AVD on Azure Local: Security Hardening the Azure Arc Agent

This article provides a detailed walkthrough for security hardening the Azure Arc (Connected Machine) agent on Azure Local session hosts for Azure Virtual Desktop (AVD). It explains the risks of default Full Mode configurations, which grant broad permissions and excessive telemetry. The guide covers adjusting agent settings, restricting extensions, and disabling unnecessary capabilities like remote PowerShell and SSH while preserving essential hybrid management. It includes validation steps using azcmagent config list and Azure Portal JSON view, aiming to apply least privilege for a secure AVD deployment.