With Secureframe Virtual Desktops, your organization can provision a CMMC-compliant virtual machine to view and process Controlled Unclassified Information (CUI). This is one step in setting up Secureframe's CMMC-compliant enclave solution.
The setup involves three main steps:
- Creating an Azure Government Account (if needed)
- Connecting Secureframe to your Azure application
- Provisioning your virtual desktops
- Accessing the desktop from the Windows App
NOTE: Secureframe will always be provisioning the desktops into an Azure Government account that you own. You are responsible for the infrastructure costs associated with any resources that you provision. See the FAQ for pricing estimates.
Step 1: Create an Azure Government Account (if you don’t already have one)
If your organization already has an Azure Government account, skip ahead to Step 2.
If you don’t, you’ll need to request access from Microsoft. This process usually takes about one business day.
1. Submit Microsoft’s U.S. Government Cloud form
Fill out Microsoft’s U.S. Government Cloud intake form, explaining why your company needs access to Azure Government or GCC High. Link to form: https://usgovintake.embark.microsoft.com/
You’ll be asked to provide:
- Company details (e.g., business type, registration info)
- Confirmation that you handle sensitive data (e.g., CUI or ITAR)
2. Receive eligibility approval
Once submitted, Microsoft will review your request.
- Typical turnaround: around 24 hours (may vary by organization type)
- You’ll receive an Eligibility ID by email when approved.
3. Purchase GCC High licenses through Secureframe
Once you've received your Eligibility ID, your Secureframe Customer Success Manager will help you obtain GCC High licenses.
You'll then be provided with your Azure Government account credentials, and you'll be ready to connect your account to Secureframe.
Step 2: Connect Secureframe to Your Azure Application
- Open Secureframe and navigate to the Virtual Desktops module from the left-hand navigation bar.
- Click “Set up virtual desktops” to begin.
- Follow the on-screen instructions to create a new Azure App Registration.
- This ensures Secureframe only interacts with the infrastructure needed for virtual desktops.
- Copy and paste the required IDs and secrets into Secureframe as prompted.
Once setup is complete, you’ll land on a confirmation page indicating that your Azure environment is connected.
You are now ready to provision your first virtual desktop.
Step 3: Provision Virtual Desktops
- From the Virtual Desktops homepage in Secureframe, click “Create Desktop.”
- Fill out the required fields to configure your new desktop environment.
- Click “Provision” to create the desktop.
Once provisioning completes, the desktop will appear in your list of available desktops.
Step 4: Access the Desktop from the Windows App
After provisioning, users can connect to the virtual desktop via the Remote Desktop app for Windows.
- Open the Windows Remote Desktop client.
- Click the “+” (Add) icon and select “Add Workspace.”
- Enter the following URL for Azure Government:
https://rdweb.wvd.azure.us/api/arm/feeddiscovery
- Log in with your Azure Government credentials.
- Your provisioned desktops should now appear in the Windows app.
To launch:
- Double-click the desktop name.
- The virtual desktop will open in a secure, compliant environment.
Why a Dedicated Subscription Is Required
Secureframe Virtual Desktops are always provisioned into a dedicated Azure subscription that you own rather than into an existing subscription with other infrastructure. This is intentional and provides three key benefits:
Clear Security & Compliance Boundaries
Using a separate subscription creates a clean boundary between Secureframe Virtual Desktops and your other systems. This makes it easier for auditors and compliance teams to confirm that Secureframe only has access to the VDI resources it manages, without inadvertently touching your other infrastructure.
Reliable Operation
Isolation in its own subscription helps ensure that Secureframe’s VDI environment does not interfere with other workloads, and that other systems do not accidentally impact the virtual desktops. This separation improves reliability for both Secureframe and your existing cloud resources.
Transparent Billing & Cost Tracking
A separate subscription makes it clear which costs are associated with Secureframe Virtual Desktops. While Azure billing can still be managed centrally, separating the VDI subscription makes it easier to track infrastructure spend and avoid confusion over shared costs.
For these reasons, provisioning into an existing VDI or shared subscription is not supported.
If you have questions about billing, subscription ownership, or identity/access integration across subscriptions, see the FAQ below or contact Support.
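One way to check the access boundary described above is to review the role assignments held by the app registration and flag any scope outside the dedicated subscription. The following is an added example, not Secureframe's own tooling: it assumes JSON in the shape returned by `az role assignment list`, and the subscription IDs, resource group names and sample records are constructed placeholders.

```python
import json

# Constructed sample in the shape of `az role assignment list -o json` output.
# All GUIDs and names are placeholders, not real values.
SAMPLE = json.loads("""[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/vdi-rg"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/prod-rg"},
  {"roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/root-mg"},
  {"roleDefinitionName": "Reader", "scope": "/"}
]""")

DEDICATED_SUB = "11111111-1111-1111-1111-111111111111"  # placeholder ID


def in_subscription(scope: str, sub_id: str) -> bool:
    """True only if scope is the subscription itself or a resource inside it."""
    parts = scope.strip("/").split("/")
    # Compare whole path segments (not string prefixes), case-insensitively.
    return (len(parts) >= 2
            and parts[0].lower() == "subscriptions"
            and parts[1].lower() == sub_id.lower())


def out_of_boundary(assignments, sub_id):
    """Return (role, scope) for every assignment reaching outside sub_id.

    Root ("/") and management-group scopes are flagged as well, because
    they are inherited by every subscription beneath them.
    """
    return [(a.get("roleDefinitionName", "?"), a.get("scope", ""))
            for a in assignments
            if not in_subscription(a.get("scope", ""), sub_id)]


if __name__ == "__main__":
    for role, scope in out_of_boundary(SAMPLE, DEDICATED_SUB):
        print(f"OUTSIDE BOUNDARY: {role} at {scope}")
```

An empty result means every assignment for the app registration sits inside the dedicated subscription, which is the evidence an auditor would ask for.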
Tips and Troubleshooting
- Ensure that the user has an active GCC High license assigned before trying to access the desktop.
- When first launching a virtual machine, it may take a few minutes to load.
Windows App issues on Mac
If you have trouble connecting with the Windows App on Mac (for example, errors after adding your Azure Government workspace), try these steps:
- Confirm you are on macOS 14 or later.
- Install the latest Windows App from the Mac App Store: https://apps.apple.com/us/app/windows-app/id1295203466
- If issues continue, try the Windows App Beta build (requires macOS 14 or later): https://install.appcenter.ms/orgs/rdmacios-k2vy/apps/microsoft-remote-desktop-for-mac/distribution_groups/all-users-of-microsoft-remote-desktop-for-mac
- As another option, you can install the latest macOS build from Microsoft’s documentation: https://learn.microsoft.com/en-us/windows-app/whats-new?tabs=macos
Additional Support
If you run into issues during setup or provisioning:
- Contact your CSP if the issue is with Azure Government access
- Reach out to Secureframe Support at support@secureframe.com
Frequently Asked Questions (FAQ)
How much does it cost to provision a virtual desktop?
- When you first connect your Azure account, the foundational infrastructure required to support virtual desktop provisioning costs approximately $5 per month. Each individual virtual desktop, configured with baseline performance settings, typically costs around $300 per month.
What Azure resources are created during the initial setup (before deploying virtual desktops)?
- We provision core Azure resources, such as a virtual network, subnets and NAT gateway, needed to securely enable virtual desktop deployment.
What Azure resources are created for each virtual desktop?
- Each virtual desktop deployment includes a dedicated virtual machine (VM) along with its associated storage disk, network interface, and security configurations (e.g., NSGs, identity assignments, and monitoring agents).
Does deploying a virtual desktop make me fully CMMC compliant?
- No. Virtual desktops support CMMC compliance by securing how CUI is accessed and stored, but full compliance also requires additional policies, controls, and processes.
If we enable Secureframe Enclave but don’t deploy any virtual desktops yet, are there any costs?
- Yes. Even without any desktops provisioned, the foundational Enclave infrastructure creates cloud resources that incur minimal Azure costs. Costs may vary based on customer Azure pricing and network traffic.
Why can’t Secureframe deploy VDI into our existing Azure subscription?
Because mixing Secureframe’s Virtual Desktop with your other infrastructure creates unnecessary risk.
Using a dedicated subscription:
- Keeps compliance clean — auditors can clearly see exactly what Secureframe can and cannot access
- Prevents accidental impact — our VDI can’t interfere with your production systems (and vice versa)
- Makes costs obvious — VDI spend is isolated and easy to track
Doing anything else increases audit complexity, operational risk, and billing confusion — which is why we don’t support it.
Can Secureframe use or integrate with our existing VDI setup?
No. Secureframe does not support adopting or running inside existing VDI environments.
We provision and manage our own Secureframe Virtual Desktop environment to ensure security, reliability, and audit readiness.
If we’re an MSP with multiple subscriptions, does this complicate billing?
No. Azure billing is already centrally managed at the account level.
You can:
- Associate the Secureframe VDI subscription with your existing Azure account
- Choose payment methods per subscription
- Track costs independently without breaking consolidated billing
If VDI lives in a separate subscription, can access still be centrally managed?
Yes. Azure supports centralized identity and access management across subscriptions.
Using a dedicated subscription does not prevent centralized authentication or access control.
I see "Unable to connect" or error code 0x5000057 in the Windows App. What should I do?
- This usually means the Windows App does not see an available virtual desktop for your account yet. In the Windows App, try opening (double-clicking) the virtual desktop listed under your workspace. If no desktop appears, confirm in Secureframe that you are assigned to the desktop under User access, that provisioning has completed, and that you added the Azure Government workspace URL (https://rdweb.wvd.azure.us/api/arm/feeddiscovery) and signed in with your Azure Government account. If the error continues, contact support@secureframe.com and include error code 0x5000057 and a screenshot of the message.