Secure Desktops, Anywhere.
Your Data Never Leaves Azure.

ABT delivers Azure Virtual Desktop for credit unions, banks, and mortgage companies. Your team gets full Windows 11 desktops with Encompass, Byte, and every business application they need. Your data stays in Azure, behind conditional access and encryption. No VPN headaches. No hardware refreshes. No compliance gaps from unmanaged devices.

Trusted by 750+ of the Nation's Leading Lenders, Banks & Credit Unions.

TIER 1 MICROSOFT CSP | SOC 2 TYPE II | ZERO TRUST | NIST CSF ALIGNED | FFIEC | GLBA / FTC SAFEGUARDS | NCUA / FDIC | CFPB / GSE AUDIT READY | SOX COMPLIANT | 750+ INSTITUTIONS | SINCE 1999

750+ Financial Institutions (ABT customer base)
25+ Years Cloud Experience (since 1999)
Tier-1 Microsoft CSP (largest FI-focused CSP)
99.9% AVD Uptime SLA (Microsoft Azure SLA)

Your Full Desktop, Built for Regulated Finance

Azure Virtual Desktop replaces on-premises VDI with a cloud-native desktop experience. No more hardware refreshes, VPN headaches, or compliance gaps from unmanaged devices. ABT configures every host pool, image, and conditional access policy for the specific requirements financial institutions face.

Full Windows 11 Desktop

Windows 11 Enterprise multi-session desktops running in Azure. Encompass, Byte, PointCentral, Office apps, and every line-of-business tool your team uses today. Users get the same familiar Start menu, taskbar, and file explorer they already know.

Multi-session means multiple users share a single VM, cutting Azure compute costs by 30-40% compared to giving each user a dedicated virtual machine. ABT sizes each host pool based on actual workload measurements, not vendor estimates.

Data Never Leaves Azure

Loan files, member data, and financial records stay in Azure datacenters. With drive, clipboard, and printer redirection switched off for the pool, nothing is cached on the local device, so a lost laptop is a hardware issue, not a data breach: no member notifications, no examiner incident reports.

Azure Virtual Desktop streams only the rendered display to the endpoint and carries keystrokes, mouse input, and whatever redirection you allow back to the session host. The actual compute, storage, and data processing happen inside Microsoft's SOC 2 Type II attested, ISO 27001 certified, and FedRAMP authorized infrastructure.

Connect From Any Device

Windows, Mac, iPad, Chromebook, thin client, or any device with a modern browser. Your team connects through Windows App (the successor to the Remote Desktop client) or the web client at rdweb.wvd.microsoft.com. Same desktop experience regardless of what device they carry.

Windows App and the Remote Desktop client are available on Windows, macOS, iOS, iPadOS, Android, and as a web app. ABT configures the connection settings so users click one icon and land in their desktop. No VPN software to troubleshoot.

Conditional Access Built In

Microsoft Entra ID conditional access controls who connects, from which devices, at which locations, and under what risk conditions. MFA is required for every session. Non-compliant devices are blocked before they reach your desktop.

ABT configures conditional access policies specific to financial services: block sign-ins from outside the U.S. (unless traveling loan officers are pre-approved), require compliant or hybrid-joined devices for full desktop access, and automatically block high-risk sign-ins detected by Entra ID Protection.
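The policy set described above, written out with the Microsoft Graph PowerShell SDK. This is an added example, not ABT's deployed configuration or Microsoft's own script; the group IDs and policy names are placeholders, and the three application IDs are Microsoft's documented first-party AVD sign-in apps for the commercial cloud, which you should confirm against the AVD multifactor authentication documentation for your cloud before use. Everything is created in report-only mode, which is how the pilot phase on this page runs it.

```powershell
# Added example (not ABT's or Microsoft's code). Creates the conditional access policies this
# page describes, in report-only mode, with the Microsoft Graph PowerShell SDK.
# Assumed: you hold Conditional Access Administrator, the Microsoft.Graph module is installed,
# $breakGlassGroupId is your emergency-access group and $travelGroupId the pre-approved
# travelling loan officers. Both GUIDs below are placeholders to replace.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$breakGlassGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder
$travelGroupId     = '00000000-0000-0000-0000-000000000002'   # placeholder
$avdApps = @(
    '9cdead84-a844-4324-93f2-b2e6bb768d07',   # Azure Virtual Desktop (service)
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c',   # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'    # Windows Cloud Login
)

# 1. Named location: the only country sign-ins may originate from. Unknown geo counts as outside.
$usOnly = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'CA-Loc-UnitedStates'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

# Common scope: every user except break-glass, only the AVD apps, every client app type.
$scope = @{
    users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    applications   = @{ includeApplications = $avdApps }
    clientAppTypes = @('all')
}
$reportOnly = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after the pilot

# 2. Require MFA. This is a separate policy from the device policy because one policy
#    cannot express "MFA AND (compliant OR hybrid-joined)": builtInControls share one operator.
$mfa = @{
    displayName   = 'CA-AVD-RequireMFA'
    state         = $reportOnly
    conditions    = $scope
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Require a compliant OR hybrid-joined device for the same apps.
$device = @{
    displayName   = 'CA-AVD-RequireManagedDevice'
    state         = $reportOnly
    conditions    = $scope
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}

# 4. Block sign-ins from anywhere except the US named location, with the travel group excepted.
$geo = $scope.Clone()
$geo.users     = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId, $travelGroupId) }
$geo.locations = @{ includeLocations = @('All'); excludeLocations = @($usOnly.Id) }
$blockGeo = @{
    displayName   = 'CA-AVD-BlockOutsideUS'
    state         = $reportOnly
    conditions    = $geo
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 5. Block high-risk sign-ins as scored by Entra ID Protection, regardless of device or location.
$risk = $scope.Clone()
$risk.signInRiskLevels = @('high')
$blockRisk = @{
    displayName   = 'CA-AVD-BlockHighRiskSignIn'
    state         = $reportOnly
    conditions    = $risk
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($p in $mfa, $device, $blockGeo, $blockRisk) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0,-32} {1}' -f $created.DisplayName, $created.State
}
```

Two points worth checking before enforcement: the travel exception is on the geo-block policy only, so a pre-approved traveller still needs MFA and a managed device; and the break-glass exclusion has to be on every policy, or a report-only review will show the emergency accounts being evaluated and, once enforced, locked out.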

Predictable Monthly Cost

No capital expenditure on VDI hardware. Azure consumption billing means you pay for the compute, storage, and bandwidth you actually use. Reserved instances lock in rates 30-40% below pay-as-you-go pricing for committed workloads.

ABT manages sizing, auto-scaling schedules, and reserved instance purchasing to keep costs predictable. Most financial institutions running 50-200 users see monthly Azure costs between $12 and $80 per user depending on VM configuration and utilization patterns.

Examiner-Ready Logging

Session activity, sign-in events, conditional access evaluations, and data access (through Azure Files and Microsoft Purview audit logs) are all logged to Azure Monitor and Log Analytics. Every connection, disconnection, and policy evaluation generates an auditable record.

When examiners ask "who accessed what, from where, on which device," you answer with KQL queries against structured logs. ABT configures diagnostic settings on every host pool, workspace, and application group so the audit trail is complete from day one.

FSLogix Profile Management

User profiles load in seconds regardless of which host machine they connect to. FSLogix stores each user's profile in a VHDX container on Azure Files Premium, then dynamically attaches it at sign-in. Outlook cached mode, Teams settings, browser profiles, and desktop customizations persist across sessions.

ABT configures FSLogix with Azure Files identity-based authentication, NTFS ACLs per user, 30GB container caps, and directory exclusions for Downloads and Videos to speed login times. Each user's profile is isolated from every other user's data.
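The FSLogix settings listed above, as an added example rather than ABT's image build script. It assumes a storage account named stfiabtprofiles with an Azure Files Premium share called profiles, identity-based authentication already enabled on the account, and the AVD users group holding the Storage File Data SMB Share Contributor role at share level; those names are placeholders. The registry half runs on the session host image, the ACL half runs once from an admin workstation with the share mapped.

```powershell
# Added example, not ABT's or Microsoft's tooling. Assumed: share path below is a placeholder,
# identity-based auth is enabled on the storage account, and share-level RBAC is in place.
$share = '\\stfiabtprofiles.file.core.windows.net\profiles'

# --- Session host: profile container settings under HKLM\SOFTWARE\FSLogix\Profiles ---
$key = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $key -Force | Out-Null
$settings = @{
    Enabled                              = 1
    VolumeType                           = 'VHDX'
    SizeInMBs                            = 30720        # 30 GB cap per user container
    IsDynamic                            = 1            # grow on demand instead of 30 GB up front
    FlipFlopProfileDirectoryName         = 1            # %username%%sid% folder names, easier to audit
    DeleteLocalProfileWhenVHDShouldApply = 1            # never fall back to a stale local profile
    LockedRetryCount                     = 3            # container still attached elsewhere: retry, then fail
    LockedRetryInterval                  = 15
    ReAttachRetryCount                   = 3
    ReAttachIntervalSeconds              = 15
    RedirXMLSourceFolder                 = 'C:\FSLogix'   # where redirections.xml is read from
}
foreach ($name in $settings.Keys) {
    $type = if ($settings[$name] -is [string]) { 'String' } else { 'DWord' }
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type $type
}
# VHDLocations is REG_MULTI_SZ; one share here, the DR variant uses Cloud Cache (CCDLocations) instead.
Set-ItemProperty -Path $key -Name VHDLocations -Value @($share) -Type MultiString

# Folders left out of the container: large, not business data, and they slow every sign-in.
New-Item -Path 'C:\FSLogix' -ItemType Directory -Force | Out-Null
@'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
    <Exclude Copy="0">Downloads</Exclude>
    <Exclude Copy="0">Videos</Exclude>
    <Exclude Copy="0">AppData\Local\Temp</Exclude>
  </Excludes>
  <Includes></Includes>
</FrxProfileFolderRedirection>
'@ | Set-Content -Path 'C:\FSLogix\redirections.xml' -Encoding UTF8

# --- Share root NTFS ACLs (run once, from a workstation where the share is mapped to X:) ---
# Users: Modify on this folder only, enough to create their own container folder.
# CREATOR OWNER: Modify on subfolders and files only, so each user owns only what they created.
# Administrators: Full control. The broad Authenticated Users default is removed.
$drive = 'X:'
if (Test-Path "$drive\") {
    icacls $drive /grant 'CREATOR OWNER:(OI)(CI)(IO)(M)'
    icacls $drive /grant 'Users:(M)'
    icacls $drive /grant 'Administrators:(OI)(CI)(F)'
    icacls $drive /remove 'Authenticated Users'
} else {
    Write-Warning "Map $share to $drive (net use $drive $share) and re-run the ACL section."
}
```

The isolation claim in the paragraph rests on the CREATOR OWNER entry: a user can create a folder under the share root but only gets Modify on folders they created, so one loan officer's VHDX is never readable by another. The ACL values match Microsoft's FSLogix-on-Azure-Files guidance at the time of writing; check the current document for your authentication method before copying them.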

Disaster Recovery Built In

If your office goes down, your desktops keep running in Azure. Fire, flood, power outage, or internet failure at the branch: users reconnect from any other location on any device. Business continuity without secondary sites or failover hardware.

ABT can configure multi-region host pools with FSLogix profile replication to a secondary Azure region. If the primary region experiences an outage, users fail over to the backup region with their profiles intact. Recovery time objectives measured in minutes, not days.

Two Microsoft Solutions. Different Architectures.

Microsoft offers two cloud desktop platforms: Azure Virtual Desktop (AVD) and Windows 365 Cloud PC. Both run Windows in the cloud. The difference is who controls the infrastructure, how you pay, and how much flexibility you get. For regulated financial institutions, that difference matters.

Feature | Azure Virtual Desktop (ABT recommended) | Windows 365 Cloud PC
Service type | Platform as a Service (PaaS). You control the infrastructure; ABT manages it for you. | Software as a Service (SaaS). Microsoft controls the infrastructure. Less customization.
Pricing model | Pay-as-you-go Azure consumption. Only pay when VMs are running. Reserved instances save 30-40%. | Fixed monthly fee per user ($31-$66/user/month based on SKU). Same cost whether a user connects 1 hour or 200 hours.
Multi-session support | Yes. Windows 11 Enterprise multi-session, 8-16 users per VM. As low as $12/user/month with autoscaling. | No. Each Cloud PC is a dedicated single-user VM. No resource sharing between users.
Autoscaling | Native autoscaling. VMs spin up before business hours and deallocate after. Capacity-based and schedule-based triggers. | Not available. Cloud PCs are always provisioned at the selected SKU. No dynamic scaling.
Custom VM sizes | Full Azure VM catalog: D-series, E-series, NV-series (GPU). Choose exact CPU, RAM, and disk configuration. | Limited to pre-defined SKUs (2 vCPU/4 GB through 16 vCPU/64 GB). No GPU option for standard Cloud PCs.
Networking | Customer-managed Azure VNet: NSGs, Azure Firewall, private endpoints, ExpressRoute, VPN. Full network control. | Microsoft-managed. Limited networking customization. No VNet integration in the Business edition.
Application delivery | MSIX app attach delivers apps on demand without baking them into the image. RemoteApp for individual apps without a full desktop. | Traditional app install on each Cloud PC. No MSIX app attach. No RemoteApp publishing.
Profile management | FSLogix profile containers on Azure Files or Azure NetApp Files. Profiles attach in seconds at sign-in. | Local profile on the persistent Cloud PC. No FSLogix needed (dedicated VM). Profile does not roam.
Management | Azure portal + Intune + PowerShell + CLI. Full administrative control. Requires Azure expertise. | Microsoft Intune only. Managed like a physical PC. Minimal Azure knowledge required.
Compliance controls | Full Microsoft Defender for Cloud integration. Custom security baselines. CIS-hardened images. Session host isolation. | Standard Intune compliance policies. Less granular control over the underlying infrastructure.
Best for | Financial institutions needing cost optimization, compliance granularity, seasonal scaling, and application flexibility. | Small teams wanting predictable bills and minimal IT management. SMBs without Azure expertise.

Why ABT recommends AVD for financial institutions. Windows 365 works well for organizations that want a simple, fixed-cost Cloud PC. But financial institutions have specific requirements that AVD handles better: seasonal workforce scaling during refi booms, examiner-ready audit logging at the infrastructure level, custom network segmentation for compliance, and multi-session pooling that cuts per-user costs to a fraction of Windows 365 pricing.

ABT bridges the complexity gap. The most common objection to AVD is that it requires Azure expertise to manage. That is true. It is also why ABT exists. We handle the host pool configuration, image management, autoscaling rules, FSLogix tuning, and conditional access policies. Your IT team focuses on supporting users, not managing VDI infrastructure.

A hybrid approach is an option. AVD and Windows 365 are not mutually exclusive. Some institutions use Windows 365 for a handful of executives who need persistent, always-on Cloud PCs, while running AVD pooled desktops for loan processors and seasonal staff. ABT configures both services under a unified management model when the use case calls for it.

Built for How Financial Institutions Work

ABT configures Azure Virtual Desktop for each institution's specific application stack, compliance requirements, and team structure. These are the scenarios we deploy most often.

Remote and Hybrid Loan Officers

Loan officers access Encompass from home, a branch, or a realtor's office. Same desktop experience every time. Data stays in Azure, protected by conditional access policies that verify device compliance and MFA completion before allowing the connection.

No VPN client to install, troubleshoot, or update. The client connects to the AVD gateway over TLS 1.2, and the session host only ever makes outbound connections to that gateway (reverse connect), so nothing listens on the internet. Session latency typically stays under 150 ms for users within the continental U.S. connecting to East US or West US Azure regions.

Seasonal Processing Teams

Scale up desktops during refi booms or peak origination periods. Scale down when volume drops. No hardware to purchase, image, or decommission. Autoscaling adds session hosts when user count exceeds the capacity threshold and deallocates them when demand falls.

ABT configures scaling plans with ramp-up periods 20 minutes before office hours, peak session limits based on your team size, and ramp-down schedules that drain sessions gracefully before deallocating VMs. One client saved 34% on compute costs using autoscaling without a single login delay.

Branch Consolidation

Replace aging branch PCs with thin clients or tablets running Azure Virtual Desktop. IT manages one golden image instead of hundreds of individual machines. When a branch PC breaks, swap in a thin client and the user is back in their desktop in minutes.

Thin clients from Dell Wyse, HP, or IGEL cost $200-400 per unit and last 7-10 years with no moving parts. Compare that to $800-1,200 for a traditional desktop PC that needs replacement every 3-4 years. The total cost of ownership shifts dramatically when the compute runs in Azure.

BYOD with Zero Data Exposure

Employees use personal devices without exposing member data. AVD streams a display signal to the endpoint. No data downloads. No clipboard leaks, provided clipboard redirection is switched off, because redirection is enabled by default on a new host pool. No local file caching. The personal device becomes a display terminal, nothing more.

Conditional access gates which host pool an unmanaged device may reach; the RDP properties on that BYOD pool then disable clipboard redirection, drive mapping, and printing, the session hosts run screen capture protection, and BYOD users are pointed at the web client only. The user gets a productive workspace. The institution keeps full control of where data can go. Examiners see a documented BYOD policy backed by technical enforcement.

Merger and Acquisition Integration

When your institution acquires another organization, AVD provides instant desktops for the incoming team without touching their existing hardware. Provision a new host pool, install the required applications on the image, assign conditional access policies, and onboard users in days instead of weeks.

The acquired team connects from their existing machines to a separate, policy-controlled AVD environment. No domain trust required during transition. No physical equipment shipments. IT manages the integration at the Azure infrastructure level while users keep working.

Third-Party Vendor Access

Auditors, consultants, and IT vendors need temporary access to your systems. Instead of giving them VPN credentials and hoping for the best, provision a locked-down AVD desktop with access to only the applications and data they need for the engagement.

Time-bound accounts expire automatically. Conditional access enforces MFA and device compliance even for external users. Session logging captures every action. When the engagement ends, deprovision the accounts and the host pool. No lingering credentials. No orphaned VPN profiles.

From Assessment to Production in 4-6 Weeks

ABT manages the full AVD deployment lifecycle. Your IT team participates in decisions and testing. ABT handles the engineering. Here is what each week looks like.

Step 1, Week 1: Discovery & Assessment

Application Inventory and Azure Sizing

ABT catalogs every application your team uses: Encompass, Byte, PointCentral, Office apps, proprietary LOS plugins, browser-based tools, and line-of-business utilities. Each application gets tested for AVD compatibility and resource requirements.

We capture performance baselines from your existing PCs using monitoring data. CPU utilization, memory consumption, disk IOPS, and network bandwidth during peak hours determine the right Azure VM sizes. We start from Microsoft's session host sizing guidance (about 4 users per vCPU for a medium, Office-heavy workload, 2 per vCPU for heavier LOS workloads) and adjust based on your actual measurements.

The assessment also reviews your current identity infrastructure (Entra ID hybrid join vs. cloud-only join), network connectivity (ExpressRoute, VPN, or direct internet), and licensing (M365 E3/E5 entitlements that include AVD access rights).

Deliverables: app inventory, performance baseline, network review, license audit.
Step 2, Week 2: Infrastructure Build

Host Pool Configuration and Image Creation

ABT provisions the Azure infrastructure using infrastructure-as-code templates (Bicep or ARM). This includes the AVD host pool, workspace, application groups, Azure Virtual Network with NSG rules, Azure Files Premium for FSLogix profiles, and diagnostic settings for Log Analytics.

We build a golden VM image with Windows 11 Enterprise multi-session, install all applications from the inventory, apply CIS security baselines, configure FSLogix profile containers, and optimize the image for AVD (disable unnecessary services, configure MSIX App Attach for frequently updated applications).

Conditional access policies are drafted and tested in report-only mode: require MFA for AVD connections, require compliant or hybrid-joined devices, block connections from untrusted locations, and block high-risk sign-ins.

Deliverables: IaC deployment, golden image, FSLogix configuration, conditional access policy draft.
Step 3, Week 3: Integration & Testing

Application Validation and Security Hardening

Every application from the inventory gets tested in the AVD environment. Encompass performance is validated under simulated multi-user load. Byte, PointCentral, and other tools are confirmed working with the correct COM objects, printer drivers, and registry settings.

Security hardening is verified: Trusted Launch enabled on Gen2 VMs (Secure Boot, vTPM, virtualization-based security), Windows LAPS randomizing local admin passwords, screen capture protection enabled, drive redirection policies configured per user group, and Microsoft Defender for Endpoint deployed on all session hosts.

Network connectivity is validated end-to-end: session hosts reaching internal resources through VNet peering or VPN, Azure Firewall rules permitting only required outbound traffic, and proxy bypass configured for AVD service URLs.

Deliverables: application testing, security hardening, network validation, Defender configuration.
Step 4, Weeks 4-5: Pilot Testing

Small Group Rollout and Feedback

A pilot group of 5-15 users (typically a mix of loan officers, processors, and IT staff) starts using AVD for daily work. ABT monitors FSLogix profile load times, session latency, application performance, and user feedback throughout the pilot.

Conditional access policies move from report-only to enforced mode during the pilot. Any issues with device compliance, MFA enrollment, or location-based restrictions are identified and resolved before full rollout.

Autoscaling plans are configured and tested: ramp-up schedule aligned to your business hours, peak capacity threshold calibrated to pilot usage data, ramp-down with forced logoff warnings, and off-hours deallocation. The pilot validates both the user experience and the cost model.

Deliverables: 5-15 pilot users, performance monitoring, conditional access enforcement, autoscale tuning.
Step 5, Week 6: Full Rollout

Production Deployment and User Training

All users migrate to AVD in coordinated waves (typically by department or branch). ABT provides login guides, Remote Desktop client installation instructions, and a FAQ document tailored to your institution. IT help desk staff receive a troubleshooting runbook covering the 10 most common AVD issues.

Additional session hosts are added to the host pool to handle full production load. Load balancing is configured (breadth-first for even distribution during peak, depth-first for cost optimization during off-peak). The golden image is finalized and stored as a shared image gallery version for rapid scaling.
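The scaling plan described in the seasonal-scaling, pilot, and rollout passages above (ramp-up ahead of office hours, breadth-first during peak, depth-first with a logoff warning at ramp-down, deallocation off-hours), written with the Az.DesktopVirtualization module. This is an added example and not ABT's deployed plan; the resource group, host pool, region, and time zone are placeholders, and the schedule keys follow the New-AzWvdScalingPlan parameter shape, which you should verify against the module version you run.

```powershell
# Added example, not ABT's configuration. Assumed placeholders: resource group 'rg-avd-prod',
# pooled host pool 'hp-corp', region 'eastus', office hours 8:00-18:00 Eastern.
$subId = (Get-AzContext).Subscription.Id
$rg    = 'rg-avd-prod'
$pool  = Get-AzWvdHostPool -ResourceGroupName $rg -Name 'hp-corp'

# Prerequisite: autoscale acts as the Azure Virtual Desktop first-party service principal,
# which must be allowed to start and deallocate the session host VMs. Scoping the role to the
# host pool's resource group rather than the subscription keeps it least-privilege.
New-AzRoleAssignment -ApplicationId '9cdead84-a844-4324-93f2-b2e6bb768d07' `
    -RoleDefinitionName 'Desktop Virtualization Power On Off Contributor' `
    -Scope "/subscriptions/$subId/resourceGroups/$rg" -ErrorAction SilentlyContinue | Out-Null

$plan = @{
    ResourceGroupName = $rg
    Name              = 'sp-hp-corp-weekday'
    Location          = 'eastus'
    HostPoolType      = 'Pooled'
    TimeZone          = 'Eastern Standard Time'
    ExclusionTag      = 'NoAutoscale'          # tag a session host with this to exempt it
    Schedule          = @(
        @{
            Name                           = 'weekdays'
            DaysOfWeek                     = 'Monday','Tuesday','Wednesday','Thursday','Friday'
            # Ramp-up: 20 minutes before the 8:00 start, so the first logins never wait on a boot.
            RampUpStartTime                = @{ Hour = 7;  Minute = 40 }
            RampUpLoadBalancingAlgorithm   = 'BreadthFirst'
            RampUpMinimumHostsPct          = 20    # floor: 20% of hosts stay on regardless of load
            RampUpCapacityThresholdPct     = 60    # start another host at 60% of pool capacity
            # Peak: spread users across hosts for responsiveness.
            PeakStartTime                  = @{ Hour = 8;  Minute = 0 }
            PeakLoadBalancingAlgorithm     = 'BreadthFirst'
            # Ramp-down: pack new sessions onto fewer hosts, warn, then deallocate the empty ones.
            RampDownStartTime              = @{ Hour = 18; Minute = 0 }
            RampDownLoadBalancingAlgorithm = 'DepthFirst'
            RampDownMinimumHostsPct        = 10
            RampDownCapacityThresholdPct   = 90
            RampDownForceLogoffUser        = $true
            RampDownWaitTimeMinute         = 30
            RampDownNotificationMessage    = 'Your desktop will sign out in 30 minutes. Save your work; you can reconnect at any time.'
            RampDownStopHostsWhen          = 'ZeroActiveSessions'
            # Off-peak: only the floor stays on; whatever connects lands on the fewest hosts.
            OffPeakStartTime               = @{ Hour = 19; Minute = 0 }
            OffPeakLoadBalancingAlgorithm  = 'DepthFirst'
        }
    )
    HostPoolReference = @(
        @{ HostPoolArmPath = $pool.Id; ScalingPlanEnabled = $true }
    )
}
$sp = New-AzWvdScalingPlan @plan
'Scaling plan {0} attached to {1}' -f $sp.Name, (($sp.HostPoolReference | ForEach-Object { $_.HostPoolArmPath }) -join ', ')
```

The ramp-down threshold of 90% is deliberately high: during ramp-down the plan is trying to empty hosts, so it should not start a new one until the remaining capacity is nearly exhausted. Set RampDownForceLogoffUser to false for the pilot if you want to see how long disconnected sessions linger before deciding on the 30-minute warning.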

Deliverables: wave migration, user training, help desk runbook, load balancing.
Step 6, Ongoing: Managed Operations

Monitoring, Optimization, and Image Updates

ABT monitors the AVD environment continuously: host health, session counts, FSLogix performance, Defender alerts, and Azure cost trends. Monthly image updates incorporate Windows patches, application updates, and security baseline changes. Quarterly reviews optimize VM sizing, autoscaling thresholds, and reserved instance commitments.

When Microsoft releases new AVD features (like the recent dynamic autoscaling improvements or Watermarking for screen capture protection), ABT evaluates them and rolls out the ones that benefit your deployment. You get the advantages of a continuously improving platform without your IT team needing to track Microsoft's release cycle.

Deliverables: 24/7 monitoring, monthly patching, quarterly reviews, feature adoption.

See What AVD Looks Like for Your Team

ABT will map your current application stack, estimate monthly Azure costs, and show you a live AVD environment configured for financial services. Assessment takes one week. No obligation.

Eight Layers of Security for Virtual Desktops

Azure Virtual Desktop security starts at the identity layer and extends through the network, the session host, the data, and the audit trail. ABT configures all eight layers as part of every deployment. No optional features. No "we will add that later."

Conditional Access & MFA

What it does: Every AVD connection is evaluated by Microsoft Entra ID conditional access before the user reaches a desktop. Policies check the user's identity, device compliance state, sign-in risk level, and geographic location.

How ABT configures it: MFA required for all AVD sessions. High-risk sign-ins (impossible travel, anonymous IP, malware-linked sources) blocked automatically. Device compliance required (disk encryption, antivirus, OS version). Geographic restrictions limit connections to approved countries. Report-only mode used during pilot, enforced mode for production.

Why it matters for examiners: FFIEC 2021 authentication guidance specifically calls for MFA and layered security controls. Conditional access provides both, with auditable policy evaluation logs for every connection attempt.

Network Segmentation

What it does: AVD session hosts run in an isolated Azure Virtual Network. Network Security Groups (NSGs) and Azure Firewall control what traffic flows in and out. No inbound RDP ports are open to the internet. AVD uses Reverse Connect transport, so session hosts initiate outbound connections to the AVD gateway.

How ABT configures it: Dedicated subnets for session hosts, separated from other Azure workloads. NSG rules restrict outbound traffic to the Azure service tags the hosts need (WindowsVirtualDesktop, AzureMonitor, Windows Update and Defender endpoints), since an NSG cannot filter by URL; Azure Firewall (or a third-party appliance) applies the FQDN allow-list and centralized traffic inspection on top. VNet peering connects to on-premises resources through ExpressRoute or site-to-site VPN without exposing session hosts to the internet.

Why it matters for examiners: FFIEC IT Examination Handbook and NCUA cloud guidance both require network segmentation and inspection for cloud-hosted workloads. The architecture provides documented evidence of segmented, inspected, and logged network traffic.

Data Encryption

What it does: Data is encrypted at rest and in transit. Azure Storage uses AES-256 encryption for all data at rest (FSLogix profiles, OS disks, application data). TLS 1.2 encrypts all traffic between the client and the AVD gateway, and between the gateway and the session host.

How ABT configures it: Customer-managed keys (CMK) available for organizations that require key custody. Azure Disk Encryption with BitLocker for OS and data disks. Azure Files encrypted at rest with platform-managed or customer-managed keys. Trusted Launch with vTPM enables measured boot and integrity attestation for each session host VM.

Why it matters for examiners: GLBA Safeguards Rule requires encryption of customer financial information both in transit and at rest. The AVD architecture provides encryption at every layer, with key management options that satisfy the most stringent examiner requirements.

Endpoint Protection

What it does: Microsoft Defender for Endpoint runs on every AVD session host. It provides real-time protection against malware, ransomware, and fileless attacks. Threat detections are correlated across the entire Microsoft 365 Defender stack: endpoint, email, identity, and cloud apps.

How ABT configures it: Defender onboarded via Intune policy to all session hosts. Attack Surface Reduction (ASR) rules block common attack vectors: Office macros creating child processes, credential stealing from LSASS, and untrusted executables from USB or email. Automated investigation and response (AIR) enabled for Tier 1 incidents. Alerts routed to ABT Guardian for 24/7 monitoring.

Why it matters for examiners: FFIEC guidance requires financial institutions to deploy anti-malware, endpoint detection, and incident response capabilities on all systems processing customer data. Defender for Endpoint satisfies all three requirements from a single agent.

Data Loss Prevention

What it does: Microsoft Purview DLP policies monitor and control the movement of sensitive financial data within AVD sessions. Sensitivity labels follow documents from the virtual desktop to email, SharePoint, and OneDrive. Policies detect account numbers, Social Security numbers, loan applications, and other GLBA-regulated data types.

How ABT configures it: DLP policies configured with four GLBA-specific sensitive information types: SSN, account numbers, and routing numbers from Purview's built-in types, plus a custom type for loan application identifiers. Alert-not-block philosophy for initial deployment (surface visibility without disrupting workflows), then graduated enforcement based on 90-day alert data. Auto-encryption for highly sensitive documents leaving the virtual desktop environment.

Why it matters for examiners: Examiners increasingly expect documented DLP controls for remote work environments. The alert-and-log approach provides evidence of monitoring even before full enforcement is activated.

Session Controls

What it does: AVD session policies control what users can do during a virtual desktop session: clipboard redirection, drive mapping, printer redirection, screen capture, and USB device access. Redirection policies are enforced by the session host at the RDP protocol level, so software on the endpoint cannot re-enable them. Screen capture protection relies on the client honouring it, which is why clients that do not support the feature are refused a connection when it is enabled.

How ABT configures it: Policies set per user group based on role and data sensitivity. Loan officers processing NPI get clipboard and drive redirection disabled. IT administrators get full access for troubleshooting. Screen capture protection enabled for all users (blocks screenshots from the local device). Maximum idle time set to 15 minutes. Disconnected sessions terminated after 60 minutes.

Why it matters for examiners: Session controls provide the technical enforcement behind your BYOD and remote access policies. Instead of relying on employee awareness, the controls are built into the protocol.

Audit Logging & Monitoring

What it does: Every AVD action generates log data: connection events, disconnections, authentication results, conditional access evaluations, host pool scaling events, and session host health checks. All logs flow to Azure Monitor and Log Analytics for retention, querying, and alerting.

How ABT configures it: Diagnostic settings enabled on all AVD resources (host pools, workspaces, application groups). Log retention set to 365 days minimum (configurable to 730 days for institutions requiring longer retention). KQL query templates provided for common examiner questions: "Who connected from outside the U.S.?", "Which sessions accessed file share X?", "How many failed MFA attempts this month?"

Why it matters for examiners: FFIEC examination procedures require financial institutions to maintain complete audit trails for remote access systems. Azure Monitor provides the logging infrastructure. ABT provides the queries that turn raw logs into examiner-ready reports.
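An added example of the logging layer above and of the examiner-ready queries promised earlier on this page: enable the AVD diagnostic categories on a host pool, workspace, and application group, then answer "who connected from outside the U.S., and was the device compliant?" against the workspace. This is not ABT's tooling; the resource names are placeholders, the table and column names are Microsoft's documented AVD (WVDConnections) and Entra (SigninLogs) schemas, and you should confirm them in your own workspace before putting a result in front of an examiner. SigninLogs only exist in the workspace once Entra ID's own diagnostic setting streams them there, which is a separate tenant-level step.

```powershell
# Added example, not ABT's or Microsoft's tooling. Assumed placeholders: resource group
# 'rg-avd-prod', host pool 'hp-corp', workspace 'ws-avd', app group 'dag-corp', Log Analytics
# workspace 'law-avd'. Requires Az.DesktopVirtualization, Az.Monitor and Az.OperationalInsights.
$rg  = 'rg-avd-prod'
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-avd'

# Diagnostic categories differ per resource type; only categories the type exposes can be enabled.
# Scaling plans carry their own autoscale category and get their own diagnostic setting.
$targets = @{
    (Get-AzWvdHostPool -ResourceGroupName $rg -Name 'hp-corp').Id = @(
        'Checkpoint','Error','Management','Connection','HostRegistration',
        'AgentHealthStatus','NetworkData','ConnectionGraphicsData','SessionHostManagement')
    (Get-AzWvdWorkspace -ResourceGroupName $rg -Name 'ws-avd').Id         = @('Checkpoint','Error','Management','Feed')
    (Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'dag-corp').Id = @('Checkpoint','Error','Management')
}
foreach ($id in $targets.Keys) {
    $logs = $targets[$id] | ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $_ }
    New-AzDiagnosticSetting -Name 'to-law-avd' -ResourceId $id -WorkspaceId $law.ResourceId -Log $logs | Out-Null
}

# Examiner question 1: sign-ins to the AVD apps from outside the US, with the CA outcome.
$kqlSignIns = @'
SigninLogs
| where TimeGenerated > ago(30d)
| where AppDisplayName in ("Azure Virtual Desktop", "Windows Virtual Desktop",
                           "Microsoft Remote Desktop", "Windows Cloud Login")
| extend Country   = tostring(LocationDetails.countryOrRegion),
         Compliant = tobool(DeviceDetail.isCompliant),
         DeviceOS  = tostring(DeviceDetail.operatingSystem)
| where Country != "US"
| project TimeGenerated, UserPrincipalName, Country, IPAddress, DeviceOS, Compliant,
          ConditionalAccessStatus, ResultType, ResultDescription
| order by TimeGenerated desc
'@

# Examiner question 2: the session-side record, which host served whom, from which client.
$kqlSessions = @'
WVDConnections
| where TimeGenerated > ago(30d) and State == "Connected"
| summarize Sessions = count(), Clients = make_set(ClientType), ClientIPs = make_set(ClientSideIPAddress)
         by UserName, SessionHostName, Day = bin(TimeGenerated, 1d)
| order by Day desc
'@

foreach ($q in $kqlSignIns, $kqlSessions) {
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $q -Timespan (New-TimeSpan -Days 30)
    $r.Results | Format-Table -AutoSize
}
```

The two queries answer different halves of "who accessed what, from where, on which device": SigninLogs carries the identity, geography, and conditional access verdict; WVDConnections carries the session host and client. A non-US row in the first query with ConditionalAccessStatus of "success" and no matching row in the second is the report-only gap you want to find during the pilot, not after.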

Host Hardening & RBAC

What it does: Session host VMs are hardened with CIS benchmarks, Trusted Launch (Secure Boot + vTPM), and Windows LAPS for local administrator passwords. Azure RBAC limits who can manage AVD resources, with built-in roles such as Desktop Virtualization Reader, Desktop Virtualization Contributor, Desktop Virtualization Host Pool Contributor, and Desktop Virtualization User Session Operator.

How ABT configures it: CIS Level 1 security baseline applied to all session host images. Network Level Authentication (NLA) enforced for RDP. Windows LAPS randomizes local admin passwords every 24 hours (no shared local admin credentials across session hosts). Privileged Identity Management (PIM) configured for just-in-time elevation of administrative roles. No standing admin access to session hosts.

Why it matters for examiners: FFIEC expects least-privilege access and hardened configurations for all systems in scope. PIM with JIT elevation means administrative access is time-bound, MFA-protected, and fully logged. No one has permanent admin rights to your virtual desktop infrastructure.
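A check that the hardening this layer promises is actually present on every session host, as an added example and not ABT's monitoring: it walks a host pool, reads each VM's security profile for Trusted Launch, Secure Boot, and vTPM, and looks for the Defender for Endpoint extension. The resource group and host pool names are placeholders; the MDE.Windows extension type is the one Microsoft's Defender for Servers onboarding installs, so confirm it matches how your hosts were onboarded (Intune-onboarded hosts may carry no extension at all, in which case check Defender's device inventory instead).

```powershell
# Added example, not ABT's tooling. Assumed placeholders: resource group 'rg-avd-prod',
# host pool 'hp-corp'. Requires Az.DesktopVirtualization and Az.Compute.
$rg = 'rg-avd-prod'; $pool = 'hp-corp'

function Get-SessionHostHardening {
    param([string]$ResourceGroupName, [string]$HostPoolName)
    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        # ResourceId is the VM's ARM ID: /subscriptions/../resourceGroups/<rg>/../virtualMachines/<vm>
        $parts = $sh.ResourceId -split '/'
        $vmRg  = $parts[4]; $vmName = $parts[-1]
        $vm    = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
        $sec   = $vm.SecurityProfile
        $mde   = Get-AzVMExtension -ResourceGroupName $vmRg -VMName $vmName -ErrorAction SilentlyContinue |
                 Where-Object { $_.ExtensionType -eq 'MDE.Windows' }
        [pscustomobject]@{
            SessionHost   = $sh.Name
            Status        = $sh.Status
            TrustedLaunch = $sec.SecurityType -eq 'TrustedLaunch'
            SecureBoot    = [bool]$sec.UefiSettings.SecureBootEnabled
            vTPM          = [bool]$sec.UefiSettings.VTpmEnabled
            DefenderExt   = [bool]$mde
            VmSize        = $vm.HardwareProfile.VmSize
        }
    }
}

$findings = Get-SessionHostHardening -ResourceGroupName $rg -HostPoolName $pool
$gaps = $findings | Where-Object { -not ($_.TrustedLaunch -and $_.SecureBoot -and $_.vTPM -and $_.DefenderExt) }
if ($gaps) {
    Write-Warning ('{0} of {1} session hosts fail the hardening baseline' -f $gaps.Count, $findings.Count)
    $gaps | Format-Table -AutoSize
} else {
    'All {0} session hosts in {1} report Trusted Launch, Secure Boot, vTPM and Defender.' -f $findings.Count, $pool
}
```

Trusted Launch cannot be switched on after the fact for a Gen1 VM, so a host that fails this check is rebuilt from the golden image rather than patched in place; that is also why the check belongs in the monthly image-update cycle and not only at deployment.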

Any Device. Your Rules.

Azure Virtual Desktop decouples the desktop experience from the physical device. That means you can support corporate-owned laptops, branch thin clients, and personal devices under a single, policy-enforced framework.

Corporate Managed

Intune-enrolled, compliant devices. Full AVD access with clipboard, drive redirection, and printing enabled. The device is managed, patched, and encrypted by IT. This is the highest-trust tier.

Conditional access confirms: Intune compliance (encryption on, antivirus current, OS patched), hybrid or Entra ID joined, approved location or VPN. Users get the full desktop experience with no restrictions.

BYOD / Personal

Unmanaged personal devices. AVD access restricted to web client only (no native client). Clipboard disabled. Drive mapping disabled. Printing disabled. Screen capture protection active. The user gets a productive workspace. No data leaves Azure.

Conditional access confirms: MFA completed, Entra ID registered (not joined), approved location. Session idle timeout reduced to 10 minutes. Users understand the restrictions are the trade-off for using their own device.

Thin Client / Kiosk

Dedicated thin clients at branch locations. No local OS to manage. Boot directly into the AVD login screen. Clipboard and drive redirection configured per branch policy. Printing to local printers enabled via Universal Print or AVD printer redirection.

Thin clients from Dell Wyse, HP, or IGEL run a locked-down OS that connects directly to AVD. No local data storage. No local applications. If the device fails, swap it with another thin client. The user logs in and their desktop is there.

Policy control | Corporate Managed | BYOD / Personal | Thin Client / Kiosk
Clipboard redirection | Enabled | Disabled | Configurable per branch
Drive mapping | Enabled (with DLP) | Disabled | Disabled
Printer redirection | Enabled | Disabled | Enabled (local printers)
Screen capture protection | Enabled | Enabled | Enabled
USB device access | Whitelisted devices only | Disabled | Disabled
Session idle timeout | 15 minutes | 10 minutes | 15 minutes
MFA required | Yes | Yes | Yes
Connection method | Native client or web | Web client only | Native client
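The control matrix above, and the session controls and BYOD passages earlier on this page, expressed as configuration. This is an added example, not ABT's deployed settings: it assumes one host pool per trust tier (placeholders hp-corp and hp-byod in resource group rg-avd-prod), Entra-joined session hosts, and that the thin-client tier reuses the corporate pool with branch-specific overrides. The host pool's custom RDP properties carry the redirection rules, because redirection is enabled by default on a new pool and conditional access cannot turn it off; the session host registry carries screen capture protection, watermarking, timeouts, and NLA. The USB device class GUID is the Windows imaging-device class, used here as an illustration of an allow-list; substitute the classes your branches actually need.

```powershell
# Added example (not ABT's configuration). Placeholders: resource group 'rg-avd-prod',
# host pools 'hp-corp' (corporate managed) and 'hp-byod' (personal devices).
$rg = 'rg-avd-prod'

$rdp = @{
    # Corporate managed: redirection on, USB limited to an allow-list of device setup classes.
    'hp-corp' = @(
        'enablerdsaadauth:i:1',                                            # Entra SSO to the host
        'redirectclipboard:i:1',
        'drivestoredirect:s:*',                                            # local drives visible; DLP governs egress
        'redirectprinters:i:1',
        'usbdevicestoredirect:s:{6bdd1fc6-810f-11d0-bec7-08002be2092f}',   # imaging devices only (assumed need)
        'camerastoredirect:s:',
        'audiocapturemode:i:0'
    )
    # BYOD / personal: display terminal only.
    'hp-byod' = @(
        'enablerdsaadauth:i:1',
        'redirectclipboard:i:0',
        'drivestoredirect:s:',
        'redirectprinters:i:0',
        'usbdevicestoredirect:s:',
        'devicestoredirect:s:',
        'camerastoredirect:s:',
        'redirectsmartcards:i:0',
        'audiocapturemode:i:0'
    )
}
foreach ($pool in $rdp.Keys) {
    $props = ($rdp[$pool] -join ';') + ';'
    Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $props | Out-Null
    "{0,-8} {1}" -f $pool, $props
}

# --- Session host side: bake into the tier's golden image or push via Intune settings catalog ---
# Idle timeout is a host setting, so the BYOD image carries 10 minutes and the corporate image 15.
$isByodImage  = $false                       # set $true when building the hp-byod image
$idleMinutes  = if ($isByodImage) { 10 } else { 15 }
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $ts -Force | Out-Null
$policy = @{
    fEnableScreenCaptureProtect = 2                      # 1 = block capture on client, 2 = client and server
    fEnableWatermarking         = 1                      # QR watermark keyed to the connection ID
    WatermarkingOpacity         = 2000                   # 0-10000
    MaxIdleTime                 = $idleMinutes * 60000   # idle -> disconnect (milliseconds)
    MaxDisconnectionTime        = 60 * 60000             # disconnected 60 min -> sign out
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $ts -Name $name -Value $policy[$name] -Type DWord
}
# NLA: the RDP listener refuses any connection that has not authenticated first.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1 -Type DWord
```

Keeping the corporate and BYOD tiers as separate host pools is what makes the matrix enforceable: RDP properties apply per pool, not per user, so a single pool would have to choose one setting for everyone. The web-client-only rule for BYOD is a matter of which client the users are given and which pool conditional access lets their device reach, not a redirection flag.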

Everything You Need to Run Secure Desktops

ABT manages the full Azure Virtual Desktop stack. Your IT team focuses on supporting users, not maintaining VDI infrastructure. Here is what the platform includes.

  • Windows 11 Multi-Session: Multiple users share a single VM. Reduces Azure compute costs by 30-40% compared to dedicated VMs. Only available in Azure Virtual Desktop, not Windows 365 or on-premises VDI.
  • FSLogix Profile Management: User profiles load in seconds regardless of which host machine they connect to. VHDX containers on Azure Files Premium with identity-based authentication and per-user NTFS ACLs.
  • MSIX App Attach: Applications delivered on-demand without baking them into the VM image. Updates deploy in minutes, not hours. Keep separate app versions (pilot, QA, production) and assign them to different user groups.
  • DLP and Sensitivity Labels: Microsoft Purview enforces data loss prevention on virtual desktops. Sensitivity labels follow documents from desktop to email to SharePoint. Four GLBA-specific sensitive information types configured by default.
  • Disaster Recovery: If your office goes down, your desktops keep running in Azure. Multi-region host pools with FSLogix profile replication provide failover measured in minutes. Business continuity without secondary sites.
  • Native Autoscaling: VMs spin up before business hours and deallocate after. Capacity-based triggers add session hosts when utilization exceeds threshold. Schedule-based rules handle predictable demand patterns. Saves 25-40% on compute costs.
  • RemoteApp Publishing: Deliver individual applications without a full desktop session. Users see Encompass or PointCentral appear as a window on their local desktop, but the application runs in Azure. Only available in AVD, not Windows 365.
  • Trusted Launch: Gen2 VMs with Secure Boot, vTPM, and virtualization-based security. Measured boot verifies session host integrity at every startup. Microsoft Defender for Cloud monitors trusted launch status.
  • Screen Capture Protection: Prevents screenshots and screen recording from the local endpoint device. When enabled, screen sharing tools on the local machine capture a blank or blacked-out screen instead of the AVD session content.
  • Watermarking: Overlays a visible or invisible watermark on the AVD session with the user's identity and connection details. If someone photographs the screen, the watermark traces the image back to the specific user and session.
  • Azure Monitor Integration: Dashboards tracking host health, session latency, FSLogix performance, user connection patterns, and Azure cost trends. Custom KQL queries for examiner-ready reporting. Alerting on anomalous connection patterns.
  • Windows LAPS: Local administrator passwords randomized every 24 hours on each session host. No shared local admin credentials. Removes the shared-local-admin path for pass-the-hash and lateral movement across your virtual desktop fleet.

Your Applications, Running in Azure

Azure Virtual Desktop runs full Windows 11 desktops. If an application runs on a Windows PC today, it runs on AVD. ABT validates every application in your stack during the assessment phase. These are the applications we deploy most often for financial institutions.

Encompass (ICE)

Full Encompass client with SmartClient, plugins, and SDK integrations. D4as v5 VM sizing for optimal performance.

Byte Software

Loan origination and processing. Tested with BytePro Enterprise and all standard configurations.

PointCentral

ABT's lock tracking platform. Runs natively on AVD session hosts with full COM integration.

Microsoft 365

Outlook, Word, Excel, PowerPoint, Teams, OneDrive. Optimized for multi-session with Teams media optimization.

MortgageExchange

ABT's post-close document exchange platform. Full integration with LOS systems and investor delivery.

Power BI Desktop

Business intelligence and reporting. Full Power BI Desktop client with direct query and import mode support.

Core Banking (Symitar, DNA, Corelation)

Browser-based core systems run in the AVD browser. Thick-client cores connect through VNet peering to on-premises servers.

Adobe Acrobat

PDF viewing, editing, signing, and form filling. Acrobat Pro and Reader tested on multi-session hosts.

Compliance Tools (Ncontracts, Quantivate)

Browser-based compliance and risk management platforms. Full functionality through the AVD browser or installed client.

Printing & Scanning

Microsoft Universal Print for cloud-managed printers. AVD printer redirection for local branch printers. Scanner integration via TWAIN.

Document Management

SharePoint, OneDrive, and third-party DMS platforms. DocumentGuardian for secure file transfer. All file operations stay in Azure.

Custom & Legacy Applications

Win32 apps, .NET desktop apps, Java clients, and legacy 32-bit applications. If it runs on Windows, it runs on AVD. ABT tests every custom app during assessment.

Built on Certified Infrastructure

Azure Virtual Desktop runs on Microsoft Azure, which holds the broadest set of compliance certifications of any cloud provider. ABT layers financial-services-specific controls on top of Azure's certified foundation.

Azure Certified

SOC 2 Type II

Azure's SOC 2 Type II attestation covers security, availability, processing integrity, and confidentiality. The audit is performed annually by an independent third party under AICPA SSAE 18 standards.

Financial institutions can request Azure's SOC 2 report through the Microsoft Service Trust Portal to support their own vendor due diligence and examiner review processes.

Azure Certified

ISO 27001 / 27017 / 27018

Azure is certified under ISO 27001 (information security management), ISO 27017 (cloud security controls), and ISO 27018 (protection of personal data in the cloud). These certifications are renewed annually.

Examiners familiar with NIST CSF mapping often reference ISO 27001 controls. Azure's certification provides evidence that the underlying infrastructure meets internationally recognized security standards.

Azure Certified

FedRAMP High

Azure Government regions hold FedRAMP High authorization, the highest level of cloud security authorization from the U.S. federal government. While most financial institutions use Azure Commercial, the FedRAMP certification demonstrates the depth of Microsoft's security controls.

FedRAMP High maps to NIST SP 800-53 Rev. 5 controls, which overlap significantly with the controls examiners expect under FFIEC guidance.

Regulatory

FFIEC IT Examination Handbooks

FFIEC IT Examination Handbooks cover remote access, cloud computing, and authentication for financial institutions. Azure provides a cloud security diagnostic tool and FFIEC workbook companion that map Azure controls to FFIEC requirements.

ABT configures AVD deployments to address specific FFIEC expectations: multi-factor authentication, session logging, network segmentation, least-privilege access, data encryption, and incident response capabilities. Each control is documented and testable.

Regulatory

GLBA Safeguards Rule

The Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions to protect the security and confidentiality of customer financial information. The FTC Safeguards Rule (updated 2023) adds specific requirements for encryption, access controls, and monitoring.

AVD addresses GLBA requirements through: data encryption at rest and in transit, conditional access for authentication, DLP for data movement controls, audit logging for monitoring, and session controls that prevent unauthorized data transfer from virtual desktops.

Regulatory

NCUA Cloud Computing Guidance

NCUA (credit unions) and OCC/FDIC (banks) issue cloud computing guidance requiring due diligence, ongoing monitoring, and documented controls for cloud service provider relationships. Azure's SOC reports, independent audits, and compliance certifications satisfy the core vendor oversight requirements.

ABT serves as the managed service layer between your institution and Azure. Our SOC 2 practices, documented change management, and monthly reporting give examiners the vendor oversight evidence they expect from a cloud-managed service relationship.

Predictable Costs. Transparent Billing.

AVD costs depend on the number of users, VM sizes, storage, and how aggressively you optimize. ABT provides a detailed cost estimate during the assessment. Here are three scenarios we see most often with financial institutions.

Multi-Session Pooled

$12-25
per user / month

Best for: Loan processors, tellers, seasonal staff. Standard Office + Encompass workloads on shared VMs.

How it works: 8-16 users share a D8as v5 or D16as v5 session host. Autoscaling deallocates VMs outside business hours. Reserved instances lock in 1-year or 3-year rates.

What drives cost down: Multi-session sharing, autoscaling (VMs run ~60 hrs/week instead of 168), and reserved instances. One client runs 120 users on 8 session hosts at $14/user/month.

Includes compute, storage, and FSLogix. Excludes M365 licensing.

Windows 365 (Comparison)

$41-66
per user / month (fixed)

Best for: Small teams wanting zero Azure management. Fixed monthly bill. Predictable budgeting with no usage-based surprises.

How it works: Fixed SKU (2 vCPU / 8 GB at $41 or 4 vCPU / 16 GB at $66). Microsoft manages the infrastructure. Each user gets a persistent Cloud PC.

The trade-off: No multi-session sharing (every user pays full price). No autoscaling (you pay 24/7 regardless of usage). No custom VM sizes. Limited compliance controls compared to AVD.

Per-user license from Microsoft. Requires M365 E3 or E5.

The levers ABT manages to control your costs:

Reserved Instances: Commit to 1-year or 3-year terms for your base capacity. Savings of 30-40% compared to pay-as-you-go pricing. ABT calculates the optimal reserved instance quantity based on your minimum weekday user count.

Autoscaling: VMs that run 60 hours per week instead of 168 cost 64% less. ABT configures ramp-up schedules aligned to your business hours, capacity thresholds that add session hosts during demand spikes, and ramp-down schedules that drain sessions gracefully before deallocating.
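To show how the schedule-based minimums, the capacity-based trigger, and graceful ramp-down from the Native Autoscaling feature and the paragraph above combine into VM-hours, here is an added hour-by-hour simulation. It is an illustration written for this page, not ABT's or Microsoft's scaling-plan code; the phase boundaries, thresholds, 16-session host size, and the week of demand (built to resemble the 120-user client mentioned earlier) are all assumptions.

```python
"""Hour-by-hour simulation of an AVD scaling plan (schedule-based minimums plus a
capacity-based scale-out trigger) against a constructed week of session demand.
Added illustration, not ABT's or Microsoft's code; thresholds and the demand
curve below are assumptions chosen to resemble the page's 120-user example."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional

SESSIONS_PER_HOST = 16  # assumption: pooled Windows 11 multi-session host holding up to 16 users


@dataclass(frozen=True)
class Phase:
    name: str
    start: int                           # hour of day, inclusive
    end: int                             # hour of day, exclusive
    min_hosts: int                       # schedule-based rule: hosts kept on regardless of load
    capacity_threshold: Optional[float]  # capacity-based rule: add a host above this used fraction


WEEKDAY_PLAN: List[Phase] = [
    Phase("off-peak", 0, 6, min_hosts=0, capacity_threshold=None),
    Phase("ramp-up", 6, 8, min_hosts=3, capacity_threshold=0.60),
    Phase("peak", 8, 18, min_hosts=4, capacity_threshold=0.80),
    Phase("ramp-down", 18, 20, min_hosts=1, capacity_threshold=None),
    Phase("off-peak", 20, 24, min_hosts=0, capacity_threshold=None),
]
WEEKEND_PLAN: List[Phase] = [Phase("off-peak", 0, 24, min_hosts=0, capacity_threshold=None)]


def phase_for(plan: List[Phase], hour: int) -> Phase:
    for phase in plan:
        if phase.start <= hour < phase.end:
            return phase
    raise ValueError(f"no phase covers hour {hour}")


def hosts_needed(sessions: int, phase: Phase, max_hosts: int) -> int:
    """Hosts that must be powered on this hour.

    A host is never deallocated while it still carries sessions (graceful drain),
    so the floor is whatever holds the current sessions, or the schedule minimum.
    In phases with a capacity trigger, hosts are added until used capacity drops
    below the threshold or the pool limit is reached.
    """
    hosts = max(phase.min_hosts, ceil(sessions / SESSIONS_PER_HOST))
    if phase.capacity_threshold is not None:
        while hosts < max_hosts and sessions > phase.capacity_threshold * hosts * SESSIONS_PER_HOST:
            hosts += 1
    return hosts


def sample_demand() -> List[int]:
    """Constructed concurrent-session counts for one week, index 0 = Monday 00:00."""
    weekday = [0] * 6 + [15, 45] + [100] * 5 + [120] + [100] * 4 + [40, 10] + [0] * 4
    assert len(weekday) == 24
    return weekday * 5 + [0] * 48


def simulate_week(demand: List[int], max_hosts: int) -> Dict[str, float]:
    """Return VM-hours consumed, the always-on baseline for the same fleet, and the saving."""
    vm_hours = 0
    peak_hosts = 0
    for hour_index, sessions in enumerate(demand):
        day, hour = divmod(hour_index, 24)
        plan = WEEKDAY_PLAN if day < 5 else WEEKEND_PLAN
        hosts = hosts_needed(sessions, phase_for(plan, hour), max_hosts)
        vm_hours += hosts
        peak_hosts = max(peak_hosts, hosts)
    always_on = peak_hosts * len(demand)   # the peak fleet left running all 168 hours
    return {
        "vm_hours": vm_hours,
        "peak_hosts": peak_hosts,
        "always_on_hours": always_on,
        "savings_pct": round(100 * (1 - vm_hours / always_on), 1),
    }


if __name__ == "__main__":
    print(simulate_week(sample_demand(), max_hosts=10))
```

With these assumptions the pool burns 94 VM-hours per weekday (3 and 5 hosts during ramp-up, 8 at the 100-session plateau, a tenth host for the one-hour spike, then 3 and 1 while sessions drain) and nothing at the weekend, 470 VM-hours for the week against 1,680 for the same ten hosts left on around the clock. The exact percentage depends on the demand curve; the point of the model is that the floor is set by sessions still on a host, not by the clock, which is what makes ramp-down graceful.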

Right-Sizing: The most common AVD cost mistake is over-provisioning VM sizes. ABT captures actual performance data during assessment and selects VM SKUs based on measured workloads, not vendor estimates. A D4as v5 costs twice as much as a D2as v5. If your users do not need the extra resources, you should not be paying for them.

Storage Optimization: FSLogix profile containers on Azure Files Premium for active users, Standard for inactive profiles. Directory exclusions (Downloads, Videos, temporary files) keep container sizes under 30 GB. Storage tiering moves cold data to cheaper tiers automatically.

Azure Virtual Desktop FAQ

Azure Virtual Desktop is a cloud-native desktop virtualization service from Microsoft that runs entirely in Azure. Unlike traditional VDI that runs on on-premises servers you purchase and maintain, AVD eliminates all VDI hardware. Microsoft manages the control plane (gateway, broker, web access, diagnostics), and ABT manages the host pools, images, networking, and user access. AVD supports Windows 11 Enterprise multi-session, which allows 8-16 users to share a single VM. Multi-session is only available in Azure, not on-premises or in other clouds.

Yes. Encompass runs on Azure Virtual Desktop the same way it runs on a local PC. ABT configures the host pool with the correct CPU, RAM, and storage specifications for Encompass performance requirements (typically D4as v5 VMs with 4 vCPUs and 16 GB RAM). Loan officers connect from any device and get a full Windows 11 desktop with Encompass, SmartClient, all LOS plugins, Office apps, and browser access preinstalled. FSLogix profile containers preserve their Encompass settings, recent files, and desktop customizations across sessions.

AVD centralizes data in Azure datacenters with SOC 2 Type II, ISO 27001, and FedRAMP certifications. Conditional access policies enforce MFA and device compliance before connection. Session logging tracks sign-in events, data access, and policy enforcement in Azure Monitor with 365-day retention. DLP policies prevent unauthorized data transfer through clipboard, drive mapping, and file download controls. ABT configures all eight security layers (identity, network, encryption, endpoint, DLP, session controls, audit logging, and host hardening) as part of every AVD deployment. Azure provides an FFIEC cloud security diagnostic tool that maps Azure controls to specific FFIEC examination requirements.

AVD cost depends on the number of users, VM sizes, storage requirements, and optimization strategy. Most financial institutions running 50-200 users on multi-session pooled desktops see monthly Azure costs between $12 and $25 per user. Personal persistent desktops for power users cost $40-80 per user per month. For comparison, Windows 365 Cloud PCs with similar specs cost $41-66 per user with no multi-session option. ABT provides a detailed cost estimate during the assessment, including reserved instance savings, autoscaling projections, and right-sizing recommendations based on your actual workload measurements.

A standard AVD deployment takes 4-6 weeks. Week 1 covers assessment, application inventory, performance baselining, and Azure sizing. Week 2 focuses on infrastructure build: host pool configuration, golden image creation with all applications, FSLogix setup, and conditional access policy drafting. Week 3 handles application validation, security hardening, and network connectivity testing. Weeks 4-5 are pilot testing with 5-15 users, autoscaling calibration, and conditional access enforcement. Week 6 is full rollout with user training and help desk enablement. ABT manages the entire process and provides ongoing managed operations after deployment.

Azure Virtual Desktop is a Platform as a Service (PaaS) that gives you full control over the infrastructure: custom VM sizes, multi-session sharing, autoscaling, network segmentation, and granular security policies. Windows 365 is a Software as a Service (SaaS) that provides a fixed Cloud PC per user with Microsoft managing the infrastructure. AVD is more cost-effective for organizations with variable usage patterns, seasonal workforces, or compliance requirements that demand granular control. Windows 365 is simpler for small teams wanting predictable monthly bills without Azure expertise. ABT recommends AVD for financial institutions because of the cost optimization, compliance controls, and scaling flexibility it provides.

Yes, with appropriate policy controls. ABT configures tiered device policies: corporate-managed devices get full access (clipboard, drive redirection, printing), while BYOD devices connect through the web client only with clipboard, drive mapping, and printing disabled. Screen capture protection prevents screenshots from the local device. Session idle timeouts are shortened for BYOD connections. Conditional access enforces MFA and can restrict BYOD access to approved locations. The key principle is that data never leaves Azure. The personal device receives only display pixels. A lost or compromised personal device has zero access to institutional data.

Your desktops keep running in Azure. The VMs, applications, and data are unaffected by local office outages. Users reconnect from any location with internet access: home, a coffee shop, their mobile hotspot, or another branch. In-progress work is preserved in the session (disconnected sessions remain active for 60 minutes by default). For institutions requiring regional redundancy, ABT can configure multi-region host pools with FSLogix profile replication. If the primary Azure region experiences an outage, users fail over to the backup region with their profiles intact. Azure's 99.9% SLA applies to the AVD service. The practical uptime for most deployments exceeds 99.95%.
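The tiered device policy in the BYOD answer above (managed devices keep clipboard, drive and printer redirection; personal devices get display pixels only) is enforced per host pool through the pool's RDP properties. The following added example, not ABT's code, expresses the two tiers as redirection baselines, parses the customRdpProperty string a host pool carries, and audits a pool for drift from its tier. The property names are standard RDP settings; the specific baselines, the tier names, and the pool strings are assumptions made for this illustration.

```python
"""Tier-based redirection baselines for AVD host pools and an audit that reports
drift from them. Added illustration, not ABT's code; the baselines are
assumptions that follow the managed-vs-BYOD split described in the FAQ."""
from typing import Dict, List

# customRdpProperty names are standard RDP file settings; 'i' = integer, 's' = string.
# An empty string value ('s:') means no devices of that kind are redirected.
TIER_BASELINE: Dict[str, Dict[str, str]] = {
    "managed": {                      # corporate-managed, compliant endpoint
        "redirectclipboard": "i:1",
        "drivestoredirect": "s:*",
        "redirectprinters": "i:1",
    },
    "byod": {                         # personal device: display pixels only
        "redirectclipboard": "i:0",
        "drivestoredirect": "s:",
        "redirectprinters": "i:0",
        "usbdevicestoredirect": "s:",
        "camerastoredirect": "s:",
        "audiocapturemode": "i:0",
    },
}


def parse_rdp_properties(custom: str) -> Dict[str, str]:
    """Parse 'name:type:value;name:type:value;...' into {name: 'type:value'}."""
    props: Dict[str, str] = {}
    for item in custom.split(";"):
        if not item.strip():
            continue
        name, kind, value = item.split(":", 2)   # value may itself contain ':' (drive paths)
        props[name.strip().lower()] = f"{kind.strip()}:{value.strip()}"
    return props


def render_rdp_properties(props: Dict[str, str]) -> str:
    """Inverse of parse_rdp_properties; each property ends with ';'."""
    return "".join(f"{name}:{value};" for name, value in props.items())


def baseline_string(tier: str) -> str:
    """The customRdpProperty string a pool of this tier should carry."""
    return render_rdp_properties(TIER_BASELINE[tier])


def audit_pool(tier: str, custom: str) -> List[str]:
    """Findings where a pool's customRdpProperty deviates from its tier baseline.

    A property that is simply absent is reported too: an unset redirection falls
    back to the client's own default rather than to 'disabled', so a BYOD pool
    must state every restriction explicitly.
    """
    actual = parse_rdp_properties(custom)
    findings = []
    for name, expected in TIER_BASELINE[tier].items():
        got = actual.get(name)
        if got != expected:
            shown = got if got is not None else "unset (client default applies)"
            findings.append(f"{name}: expected {expected}, found {shown}")
    return findings


if __name__ == "__main__":
    # Constructed example of a BYOD pool that has drifted: clipboard re-enabled,
    # USB/camera/audio-capture never set.
    drifted = "drivestoredirect:s:;redirectprinters:i:0;redirectclipboard:i:1;"
    for finding in audit_pool("byod", drifted):
        print(finding)
```

Run against the drifted string, the audit reports four findings: the clipboard flipped back to enabled and three redirections never set. A check like this fits naturally into the change-management step the page describes, run after any host pool update and before the pool is exposed to personal devices.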

Talk to an Expert

Ready for Secure Virtual Desktops?

Tell us about your current desktop environment, remote access setup, and the applications your team needs. An ABT cloud specialist will design an AVD solution for your institution.
