Forum Discussion

ConnyBjorkstedt
Occasional Reader
Jun 17, 2026

Windows 365 and developer environments: how do you balance security and productivity?

Hi everyone,

I’d like to raise a topic that we are currently struggling with, and I suspect many other organizations are facing the same challenge.

We are in the process of establishing a Windows 365–based development environment, where developers work in Cloud PCs. This is largely driven by:

  • a BYOD strategy
  • security requirements (no sensitive code on unmanaged devices)
  • the need for standardization

However, this quickly becomes complex in practice.

The core challenge

We are trying to balance three competing priorities:

1. Security requirements

  • No sensitive code on local devices
  • Minimal attack surface
  • Zero Trust principles and Conditional Access
  • Full traceability of identity and actions

2. Developer needs

  • Local admin rights to be able to do their work
  • Freedom to install tools, SDKs, and runtimes
  • Flexibility without constant blocking
  • Fast iteration cycles

The reality is that if it takes too long to get access or permissions, it breaks the developer workflow.

3. IT and governance

  • Standardization of environments
  • Manageability and patching
  • License and cost control
  • Compliance and auditability

The practical dilemma

  • Developers want to be local admins on their machines
  • Security teams prefer:
    • Just-In-Time access (PIM), or
    • No admin privileges at all

In practice:

  • PIM tends not to work well for developers
  • It introduces too much friction
  • It disrupts flow and often leads to workarounds

What we are currently exploring

We are testing a model where:

  • Developers work in Windows 365 Cloud PCs
  • They use their regular corporate identity (Entra ID)
  • Isolation is achieved through the environment, not separate accounts
  • Developers have local admin rights within the Cloud PC

However, this raises a new question:

How do we secure an environment where the user is an admin?

Questions to the community

I would really appreciate insights from others who have been through similar scenarios:

1. Identity vs privilege

  • Do you use the same identity for everything, or separate user/admin accounts?
  • How far do you take identity separation?

2. Local admin rights

  • Do you allow developers to have local admin rights?
  • Is it permanent or Just-In-Time?
  • If JIT, how do you make it work without impacting productivity?

3. Cloud-based development environments

  • If you are using Windows 365, Dev Box, or AVD:
    • Has this made it easier to relax restrictions?
    • Or are you facing the same challenges, just in the cloud?

4. Guardrails instead of restrictions

Instead of trying to prevent everything:

  • EDR / endpoint protection
  • Conditional Access
  • Network isolation
  • Monitoring and detection

Has anyone successfully shifted from strict control to strong guardrails and detection?

Current reflection

I am starting to think that:

Focusing on secure, isolated environments for development may be more effective than trying to tightly control every individual action.

In other words:

  • secure the platform
  • not every single user behavior

But this is far from straightforward.

Purpose of this discussion

The goal is to find a realistic blueprint that:

  • maintains high developer productivity
  • meets security requirements
  • minimizes friction in day-to-day work

Not something theoretically perfect, but something that actually works.

If you have experience in this area, I would really value your input:

  • what has worked well
  • what has not worked
  • key design decisions you would recommend

Thanks in advance.
