Azure Virtual Desktop on Confidential VMs: Hardware-Level Zero Trust Security

DCasv6 and ECasv6 Confidential VMs are now generally available worldwide as of January 2026. For Azure Virtual Desktop, this means session hosts with memory encryption that blocks access even from cloud administrators.

The Problem: Trust in the Cloud

With traditional VMs, we trust that cloud providers won’t access our data. However, regulatory compliance (GDPR, HIPAA, PCI-DSS) demands verifiable control.

Confidential Computing solves this dilemma: Hardware-based attestation provides cryptographic proof that:

DCasv6 vs. ECasv6: Choosing the Right VM for AVD

Property | DCasv6-series | ECasv6-series
--- | --- | ---
Use Case | General Purpose | Memory-optimized
Max vCPUs | 96 | 96
Max RAM | 384 GiB | 672 GiB
Memory-to-vCPU | 4 GiB/vCPU | 8 GiB/vCPU
Ideal For | Standard AVD Workloads | CAD, Data Analytics, Medical Imaging

What Makes AMD SEV-SNP Special?

Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP) is AMD’s fourth-generation Confidential Computing technology:

+-----------------------------------------------------------+
|               Guest VM (AVD Session Host)                 |
|   +---------------------------------------------------+   |
|   |           Encrypted Memory (AES-256)              |   |
|   |   User Profiles | Office Docs | Credentials       |   |
|   +---------------------------------------------------+   |
+-----------------------------------------------------------+
|                   Hypervisor (Azure)                      |
|          [X] No access to encrypted RAM                   |
+-----------------------------------------------------------+
|              AMD EPYC 4th Gen Processor                   |
|               SEV-SNP Hardware Security                   |
|        [!] Keys available only inside processor           |
+-----------------------------------------------------------+

Key Benefits:

Feature | Description
--- | ---
Memory Encryption | AES-256 enabled by default
Integrity Protection | SNP prevents replay and swap attacks
Attestation | Cryptographic proof of VM integrity
Offline Key Rotation | Manual key rotation supported (not auto)
Boot Integrity | Secure Boot verified at hardware level

Creating an AVD Host Pool with Confidential VMs

Prerequisites

ARM Template for Confidential AVD Session Hosts

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "defaultValue": "avd-cvm"
    },
    "vmSize": {
      "type": "string",
      "defaultValue": "Standard_DC4as_v6",
      "allowedValues": [
        "Standard_DC4as_v6",
        "Standard_DC8as_v6",
        "Standard_DC16as_v6",
        "Standard_DC32as_v6",
        "Standard_EC4as_v6",
        "Standard_EC8as_v6",
        "Standard_EC16as_v6",
        "Standard_EC32as_v6"
      ]
    },
    "adminUsername": {
      "type": "string"
    },
    "adminPassword": {
      "type": "securestring"
    },
    "nicResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource ID of an existing network interface for the session host"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2024-03-01",
      "name": "[parameters('vmName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "securityProfile": {
          "securityType": "ConfidentialVM",
          "uefiSettings": {
            "secureBootEnabled": true,
            "vTpmEnabled": true
          }
        },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "storageProfile": {
          "osDisk": {
            "createOption": "FromImage",
            "managedDisk": {
              "storageAccountType": "Premium_LRS",
              "securityProfile": {
                "securityEncryptionType": "VMGuestStateOnly"
              }
            }
          },
          "imageReference": {
            "publisher": "MicrosoftWindowsDesktop",
            "offer": "windows-11",
            "sku": "win11-24h2-avd",
            "version": "latest"
          }
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[parameters('nicResourceId')]"
            }
          ]
        }
      }
    }
  ]
}

Security Profile Options Explained

securityEncryptionType | Description | MAA Required
--- | --- | ---
VMGuestStateOnly | vTPM and firmware encrypted | No
DiskWithVMGuestState | OS disk + vTPM encrypted | Yes

Recommendation: For AVD, start with VMGuestStateOnly. This enables Confidential Computing without additional attestation infrastructure.
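A deployment template only proves intent; the property a compliance check must read back is the one the platform actually applied. The following is an added example (not code from the original article or from Microsoft) that audits every VM in an AVD resource group and reports whether it is really a Confidential VM with the security profile described above. It assumes the Az.Compute module and an existing Connect-AzAccount session; the resource group name and the size pattern (derived from the allowed sizes in the template) are assumptions for the example.

```powershell
# Added example: audit AVD session hosts for the Confidential VM security profile.
# Assumes Az.Compute is installed and Connect-AzAccount has been run.
$resourceGroup = "rg-avd-confidential"   # assumed name for the example

# DCasv6/ECasv6 SKUs follow the Standard_DC<n>as_v6 / Standard_EC<n>as_v6 naming from the template
$cvmSizePattern = '^Standard_(DC|EC)\d+as_v6$'

function Test-ConfidentialSessionHost {
    param([Parameter(Mandatory)] $Vm)

    $security       = $Vm.SecurityProfile
    $osDiskSecurity = $Vm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile
    $findings       = @()

    if ($security.SecurityType -ne 'ConfidentialVM') {
        $findings += "securityType is '$($security.SecurityType)' (expected ConfidentialVM)"
    }
    # A null SecurityProfile (plain VM) also fails these two checks, which is the intended result
    if (-not $security.UefiSettings.SecureBootEnabled) { $findings += 'Secure Boot disabled' }
    if (-not $security.UefiSettings.VTpmEnabled)       { $findings += 'vTPM disabled' }
    if ($Vm.HardwareProfile.VmSize -notmatch $cvmSizePattern) {
        $findings += "size $($Vm.HardwareProfile.VmSize) is not a DCasv6/ECasv6 SKU"
    }
    if ($osDiskSecurity.SecurityEncryptionType -notin @('VMGuestStateOnly', 'DiskWithVMGuestState')) {
        $findings += "OS disk securityEncryptionType is '$($osDiskSecurity.SecurityEncryptionType)'"
    }

    [pscustomobject]@{
        Name             = $Vm.Name
        Size             = $Vm.HardwareProfile.VmSize
        SecurityType     = $security.SecurityType
        OsDiskEncryption = $osDiskSecurity.SecurityEncryptionType
        Compliant        = ($findings.Count -eq 0)
        Findings         = ($findings -join '; ')
    }
}

$report = Get-AzVM -ResourceGroupName $resourceGroup | ForEach-Object { Test-ConfidentialSessionHost -Vm $_ }
$report | Format-Table Name, Size, SecurityType, OsDiskEncryption, Compliant, Findings -AutoSize

# A non-zero exit code lets the script act as a gate in a deployment pipeline
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it after every host pool scale-out: a session host added by an image or autoscale path that omitted securityType silently falls back to a standard VM, and only the applied profile reveals that.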

Attestation: Cryptographic Proof of Security

Microsoft Azure Attestation (MAA) verifies the integrity of your Confidential VMs:

# Create Azure Attestation Provider
$attestationName = "avdattestation"
$resourceGroup = "rg-avd-confidential"
$location = "eastus"

New-AzAttestationProvider `
    -Name $attestationName `
    -ResourceGroupName $resourceGroup `
    -Location $location

# Get Attestation URI
$attestUri = (Get-AzAttestationProvider -Name $attestationName -ResourceGroupName $resourceGroup).AttestUri

Write-Host "Attestation Endpoint: $attestUri"

Retrieving the Attestation Quote from the VM

On the Confidential VM, you can request the hardware attestation report:

# Fresh 32-byte challenge (CSPRNG; Get-Random is not suitable for a nonce)
$nonce = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
function ConvertTo-Base64Url([byte[]]$Bytes) {   # MAA expects base64url for binary fields
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$nonceB64Url = ConvertTo-Base64Url $nonce

# The raw SEV-SNP report and its runtime data are read from the VM's vTPM with a guest
# attestation tool; they are placeholders here and are not produced by this script
$snpReport   = [byte[]]@()   # <raw SNP report bytes from the vTPM>
$runtimeData = [byte[]]@()   # <runtime data whose hash is bound into the report>

# Validate with MAA; the nonce is echoed in the token, binding the answer to this request
$body = @{ report = ConvertTo-Base64Url $snpReport; nonce = $nonceB64Url
           runtimeData = @{ data = ConvertTo-Base64Url $runtimeData; dataType = "Binary" } } | ConvertTo-Json -Depth 5
$attestationResult = Invoke-RestMethod -Uri "$attestUri/attest/SevSnpVm?api-version=2022-08-01" `
    -Method POST -ContentType "application/json" -Body $body

# The returned JWT carries the verified hardware claims
$attestationResult.token
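A token is only evidence once the relying party has checked it: signature against the provider's published keys, issuer, lifetime, the nonce it sent, and the attestation type. The following is an added example (not code from the original article or from Microsoft) that performs those checks in PowerShell. It assumes $attestUri and $attestationResult from the steps above, that the request carried the challenge in a nonce field as the base64url string $nonceB64Url, that the provider publishes its signing certificates as a JWKS with x5c entries at $attestUri/certs, and that the SEV-SNP token carries the claim x-ms-attestation-type with value sevsnpvm (claim name per MAA documentation; confirm against your provider's tokens).

```powershell
# Added example: verify an MAA token before trusting its claims.
# Assumes $attestUri, $attestationResult and $nonceB64Url from the request above.

function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

function Test-MaaToken {
    param([string]$Token, [string]$ExpectedIssuer, [string]$ExpectedNonce)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Token is not a compact JWS' }
    $header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $claims = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json

    # 1. Signature: locate the signing certificate by kid in the provider's JWKS (assumed at /certs)
    $jwks = Invoke-RestMethod -Uri "$ExpectedIssuer/certs"
    $key  = $jwks.keys | Where-Object { $_.kid -eq $header.kid } | Select-Object -First 1
    if (-not $key) { throw "No signing key with kid $($header.kid)" }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($key.x5c[0]))
    $signedBytes = [Text.Encoding]::ASCII.GetBytes("$($parts[0]).$($parts[1])")
    $ok = $cert.GetRSAPublicKey().VerifyData($signedBytes, (ConvertFrom-Base64Url $parts[2]),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)   # MAA tokens are RS256
    if (-not $ok) { throw 'Signature verification failed' }

    # 2. Issuer and lifetime
    if ($claims.iss.TrimEnd('/') -ne $ExpectedIssuer.TrimEnd('/')) { throw "Unexpected issuer $($claims.iss)" }
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.exp -lt $now -or $claims.nbf -gt $now) { throw 'Token is expired or not yet valid' }

    # 3. Freshness: the challenge sent in the request must come back in the token
    if ($ExpectedNonce -and $claims.nonce -ne $ExpectedNonce) { throw 'Nonce mismatch: token does not answer this request' }

    # 4. Hardware claims: the token must describe a SEV-SNP VM (assumed claim name and value)
    if ($claims.'x-ms-attestation-type' -ne 'sevsnpvm') {
        throw "Unexpected attestation type $($claims.'x-ms-attestation-type')"
    }
    return $claims
}

$verified = Test-MaaToken -Token $attestationResult.token -ExpectedIssuer $attestUri -ExpectedNonce $nonceB64Url
$verified | Select-Object iss, exp, nonce, 'x-ms-attestation-type'
```

Without step 3, a captured token from any healthy Confidential VM would satisfy steps 1, 2 and 4; the nonce is what ties the proof to this session host and this moment.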

Performance: 25% Faster Than v5

The 4th Generation AMD EPYC “Genoa” processors deliver significant performance improvements:

Benchmark | DCasv5/ECasv5 | DCasv6/ECasv6
--- | --- | ---
Integer Operations | Baseline | +25%
Floating Point | Baseline | +28%
Memory Bandwidth | Baseline | +20%
Encryption Overhead | ~3% | ~2%

The encryption overhead is minimal—users won’t notice any performance difference compared to standard VMs.

AVD-Specific Configuration

FSLogix on Confidential VMs

FSLogix Profile Containers work unchanged. For maximum security:

# FSLogix with Azure Files (encrypted)
# Create the Profiles key if it does not exist yet, then enable profile containers
New-Item -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" `
    -Name "Enabled" -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" `
    -Name "VHDLocations" `
    -Value @("\\storageaccount.file.core.windows.net\profiles") `
    -PropertyType MultiString -Force | Out-Null

# Double encryption: Storage + Memory
# Data is encrypted at rest in Azure Files AND in the Confidential VM's RAM while in use

Conditional Access for Confidential Hosts

Restrict access to trusted devices:

{
  "displayName": "Require Confidential VM for sensitive apps",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": ["<AVD-App-ID>"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "devices": {
      "deviceFilter": {
        "mode": "include",
        "rule": "device.trustType -eq \"AzureAD\" -and device.isCompliant -eq True"
      }
    }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["compliantDevice", "mfa"]
  }
}

Important Limitations

Before deploying Confidential VMs for AVD, be aware of these constraints:

Feature | Status
--- | ---
Azure Backup | Not supported
Azure Site Recovery | Not supported
Accelerated Networking | Not supported
Live Migration | Not supported
Auto Key Rotation | Not supported (offline only)
Confidential Disk Encryption | Max 128 GB disk size

Impact for AVD: You’ll need alternative backup strategies (e.g., Azure Files snapshots for profiles). Plan maintenance windows carefully since live migration isn’t available.

Regional Availability (February 2026)

Region | Status
--- | ---
East US | GA
West US | GA
West Europe | GA
North Europe | GA
UK South | GA
Germany West Central | GA
Australia East | GA (Jan 2026)
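General availability in a region does not mean a given subscription can deploy the size there: the SKU can be listed yet carry a restriction for the subscription or for particular zones. The following is an added example (not code from the original article or from Microsoft) that queries the compute SKU catalogue for the DCasv6/ECasv6 sizes in the regions listed above and reports any restriction before a host pool deployment is attempted. It assumes the Az.Compute module and an existing Connect-AzAccount session; the region names are the Azure location identifiers for the table above.

```powershell
# Added example: check DCasv6/ECasv6 SKU availability and restrictions per region.
# Assumes Az.Compute is installed and Connect-AzAccount has been run.
$regions = 'eastus', 'westus', 'westeurope', 'northeurope', 'uksouth', 'germanywestcentral', 'australiaeast'

function Get-ConfidentialSkuAvailability {
    param([Parameter(Mandatory)][string[]]$Location)

    foreach ($region in $Location) {
        $skus = Get-AzComputeResourceSku -Location $region |
            Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -match '^Standard_(DC|EC)\d+as_v6$' }

        if (-not $skus) {
            [pscustomobject]@{ Region = $region; Sku = '(none)'; Available = $false; Restriction = 'SKU not listed in region' }
            continue
        }
        foreach ($sku in $skus) {
            # Restrictions carry a Type (Location or Zone) and a ReasonCode such as NotAvailableForSubscription
            $reasons = ($sku.Restrictions | ForEach-Object { "$($_.Type): $($_.ReasonCode)" }) -join '; '
            [pscustomobject]@{
                Region      = $region
                Sku         = $sku.Name
                Available   = ($sku.Restrictions.Count -eq 0)
                Restriction = $reasons
            }
        }
    }
}

Get-ConfidentialSkuAvailability -Location $regions |
    Sort-Object Region, Sku |
    Format-Table Region, Sku, Available, Restriction -AutoSize
```

A row with Available set to false and a NotAvailableForSubscription reason means a quota or access request is needed for that region before the ARM template above will deploy there.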

Real-World Example: Healthcare with Patient Data

A hospital wants to deploy virtual desktops for physicians:

Requirements:

Solution:

  1. ECasv6 Confidential VMs as session hosts
  2. Azure Files with Customer-Managed Keys for profiles
  3. Azure Attestation verifies boot integrity
  4. Conditional Access allows only compliant devices

Patient --> Compliant Device --> Entra ID MFA --> AVD Gateway --> Confidential VM
                                                                        |
                                                [RAM encrypted, even Azure
                                                 admins see only ciphertext]

Conclusion

DCasv6 and ECasv6 Confidential VMs bring hardware-based security to Azure Virtual Desktop. For industries with strict compliance requirements (healthcare, finance, government), this is the new standard.

Key Takeaways:

The future of AVD is “Confidential by Default.”


Further Reading: