Securing your Windows 365 Cloud PCs

Published Aug 19 2021 10:00 AM 7,783 Views

Today, we are sharing details on what security capabilities Windows 365 provides out of the box and additional actions you can take to secure your Cloud PCs. We'll break down the guidance for both Windows 365 Business and Windows 365 Enterprise.

As we navigate the most complex cybersecurity environment we’ve ever seen, every organization wants to know what they can do to ensure they’re protected. All Cloud PCs, like their physical PC counterparts, come with Microsoft Defender—securing the device beginning with the first-run experience. Cloud PCs are also provisioned using a gallery image that is automatically updated with the latest cumulative updates for Windows 10 through Windows Update for Business.

Windows 365 Business

Windows 365 Business was designed for smaller businesses, particularly organizations without central IT management solutions or IT staff. As a result, Windows 365 Business grants end users local admin rights to their Cloud PCs. This is similar to what happens in many small businesses: users purchase a physical PC themselves from a retailer and they retain local admin rights for that device.

If you are an IT department that wants to use Windows 365 Business for a particular scenario, you should follow standard IT security practices to set those users as standard users on their devices. If you want to use Microsoft Endpoint Manager (part of Microsoft 365 Business Premium) for this approach, you will need to:

Windows 365 Enterprise

There are some notable differences between Windows 365 Business and Windows 365 Enterprise when viewed through the IT management lens. We designed Windows 365 Enterprise for organizations with dedicated IT teams. It is designed around the management and security provided by Microsoft Endpoint Manager. Out of the box, all Cloud PCs in Windows 365 Enterprise:

  • Are enrolled in Microsoft Endpoint Manager, with reporting of Microsoft Defender Antivirus alerts and the ability to onboard into the full Microsoft Defender for Endpoint capabilities.
  • Configure end users as standard users with the ability for admins to make exceptions on a per-user basis.

We would recommend that all Windows 365 Enterprise customers:

  1. Follow standard Windows 10 security practices, including limiting who can log on to their Cloud PCs using local administrator privileges.
  2. Deploy the Windows 365 security baseline to their Cloud PCs from Microsoft Endpoint Manager and leverage Microsoft Defender to provide in-depth defense to their endpoints, including all Cloud PCs. The Windows 365 security baseline enables the ASR rules discussed above.
  3. Deploy Azure AD conditional access to secure authentication to their Cloud PCs, including multifactor authentication (MFA) and user/sign-in risk mitigation.

Trusted launch

Finally, you may have noticed that we do not yet leverage trusted launch in Windows 365. Trusted launch is a series of technologies in Azure that improve the security of virtual machines (such as enabling TPM 2.0 and secure boot). As announced at Windows 365 launch, we are working on bringing Windows 11 to Windows 365 once it’s generally available later this calendar year. As part of that work, we are working to ensure that trusted launch is available in the Azure regions where Windows 365 is available today.

Continuing to listen and learn

Please keep the feedback coming. We’re learning so much every day from our customers and partners, and we will continue to listen, learn, and innovate so we can offer you a great Windows 365 experience.

 

1 Comment
Contributor

Please add below line in above post.

Windows 365 enterprise customers , don't need to enable ASR . because enterprise subscription comes with Enabled ASR out of the box

 

%3CLINGO-SUB%20id%3D%22lingo-sub-2663129%22%20slang%3D%22en-US%22%3ESecuring%20your%20Windows%20365%20Cloud%20PCs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2663129%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EToday%2C%20we%20are%20sharing%20details%20on%20what%20security%20capabilities%20Windows%20365%20provides%20out%20of%20the%20box%20and%20additional%20actions%20you%20can%20take%20to%20secure%20your%20Cloud%20PCs.%20We'll%20break%20down%20the%20guidance%20for%20both%20Windows%20365%20Business%20and%20Windows%20365%20Enterprise.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EAs%20we%20navigate%20the%20most%20complex%20cybersecurity%20environment%20we%E2%80%99ve%20ever%20seen%2C%20every%20organization%20wants%20to%20know%20what%20they%20can%20do%20to%20ensure%20they%E2%80%99re%20protected.%20All%20Cloud%20PCs%2C%20like%20their%20physical%20PC%20counterparts%2C%20come%20with%20Microsoft%20Defender%E2%80%94securing%20the%20device%20beginning%20with%20the%20first-run%20experience.%20Cloud%20PCs%20are%20also%20provisioned%20using%20a%20gallery%20image%20that%20is%20automatically%20updated%20with%20the%20latest%20cumulative%20updates%20for%20Windows%2010%20through%20Windows%20Update%20for%20Business.%3C%2FP%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--380185417%22%20id%3D%22toc-hId--380095083%22%20id%3D%22toc-hId--380095083%22%20id%3D%22toc-hId--380095083%22%20id%3D%22toc-hId--380095083%22%3EWindows%20365%20Business%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWindows%20365%20Business%20was%20designed%20for%20smaller%20businesses%2C%20particularly%20organizations%20without%20central%20IT%20management%20solutions%20or%20IT%20staff.%20As%20a%20result%2C%20Windows%20365%20Business%20grants%20end%20users%20local%20admin%20rights%20to%20their%20Cloud%20PCs.%20This%20is%20similar%20to%20what%20happens%20in%20many%20small%20businesses%3A%20users%20purchase%20a%20physical%20PC%20themselves%20from%20a%20retailer%20and%20they%20retain%20local%20admin%20rights%20for%20that%20device.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EIf%20you%20are%20an%20IT%20department%20that%20wants%20to%20use%20Windows%20365%20Business%20for%20a%20particular%20scenario%2C%20you%20should%20follow%20standard%20IT%20security%20practices%20to%20set%20those%20users%20as%20standard%20users%20on%20their%20devices.%20If%20you%20want%20to%20use%20Microsoft%20Endpoint%20Manager%20(part%20of%20Microsoft%20365%20Business%20Premium)%20for%20this%20approach%2C%20you%20will%20need%20to%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EConfigure%20the%20devices%20to%20enroll%20into%20Microsoft%20Endpoint%20Manager%20using%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fenrollment%2Fquickstart-setup-auto-enrollment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eautomatic%20enrollment%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EManage%20the%20Local%20Administrators%20group.%20For%20more%20details%20on%20how%20to%20do%20this%20using%20Azure%20Active%20Directory%20(Azure%20AD%2C%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fdevices%2Fassign-local-admin%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EHow%20to%20manage%20the%20local%20administrators%20group%20on%20Azure%20AD%20joined%20devices%3C%2FA%3E.%20For%20an%20example%20of%20how%20to%20do%20this%20using%20Microsoft%20Endpoint%20Manager%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fwww.petervanderwoude.nl%2Fpost%2Feasier-managing-local-administrators-via-windows-10-mdm-on-windows-10-20h2-and-later%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ethis%20post%3C%2FA%3E%26nbsp%3Bfrom%20Microsoft%20MVP%20Peter%20van%20der%20Woude.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EConsider%20enabling%20Microsoft%20Defender%20Attack%20surface%20reduction%20(ASR)%20rules.%20ASR%20rules%20are%20in-depth%20defense%20mitigations%20for%20specific%20security%20concerns%2C%20such%20as%20blocking%20credential%20stealing%20from%20the%20Windows%20local%20security%20authority%20subsystem.%20For%20details%20on%20how%20to%20enable%20ASR%20rules%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fenable-attack-surface-reduction%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEnable%20attack%20surface%20reduction%20rules%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EReview%20the%20Microsoft%20365%20Business%20Premium%20%3CA%20style%3D%22font-family%3A%20inherit%3B%20background-color%3A%20%23ffffff%3B%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fsecure-your-business-data%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eorganizational%20security%20guidance%3C%2FA%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%2C%26nbsp%3B%3C%2FSPAN%3Eincluding%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fmicrosoft-365%252Fadmin%252Fsecurity-and-compliance%252Fsecure-your-business-data%2523setup%26amp%3Bdata%3D04%257C01%257Cv-hpoulsen%2540microsoft.com%257Cd6449d2ecf614a414a1108d963685849%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637650122082038299%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DgO5u5uws8UX9A0rOTEe0NbKDpkN4HnFIwJvrX2eVN9E%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eenabling%20MFA%3C%2FA%3E%20to%20access%20Windows%20365.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-2107327416%22%20id%3D%22toc-hId-2107417750%22%20id%3D%22toc-hId-2107417750%22%20id%3D%22toc-hId-2107417750%22%20id%3D%22toc-hId-2107417750%22%3EWindows%20365%20Enterprise%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EThere%20are%20some%20notable%20differences%20between%20Windows%20365%20Business%20and%20Windows%20365%20Enterprise%20when%20viewed%20through%20the%20IT%20management%20lens.%20We%20designed%20Windows%20365%20Enterprise%20for%20organizations%20with%20dedicated%20IT%20teams.%20It%20is%20designed%20around%20the%20management%20and%20security%20provided%20by%20Microsoft%20Endpoint%20Manager.%20Out%20of%20the%20box%2C%20all%20Cloud%20PCs%20in%20Windows%20365%20Enterprise%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EAre%20enrolled%20in%20Microsoft%20Endpoint%20Manager%2C%20with%20reporting%20of%20Microsoft%20Defender%20Antivirus%20alerts%20and%20the%20ability%20to%20onboard%20into%20the%20full%20Microsoft%20Defender%20for%20Endpoint%20capabilities.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EConfigure%20end%20users%20as%20standard%20users%20with%20the%20ability%20for%20admins%20to%20make%20exceptions%20on%20a%20per-user%20basis.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWe%20would%20recommend%20that%20all%20Windows%20365%20Enterprise%20customers%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EFollow%20standard%20Windows%2010%20security%20practices%2C%20including%20limiting%20who%20can%20log%20on%20to%20their%20Cloud%20PCs%20using%20local%20administrator%20privileges.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EDeploy%20the%20Windows%20365%20security%20baseline%20to%20their%20Cloud%20PCs%20from%20Microsoft%20Endpoint%20Manager%20and%20leverage%20Microsoft%20Defender%20to%20provide%20in-depth%20defense%20to%20their%20endpoints%2C%20including%20all%20Cloud%20PCs.%20The%20Windows%20365%20security%20baseline%20enables%20the%20ASR%20rules%20discussed%20above.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EDeploy%20Azure%20AD%20conditional%20access%20to%20secure%20authentication%20to%20their%20Cloud%20PCs%2C%20including%20multifactor%20authentication%20(MFA)%20and%20user%2Fsign-in%20risk%20mitigation.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-299872953%22%20id%3D%22toc-hId-299963287%22%20id%3D%22toc-hId-299963287%22%20id%3D%22toc-hId-299963287%22%20id%3D%22toc-hId-299963287%22%3ETrusted%20launch%3C%2FH2%3E%0A%3CP%20data-unlink%3D%22true%22%3EFinally%2C%20you%20may%20have%20noticed%20that%20we%20do%20not%20yet%20leverage%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-machines%2Ftrusted-launch%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Etrusted%20launch%3C%2FA%3E%20in%20Windows%20365.%20Trusted%20launch%20is%20a%20series%20of%20technologies%20in%20Azure%20that%20improve%20the%20security%20of%20virtual%20machines%20(such%20as%20enabling%20TPM%202.0%20and%20secure%20boot).%20As%20announced%20at%20Windows%20365%20launch%2C%20we%20are%20working%20on%20bringing%20Windows%2011%20to%20Windows%20365%20once%20it%E2%80%99s%20generally%20available%20later%20this%20calendar%20year.%20As%20part%20of%20that%20work%2C%20we%20are%20working%20to%20ensure%20that%20trusted%20launch%26nbsp%3Bis%20available%20in%20the%20Azure%20regions%20where%20Windows%20365%20is%20available%20today.%3C%2FP%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--1507581510%22%20id%3D%22toc-hId--1507491176%22%20id%3D%22toc-hId--1507491176%22%20id%3D%22toc-hId--1507491176%22%20id%3D%22toc-hId--1507491176%22%3EContinuing%20to%20listen%20and%20learn%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EPlease%20keep%20the%20feedback%20coming.%20We%E2%80%99re%20learning%20so%20much%20every%20day%20from%20our%20customers%20and%20partners%2C%20and%20we%20will%20continue%20to%20listen%2C%20learn%2C%20and%20innovate%20so%20we%20can%20offer%20you%20a%20great%20Windows%20365%20experience.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2663129%22%20slang%3D%22en-US%22%3E%3CP%3ELearn%20what%20capabilities%20Windows%20365%20provides%20out%20of%20the%20box%20and%20additional%20actions%20you%20can%20take%20to%20secure%20Cloud%20PCs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Stylized%20photo%20with%20illustration%20elements%20depicting%20a%20Cloud%20PC%20sitting%20on%20a%20modern%20white%20countertop%20in%20a%20kitchen%20area%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F304487i4F4C4299A5D163E8%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22W365CO21_Productivity_078.jpg%22%20alt%3D%22W365CO21_Productivity_078.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2663129%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWindows%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2672922%22%20slang%3D%22en-US%22%3ERe%3A%20Securing%20your%20Windows%20365%20Cloud%20PCs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2672922%22%20slang%3D%22en-US%22%3E%3CP%3EPlease%20add%20below%20line%20in%20above%20post.%3C%2FP%3E%3CP%3EWindows%20365%20enterprise%20customers%20%2C%20don't%20need%20to%20enable%20ASR%20.%20because%20enterprise%20subscription%20comes%20with%20Enabled%20ASR%20out%20of%20the%20box%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Aug 19 2021 05:19 PM
Updated by: