The Windows Cloud Experiences team is happy to announce that all newly provisioned Cloud PCs will now be encrypted at the host level using Azure host-based encryption. This enhancement is in effect as of April 2023.
To date, Windows 365 Cloud PCs have utilized Azure Storage encryption, which uses server-side encryption (SSE) to help protect data and help you meet your organizational security and compliance commitments. Host-based encryption furthers our commitment to Zero Trust by making sure that the physical Azure server to which your Cloud PC is allocated is also encrypted at rest. This protection is in addition to, not replacing, SSE.
How host-based encryption works
With host-based encryption, all data is encrypted at rest and flows encrypted from the host to the Azure Storage service, where it persists. Encryption at host does not use your Cloud PC's CPU and does not affect Cloud PC performance. This feature does not cover encryption of data in transit, which has been and will continue to be protected by the TLS 1.2 protocol. For more information, see Enable end-to-end encryption using encryption at host.
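Added example (not code from the original post or from Microsoft): a small audit over the JSON that `az vm show` returns, classifying whether encryption at host is in effect on Azure VMs in your own subscription. The hosts behind Cloud PCs are Microsoft-managed and not visible to your tenant, so this applies to VMs you provision yourself; the sample records below are constructed, and the only field relied on is the documented `securityProfile.encryptionAtHost` property.

```python
import json

# Constructed sample records, trimmed to the fields that matter here. The real
# `az vm show -g <rg> -n <vm> -o json` output carries many more properties.
# Three cases: explicitly enabled, explicitly disabled, and a VM whose record
# predates the setting (no securityProfile at all).
SAMPLE_VM_JSON = json.dumps([
    {"name": "vm-enabled",  "securityProfile": {"encryptionAtHost": True}},
    {"name": "vm-disabled", "securityProfile": {"encryptionAtHost": False}},
    {"name": "vm-legacy",   "securityProfile": None},
])


def encryption_at_host_state(vm: dict) -> str:
    """Classify one VM record as 'enabled', 'disabled' or 'unset'.

    'unset' is treated the same as 'disabled' for audit purposes: encryption
    at host is only in effect when the flag is explicitly true.
    """
    profile = vm.get("securityProfile") or {}
    flag = profile.get("encryptionAtHost")
    if flag is True:
        return "enabled"
    if flag is False:
        return "disabled"
    return "unset"


def audit(vm_records_json: str) -> list[str]:
    """Return the names of VMs where host-level encryption is NOT in effect.

    Input is the JSON text of a list of VM records (e.g. `az vm list -o json`
    or a list you assembled from several `az vm show` calls). Remediation on
    an existing VM is a deallocate followed by setting the property to true.
    """
    vms = json.loads(vm_records_json)
    return [vm["name"] for vm in vms if encryption_at_host_state(vm) != "enabled"]


if __name__ == "__main__":
    for name in audit(SAMPLE_VM_JSON):
        print(f"{name}: encryption at host not in effect")
```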
How do I get host-based encryption?
This capability will be available for all supported Cloud PC SKUs at no additional cost. No action is required of your organization. You can continue to deploy, manage, and use your Windows 365 Cloud PCs as usual.
Where can I find more information about securing my Cloud PCs?
To learn more about the default security posture of Windows 365 Cloud PCs and how you can configure security policies optimized for the needs of your organization, see our Windows 365 security guidelines.
Editor’s note (4.19.2023): We have updated this post to clarify that Cloud PCs have traditionally been protected by SSE and that host-based encryption is an added protection that will now be available by default for all Cloud PCs.