Essential Eight Compliance with Managed AVD

What is the Essential Eight?
The Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC) to reduce the most common cybersecurity risks. For Australian organisations they are increasingly treated as baseline requirements rather than optional best practice. The simplicity of the eight controls can be deceptive, however: the real challenge is climbing the maturity levels, and even reaching Maturity Level One, where most organisations start, takes sustained effort.
As described in the Essential Eight maturity model on Cyber.gov.au, the maturity levels measure how effectively the eight strategies are implemented, and each level is defined by the tradecraft of the adversary it is designed to counter.
- Maturity Level Zero: This maturity level signifies that there are weaknesses in an organisation’s overall cybersecurity posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data, as described by the tradecraft and targeting in Maturity Level One below.
- Maturity Level One: The focus of this maturity level is malicious actors who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, a system.
- Maturity Level Two: The focus of this maturity level is malicious actors operating with a modest step-up in capability from the previous maturity level. These malicious actors are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools.
- Maturity Level Three: The focus of this maturity level is malicious actors who are more adaptive and much less reliant on public tools and techniques. These malicious actors are able to exploit the opportunities provided by weaknesses in their target’s cybersecurity posture, such as the existence of older software or inadequate logging and monitoring. Malicious actors do this to not only extend their access once initial access has been gained to a target, but to evade detection and solidify their presence. Malicious actors make swift use of exploits when they become publicly available as well as other tradecraft that can improve their chance of success.
How can AVD help?
Azure Virtual Desktop centralises desktop and application management inside a single managed boundary: session hosts are built from one image, so security policy is defined once and enforced consistently across every host, which reduces both administrative overhead and configuration drift.
This came to life for AVD customers on 19 July 2024, when a faulty CrowdStrike Falcon sensor content update caused crash loops and startup failures on Windows machines worldwide. For our Managed AVD customers, recovery could have been a simple redeployment of the host pools through the Macquarie Cloud Services Portal (MCSP), a GUI-driven, single-click operation, because we ensure multi-session hosts are stateless, FSLogix profile storage accounts are domain-joined, and roaming profiles are enabled. The drained, unresponsive hosts could have been deleted immediately or scheduled for deletion through MCSP as well.
1. Application Control – Restrict which applications can execute to reduce threats.
Windows Defender Application Control (now called App Control for Business) is Microsoft's recommended tool for application control: only approved applications can run on AVD session hosts, and anything else is blocked or, while the policy is in audit mode, logged. App attach (built on MSIX technology) adds flexibility by delivering applications independently of the operating system image, so approved apps can be published to approved users across multiple host pools without rebuilding the image.
Level 2 tip – Audit privileged end users on personal (single-session) host pools with central logging via the Azure Monitor Agent and Defender for Servers.
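As an added example, and not code from the original article or from Macquarie Cloud Services, the following PowerShell builds an App Control for Business (WDAC) policy from a reference session host, deploys it in audit mode, and then summarises the audit events so the policy can be tuned before enforcement is switched on. The scratch folder C:\WDAC, the policy name and the scan path are assumptions for this example; the ConfigCI cmdlets ship with Windows.

```powershell
# Added example: build, deploy (audit mode) and review a WDAC / App Control for
# Business policy on a reference AVD session host. Run elevated on the golden-image
# host. C:\WDAC and the policy name are hypothetical choices for this example.

$work = 'C:\WDAC'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$xml = Join-Path $work 'AVD-Baseline.xml'

# 1. Scan the reference image (a full-drive scan takes a while). Publisher rules
#    survive vendor updates; the hash fallback catches unsigned binaries; -UserPEs
#    includes user-mode code, which is what a session host runs on behalf of users.
New-CIPolicy -FilePath $xml -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $xml -PolicyName 'AVD Baseline'
Set-CIPolicyVersion -FilePath $xml -Version '1.0.0.0'

# 2. Rule options: 3 = Enabled:Audit Mode (log, do not block), 6 = allow an unsigned
#    policy while it is being tuned, 16 = policy updates apply without a reboot.
foreach ($opt in 3, 6, 16) { Set-RuleOption -FilePath $xml -Option $opt }

# 3. Compile and stage the binary under the policy's own GUID (multiple-policy format
#    expects the file to be named {PolicyID}.cip, braces included).
$policyId = ([xml](Get-Content $xml -Raw)).SiPolicy.PolicyID
$bin = Join-Path $work "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin | Out-Null
$active = "$env:windir\System32\CodeIntegrity\CiPolicies\Active"
Copy-Item $bin -Destination $active -Force
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy `
    -MethodName Update -Arguments @{ FilePath = (Join-Path $active "$policyId.cip") }

# 4. After a representative period of use, list what audit mode would have blocked.
#    Event 3076 = would have been blocked (audit); 3077 = blocked (enforced).
function Get-WdacAuditSummary {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
        -ErrorAction SilentlyContinue |
      ForEach-Object { if ($_.Message -match 'attempted to load (\S+)') { $Matches[1] } } |
      Group-Object | Sort-Object Count -Descending |
      Select-Object Count, @{ n = 'File'; e = { $_.Name } }
}
Get-WdacAuditSummary | Select-Object -First 25

# 5. Only once the audit log is clean for everything the business needs, remove
#    option 3 and redeploy (steps 3) to switch the same policy to enforcement:
# Set-RuleOption -FilePath $xml -Option 3 -Delete
```

Two practical caveats: the audit review in step 4 is the whole point of the exercise, because a policy enforced before its audit log is clean is how application control gets switched off again a week later; and app attach packages are signed, so the signer of every MSIX package the host pool publishes must be trusted by the policy or those applications will be blocked.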
2. Patch Applications – Keep all software up to date to close potential vulnerabilities.
- Level 1 – Protect session hosts with Microsoft Defender for Servers Plan 2 (part of Defender for Cloud), which provides a near real-time software inventory in the Defender portal.
- Level 2 and above – Increase the maturity level by using the agent-based and agentless vulnerability scanning backed by the Microsoft Defender Vulnerability Management database. Our customers are alerted to critical vulnerabilities daily so that critical patches can be applied well inside the 48-hour window the maturity model sets for them; remediation through an out-of-cycle update can be requested from the 24×7 Hosting Management Centre when configured.
3. User Application Hardening – Disable risky application capabilities (e.g., Flash or advertisements).
Intune policies can prevent activation of OLE packages, disable or remove Internet Explorer 11 and .NET Framework 3.5, and block Microsoft Office from creating child processes (an attack surface reduction rule), among other ACSC hardening settings.
4. Restrict Administrative Privileges – Reduce the risk of breaches with just-in-time access policies.
Role-based access control on Azure resources, Privileged Access Workstations for administrators, domain-joined hosts and storage accounts, central logging, and inactive-user reporting form part of the zero-trust baselines for AVD managed by Macquarie Cloud Services.
Level 2 tip – Introduce identity governance processes so that you regularly review just-enough and just-in-time privileges for your AVD applications, users and administrators, rather than leaving standing administrative rights in place.
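The following PowerShell is an added example, not the provider's baseline or Microsoft's reference scripts, of what least privilege looks like for AVD in practice: the user group gets only the built-in role it needs at the application-group scope, and two reports surface the things identity governance should be reviewing, standing privileged assignments at subscription scope (the ones JIT should replace) and enabled accounts that have not signed in for 90 days. The resource group, application group and group names are hypothetical; it needs the Az.Resources, Az.DesktopVirtualization and Microsoft.Graph modules with a signed-in administrator.

```powershell
# Added example: least-privilege AVD role assignment plus two governance reports.
# Resource and group names are hypothetical. Requires Az.Resources,
# Az.DesktopVirtualization and Microsoft.Graph with a signed-in admin.

$rg = 'rg-avd-prod'; $appGroupName = 'ag-prod-desktop'; $userGroupName = 'sg-avd-users'

$ag  = Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroupName
$grp = Get-AzADGroup -DisplayName $userGroupName

# Users need only 'Desktop Virtualization User' on the application group to be
# published the desktop; nothing at subscription or host-pool scope. (Entra-joined
# hosts additionally need 'Virtual Machine User Login' on the VMs or their resource group.)
New-AzRoleAssignment -ObjectId $grp.Id -RoleDefinitionName 'Desktop Virtualization User' -Scope $ag.Id

# Report 1: standing Owner / Contributor / User Access Administrator assignments made
# directly at subscription scope. These are the rights PIM eligible assignments should replace.
function Get-StandingPrivilegedAssignments {
    $sub = "/subscriptions/$((Get-AzContext).Subscription.Id)"
    Get-AzRoleAssignment -Scope $sub |
        Where-Object { $_.Scope -eq $sub -and
                       $_.RoleDefinitionName -in 'Owner', 'Contributor', 'User Access Administrator' } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName
}

# Report 2: enabled accounts with no sign-in in the last N days (signInActivity needs
# AuditLog.Read.All). Accounts that have never signed in are included deliberately.
function Get-InactiveUsers {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, SignInActivity |
        Where-Object {
            $_.AccountEnabled -and
            ( -not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff )
        } |
        Select-Object UserPrincipalName, @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }
}

Get-StandingPrivilegedAssignments | Format-Table -AutoSize
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'
Get-InactiveUsers -Days 90 | Format-Table -AutoSize
```

Both reports are the kind of evidence an assessor asks for at Level 2: not that a policy exists, but that someone looks at the output on a schedule and acts on it.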
5. Patch Operating Systems – Ensure your OS is always updated.
Automating regular patching of the desktop operating system across AVD session hosts is table stakes. Because multi-session hosts are stateless, a patched image can be rolled into the host pool and users land on an up-to-date OS at their next login, which keeps updates from disrupting in-progress workflows (unless cost optimisation principles require users to be evacuated from drained hosts so those hosts can be deallocated).
Level 2 tip – The same daily critical-vulnerability alerting and 24×7 Hosting Management Centre out-of-cycle update process described under Patch Applications applies to operating system patches, so the 48-hour window for critical vulnerabilities can be met for the OS as well as for applications.
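As an added example that is neither the provider's tooling nor Microsoft's own automation, the following PowerShell walks one AVD session host through a controlled out-of-cycle patch: drain it, warn and then log off users, assess what is missing, install only Critical and Security classifications, and return the host to service only if nothing failed. It serves both the Patch Applications and Patch Operating Systems sections, since Azure's patch assessment covers Windows updates and the products Windows Update services. Resource names (rg-avd-prod, hp-prod, avd-01.contoso.local, VM name avd-01) and the 15-minute grace period are hypothetical; it needs the Az.Accounts, Az.Compute and Az.DesktopVirtualization modules and an existing Connect-AzAccount session.

```powershell
# Added example: controlled out-of-cycle patch for one AVD session host.
# Resource names are hypothetical. Requires Az.Accounts, Az.Compute,
# Az.DesktopVirtualization and an existing Connect-AzAccount session.

$rg          = 'rg-avd-prod'
$pool        = 'hp-prod'
$sessionHost = 'avd-01.contoso.local'   # session host name as registered in the pool (FQDN)
$vm          = 'avd-01'                 # the underlying VM resource name
$graceSec    = 900                      # 15 minutes for users to save their work

function Get-SessionIds {
    # User session names are 'hostpool/sessionhost/<id>'; the cmdlets want the bare id.
    Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool -SessionHostName $sessionHost |
        ForEach-Object { ($_.Name -split '/')[-1] }
}

# 1. Drain: the broker stops placing new sessions here; existing sessions are untouched.
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $sessionHost -AllowNewSession:$false

# 2. Warn active users, wait out the grace period, then log off whoever is still there.
$ids = @(Get-SessionIds)
foreach ($id in $ids) {
    Send-AzWvdUserSessionMessage -ResourceGroupName $rg -HostPoolName $pool -SessionHostName $sessionHost `
        -UserSessionId $id -MessageTitle 'Scheduled maintenance' `
        -MessageBody "This desktop will be patched in $($graceSec / 60) minutes. Please save your work."
}
if ($ids.Count -gt 0) { Start-Sleep -Seconds $graceSec }
foreach ($id in @(Get-SessionIds)) {
    Remove-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool -SessionHostName $sessionHost -Id $id -Force
}

# 3. Assess before changing anything; this output is the evidence for the 48-hour clock.
$assessment = Invoke-AzVMPatchAssessment -ResourceGroupName $rg -VMName $vm
$assessment.AvailablePatches |
    Where-Object { $_.Classifications -match 'Critical|Security' } |
    Select-Object Name, KbId, Classifications, PublishedDate | Format-Table -AutoSize

# 4. Install only Critical and Security updates; reboot if required; cap the window at 2 hours.
$result = Invoke-AzVMInstallPatch -ResourceGroupName $rg -VMName $vm -Windows `
    -MaximumDuration 'PT2H' -RebootSetting 'IfRequired' `
    -ClassificationToIncludeForWindows 'Critical', 'Security'
"Status: $($result.Status)  installed: $($result.InstalledPatchCount)  failed: $($result.FailedPatchCount)  reboot: $($result.RebootStatus)"

# 5. Return to service only on a clean result; otherwise leave it drained for a human to review.
if ($result.Status -eq 'Succeeded' -and $result.FailedPatchCount -eq 0) {
    Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $sessionHost -AllowNewSession:$true
} else {
    Write-Warning "$sessionHost left drained: status $($result.Status), $($result.FailedPatchCount) failed patches."
}
```

For stateless multi-session hosts the routine path is to build a patched image and replace the hosts rather than patch in place; this in-place flow is what an out-of-cycle critical fix looks like when the next image rotation cannot be waited for, and the drain/re-enable steps are what stop a half-patched host from receiving users.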
6. Multi-Factor Authentication (MFA) – Add an extra layer of login security.
MFA for users accessing Azure Virtual Desktop, via Microsoft Authenticator, is table stakes. Most of our customers add single sign-on, Conditional Access policies and private endpoints to advance maturity further.
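The Conditional Access side of that, as an added example rather than the provider's configuration: a policy that requires MFA for every sign-in to the AVD first-party applications, created in report-only mode so the sign-in logs can be checked before it is enforced. It resolves the AVD service principals by display name instead of hard-coding application IDs, and excludes a break-glass group whose name, sg-breakglass, is an assumption; the 24-hour sign-in frequency is also a value to tune, not a recommendation from the article. It needs the Microsoft.Graph module and an administrator with the listed scopes.

```powershell
# Added example: Conditional Access policy requiring MFA for all AVD sign-ins,
# created in report-only mode first. Requires the Microsoft.Graph module and an
# admin with the scopes below. 'sg-breakglass' and the 24-hour frequency are assumptions.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Resolve the first-party AVD apps by display name rather than hard-coding app IDs.
# 'Windows Cloud Login' appears once SSO / Entra-joined session hosts are in use.
$names  = 'Azure Virtual Desktop', 'Microsoft Remote Desktop', 'Windows Cloud Login'
$filter = ($names | ForEach-Object { "displayName eq '$_'" }) -join ' or '
$appIds = @(Get-MgServicePrincipal -Filter $filter | Select-Object -ExpandProperty AppId)
if ($appIds.Count -eq 0) { throw 'No AVD service principals found; has AVD been used in this tenant?' }

# Never ship an MFA policy without an excluded, monitored break-glass group.
$breakGlass = Get-MgGroup -Filter "displayName eq 'sg-breakglass'"
if (-not $breakGlass) { throw 'Create and populate the break-glass group before applying MFA policies.' }

$policy = @{
    displayName = 'AVD - require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = $appIds }
        clientAppTypes = @('all')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        # Re-prompt at least daily so a stolen session does not outlive the working day.
        signInFrequency = @{
            isEnabled = $true; type = 'hours'; value = 24; frequencyInterval = 'timeBased'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State) covering $($appIds.Count) AVD app(s)"
```

Report-only mode is deliberate: the Entra sign-in logs show which users and clients would have been blocked, which is how you find the service account or legacy client that would otherwise become a sev-1 on the morning the policy goes live.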
7. Daily Backups – Maintain resilient backups that are ready for quick restoration.
Data isolation is a given: Azure Backup vaulted data is stored in an Azure subscription and tenant, and external users or guests have no direct access to that backup storage or its contents, which keeps backup data isolated from the production environment where the data source resides.
Level 2 tip – Go beyond zone redundancy and Privileged Identity Management to regional disaster recovery and a logical air gap for identity and the artefacts needed to rebuild (user profiles, app files, gold VM images, domain controllers, etc.). The environment should include immutable backups, multi-user authorisation (MUA) for destructive operations, and Privileged Identity Management approval workflows.
8. Disable Microsoft Office Macros – Block macros from untrusted locations.
Intune policies may be used to deploy the ACSC Office macro hardening settings (macros blocked in files from the internet, macros disabled for users without a demonstrated business need, and users unable to change those settings), with Microsoft Defender for Endpoint logging macro execution so that attempts are visible centrally.
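The following PowerShell is an added example, not the article's Intune baseline and not an ACSC script, that applies the Office hardening described in both the User Application Hardening and Disable Microsoft Office Macros sections to one session host and then checks for drift: the macro and OLE-package policy values, disabled Trusted Locations, the Office-related attack surface reduction (ASR) rules in audit mode first, and removal of Internet Explorer 11 and .NET Framework 3.5. The Office policy values are written per user (HKCU) and so apply only to the account running the script; on multi-session hosts the same values are deployed through Intune or Group Policy so every profile receives them, and an MDM-managed ASR setting overrides anything set locally. The ASR rule GUIDs are Microsoft's documented identifiers; the Office 16.0 policy hive assumes Office 2016 or later, including Microsoft 365 Apps.

```powershell
# Added example: ACSC-style Office hardening for one session host, with the ASR
# rules in audit mode first, plus a drift check and the audit events to review.
# HKCU values apply to the running account only; deploy via Intune/GPO in production.

$apps    = 'Word', 'Excel', 'PowerPoint'
$desired = @{
    VBAWarnings                       = 4   # disable all macros without notification
    blockcontentexecutionfrominternet = 1   # block macros in files marked as from the internet
    PackagerPrompt                    = 2   # OLE packages: no prompt, object will not execute
}
$asr = @{   # ASR rule GUIDs as documented by Microsoft
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}

function Set-OfficeHardening {
    param([ValidateSet('AuditMode', 'Enabled')][string]$AsrAction = 'AuditMode')
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $desired.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
        }
        # Trusted Locations bypass the macro block; keep them all off until a vetted list exists.
        New-Item -Path "$key\Trusted Locations" -Force | Out-Null
        Set-ItemProperty -Path "$key\Trusted Locations" -Name AllLocationsDisabled -Value 1 -Type DWord
    }
    # ASR: one action per rule id, in the same order. Audit first; switch to Enabled
    # once the 1122 audit events show nothing the business relies on.
    $ids = [string[]]$asr.Keys
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($AsrAction) * $ids.Count)
    # Legacy components the text calls out: IE11 and .NET Framework 3.5.
    foreach ($feature in 'Internet-Explorer-Optional-amd64', 'NetFx3') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
        }
    }
}

function Test-OfficeHardening {
    # Emits one row per control that is missing or wrong; no output means compliant.
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        foreach ($name in $desired.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($actual -ne $desired[$name]) {
                [pscustomobject]@{ Control = "$app\$name"; Expected = $desired[$name]; Actual = $actual }
            }
        }
    }
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids); $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $asr.Keys) {
        $i = 0; $action = $null
        while ($i -lt $ids.Count) { if ($ids[$i] -ieq $id) { $action = $acts[$i]; break }; $i++ }
        # Action codes: 1 = Enabled (block), 2 = AuditMode, 6 = Warn, 0 or missing = Disabled
        if ($action -notin 1, 2, 6) {
            [pscustomobject]@{ Control = $asr[$id]; Expected = 'Enabled/AuditMode'; Actual = $action }
        }
    }
}

function Get-AsrEvents {
    # 1121 = rule blocked something (enforced), 1122 = rule would have blocked (audit).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = {
            $m = $_.Message -replace '\s+', ' '; $m.Substring(0, [Math]::Min(160, $m.Length)) } }
}

Set-OfficeHardening -AsrAction AuditMode
Test-OfficeHardening | Format-Table -AutoSize
Get-AsrEvents | Format-Table -AutoSize
```

Test-OfficeHardening is the piece that matters for the maturity model: the setting being deployed once is Level 1 thinking, while a scheduled check that reports drift (a user-added Trusted Location, an ASR rule someone set to Disabled while troubleshooting) is what lets you show the control is still in place.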
Making the Essential 8 work with Azure Virtual Desktop
The best practices described in the Essential Eight are simple to state but not simple to implement, especially given the many configuration options of AVD. Our AVD Landing Zone embeds zero-trust principles in its baselines and continues to evolve as the requirements of operations, security and compliance evolve.
Macquarie Cloud Services is at the forefront of helping Australian businesses adapt to these challenges with our Managed AVD service offering. As an Azure Expert Managed Service Provider, we’ve earned Microsoft’s highest distinction through rigorous independent assessments. We’re also a proud member of the Microsoft Intelligent Security Association (MISA) and among a select few invited to join Microsoft’s Cyber Security Investment Program.
When you partner with us, you’ll gain access to exclusive funding, expertise, and the best cloud native tools already built into your Microsoft environment. Simply put, we’re here to help you maximise your Microsoft investment, ensuring it drives both security and cost efficiency across your business.
Reach out to us today at 1800 004 943 or drop us an email at enquiries@macquariecloudservices.com.