Microsoft breaks down how to secure Windows 365 cloud PCs
Whether a PC is in the cloud or on your desk, it's important to keep it secure.
What you need to know
- A new post from Microsoft helps organizations secure cloud PCs running Windows 365.
- Windows 365 Business and Windows 365 Enterprise differ regarding the admin rights of standard users.
- Microsoft is working to bring trusted launch to Windows 365.
Microsoft details security capabilities for its new cloud PC service Windows 365 in a Tech Community post. The company outline guidance for Windows 365 Business and Windows 365 Enterprise, which vary largely regarding the default privilege level of users. Like physical devices, attackers will try to take advantage of security flaws in cloud PCs. Earlier this month, we reported on a security vulnerability in Windows 365.
Windows 365 Business is aimed at smaller businesses. Because of this, it grants end users local admin rights on Cloud PCs. This is similar to what's seen with physical PCs in these types of organizations. It does, however, present a different set of security challenges when compared to standard users lacking admin privileges.
Microsoft recommends the following steps if organizations want to use Microsoft Endpoint Manager:
- Configure the devices to enroll into Microsoft Endpoint Manager using automatic enrollment.
- Manage the Local Administrators group. For more details on how to do this using Azure Active Directory (Azure AD, see How to manage the local administrators group on Azure AD joined devices. For an example of how to do this using Microsoft Endpoint Manager, see this post from Microsoft MVP Peter van der Woude.
- Consider enabling Microsoft Defender Attack surface reduction (ASR) rules. ASR rules are in-depth defense mitigations for specific security concerns, such as blocking credential stealing from the Windows local security authority subsystem. For details on how to enable ASR rules, see Enable attack surface reduction rules.
- Review the Microsoft 365 Business Premium organizational security guidance, including enabling MFA to access Windows 365.
In contrast to Windows 365 Business, Windows 365 Enterprise is built for organizations with IT teams. Windows 365 Enterprise uses Microsoft Endpoint Manager out of the box. It also makes people standard users by default rather than granting admin rights.
Microsoft recommends that Windows 365 Enterprise customers do the following:
- Follow standard Windows 10 security practices, including limiting who can log on to their Cloud PCs using local administrator privileges.
- Deploy the Windows 365 security baseline to their Cloud PCs from Microsoft Endpoint Manager and leverage Microsoft Defender to provide in-depth defense to their endpoints, including all Cloud PCs. The Windows 365 security baseline enables the ASR rules discussed above.
- Deploy Azure AD conditional access to secure authentication to their Cloud PCs, including multifactor authentication (MFA) and user/sign-in risk mitigation.
Microsoft notes that at the moment, Windows 365 doesn't support trusted launch. The company is working to bring trusted launch to Windows 365 alongside Windows 11 coming to the cloud PC service.
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.