignment
		RBAC for Windows 365
	Azure Bastion
		Azure Bastion custom role
		Using Azure Bastion
	Configuring JIT
	Microsoft Privileged Identity Management
	Windows Local Administrator Password Solution (LAPS)
		Windows LAPS Azure Virtual Desktop
		Windows LAPS for Cloud PCs
	Summary
Part 4: Additional Security Controls per Solution
Chapter 9: Securing Windows 365
	Introducing the Windows 365 advanced deployment guide
		Deployment options
		Pre-deployment options
	Security guidelines for Windows 365
	Local admin rights
	Endpoint Privilege Management
		Creating an elevation settings policy
		Creating an elevation rules policy
		Acquiring the file hash
	Creating and exporting Cloud PC restore points
		Creating a restore point
		Exporting a restore point
		Placing a Cloud PC under review
	Tips and tricks
		Tip 1 – Use Windows 365 Boot with multiple Cloud PCs
		Tip 2 – Make sure that users always have to sign in to the Cloud PC
	Summary
Chapter 10: Securing Azure Virtual Desktop
	Configuring backups
		Creating a Recovery Services vault
		Backup policy session hosts
		Restoring session hosts
		Backup policy for FSLogix
	Restoring an FSLogix profile
	Securing AVD with private endpoints
		Host pool private endpoints
		Workspace private endpoints
	Trusted launch and confidential computing
		Trusted launch
		Confidential computing
	Configuring AppLocker
	Securing OneDrive
		Securing OneDrive with a GPO
		Securing OneDrive with Intune
	Active Directory structure and security
		Separated OU
		Separated GPO for each environment
		Dedicated service account to domain join
	Summary
Chapter 11: Securing Azure Infrastructure
	Configure storage security
		RBAC roles on the storage account
		Applying the correct NTFS permissions
		Configuring private access using a private endpoint
		Configuring NSGs
	Configure network security with Azure Firewall
		Using IP groups in firewall policies
	Configure network security with NSGs
	Deploying AVD on dedicated hosts
	Configuring Defender for Cloud
	Deploying an Azure VPN gateway
	Summary
Part 5: Use Cases
Chapter 12: Windows 365 Use Cases
	When to use Windows 365 as your personal desktop
	Windows 365 as a replacement for on-premise VDI
		Why is Windows 365 a good alternative to an on-premise VDI?
	Windows 365 for contractors
		Why is Windows 365 a good solution to provide a secure desktop for contractors?
	Using Windows 365 as a privileged access workstation
		Why is Windows 365 a good solution as a PAW?
	How Windows 365 Boot helps to secure an endpoint
		Why is using Windows 365 Boot a good way to secure a local desktop?
	Enhancing security by restricting access to Office 365 services to Cloud PCs
		The scenario of restricting Office 365 access to Cloud PCs
		How to restrict Office 365 access to Cloud PCs
	Windows 365 Frontline versus Windows 365 Enterprise
		Why should companies prefer Frontline Cloud PCs?
		How to license for Windows 365 Frontline
	Summary
Chapter 13: Azure Virtual Desktop Use Cases
	AVD for external users using Bring Your Own Device (BYOD)
	Using remote apps instead of desktops
	AVD as a disaster recovery solution
	AVD for a break/fix scenario
	Running AVD on Azure Stack HCI
	Summary
Index
Other Books You May Enjoy