Windows 365: After unveiling the new features of Windows 365 last week, ushering in the era of the Cloud PC, the all-in-the-cloud PC for businesses, Microsoft has provided some helpful tips on securing information migrated to the service. The guidance is split into actions that customers themselves must take as soon as they sign up for Windows 365 Business or Windows 365 Enterprise.
As a starting point, lead Windows 365 program manager Christiaan Brinkhoff explains, “All cloud PCs, like their physical PC counterparts, come with Microsoft Defender — protecting the device from the first-run experience.” After migration, cloud PCs use a gallery image that is automatically updated via Windows Update for Business.
How to protect cloud PCs through Windows 365 itself?
In Windows 365 Business (for SMBs), where end users are given local administrator privileges by default, IT administrators should set each user as a standard (non-administrator) user on their devices, using Microsoft Endpoint Manager, like this:
Configure devices in Microsoft Endpoint Manager via autoenrollment;
Manage the “Local Administrators” group. To do this, use Azure Active Directory (in Azure AD, see “How to manage the on-premises admin group on devices associated with Azure AD”);
Enable the Microsoft Defender attack surface reduction (ASR) rules. For more details, see Microsoft’s ASR documentation.
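The following PowerShell script is an added example, not code from the article or from Microsoft: it audits a Windows 365 Business Cloud PC against the two steps above (local Administrators membership and ASR rule state) and can enable a small set of documented ASR rules, starting in Audit mode. It assumes it is run locally on the Cloud PC in an elevated session; the function names are hypothetical, and the rule IDs are the documented Defender ASR rule GUIDs.

```powershell
# Added example (not from the article): audit a Windows 365 Business Cloud PC
# for local admin membership and Defender ASR rule state, then enable rules.
# Assumes an elevated PowerShell session on the Cloud PC itself.

# Documented Defender ASR rule IDs (a subset); names are for readability only.
$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
# Set-MpPreference action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-CloudPcBaselineReport {
    # Step 1: who is in the local Administrators group? On Windows 365 Business
    # the end user is a local admin by default, so expect their account here.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource

    # Step 2: current ASR rule state, keyed by lower-cased rule ID.
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $state[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] =
            [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    $asr = foreach ($id in $AsrRules.Keys) {
        $code = if ($state.ContainsKey($id)) { $state[$id] } else { 0 }
        [pscustomobject]@{
            RuleId    = $id
            Rule      = $AsrRules[$id]
            Action    = $ActionName[$code]
            Compliant = ($code -eq 1)   # only Block counts as enforced
        }
    }
    [pscustomobject]@{ LocalAdmins = $admins; AsrRules = $asr }
}

function Enable-CloudPcAsrRules {
    # Default to Audit (2) so blocked actions show up in the Defender event log
    # before switching the rules to Block (1).
    param([ValidateSet(1, 2)][int]$Action = 2)
    $ids = @($AsrRules.Keys)
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $ids.Count)
}

$report = Get-CloudPcBaselineReport
$report.LocalAdmins | Format-Table -AutoSize
$report.AsrRules    | Format-Table -AutoSize
```

Run `Enable-CloudPcAsrRules -Action 1` once the Audit-mode events look clean; in a managed tenant the same rules are normally pushed from Endpoint Manager rather than set per device.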
In the case of Windows 365 Enterprise (large companies), Microsoft recommends:
Limit the number of users who can log on to their cloud PCs using local administrator privileges;
Deploy a security baseline from Microsoft Endpoint Manager and use Microsoft Defender to provide defense-in-depth for all your endpoints;
Deploy Azure AD conditional access, including multi-factor authentication (MFA) and user/sign-in risk mitigation.