Supported Windows security configurations for Remote Desktop Services VDI
Windows and Windows Server have new layers of protection built into the operating system to:
- Safeguard against security breaches
- Help block malicious attacks
- Enhance the security of virtual machines, applications, and data
Note
Features like Credential Guard may have performance implications for user density. Be sure to test your scenarios. Learn more about other considerations for Credential Guard configuration.
Make sure to review the Remote Desktop Services supported configuration information.
The following table outlines which of these new features are supported in a VDI deployment using RDS.
VDI collection type | Managed pooled | Managed personal | Unmanaged pooled | Unmanaged personal |
---|---|---|---|---|
Credential Guard | Yes | Yes | Yes | Yes |
Device Guard | Yes | Yes | Yes | Yes |
Remote Credential Guard | No | No | No | No |
Shielded & Encryption Supported VMs | No | No | Encryption supported VMs with extra configuration | Encryption supported VMs with extra configuration |
Remote Credential Guard
Remote Credential Guard is supported only for direct connections to the target machines, not for connections made through Remote Desktop Connection Broker and Remote Desktop Gateway.
Note
If you have a Connection Broker in a single-instance environment, and the DNS name matches the computer name, you may be able to use Remote Credential Guard, although this isn't supported.
Shielded VMs and Encryption Supported VMs
Shielded VMs aren't supported in Remote Desktop Services VDI.
To use Encryption Supported VMs:
- Use an unmanaged collection and a provisioning technology outside of the Remote Desktop Services collection creation process to provision the virtual machines.
- User Profile Disks aren't supported, as they rely on differential disks.