The recommended method of securing the virtual machines in Azure Virtual Desktop (AVD) is to use Local Group Policy (LGPO) in combination with AppLocker.

Group Policy Editor

The Local Group Policy Editor can be opened on the virtual machine from the session desktop, as on a local machine, using the "Edit group policy" control panel item.

NOTE: Group Policy and AppLocker permissions must be treated with care, since applying rules that are too broad or too strict can lock even administrators on a virtual machine out of making changes.

AppLocker

Microsoft provide a full guide to using AppLocker: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview

For AppLocker to work, it needs the Application Identity service to be running. It does not run by default and is usually set to manual start. You can set the service to start automatically using the Windows Services console.

Example - Locking down an executable application

In this example, we will use AppLocker to restrict access to the command line tool "curl", which can be used to download resources from the internet.

- Open Group Policy Editor and navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.
- Right-click on Executable Rules and select Create New Rules. The wizard is launched.
- Click Next, then under Actions, choose Deny. Below this option, you can select an individual user or a group of users depending on your requirements.
- Use the Select button to pick a user or group using the standard Windows User identity selection window.
- Next you will choose the application you wish to restrict access to. This can be done in several ways, but for this example we will use the method below.
  - Choose Path, and click Next.
  - This opens a Windows Explorer window. Browse to the location of the executable file and select Open.
  - The screen will now be populated with the path you selected. Click Next.
  - Here is where you select your Exception rule, if required. Click Add to add this.
  - Finally, give your rule a name and description if needed.
- Once the rule has been created, it will appear under the list of executable rules.
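The same result can be produced without the wizard. The PowerShell script below is an added example written for this page; it is not Microsoft's code or part of the original guide. It enables the Application Identity service, builds an AppLocker policy that denies curl.exe for Everyone while keeping the three default Allow rules the wizard normally offers to create, dry-runs the policy with Test-AppLockerPolicy, and applies it in audit mode first. It assumes curl.exe is at %SYSTEM32%\curl.exe (where recent Windows builds ship it) and the rule GUIDs are generated on the fly rather than copied from a real policy.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on the AVD session host.
# Assumptions: curl.exe lives at %SYSTEM32%\curl.exe; the deny applies to
# Everyone (S-1-1-0); rule Ids are freshly generated GUIDs.

# 1. Application Identity service. On current Windows builds it is a protected
#    service, so Set-Service can be refused; sc.exe config is the supported way
#    to change its startup type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 2. Build the policy. Caveat a practitioner needs: once an enforced rule
#    collection contains ANY rule, only explicitly allowed files in that
#    collection may run. A lone Deny rule would therefore block every other
#    executable (including what administrators need). The three Allow rules
#    below mirror the AppLocker default rules; an explicit Deny still wins over
#    an overlapping Allow, so curl.exe is blocked even though %WINDIR%\* is allowed.
$idProg  = [guid]::NewGuid(); $idWin = [guid]::NewGuid()
$idAdmin = [guid]::NewGuid(); $idDeny = [guid]::NewGuid()

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$idProg" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$idWin" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$idAdmin" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$idDeny" Name="Deny curl.exe" Description="Block command-line downloads with curl" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\curl.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-deny-curl.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# 3. Dry run before touching the machine: curl.exe should come back as Denied
#    (matching rule "Deny curl.exe"), notepad.exe as Allowed via the Windows
#    folder default rule.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path "$env:SystemRoot\System32\curl.exe", "$env:SystemRoot\System32\notepad.exe" `
    -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply to the local policy. -Merge keeps any existing rules in other
#    collections (Windows Installer, Script, DLL, Packaged app) intact.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Verify what is actually in force, then watch the AppLocker log while
#    users work normally. Event 8003 = would have been blocked (audit mode),
#    8004 = blocked (enforced). Only change EnforcementMode to "Enabled" in the
#    XML above and re-apply once the audit events show nothing unexpected.
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'applocker-effective.xml')
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

Starting in AuditOnly mode is the safeguard against the lock-out the NOTE above warns about: the policy is evaluated and logged but nothing is blocked until you switch the collection to Enabled. The Administrators default rule does not exempt administrators from the curl deny, because AppLocker applies an explicit Deny before any Allow; if administrators must keep curl, scope the Deny rule's UserOrGroupSid to a narrower group than Everyone.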