At Microsoft, we prioritize security at every stage of our development process—from design to coding to feature creation. A common challenge for organizations is the complexity of managing security policies across their infrastructure. To simplify complex security management across organizational infrastructure, we recently released several key features in Windows 365 and Azure Virtual Desktop. These updates, paired with a turnkey approach that enables critical security measures by default, help admins implement strong security policies without manual configuration.
To better understand the risks, let’s consider a typical Internet of Things (IoT)–based attack: hackers can hijack compromised devices or networks to steal data, control systems, or form botnets used in denial of service (DoS) or distributed denial of service (DDoS) attacks. When powered by AI, these threats become even more sophisticated and challenging to combat. To counteract these risks, Windows Cloud solutions include a robust suite of features covering secure identity, secure access, and secure data, ensuring that security is built in from the start. Plus, these capabilities are secure by default, delivering out-of-the-box solutions that help protect against today’s most advanced threats.
Below, we expand on these four key elements.
Secure by default
By embedding Microsoft-recommended security settings from the moment a Cloud PC or virtual machine (VM) is created, Windows 365 and Azure Virtual Desktop make security a foundational part of the cloud experience. This approach allows organizations to benefit from robust security measures right out of the box, reducing the need for manual configurations and enabling IT teams to focus on other critical tasks. One of the latest updates, which restricts Port 3389 by default on all newly provisioned and reprovisioned Windows 365 Cloud PCs, supports our goal of automated, built-in security.
While default security is essential, we also offer IT admins the flexibility to override these settings as needed—for example, if organizations need to customize security for their virtualization deployment to accommodate different devices and varying work models. We prioritize making it easier to secure identity, access, and data while providing the choice, flexibility, and control that customers need for a strong security posture.
Secure identity
Customers are looking for enhanced security that also delivers a seamless user experience, especially when using non-Microsoft identity providers.
The recent preview launch of Passkey support in Microsoft Entra for macOS and iOS devices with single sign-on (SSO) and passwordless authentication streamlines the end-to-end user experience and enhances phish-resistant passwordless security for Windows 365 and Azure Virtual Desktop. New features such as faster re-authentication (public preview) take advantage of sign-in frequency in Microsoft Entra Conditional Access policies, enabling IT admins to enforce secure, timely reauthentication based on their needs.
Secure access
We recognize that each organization has unique needs, so we offer flexible options for customizing security access configurations. For example, Microsoft Intune Mobile Application Management (MAM) for Windows App on iOS (generally available) and Windows App on Android (in public preview), enables administrators to secure access to Windows 365 and Azure Virtual Desktop from managed and unmanaged mobile devices. Microsoft Purview Insider Risk Management with forensic evidence and redirection management, along with client device access control, provides visual insight into potentially risky actions on Cloud PCs and VMs. This helps organizations mitigate insider threats with built-in privacy controls and customized event triggers.
The Windows App MAM support for iOS (general availability) and for Android (in public preview), allows organizations with Windows 365 and Azure Virtual Desktop to set device security criteria and customize access, effectively supporting bring-your-own-device (BYOD) scenarios. And Conditional Access policies continue to help secure Cloud PCs and VMs by ensuring that users access them only under approved conditions.
Secure data
To further strengthen data protection alongside secured identity and access, Windows 365 and Azure Virtual Desktop offer a comprehensive suite of features designed to give organizations greater control over sensitive information.
Microsoft Purview Customer Lockbox (generally available) enhances data protection for Windows 365 by integrating users into the approval workflow, ensuring that only authorized requests can access content. Additionally, Microsoft Purview Customer Key customer-managed keys ensure data is encrypted and controlled by your organization. Furthermore, features such as screen capture protection for Windows 365 and Azure Virtual Desktop add layers of defense by preventing the capture or sharing of sensitive information, while unidirectional clipboard redirection helps prevent accidental or intentional data leaks.
This balance between built-in security and customization enables organizations to scale their security strategies in line with their growth and risk management priorities.
As part of our commitment to a secure cloud experience, we have deeply integrated Windows 365 and Azure Virtual Desktop with the Microsoft security ecosystem. This unified approach combines the strengths of Microsoft Entra for identity management, Microsoft Intune for device control, Microsoft Defender for endpoint protection, and Windows 11 for its security features to deliver a cohesive and secure package.
Additional resources
- Expanding Microsoft’s Secure Future Initiative (Charlie Bell blog)
- MAM for Windows 365 and Azure Virtual Desktop
- What's new with Windows at Microsoft Ignite 2024
- Secure and resilient Windows strategy from Client to Cloud (Microsoft Ignite session)
- Transform end-user computing experiences with Windows, Windows 365 and Intune (Microsoft Ignite session)
Hear more about what's new with Windows and Windows 365
Bookmark our guide to Windows at Microsoft Ignite 2024, then dive into the Microsoft Ignite announcements that reinforce our commitment to getting you and your organization future-ready:
- Windows 365 Link—the first Cloud PC device for Windows 365
- New AI experiences transform productivity on Windows 11 Copilot+ PCs
- Hotpatch for client comes to Windows 11 Enterprise
- Streamlined, AI-powered update management: Windows Autopatch
- Windows 365 Frontline shared mode now in public preview
- Two new features make Universal Print truly "universal"
- Administrator protection on Windows 11
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.