For my fellow tech enthusiasts, this blog offers my insights into this solution.

FIDO2 authentication is frequently asked for and can be seen as an evolution or replacement for the ‘legacy’ smart card secure authentication. FIDO2 improves authentication speeds, and the security sticks are in a user-friendly format.

Connecting to AVD and W365

Connecting to AVD and W365 is a three-step process (simplified), first you authenticate to EntraID web pages, then you authenticate to the Azure Gateways, and finally you Authenticate to the VM you want to remote. With the previous versions of the Microsoft RDClientSDK, the three steps were only possible using credential stuffing – capturing the username and password from the user, and then in a secure manner provide the captured credentials in the connection process.

A Game Changer

To enable FIDO2 authentication, IGEL implemented support for RDSAADAUTH enabled in the RDClientSDK. Simplified, it gives the user the possibility to Authenticate to EntraID, to retrieve a token, RDSAADAUTH then takes this token and presents it to the Azure Gateways and the VM. This is the preferred way of modern Entra Authentication. RDClientSDK version 3, which is the foundation of the IGEL AVD App 1.3.x where the 3 stands for the SDK version that the App is based on gave IGEL access to Microsoft Authentication Library (MSAL) and RDSAADAUTH.

When IGEL built out the configuration to benefit from RDSAADAUTH, the next step was to build the FIDO2 integration. When a user has Security Key authentication method enabled, and Entra calls for a security pin and to prove presence, we needed to add a code to catch that event and provide what Entra requires.
Watch the demo video.

Stay tune to IGEL for the IGEL AVD App 1.3.2 on IGEL App Portal in the next weeks.

More Choice for Users

IGEL will now be able to provide you a choice to access your AVD or Windows365 workloads using the following authentication methods:

• Username/Password + MFA
• Certificate Based Authentication using smart cards
• Certificate Based Authentication using YubiKey PIV
• FIDO2 authentication
• Imprivata Tap-and–Go

That with the many options of customizing the user interface, everything from a clean Kiosk interface ‘Boot to AVD/Windows365’ providing a very simple access stations, to any type of desktop integration, and customization of the user experience with customized graphics, IGEL address any use case so you are not locking yourself into one single service.

I hope you found this useful!

/Fred

Stay tuned to the upcoming blogs on Tips & Tricks with Fred Brattstig.

Related Blogs

For the smart card authentication, MSAL was the key, as it embeds the smart card authentication.
Read the PIV Blog CAC/PIV smart cards, YubiKey and more. Insider Tips on how IGEL OS use both 

I have been playing with specifically YubiKeys, and they come in multiple variants, where I like the YubiKey 5c Nano, in the one user – one device. But for the multi-user – one device I like the YubiKey 5 and 5c better (comes with either USB-A or USB-C interface).

The post FIDO2 Authentication to Azure Virtual Desktop and Windows 365 appeared first on IGEL.

Next week, The Fontainebleau in Miami Beach will be the place to be seen as IT professionals, industry experts, and EUC enthusiasts come together for this four-day event that will highlight innovative strategies, solutions, and insights from IGEL partners, including Nerdio.

We sat down with Dave Fiske, Lead EUC Strategist at Nerdio, to learn more about the company’s collaboration with IGEL and what attendees can expect to see and learn at IGEL Now & Next 2025.

Tell us about your company and how you partner with IGEL. How long have you been an IGEL Ready partner?

Dave Fiske: Nerdio empowers Managed Service Providers (MSPs) and enterprises to build successful cloud practices in Microsoft Azure with Azure Virtual Desktop (AVD) and Windows 365. Nerdio Manager adds value on top of the powerful capabilities in AVD by delivering over 200 additional features to simplify management, ensure efficient operations through automation, and lower compute and storage costs on average between 50-75%. It is the only Azure management platform that allows admins to seamlessly provision and manage deployments of both AVD and Windows 365 interchangeably.

Nerdio has partnered with IGEL for over three years and is featured in the IGEL Ready Partner Showcase.

What are some key trends impacting your partners and customers in 2025, and how is your organization solving these?

Dave Fiske: EUC is growing at an incredible rate. Microsoft’s focus on Windows 365 is driving much excitement in the industry. Nerdio is here to help customers not only expedite their new endeavors but also help them optimize their compute resources and ongoing expenditures.

Why is your organization a sponsor of Now & Next 2025?

Dave Fiske: End-User Computing is the primary focus of Nerdio’s work. We help organizations of all sizes deploy, manage, and cost-optimize native Microsoft technologies. We partner with MSPs and enterprise organizations worldwide to add value to their existing Microsoft investments, such as Azure Virtual Desktop, Windows 365, and Microsoft Intune.

Is this the first time you are sponsoring an IGEL event? If not, what keeps bringing your organization back to these events?

Dave Fiske: Nerdio has been a multiple-time sponsor of an IGEL event, globally and locally. IGEL and Nerdio do not compete; they add value to each other’s offerings.

What will you present to attendees at Now & Next 2025?

Dave Fiske: Nerdio will showcase the simplicity and cost-effectiveness of our deployment and management capabilities for new or existing Microsoft native customers.

What do you hope attendees learn from the content you share at Now & Next 2025?

Dave Fiske: Nerdio and IGEL with AVD or Windows 365 is a combination every organization regardless of size should be looking to implement.

What do you hope to take away from participating in Now & Next 2025?

Dave Fiske: I am personally looking forward to growing our relationship and meeting customers and prospects in the EUC industry in general to help guide them in their futures.

What is one thing you plan to accomplish either personally or professionally in the next three to six months?

Dave Fiske: I am building a showcase environment to include many Nerdio technology partners, which will provide us the opportunity to work to jointly to showcase our technology offerings together.

Register today and meet the Nerdio team at IGEL Now & Next 2025.

The post IGEL and Nerdio – Helping Organizations Worldwide Add Value to Their Existing Microsoft Investments appeared first on IGEL.

What is PIV? PIV is an acronym for ‘Personal Identity Verification’ – which is a US federal government-wide credential. IGEL do support PIV.
What is CAC? CAC is an acronym for ‘Common Access Card’ – Is a standard identification for US defense personell. IGEL supports CAC.
Both PIV and CAC = certificates that validate an identity. Certificates also exist in non-US government environments, like healthcare, government etc. outside of the US – this article apply to all of certificate-based identification scenarios. Throughout this blog I will name everything PIV (as the function YubiKey is named PIV – to store a user identity certificate)

Security keys are becoming more and more popular, and using security keys in remote sessions is crucial. IGEL OS does, through its browsers support Fido2, but when it comes to access of Azure Virtual Desktop and Windows 365 we are waiting for the Fido2 auth support. While waiting, there is another way to use your security keys. Looking at YubiKey, these security keys have a PIV slot, which means that you can install a certificate on the YubiKey and use the certificate on the security key for strong and rapid authentication.

Technically, the YubiKey replaces the smart card, with the benefits of increasing the access performance. Using a YubiKey instead of a common smart card will give definite speed improvements, just by the architecture of the YubiKey, which has a much higher IO rate compared to regular smart cards. Where speed is of essence, YubiKeys are here to help!

The drawback in my view of security keys vs smartcards is the user intervention while inserting and removing the component. It is just more cumbersome to insert a USB stick that doesn’t fit in one way (USB-A variant), this of course gets easier with the USB-C version of YubiKeys. Of course, I’m talking about the roaming user concept.
If you have the benefit of having One User – One device, and can leave the YubiKey in the port, makes it much easier.
Smart cards on the other hand, is usually very easy to insert and remove based on its formfactor.

When using YubiKey PIV, the stick presents itself as a smart card, when inserted in the IGEL OS device, which also means that we can utilize the smartcard watch daemon, which monitors insert and removal actions and allow you to script what should happen when a smart card is inserted or removed.

As you probably understand by now, you can mix users with smart cards and users with PIV security keys, as IGEL OS treats the components equal. this makes it easy for you while transitioning from smart cards to security keys, or just want to have a mix.

To configure IGEL OS to use your security key as a PIV device no additional configuration is needed above what’s explained in this article: https://www.igel.com/blog/authentication-to-windows-365-with-igel-smart-card/

IGEL OS is not specifically tied to Windows 365. If you are using Azure Virtual Desktop (AVD) and Windows 365, or maybe even only AVD, this configuration applies to both environments. You do not need to use Windows 365 specifically.

As a summary, you now know that IGEL OS will enable you to use certificate-based identification to Windows 365 and/or AVD, it might be that you want to streamline the authentication speeds, your are using a mix of security keys and smart cards, or you want to increase the authentication strength for your users accessing your cloud (or local using AVD on Azure Local) desktops.

Let’s have a look att the user experience when logging in to Windows 365 using YubiKey PIV. This is the first Youtube, the second video is using the Yubikey PIV to login to Azure Virtual Desktop:

Hope you found this useful!

/Fred

Stay tuned to the upcoming blogs on Insider Tips with Fred Brattstig.

IT leaders, innovators and security experts will converge at IGEL Now & Next in Miami in March to show the latest solutions and synergies to optimize endpoint management, enhance security, and improve clinical workflows. Click Register Now to view the agenda and keynote speakers.

The post CAC/PIV smart cards, YubiKey and more. Insider Tips on how IGEL OS use both appeared first on IGEL.

Usually our life isn’t binary, very few organizations have the luxury of only having ONE single solution for their IT environment. In this follow-up blog I take the opportunity to show how IGEL OS can be your companion enabling secure certificate-based authentication with EntraID and Smart Card while using both Windows 365 and Azure Virtual Desktop. Many organizations looking and, or using, Azure Virtual Desktop and Windows 365, will in many cases combine both to fulfill different use cases.
Let’s fulfill a simple roaming between stations for your users, that have no interest at all about HOW the IT infrastructure is set up, they just want to do their work, and they certainly don’t care if they connect to a Windows 365 or an Azure Virtual Desktop (AVD) session.

I have seen many organizations that I have had the pleasure to engage with, where the optimal configuration is to have non-personal kiosk stations scattered across the organization’s office/hospital/warehouse, their users should be able to just walk up to one of the stations and easily roam their remote session to the station wherever they are, insert their smart card, and get back to where they were when leaving the last kiosk station.
At the same time, the solution that I demonstrate in the video below, of course fulfill the single user – single device, making it ideal for Zero Trust initiative.
You might think that this will add waiting time for users, as when using IGEL OS AVD or Windows 365 App, there is no subscribed resources, so it must take longer time to complete the login sequence!? Actually, that is not the case, a complete smart card certificate-based authentication to Entra and get connected to a desktop in just shy of 14 seconds. While maintaining Zero Trust!

Adding to that, the possibility that IGEL OS gives to assign a custom AppID for your IGEL OS endpoints when connecting into the AVD/Windows 365 services raise the security dramatically! I happened to write a blog on that subject, you can read it here: https://www.igel.com/blog/elevate-avd-and-windows-365-access-with-insider-tips-for-igel-os/

Let’s get back to what I’m about to show you. My IGEL OS device is configured for a Kiosk type of scenario. I have disabled any user access to the operating system, making the only way to interact with the kiosk station, is to insert the smart card, validate the Pin, and connect to the Desktop in Azure, so be it AVD or Windows 365. Actually, this can be used with Azure Virtual Desktop on Azure Local too.
the user, after validating the Pin for the smart card, gets logged in, without any further user interaction, and are taken back to the virtual desktop and can continue to be productive in matter of seconds.

When the user is done and need to rush away in the organization, simply removing the smart card from the IGEL OS endpoint disconnects the remote session and returns the IGEL OS kiosk to be ready for the next user to insert their smart card.

As you can see in the video, I have created a custom wallpaper, that also follows to the interaction screen of the AVD client, instructing the user about what to do to get started. With the nifty device customizations in IGEL UMS, this can be a way for you to talk to your users, by using desktop customization updates, you can push a new welcome screen to your users in matter of seconds, to inform about outages, or other important messages.

Now, let’s look at the video on optimal user experience with smart card session roaming, Microsoft EntraID, Azure Virtual Desktop and Windows 365!
By the way, all the configurations that done I for this video can be found in the blog here!

Hope you found this useful! Stay tuned to the upcoming blog on PIV, CAC and security keys.

/Fred

IT leaders, innovators and security experts will converge at IGEL Now & Next in Miami in March to show the latest solutions and synergies to optimize endpoint management, enhance security, and improve clinical workflows. Click Register Now to view the agenda and keynote speakers.

The post Strong and Simple Authentication, Clean Kiosk, and Zero Trust appeared first on IGEL.

Prerequisites:

Let’s start by the authentication prerequisites. IGEL supports Microsoft Entra Certificate Based Authentication which you can read about here: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication

When Entra is configured, the second part will be to add the smart card middleware to your IGEL OS endpoint. IGEL OS 12 includes OpenSC as middleware, but it needs to be enabled in the IGEL Setup registry to be active, or you can install any of the available middleware’s in the IGEL App Portal:

To enable the built in OpenSC, open up IGEL Setup or your profile, navigate to System-> Registry -> scard->pkcs11->use_opensc and check ‘OpenSC’

Otherwise, if you go for a middleware from the IGEL App Portal, you only need to install the Middleware and reboot, it will become active automatically.

IGEL OS Prerequisites: Your IGEL OS estate should be on base OS version 12.6.0, and you should use the IGEL AVD App 1.3.0 Build 4 (this is as of 2025 February 11). Yes, we are going to use the IGEL AVD App to connect to Windows 365 CloudPC, as the IGEL AVD App enables Microsoft Authentication Library (MSAL), which in turn enables Smart Card Authentication using Microsoft Entra Certificate Based Authentication.

The configuration:

First we need to create a basic configuration, adding a AVD session. Follow these steps:

Using IGEL UMS:

1. In the WebUMS, create a new profile, Select OS 12 and give the profile a Name representing its intention – Click Select Apps
2. Select IGEL Azure Virtual Desktop and click Save
3. Make sure that Apps tab is selected, expand AVD and select AVD Sessions
4. Click the + sign to create a session
5. Edit the Session Name as preferred
6. Expand Advanced Options and check ‘Microsoft Authentication Library (MSAL)’
7. Click on System tab -> Click on Registry
8. Expand app and edit the values in Configuration Settings below

Using the local IGEL Setup:

1. In IGEL Setup, select the Apps tab, Expand AVD and select AVD Sessions
2. Click the + sign to create a new session
3. Expand Advanced Options and check Microsoft Authentication Library (MSAL)
4. Edit the Session Name as preferred
5. Click Save

The magic with IGEL OS is the possibility to alter configurations for the needs you have. There is no out-of-the-box smart card authentication and control the session by smart card insert and removal, but the tools are there to make it work. Let’s look at the configuration of the Smart Card Watch Daemon first. Open IGEL Setup, or your profile, and navigate to System-Registry:

Enable the Smart card Watch Daemon – This will allow executing commands when a hardware event is triggered, while inserting or removing the smart card from the reader.
Navigate to scard.scwatchd.enable – Check ‘Enable Smart Card Insert and Removal Actions’

Now when we have the smart card watch enabled, we can configure the insert- and removal-commands to be executed. Let’s together build the configuration that is used in the video below:

To read out User Principal Name on smart card insert and start session
Navigate to scard.scwatchd.insert_action and set it to:

export avduser=$(pkcs11getloginname | grep "^Login:" | sed -e "s/^Login://"); su -c "appwrap avd0 avd" user

This will set the variable ‘avduser’ to the UPN of the certificate on the smart card. When the UPN is read, we will start the configured AVD session

And to control the smart card removal behavior, we can use this example:
Navigate to scard.scwatchd.removal_action =

export avduser=""; killall -9 igelrdp3-avd; killall -9 igelrdp3-msal-auth

The above command will reset the ‘avduser’ variable and hard kill the running processes, which leads to a rapid disconnect from the Windows 365 session

Finally, we need to configure the IGEL AVD App (used to connect to your Windows 365 resources):
Navigate to app.avd.sessions.avd0.options.cmd_ext =

--username $avduser

The above will tell the IGEL AVD Appset the username to the previously retrieved UPN during the card insert.

As long as the user only have one resource allocated, it will automatically connect to the users session. If the user has multiple CloudPC’s, or even a mix of CloudPC’s and AVD resources, a resource picker will be displayed, allowing the user to select the resource to use.

The result:

Finally, let’s have a look at how it will look for the user, when inserting the Smart Card in the reader and connecting to the session. Then removing the Smart Card from the reader to disconnect from the Windows 365 CloudPC:

A series of blogs on this topic is in the writing and will follow shortly. Read the next blog in the Authentication series.

Thank you for reading and watching!

/Fred

IT leaders, innovators and security experts will converge at IGEL Now & Next in Miami in March to show the latest solutions and synergies to optimize endpoint management, enhance security, and improve clinical workflows. Click Register Now to view the agenda and keynote speakers.

The post Authentication to Windows 365 with IGEL Smart Card appeared first on IGEL.

The Intune Agent for IGEL OS was first announced at IGEL Disrupt back in Spring of 2024. Since then, we have been hard at work getting the Intune Agent to GA.

As of 5^th December 2024, the Microsoft Intune Agent for IGEL OS is now publicly available form the IGEL App Portal.

But what is Microsoft Intune & why does it matter?

Imagine you’re throwing a fancy party (let’s say… a masquerade ball). Now, you want to make sure only your invited guests—dressed in proper attire—get in. That’s where your bouncer, Intune Conditional Access, comes in.

Here’s how it works:

1. The Guest List: Conditional Access checks if the person (or device) trying to enter is on the list of approved invitees (authenticated user or compliant device).
2. Dress Code: Just being on the list isn’t enough. They must also wear the right mask—think of this as having the correct security posture, like device OS type or version.
3. Behavior Check: If someone looks sketchy (logging in from an unusual location, for example), the bouncer might double-check with them, like adding multi-factor authentication (MFA).
4. No Compromises: If they don’t meet the criteria? Sorry, no party access for them.

In short, Intune Conditional Access is your digital bouncer—ensuring only the right people (and IGEL endpoints) make it into your party without letting anyone crash the fun.

Why it matters?

The release of the Microsoft Intune Agent for IGEL OS provides visibility of IGEL OS devices within the Intune console giving admins a single place to asset track and apply security checks and policies.

The Microsoft Intune Agent for IGEL OS will allow registering the IGEL OS into EntraID, run Device Compliance checks and based on the compliance checks, apply conditional access policies to Azure Virtual Desktop (IGEL AVD Client v1.3 required, coming soon!) and Windows 365. optionally running Microsoft Edge browser (also available now in the IGEL App Portal) allows device compliance checks and conditional access polies to Microsoft 365 SaaS apps.

Out of the box Device Compliance policies can be applied to IGEL OS endpoints based on the following conditions:

• OS Type
• OS Min Version
• OS Max Version

Need a more granular approach? No problem, there is an option to create custom scripts to really apply granular device compliance controls on IGEL OS.

I’ll not be covering the scripting process here, but I will direct you to a technical blog on this very subject:

Microsoft Intune on IGEL App Portal – Custom Compliance Scripts for Entra Conditional Access with IGEL OS in this blog Fred describes how to create a custom script which will query IGEL OS for its Management servers unique ID, if the stars align, access is granted.

Partnership

The partnership between IGEL and Microsoft is a strategic collaboration focused on improving endpoint security, enhancing user experiences, and facilitating cloud migration. This relationship leverages each company’s expertise, IGEL’s secure endpoint operating system and Microsoft’s  cloud and hybrid work solutions—to deliver seamless solutions for enterprises. Learn more about how IGEL accelerates migration to Windows 11 in the cloud

https://www.igel.com/microsoft/

The post Available now! Microsoft Intune Agent for IGEL OS appeared first on IGEL.

The endless compliance opportunities – tech area!

The tight integration between IGEL OS, Microsoft Intune, IGEL AVD App and Microsoft Authentication Library (MSAL) ensures control of your IGEL OS devices using the IGEL Universal Management Suite (UMS), while letting Microsoft Entra and Intune custom compliance scripts to validate that the IGEL OS device that are used to access is actually managed by your organization.
As an example, you can create a compliance script that checks the devices assigned UMS certificate has a certain sha256 fingerprint, here is how that can look:

#!/bin/sh
logger “Starting compliance discovery script”
logger ” – Checking UMS fingerprint”
estcacertfile=”/wfs/ca-certs/tls/ums_ca.pem”
ums_fingerprint_sha256=$(openssl x509 -in ${estcacertfile} -noout -fingerprint -sha256 | cut -d ‘=’ -f2)
printf ‘{“ums_fingerprint_sha256″:”%s”}\n’ “$ums_fingerprint_sha256”
logger “Ending compliance script”

What the above script does when being executed on the device by Microsoft Intune, is to set a variable estcacertfile pointing at the UMS Certificate, then it creates a new variable, ums_fingerprint_sha256 that will have the value of the openssl command result when checking the sha265 fingerprint of the certificate And this is how the compliance policy – compliance setting in Intune admin portal looks:

{
“Rules”:[
{
“SettingName”:”ums_fingerprint_sha256″,
“Operator”:”IsEquals”,
“DataType”:”String”,
“Operand”:”80:20:EF:F6:61:DA:7E:54:23:FE:FF:74:CC:41:66:47:62:6E:E3:4C:36:14:17:4A:1B:17:81:AF:6D:81:BF:20″,
“MoreInfoUrl”:”https://www.igel.com”,
“RemediationStrings”:[
{
“Language”: “en_US”,
“Title”: “Enrolled to a wrong UMS”,
“Description”: “Please ensure that your IGEL OS is managed by the correct UMS.”
},
{
“Language”: “de_DE”,
“Title”: “Von einer falschen UMS verwaltet”,
“Description”: “Bitte stellen Sie sicher, dass Ihr IGEL-Betriebssystem von der richtigen UMS verwaltet wird.”
}
] }
] }

The script that runs on IGEL OS, will report back ums_fingerprint_sha256 which is the result of the script, and Intune will then validate that ums_fingerprint_sha256 matches the sha256 fingerprint of the actual known certificate: -80:20:EF:F6:61:DA:7E:54:23:FE:FF:74:CC:41:66:47:62:6E:E3:4C:36:14:17:4A:1B:17:81:AF:6D:81:BF:20

This means that we know that:
1. Device has to be enrolled in the company Intune (A trusted user needs to enroll the device)
2. The device has to be managed by the company UMS (We determine that it is not a random Intune enrolled device, it is a device that is managed by the company UMS)

So, what more can we do with compliance scripts? As you probably understand now, the command we run on IGEL OS to get the sha256 fingerprint, is a local binary openssl. We can take results of any command, or multiple commands, for instance we can use the IGEL OS get command to read out ANY configuration of the IGEL OS device, as an example get sessions.xlock0.options.autolock would result in true if use of the IGEL OS screensaver is activated. We can check for system variables and can check if certain processes are running with pgrep, or not etc. There are endless possibilities on what to look for to define as a compliant IGEL OS endpoint!

The compliance policy scripts extend the very limited built in compliance evaluations with Microsoft Intune for Linux.

Stay tuned for further tech articles on Microsoft integrations and apps with IGEL OS.

The post Microsoft Intune on IGEL App Portal – Custom Compliance Scripts for Entra Conditional Access with IGEL OS appeared first on IGEL.

If you want to continue running Windows, Windows 11 will be the only option after the 14^th of October 2025. That’s a long time away, so no need to hurry, right? Remember Windows 2000 -> Windows 7 race? Or even worse Windows 7 -> Windows 10? IT admins remember it surely. Maybe some users haven’t even left Windows 7 behind yet on all endpoints?

PCs and laptops that are in use today have a challenge, and that challenge is Windows 11.
I like Windows 11 as an operating system, and I use it daily for all my work. Windows 11 has a modern user interface, though it still has the ‘same ol’ well-known Windows experience. What is the challenge for Windows PCs and Laptops then?
With Windows 11 Microsoft introduced a set of hardware requirements that draws a line for supported hardware:

• CPU – Dual-core 1 GHz minimum
• RAM – 4 GB
• Storage – 64 GB
• UEFI – Secure boot support
• TPM 2.0
• Graphics – DirectX12 – WDDM 2.0

Out of this list, TPM 2.0 and 64 GB Storage stand out the most.  64 GB is usually not a problem, but it might be for lower spec’d devices like older laptops. Many of those will not have TPM 2.0 either.  The lack of TPM 2.0 chips is the biggest hurdle for older PCs and Laptops. While I cherish the functionality of TPM 2.0 and especially the raised security that comes with 2.0 (Released 2014) in comparison to 1.2 (released 2005) the biggest difference is that TPM 1.2 is using SHA-1 algorithms, which is not secure.  TPM 2.0 can use SHA-1 algorithms but offers the strong SHA-2 256 alternative.

Apart from that, does it make any sense to throw perfectly functioning PCs and Laptops in the recycle bin, just because they cannot run Windows 11? IGEL OS is an alternative, and it will help you to contribute to a more sustainable IT posture by optimizing older devices to expand their lifespan by up to 3 years, reducing e-waste by preventing those devices from landfill.

It is time to make a shift to virtualize Windows 11 and connect remotely. There are so many benefits of virtualizing Windows. Here are some of them:

• Stability
  While Windows is built to support many types of hardware, with drivers from many, many hardware manufacturers for PC components, running Windows virtualized makes the hardware separated from the software. This means that the OS will talk to a virtualized hardware stack- where virtualized in this case means software. Windows will talk to a generic stack, think it runs with direct access to hardware but rather talk with streamlined software drivers. This enhances stability as the quality of the software drivers is more reliable, and the hardware is accessed in translation of the hypervisor. The hypervisor is the operating system running as a translator between the hardware components in the server and the OS in the virtual machine.
• Anywhere access
  The concept of Virtual Desktop Infrastructure (VDI) enables remote connections to virtual machines. Most VDI solutions support direct connections to the VDI from user devices on the on-prem network but also have features to support secure connections to the same VDI desktops from anywhere. This means that a user can roam freely between the office, the internet café, a hotel, and home. The user always connects to the same VDI running in the data center of the company. This is the foundation for Desktop As A Service (DaaS) – In this scenario, the “Virtual Desktop Infrastructure” runs in a hyperscaler, like Microsoft Azure, Amazon AWS, Google Cloud to name some, as the virtual desktops run in the cloud.
• Highspeed connection to data / slim connection to user endpoint
  Imagine that you put all your PCs on the same network backbone as your servers. The server backbone consists of high-speed switches with minimal latency and maximal throughput. Any data access from your file, database, and web servers will be with the shortest possible impact to speed. Especially important for transaction-intensive applications.
  As it is not wise to have the company employees have their desks in the data center, instead we give the users binoculars. They will use an endpoint where the only purpose is to take input from the user’s keyboard and mouse, forward it to the user’s virtual desktop, and display the results on the user’s screen. It is very beneficial that the traffic generated back and forth from the user’s endpoint and the virtual desktop is very slim, and with compression algorithms in place the amount of data that needs to be transferred from screen updates and input is even reduced further.
• Multi-Session?
  While a PC or laptop generally is a 1:1 relationship = One user using One device, with virtual operating systems, you have multiple options you can give the users dedicated virtual Desktops, or you can give users shared virtual desktops.
  With dedicated virtual desktops, each user has their own virtual machine running in the data center. Still, hundreds of virtual machines can simultaneously run on one single server.
  With Multi-Session, each virtual machine can serve multiple users at the same time, and hundreds of virtual machines can run on one single server. The biggest benefit here is for every single multi-session virtual machine, the operating system only needs to be loaded once, and then shared between the users on that virtual machine. This gives a “One-to many-to many” relation. Every virtual machine serves many users, and each server serves many virtual machines. That is when the user density of one single physical server increases dramatically.
• Security
  What happens if a Windows laptop with lots of company intellectual property gets lost or stolen?
  If you instead have your users using that binocular to connect remotely? That will leave all the intellectual property tucked in safely in the data center. As the endpoint is just a binocular, there is no user data stored on the user’s device. If it gets lost or stolen, of course, it’s not fun, but still, it is not a big deal.
  What about securely connecting a device in the home office using Virtual Private Network (VPN) – basically you connect the network in the user’s home with the company’s data center.
  First of all, it is costly to set up and maintain VPN solutions. Second of all, the users get further and further away from the data which results in longer waiting times and frustrations.
  VDI and DaaS solutions use a thing called a reverse proxy, which allows the user session, not the device, to connect securely over the internet and reach the virtual desktop running in the data center. Whatever happens on the user’s current network is of no matter for the security of the company.

Why IGEL?

In the first part of this blog, you have learned about many challenges that companies are facing today. How can IGEL help you to address the challenges and take advantage of virtualizing Windows?

Hardware requirements

IGEL OS is a small-footprint operating system, that belongs to the Linux Debian family.
For the user, they do not need to understand anything about Linux, it’s just a way for me to describe the roots.
IGEL OS installs and runs on any x86-based, 64-bit operating system. It requires 4 GB of RAM and 8GB of storage. Even though more RAM, storage, and faster CPU are beneficial, it is not a requirement.

Comparison of minimal hardware requirements IGEL OS 12 vs Windows 10 vs Windows 11

Summarizing the hardware requirements, if you are running Windows 10 on your endpoint, and that endpoint doesn’t fulfill the requirements of Windows 11, then IGEL OS is a good alternative. I’d even argue that IGEL OS is a good choice even if the hardware supports Windows 11 on the endpoint! Let me continue explaining the real transition to Windows 11!

Windows 11

Windows 11 is designed for use in virtual environments. Microsoft is pushing hard to deliver the Windows experience from the cloud/data center with Windows 11. Look at services like Windows 365 and Azure Virtual Desktop, both are cloud-native desktop delivery models.
Azure Virtual Desktop is now also extended to run in your private data center with Azure Stack HCI. This will give you the best-in-class mix of cloud-delivered desktops, with the advantages of zero latency connectivity.
Instead of having Windows 11 running on laptops everywhere, with the challenges it gives (read latency, security, patching etc.), the obvious to me is to run Windows 11 tucked in safe and nice in the data center and allow your users to connect remotely to the desktops in a modern way. This means that you can harden the perimeter of the data center, making remote access to data sources super secure. What do I mean by that?

Let’s look at a common scenario with Windows endpoints in the field and on-prem:

In this scenario you have devices on the Internet (@), you have devices on-premises, and all of them are using native protocols to connect to the data center. As this is a very high-level drawing, the number of connections is limited. In a real-world scenario, there would be many many more connections crossing between endpoints and servers. Your firewalls will need to be of Swiss cheese type!

And now with Windows in the data center and IGEL on the endpoints:

Traffic flow from the IGEL endpoints goes with one secure connection type, it does not matter if the endpoints are on the Internet or on-premises. The same connection protocol is used no matter if the endpoints are connecting over the Internet or on-premises, which simplifies and secures communication from the endpoints to the data center.
I’d love to be the firewall admin in this scenario!

When putting Windows in the data center, you can focus on managing and patching Windows with low latency and high bandwidth. You will enjoy a much simpler admin experience!
IGEL OS 12 allows a very simple administration, Actually the IGEL Universal Management Suite can be set up as a self-playing piano. The UMS can orchestrate updates of applications, which is the way to go with cloud-native, or with manual approval from admins, which is the traditional management. You will spend fewer cycles administrating an IGEL estate compared to a Windows estate.

Roll out

How long does it take to roll out a Windows endpoint in your organization?
What if you run Windows 11 in the data center, making sure that you have the capacity needed to serve your users, and then roll out new devices in a matter of minutes? IGEL OS does allow a user to be productive within two minutes of powering on IGEL OS the first time. There is no need to pre-stage the device in a config center.
IGEL OS, the UMS, and IGEL Onboarding Service enable the rollout of new devices anywhere in the world with minimal user interaction.
If the IGEL OS endpoints are located on-prem, the rollout process is even simpler, as IGEL OS on the first start will find the UMS and register plus configure itself based on how the admin has architected the configuration, and the UMS will make sure to that all devices are configured in the designed way.

Financials?

IGEL OS will enable you to use your endpoints for a long time. With a Windows endpoint, many organizations replace hardware on a three-year basis. With IGEL OS that can be extended easily to five, six, maybe 10 years before you need to replace the hardware. It all depends on how your requirements change over time.
When the time comes to exchange hardware, the IGEL licensing model allows you to easily decommission the old endpoint, returning its license to your pool, and the new device will fetch a license automatically.

If you want to investigate the TCO of IGEL and understand the financial benefits, the IGEL TCO calculator is a powerful tool. Make sure that you fill out the form with real values matching your existing environment to make the best out of the calculator.
Here is a link to the IGEL TCO calculator: https://www.igel.com/tco-calculator/

Security

IGEL OS is designed with security as the top priority. The read-only operating system ensures that no cyber threats will become sticky, if at all even target, IGEL OS.
Additionally, IGEL OS comes with security principles, Chain-of-Trust, Microsoft Secure Boot, Signed applications, and Partition validation to name a few. It is all part of the IGEL Preventative Security Model, read more about it here: https://www.igel.com/preventative-security-model/
IGEL OS will not store any user credentials or user data (if you don’t explicitly allow it to). This will help to protect Intellectual Property, customer data, corporate information, etc in the event of a stolen, lost, or damaged device.

User Experience

The final but maybe most important thing for success in your IT environment. The User and what they experience when working with the day-to-day duties.
IGEL OS is designed to provide a high-performing operating system that is customized and able to fit your user’s needs. Do you want it to be a simple kiosk endpoint that the user cannot be mistaken on how to operate? Or should it be a full-fledged desktop experience? It doesn’t matter which requirements you need to fulfill, IGEL gives you the possibilities. And the Digital user experience is delivered without compromise.
With over 7.000 configurable items and additionally the capability to create your own scripting to control IGEL OS and its apps gives unlimited possibilities.

IGEL Ready

IGEL Ready is a program where IGEL and its 3^rd party collaboration partners ensure interoperability and functionality. With the IGEL Ready Certified Hardware Program, you will know that the hardware you choose is going to be functional over its lifetime.
The IGEL Ready Developer Program accelerates software integration in IGEL OS providing a wide range of software and agents to choose from that fit your needs. Through close collaboration with key ecosystem partners, support for modern collaboration tools and enterprise peripheral compatibility enhances productivity and satisfaction for users of virtualized Windows 11 on IGEL devices.

Certainly, this is not all the benefits of choosing IGEL for your endpoint strategy. I’d recommend you check out https://www.igel.com/preventative-security-model/ and the IGEL Community www.igelcommunity.com to get more inspiration about what IGEL can do for your organization.

The post Seamless Transition to Windows 11 with IGEL OS appeared first on IGEL.

Are you transitioning to Windows 11? Do you currently have hardware devices that don’t support Windows 11 due to the new hardware requirements introduced with the operating system? Instead of replacing the hardware, you should put Windows 11 in your data center on-premises or the cloud, and leverage IGEL OS for your endpoint to make them have a longer life and reduce your cost and by that contribute to saving the planet! Sounds too good to be true, but it is a reality! IGEL OS runs on any x86 64-bit capable computer, and as the footprint is smaller with less CPU, RAM, and storage requirements, any Windows-based endpoint will be a good choice.

Let us take a closer look at the outer ring of the IGEL Preventative Security Model^TM

IGEL Preventative Security Model

Dell ThinOS and hardware from other “thin client” hardware vendors can easily be reinstalled with IGEL OS turning those endpoints into a modern experience and benefiting the security enhancement and feature richness of IGEL OS!

Data Protection and Compliance requirements are fulfilled with IGEL OS as no user data is stored on the endpoint. No intellectual property or company secrets are lost if the device gets lost or broken.

DEX & SIEM, Digital Experience, Visibility, and Forensics are enabled via the IGEL Ready software partners. You can mix and match the tools needed to measure the Digital User Experience, gather performance reports, and logging of activity. Solution providers are constantly joining the IGEL Ready program, ensuring that the tools you need are available.

Endpoint recovery in the event you are hit by ransomware while running Windows on the endpoint, IGEL OS can be quickly deployed via a UD Pocket USB stick or installed via a software download. Insert the UD Pocket, boot up your endpoint, and get your users connected to virtual sessions. The UD Pockets do not interact with the operating system installed on the disk, which gives you breathing space to deal with the malicious code that infected your previous operating system.

In the event of an M&A (Merger and Acquisition), this often comes with great challenges “The acquired company doesn’t fit in our model” “It’s a big hurdle to get the technologies to work”, and traps are everywhere. What if you extend your VDI user capacity, blow the devices with IGEL OS or UD Pockets, and construct a usability training and be done with it?

Also, many organizations struggle with a well-working secure strategy for 3rd Party Access, e.g. contractors or consultants. Handing our IGEL OS-powered UD Pockets, or laptops with IGEL OS will increase the security within your network dramatically. Only your managed IGEL OS endpoints will be allowed access to the network, no exceptions are needed that entail security risks!

IGEL OS supports secure hybrid work, the features of IGEL Universal Management Suite, IGEL Cloud Gateway, and the OS itself can determine if an IGEL OS endpoint connects on-premises or from external, different rule sets can be applied accordingly.

Instead of ripping out and replacing your existing hardware endpoints, IGEL OS gives you an ideal sustainability solution, as the life span of your existing endpoints can be expanded for years and years. In many examples, an endpoint lifetime is 3 years, with IGEL OS that can easily be 6-10 years. Imagine the amount of electronic waste that will be reduced, and the amount of CO-emission minimized as up to 80% of a device’s CO emission comes from the manufacturing process and logistics of shipping. In many cases, IGEL OS even reduces the power consumption of the device compared to its previous operating system due to its streamlined architecture and small footprint.

At the same time, technology evolves rapidly, and with the IGEL Ready hardware vendors, you have a stable foundation when the time comes to replace your endpoint hardware, to support new and upcoming technologies.

When it comes to Manageability, IGEL licensing permits not only the use of IGEL OS but also the use of IGEL Universal Management Suite (UMS). The UMS controls over 7.000 configuration items in IGEL OS, a very detailed control of how the operating system should behave to suit your use case. The UMS ensures that all IGEL OS endpoints work exactly as you designed them to, on every single boot. With advanced scheduling capabilities, a modern web-based management interface, automatic license deployment, and any feature you can imagine is included at no extra cost.

Ransomware and Security – by far the most compelling reason to invest in IGEL OS.
IGEL OS is a read-only Linux operating system that has security mechanisms built-in that allow you to avoid paying extra for anti-virus solutions, VPN software, management software, and other tools to orchestrate your endpoint environment – It is all built-in and included! The likeliness of having a virus or ransomware breakout is minimal, IF it happens, a simple reboot of your endpoints will remedy the threat. IGEL OS validates the boot process with the chain-of-trust, which includes Microsoft Secure Boot and certificate and partition check making sure that the system boots untampered.

TCO & Optimization – Imagine that you can use your endpoint hardware for six years instead of three. Imagine that you can reduce the support personnel needed to manage your endpoints and let them do more important and valuable work. Roll out new devices in minutes instead of hours – the cost savings are everywhere. Save on your endpoint by investing in IGEL OS and focusing on building the backend infrastructure that your users deserve and are happy with leveraging!

Zooming into the core of the IGEL PSM model…

IGEL Preventative Security Model

All x86 HW-platforms:

IGEL OS is designed to run on any x86-based hardware platform and with its low footprint and hardware requirements it is a great choice to use as an endpoint operating system for your VDI/DaaS platform, but not limited to it. With a requirement of a 64-bit capable CPU, 4 GB RAM and 8 GB of storage, it will function well on any hardware up to at least 10 years of age, even older!

VDI – DaaS – Browser

IGEL OS 12 comes with a choice of VDI/Daas client apps plus Web Browsers, both consumer and enterprise-grade browsers, and can run native Linux applications which renders the endpoint to a chameleon that will adopt the functionality based on your needs. It is ideal for connecting to your VDI workloads, and with simple configuration changes, you can turn the IGEL OS 12 endpoint into a kiosk mode, user/session roaming, making it the perfect fit endpoint tailored for the use case you need to fulfill.
While the design of IGEL OS and IGEL Universal Management Suite (UMS) is designed to allow full control of how an IGEL OS endpoint is configured, and enforces the same, at the same time, admins have the choice to allow users to customize their IGEL OS 12 operating system and can allow users to select and install the applications that the user needs using the IGEL App Portal. It is a very flexible platform!

IAM – UEM – SSE/SASE

With the support for multiple Identity Access Management (IAM) solutions, protecting the IGEL OS user desktop with a choice of EntraID, Okta, Ping, Workspace One Access, or even OpenID connect will allow IGEL OS to adopt any Identity Provider (IdP) giving you the choice of Authenticating users and providing Single Sign On (SSO) functionality to OAuth and SAML enabled resources. In the case you are using Active Directory or LDAP as your IdP, Kerberos authentication will allow for SSO. The implemented functions include support for Smart Card authentication and/or Multi-Factor Authentication and more!

IGEL is integrating support for market-leading Unified Endpoint Management (UEM) solutions, like Microsoft Intune, VMWare Workspace ONE, Citrix Global App Config Service, etc. combining the strength of IGEL UMS with vendor-specific UEM solutions!

Secure Access Service Edge (SASE) and the included sub-components of Secure Service Edge (SSE), Zero Trust Network Access (ZTNA), and more are strong reasons for choosing IGEL OS as your primary endpoint strategy.

IGEL OS endpoints have no domain memberships and aren’t aware of any network services except what you explicitly allow them to. By SASE strategies, you remove the need for a Virtual Private Network (VPN). With integrations from the IGEL Ready ecosystem software vendors, the complete SASE story can be fulfilled, no matter where the endpoint is located, or what user accesses corporate resources. Conditional and contextual access adds even more security!

Smart Login

By combining the IAM and UEM services with SASE, IGEL OS enables Zero-Trust initiatives making it an ideal operating system for your endpoints, be it on-premises or in the open arena.

Establish Trust

Functions like device certificates, TMP functionality, Microsoft Secure Boot, validation of partitions and software during boot, and read-only operating system ensure that IGEL OS runs as a trusted endpoint and will enforce this on every start-up. If tampering is detected, the system will not boot!

Isolate

With the read-only only operating-system IGEL isolates runtime from the OS on disk. With IGEL OS 12, it’s taken a step further with handling the OS and all apps as just apps. You can now customize the IGEL OS operating system to function exactly as you want it to, and make sure that only the components that you are utilizing are installed on the endpoints. With that, you also have control of matching the needed IGEL OS version, with the App version that suits your needs.

Test IGEL OS today at https://www.igel.com/download/

The post Build Resilience in a Windows 11 Environment with IGEL appeared first on IGEL.