Although Microsoft announced the general availability of Windows 365 Cloud PCs just a couple of weeks ago, it has seemingly received an overwhelmingly positive response from the public. So much so that the company had to temporarily pause its trial program due to capacity constraints. Given the interest in the product as well as the fact that it's a new SKU, Microsoft has now provided guidance about how organizations can secure their Windows 365 Cloud PCs.
First and foremost, it is important to know that Windows 365 Cloud PCs come pre-installed with Microsoft Defender and also utilize OS images which are automatically updated using Windows Update for Business.
We already know that Windows 365 comes in two flavors: Business and Enterprise. As such, there are key differences in the security configurations for the two options as well. Since Business is meant for small organizations without a centralized IT staff, users with Cloud PCs in this program have local admin rights. Microsoft says that this mirrors what currently happens in small companies in which physical machines are purchased and configured by the employees themselves. That said, if you do have an IT department and want to use Windows 365 Business, you can also utilize Microsoft Endpoint Manager. For this, Microsoft also recommends that you enroll Cloud PCs into the service via automatic enrollment, manage the Local Administrators group, enable multi-factor authentication (MFA), and configure Microsoft Defender Attack Surface Reduction (ASR) rules.
Meanwhile, Windows 365 Enterprise is encouraged for bigger companies with dedicated IT departments. All Cloud PCs in this program are automatically enrolled in Microsoft Endpoint Manager and do not have local admin rights by default; these can be granted on a per-user basis. Apart from this, Microsoft recommends that you limit local admin privileges where possible, deploy the Windows 365 security baseline, and configure Azure Active Directory (AAD) conditional access, including MFA.
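Two of the recommendations above, managing the Local Administrators group and configuring ASR rules, can be verified directly on a Cloud PC. The following audit script is an added example written for this article; it is not Microsoft's code and not part of the guidance itself. It assumes the built-in `Microsoft.PowerShell.LocalAccounts` and `Defender` modules are available, and the `$AllowedAdmins` list is a placeholder you replace with the accounts your organization has deliberately granted admin rights. MFA and conditional access are tenant-side Azure AD settings and are not checked here.

```powershell
# Added example (not from the article or from Microsoft): audit a Windows 365 Cloud PC
# for unexpected local administrators and for ASR rules that are not in Block mode.
# Run from an elevated PowerShell session on the Cloud PC itself.

# ASSUMPTION: accounts that are allowed to be local admins in your tenant.
$AllowedAdmins = @('Administrator')

# Meaning of the integer values in AttackSurfaceReductionRules_Actions (Defender docs).
$AsrActionNames = @{
    0 = 'Disabled'
    1 = 'Block'
    2 = 'Audit'
    5 = 'NotConfigured'
    6 = 'Warn'
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)

    # Members of the local Administrators group; names come back as COMPUTER\user
    # or AzureAD\user, so compare only the part after the last backslash.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Allowed } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids = $pref.AttackSurfaceReductionRules_Ids
    $actions = $pref.AttackSurfaceReductionRules_Actions

    if (-not $ids) {
        # No rules configured at all: every ASR rule is effectively off.
        return @()
    }

    # Ids and Actions are parallel arrays; pair them up by index.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

function Invoke-CloudPcAudit {
    $unexpected = @(Get-UnexpectedLocalAdmins)
    $asr = @(Get-AsrRuleState)
    $notBlocking = @($asr | Where-Object { $_.Action -ne 'Block' })

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        UnexpectedLocalAdmins   = $unexpected
        AsrRulesConfigured      = $asr.Count
        AsrRulesNotInBlockMode  = $notBlocking
        # Both findings empty and at least one ASR rule present counts as a pass.
        Pass                    = ($unexpected.Count -eq 0) -and ($asr.Count -gt 0) -and ($notBlocking.Count -eq 0)
    }
}

# Usage: print the report, then exit non-zero if anything needs attention so the
# script can be scheduled or run as an Intune remediation check.
$report = Invoke-CloudPcAudit
$report | Format-List
if (-not $report.Pass) { exit 1 }
```

The script treats any ASR rule that is configured but left in Audit, Warn or Disabled mode as a finding; Audit mode is a legitimate first step when rolling rules out through Endpoint Manager, so adjust the `Pass` logic if your rollout is still in that phase.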
Microsoft has noted that Trusted Launch is not yet present in Windows 365, even though it is available for Azure Virtual Desktop as we learned earlier today. The company will be working to enable this once Windows 11 globally launches on Windows 365 later this year.