Windows 365 Customer Lockbox is now generally available for all organizations with a Microsoft 365 E5 or Office 365 E5 subscription. This security feature ensures that Microsoft cannot access content in your Cloud PCs to do service operations without your explicit approval.
What is Customer Lockbox?
In some cases, Microsoft support engineers may need to access your content to determine the root cause of an issue and address it. Windows 365 Customer Lockbox requires the engineer to request access from you as a final step in the approval workflow.
With Customer Lockbox, you have the option to approve or deny the request for your organization, and provide direct-access control to your content.
Customer Lockbox is included in the Microsoft 365 or Office 365 E5 subscriptions and can be added to other plans that have an Information Protection and Compliance or an Advanced Compliance add-on subscription. See Plans and pricing for more information.
How to use Windows 365 Customer Lockbox
Turn Customer Lockbox requests on or off
You can turn on Customer Lockbox controls in the Microsoft 365 admin center. When you turn on Customer Lockbox, Microsoft must obtain your organization’s approval before accessing any of your tenants' content.
- Using a work or school account that has the global administrator role, go to https://admin.microsoft.com/ and sign in.
- Choose Settings > Org Settings > Security & Privacy
- In Security & Privacy, select Customer Lockbox.
Screenshot of the Security & Privacy list highlighting the Customer Lockbox option in grey.
Once you select Customer Lockbox, a right-hand column will appear. Check the “Require approval for all data access request” checkbox and press the Save button on the bottom of the column to turn on the feature.Screenshot of the Customer Lockbox with a check next to the Require approval for all data access requests.
Approve or deny a Customer Lockbox request
- Using a work or school account that has either the Global Administrator or the Customer Lockbox access role assigned, go to https://admin.microsoft.com/ and sign in.
- Choose Support > Customer Lockbox Requests
Screenshot of the Support menu highlighting the Customer Lockbox Requests option.
- A list of Customer Lockbox requests is displayed.
Screenshot of the Customer Lockbox Requests list with a blue box highlighting the request.
- Select the Customer Lockbox request, then choose Approve or Deny.
Screenshot of the Microsoft Engineer menu giving an option to Approve or Deny.
- A green confirmation message about the approval of the Customer Lockbox request will be displayed.
Screenshot of the green box notifying Your request has been updated.
Screenshot of the Microsoft Operator menu with the option to Approve or Deny.
Auditing access
Once just-in-time (JIT) access expires, the troubleshooting ticket is marked as complete. You can then visit compliance.microsoft.com and select Audit under the Solutions category to see what was done during the session. For Windows 365 specific records, under Record types, select Windows365CustomerLockbox.
Retention policies can be updated based on your organization’s needs. For more information, explore Manage audit log retention policies and Audit log activities for Microsoft 365 services,
Learn more about Customer Lockbox and Windows 365 security
For more information about Customer Lockbox as a feature in general, see the documentation on Microsoft Purview Customer Lockbox. We also invite you to learn more about Customer Lockbox requests and security concepts in Windows 365.
To learn about submitting support tickets in the Microsoft Intune admin center, please see Get support in the Microsoft Intune admin center.
Continue the conversation. Find best practices. Bookmark the Windows 365 Tech Community, then follow us @MSWindowsITPro on X/Twitter and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.