WVD: Best Virtualized End-user Experience


The WVD end-user experience is the best user experience available for a virtualized desktop.

Let's see why:

  • WVD allows users to connect from any device. The WVD experience on macOS and other operating systems is designed to be indistinguishable from native:
    • Local and remote UI is optimized for the various form factors across all supported platforms: Windows, macOS, iOS, HTML5, and Android.
    • Performance of clients built on the Linux SDK is at parity with the other non-Windows clients.
    • The macOS client provides an integrated RemoteApp experience.
    • The iOS, Android, and HTML5 clients provide an immersive RemoteApp experience.
  • Extremely fast logon times. WVD gets them from containerized user profiles (FSLogix profile containers): the user's profile lives on a virtual disk that is attached to the session host at sign-in, instead of being copied across with every logon.
  • It should be no surprise that Windows devices are advantaged, because Microsoft can do more with Windows devices. Customers with Windows devices get a "like-local" Windows experience, and the best support we can offer.
  • You'll notice two of the core services called out on this page: Office 365 and Teams. Microsoft engineering is working to make sure that customers get the best possible experience when they use Office 365 and Teams in a virtual deployment. The best experience for Office 365 means, for example, that email, calendar and Outlook performance is on par with using Office 365 on your Windows client.

The difference between traditional VDI/RDS and DaaS

A PaaS service enables you to create a repeatable Desktop as a Service offering. This lets you scale your DaaS (or WVD) offering without the in-depth technical knowledge that previous RDS/VDI deployments required: the broker, gateway and web access roles are run by the service, so you can focus on managing your customers' experience rather than the IT back end.

Windows Virtual Desktop Customer Benefits

Windows Virtual Desktop FAQ

What is Windows Virtual Desktop?
Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It is the only service that delivers simplified management, multi-session Windows 10, optimization for Office 365 ProPlus, and support for Remote Desktop Services environments. With Windows Virtual Desktop you can deploy and scale your Windows desktops and apps on Azure in minutes, with built-in security and compliance.
What are the key benefits of Windows Virtual Desktop?
• Multi-session Windows 10 that delivers the cost advantages of server-based virtualization
• The best service to virtualize Office 365 ProPlus running in multi-user virtual scenarios
• The only service to provide Windows 7 virtual desktop with free Extended Security Updates, giving you more options to support legacy applications while you transition to Windows 10
• Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps
• Manage Windows 10, Windows Server, and Windows 7 desktops and apps all with a unified management experience on Azure
• Seamlessly virtualize both desktops and apps
What is the new Windows 10 multi-session?
Windows Virtual Desktop enables a capability of Windows 10 Enterprise multi-session that is available only in Azure. This allows full-fidelity access to a Windows 10 experience, including the user experience, Office 365 ProPlus support, Microsoft Edge, Cortana, a per-user search index and access to the Microsoft Store, while taking advantage of the cost efficiency of shared compute resources previously available only with server-based virtualization.
What operating systems are supported by WVD?
Windows 10 multi-session, Windows 10 single-session, Windows 7 single-session, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019

How does the WVD solution reduce costs?
WVD reduces customer costs by reducing infrastructure, licensing, and labor costs. Multi-session Windows 10 allows significant savings in compute resources, and the WVD service replaces the complex management requirements of RDS/VDI solutions. WVD access is included with many existing per-user licenses (eligible Microsoft 365 and Windows Enterprise subscriptions), so for Windows 10 session hosts you no longer have to buy RDS CALs; note that Windows Server session hosts still require RDS CALs with active Software Assurance. Finally, labor savings come from the shift from IaaS to PaaS: Microsoft runs the core services such as the broker, gateway and web access, removing that management overhead.
Will WVD support Microsoft Office?
Yes. The best experience of Office is with Office 365 ProPlus, which is supported by Windows 10 multi-session. Perpetual versions of Office will not be supported by Windows 10 multi-session but will be supported on Windows Server operating systems with Windows Virtual Desktop.
What is required to run WVD?
You need an Azure tenant (Azure Active Directory) and a subscription with enough permissions to create resources. In practice the session hosts must also join an Active Directory domain that the virtual network can reach (Windows Server AD DS or Azure AD Domain Services), and the users signing in must be synchronized to that tenant's Azure AD and hold an eligible license.

Can we try WVD out now as a POC?
Yes! WVD has been generally available since September 2019, so a proof of concept can be built on the production service.

Contact us today for all your Windows Virtual Desktop requirements!


Microsoft 365 Business: Comprehensive security against advanced cyberthreats

Microsoft 365 Business can help you consolidate some of the point solutions across productivity and security that create risk and complexity for any small business.

Here is a comparison between the point solutions a small business typically buys separately and the Microsoft 365 Business suite of products:

Point solutions bought separately (and the capability each one covers)
  • Cloud identity management: JumpCloud
  • Information rights management: Azure Information Protection
  • Email anti-virus and DLP: Barracuda Essentials
  • Endpoint management for SMB: AirWatch Express
Microsoft 365 Business covers the same capabilities under a single per-user subscription.

As a trusted Microsoft partner, we can help you subscribe and set up all the advanced security features of Microsoft 365 Business: contact us today!

    Business continuity strategy

    To enable a proper business continuity strategy, you need all the parts that form a well-designed game plan for when things go wrong.

    In the cloud-enabled model of application and data availability and resiliency, costs are lower across the board for a holistic backup, disaster recovery, and archive plan.

    • High availability: when an application has a catastrophic failure, a second instance keeps running. Ensuring high availability (99.999% uptime) is the most expensive resiliency plan, but it is significantly more affordable in the cloud. With a hyper-scale cloud like Microsoft Azure, a spike in demand or traffic isn't something to worry about: the scale you need is a few clicks away, and you can scale up or down based on demand in a few minutes. Cloud also removes the need for multiple or offsite datacenters, because workloads running in Azure are served from Azure's global datacenters. Azure is pay-as-you-go, so you are charged only for what you use. With cloud, high availability is available to everyone: stay up and avoid the negative impact on your productivity, brand, and profits.
    • Disaster recovery: when your applications have a catastrophic failure, run them in Azure or in a secondary datacenter. Like high availability, traditional disaster recovery (DR) is very expensive, and a cloud-based model for DR is significantly less expensive and more efficient than the traditional approach. No one can predict the future, and even an hour of downtime can spell disaster for a business. Azure makes DR a reality for every business: businesses can rid themselves of the cost and overhead of the redundant and offsite datacenters that traditional DR plans require. No more servers to maintain, and no more assigning mundane service tasks to your IT talent. Azure's global datacenters make it easy to house apps and data where it makes the most business sense, keeping mission-critical workloads in remote, secured locations. With Azure you are prepared for when disaster strikes, able to get back to business in minutes rather than hours or days.
    • Backup: when your data is corrupted, deleted or lost, you can restore it. Backups are best thought of as snapshots: a moment in your business's life captured for the sake of continuity. If all of your company's data is lost, you can revert to a backup from the previous day, week or month, depending on how often you back up. Azure Backup lowers the cost of an already inexpensive safeguard, so even small businesses with fixed IT budgets can afford it, and it grants users anytime, anywhere access to their data from nearly any device. Backup data is housed safely offsite, in the event of a natural or human disaster.

    Our Managed Azure Services can help with all of them!

    Google Cloud Platform CIS security controls

    This security configuration benchmark covers foundational elements of Google Cloud Platform. The security controls listed here are important considerations when designing your infrastructure on Google Cloud Platform. Most of the controls in this release of the benchmark (1.0.0) cover security considerations at the individual project level only, not at the organization level.

    1 Identity and Access Management
    1.1 Ensure that corporate login credentials are used instead of Gmail accounts
    1.2 Ensure that multi-factor authentication is enabled for all non-service accounts
    1.3 Ensure that there are only GCP-managed service account keys for each service account
    1.4 Ensure that service accounts have no Admin privileges
    1.5 Ensure that IAM users are not assigned the Service Account User role at project level
    1.6 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
    1.7 Ensure that separation of duties is enforced while assigning service account related roles to users
    1.8 Ensure encryption keys are rotated within a period of 365 days
    1.9 Ensure that separation of duties is enforced while assigning KMS related roles to users
    1.10 Ensure API keys are not created for a project
    1.11 Ensure API keys are restricted to use by only specified hosts and apps
    1.12 Ensure API keys are restricted to only the APIs that the application needs access to
    1.13 Ensure API keys are rotated every 90 days
    2 Logging and Monitoring
    2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users in a project
    2.2 Ensure that sinks are configured for all log entries
    2.3 Ensure that object versioning is enabled on log buckets
    2.4 Ensure a log metric filter and alert exist for project ownership assignments/changes
    2.5 Ensure a log metric filter and alert exist for audit configuration changes
    2.6 Ensure a log metric filter and alert exist for custom role changes
    2.7 Ensure a log metric filter and alert exist for VPC network firewall rule changes
    2.8 Ensure a log metric filter and alert exist for VPC network route changes
    2.9 Ensure a log metric filter and alert exist for VPC network changes
    2.10 Ensure a log metric filter and alert exist for Cloud Storage IAM permission changes
    2.11 Ensure a log metric filter and alert exist for SQL instance configuration changes
    3 Networking
    3.1 Ensure the default network does not exist in a project
    3.2 Ensure legacy networks do not exist for a project
    3.3 Ensure that DNSSEC is enabled for Cloud DNS
    3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
    3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
    3.6 Ensure that SSH access is restricted from the internet
    3.7 Ensure that RDP access is restricted from the internet
    3.8 Ensure Private Google Access is enabled for all subnetworks in the VPC network
    3.9 Ensure VPC Flow Logs are enabled for every subnet in the VPC network
    4 Virtual Machines
    4.1 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
    4.2 Ensure "Block project-wide SSH keys" is enabled for VM instances
    4.3 Ensure OS Login is enabled for a project
    4.4 Ensure "Enable connecting to serial ports" is not enabled for VM instances
    4.5 Ensure that IP forwarding is not enabled on instances
    4.6 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
    5 Storage
    5.1 Ensure that Cloud Storage buckets are not anonymously or publicly accessible
    5.2 Ensure that there are no publicly accessible objects in storage buckets
    5.3 Ensure that logging is enabled for Cloud Storage buckets
    6 Cloud SQL Database Services
    6.1 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
    6.2 Ensure that Cloud SQL database instances are not open to the world
    6.3 Ensure that the MySQL database instance does not allow anyone to connect with administrative privileges
    6.4 Ensure that the MySQL database instance does not allow root login from any host
    7 Kubernetes Engine
    7.1 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine clusters
    7.2 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine clusters
    7.3 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine clusters
    7.4 Ensure Master authorized networks is set to Enabled on Kubernetes Engine clusters
    7.5 Ensure Kubernetes clusters are configured with labels
    7.6 Ensure the Kubernetes web UI / Dashboard is disabled
    7.7 Ensure automatic node repair is enabled for Kubernetes clusters
    7.8 Ensure automatic node upgrades are enabled on Kubernetes Engine cluster nodes
    7.9 Ensure Container-Optimized OS (COS) is used for the Kubernetes Engine cluster node image
    7.10 Ensure Basic Authentication is disabled on Kubernetes Engine clusters
    7.11 Ensure network policy is enabled on Kubernetes Engine clusters
    7.12 Ensure the Kubernetes cluster is created with Client Certificate enabled
    7.13 Ensure the Kubernetes cluster is created with Alias IP ranges enabled
    7.14 Ensure the PodSecurityPolicy controller is enabled on Kubernetes Engine clusters
    7.15 Ensure the Kubernetes cluster is created with Private cluster enabled
    7.16 Ensure Private Google Access is set on Kubernetes Engine cluster subnets
    7.17 Ensure the default service account is not used for project access in Kubernetes clusters
    7.18 Ensure Kubernetes clusters are created with limited service account access scopes for project access
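
    The following is an added example, not part of this page or of the CIS benchmark itself: a small offline checker for a handful of the controls above (1.3, 3.1, 3.6, 3.7, 4.5 and 5.1), run over an inventory in the JSON shape that gcloud and gsutil emit with --format=json. The inventory, the project name and every resource name in it are constructed for the example; a real audit would load the output of gcloud compute networks list, gcloud compute firewall-rules list, gcloud compute instances list, gcloud iam service-accounts keys list and gsutil iam get into the same structure.

```python
"""Added example: offline checks for a few CIS GCP Benchmark 1.0.0 controls.

The inventory mirrors the JSON shape of `gcloud ... --format=json` and
`gsutil iam get` output. All data below is constructed for the example.
"""
import ipaddress

INVENTORY = {  # constructed sample data, not a real project
    "networks": [{"name": "default"}, {"name": "prod-vpc"}],
    "firewall_rules": [
        {"name": "allow-ssh-corp", "direction": "INGRESS", "disabled": False,
         "sourceRanges": ["203.0.113.0/24"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
        {"name": "default-allow-rdp", "direction": "INGRESS", "disabled": False,
         "sourceRanges": ["0.0.0.0/0"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
        {"name": "allow-all-from-anywhere", "direction": "INGRESS", "disabled": False,
         "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
        {"name": "old-rule-disabled", "direction": "INGRESS", "disabled": True,
         "sourceRanges": ["0.0.0.0/0"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["20-30"]}]},
    ],
    "instances": [{"name": "nat-gw", "canIpForward": True},
                  {"name": "web-1", "canIpForward": False}],
    "service_account_keys": [
        {"name": "projects/p/serviceAccounts/ci@p.iam.gserviceaccount.com/keys/1a",
         "keyType": "USER_MANAGED"},
        {"name": "projects/p/serviceAccounts/ci@p.iam.gserviceaccount.com/keys/2b",
         "keyType": "SYSTEM_MANAGED"},
    ],
    "bucket_iam": {
        "public-site": {"bindings": [{"role": "roles/storage.objectViewer",
                                      "members": ["allUsers"]}]},
        "backups": {"bindings": [{"role": "roles/storage.objectAdmin",
                                  "members": ["user:ops@example.com"]}]},
    },
}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def _port_covered(allowed_entry, port):
    """True if an `allowed` entry covers the port (no 'ports' key means all ports)."""
    for spec in allowed_entry.get("ports", ["0-65535"]):
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _world_open(rule):
    """Enabled ingress rule whose source range covers every address (0.0.0.0/0 or ::/0)."""
    return (rule.get("direction", "INGRESS") == "INGRESS" and not rule.get("disabled")
            and any(ipaddress.ip_network(r, strict=False).prefixlen == 0
                    for r in rule.get("sourceRanges", [])))


def rules_exposing_port(rules, port):
    """Controls 3.6 (port 22) and 3.7 (port 3389): rules allowing the port from the internet."""
    hits = []
    for rule in rules:
        if not _world_open(rule):
            continue
        for allowed in rule.get("allowed", []):
            if allowed["IPProtocol"].lower() in ("all", "tcp") and _port_covered(allowed, port):
                hits.append(rule["name"])
                break
    return hits


def audit(inv):
    """Return {control_id: [offending resource names]} for the controls implemented here."""
    findings = {
        "1.3": sorted({k["name"].split("/serviceAccounts/")[1].split("/")[0]
                       for k in inv["service_account_keys"] if k["keyType"] == "USER_MANAGED"}),
        "3.1": [n["name"] for n in inv["networks"] if n["name"] == "default"],
        "3.6": rules_exposing_port(inv["firewall_rules"], 22),
        "3.7": rules_exposing_port(inv["firewall_rules"], 3389),
        "4.5": [i["name"] for i in inv["instances"] if i.get("canIpForward")],
        "5.1": [b for b, pol in inv["bucket_iam"].items()
                if any(PUBLIC_PRINCIPALS & set(bind.get("members", []))
                       for bind in pol.get("bindings", []))],
    }
    return {cid: names for cid, names in findings.items() if names}


if __name__ == "__main__":
    for cid, names in audit(INVENTORY).items():
        print(f"FAIL CIS {cid}: {', '.join(names)}")
```

    Two details matter more than they look. A rule with IPProtocol "all" and no ports key covers SSH and RDP even though neither port is named, which is why the checker treats a missing ports list as every port; and disabled rules are skipped, so the benchmark's remediation of disabling rather than deleting a rule is honoured.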

    Our Google Cloud Platform security services can enable your environment to be fully compliant with this security standard.

    NSG and forced tunneling

    Azure Network Security- Network Security Groups (NSG) and Forced Tunneling

    Network Security Groups (NSG):

    • Enable network segmentation and DMZ scenarios
    • An access control list of network traffic rules, grouped as a security group
    • Associated with network interfaces or with virtual machine subnets (in the classic model, with virtual machines directly); not supported on the gateway subnet
    • Each rule is a 5-tuple (source address, source port, destination address, destination port and protocol) with an Allow or Deny action and a priority
    • Rules are separated into inbound and outbound rules
    • Rules are evaluated in order of priority (lowest number first); the first match wins and evaluation stops, so a Deny with a lower number than an Allow blocks the traffic
    • Network traffic rules can be updated independently of the virtual machines
    • Controlled access to and from the Internet

    Network security group models: at the subnet level and at the VM/NIC level.

    • Subnet-level NSGs: an NSG rule applied to a subnet is logically like a firewall rule applied at the switch, affecting inbound and outbound traffic on every port of the switch. Any VM connected to a switch port is affected by the NSG rule applied to the subnet.
    • VM/NIC-level NSGs: apply NSGs at the VM or at the NIC of a virtual machine. This allows greater flexibility in how traffic is filtered. When both levels are in use, inbound traffic must be allowed by the subnet NSG and then by the NIC NSG (outbound: NIC first, then subnet); a Deny at either level blocks the flow, so a NIC-level NSG carrying only the default rules will drop inbound traffic from outside the VNet even when the subnet NSG allows it.
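
    The evaluation order described above, as an added example that is not part of the original page: a small Python model of how an NSG decides on a packet, with the platform's default rules and the subnet-then-NIC combination. The VNet range, rule names, addresses and the two NSGs are constructed for the example; service tags are simplified (Internet is treated as anything outside the VNet range).

```python
"""Added example (not the page's): evaluate Azure NSG rules as the platform does.
Rules are matched in ascending priority and the first match wins; the platform's
default rules sit at 65000-65500. With NSGs at both levels, inbound traffic is
checked against the subnet NSG and then the NIC NSG (outbound: NIC, then subnet),
and a Deny at either level drops the packet. Everything below is constructed.
"""
from collections import namedtuple
import ipaddress

VNET_RANGES = [ipaddress.ip_network("10.0.0.0/16")]   # assumed VNet address space
AZURE_LB = ipaddress.ip_network("168.63.129.16/32")    # AzureLoadBalancer probe source

# Rule fields: source/destination are a CIDR, "*" or a service tag; ports are "*", "22" or "1024-65535".
Rule = namedtuple("Rule", "name priority direction access protocol source source_port destination dest_port")
Packet = namedtuple("Packet", "direction protocol src_ip src_port dst_ip dst_port")

# Default rules present in every NSG; they cannot be removed, only preceded by lower numbers.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

def _addr_match(spec, ip_str):
    """Service tags simplified: Internet means anything outside the VNet ranges."""
    ip = ipaddress.ip_address(ip_str)
    in_vnet = any(ip in net for net in VNET_RANGES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB
    if spec == "Internet":
        return not in_vnet
    return ip in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, pkt):
    """First matching rule by ascending priority; returns (access, rule name)."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == pkt.direction
                and (r.protocol == "*" or r.protocol.lower() == pkt.protocol.lower())
                and _addr_match(r.source, pkt.src_ip) and _port_match(r.source_port, pkt.src_port)
                and _addr_match(r.destination, pkt.dst_ip) and _port_match(r.dest_port, pkt.dst_port)):
            return r.access, r.name
    raise AssertionError("unreachable: a DenyAll default rule matches everything")

def effective_access(subnet_rules, nic_rules, pkt):
    """Combine subnet- and NIC-level NSGs in the platform's order; a Deny at either level wins."""
    order = (subnet_rules, nic_rules) if pkt.direction == "Inbound" else (nic_rules, subnet_rules)
    decision = ("Allow", "no NSG")
    for rules in order:
        decision = evaluate(rules, pkt)
        if decision[0] == "Deny":
            break
    return decision

# Constructed policy: RDP only from the corporate range. The NIC NSG also blocks RDP
# from other VMs in the VNet, which the subnet's default AllowVnetInBound would permit.
SUBNET_RULES = [Rule("allow-rdp-corp", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "3389")]
NIC_RULES = [
    Rule("allow-rdp-corp", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "3389"),
    Rule("deny-rdp-from-vnet", 110, "Inbound", "Deny", "Tcp", "VirtualNetwork", "*", "*", "3389"),
]

def demo(src_ip, dst_ip="10.0.1.4", dst_port=3389, direction="Inbound"):
    """Decision for a single TCP flow against the constructed subnet and NIC NSGs."""
    return effective_access(SUBNET_RULES, NIC_RULES,
                            Packet(direction, "Tcp", src_ip, 50000, dst_ip, dst_port))
```

    Running demo("10.0.2.5") shows the point of the NIC-level model: the subnet NSG allows the lateral RDP attempt through its default AllowVnetInBound rule, and only the NIC NSG's deny-rdp-from-vnet rule (priority 110, evaluated before 65000) stops it.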

    Forced tunneling

    • "Forces" or redirects customer Internet-bound traffic to an on-premises site via a default route (0.0.0.0/0)
    • VPN gateway: done per subnet, with a user-defined route for 0.0.0.0/0 whose next hop is the virtual network gateway; the gateway also needs a default site (the on-premises VPN site) configured
    • ExpressRoute: done at the BGP level, by advertising a default route from on-premises over the ExpressRoute peering
    • More specific routes in a UDR override the default route (longest prefix match wins), so selected destinations can still go straight to the Internet
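
    The route lookup behind the last two bullets, as an added example that is not part of the original page: the longest matching prefix wins, and on equal prefix length a user-defined route beats a BGP route, which beats a system route. The 0.0.0.0/0 route to the virtual network gateway is the forced-tunneling case; the more specific route back to Internet is the override. The VNet range, the SaaS prefix 192.0.2.0/24 and the route entries are constructed for the example.

```python
"""Added example (not the page's): next-hop selection as an Azure subnet route
table performs it. Longest prefix wins; on a tie, user route > BGP route > system
route. Prefixes and next hops below are constructed.
"""
import ipaddress

PRECEDENCE = {"user": 0, "bgp": 1, "system": 2}   # lower wins on equal prefix length

# System routes every subnet starts with (VNet address space assumed 10.0.0.0/16).
SYSTEM_ROUTES = [
    ("10.0.0.0/16", "VirtualNetwork", "system"),
    ("0.0.0.0/0", "Internet", "system"),
]


def next_hop(routes, dst_ip):
    """Return the next-hop type for dst_ip; a route whose next hop is 'None' blackholes it."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop, origin in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip not in net:
            continue
        key = (-net.prefixlen, PRECEDENCE[origin])   # longer prefix, then higher precedence
        if best is None or key < best[0]:
            best = (key, hop)
    return best[1] if best else "None"


# Forced tunneling: send all Internet-bound traffic to on-premises via the gateway,
# but keep a constructed SaaS prefix going straight out to the Internet.
FORCED_TUNNEL = SYSTEM_ROUTES + [
    ("0.0.0.0/0", "VirtualNetworkGateway", "user"),
    ("192.0.2.0/24", "Internet", "user"),
]
```

    Note that the user route for 0.0.0.0/0 wins over the system route only because of precedence, not prefix length; without the 192.0.2.0/24 override every Internet-bound packet, including traffic to SaaS endpoints, would go through the on-premises egress.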

    Network Security for Azure environments

    Network security typically falls into three areas:

    • Secure/manage traffic flow between applications, their tiers, between different environments, and other services
    • Secure/manage traffic flow between users and the application
    • Secure/manage traffic flow between the applications and the Internet

    Azure Network security is about building a defense in depth approach.

    The usual types of services that need to be protected from the network perspective can be categorized as follows:

    • IaaS services connected to subnets
    • PaaS services connected to subnets
    • Public facing PaaS services with security lockdown
    • Public facing PaaS services with TLS access restrictions

    Improve your Azure enhanced Secure Score

    The enhanced Azure Secure Score is attack surface focused and brings three benefits:

    • Security Controls – Security recommendations are grouped into logical sets that better reflect your vulnerable attack surfaces.
    • Overall score better reflects the overall posture – Your score will only improve when you remediate all of the recommendations for a single resource within a control. That means that your score only improves when the security of a resource improves.
    • Security status of individual attack surfaces is more visible – By showing the score per Security Control, the Secure Score page becomes the place where you can get a granular view of how well your organization is securing each individual attack surface.

    In order to remediate most of the security controls and improve your Azure Secure Score, you can use our Managed Azure Services: enabling the CIS benchmark policies, for example, drives remediation of many of the recommendations that feed the score, so your Secure Score rises as those recommendations are closed.

    You should also remember that our managed security services can disable or customize the security policies as they apply to your particular environment, so that when the Secure Score is calculated you won't be penalized for controls that don't apply to your requirements. A disabled recommendation is removed from the calculation rather than counted as passed, so record the reason for each exemption.

    Azure Security Center and Azure Policies – perfect companions

    In the past, cybersecurity and privacy were often low on the list of priorities for nonprofits and small businesses. But as cyberthreats have increased, so have the risks of ignoring them. Breaches, compromised data, and cyberattacks can put vulnerable beneficiaries at risk, disrupt operations and services, expose your organization to liability, and tarnish the reputation you have so painstakingly built.

    To combat those threats, small businesses and nonprofits need to:

    • Identify, assess, and mitigate security risks.
    • Stay up-to-date with security best practices and the overall  threat landscape.
    • Correctly respond to compliance obligations in a timely fashion.

    Azure Security Center and Azure Policies are tools that can help protect your data and cloud infrastructure while maintaining a high level of productivity.

    Many small businesses don’t have the resources or the in-house skills to perform those tasks, but you can use the extensive technical skills of NovaQuantum to secure your Azure environment today!

    Our skilled team of professionals has extensive security and compliance expertise that can help organizations like yours determine your level of risk, keep your security current, and meet compliance requirements. A great way to begin is with an assessment of your current technology and your level of security, measured against a well-known security standard such as CIS. We'll also let you know about new options available with the latest Microsoft technologies. Contact us today!
