Enabling End-to-End Encryption in Azure

You can enable end-to-end encryption in your Azure deployment by using Microsoft's Encryption at Host feature. This option is available starting with Control 18.5.

Features

  • Available on Microsoft Azure Clouds.

  • Encrypts all desktops and application servers created under a Workspot Cloud Subscription.

  • Can be applied by editing existing Workspot Cloud Subscriptions as well as to new ones.

    • All new desktop and application server VMs will be encrypted.

Limitations

  • Existing desktop and application server VMs are not encrypted. See below for workarounds.

  • The Azure Client ID and Secret used to create the subscription must have the “Contributor” role permissions.

  • The feature takes around 15 minutes to become registered and available at Azure. Desktops and application servers created during this period are not encrypted.

This feature is only available on the Azure clouds.

Enabling Encryption at Host

To enable Encryption at Host on an Existing Azure Subscription

  1. In Workspot Control, go to “Setup > Cloud > cloudname > Actions > Edit,” where cloudname is the name of your Azure Cloud. The “Update Cloud Subscription” popup appears.

  2. Scroll down until you see the “Check here to enable ‘Encryption at host’ in Azure for all desktops and servers” checkbox. Select it.

  3. Press “Save.”

To enable Encryption at Host on a New Azure Subscription

To enable Encryption at Host on a new subscription:

  1. Go to “Setup > Cloud” and press “Add Public Cloud.” The “Add Public Cloud” page appears.

  2. Fill out the form normally.

  3. Be sure to select the “Check here to enable ‘Encryption at host’ in Azure for all desktops and servers” checkbox.

  4. Press “Save.”

After Enabling Encryption

Wait

Wait fifteen minutes before provisioning any new virtual machines.

Replacing Unencrypted Desktop VMs

Desktops imaged before encryption was enabled can be (destructively) replaced by encrypted desktops as follows:

  1. Think twice before doing this to persistent desktops that are assigned to users, or to non-persistent desktops or application servers with active user sessions.

  2. Go to “Resources > Desktop Pools > poolname > Action > Edit.” The “Edit Cloud Desktop Pool” page appears.

  3. Select the “Auto Create on Delete Desktop” box and press “Save.”

  4. Go to “Resources > Desktop Pools > poolname.” You will see a list of the desktops in the pool.

  5. Check the box in the leftmost column to select individual desktops, or the topmost box to select all desktops.

  6. Click the “Delete Desktops” button.

  7. The desktops will be deleted and then reimaged. The new desktops will be encrypted.

Replacing Unencrypted Application Server VMs

As above, but use the “Resources > Cloud App Pools” page.
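
To confirm the result from the Azure side after the wait and after replacing VMs, the following added example (not part of the Workspot documentation) uses the Azure CLI to report the feature registration state and to list VMs that still lack Encryption at Host. It assumes the registration mentioned under Limitations is the Microsoft.Compute "EncryptionAtHost" subscription feature, that you are logged in with az, and that you pass your own resource group name; the sample rows are constructed for an offline demo.

```shell
#!/bin/sh
# Added example: audit VMs for Encryption at Host with the Azure CLI.
# The live functions need `az login` and a resource group name you supply.

# Filter: reads "name<TAB>flag" rows on stdin and prints the names of VMs
# whose flag is not true. Tab-separated az output may show an unset value
# as "None" or empty and booleans in either case, so compare lower-cased.
unencrypted_vms() {
  awk -F'\t' 'NF && tolower($2) != "true" { print $1 }'
}

# Live: registration state of the feature for the current subscription.
# Assumption: this is the registration the page says takes about 15 minutes.
# Expect "Registered" before provisioning new VMs.
feature_state() {
  az feature show --namespace Microsoft.Compute --name EncryptionAtHost \
    --query properties.state -o tsv
}

# Live: names of VMs in resource group $1 that are not encrypted at host.
audit_resource_group() {
  az vm list --resource-group "$1" \
    --query '[].[name, securityProfile.encryptionAtHost]' -o tsv |
    unencrypted_vms
}

# Constructed sample rows (not real output) for an offline run.
sample_rows() {
  printf 'pool1-desk-001\tTrue\n'
  printf 'pool1-desk-002\tNone\n'
  printf 'pool1-desk-003\tFalse\n'
  printf 'apps-srv-001\ttrue\n'
}

case "${1:-}" in
  --demo) sample_rows | unencrypted_vms ;;
  "")     : ;;  # sourced or run without arguments: define functions only
  *)      echo "feature state: $(feature_state)"
          audit_resource_group "$1" ;;
esac
```

Any VM name printed by the audit was created before encryption was enabled or during the registration window, and is a candidate for the replacement procedure above.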