Strong and Simple Authentication, Clean Kiosk, and Zero Trust

This is a follow-up article to the previous blog about smart card authentication to Windows 365, which can be found here: https://www.igel.com/blog/authentication-to-windows-365-with-igel-smart-card/

Usually our life isn’t binary; very few organizations have the luxury of having only ONE single solution for their IT environment. In this follow-up blog I take the opportunity to show how IGEL OS can be your companion, enabling secure certificate-based authentication with Entra ID and smart card while using both Windows 365 and Azure Virtual Desktop. Many organizations looking at, or already using, Azure Virtual Desktop and Windows 365 will in many cases combine both to fulfill different use cases.
Let’s deliver simple roaming between stations for your users, who have no interest at all in HOW the IT infrastructure is set up. They just want to do their work, and they certainly don’t care whether they connect to a Windows 365 or an Azure Virtual Desktop (AVD) session.

In many organizations that I have had the pleasure to engage with, the optimal configuration is to have non-personal kiosk stations scattered across the organization’s office/hospital/warehouse. Their users should be able to just walk up to one of the stations, insert their smart card, easily roam their remote session to that station wherever they are, and get back to where they were when leaving the last kiosk station.
At the same time, the solution that I demonstrate in the video below of course fulfills single user – single device, making it ideal for a Zero Trust initiative.
You might think that this will add waiting time for users: when using the IGEL OS AVD or Windows 365 App there are no subscribed resources, so it must take longer to complete the login sequence!? Actually, that is not the case. A complete smart card certificate-based authentication to Entra, including getting connected to a desktop, takes just shy of 14 seconds. All while maintaining Zero Trust!

Adding to that, the possibility IGEL OS gives you to assign a custom AppID to your IGEL OS endpoints when connecting to the AVD/Windows 365 services raises security dramatically! I happened to write a blog on that subject, which you can read here: https://www.igel.com/blog/elevate-avd-and-windows-365-access-with-insider-tips-for-igel-os/

Let’s get back to what I’m about to show you. My IGEL OS device is configured for a kiosk type of scenario. I have disabled any user access to the operating system, so the only way to interact with the kiosk station is to insert the smart card, validate the PIN, and connect to the desktop in Azure, be it AVD or Windows 365. Actually, this can be used with Azure Virtual Desktop on Azure Local too.
After validating the PIN for the smart card, the user is logged in without any further interaction, is taken back to the virtual desktop, and can continue to be productive in a matter of seconds.

When the user is done and needs to rush off elsewhere in the organization, simply removing the smart card from the IGEL OS endpoint disconnects the remote session and returns the IGEL OS kiosk to a state where it is ready for the next user to insert their smart card.

As you can see in the video, I have created a custom wallpaper that also carries over to the interaction screen of the AVD client, instructing the user about what to do to get started. With the nifty device customizations in IGEL UMS, this can be a way for you to talk to your users: by using desktop customization updates, you can push a new welcome screen to your users in a matter of seconds, to inform them about outages or other important messages.

Now, let’s look at the video on optimal user experience with smart card session roaming, Microsoft Entra ID, Azure Virtual Desktop and Windows 365!
By the way, all the configurations that I did for this video can be found in the blog here!

Hope you found this useful! Stay tuned for the upcoming blog on PIV, CAC and security keys.

/Fred

Fredrik Brattstig

Senior Technology Evangelist at IGEL