This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
Today, we are sharing details on what security capabilities Windows 365 provides out of the box and additional actions you can take to secure your Cloud PCs. We'll break down the guidance for both Windows 365 Business and Windows 365 Enterprise.
As we navigate the most complex cybersecurity environment we’ve ever seen, every organization wants to know what they can do to ensure they’re protected. All Cloud PCs, like their physical PC counterparts, come with Microsoft Defender—securing the device beginning with the first-run experience. Cloud PCs are also provisioned using a gallery image that is automatically updated with the latest cumulative updates for Windows 10 through Windows Update for Business.
Windows 365 Business
Windows 365 Business was designed for smaller businesses, particularly organizations without central IT management solutions or IT staff. As a result, Windows 365 Business grants end users local admin rights to their Cloud PCs. This is similar to what happens in many small businesses: users purchase a physical PC themselves from a retailer and they retain local admin rights for that device.
If you are an IT department that wants to use Windows 365 Business for a particular scenario, you should follow standard IT security practices to set those users as standard users on their devices. If you want to use Microsoft Endpoint Manager (part of Microsoft 365 Business Premium) for this approach, you will need to:
- Configure the devices to enroll into Microsoft Endpoint Manager using automatic enrollment.
- Manage the Local Administrators group. For more details on how to do this using Azure Active Directory (Azure AD), see How to manage the local administrators group on Azure AD joined devices. For an example of how to do this using Microsoft Endpoint Manager, see this post from Microsoft MVP Peter van der Woude.
- Consider enabling Microsoft Defender Attack surface reduction (ASR) rules. ASR rules are defense-in-depth mitigations for specific security concerns, such as blocking credential stealing from the Windows Local Security Authority Subsystem (LSASS). For details on how to enable ASR rules, see Enable attack surface reduction rules.
Additionally, review the Microsoft 365 Business Premium organizational security guidance.
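The three steps above (enrollment, local Administrators membership, the LSASS ASR rule) can be verified on the Cloud PC itself. The following read-only audit script is an added example for this post, not Microsoft's or Windows 365's own tooling; it assumes an elevated Windows PowerShell 5.1 session on a Windows 10 Cloud PC with the built-in Defender and LocalAccounts modules, and uses the documented rule ID for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)". It applies equally to Windows 365 Enterprise Cloud PCs, where the security baseline is expected to have enabled the rule already.

```powershell
# Added example (not from the original post): audit a Cloud PC against the guidance above.
# Assumption: run elevated in Windows PowerShell 5.1 on the Cloud PC being checked.

# Documented ASR rule ID: block credential stealing from LSASS (lsass.exe).
$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
# Get-MpPreference reports ASR actions as numbers; map them to readable modes.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Who holds local admin rights? On Windows 365 Business the end user does by default.
Write-Host '== Local Administrators group members =='
try {
    # Get-LocalGroupMember can fail on some builds when Azure AD accounts are members,
    # so fall back to the classic 'net localgroup' listing in that case.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} catch {
    net localgroup Administrators
}

# 2. Is the device Azure AD joined and MDM enrolled? dsregcmd prints 'AzureAdJoined : YES'
#    and an 'MdmUrl' line pointing at the enrollment service when it is.
Write-Host '== Join / enrollment state (dsregcmd /status) =='
$dsreg = dsregcmd /status
$dsreg | Where-Object { $_ -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:' }

# 3. Is the LSASS credential-theft ASR rule configured, and in which mode?
Write-Host '== ASR rule: block credential stealing from LSASS =='
$prefs   = Get-MpPreference
$ids     = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)
$index = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassAsrRuleId) { $index = $i; break }   # GUID compare, case-insensitive
}
if ($index -lt 0) {
    Write-Host 'Not configured. To enable it in block mode, run:'
    Write-Host "  Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRuleId -AttackSurfaceReductionRules_Actions Enabled"
} else {
    $mode = $AsrActionNames[[int]$actions[$index]]
    if (-not $mode) { $mode = "Unknown ($($actions[$index]))" }
    Write-Host "Configured, mode: $mode"
}
```

When the device is managed by Microsoft Endpoint Manager, set the rule through an Endpoint Manager policy rather than Add-MpPreference, so the locally applied setting is not overwritten or left unmanaged.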
Windows 365 Enterprise
There are some notable differences between Windows 365 Business and Windows 365 Enterprise when viewed through the IT management lens. We designed Windows 365 Enterprise for organizations with dedicated IT teams. It is designed around the management and security provided by Microsoft Endpoint Manager. Out of the box, all Cloud PCs in Windows 365 Enterprise:
- Are enrolled in Microsoft Endpoint Manager, with reporting of Microsoft Defender Antivirus alerts and the ability to onboard into the full Microsoft Defender for Endpoint capabilities.
- Configure end users as standard users with the ability for admins to make exceptions on a per-user basis.
We would recommend that all Windows 365 Enterprise customers:
- Follow standard Windows 10 security practices, including limiting who can log on to their Cloud PCs using local administrator privileges.
- Deploy the Windows 365 security baseline to their Cloud PCs from Microsoft Endpoint Manager and leverage Microsoft Defender to provide defense in depth for their endpoints, including all Cloud PCs. The Windows 365 security baseline enables the ASR rules discussed above.
- Deploy Azure AD conditional access to secure authentication to their Cloud PCs, including multifactor authentication (MFA) and user/sign-in risk mitigation.
Finally, you may have noticed that we do not yet leverage trusted launch in Windows 365. Trusted launch is a series of technologies in Azure that improve the security of virtual machines (such as enabling TPM 2.0 and secure boot). As announced at Windows 365 launch, we are working on bringing Windows 11 to Windows 365 once it’s generally available later this calendar year. As part of that work, we are working to ensure that trusted launch is available in the Azure regions where Windows 365 is available today.
Continuing to listen and learn
Please keep the feedback coming. We’re learning so much every day from our customers and partners, and we will continue to listen, learn, and innovate so we can offer you a great Windows 365 experience.