Forum Discussion

ConnyBjorkstedt's avatar
ConnyBjorkstedt
Copper Contributor
Jun 17, 2026

Windows 365 and developer environments: how do you balance security and productivity?

Hi everyone,

I’d like to raise a topic that we are currently struggling with, and I suspect many other organizations are facing the same challenge.

We are in the process of establishing a Windows 365–based development environment, where developers work in Cloud PCs. This is largely driven by:

  • a BYOD strategy
  • security requirements (no sensitive code on unmanaged devices)
  • the need for standardization

However, this quickly becomes complex in practice.

The core challenge

We are trying to balance three competing priorities:

1. Security requirements

  • No sensitive code on local devices
  • Minimal attack surface
  • Zero Trust principles and Conditional Access
  • Full traceability of identity and actions

2. Developer needs

  • Local admin rights to be able to do their work
  • Freedom to install tools, SDKs, and runtimes
  • Flexibility without constant blocking
  • Fast iteration cycles

The reality is that if it takes too long to get access or permissions, it breaks the developer workflow.

3. IT and governance

  • Standardization of environments
  • Manageability and patching
  • License and cost control
  • Compliance and auditability

The practical dilemma

  • Developers want to be local admins on their machines
  • Security teams prefer:
    • Just-In-Time access (PIM), or
    • No admin privileges at all

In practice:

  • PIM tends not to work well for developers
  • It introduces too much friction
  • It disrupts flow and often leads to workarounds

What we are currently exploring

We are testing a model where:

  • Developers work in Windows 365 Cloud PCs
  • They use their regular corporate identity (Entra ID)
  • Isolation is achieved through the environment, not separate accounts
  • Developers have local admin rights within the Cloud PC

However, this raises a new question:

How do we secure an environment where the user is an admin?

Questions to the community

I would really appreciate insights from others who have been through similar scenarios:

1. Identity vs privilege

  • Do you use the same identity for everything, or separate user/admin accounts?
  • How far do you take identity separation?

2. Local admin rights

  • Do you allow developers to have local admin rights?
  • Is it permanent or Just-In-Time?
  • If JIT, how do you make it work without impacting productivity?

3. Cloud-based development environments

  • If you are using Windows 365, Dev Box, or AVD:
    • Has this made it easier to relax restrictions?
    • Or are you facing the same challenges, just in the cloud?

4. Guardrails instead of restrictions

Instead of trying to prevent everything:

  • EDR / endpoint protection
  • Conditional Access
  • Network isolation
  • Monitoring and detection

Has anyone successfully shifted from strict control to strong guardrails and detection?

Current reflection

I am starting to think that:

Focusing on secure, isolated environments for development
may be more effective than trying to tightly control every individual action.

In other words:

  • secure the platform
  • not every single user behavior

But this is far from straightforward.

Purpose of this discussion

The goal is to find a realistic blueprint that:

  • maintains high developer productivity
  • meets security requirements
  • minimizes friction in day-to-day work

Not something theoretically perfect, but something that actually works.

If you have experience in this area, I would really value your input:

  • what has worked well
  • what has not worked
  • key design decisions you would recommend

Thanks in advance.

1 Reply

  • Hi, I'd handle this with developer personas rather than one Cloud PC image for everyone. Give developers enough local admin or approved elevation for dev tools, but keep source access, device compliance, DLP, Defender, and conditional access tight. Also separate standard dev images from privileged/admin workstations so security and productivity are not fighting in the same box.