Securing Cloud Pcs And Azure Virtual Desktop May 2026
She showed him the log: A single API call to the AVD management plane, executed with stolen credentials. The call changed the assignment of a developer’s Cloud PC from “User A” to “Attacker B.” Then, the attacker launched a new session. No brute force. No malware. Just a misconfigured Azure RBAC role.
This was the nuclear option. She rebuilt the Azure Compute Gallery. Instead of persistent Cloud PCs that lived for months, she deployed multi-session AVD pools with Ephemeral OS disks. Every time a user signed out, their entire Cloud PC was destroyed and rebuilt from a fresh, immutable gold image.
Because if you can access a virtual desktop from a beach in Bali, so can a threat actor—if they steal the right key.
“If we don’t lock down the control plane, yes,” Marta said. “The Cloud PC is a ghost. You can’t handcuff a ghost. You have to lock the séance room.”
The CISO, a veteran of the firewall era, looked confused. “But our Cloud PCs are secured. We have anti-malware. We have network security groups.”
The old network security groups were wide open. Marta redesigned the virtual network. She enabled AVD’s RDP Shortpath for low latency, but wrapped it in Azure Firewall with FQDN-based filtering. More critically, she deployed Network Security Groups (NSGs) at the subnet level that only allowed RDP traffic from the AzureInstanceMetadataService tag—no direct internet access for session hosts. If a Cloud PC was compromised, it couldn’t phone home. It was a silent room with no windows.
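The subnet-level lockdown described above, as an added example in Bicep that is not the story's own configuration: resource names and the API version are assumptions, the service tags are Azure's built-in ones, and the rules implement the "no direct internet for session hosts" design (outbound 443 to the WindowsVirtualDesktop tag for AVD reverse connect, everything else forced through Azure Firewall) rather than the inbound RDP rule the narrative mentions.

```bicep
// Added example (not the page's own configuration). Resource names and the
// API version are assumptions; service tags are Azure's built-in ones.
param location string = resourceGroup().location

resource sessionHostNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-avd-sessionhosts'   // assumed name; associate it with the host subnet
  location: location
  properties: {
    securityRules: [
      {
        // AVD reverse connect: session hosts only need outbound 443 to the
        // AVD service tag, so no inbound RDP rule from the internet is needed.
        name: 'Allow-AVD-Control-Plane-Outbound'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'WindowsVirtualDesktop'
          destinationPortRange: '443'
        }
      }
      {
        // Block direct egress; all other traffic must reach the internet via
        // Azure Firewall (route table not shown), where FQDN filtering applies.
        name: 'Deny-Internet-Outbound'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

A compromised session host behind this NSG cannot open an outbound connection to an arbitrary address; it can only reach the AVD control plane directly and whatever the firewall's FQDN allow-list permits.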
Marta stared at the alert dashboard. It was 11:47 PM. The office was empty, but the Azure Virtual Desktop host pool was not.