Configuring Azure Virtual Desktop for Single-User Workstations

This topic details how to configure Microsoft Azure Virtual Desktop and Imprivata Virtual Desktop Access for single-user workstations.

Download a PDF of this guide

The Single-User Workstation Workflow

Single-user (private) workstations are used by a single user who requires access to one or more applications for a prolonged period of time. These workstations are typically found in a private location, an administration area, or specialty areas.

The following details an example workflow:

  1. A user taps their proximity card to authenticate to a private workstation.

    • The virtual desktop is delivered to the local workstation.

      If Microsoft detects that the user has multiple accounts, they are prompted to choose an account. This behavior only occurs the first time the user accesses the virtual desktop.

    • Everything associated with the virtual desktop, such as files, shares, and all other applications are available to them.

  2. When the user is finished, they tap their proximity card to secure the workstation.

  3. The user continues their rotation, moving to a new location, and authenticates to a different private workstation.

    • The roaming virtual desktop is reconnected to the local workstation.

    • The desktop and the applications are running in the same state as previously used.

NOTE: This workflow supports multiple Windows desktops, also known as multiple-user desktops (MUD).

Before You Begin

Before you begin, be sure that you meet the following prerequisites:

The following Imprivata licensed features are required:

  • Virtual Desktop Access

  • Authentication Management

  • Single Sign-On

Verify that your Azure Virtual Desktop environment:

  • Is functioning normally, independent of Imprivata Enterprise Access Management, before installing and configuring Enterprise Access Management components.

  • Meets the minimum or recommended Azure Virtual Desktop and endpoint device requirements. For more information, see the Imprivata OneSign Supported Components matrix.

As part of the configuration process, you grant tenant-wide consent to let Imprivata Enterprise Access Management access your virtual desktops and authenticate your users.

Doing so requires a Microsoft Entra user account that can grant an application permission to the following APIs:

  • Azure Virtual Desktop

  • Microsoft Graph

Authenticating users using Microsoft Entra SSO is not supported.

Verify that Microsoft Entra SSO is not enabled in the RDP properties of your host pool.

Session persistence (roaming) is managed by your virtual environment, not Imprivata Virtual Desktop Access. If your virtual environment is configured correctly for session persistence, Imprivata Virtual Desktop Access seamlessly roams user sessions, on authentication, to the endpoint computers in your environment.

NOTE: For more information about configuring session persistence, see your vendor–specific documentation.

Deploying the single-user workflow with multiple-user desktops can quickly become resource intensive because each user session is a full Windows session. Performance is limited by the CPU and memory of the local workstation, as well as by the number and types of applications running.

For more information about limitations, see Enabling Multiple Windows Desktop Workstations in Computer Policies.

Azure Virtual Desktop Configuration

In this section you

  • Grant Entra ID tenant-wide consent to Imprivata Enterprise Access Management.

  • Install the Imprivata agent on your virtual machines.

You grant tenant-wide consent to let Enterprise Access Management access your virtual desktops and authenticate your users.

Granting consent requires a Microsoft Entra user account that can grant an application permission to the following APIs:

  • Azure Virtual Desktop

  • Microsoft Graph

To grant consent:

  1. Obtain the Imprivata application ID here.

  2. Copy the following sample to build a URL:

    Copy 
    https://login.microsoftonline.com/<tenant_id>/adminconsent?client_id=<application_id>

    Where <tenant_id> specifies your Entra ID tenant ID and <application_id> specifies the Imprivata application ID.

  3. Enter the URL into a browser to complete the consent process.

  4. In the Microsoft Entra admin center, locate the Imprivata AVD application and do the following:

    1. Verify that Imprivata AVD has been granted consent to the following APIs:

      • Azure Virtual Desktop

      • Microsoft Graph

    2. Assign the required users and groups.

NOTE:

For more information, see the Microsoft documentation about reviewing application permissions and assigning users and groups to an application.

on virtual machines

Install the Imprivata Citrix or Terminal Server agent (type 3) agent on the virtual machines that will be delivered to your users.

Use the Installation Wizard

To install the Imprivata agent:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which the agent must connect to obtain the enterprise topology.

  • Select the Citrix or Terminal Server agent.

Use a Third-Party Software Distribution Tool

To deploy the Imprivata agent using a third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=3

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see Imprivata Agent command line reference .

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Windows Endpoint Configuration

In this section you:

  • Verify that your local endpoints can access the Imprivata web service.

  • Install the Microsoft Remote Desktop client on your local endpoints.

  • Install the Imprivata agent on your local endpoints.

  • Optionally, configure the DesktopToAutoLaunch registry key to override the desktop chooser.

Your local endpoints must be able to access the Imprivata web service endpoint URL (https://avd.cloud.imprivata.com/).

Coordinate with your network administrators to make sure that network restrictions do not prevent access to the Imprivata web service.

NOTE:

The Imprivata web service is not accessible via a web browser. The URL serves as the address through which the endpoint interacts with the web service.

The Microsoft Remote Desktop client lets your users connect to a virtual desktop.

For more information about the Remote Desktop client and how to install it, see the Microsoft documentation.

Install the Imprivata single-user computer agent (type 1) agent on the Windows endpoints that your users will use to access their virtual desktops.

Use the Installation Wizard

To install the Imprivata agent:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which the agent must connect to obtain the enterprise topology.

  • Select the Single User Computer agent.

Use a Third-Party Software Distribution Tool

To deploy the Imprivata agent using a third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=1

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see Imprivata Agent command line reference .

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

By default, when a user is entitled to multiple desktops, they are prompted to choose which one to launch.

You can override this behavior by configuring a registry key (DesktopToAutoLaunch). This registry key streamlines desktop access by letting you specify which desktop should automatically launch for the user on the Windows endpoint.

To specify which desktop should be launched:

1. From the endpoint, open the Registry Editor.

2. Create the following registry key:

Name Data Type Location Value
DesktopToAutoLaunch String

HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\VDI

<name_of_virtual_desktop_as_it_appears_in_the_chooser>

Imprivata Enterprise Access Management Configuration

In this section you:

  • Configure a computer policy and assign it to your local endpoints.

  • Configure a user policy and assign it to the users who require access to a virtual desktop.

  • Import and deploy the AVD single sign-on application profile.

Configure a computer policy that automates access to virtual desktops and assign it to your local endpoints.

Configure a Computer Policy

To configure a computer policy:

  1. In the Imprivata Admin Console, go to the Computers menu > Computer Policies page.

  2. Do one of the following:

    • Click Add to create a new policy.
    • Click the name of an existing computer policy to edit it.

  3. Go to the Virtual Desktops tab > Microsoft Azure Virtual Desktops section.

  4. Select Automate access to Azure Virtual Desktop.

  5. Choose one of the following options:

    • Prompt the user only if they have multiple desktops. If the user is entitled to one desktop, it launches automatically after login. If a user is entitled to multiple desktops, an Imprivata OneSign dialog prompts the user to choose a desktop.

    • Always prompt the user to choose their desktop. An Imprivata OneSign dialog always prompts the user to choose a desktop, regardless of how many desktops they are entitled to.

      NOTE: If a user is entitled to multiple desktops, you can prevent them from having to choose which one to launch by configuring a registry key (DesktopToAutoLaunch) on the Windows endpoint.

  7. You can control the behavior when an endpoint computer is locked. Under When a Remote Desktop endpoint is locked, choose one of the following
    • Keep the Remote Desktop and user session active. This option preserves the user session. When a user logs back into an endpoint computer, or logs into another endpoint computer that is enabled for virtual desktop access, their desktop and applications are preserved just as they were when the endpoint computer was locked.
    • Shutdown the Remote Desktop and disconnect the user session. This option helps optimize resource consumption and minimizes the total number of active sessions in use in the enterprise. When a user logs back into an endpoint computer, or logs into another endpoint computer that is enabled for virtual desktop access, their desktop is relaunched.
  8. Optional: If you are deploying multiple-user desktops, go to the Shared Workstation tab, select Enable Multiple Windows Desktops (workstation reboot required), and specify the remaining values as required.
  9. Click Save.

Assign the Computer Policy

Assign the computer policy to your local endpoints.

Manually Assign the Computer Policy

To manually assign the computer policy:

  1. In the Imprivata Admin Console, go to the Computers menu > Computers page.

  2. Select the computers to which you want to assign the computer policy.

  3. Click Apply Policy.

  4. Select Choose a policy for the selected computers, select the policy from the list, and click Apply Policy.

Automatically Assign the Computer Policy

Computer policy assignment rules let you assign a policy to existing endpoint computers and make sure that the policy is automatically assigned to endpoint computers that are added later.

To automatically assign the computer policy:

  1. In the Imprivata Admin Console, go to the Computers menu > Computer Policy Assignment page.

  2. Click Add New Rule.

  3. Name the rule and select the assignment criteria.

  4. Select the policy you created, and click Save.

Configure a user policy that automates access to virtual desktops and assign it to your users.

Configure a User Policy

To configure a user policy:

  1. In the Imprivata Admin Console. go to the Users menu > User Policies page.

  2. Do one of the following:

    • Click Add to create a new policy.

    • Click the name of an existing user policy to edit it.

  3. Go to the Virtual Desktops tab, and select Enable virtual desktop automaton.

    By default, Automate access to full VDI desktops is enabled.

  4. Select Microsoft, and click Save.

Assign the User Policy

To assign the user policy:

  1. In the Imprivata Admin Console, go to the Users menu > Users page.

  2. Select the users to which you want to apply the user policy.

    You can view additional pages of the users without losing your selections. The users you have selected are tracked and displayed on a counter at the top of the page.

    BEST PRACTICE: To select multiple users more efficiently, use the Search for Users tool at the top of the Users page. Search for Users offers several search parameters for refining your results.

  3. Click Apply Policy, choose the policy you created, and click OK.

By default, users are prompted to log into the Microsoft Remote Desktop client to launch a virtual desktop. Import the AVD SSO application profile to prevent your users from having to enter their credentials manually.

NOTE: While this application profile enables support for Azure Virtual Desktop, it also enables any other application, which uses Entra ID as the identify provider, for SSO. For example, user credentials are proxied for Microsoft OneDrive.

To import the profile:

  1. Download and extract the application profile from here.

  2. In the Imprivata Admin Console, go to the Applications menu, and click Single sign-on application profiles.

  3. Click Add App Profile > Import from file, and import the profile.

  4. From the list of application profiles, select RemoteDesktopClient, and then click Deploy.

  5. Go to the Deployment section, and select Deploy this Application?.

  6. Optional: By default, an application profile is configured to deploy to all users. If you want to limit the deployment to specific organizational units, groups, or users, uncheck Deploy to All Users and Groups? and do the following.

    1. Select the domain that contains the target users.

    2. Select These OUs, groups, and users.

    3. Do one, two, or all three of the following:

      • Click Select OUs, select the target organizational units, and then click Done.

      • Click Select Groups, select the target groups, and then click Close.

      • Enter a semi-colon separated list of specific users.

  7. Leave the remaining settings unchanged.

  8. Click Save.