MFA for Windows VDI meets security and compliance requirements

  • Customer: Zephyr Cloud

  • Industry: Managed IT Services

  • Geography: United States

“If another client wants to use MFA for VDI, we wouldn’t do it any other way.”

Salim Khouri, Managing Partner, Zephyr Cloud

  • Challenge: A managed service provider (MSP) needed to implement multi-factor authentication (MFA) for a client migrating to a network using managed Windows virtual desktop infrastructure (VDI).

  • Solution: UserLock offers a simple way to enable MFA on Windows VDI without the complexity of additional software and hardware.

  • Result: The MSP can now ensure their VDI user access is streamlined and secure thanks to an MFA solution that lets them log into their VDI desktop from any client or browser.


Zephyr Cloud is a Virginia-based MSP that offers fully managed IT support for private and hosted cloud and virtual desktop networking services using Entra ID (formerly Azure AD).

The Challenge

Implement MFA for all multi-session Windows VDI users to meet security and compliance requirements without adding complexity and cost

It all started when a Zephyr Cloud client moved its 40-person on-premises CAD/CAM engineering applications to a multi-session (shared) Windows virtual desktop infrastructure (VDI) network. The goal was to improve team collaboration while avoiding the device management and security issues that arise when running applications and sensitive data on individual laptops and workstations.

Given the security risk of multiple employees accessing a shared VDI, the client and Zephyr both agreed they needed to adopt MFA in addition to Windows credentials. This was essential to ensure that only authorized personnel could access sensitive documents.

It was also important that the VDI networks met annual compliance and reporting standards necessary to fulfill U.S. government contracts. While the client’s domain identity provider is Entra ID, they use AD DS to authenticate to legacy systems as well as VDI.

For Zephyr Cloud, the project was an example of how small networks running specialized applications increasingly demand the extra security of MFA. As an MSP, Zephyr Cloud needed to meet this requirement without creating complexity for itself or expense for its client.

“The main reason clients opt for VDI is the need to run legacy applications. Engineering applications such as AutoCAD, MATLAB, and Design Studio must be installed on a PC. The obvious solution for the client was to run them on a VDI and make them available to multiple users.”

Zephyr Cloud Managing Partner, Salim Khouri.

The client was already using MFA for email, SharePoint, and Teams. However, extending that to VDI turned out to be more complex than Zephyr Cloud had anticipated.

“We looked at many different solutions, but they didn’t offer the right functionality. For example, Azure AD offered MFA, but it was designed to work with web services rather than a more traditional VDI implementation.”

Zephyr Cloud Managing Partner, Salim Khouri.

The Solution

UserLock simplifies MFA implementation for an on-premise VDI network

Because of the client’s need to keep and authenticate access to legacy applications that don’t run in the cloud, it made sense to continue using AD DS running in Entra ID for authentication.

The client also wanted a solution that would implement MFA consistently, regardless of how users logged into the VDI (via desktop or browser) or from devices such as smartphones.

But when Zephyr Cloud assessed how MFA could be implemented to meet these requirements, every solution added a lot of complexity in terms of hardware and software, not to mention cost.

Azure AD was the obvious option, but this required changes to the underlying VDI implementation to run MFA with Microsoft’s Remote Desktop Services (RDS) terminal services.

UserLock, by contrast, was incredibly simple to configure and used existing Active Directory infrastructure without the need for additional plug-ins or services to get VDI working.

“The alternatives to UserLock we looked at were more complex solutions requiring extra hardware and extra software elements such as SAML. This added up to more pieces that could break in a network where the client demanded uptime and reliability.
UserLock is so simple. Running everything on one AD DS server also makes it easier to back up, restore, and replicate.”

Zephyr Cloud Managing Partner, Salim Khouri.

The Benefits

UserLock allows Zephyr Cloud’s client to implement MFA on its VDI network without unnecessary complexity or expense

Zephyr Cloud’s client migrated to a multi-session VDI secured with MFA using the same Microsoft Authenticator app employees were already using for email and Microsoft 365 access. UserLock makes this possible without the need for additional servers or software.

“On average we have around 30 active users logged in at a time on a remote desktop session-based VDI, each with their own files, profiles and applications. Importantly, with UserLock MFA each user is separate and gets their own authentication prompt.”

Zephyr Cloud Managing Partner, Salim Khouri.

A big advantage of UserLock is that it makes the user experience simple. Users receive an MFA prompt just after their usual Windows desktop login dialog. This is true regardless of whether they access the VDI through a browser or a VDI agent. UserLock works seamlessly with any client.

“With UserLock, MFA is implemented at the login screen as you log into the desktop. The beauty of UserLock is it works every way. They can use any client or their browser.
If another client wants to use MFA for VDI, we wouldn’t do it any other way.”

Zephyr Cloud Managing Partner, Salim Khouri.
