Earlier this week, Microsoft shared details about their Windows 365 Cloud PC security capabilities and how enterprise and end-users can secure them.
The guidance provides step-by-step instructions on how to secure Cloud PCs that are enrolled in Windows 365 Enterprise and Windows 365 Business plans.
“All Cloud PCs, like their physical PC counterparts, come with Microsoft Defender—securing the device beginning with the first-run experience,” said Christiaan Brinkhoff, Principal Program Manager for Windows 365. “Cloud PCs are also provisioned using a gallery image that is automatically updated with the latest cumulative updates for Windows 10 through Windows Update for Business.”
In the case of Windows 365 Business, which automatically grants end users local admin rights, Microsoft suggests that IT admins follow standard security procedures to ensure that only the users who are most critical to their organization are allowed to access their devices. To do this, Microsoft advises:
- Configuring the devices to enroll into Microsoft Endpoint Manager using automatic enrollment;
- Managing the Local Administrators group on Azure AD. For more details, see How to manage the group on Azure AD;
- Enabling Microsoft Defender Attack surface reduction (ASR) rules. For more information, see Enable attack surface reduction rules;
- Using Microsoft Endpoint Manager, which also makes it easier for them to secure their PCs.
If you’re an IT manager, you have access to Microsoft Endpoint Manager, which makes it easy to secure all your Windows 365 Enterprise Cloud PCs. Enterprise Cloud PCs also surface Microsoft Defender Antivirus alerts and can optionally be onboarded into Microsoft Defender for Endpoint.
End users of Windows 365 Enterprise Cloud PCs are also automatically set up as default users. To further secure their Windows 365 Enterprise Cloud PCs, Microsoft advises:
- Following standard Windows 10 security practices;
- Limiting who can log on to their Cloud PCs using local administrator privileges;
- Deploying the Windows 365 security baseline to their Cloud PCs, which includes the ASR rules, using Microsoft Endpoint Manager or Microsoft Defender;
- Deploying Azure AD conditional access to secure authentication to their Cloud PCs, including multifactor authentication (MFA).
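Two of the recommendations in both lists above, the ASR rule state and who sits in the local Administrators group, can be checked directly on a Cloud PC. The following audit script is an added example, not part of Microsoft's guidance; it assumes Windows PowerShell 5.1 run elevated on the Cloud PC, and the approved-admin list is a constructed placeholder to replace with your own.

```powershell
# Added audit script (not from Microsoft's guidance): reports the configured
# ASR rules and any local Administrators members not on an approved list.
# Assumes Windows PowerShell 5.1, run elevated on the Cloud PC.

# Placeholder: replace with the accounts you actually allow as local admins.
$ApprovedAdmins = @('AzureAD\CloudAdmin@example.com')

# Get-MpPreference returns ASR actions as numeric codes; map them to names.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleStatus {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    if ($ids.Count -eq 0) {
        Write-Warning 'No ASR rules are configured on this Cloud PC.'
        return
    }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Cast to [int]: the action array is byte[], and a byte key does not
        # match an int key in the hashtable.
        $name = $ActionNames[[int]$actions[$i]]
        if (-not $name) { $name = "Unknown($($actions[$i]))" }
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $name }
    }
}

function Get-UnexpectedLocalAdmins {
    # Azure AD accounts show up as 'AzureAD\<upn>' with PrincipalSource AzureAD.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedAdmins -notcontains $_.Name } |
        Select-Object Name, PrincipalSource
}

'--- ASR rule configuration (rules not set to Block are worth reviewing) ---'
Get-AsrRuleStatus | Format-Table -AutoSize

'--- Local Administrators members not on the approved list ---'
$extra = Get-UnexpectedLocalAdmins
if ($extra) { $extra | Format-Table -AutoSize } else { 'None found.' }
```

On a Business Cloud PC the end user will appear in the second section by design, which is exactly the membership the guidance asks admins to review.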
Although the virtualized Windows 365 service on Azure is already used to secure Cloud PCs, it is not yet widely available. This is expected to change later this year when Microsoft launches it with Windows 11.
The complete guidance is available on Microsoft’s website.