Script to add a Windows 365 Cloud PC User – Add-CloudPCUser.ps1

Script prerequisites:

1. PowerShell 7.2 or later is required to run this script (Windows PowerShell 5.1 is not sufficient).

2. The Windows 365 Cloud PC Management PowerShell module must be installed on the local machine. The script automatically checks for and installs the module if needed.

3. The Microsoft Graph PowerShell module must be installed on the local machine. The script automatically checks for and installs the module if needed.

4. An Azure AD user who can grant admin consent, if it has not already been granted, for the following Microsoft Graph permissions on the app used to sign in:

CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, Directory.Read.All

.PARAMETER Username

Username to add to Windows 365 Cloud PC

.PARAMETER UsersListPath

CSV file path containing a list of users to add to Windows 365 Cloud PC. Sample file contents (one header row, "upn", followed by one UPN per line):

upn
AdeleV@sampletenant.onmicrosoft.com
AlexW@sampletenant.onmicrosoft.com
DiegoS@sampletenant.onmicrosoft.com
GradyA@sampletenant.onmicrosoft.com

.PARAMETER Group

Azure AD group name to add users to

.EXAMPLE

.\Add-CloudPCUser.ps1 -Username User@SampleTenant.onmicrosoft.com -Group IT -Verbose

.EXAMPLE

.\Add-CloudPCUser.ps1 -UsersListPath c:\temp\users.csv -Group Sales -Verbose
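As an added illustration (example code written for this page, not the Add-CloudPCUser.ps1 script itself), the following shows the prerequisite checks and the parameter/CSV handling described above using the Microsoft Graph PowerShell SDK. The sub-module names, the extra GroupMember.ReadWrite.All scope (adding a member is a write, and Directory.Read.All alone is read-only) and the idempotent membership check are assumptions added here.

```powershell
#Requires -Version 7.2
# Added example, not the Add-CloudPCUser.ps1 script: prerequisite checks, CSV parsing
# and group assignment with the Microsoft Graph PowerShell SDK.
[CmdletBinding()]
param(
    [string]$Username,
    [string]$UsersListPath,
    [Parameter(Mandatory)][string]$Group
)

# 1. Module check/install. Only the Graph sub-modules actually used are loaded.
foreach ($m in 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Users', 'Microsoft.Graph.Groups') {
    if (-not (Get-Module -ListAvailable -Name $m)) {
        Write-Verbose "Installing $m"
        Install-Module -Name $m -Scope CurrentUser -Force
    }
    Import-Module -Name $m -ErrorAction Stop
}

# 2. Sign in with the documented scopes. GroupMember.ReadWrite.All is an assumption
#    added here: adding a group member is a write, and Directory.Read.All is read-only.
$scopes = @(
    'CloudPC.ReadWrite.All'
    'DeviceManagementConfiguration.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'Directory.Read.All'
    'GroupMember.ReadWrite.All'
)
Connect-MgGraph -Scopes $scopes

# 3. Build the UPN list from -Username or from the CSV's "upn" column.
if ($UsersListPath) {
    $rows = @(Import-Csv -Path $UsersListPath)
    if ($rows.Count -eq 0 -or $rows[0].PSObject.Properties.Name -notcontains 'upn') {
        throw "CSV must have an 'upn' header and at least one row"
    }
    $upns = @($rows.upn | Where-Object { $_ } | ForEach-Object { $_.Trim() })
} elseif ($Username) {
    $upns = @($Username)
} else {
    throw 'Specify -Username or -UsersListPath'
}

# 4. Resolve the group once by display name; a quote in the name is doubled for the OData filter.
$safeName = $Group.Replace("'", "''")
$grp = @(Get-MgGroup -Filter "displayName eq '$safeName'" -Property Id, DisplayName)
if ($grp.Count -ne 1) { throw "Group '$Group' not found or not unique ($($grp.Count) matches)" }
$grp = $grp[0]

# 5. Read current members once so reruns are idempotent (no duplicate-member errors).
$members = @{}
Get-MgGroupMember -GroupId $grp.Id -All | ForEach-Object { $members[$_.Id] = $true }

foreach ($upn in $upns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "User not found: $upn"; continue }
    if ($members.ContainsKey($user.Id)) { Write-Verbose "$upn is already in $Group"; continue }
    New-MgGroupMember -GroupId $grp.Id -DirectoryObjectId $user.Id
    Write-Verbose "Added $upn to $Group"
}
```

Run it the same way as the script above, for example with -UsersListPath c:\temp\users.csv -Group Sales -Verbose. The first Connect-MgGraph prompts for consent on any scope not yet granted to the Graph PowerShell app, which is where the admin-consent prerequisite comes in.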

Direct link: Add-CloudPCUser.ps1
Github – https://github.com/ThomasMarcussen/assortedScripts/

Download all OneDrive files for a user using PowerShell

PowerShell script to download a user's OneDrive content.

New and improved: Download-OD4BAccount.ps1

.EXAMPLE

.\Download-OD4BAccount.ps1 -Username User@SampleTenantName.onmicrosoft.com -Destination "D:\OD4B" -ThreadCount 3 -Verbose

Script prerequisites:

1. The Microsoft Graph PowerShell module must be installed on the local machine. The script automatically checks for and installs the module if needed.

2. An Azure AD user who can grant admin consent for the following Microsoft Graph permissions on the app used to sign in:
   Organization.Read.All, User.Read.All, Directory.Read.All

This was inspired by Adnan's script, which I have used on multiple occasions.
But when downloading very large OneDrive data structures, multi-threading seems to work faster and smoother.
 

Exciting New Capabilities in Microsoft Defender for Endpoint

The way businesses operate has been changing steadily over the years. As technology has evolved and the devices available to us have improved significantly, hybrid work environments have become more popular.

This is especially true if your business has employees working from home or hires freelancers who use a variety of endpoint devices. The benefits of a hybrid work setup are well known, but it has also become clear that endpoints are one of the biggest attack vectors because of the vulnerabilities they can carry.

Hence the need for a solution such as Microsoft Defender for Endpoint that offers your organization comprehensive threat protection against external as well as internal attacks.

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is an enterprise security platform designed to prevent, detect, investigate, and respond to advanced threats on enterprise networks. This has become essential when you consider figures such as the Ponemon Institute study indicating that 68% of organizations have been the victim of at least one endpoint attack.

Arguably the most worrying part is that these attacks are increasing not only in number but in sophistication year by year, which highlights the importance of a comprehensive solution offering intelligent threat detection and remediation.

Defender for Endpoint uses several technologies that are built into Windows 10 and later and into some Microsoft Azure services. They include:

Cloud Security Analytics

Microsoft has access to significant amounts of data because of its massive service offering. Cloud security analytics applies big data, machine learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products, and online assets. Once the data has been put together, it is translated into insights, detections, and recommended responses to advanced threats.

Threat intelligence

This is a large collection of data gathered not only by Microsoft hunters and security teams but also by Microsoft partners. With this threat intelligence, Defender for Endpoint can identify attacker tools, techniques, and procedures and generate alerts when they are observed in collected sensor data.

Endpoint behavioral sensors

These particular sensors which are built into Windows 10 have been designed to collect and process behavioral signals from the operating system. Following this, all the gathered information will then be sent to your private, isolated cloud instance of Microsoft Defender for Endpoint.

Key components

Automated investigation and remediation

Microsoft Defender for Endpoint does a lot more than just provide a swift response to attacks. In addition to that, it also offers automatic investigation and remediation capabilities that are built to reduce the volume of alerts in minutes at scale.

Attack Surface Reduction

This provides a set of capabilities that are designed to reduce the attack surfaces on endpoints. Doing so will enhance the protection of your organization’s devices and networks such that you minimize any potentially vulnerable areas that attackers could exploit.

When configuration settings have been properly set up and the relevant mitigation techniques are applied, ASR allows endpoints to effectively resist attacks and exploitation. With the inclusion of network protection and web protection, there will also be strict regulation of access to malicious IP addresses, domains, and URLs.

Core Defender Vulnerability Management

This feature offers a built-in solution that uses a modern, risk-based approach to the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. The core capabilities are included in Plan 2; Plan 2 customers can also purchase the Defender Vulnerability Management add-on to further assess their security posture and reduce risk.

Endpoint detection and response

Endpoint detection and response capabilities are a second line of defense focused on the detection, investigation, and response to advanced threats that have made it past the initial barriers. Advanced hunting is a query-based threat-hunting tool that lets you proactively find breaches and create custom detections. These capabilities equip security teams to identify and respond to threats much faster.

Microsoft Secure Score for Devices

Included with Defender for Endpoint is Microsoft Secure Score for Devices which is a solution that ensures that you can dynamically assess the security state of your enterprise network. Furthermore, this feature can be used to identify unprotected systems and then perform all the necessary actions to enhance your overall security posture.

Microsoft Threat Experts

Microsoft Threat Experts is a managed threat-hunting service that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately.

Next-generation protection

This feature is designed to ensure that the security perimeter of your network has the highest level of protection. Defender for Endpoint uses next-generation protections to detect and prevent emerging threats. Not only does this improve your security but it ensures that as attackers develop new ways of trying to penetrate your network your endpoint protection will remain solid.

Requirements

There are a few minimum requirements that you would need to meet before you can onboard devices to Microsoft Defender for Endpoint. These requirements include those for licensing, hardware, software, as well as other configuration settings.

Licensing requirements

Clients will need to know that the standalone versions of Defender for Endpoint Plan 1 and Plan 2 won’t include server licenses. And the same applies even when these versions are included as part of other Microsoft 365 plans. So what this means is that to onboard servers to those plans you need Defender for Servers Plan 1 or Plan 2 as part of the Defender for Cloud offering.

Browser requirements

If you want to access Defender for Endpoint then you have to do so through a browser. And Microsoft recommends using Microsoft Edge or Google Chrome for the best experience. You may still be able to use other browsers but the aforementioned two are the ones that are supported.

Supported Windows versions

  • Windows 11 Enterprise
  • Windows 11 Education
  • Windows 11 Pro
  • Windows 11 Pro Education
  • Windows 10 Enterprise
  • Windows 10 Enterprise LTSC 2016 (or later)
  • Windows 10 Enterprise IoT
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows 8.1 Enterprise
  • Windows 8.1 Pro
  • Windows 7 SP1 Enterprise (requires ESU for support)
  • Windows 7 SP1 Pro (requires ESU for support)
  • Windows Server 2008 R2 SP1 (requires ESU for support)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server, version 1803 or later
  • Windows Server 2019 and later
  • Windows Server 2019 core edition
  • Windows Server 2022
  • Windows Virtual Desktop
  • Windows 365

All devices on your network that will use Defender for Endpoint should be running one of these editions; other operating systems such as Android, iOS, Linux, and macOS are also supported. The hardware requirements are the same across all supported editions: cores, 2 minimum and 4 preferred; memory, 1 GB minimum and 4 GB preferred.

Introducing a new API

Microsoft recently announced a new Microsoft 365 Defender API for alerts. This API lets you work with alerts across all products within Microsoft 365 Defender using a single integration.

The API offers alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection, and Microsoft Purview Data Loss Prevention.

According to Microsoft, this is just a start and coverage will continue to expand. The objective is a better, more consistent experience across Microsoft Defender products, enabled by the new, central API.

With this API in place, organizations need to plan their migration away from the Microsoft Defender for Endpoint SIEM API, as Microsoft has already announced its deprecation.

To give all customers sufficient time to migrate, the deprecation date has been moved to December 31, 2023. After that date the SIEM API will remain available but will only receive security-related fixes, and as of December 31, 2024, the SIEM API may be turned off without further notice. Microsoft has proposed the following options to get you started with migration.

1. Pulling MDE alerts into an external system (SIEM/SOAR)

There are a few options available if you want to pull Defender for Endpoint alerts into an external system. Having multiple options means that organizations have the flexibility to select the option that most suits them.

Microsoft Sentinel

Scalable, cloud-native, SIEM, and SOAR solution. This tool will give you intelligent security analytics and threat intelligence across the entire enterprise. Consequently, this means that you’ll get a single solution providing proactive hunting, attack detection, threat response, and threat visibility. Additionally, you can leverage the Microsoft 365 Defender connector to pull in all incidents and alerts from all Microsoft 365 Defender products with relative ease.

IBM Security QRadar

IBM Security QRadar SIEM offers enterprises centralized visibility and intelligent security analytics that can identify and prevent threats and vulnerabilities from disrupting business operations. The QRadar SIEM team has announced that a new DSM is on the way that integrates with the new Microsoft 365 Defender alerts API to pull in Microsoft Defender for Endpoint alerts. Customers interested in testing the new DSM will be able to do so upon its release.

Splunk SOAR

This can enable you to orchestrate workflows and automate tasks in a matter of seconds thus allowing you to work smarter and respond a lot faster. Also, you’ll find that Splunk SOAR is integrated with the new Microsoft 365 Defender APIs including the alerts API.

2. Calling the Microsoft 365 Defender alerts API directly

The table below maps each SIEM API property to its Microsoft 365 Defender alerts API equivalent; X marks properties that have no equivalent.

SIEM API property             Microsoft 365 Defender alert API property
AlertTime                  -> createdDateTime
ComputerDnsName            -> evidence/deviceEvidence: deviceDnsName
AlertTitle                 -> title
Category                   -> category
Severity                   -> severity
AlertId                    -> id
Actor                      -> actorDisplayName
LinkToWDATP                -> alertWebUrl
IocName                    X  IoC fields not supported
IocValue                   X  IoC fields not supported
CreatorIocName             X  IoC fields not supported
CreatorIocValue            X  IoC fields not supported
Sha1                       -> evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1)
FileName                   -> evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/imageFile: fileName)
FilePath                   -> evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/imageFile: filePath)
IPAddress                  -> evidence/ipEvidence: ipAddress
URL                        -> evidence/urlEvidence: url
IoaDefinitionId            -> detectorId
UserName                   -> evidence/userEvidence/userAccount: accountName
AlertPart                  X  Obsolete (alerts in the new API are complete, updatable records, while SIEM API records were immutable records of individual detections)
FullId                     X  IoC fields not supported
LastProcessedTimeUtc       -> lastActivityDateTime
ThreatCategory             -> mitreTechniques []
ThreatFamilyName           -> threatFamilyName
ThreatName                 -> threatDisplayName
RemediationAction          -> evidence: remediationStatus
RemediationIsSuccess       -> evidence: remediationStatus (implied)
Source                     -> detectionSource (use with serviceSource: microsoftDefenderForEndpoint)
Md5                        X  Not supported
Sha256                     -> evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256)
WasExecutingWhileDetected  -> evidence/processEvidence: detectionStatus
UserDomain                 -> evidence/userEvidence/userAccount: domainName
LogOnUsers                 -> evidence/deviceEvidence: loggedOnUsers []
MachineDomain              -> included in evidence/deviceEvidence: deviceDnsName
MachineName                -> included in evidence/deviceEvidence: deviceDnsName
InternalIPV4List           X  Not supported
InternalIPV6List           X  Not supported
FileHash                   -> use sha1 or sha256
DeviceID                   -> evidence/deviceEvidence: mdeDeviceId
MachineGroup               -> evidence/deviceEvidence: rbacGroupName
Description                -> description
DeviceCreatedMachineTags   -> evidence: tags [] (for deviceEvidence)
CloudCreatedMachineTags    -> evidence: tags [] (for deviceEvidence)
CommandLine                -> evidence/processEvidence: processCommandLine
IncidentLinkToWDATP        -> incidentWebUrl
ReportId                   X  Obsolete (see AlertPart)
LinkToMTP                  -> alertWebUrl
IncidentLinkToMTP          -> incidentWebUrl
ExternalId                 X  Obsolete
IocUniqueId                X  IoC fields not supported

Getting started

Using the Microsoft 365 Defender alerts API requires you to register an application in Azure Active Directory first:

  • Sign in to the Azure Portal as a user with the Global administrator role.
  • Go to Azure Active Directory > App registrations > New registration.
  • Enter a name for your application, optionally set a redirect URI, and select Register.
  • On the application page, select API permissions > Add a permission > Microsoft Graph.
  • Select Delegated permissions, type "security" in the search box, select SecurityIncident.Read.All, and click Add permissions. If the integration will run unattended with a client secret (no signed-in user), select Application permissions instead, and note that reading alerts through the alerts_v2 endpoint needs SecurityAlert.Read.All; SecurityIncident.Read.All covers incidents.
  • Click Grant admin consent for your tenant. Admin consent can be granted for all of the selected permissions at once.
  • Under Certificates & secrets, add a client secret with a description, select Add, and copy the secret value immediately; it is shown only once.
  • Finally, record your application (client) ID and tenant ID somewhere secure. Both are listed on the application's Overview page.
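Putting the registration and the mapping table together, here is an added example (written for this page, not Microsoft's or the author's code) that pulls Defender for Endpoint alerts from the Microsoft 365 Defender alerts API (Microsoft Graph /security/alerts_v2) with a client credential flow and flattens each alert into the old SIEM API property names using the table above. Unattended (app-only) access needs the Application permission SecurityAlert.Read.All with admin consent rather than the delegated permission from the steps above. The environment variable names, the look-back window and the sample alert JSON are constructed for the example.

```powershell
# Added example, not from the original post or Microsoft: pull Defender for Endpoint
# alerts from the Microsoft 365 Defender alerts API (Graph /security/alerts_v2) with a
# client credential and flatten them into the old SIEM API property names.
# Requires the Application permission SecurityAlert.Read.All with admin consent.
param(
    [string]$TenantId     = $env:MDE_TENANT_ID,      # assumption: IDs and secret come from the environment
    [string]$ClientId     = $env:MDE_CLIENT_ID,
    [string]$ClientSecret = $env:MDE_CLIENT_SECRET,  # never hard-code it; a certificate credential is better still
    [int]$LookbackHours   = 24
)

function Get-GraphToken {
    # OAuth2 client credential grant against the tenant's v2.0 token endpoint.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

function Get-MdeAlerts {
    # serviceSource limits the result to MDE (all the SIEM API ever returned);
    # lastUpdateDateTime gives incremental polling instead of re-reading everything.
    param([string]$Token, [datetime]$Since)
    $filter = "serviceSource eq 'microsoftDefenderForEndpoint' and lastUpdateDateTime ge $($Since.ToUniversalTime().ToString('o'))"
    $uri = 'https://graph.microsoft.com/v1.0/security/alerts_v2?$top=100&$filter=' + [uri]::EscapeDataString($filter)
    $headers = @{ Authorization = "Bearer $Token" }
    while ($uri) {                                  # follow @odata.nextLink until no more pages
        $page = Invoke-RestMethod -Uri $uri -Headers $headers
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

function ConvertTo-SiemRecord {
    # One flat row per alert, named after the SIEM API properties in the mapping table.
    param([Parameter(ValueFromPipeline)]$Alert)
    process {
        $ev   = @($Alert.evidence)
        $dev  = $ev | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.security.deviceEvidence' }  | Select-Object -First 1
        $file = $ev | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.security.fileEvidence' }    | Select-Object -First 1
        $proc = $ev | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.security.processEvidence' } | Select-Object -First 1
        $user = $ev | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.security.userEvidence' }    | Select-Object -First 1
        $fd   = if ($file) { $file.fileDetails } elseif ($proc) { $proc.imageFile } else { $null }
        [PSCustomObject]@{
            AlertTime           = $Alert.createdDateTime
            AlertId             = $Alert.id
            AlertTitle          = $Alert.title
            Category            = $Alert.category
            Severity            = $Alert.severity
            IoaDefinitionId     = $Alert.detectorId
            Source              = $Alert.detectionSource
            ComputerDnsName     = $dev.deviceDnsName
            DeviceID            = $dev.mdeDeviceId
            MachineGroup        = $dev.rbacGroupName
            Sha1                = $fd.sha1
            Sha256              = $fd.sha256
            FileName            = $fd.fileName
            CommandLine         = $proc.processCommandLine
            UserName            = $user.userAccount.accountName
            UserDomain          = $user.userAccount.domainName
            LinkToWDATP         = $Alert.alertWebUrl
            IncidentLinkToWDATP = $Alert.incidentWebUrl
        }
    }
}

# Constructed sample alert (not real tenant data) so the mapping can be exercised offline.
$sample = @'
{
  "id": "sample-alert-0001", "title": "Suspicious PowerShell command line",
  "category": "Execution", "severity": "medium", "createdDateTime": "2023-03-01T10:00:00Z",
  "detectorId": "sample-detector", "detectionSource": "antivirus",
  "serviceSource": "microsoftDefenderForEndpoint",
  "alertWebUrl": "https://security.microsoft.com/alerts/sample-alert-0001",
  "incidentWebUrl": "https://security.microsoft.com/incidents/1",
  "evidence": [
    { "@odata.type": "#microsoft.graph.security.deviceEvidence",
      "deviceDnsName": "ws01.contoso.local", "mdeDeviceId": "sample-device-id", "rbacGroupName": "Workstations" },
    { "@odata.type": "#microsoft.graph.security.processEvidence",
      "processCommandLine": "powershell.exe -enc AAAA",
      "imageFile": { "fileName": "powershell.exe", "sha1": "0000000000000000000000000000000000000000" } },
    { "@odata.type": "#microsoft.graph.security.userEvidence",
      "userAccount": { "accountName": "jdoe", "domainName": "CONTOSO" } }
  ]
}
'@
$sample | ConvertFrom-Json | ConvertTo-SiemRecord | Format-List

# Live pull, once the app registration is in place:
# Get-MdeAlerts -Token (Get-GraphToken) -Since (Get-Date).AddHours(-$LookbackHours) |
#     ConvertTo-SiemRecord | Export-Csv -Path .\mde-alerts.csv -NoTypeInformation
```

Two things to carry into a real integration: persist the largest lastUpdateDateTime you have processed and use it as the next Since value, so an alert updated after the first read (status, assignment, new evidence) is picked up again, which is exactly the behaviour the obsolete AlertPart and ReportId fields in the table hint at; and prefer a certificate credential on the app registration to a client secret, since the secret grants tenant-wide read access to every alert.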

What is Defender for Endpoint Plan 1?

To cater to the different needs of its clients Microsoft now offers two plans. Instead of having just one complete solution, Microsoft introduced Plan 1 so that smaller organizations that did not need the full range of features could also benefit.

So we now have Plan 1, which contains a smaller set of features, while the version that retains all the features is referred to as Plan 2. Defender for Endpoint Plan 1 offers next-generation protection, manual response actions, attack surface reduction capabilities, centralized configuration and management, and protection for a variety of platforms.

Next-generation protection

This platform is built to detect various types of emerging threats and in doing so will enhance the security perimeter of your network. It’s going to give you behavior-based heuristic, and real-time antivirus protection as part of the robust measures that will reinforce your security. Also, there is cloud-delivered protection that is meant to provide you with near-instant detection and blocking of emerging threats. Furthermore, next-generation protection will give you dedicated protection and product updates.

Manual response actions

These are the actions your security staff can take when threats are detected on endpoints or in files. Defender for Endpoint offers manual response actions for devices that appear suspicious and for files that are detected as threats. The manual response actions available in Defender for Endpoint Plan 1 are summarized in the table below:

File/Device   Action                                    Description
Device        Run antivirus scan                        Launches an antivirus scan to detect threats present on the device; any threats found are addressed during the scan.
Device        Isolate device                            Where a device may be compromised, disconnects it from the organization's network while keeping it connected to Defender for Endpoint so that monitoring continues and further actions can be taken.
File          Stop and quarantine                       Stops any running processes and quarantines the associated files.
File          Add an indicator to allow or block file   Block indicators prevent portable executable files from being read, written, or executed on devices; allow indicators prevent files from being blocked or remediated.
Attack surface reduction

Attack surfaces are all the potential attack points that exist in your organization and that cyber criminals could exploit. To reduce that risk, Defender for Endpoint Plan 1 minimizes your organization's attack surfaces by protecting the devices and applications that you use. The attack surface reduction capabilities on offer are:

Attack surface reduction rules

These target software behaviors that are considered risky, such as:
  • launching executable files and scripts that try to run or download other files
  • running obfuscated or otherwise suspicious scripts
  • behaviors that apps do not normally initiate during everyday work

These behaviors can also be seen in genuine business applications, but they are still considered risky because they present an opening that attackers can exploit with malware. Attack surface reduction rules let you restrict these behaviors and reinforce your organization's security.

Ransomware mitigation

Ransomware mitigation is provided by controlled folder access, which restricts access to protected folders on your endpoints to trusted apps only. Apps are added to the trusted list based on their prevalence and reputation, and your security team can add or remove apps from the list when necessary.

Device control

Many people carry multiple USB drives for personal and professional use. As convenient as removable drives are, they can also present a significant risk to your organization's devices.

To counter this threat, Defender for Endpoint offers capabilities aimed at preventing threats from unauthorized peripheral devices from compromising your organization's devices. If need be, you can configure Defender for Endpoint to block removable devices and the files they contain.

Web protection

This feature protects your devices from web threats and unwanted content. With unfiltered access, some employees can spend time browsing the web, going through social media, and so on.

Web protection gives you web threat protection and web content filtering. Web threat protection blocks access to risky areas of the internet such as phishing sites, suspicious sites, malware vectors, exploit sites, and other sites on your blocked list.

Web content filtering blocks sites by category, so sites can be blocked if they fall under social media, leisure, adult content, legal liability, and so on.

Network protection

Network protection blocks devices in your organization from accessing suspicious domains that may host phishing scams, malware, or other malicious content.

Network firewall

The network firewall lets you set rules that determine which network traffic is allowed to flow to or from your organization's devices. Combining the advanced security that Defender for Endpoint offers with the network firewall enables you to:
  • minimize the risk you face from network security threats
  • reinforce the security of intellectual property and sensitive data
  • extend your security investment

Application control

People can find several different applications to carry out a given task, and most have their favorites. However, not all of them are secure, and so application control helps protect your endpoints by allowing only trusted applications and code to run in the system core (kernel). It is left to your security staff to set the application control rules as they see fit.
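The rules, controlled folder access and network protection above are all driven by the same Defender Antivirus preference cmdlets, so an added example (not from the original post) of a staged rollout follows: audit first, check what would have been blocked, then enforce. The four rule GUIDs are Microsoft's published ASR rule IDs; which rules to pick, the allow-listed application path and the seven-day look-back are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: staged rollout (audit, review, block) of
# ASR rules, controlled folder access and network protection with the Defender
# Antivirus cmdlets. Try it on a pilot device; Intune/GPO-managed settings take precedence.

# Published ASR rule IDs (the choice of rules is an assumption for the example).
$asrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Set-AsrStage {
    # AuditMode logs what a rule would have blocked; Enabled actually blocks.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode)
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Verbose "$($asrRules[$id]): $Mode"
    }
    Set-MpPreference -EnableControlledFolderAccess $Mode   # ransomware mitigation
    Set-MpPreference -EnableNetworkProtection $Mode        # blocks known-bad domains/IPs
}

function Get-AsrAuditEvents {
    # Defender writes rule activity to its operational log: 1121/1122 = ASR block/audit,
    # 1123/1124 = controlled folder access block/audit, 1125/1126 = network protection audit/block.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
}

# Weak starting point many tenants are in: nothing configured, which Get-MpPreference shows as
# an empty AttackSurfaceReductionRules_Ids list and EnableNetworkProtection = 0 (Disabled).

# Stage 1: audit only, so line-of-business apps that trip a rule are seen before anyone is blocked.
Set-AsrStage -Mode AuditMode -Verbose

# Exempt a known-good app from controlled folder access (path is an assumption).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LobApp.exe'

# Stage 2: after a week, review what audit mode recorded before flipping to block.
Get-AsrAuditEvents -Days 7 | Format-Table -AutoSize

# Stage 3: enforce once the audit log shows only expected activity.
# Set-AsrStage -Mode Enabled

# Verify what is actually in effect (actions: 0 = disabled, 1 = block, 2 = audit, 6 = warn).
$p = Get-MpPreference
for ($i = 0; $i -lt @($p.AttackSurfaceReductionRules_Ids).Count; $i++) {
    $id = $p.AttackSurfaceReductionRules_Ids[$i]
    '{0} -> {1} ({2})' -f $id, $p.AttackSurfaceReductionRules_Actions[$i], $asrRules[$id]
}
$p | Select-Object EnableControlledFolderAccess, EnableNetworkProtection
```

The audit log review is the step that is usually skipped and then regretted: an audit event 1122 for a rule against a signing tool or a deployment agent means that rule will break a business process in block mode, so either exclude that process or leave the rule in audit. On devices managed by Intune or Group Policy, set the same values through that policy instead; a local Set-MpPreference is overwritten at the next policy refresh.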

Centralized management

With Defender for Endpoint Plan 1 you also get the Microsoft 365 Defender portal, which helps your security team:
  • view current data regarding any detected threats
  • take any necessary actions to reduce the threats
  • centrally manage the threat protection settings of your organization

Role-based access control

Your security administrator can use role-based access control (RBAC) to create roles and groups that provide the appropriate access to the Microsoft 365 Defender portal. RBAC lets you retain tight control over who can access the portal and what they can see and do.

Reporting

The Microsoft 365 Defender portal gives you a single place to view information about detected threats and the actions taken to address them:
  • A simplified Home page with cards showing users/devices at risk, the number of threats detected, and the alerts/incidents created.
  • An Incidents & alerts section showing the incidents created from triggered alerts.
  • The Action center, showing the list of remediations that were taken.
  • A Reports section containing reports of detected threats and their status.

Microsoft endpoint security plans

Now that I’ve gone over what Defender for Endpoint Plan 1 has to offer, let’s take a look at a comparison of the available Microsoft endpoint security plans.

Defender for Endpoint Plan 1
  • Next-generation protection (including antimalware and antivirus)
  • Attack surface reduction
  • Manual response actions
  • Centralized management
  • Security reports
  • APIs
  • Support for Windows 10, iOS, Android OS, and macOS devices

Defender for Endpoint Plan 2 (everything in Plan 1, plus)
  • Device discovery
  • Device inventory
  • Core Defender Vulnerability Management capabilities
  • Threat analytics
  • Automated investigation and response
  • Advanced hunting
  • Endpoint detection and response
  • Endpoint attack notifications
  • Support for Windows (client only) and non-Windows platforms (macOS, iOS, Android, and Linux)

Defender Vulnerability Management add-on (additional capabilities on top of Defender for Endpoint Plan 2)
  • Security baselines assessment
  • Block vulnerable applications
  • Browser extensions
  • Digital certificate assessment
  • Network share analysis
  • Support for Windows (client and server) and non-Windows platforms (macOS, iOS, Android, and Linux)

Defender for Business (available to small and medium-sized businesses as a standalone subscription or as part of Microsoft 365 Business Premium; services optimized for small and medium-sized businesses)
  • Email protection
  • Antispam protection
  • Antimalware protection
  • Next-generation protection
  • Attack surface reduction
  • Endpoint detection and response
  • Automated investigation and response
  • Vulnerability management
  • Centralized reporting
  • APIs (for integration with custom apps or reporting solutions)
  • Integration with Microsoft 365 Lighthouse

Defender for Cloud

One of the best things that will further strengthen your security is the integration of Defender for Endpoint with Defender for Cloud. This integration will provide you with extra features on top of what you’re already getting. These are:

Automated onboarding

Defender for Cloud is going to automatically enable the Defender for Endpoint sensor on all supported machines that are connected to Defender for Cloud.

Single pane of glass

You’ll be able to view your Defender for Endpoint alerts on the Defender for Cloud portal pages. However, if you want to see additional information so you can investigate further you can head over to Defender for Endpoint’s own portal pages and there you can view extra information such as the alert process tree and the incident graph. There will also be a detailed machine timeline that displays all the behaviors for a historical period of up to six months.

However, there are a few requirements that you’ll need to check before you can proceed with the integration of Defender for Endpoint with Defender for Cloud. You need to verify that your machine meets the Defender for Endpoint requirements given below.

The machine needs to be connected to Azure as well as the internet:

  • Azure virtual machines (Windows or Linux): configure the network settings as described in "Configure device proxy and internet connectivity settings".
  • On-premises machines: connect the target machines to Azure Arc; see "Connect hybrid machines with Azure Arc-enabled servers".
  • Windows servers: check that your servers meet the requirements for onboarding Microsoft Defender for Endpoint.
  • Subscriptions that have been moved between Azure tenants also require some manual preparatory steps.

Expanding security capabilities

The threats that organizations are facing will constantly evolve and so Microsoft Defender for Endpoint needs to keep enhancing its capabilities. By doing so, it remains a leading endpoint protection solution that can reinforce the security of your organization and minimize the risk of compromise. There have been a few features that have been announced recently and they are worth taking a look at.

Expanded capabilities at the network layer

In recent years, organizations have had to deal with an increasing number of network-based attacks targeting endpoints, and there are several reliable endpoint solutions that organizations can use to identify and deal with those threats.

The challenge for security teams is getting the information that would let them identify suspicious network communications on a device early in an attack.

With that in mind, Defender for Endpoint is strengthening its defenses to give organizations greater protection at the network layer, giving your security team the tools they need to swiftly detect and remediate threats.

Deep packet inspection support

Greater insight into endpoint activity at the network layer can vastly improve how efficiently organizations mitigate network-based threats. To that end, Microsoft Defender for Endpoint has developed a new open-source partnership with Zeek, which adds deep packet inspection support to how attacks are handled.

This gives your organization greater visibility into network signals across all Defender for Endpoint devices: rich signals for advanced threat hunting, easier discovery of IoT devices, and enhanced detection and response capabilities.

Through Microsoft's partnership with Corelight, the integration of Zeek with Windows reinforces your organization's security against network-based threats and, in the long run, gives you far greater overall endpoint security.

Detection and remediation of command and control attacks at the network layer

One of the key things that helps security teams quickly and accurately identify threats is access to tools with excellent detection capabilities. Accordingly, Microsoft has announced the release of Network Protection command and control (C2) detection and remediation capabilities for Defender for Endpoint.

With these tools, network C2 attacks can be detected much earlier in the attack, so further progression is blocked swiftly and spread is reduced. In addition, the easy removal of malicious binaries reduces the time needed for mitigation.

The capability inspects network packets and assesses them for C2 malware configuration patterns. The Defender for Endpoint Network Protection (NP) agent verifies the true nature of each connection by mapping the outbound connection's IP address, port, hostname, and other NP connection values against the Microsoft cloud. AI and scoring engines then decide whether the connection is malicious; if it is, the connection is blocked and any malware binaries found on the endpoint are rolled back to the previous clean state.

Once a detection has been made, Microsoft 365 Defender displays an alert under Incidents and alerts. Your security team can then review the alert name, the severity of the detection, the device status, and more, and drill into the full timeline and the attack flow as it relates to your environment.

Wrap Up

The threat landscape that organizations are having to deal with is becoming increasingly worrying. By the same token, those looking to exploit potential vulnerabilities in organizations’ networks have grown more adept at compromising systems. By and large, we are witnessing some incredibly sophisticated cyberattacks that are targeting endpoints which they often identify as the weak point for infiltrating a network.

Organizations must seriously rethink their approaches to security because of this, and as more and more organizations adopt hybrid work environments, it becomes crucial to secure your endpoint devices to avoid vulnerability.

Failing to do so can have catastrophic consequences for organizational operations, data security, intellectual property, and much more. This is why Microsoft Defender for Endpoint can provide the perfect suite of capabilities to reinforce your security.

It gives you a comprehensive endpoint solution that goes far beyond what your legacy antivirus services can offer. Equally important, as emerging threats use increasingly complex attack methods, it can only be good for businesses to have a solution that can deliver intelligent detection and response capabilities.

Taking A Closer Look At Windows 365 Security

The idea of having a desktop that you can access from just about anywhere is an incredible option to have. Not only that but you can do so using your PC, tablet, or smartphone. As can be seen by the disruptions we witnessed to business activities at the height of the pandemic, the lack of viable options can be disastrous. That is why the Windows 365 Cloud PC has been very well received by organizations since coming onto the scene in 2021. It gives organizations a solution that they may not have had a few years back.

You can provide desktops for employees regardless of where they are working from. Be it at home or in the office, the Cloud PC remains accessible and productivity levels can be maintained.

But, the key question is how secure is Windows 365? Can the corporate network remain secure with the use of Cloud PCs?

Getting started with Windows 365

Organizations that use Windows 365 will benefit from an end-to-end connection flow for all their employees thus allowing them to work in a secure environment. Windows 365 has been designed with Zero Trust principles being integral to the security structure.

What this means is that clients have a great foundation that allows them to apply controls that help them to better secure their environments across the 6 pillars of Zero Trust. Microsoft allows you to implement Zero Trust controls in the following areas:

  • Securing access to the Cloud PC – this is something that is crucial to Identity and it enables you to set the specific regulations concerning who can access the Cloud PC and under which conditions.
  • Securing the Cloud PC device itself – the actual Cloud PC devices that one uses to access corporate resources require extremely high security. So this is an important category that allows for the securing of the Endpoint by placing extra security measures on the devices themselves.
  • Securing the Cloud PC data and other data available while using the Cloud PC – this last area allows you to place additional security measures to secure the data itself that users will need to access. Also, you can place extra measures on how Cloud PC users can access the data.

Default features

Microsoft has a few features that are enabled on all new Cloud PCs by default. These include:

  • Virtual Trusted Platform Module (vTPM): a vTPM is a virtualized version of a hardware Trusted Platform module and is designed to be compliant with the TPM2.0 spec. What it offers you is a dedicated secure vault for keys and measurements. With trusted launch, your virtual machine will get its own dedicated TPM instance that will run in a secure environment outside the reach of any VM.
  • Secure Boot: this next feature could be described as something that provides the foundation of trusted launch. Secure Boot is a mode that is implemented in platform firmware and enhances the overall security posture by protecting against the installation of malware-based rootkits and bootkits. Basically, what you get is a system that ensures that only signed operating systems and drivers can boot. Therefore, any image that Secure Boot fails to authenticate will be restricted from booting.

As a result of having the above features enabled, Windows 365 will support the enabling of the Windows security features below:

  • Hypervisor Code Integrity (HVCI)
  • Microsoft Defender Credential Guard
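As an added example (not code from the original article), the following PowerShell function checks from inside a Cloud PC, or any Windows 10/11 VM, whether the features listed above (Secure Boot, a TPM 2.0, virtualization-based security, Credential Guard and HVCI) are actually present and running; it uses only built-in cmdlets and WMI classes and must run in an elevated session.

```powershell
# Added example: report the trusted-launch and VBS feature state of the local
# Windows device. Run elevated on the Cloud PC itself.
function Get-CloudPCSecurityFeatureStatus {
    [CmdletBinding()]
    param()

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines, so
    # treat that as "not enabled" rather than aborting the whole check.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # vTPM: Win32_Tpm exposes the TPM spec version ("2.0, ..."), which is
    # the version the article says Cloud PC vTPMs are built to comply with.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Virtualization-based security: Win32_DeviceGuard.SecurityServicesRunning
    # is a list of codes where 1 = Credential Guard and 2 = HVCI (memory
    # integrity); VirtualizationBasedSecurityStatus 2 means VBS is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = if ($dg) { @($dg.SecurityServicesRunning) } else { @() }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SecureBootEnabled      = [bool]$secureBoot
        TpmPresent             = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
        TpmSpecVersion         = $tpmSpec
        VbsRunning             = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = [bool]($running -contains 1)
        HvciRunning            = [bool]($running -contains 2)
    }
}

# Usage: print the status and exit non-zero if any expected feature is off.
$status  = Get-CloudPCSecurityFeatureStatus
$missing = foreach ($p in 'SecureBootEnabled', 'TpmPresent', 'VbsRunning',
                          'CredentialGuardRunning', 'HvciRunning') {
    if (-not $status.$p) { $p }
}
$status | Format-List
if ($missing) {
    Write-Warning ("Not running on {0}: {1}" -f $status.ComputerName, ($missing -join ', '))
    exit 1
}
exit 0
```

Because it exits 1 when something is off and 0 otherwise, the script can also be used as the detection half of an Intune proactive remediation so that drift from the expected Cloud PC baseline shows up centrally.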

Automatic enrollment

Another key step Microsoft advises clients to take to secure their Windows 365 Cloud PCs is to configure devices to enroll into MEM using automatic enrollment. However, to do that, you need to meet the following requirements:

Sign in to Intune in Microsoft Endpoint Manager

Start by signing in to the MEM admin center as a Global administrator. If you are using the Trial subscription, then the account you used to create the subscription becomes the Global administrator.

Set up Windows 10/11 automatic enrollment

If you want to enroll both corporate and bring-your-own-devices, you’ll have to use MDM enrollment. In addition, you have to sign up for a free Azure AD Premium subscription.

  1. Navigate to the MEM admin center. Select All services > M365 Azure Active Directory > Azure Active Directory > Mobility (MDM and MAM).
  2. Choose Get a free Premium trial to use this feature. This enables auto-enrollment using the Azure AD free Premium trial.
  3. Select the Enterprise Mobility + Security E5 free trial option.
  4. Click Free trial > Activate the free trial.
  5. Choose Microsoft Intune to configure Intune.
  6. Go to the MDM user scope and select Some. This enables you to use MDM auto-enrollment to manage enterprise data on your employees’ Windows devices. This will configure MDM auto-enrollment for AAD joined devices and bring your own device scenarios.
  7. Click Select groups > Contoso Testers > Select as the assigned group.
  8. And then for data management on your workforce’s device, choose Some from the MAM Users scope.
  9. Choose Select groups > Contoso Testers > Select as the assigned group.
  10. And then, for the remaining configuration values, you’ll use the default values.
  11. Choose Save.

Windows 365 Business

Windows 365 comes in two different options to cater to the various businesses and their different needs. Microsoft intends for Cloud PCs to be available for both small and large enterprises. Therefore, smaller organizations have Windows 365 Business that can meet the needs of the business.

If your organization does not have an IT department/staff or central IT management solutions then this is the option for you. This option gives end users local admin rights to their Cloud PCs in a way that is typically seen with smaller businesses.

In instances where IT would like to use Windows 365 Business for a particular scenario, Microsoft recommends sticking to standard IT practices, that is, setting users as standard users on their devices. You can use Microsoft Endpoint Manager to carry this out by following the steps below:

  • The process starts with device configuration to enroll the devices in MEM using automatic enrollment.
  • The next step involves the management of the Local Administrators group. This can be done using Azure Active Directory (Azure AD) or using Microsoft Endpoint Manager.
  • In addition, it would be a good idea to have Microsoft Defender Attack surface reduction (ASR) rules enabled. This would be very useful because these rules are defense-in-depth mitigations for specific security concerns, such as blocking credential stealing from the Windows local security authority subsystem.

Windows 365 Enterprise

When it comes to Windows 365 Enterprise, the process is slightly easier for IT admins. This is because, for the Enterprise license, Cloud PCs are automatically enrolled. Not only that but they also get reporting of Microsoft Defender Antivirus alerts as well as optional onboarding into Microsoft Defender for Endpoint capabilities.

By default, Enterprise users are automatically set up as standard users. However, admins still retain the option to make per-user exceptions when necessary. The guidelines for users of Windows 365 Enterprise Cloud PCs are as below:

  • Users should stick to standard Windows 10 security practices. This also means restricting the use of local administrator privileges on your Cloud PC.
  • You need to deploy Windows 365 security baselines to your Cloud PC from MEM. Furthermore, you should utilize Microsoft Defender to protect your endpoints, especially all Cloud PCs.
  • Taking advantage of Azure AD conditional access is a must. With features such as multifactor authentication (MFA) and user/sign-in risk mitigation, you can significantly reduce the risk of unauthorized access to your Cloud PC.

Enhancing your security posture with Windows 365

Microsoft offers organizations security recommendations that are meant to enable you to improve your security. These guidelines are as follows:

Conditional Access

Microsoft recommends the use of Conditional Access policies to improve your authentication processes. These policies are central to the zero trust strategy and help to secure your corporate network by putting strict controls concerning which devices can access it and how. You can even configure Conditional Access policies to meet the specific needs of your business and your Windows 365 environment.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint (MDE) has been described as an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Organizations can connect MDE to their Cloud PC devices and thus have access to security procedures that are an industry standard for endpoint protection.

You can significantly improve your security because of how MDE can easily integrate with other Microsoft security tools. Clients with Windows 10 or Windows 11 licenses will get Microsoft Defender and Microsoft Defender Firewall as part of Windows Security which comes with their subscriptions. This also includes firewall and network protection, account protection, virus and threat protection, and device security among others.

Another thing to be aware of is that if you have a Microsoft 365 E5 plan then you’ll also get Microsoft 365 Defender. This service, which may also be purchased as an add-on for other Microsoft 365 subscriptions, compiles security data from the Microsoft 365 ecosystem and organizes it into a centralized dashboard.

And the way this dashboard has been designed simplifies the task for admins by making it easier to detect and respond to threats while setting aside the non-urgent. Ultimately, leveraging this security platform will help organizations to provide next-generation cybersecurity for their Windows 365 environment.

Intune compliance

The use of Intune compliance policies is highly recommended as a way to set the requirements and settings that users and devices must abide by to be considered compliant. These policies can be used in conjunction with Conditional Access policies for your Windows 365 environment. This means that you can block any non-compliant devices from accessing corporate resources until any issues have been resolved.

Regular updates

Another recommendation that Microsoft gives has to do with OS updates. Devices need regular updates to not only maintain high levels of security but to keep enhancing performance as well. Occasionally, vulnerabilities are discovered that may be exploited so updates will help mitigate those issues and provide new features as well. And when it comes to Cloud PCs, IT admins can use Endpoint Manager to configure Intune Windows 10/11 update rings and policies for Windows Update for Business.

Admin rights

With regard to Windows 365 Business, the target market is small businesses that may not have an IT team to manage the environment. So it makes sense that users are granted local admin rights. For Windows 365 Enterprise, on the other hand, users will not get those same privileges. And this is by default so as to be in line with Windows 10/11 security guidance.

Integration

Microsoft further enhances the overall security by having an integration between Microsoft Defender for Endpoint and Windows 365. What this means is that security and endpoint admins can collaborate on the management of the Cloud PC environment just like for any regular physical endpoint. If subscribed, Cloud PCs will:

  • Send data through to Microsoft 365 Secure Score.
  • Have the option to view unhealthy PCs on the Microsoft Defender for Endpoint Security Center and threat analysis dashboards.
  • Respond to remediation measures in the same way as any other managed device.

Deployment of security baselines

Every organization needs specific security controls that can help to address its cybersecurity needs. To ensure the highest level of security, Microsoft recommends using industry-standard security measures that have been well-tested.

With Windows 365 security baselines, you’ll be getting Microsoft-recommended security measures that are based on best practices and expert feedback. This will help to improve the security of your Cloud PCs because of the recommendations you benefit from. Windows 365 security baselines are going to affect the following areas:

  • Windows 10 settings: 1809
  • MDATP settings: version 4
  • Edge settings: April 2020 (Edge version 80 and later)

Applying Windows 365 baselines

Microsoft also optionally allows you to apply Windows 365 security baselines to the Azure AD groups containing Cloud PC devices in your tenant. Once you are ready to deploy the security configurations, you’ll follow the steps below:

  1. Navigate to the Microsoft Endpoint Manager admin center and sign in. Then select Endpoint Security > View Security Baselines.
  2. Select Cloud PC Security Baseline (Preview).
  3. Next, you select Create Profile and then give a name for the profile.
  4. The groups of settings for the baseline you chose can now be viewed on the Configuration settings tab. If you want to view the settings in a particular group as well as the default values for those settings in the baseline, all you need to do is expand the group. And if you want to see specific settings:
     • Select a group to expand and from there you can review the available settings.
     • You can use the search bar to type in specific keywords so that you get results displaying only the groups that match your search criteria.

Default configurations

All the settings in a baseline will have default configurations for that particular baseline version. To cater to varying business needs, Microsoft gives you the option to reconfigure the default settings. You will also notice that depending on the intent of the baseline, some baselines will have the same setting but will use different default values for that setting.

  • Next, go to the Assignments tab and select a device group with Cloud PCs to include. After that, you’ll need to assign the baseline to one or more groups with your Cloud PCs. You can use Select groups to exclude to fine-tune the assignment.
  • After completing the above and you’re ready for deployment, go to the Review + create tab and review the details for the baseline. To save and deploy the profile click on Create.

Application of the baseline to the assigned group is carried out immediately following the creation of the profile.

Implementing Conditional Access

Conditional Access is a system designed to enhance the security of corporate networks by restricting access to verified and compliant devices. Being a policy-based approach allows you to configure the specific conditions that you want to apply to the access controls. As Microsoft puts it, these policies are basically “if-then” statements. If a user needs to access certain resources on the corporate network then it follows that he/she will need to meet certain requirements. Using Conditional Access can help you to accomplish the following:

  • Enable users to maintain productivity levels wherever they may be.
  • Safeguard corporate resources.

Assigning Conditional Access policies to Cloud PCs

Windows 365 Enterprise admins should be aware that Conditional Access policies aren’t set for tenants by default. So to assign policies to the Cloud PC first-party app you’ll need to use either of the following services:

  • Azure
  • Microsoft Endpoint Manager by performing the steps below:

  1. Navigate to the MEM admin center and sign in. Proceed to select Endpoint Security > Conditional Access > New Policy.
  2. The specific Conditional Access policy that you want will require you to provide a name for it.
  3. Go to the New Policy tab and select Specific users included which you’ll find under Users and groups. Next, you need to pick the specific user or group that you want to target with the policy. You also get the option to Exclude certain users or groups if that’s the way you want to set up.
  4. Select No cloud apps, action, or authentication contexts selected. You can find this option under Cloud apps or actions.
  5. Select Cloud apps > Include > Select apps.
  6. Next, head over to the Select pane. Here you’ll need to search for and select the apps below:
     • Windows 365 (you can also search for “cloud” to find this app).
     • Windows Virtual Desktop (this may also appear as Azure Virtual Desktop).

More to know about Windows 365

Choosing both of the apps above ensures that the policy is applied to the Cloud PC end-user portal as well as to the connection to the Cloud PC. Choosing both of these apps is also necessary if you want to be able to exclude apps.

  • Fine-tuning a policy can be performed by going over to Access and then choosing the options that you want to apply to all objects assigned to this policy.
  • Before you proceed any further you may want to test the policy. This can be done by going to Enable Policy and turning the setting Report-only to Off. This will prevent the policy from being applied as soon as you’ve completed the creation process.
  • All that’s left now is for you to select Create and you’ll complete the creation of the policy.

If you want to see the list of your active and inactive policies, navigate to the Policies view in the Conditional Access UI.
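The same policy can be created with the Microsoft Graph PowerShell SDK instead of the portal; the function below is an added example, not code from the article or from Microsoft, and the policy name, group names and the scopes requested are assumptions for your tenant. It targets both apps named above, requires MFA and an Intune-compliant device, and starts in report-only mode so sign-in logs can be reviewed before anyone is locked out.

```powershell
# Added example: create the Cloud PC Conditional Access policy via Microsoft
# Graph. Requires the Microsoft.Graph module and an account allowed to manage
# Conditional Access (Policy.ReadWrite.ConditionalAccess) and read apps/groups.
function Get-ServicePrincipalAppId {
    param([Parameter(Mandatory)][string[]]$DisplayNames)
    # The same first-party app can show under more than one display name (the
    # article notes that "Windows Virtual Desktop" may appear as
    # "Azure Virtual Desktop"), so try each name in turn.
    foreach ($name in $DisplayNames) {
        $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Top 1
        if ($sp) { return $sp.AppId }
    }
    throw "No service principal found for: $($DisplayNames -join ', ')"
}

function New-CloudPCConditionalAccessPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$IncludeGroupName,  # users who get Cloud PCs
        [Parameter(Mandatory)][string]$ExcludeGroupName,  # break-glass accounts
        [switch]$Enforce                                  # default is report-only
    )

    $includeGroup = Get-MgGroup -Filter "displayName eq '$IncludeGroupName'" -Top 1
    $excludeGroup = Get-MgGroup -Filter "displayName eq '$ExcludeGroupName'" -Top 1
    if (-not $includeGroup -or -not $excludeGroup) {
        throw "Include or exclude group not found; refusing to create a policy with no exclusions"
    }

    # Both apps must be targeted so the policy covers the end-user portal
    # (windows365.microsoft.com) and the actual connection to the Cloud PC.
    $cloudPcAppId = Get-ServicePrincipalAppId -DisplayNames 'Windows 365'
    $avdAppId     = Get-ServicePrincipalAppId -DisplayNames 'Azure Virtual Desktop', 'Windows Virtual Desktop'

    # Report-only ("enabledForReportingButNotEnforced") logs what the policy
    # would do without blocking anyone; switch to enforced once reviewed.
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    $body = @{
        displayName = $PolicyName
        state       = $state
        conditions  = @{
            users          = @{
                includeGroups = @($includeGroup.Id)
                excludeGroups = @($excludeGroup.Id)
            }
            applications   = @{ includeApplications = @($cloudPcAppId, $avdAppId) }
            clientAppTypes = @('all')
        }
        # Require MFA AND an Intune-compliant device, matching the article's
        # guidance on MFA and Intune compliance policies.
        grantControls = @{
            operator        = 'AND'
            builtInControls = @('mfa', 'compliantDevice')
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Usage with assumed names; run once, then review the policy in the
# Conditional Access Policies view before switching it to enforced.
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'
# New-CloudPCConditionalAccessPolicy -PolicyName 'CA - Cloud PC: MFA and compliant device' `
#     -IncludeGroupName 'Cloud PC Users' -ExcludeGroupName 'Break Glass Accounts'
```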

Windows 365 wrap up

Remote desktop services offer countless benefits to businesses that can help enhance the overall performance of the business. Businesses can easily have hybrid workforces without having to sacrifice productivity. Not only that but services like Windows 365 ensure that if an unexpected event such as the COVID-19 pandemic occurs, the disruption to business activities can be minimized.

However, all of this doesn’t mean much without the best security features you can get to safeguard corporate data as well as the physical devices that employees use. And Microsoft has provided Windows 365 clients with a wide array of security features to ensure that Cloud PCs have next-generation protection. This will make it such that the user experience becomes significantly better.

Getting Set up With Windows 365

Cloud computing and the Cloud PC have come a long way in the last couple of decades. As a way of delivering various on-demand IT resources over the internet, cloud computing has an endless list of applications. These can then offer individuals and organizations alike access to resources that may otherwise be beyond their means.

As you can imagine, the cost of running an on-premises IT environment can be very steep. This is why cloud computing is being adopted by a lot of organizations as they realize the benefits and convenience you get. And Microsoft has been providing these services for a long time but with Windows 365, the company is looking to make cloud computing even better.

Windows 365

Windows 365 is a Desktop as a Service offering that was introduced by Microsoft in 2021. It is designed to provide both small and large organizations with a cloud computing environment that can adequately meet their various needs. And when you consider that Microsoft already had other virtualization technologies on offer, you can trust that this new service will give you some of the best of those other technologies.

In fact, Windows 365 is built on the Azure infrastructure so that already breeds confidence in the service. Microsoft has basically leveraged its existing products and gone for a new approach to delivering virtual desktop infrastructure. Organizations can use the Cloud PC to increase security as well as productivity. In addition, having a cloud-based Windows PC can also help employees collaborate better regardless of where they physically are.

By using the Windows 365 Cloud PC, users will be able to stream their Windows PC to any supported device. And this is something that you can do using either a browser or a native RDP client.

Rooted in simplicity

Arguably the key foundational concept of Windows 365 is simplicity and so Microsoft has designed the service to be relatively easy to set up and use. In line with that, you’ll get to use all your favorite tools such as Microsoft 365, Microsoft Dynamics 365, Microsoft Power Platform, and plenty more.

Furthermore, Windows 365 comes in two editions to cater to both small and large enterprises. The Windows 365 Business edition targets the small to medium enterprise sector that may only need a few desktops. Organizations can get up to 300 desktops and will be charged a fixed rate that depends on the selected hardware configuration.

For larger enterprises, there is Windows 365 Enterprise which can help you to integrate the desktops with your existing Azure virtual network.

Simplifying virtual desktop infrastructure

One of the things that Windows 365 aims to do is to ensure that it can avail cloud computing to as many people as possible. With traditional VDI environments, you would need to set up a server, install applications, and then provide access to users.

But, Windows 365 does away with all of that. Microsoft has designed a product that has all the building blocks automated for you and will take care of all the virtualization. In addition, the service can scale with you in a highly optimized way to use Microsoft 365 apps.

Your organization doesn’t need to worry about the hardware and software configurations of the devices that your users have. Admins will be particularly glad to hear this because it means that deployment will become significantly easier and faster.

Traditional VDI may sometimes have limitations regarding where one can get access. This is not so with Windows 365 as users can access their Cloud PCs from anywhere on almost any device. The kind of freedom that Windows 365 gives its users is what makes it the ideal product for an increasingly hybrid world.

Device requirements

So, before you get started with setting up your Windows 365 environment, you’ll need to find out what the device requirements are. Are there any specific devices that your organization needs to purchase if you want to use Windows 365? Fortunately, there’s not much to worry about in this regard because Microsoft wants to make accessing Cloud PCs convenient and easy.

Therefore, Windows 365 will do this by allowing you to use most devices which Microsoft also hopes will help you reduce your IT costs in the hardware department. Because Windows 365 is essentially PC hardware that runs in the cloud, the importance of your actual physical device is significantly less.

As long as you have an internet connection, you’ll be able to operate a reasonably powerful Windows PC using just about any device. To access this Cloud PC, you can use any modern browser or the Remote Desktop app.

Additional benefits of Cloud PC

A setup like this is going to be extremely beneficial for organizations that have a sizeable remote or seasonal workforce. Your organization won’t need to make a massive investment in hardware for all those employees. Even better is the fact that they’ll be able to easily access these Cloud PCs anywhere without losing any progress.

In short, all Windows 10 and Windows 11 devices should be compatible with Windows 365. The best part, however, is that clients will be able to easily stream a Windows 365 session to hardware running macOS, iOS, Linux, and Android.

However, for the best experience, Microsoft recommends devices that have a traditional keyboard and mouse. For the most part, as long as your device has an HTML5 browser and a DSL connection or a wireless internet connection capable of streaming a video you will be just fine. The amount of bandwidth that you’ll need, however, will depend on your workload.

How much does it cost?

Microsoft offers Windows 365 at varying prices to cater to the different needs of the target organizations. From the small outfit needing only a handful of PCs to the larger enterprises that may require unlimited options. Not only that but it also helps to ensure that users will only pay for what they need.

So, support staff can get a Cloud PC that works for them, and individuals such as engineers that have heavier computing needs can also get something that suits them. You can get Cloud PCs in multiple configurations from $20 per user per month for the lowest-end SKU, to $162 per user per month for the most expensive one.

This fixed per month pricing model is something else that distinguishes Windows 365 from Azure Virtual Desktop which is consumption-based. And if the need to scale up ever arises then you have the option of doing that by getting a different subscription.

Windows 365 Business Edition

For the Windows 365 Business edition, the $20 per user per month fee is going to get you a single virtual core, 2GB of RAM, and 64GB of storage. That price requires Windows Hybrid Benefit, which is Microsoft’s Bring-Your-Own license model that is designed to help clients apply existing (or new) licenses toward the cost of a product.

Otherwise, if you don’t have Windows Hybrid Benefit then the cost goes up to $24 per user per month. At the other end of the spectrum, clients will be able to purchase the Business SKU that offers eight virtual cores, 32GB of RAM, and 512GB of storage for $158. And similar to the previous one, without Windows Hybrid Benefit the cost goes up, this time to $162.

Larger organizations have the Windows 365 Enterprise edition designed for them and the pricing range is similar. Users that have lighter computing needs can get a single virtual core with 2GB of RAM and 64GB of storage for $20 per user per month. And for the other users that require virtual machines that can deliver significantly more, you can get an option that gives you eight virtual cores, 32GB of RAM, and 512GB of storage for $158 per user per month.

Provisioning with Cloud PC

The provisioning process is going to create a Cloud PC virtual machine and then set it up for a user. Provisioning also enables the completion of other tasks that will prepare the machine for use as well as the sending of access information to the user. To start the process, admins will have to provide configuration details to set up the process.

Once that’s been done, users that have a Windows 365 license that matches the configuration details will automatically get Cloud PCs provisioned for them. However, each user and license pair can only have one Cloud PC provisioned for them because the provisioning setup works on a one-time per user and per-license basis. The steps of the provisioning process are given below:

  • A provisioning policy is created to manage access to the Cloud PCs. These provisioning policies are integral to the process because they are responsible for building, configuring, and availing Cloud PCs to end-users. As such, each policy needs you to provide information about the on-premises network connection, the image used to create each Cloud PC, and an Azure AD user group.
  • The provisioning process will begin with the assignment of a Windows 365 license to users in the Azure AD user group. Subsequently, Windows 365 will then proceed with the automatic provisioning of the Cloud PC. And after doing that, the necessary access information will be sent to the user. The automation is performed in 3 phases that will remain invisible to the administrator.
  • Once all the above has been carried out successfully, what only remains is for the end user to get the access data that will provide them with access to sign in to the Windows Cloud PC from anywhere.

Improving the Cloud PC setup process

In the first few months of 2022, Microsoft announced that it was implementing a few changes meant to make setting up Cloud PCs even easier. The announcement informed us about how Windows 365 was going to get the “join” feature. Azure AD joined devices are those whose computer object is no longer stored in the on-premises Active Directory Domain Services environment.

Instead, it is now located in Azure Active Directory. By using Azure AD Join you’ll be able to join devices directly to Azure AD without the need to join to on-premises Active Directory. And all this can be done while keeping your users productive and secure. Your admins can easily leverage Azure AD Join for both at-scale and scoped deployments. According to Microsoft, this feature was highly requested by organizations who wanted to simplify the onboarding process.

Microsoft’s announcement

When Microsoft made the announcement, it was said that Azure AD join had been the most requested feature since Windows 365 reached general availability. So, admins will be glad to know that they now have the possibility of using Azure AD join as a Cloud PC join type option.

Therefore, what this means for organizations is that you no longer need to have an existing Azure infrastructure to use the service but just your Azure AD users. All of this has been done to make it easier for admins to onboard users using Azure Active Directory.

Expectedly, this presents a massive upgrade, especially when looking at how integral Azure AD is to Microsoft’s identity and security services. Bringing the ‘join’ feature to the Windows 365 platform will go a long way in maintaining the theme of ease of use that Microsoft has described for its Cloud PC.

Before this upgrade, the ‘join’ feature had helped businesses that use the on-premises version of Active Directory by functioning as a device-joining bridge. Simply put, adding Azure AD Join to the Windows 365 platform is going to enable admins to enroll devices without the need to have on-premises Active Directory. Now all you need to do is use your Azure AD users.

Accessing your Cloud PC

After everything has been set up it’s time for users to learn just how they can connect to the Cloud PC. We need to clarify what clients can be used as well as what options the end-users will have. Also, we need to know how administrative credentials can be provided to the end-user. Microsoft has provided two ways for users to connect to the Cloud PC:

  1. Web browser – the first method that users have for accessing the Cloud PC is via a web browser. All you have to do is navigate to windows365.microsoft.com. Once there, you can log in with the user credentials that have a desktop provisioned. The portal will show you an overview of the desktops available to you. However, to access the Cloud PC using this website, users’ devices need to meet the following requirements:
     • supported operating systems: Windows, macOS, ChromeOS, Linux,
     • a modern browser like Microsoft Edge, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later).

Task management

When using windows365.microsoft.com, end users can carry out various tasks on their Cloud PCs. They only need to select the gear icon on a Cloud PC card.

  • rename: doing this will change the name of the Cloud PC that the user sees on the website. Performing this action doesn’t change the name in Microsoft Endpoint Manager, in Azure Active Directory, on the device, or in the Remote Desktop apps.
  • restart: this will restart the Cloud PC.
  • troubleshoot: whenever a user is encountering challenges with connecting to the Cloud PC, this will help to resolve those challenges. A few checks will verify that all the files and agents necessary for connectivity have been properly installed. There will also be a check for the availability of Azure resources.

  2. Remote desktop – the second method that Microsoft offers clients for connecting to the Cloud PC. This works by using the Microsoft Remote Desktop app, which is designed to enable users to access and control a remote PC, including a Cloud PC. So, for those who have been using Azure Virtual Desktop, this is an app they will already be familiar with. Setting up the Remote Desktop is a relatively simple process that requires you to follow a few steps:
     • first, you’ll have to download the Remote Desktop app. You can find it on the Download App page at www.microsoft.com/windows-365?rtc=1.
     • next, you select Subscribe.
     • the next step will require you to enter your Azure Active Directory credentials.
     • you will then see the Cloud PC appear on a list. Simply double-click it to launch.

Cloud PC security

Microsoft provides Cloud PCs with good security measures straight out of the box. And just like you have with your physical computers, Windows 365 Cloud PCs will come with Microsoft Defender. This helps to ensure that your device is secure from the first-run experience.

Also, the provisioning of the Cloud PCs is done using a gallery image. To ensure improved security, the image will have the latest updates for Windows 10 through Windows Update for Business. However, there are a few differences between what exactly you’ll get for Windows 365 Business and for Windows 365 Enterprise.

Windows 365 Business

Since Windows 365 Business is a service aimed at smaller organizations, particularly those that may not have IT staff, users on this edition are granted local admin rights to their Cloud PCs. This mirrors what happens in a lot of small businesses, where users purchase computers and retain local admin rights.

For IT departments that want to use Windows 365 Business for particular cases, they need to follow standard security practices, which make those users standard users on their devices. To use MEM for this approach, you’ll need to follow the guidelines below:

  • The process starts with device configuration to enroll the devices in MEM using automatic enrollment.
  • The next step involves the management of the Local Administrators group. This can be done using Azure AD or MEM.
  • In addition, it would be a good idea to have Microsoft Defender Attack Surface Reduction (ASR) rules enabled. This would be very useful because these rules are defense-in-depth mitigations for specific security concerns. These include blocking credential stealing from the Windows local security authority subsystem.
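A way to verify the two hardening items above on a Business Cloud PC, as an added example that is not from the article or from Microsoft’s own tooling: it lists who still holds local Administrators membership and reports whether the Defender ASR rule that blocks credential stealing from LSASS is enforced, with an optional switch to turn that rule on locally. The function names are mine; the cmdlets are the built-in LocalAccounts and Defender module ones, and the rule GUID is assumed to be the documented ID for that rule on your build.

```powershell
# Added example (not from the original article or from Microsoft's own tooling).
# Run on a Windows 365 Business Cloud PC to check: who still holds local
# Administrators membership, and whether the ASR rule "Block credential stealing
# from the Windows local security authority subsystem (lsass.exe)" is enforced.
# Assumption: the GUID below is the documented ID for that rule.
$LsassCredentialTheftRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-CloudPCLocalAdmins {
    # Lists every member of the local Administrators group except the built-in
    # Administrator (RID 500). On a Business Cloud PC the assigned user shows up
    # here until you make them a standard user via Azure AD or MEM.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID.Value -notlike '*-500' } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    # Get-MpPreference exposes two parallel arrays: rule IDs and their actions
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn). A rule ID that is absent
    # was never configured, which Defender treats as disabled.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {          # -eq on strings is case-insensitive
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Invoke-CloudPCBusinessHardeningCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # When set, enable the LSASS rule in Block mode if it is not already enforced
        [switch]$EnableLsassRule
    )
    $admins = @(Get-CloudPCLocalAdmins)
    $state  = Get-AsrRuleState -RuleId $LsassCredentialTheftRuleId

    if ($EnableLsassRule -and $state -ne 'Block' -and
        $PSCmdlet.ShouldProcess('Microsoft Defender', "Enable ASR rule $LsassCredentialTheftRuleId in Block mode")) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassCredentialTheftRuleId `
                         -AttackSurfaceReductionRules_Actions Enabled
        $state = Get-AsrRuleState -RuleId $LsassCredentialTheftRuleId
    }

    # One summary object per Cloud PC; both "Meets*" flags should be True
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ExtraLocalAdmins  = ($admins.Name -join ', ')
        LocalAdminCount   = $admins.Count
        LsassAsrRule      = $state
        MeetsStandardUser = ($admins.Count -eq 0)
        MeetsLsassBlock   = ($state -eq 'Block')
    }
}

# Usage: report only, or preview remediation of the ASR rule on a test Cloud PC.
# Invoke-CloudPCBusinessHardeningCheck
# Invoke-CloudPCBusinessHardeningCheck -EnableLsassRule -WhatIf
```

In a managed environment the ASR rule itself should arrive through an MEM endpoint security policy, as the guideline above describes; the local `Add-MpPreference` path is for confirming behaviour on a test Cloud PC, and the report object is what you would collect across devices to see which users still need to be moved to standard user.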

Windows 365 Enterprise

When it comes to Windows 365 Enterprise, you’ll start to see some significant differences right away. This edition intends to serve organizations that have dedicated IT teams. This makes things slightly easier for IT, too. It provides a system that is based on the management and security that Microsoft Endpoint Manager provides. All Cloud PCs in Windows 365 Enterprise configure users as standard users by default.

However, admins still have the ability to make exceptions on a per-user basis. Furthermore, all Cloud PCs will be enrolled in MEM with reporting of Microsoft Defender Antivirus alerts. You’ll also get the ability to onboard into the full Microsoft Defender for Endpoint capabilities. Microsoft makes the following security recommendations for users of Windows 365 Enterprise:

  • Users should stick to standard Windows 10 security practices. This also means restricting local administrator access to your Cloud PC.
  • You need to deploy Windows 365 security baselines to your Cloud PC from MEM. Furthermore, you should utilize Microsoft Defender to protect your endpoints, especially all Cloud PCs.
  • Taking advantage of Azure AD conditional access is a must. With features such as MFA and user/sign-in risk mitigation, you can significantly reduce the risk of unauthorized access to your Cloud PC.
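One way to put the conditional access recommendation into practice, as an added example that is not from the article or from Microsoft’s own samples: a Microsoft Graph PowerShell function that creates a Conditional Access policy requiring MFA for members of a Cloud PC users group, optionally scoped to risky sign-ins, and creates it in report-only mode first. The function name, the group name and the application IDs you pass in are assumptions (the app IDs are a placeholder list you fill from your own tenant); the cmdlets and the policy schema are the documented Microsoft.Graph ones.

```powershell
# Added example (not from the original article or from Microsoft's own samples).
# Creates a Conditional Access policy that requires MFA when members of an Azure AD
# group sign in to the applications you name. It starts in report-only mode so the
# sign-in log impact can be reviewed before the policy is enforced.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules.
function New-CloudPCMfaPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Display name of the Azure AD group whose members receive Cloud PCs (assumed to exist and be unique)
        [Parameter(Mandatory)][string]$GroupDisplayName,
        # Application IDs to target (placeholder list: take them from your tenant's Enterprise applications)
        [Parameter(Mandatory)][string[]]$TargetAppIds,
        # Optional: scope the policy to risky sign-ins as well
        [ValidateSet('low', 'medium', 'high')][string[]]$SignInRiskLevels,
        [string]$DisplayName = 'CA - Cloud PC users - require MFA',
        # Switch from report-only to enforced
        [switch]$Enforce
    )

    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All' | Out-Null

    $group = @(Get-MgGroup -Filter "displayName eq '$GroupDisplayName'")
    if ($group.Count -eq 0) { throw "Group '$GroupDisplayName' not found." }
    if ($group.Count -gt 1) { throw "More than one group is named '$GroupDisplayName'; use a unique name." }

    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    $conditions = @{
        users          = @{ includeGroups = @($group[0].Id) }
        applications   = @{ includeApplications = $TargetAppIds }
        clientAppTypes = @('all')
    }
    if ($SignInRiskLevels) { $conditions['signInRiskLevels'] = $SignInRiskLevels }

    # grantControls with the single built-in control "mfa" = require multi-factor authentication
    $body = @{
        displayName   = $DisplayName
        state         = $state
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }

    if ($PSCmdlet.ShouldProcess($DisplayName, "Create Conditional Access policy ($state)")) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    }
}

# Usage: preview, create in report-only mode, review the report-only results, then re-run with -Enforce.
# New-CloudPCMfaPolicy -GroupDisplayName 'Cloud PC Users' -TargetAppIds @('<app-id-1>', '<app-id-2>') -SignInRiskLevels high, medium -WhatIf
```

Leaving the policy in report-only mode for a while before enforcing is the check a practitioner wants here: it shows which Cloud PC sign-ins would have been prompted or blocked without locking anyone out while the group membership and app targeting are still being validated.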

Wrap up about Cloud PC

There has been a lot of talk about remote work and hybrid work environments in recent years. And with the growing interest, a product like Windows 365 is perfect to meet the needs of most organizations. The flexibility and scalability of the platform offer an endless list of benefits. And it makes it valuable to users both at home and in the office.

Additionally, Microsoft built the product to be simple to configure. It’s also easy for businesses that don’t have specialist IT professionals on staff. All of these benefits, among many others, combine to give you an incredible virtual experience that runs on the highly secure Microsoft Cloud.

What You Need To Know About Windows 365 Lifecycle

Organizations rely on countless products to optimize the productivity of staff members. These products can come from different vendors, so it’s extremely important to guarantee the quality of these tools. And when there is a lifecycle policy available, like with the Windows 365 lifecycle, organizations can be confident. They can be certain that the products they are purchasing have been rigorously tested, are built extremely securely, and will meet any necessary compliance and security regulations. With Windows 365, clients know that they are using a product that meets all of the above and can perform to very high standards.

Windows 365 Lifecycle Policies

Microsoft gives its customers products that come with industry-leading lifecycle policies. These ensure that when purchasing a product, you’ll be receiving something with consistent, transparent, and predictable guidelines for software support and servicing.

And these policies are valid for all Microsoft customers regardless of where they are across the globe. However, it’s important to remember that how these policies are used will depend on the regulatory requirements in other countries. Also, the application of these policies may differ according to the industry sector.

The level of quality that customers get is a result of the development process. Microsoft applies rigorous methods when developing these Windows 365 lifecycle policies. In addition to the specialists at Microsoft, the process also involves customers, partners, and analysts to produce a policy that meets all expectations.

Because of this, customers can plan better and manage their support requirements effectively. Microsoft provides Fixed Lifecycle policies for products that have defined end-of-support dates at the time of release. Then, for products that will receive continuous support and servicing, there are Modern Lifecycle Policies.

Fixed Windows 365 Lifecycle Policy

This type of policy is aimed at plenty of commercial and some consumer products. Customers can acquire these through retail purchase and/or volume licensing. It is a policy that offers:

  • A defined support and servicing lifecycle timeline at the time of product launch.
  • Support that may require you to deploy the latest Service Pack or update in order to receive it.

Modern Windows 365 Lifecycle Policy

This type of policy is designed for products that will be serviced and supported continuously. However, there are certain conditions that need to be met for products and services to remain in support. These requirements are as follows:

  • It will be the customer’s responsibility to ensure that they stay current. This includes servicing and system requirements that are defined for a particular service or product.
  • Customers also need to verify that they are licensed to use the service or product.
  • It’s also necessary to check that Microsoft currently offers support for that service or product.

Microsoft provides a modern lifecycle policy for Windows 365. This ensures Cloud PC users will have a great product that has continuous support.

The Cloud PC lifecycle

Microsoft has developed a setup whereby Windows 365 will coordinate and manage the lifecycles of all Cloud PCs. And due to the fact that Cloud PCs exist only in the cloud, the management of their lifecycles will be significantly easier than that of physical Windows devices. The lifecycle of the Cloud PC comprises 5 stages which are:

  1. Provision
  2. Configure
  3. Protect
  4. Monitor
  5. Deprovision

Provision

In keeping with the goal of making things simple, Windows 365 provides clients with an optimized experience for Cloud PC deployment. Microsoft has integrated the admin experience for setting up deployments into the MEM admin center.

The provisioning process will prove to be easier than one may imagine because it is an automated one. All you need to do is assign a Windows 365 license to a user. Then, add them to a group targeted with a provisioning policy, and the provisioning of the user’s Cloud PC will proceed automatically. The process will:

  • create a Cloud PC virtual machine.
  • set it up for the end-user.
  • perform any other necessary tasks to ready the Cloud PC for use.
  • send access information to the user.

A simplified admin experience

What Microsoft has done is create a simplified admin experience that makes the provisioning much simpler and more straightforward. Once you’ve finished providing a few configuration details, Cloud PCs will be automatically provisioned for all users who have a Windows 365 license and matching configuration details.

Because this process is a one-time per user and per license process, a user and license pair can only have a single Cloud PC provisioned for them. The complete process is going to follow the steps below:

  • Starts with the creation of a provisioning policy to manage access to the Cloud PCs. Provisioning policies are key to the entire process as they are responsible for building, configuring, and availing Cloud PCs to end-users. Each policy requires you to provide details regarding the on-premises network connection, the image used to create each Cloud PC, and an Azure AD user group.
  • Assignment of a Windows 365 license to users in the Azure AD user group will begin the provisioning process. The provisioning of the Cloud PC will be carried out automatically by Windows 365, which will then send the necessary access information to the user. The automation is going to proceed in 3 phases that will be invisible to the administrator.
  • The last part of the process involves the end-user receiving the necessary access information. This will allow them to sign in to the Windows Cloud PC from anywhere.

Configure

As for Cloud PCs, they need to be configured and secured similarly to any other endpoint in your environment. Microsoft integrates configuration into the provisioning process thus making it simpler. Every Windows 365 Cloud PC will either be:

  • Azure AD joined or
  • Hybrid Azure AD joined.

Azure AD joined devices can be deployed by any organization regardless of the size or sector of a business. Moreover, Azure AD join will work in hybrid environments. This gives you access to both cloud and on-premises apps and resources. These devices can be signed into using an organizational Azure AD account.

To enhance the security of corporate resources, access can be controlled depending on the Azure AD account as well as the Conditional Access policies that govern the device. You also get Mobile Device Management (MDM) tools. These include Microsoft Intune and Microsoft Endpoint Configuration Manager. Admins can use both to enhance security and establish greater control over Azure AD joined devices.

Great for hybrid organizations

Hybrid Azure AD joined devices are joined to your on-premises Active Directory and registered with Azure Active Directory. This scenario can be a good option for hybrid organizations that already have on-premises AD infrastructure. The hybrid Azure AD joined devices can be signed into with organizational accounts. This works by using a password or Windows Hello for Business for Win10 and above. The key capabilities available include:

  • Configuration Manager standalone or co-management with Microsoft Intune
  • SSO to both cloud and on-premises resources
  • Conditional Access through Domain join or through Intune if co-managed
  • Self-service password reset and Windows Hello PIN reset on lock screen.

Once the Cloud PCs have been joined they will then be enrolled into Microsoft Endpoint Manager. Because of this enrollment, every Cloud PC will be instantly ready for Azure AD Conditional Access and for management through Microsoft Endpoint Manager, including co-management if necessary.

Microsoft Endpoint Manager plays the vital role of applying compliance policies, which let you verify that your Cloud PCs are compliant. Understandably, when it comes to cloud computing, security is of very great concern. Windows 365 does a great job of addressing that through the optimized security baseline that is available for Cloud PCs. Leveraging this baseline would be a good way to securely configure your Cloud PCs with minimal overhead.

However, in case you have concerns, the baseline is optional. Additionally, you’ll find that these baselines have been optimized to ensure that remote connectivity won’t be affected.

Protect

The integration between Windows 365 and the rest of Microsoft 365 intends to ensure that you can secure your Cloud PCs to meet your standards. Similar to physical devices that come with Microsoft Defender for Endpoint, the Windows 365 environment will also get the same security.

Because of Microsoft Endpoint Manager’s integration with Microsoft Defender for Endpoint, your Cloud PCs will get instant protection as soon as they are provisioned. As a result, Cloud PCs get excellent security measures in place from the first-run experience.

Gallery imagery

Also, it’s worth noting that the provisioning of Cloud PCs uses a gallery image. And to further strengthen your security, the image will have the latest updates for Windows 10 through Windows Update for Business. The available features include the ability to use the endpoint detection and response capabilities of Microsoft Defender for Endpoint to determine device risk.

Similarly, you can also get protection for your Windows 365 environment through Azure AD Conditional Access. This protection comes with an option that would be of great interest to certain users whereby you can exclude Windows 365 itself from device compliance policies.

The advantage that this has is that it allows your end users access to their Cloud PCs from any supported device they choose. However, to ensure that those users are securely authenticated, Windows 365 offers multi-factor authentication, sign-in risk, and various other controls.

Updates are another key element in ensuring a highly secure Cloud PC environment. With that in mind, Windows 365 will carry out the installation of the latest quality updates using the Windows Update auto-scan ability.

It’s important to verify that your end users sign in to their newly provisioned Cloud PCs as soon as possible so that the necessary updates can install swiftly. Another thing that you can do to strengthen security is to disable the clipboard and drive redirection so that you optimize data loss prevention. By disabling this feature, users won’t be able to:

  • Copy or paste information from their Cloud PCs to other unmanaged locations.
  • Save files to their personal devices from Cloud PCs.
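A way to confirm that the clipboard and drive redirection restriction is actually in effect on a Cloud PC, as an added example that is not from the article or from Microsoft’s own tooling: it reads (and, with a second function, sets) the Remote Desktop policy values that turn the two redirections off. The function names are mine, and it is an assumption that the policy you push from MEM lands in the classic Terminal Services policy key used below (fDisableClip for the clipboard, fDisableCdm for drives, 1 meaning redirection is disabled).

```powershell
# Added example (not from the original article or from Microsoft's own tooling).
# Checks, and optionally sets, the Remote Desktop policy values that turn off
# clipboard and drive redirection on a Cloud PC.
# Assumption: the MEM policy maps to the classic Terminal Services policy key below
# (fDisableClip = clipboard redirection, fDisableCdm = drive redirection; 1 = disabled).
$RdpPolicyPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RedirectionValues = @{
    ClipboardRedirection = 'fDisableClip'
    DriveRedirection     = 'fDisableCdm'
}

function Get-CloudPCRedirectionState {
    # Returns Blocked / Allowed / NotConfigured for each redirection type.
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }
    $props  = if (Test-Path $RdpPolicyPath) { Get-ItemProperty -Path $RdpPolicyPath } else { $null }

    foreach ($entry in $RedirectionValues.GetEnumerator()) {
        $name  = $entry.Value
        $value = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) { $value = $props.$name }

        if ($null -eq $value)      { $state = 'NotConfigured' }   # no policy: Windows default allows redirection
        elseif ([int]$value -eq 1) { $state = 'Blocked' }
        else                       { $state = 'Allowed' }
        $result[$entry.Key] = $state
    }
    [pscustomobject]$result
}

function Set-CloudPCRedirectionBlocked {
    # Writes both values to 1 so the user can neither paste out of the Cloud PC
    # nor save files to local drives. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $RdpPolicyPath)) { New-Item -Path $RdpPolicyPath -Force | Out-Null }
    foreach ($entry in $RedirectionValues.GetEnumerator()) {
        if ($PSCmdlet.ShouldProcess("$RdpPolicyPath\$($entry.Value)", "Set to 1 (block $($entry.Key))")) {
            New-ItemProperty -Path $RdpPolicyPath -Name $entry.Value -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    Get-CloudPCRedirectionState
}

# Usage: audit first; on a test Cloud PC, preview the change before applying it.
# Get-CloudPCRedirectionState
# Set-CloudPCRedirectionBlocked -WhatIf
```

On MEM-managed Cloud PCs the restriction should be delivered through device configuration rather than written locally, so the read-only function is the one to run at scale (for example as a Proactive Remediation detection script, which the Monitor section below covers); the setter is for confirming the effect on a single test device.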

Monitor

For Windows 365 to work effectively for its users, it’s extremely important to verify that the end user gets a virtual machine that can adequately meet their needs. To aid in this operation, Windows 365 integrates with the Endpoint analytics in Microsoft Productivity Score.

These analytics are important for providing you with insights that allow you to measure how your organization is working as well as the quality of the experience that you are delivering to your users.

Leveraging the data on offer can help you identify policies or hardware issues that are causing problems for end users such as long boot times or other disruptions. All of this generally stems from IT not having enough feedback or visibility into the end user experience.

So to resolve this, Endpoint analytics aim to improve user productivity while simultaneously reducing IT support costs thanks to the provision of insights into the user experience.

Additionally, Endpoint analytics gives you a measurement of the compute and memory load on your Cloud PCs. Following this, you can use Windows 365 to resize those Cloud PCs so that they can meet the needs of different users and their apps.

A seamless experience

Along with other device actions, the resize is available in Microsoft Endpoint Manager. And setting it up this way allows you to have a seamless experience between your Cloud PCs and other endpoints.

Another tool that you can use to enhance Cloud PC monitoring and remediation is Proactive Remediation. These remediations are script packages that can detect and fix common support issues on a user’s device before users even realize there’s a problem.

By using these remediations, you can vastly improve the end user experience as well as reduce the load on support staff. They are also very flexible so you can schedule them to run hourly, daily, etc. Not only that but you can create your own script packages to perfectly meet your requirements.

Alternatively, you can deploy one of the provided script packages that should help you in reducing support tickets. Ultimately, by using Proactive Remediation, you can extend the built-in Microsoft 365 optimizations that are provided by Windows 365. These optimizations include ones for a heterogeneous IT environment.

Deprovision

Now and again a situation may arise that may require you to revoke a user’s Cloud PC access. And Windows 365 provides you with a couple of remedies. You can use these to remove anyone’s access.

The first method you can use involves removing the user’s license or targeted provisioning, after which the Cloud PC will transition into a seven-day grace period. The potential benefit of this option is that it allows for errors and reinstatement in a way that does not affect the user.

Alternatively, if you need to block access immediately, you can disable the user account in the on-premises Active Directory. You can additionally revoke the user’s refresh tokens in Microsoft Azure Active Directory.

So, at the expiration of the seven-day grace period, Windows 365 will then deprovision the Cloud PC and its storage completely. The encryption of Windows 365 Cloud PCs using server-side encryption in Azure Disk Storage (platform-managed keys) helps to ensure that the devices deprovision securely.

However, if you find yourself in a situation whereby you determine that removing a user’s license was the right course of action and not a mistake, then you don’t need to wait out the seven days.

Windows 365 allows you to proceed with your action by clicking on the In Grace Period state and then selecting End Grace Period. Consequently, this will transition the Cloud PC to the state of Deprovisioning while the Cloud PC is deleted.
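The deprovisioning steps above as one scripted procedure, as an added example that is not from the article or from Microsoft’s own tooling: removing the user from the group targeted by the provisioning policy starts the seven-day grace period, and an -Immediate switch additionally disables the account (on-premises AD for hybrid users, Azure AD otherwise) and revokes refresh tokens. The function name and the provisioning group name are mine; the cmdlets are the Microsoft Graph PowerShell and ActiveDirectory module ones.

```powershell
# Added example (not from the original article or from Microsoft's own tooling).
# Revokes a user's Cloud PC access the way the article describes:
#   1. leave the provisioning group -> Cloud PC enters its seven-day grace period
#   2. (-Immediate) disable the account at its source of authority
#   3. (-Immediate) revoke refresh tokens so existing sessions cannot renew
# Requires Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups
# and, for hybrid accounts, the ActiveDirectory module.
function Revoke-CloudPCUserAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Display name of the Azure AD group targeted by the provisioning policy (assumed unique)
        [Parameter(Mandatory)][string]$ProvisioningGroup,
        # Also block sign-in right away instead of only starting the grace period
        [switch]$Immediate,
        # Hybrid user: disable the on-premises AD account (source of authority) instead of the cloud object
        [switch]$OnPremisesAccount
    )

    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All' | Out-Null

    $user  = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, OnPremisesSamAccountName
    $group = @(Get-MgGroup -Filter "displayName eq '$ProvisioningGroup'")
    if ($group.Count -ne 1) { throw "Expected exactly one group named '$ProvisioningGroup', found $($group.Count)." }

    # Step 1: remove from the provisioning group (starts the grace period, reversible)
    $isMember = Get-MgGroupMember -GroupId $group[0].Id -All | Where-Object Id -eq $user.Id
    if ($isMember -and $PSCmdlet.ShouldProcess($user.UserPrincipalName, "Remove from '$ProvisioningGroup' (starts 7-day grace period)")) {
        Remove-MgGroupMemberByRef -GroupId $group[0].Id -DirectoryObjectId $user.Id
    }

    if ($Immediate) {
        # Step 2: block sign-in where the account is mastered
        if ($OnPremisesAccount) {
            if ($PSCmdlet.ShouldProcess($user.OnPremisesSamAccountName, 'Disable on-premises AD account')) {
                Disable-ADAccount -Identity $user.OnPremisesSamAccountName
            }
        }
        elseif ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable Azure AD account')) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$false
        }
        # Step 3: invalidate refresh tokens so an open Cloud PC session cannot silently renew
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke refresh tokens')) {
            Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        }
    }

    [pscustomobject]@{
        User             = $user.UserPrincipalName
        RemovedFromGroup = [bool]$isMember
        ImmediateBlock   = [bool]$Immediate
    }
}

# Usage: preview with -WhatIf, then run for real. The UPN is the sample one from the CSV above.
# Revoke-CloudPCUserAccess -UserPrincipalName AdeleV@sampletenant.onmicrosoft.com -ProvisioningGroup 'Cloud PC Users' -Immediate -WhatIf
```

Revoking refresh tokens matters even after the account is disabled, because an already-issued token can otherwise keep an existing session alive until it expires; once the grace period ends, ending it early from the In Grace Period state in MEM, as described above, is still a console action and is intentionally left out of the script.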

Cloud PC operating systems

As I’ve already gone over above, Windows 365 lifecycle policies govern operating systems’ servicing and support. And this also includes end of support. When we talk of lifecycle we are referring to the period during which Microsoft provides support for the operating system as well as releases regular security updates.

Also, we find that not all products share the same lifecycle timeline. The lifecycle timeline of each product will be determined by its respective lifecycle policy. And this will also be consistent by product family for new and future versions. With the older products, however, lifecycle timelines may differ so there will be a need to verify the necessary information.

Windows 365 Cloud PCs run on the Windows OS and are therefore governed by the Microsoft 365 Lifecycle Policy. When the operating system on a Cloud PC eventually reaches the end of support, it will no longer receive security updates, non-security updates, and assisted support.

Image status

Windows 365 keeps all necessary end-of-support information up to date in Microsoft Endpoint Manager. There the information will be located on the Provisioning policies page under Image status. Below is information you can use to verify whether the OS on the image within each provisioning policy is supported or not.

Image status – Supported
  • Gallery image: This lets you know that the Cloud PCs that have been created using this policy have a Windows operating system that is supported by Microsoft and can thus receive updates.
  • Custom image: Same as gallery image.

Image status – Warning
  • Gallery image: In this scenario, the OS would have expired within the previous six months. So the Cloud PCs that were created using this policy have an OS that is no longer supported. Because of this, those Cloud PCs are extremely vulnerable and don’t benefit from security updates.
  • Custom image: Same as gallery image.

Image status – Unsupported
  • Gallery image: The Cloud PCs created using this policy would be running a Windows operating system that hasn’t been supported for over six months. So this is a policy that can no longer be assigned to any users. Consequently, you will need to resolve the issue by updating the OS image in the provisioning policy to an image with a supported OS. All Cloud PCs that were created using this policy are vulnerable and no longer receive security updates. Furthermore, they cannot be provisioned or reprovisioned. If you were to attempt to provision a Cloud PC using this policy you would not be successful and face a Windows Image out of Support message.
  • Custom image: Not applicable.

You can also find the status values for custom images under the OS support status column on the Device images page. Once we get to the end of support date, you’ll no longer be able to select gallery images that use the expired OS for newly created provisioning policies. In addition, those images also won’t be available for use when editing existing provisioning policies.

Wrap Up on Windows 365 Lifecycle

As with all Microsoft products and services, Windows 365 is governed by a Lifecycle policy enabling the delivery of industry-leading service to clients. In a world of rapidly increasing cybercrime, organizations are looking for products and services that get excellent support and regular security updates.

And as more and more organizations are migrating to the cloud and adopting Windows 365, the modern lifecycle policy that governs Windows 365 takes on even greater importance. It gives you a clear picture of what to expect from the provisioning of your Cloud PCs all the way to the deprovisioning protocols.

Leveraging the support that Microsoft provides will help your organization to run a more streamlined IT environment. Coupled with the ease with which you can deploy Cloud PCs to your users, this clearly highlights the principle of simplicity that Windows 365 is known for most. So, for any organizations that are considering a cloud computing environment, one such as Windows 365 would be a great option to consider.

Understanding Windows 365 Government

The interest in cloud computing technology has grown significantly over the last few years. Although it has been around for at least a couple of decades, a lot of businesses simply lacked interest in adopting the technology.

But, since the COVID-19 pandemic, many now recognize just what value cloud computing brings to their organizations.

Among the many potential benefits, it can enhance the security of your corporate data, it can reduce IT expenditure, and it can also contribute to greater employee satisfaction. As a leader in this space, Microsoft wants to offer clients a platform that can deliver the best of cloud computing. And this is where Windows 365 comes in.     

What is Windows 365?

Windows 365 is a service that Microsoft designed to offer clients an operating system on the cloud. This means that you can stream a Windows 365 PC to your PC, tablet, or even mobile phone. According to Microsoft:

“Windows 365 is a cloud-based service that automatically creates a new type of Windows virtual machine (Cloud PCs) for your end users. Each Cloud PC is assigned to an individual user and is their dedicated Windows device. Windows 365 provides the productivity, security, and collaboration benefits of Microsoft 365.”

So, what that ultimately means is that all those that are subscribed to the Windows 365 service will get access to all Microsoft apps and can access them using the Cloud PC on their device of choice. This allows Microsoft to address the growing need for hybrid work models as well as a platform that can offer flexible access to the Windows operating system.

And Microsoft assures prospective clients that their data will be extremely secure regardless of what device an individual may be using or where they may be working from. This is because all processes run on the highly secure network of Microsoft servers.

How it helps

As a result, your IT environment gets an excellent degree of protection that comes with all the benefits of the Windows Enterprise model.

Microsoft offers Windows 365 under two subscription models. Windows 365 Business which is aimed at organizations with 300 employees or fewer, and Windows 365 Enterprise which is meant for much larger organizations.

However, it’s worth noting that these two models both have the same range of features. As far as configurations go, we get twelve Windows 365 Cloud PC configurations with the cheapest one offering one vCPU, 2GB RAM, and 64GB storage, and setting you back $20 per user per month. At the other end of the spectrum, users that perform compute-heavy tasks have the option of purchasing a subscription that gives them 8 vCPUs, with 32GB RAM, and 512GB storage for $158 per user per month.

Analyzing Windows 365 Government

Microsoft wants to ensure that its Windows 365 Cloud PC offering is available to all organizations that require it. And this includes the federal government of the US. With this service, US government users can have Cloud PCs automatically created for them.

As a version of the Cloud PC designed for federal employees and contractors, Windows 365 Government will be offered for Government Community Cloud (GCC) and Government Community Cloud High (GCC High). According to Microsoft, this offering provides a full Windows 365 experience designed to meet the extremely high security and compliance requirements of the US government.

This will allow US government users to benefit from the power and security of the Microsoft Cloud to enhance the user experience through flexibility and innovation.

A better line of support

This service is going to extend to US government agencies, contractors, partners (State, Local, Federal Civilian, Defense), and native Indian tribes (US only). The users who will have access can stream their Windows apps, data, content, and settings from the Microsoft cloud to any supported device at any time in an extremely secure environment. Microsoft promises to deliver the complete Windows experience by offering the following advantages:

  • Personalization – you can easily stream all your apps, content, and settings to any supported device from the Microsoft cloud.
  • Powerful – Microsoft makes a point of emphasizing that the Cloud PC is a scalable service that brings you the complete Windows 10 experience on the device of your choice. And as of December 2022, clients will also have the option of Windows 11.
  • Simplicity – potential clients can provision and deploy Windows on a Cloud PC at their convenience using either Microsoft Intune or going through windows365.microsoft.com.
  • Secure – the Cloud PC already has some great security benefits but those will be even further enhanced with the new security features that you can expect to get with Windows 11.

As one would expect, the cloud environment that US government users have access to is understandably different from what’s available to other organizations. For most other organizations, there is Microsoft 365 Commercial which is the standard Microsoft 365 cloud.

This is where we will find Enterprise, Business Essentials, Academic, as well as home Office 365 tenants. It comes with a comprehensive list of tools and features, widespread availability across the globe, and a very competitive pricing model. As far as the Government Community Cloud is concerned, we can look at it as a version of the commercial environment specifically designed for government use.

Unique differences

We’ll find that the majority of the features available are generally the same. But the biggest difference is that in this case, the data centers are only present in the continental United States. This is so that the environment complies with FedRAMP Moderate and adheres to the following requirements:

  • DFARS 252.204-7012 (As of February 2021 Microsoft will now attest to compliance)
  • DoD SRG Level 2 (with no provisional authority)
  • FBI CJIS (Criminal Justice Information Services)
  • FedRAMP High

Importance of the Government Community Cloud

The government cloud environment has to meet stringent security and compliance requirements some of which do not apply to the commercial environment. This is why Microsoft has found it necessary to create several, different cloud environments that can meet the various needs of the US government. Therefore, we find that there are 3 types of government clouds that Microsoft offers. These are:

  • Government Community Cloud – this particular type is ideal for local, civilian, and federal government agencies.
  • GCC High – this type is similar to the previous one but is for highly classified government users as well as those that they have business dealings with.
  • DOD cloud – this one is a level higher than GCC High and is specifically for intelligence agencies.

Microsoft has several cloud services and solutions that uniquely serve government employees. These are the services that we’ll find:

Microsoft Azure Government

This cloud gives you a platform designed with the key principles of security, privacy and control, compliance, and transparency at the heart. Because of this, government entities will benefit from a physically isolated instance of Microsoft Azure. It provides the highest level of security services to ensure that US government systems and applications can run seamlessly.

There are hundreds of different services available for businesses, organizations, and agencies that are looking for cloud computing services. Among these services, there are full virtual machines, services for mobile and web apps, file storage, backups, and databases to name a few.

What Microsoft Azure offers organizations is the ability to leverage the resources provided by the vast network of highly secure Microsoft servers. Doing this eliminates the need to host your own infrastructure. In turn, it could come at great expense to both purchase and maintain.

By using Azure, on the other hand, you can pay for what you need and no more. And if the need arises to scale your environment, then you don’t need to worry about purchasing even more hardware to do so.

With Azure, organizations can host email servers, user directories, and web servers. Additionally, they can accommodate databases, virtual machines, and file storage servers among other things. Taking advantage of what Azure has to offer brings a host of benefits. It means that organizations can basically hire a very secure data center that doesn’t cost as much as on-premises infrastructure.

Office 365 US Government

Office 365 is undeniably one of the key productivity tools for plenty of organizations. And Microsoft ensures that this service is also available to the US government. The Microsoft 365 for US Government Cloud offering for clients will include Windows 10, Office 365, and Enterprise Mobility + Security features for US government customers.

Additionally, to cater to the varying needs of different organizations, Microsoft offers several versions of this service. This means that educational institutions, nonprofits, customer service employees, and more can all get a version that meets their needs. It also goes without saying, the service is built to adhere to the strict security and compliance requirements of the US government.

Microsoft makes this service available to various organizations including tribal entities and governments at the local, state, and federal levels. Those in defense can benefit from Office 365. They also work with entity contractors who can also benefit greatly from using Office 365 for US Government.

Dynamics 365 Government

The US public sector has a large number of very unique requirements that are constantly changing. So, to cater to the needs of qualified US government entities Microsoft came up with Microsoft Dynamics 365 Government. This service represents the continuing progress of the highly protected environment that was previously named Microsoft CRM Online Government. With the evolution of the service, Microsoft offers protections to the government community cloud in the form of eight separate functions:

  • Customer Service
  • Customer Voice
  • Field Service
  • Finance
  • Guides
  • Omnichannel Engagement Hub
  • Project Service Automation
  • Remote Assist on HoloLens or HoloLens 2
  • Sales
  • Supply Chain Management

The service is available for several different organizations including the following:

  • Federal, state, local, tribal, and territorial government entities in the United States.
  • Private organizations that are using Dynamics 365 Government to provide solutions or services to various government entities.
  • Private organizations that deal with customer data and use Dynamics 365 Government to meet the government’s regulatory requirements.

Familiar experience

One of the best things about Windows 365 Government is how it aims to offer the same Windows experience. Government users can expect the same service that all other clients are used to. When using this platform, all Cloud PCs will be provisioned within a US government data center.

But, for those familiar with the Cloud PC, the experience will remain largely the same. If you’ve already experienced Cloud PCs in the commercial cloud, you’ll already be familiar with it. The experience you’ll get in the Government Community Cloud environment will offer you familiar tools and provisioning policy configuration.

Windows 365 Government is easier

This makes getting up to speed with Windows 365 Government significantly easier. And there is no need to train users to use a completely new service. Additionally, clients that use both Commercial and GCC environments will get the convenience of using the same identities and credentials.

Cloud computing using the Windows 365 Cloud PC is meant to eliminate as much complexity as possible. Even the complexities that have been previously associated with virtualization technology are simplified. End-users get a transparent platform that is easy to use but also extremely secure.

But, using Windows 365 Government is also great for IT admins. They don’t need to worry about meeting the stringent security and compliance requirements of the US government. Ultimately, this gives Windows 365 clients a service that enables them to potentially reduce their operational costs. It effectively manages their hybrid environments as well as both legacy and modern applications.

Are all the available features supported yet?

Government users would like to know how extensive the features available for Windows 365 Government really are, especially individuals that are already familiar with the Cloud PC experience. However, it’s worth noting that there are features that aren’t as yet available. These include the following:

  • Configure installed language and region for provisioning Cloud PCs
  • Digital forensics and placing a Cloud PC under review
  • Unified dashboard
  • Virtualization-based workloads
  • Endpoint analytics support (this is supported in GCC)
  • Windows 365 Security baseline
  • RDP Shortpath for public networks
  • Windows 365 System based alerting on Microsoft Endpoint Manager for Cloud PCs
  • User initiated feedback in End User Portal and Windows 365 Web Client
  • Resize VM

How does it compare to AVD?

This is, as you would expect, one of the most frequently asked questions by people considering Windows 365. Windows 365 offers clients virtual desktops known as Cloud PCs. These come at a fixed per user per month cost whereas Azure Virtual Desktop uses a consumption-based pricing structure. Windows 365 Cloud PCs are dedicated to a single user. This is unlike AVD which is a more traditional VDI setup accessible to multiple users.

When it comes to management, Windows 365 offers a simplified system that resembles the management of physical devices. However, AVD is heavily reliant on Azure management concepts. Ultimately, what you get with Windows 365 is a platform that is built to fully enhance the user experience while AVD is geared more towards flexibility.

Setting up users

Microsoft has put in place a system that makes it relatively easy to set up users with Cloud PCs. Even when you need to onboard thousands of Windows 365 devices you aren’t going to necessarily require an entire team of admins to get the job done. One of the key areas of focus when it comes to Windows 365 is simplicity and that applies to the onboarding process as well. This means that the ease with which users can be set up allows a single admin to be able to onboard hundreds or even thousands of devices.

As Microsoft has explained, the tools available to admins and the management of Cloud PCs are very much similar to how admins handle physical devices. So even for federal government clients who want to bring their own image the simplified, accelerated onboarding process remains the same.

This holds regardless of whether you’re talking about a handful of devices or a thousand. The admin can easily upload a custom image to the provisioning policy and can then assign groups to it, with each group having a single user or a thousand.

Establishing ease of use

Windows 365 aims to make the use of Cloud PCs a simple process for all its clients. But, working in a regulated US government cloud is typically not the easiest of things. This is why Microsoft is determined to extend the ease of use of Windows 365 to its government clients. For instance, GCC customers that want their data and Cloud PCs hosted in the government cloud can use the same identity and credentials as for the commercial cloud.

So, by doing this, Windows 365 Government makes it significantly easier for clients to access their Cloud PCs on the secure government cloud. On the other hand, admins will still be able to meet the very high security requirements of the US government. Also, organizations can potentially run their operations more cost-effectively as they adopt an increasingly cloud-based approach.

End-users have their experiences made simpler because of the potential to have one identity that can authenticate both to on-premises resources as well as provide easy access to their Cloud PCs in Microsoft Azure for Government.

And users can do this through the Windows 365 portal at windows365.microsoft.com or through the remote desktop app on Windows, MacOS, iOS, and Android. There is also a recent addition to this list with the Windows 365 native client app which has recently been put in public preview and can be found in the Microsoft Store.

Looking at the admin experience

Administrators will find that the cloud-native Windows 365 architecture for GCC is delivered to customers FedRAMP compliant. This means that admins will not need to make any other configurations, thus keeping in line with the concept of simplicity. Admins can also stay in Entra (AAD) and Intune in Azure Commercial for the provisioning and administration of Cloud PCs in Microsoft Azure for Government (MAG).

Microsoft has also addressed the issue of clients who are already invested in the Microsoft Azure Commercial environment. Trying to rebuild everything in MAG would be a huge task that would probably come at a significant cost.

Therefore, Microsoft came up with the idea of a dual cloud execution that would see the identity and management planes remaining in the Azure Commercial environment. On the other hand, all the Cloud PC resources would be provisioned and accessed in the Azure for Government environment.

Management tools

One of the reasons why Windows 365 can repeatedly highlight how easy it is to use is the availability of the same tools that you use to manage physical devices. This means that end users and admins can operate in the same familiar environment that they have become accustomed to over the years.

Therefore, clients don’t need to learn how to function in a completely new environment and admins can keep the same controls and tools that they want. So, the way that you have been using tools for Endpoint Configuration Manager is going to translate to Windows 365 Cloud PCs. And this is regardless of whether you are operating in the commercial cloud or the government cloud.

Wrap Up

The modernization that we are seeing in the workplace is not only limited to the commercial sector. It goes beyond that and we can now see that government agencies are also leveraging cloud services at a faster pace than in the past.

As a result, this is having a massive impact on the way these entities operate. But, to do this effectively there is a need for a platform like Windows 365 Government that can provide the services needed for optimal operation.

Not only that but Windows 365 Government meets the stringent security and compliance requirements of the US government. This allows government entities to take advantage of the vast array of tools that Windows 365 offers to commercial entities without compromising security.

Implementing Microsoft Security Zero Trust Without Slowing Things Down

Providing employees with the possibility of working remotely is fast becoming a very attractive option for many organizations. By making use of this solution, businesses can widen the talent pool available to them and thereby increase productivity.

However, businesses still have to deal with a significantly increased cybersecurity risk. This is why a solution like Microsoft Security’s Zero Trust approach can be immeasurably beneficial to your organization.

With this solution, all individuals as well as every device will be thoroughly verified. The issue that some may have, however, is if this technology will slow operations down.

Key benefits

Before deciding whether or not Microsoft Security Zero Trust is something that you need, it’s important to know exactly what is on offer. The Zero Trust model intends to enable a strict evaluation of all access controls.

It works under the assumption that attacks can come from anywhere, including from within the network. Therefore, all users and devices that want access to the network must be authenticated, and each access request must be authorized and encrypted.

You’ll also find several preventive measures in place such as multi-factor authentication (MFA) that requires users to confirm their identity using at least two forms of evidence.

Another way that will better secure the network is restricting the access of users to only what is strictly necessary. Also, by using micro-segmentation you can separate the network into zones meaning that even in the event of an attack, any damage will be limited to a particular zone.

Furthermore, real-time monitoring will enable swift detection of potential threats and immediate implementation of remediation measures. This helps to quickly address any issues after the initial breach before it has a chance to spread throughout the network.

In addition, arguably what makes the Microsoft Security Zero Trust model this good is the ability to integrate into a broader security strategy that can address an organization’s needs and compliance requirements.

Considerations

If you have decided to implement the Zero Trust security model with Azure to protect cloud assets, infrastructure, and users, there are a few things you will need to consider:

  • Identities – you need to establish an identity management governance framework to determine authentication methods and access controls.
  • Endpoints – all devices should be properly authenticated and kept under continuous monitoring.
  • Applications – on-prem, hybrid, and cloud-native apps, as well as APIs, will require the necessary access controls and protections.
  • Data – strict protocols should be in place to secure both business and customer data.
  • Infrastructure – any security issues need to be swiftly addressed especially those to do with legacy infrastructure.
  • Networks – end-to-end encryption, traffic monitoring, and analysis are crucial to maintaining a high level of network security.

Implementation

The actual implementation of the Microsoft Security Zero Trust model is a journey. This means that you don’t have to worry about a time-consuming, complete overhaul of your existing architecture. You can carry out the process in stages thus enabling everyone from IT to end-users sufficient time to familiarize themselves with the technology.

To protect your most vulnerable assets and users, you can start with specific apps, data assets, or classes of users. In addition, Microsoft Security Zero Trust allows you to leverage existing solutions to avoid slowing you down and to make the process more seamless and less costly.

Working effectively

Keeping things working smoothly is what any organization needs to operate at maximum productivity levels. So any security solution that you employ must not affect that. Zero Trust aims to fit seamlessly into how organizations function without causing disruptions.

This is evident in the quick and automated responses that help to contain access to corporate data in case of a breach. Another feature that helps to keep things moving along is having all the policy controls in place before the data is accessed.

Also, all apps will be properly configured and kept up-to-date to enable your organization to function with little to no disruption.

Identity management

As most people are aware by now, passwords are one of the weakest links in security today. That’s before we even look at the challenges users face with having good passwords for multiple accounts.

However, with passwordless authentication, which is now generally available for cloud and hybrid environments, you can eliminate that problem. Azure AD can make the process of signing in quicker and far more secure. This can be done through the use of:

  • biometrics,
  • a tap using Windows Hello for Business,
  • the Microsoft Authenticator app,
  • a compatible FIDO2 security key from Microsoft Intelligent Security Association partners such as Yubico, Feitian, and AuthenTrend.
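
As a worked example of checking where an organization stands on the methods listed above, the following script inventories which passwordless methods each user has registered. It is an added example, not a script from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell module is installed and that the signed-in account can consent to the `User.Read.All` and `UserAuthenticationMethod.Read.All` Graph permissions.

```powershell
# Added example (not from the original post): report which users have a
# passwordless method registered in Azure AD / Entra ID via Microsoft Graph.
# Assumes: Microsoft.Graph module installed; account can consent to the scopes below.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Graph @odata.type values for the methods the post describes. Note that a
# registered Authenticator app only proves the app is set up, not that
# passwordless phone sign-in has been enabled for it.
$passwordlessTypes = @{
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'FIDO2 security key'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'Windows Hello for Business'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'Microsoft Authenticator'
}

function Get-PasswordlessReport {
    $users = Get-MgUser -All -Property Id, UserPrincipalName
    foreach ($user in $users) {
        # Every registered method for this user (password, phone, FIDO2, ...)
        $methods = Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction SilentlyContinue
        $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

        # Keep only the passwordless-capable ones, mapped to readable labels
        $found = @($types |
            Where-Object { $passwordlessTypes.ContainsKey($_) } |
            ForEach-Object { $passwordlessTypes[$_] } |
            Sort-Object -Unique)

        [pscustomobject]@{
            User            = $user.UserPrincipalName
            HasPasswordless = ($found.Count -gt 0)
            Methods         = ($found -join ', ')
        }
    }
}

# Users with nothing passwordless registered are the ones still relying on
# passwords (plus whatever MFA you enforce) and are the enrollment backlog.
$report = Get-PasswordlessReport
$report | Where-Object { -not $_.HasPasswordless } | Format-Table -AutoSize
```

Run it from an admin workstation after `Install-Module Microsoft.Graph`; the first `Connect-MgGraph` call prompts for consent to the two read-only scopes. Export `$report` to CSV if you want to track registration progress over time.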

Simplifying complexities

Dealing with the often extremely complex security solutions that are currently available can be a difficult and time-consuming task. The Microsoft Security Zero Trust approach is committed to addressing those complexities using integrated solutions that focus on the key issues.

Unlike other solutions, Microsoft wants to take a holistic approach by combining Security Information and Event Management (SIEM) tools and extended detection and response (XDR) tools. These tools, which will be developed in the cloud, will significantly enhance your posture, protection, and response.

So rather than slow you down, in this instance, these tools will actually improve operational efficiency and speed.

Wrap up

The recent spate of security breaches is clear enough evidence that organizations cannot ignore the reality. Businesses are at risk from both external and internal threat actors, hence the need for a Zero Trust approach: a solution that aims to verify all users and devices.

The benefits of leveraging this solution are plenty and reducing downtime, data breaches, and compliance failures are key among them.

You may not necessarily have to overhaul your security strategy but to ensure the confidentiality, integrity, and availability of your IT assets, then Microsoft Security’s Zero Trust model is one that you should look at integrating.

Microsoft Is Launching A New Intune Suite

Endpoint management is critical to the way that organizations can utilize and safeguard their resources. By using endpoint management solutions, IT teams can identify, monitor, and control the level of access that end users have to corporate resources. And it’s what inspired Microsoft’s new Intune Suite.

Endpoint management solutions enable IT professionals to improve the security of corporate data and significantly reduce the risk of security breaches. The importance cannot be overstated especially now when some research suggests that as a direct result of the pandemic there has been a 600% rise in cybercrime.

This is why Microsoft is looking to make changes to its array of endpoint management solutions to better cater to the needs of all organizations.

Recent developments

Microsoft has been working on improvements for endpoint management to strengthen corporate data security and increase efficiency. To that end, the company has just announced that a new suite of advanced endpoint management solutions will be launched in March 2023 together in one, cost-effective plan. This new plan has several benefits that will be offered to clients.

IT is going to be equipped with products that will improve endpoint management and also offer increased security to your hybrid workforce. This is ultimately going to deliver a better overall experience across your organization as well as increased operational efficiency. This new development is something that Microsoft had already talked about earlier this year.

The journey towards a bundled suite of advanced endpoint management solutions began with the rolling out of Remote Help for Windows. By using this service, the process of getting assistance for users on Windows devices is made easier.

Because of the integration with Microsoft Endpoint Manager, remote assistance can be rendered to managed devices. It also integrates with Azure AD ensuring that authentication and compliance information can be provided.

According to the announcement by Microsoft, in addition to Remote Help, this new bundled plan which will be introduced in March 2023 will also bring together Microsoft Tunnel for Mobile App Management, Endpoint Privilege Management, advanced endpoint analytics capabilities, and more advanced management capabilities in Microsoft Intune.

Changes are coming

There was plenty to talk about at the Microsoft Ignite 2022 but one of the key areas would have been undoubtedly to do with Microsoft Endpoint Manager. As you would have noticed by now we are talking about a new Intune suite.

And that is because Microsoft announced that going forward the Microsoft Endpoint Manager brand will be replaced by Microsoft Intune. This change is not one for the future but something that has already been implemented. If you head over to the Microsoft Endpoint Manager landing page, you’ll notice that the name Microsoft Intune has already taken over.

It would appear that as far as endpoint management development is concerned, Microsoft is looking to place greater focus on cloud services. However, it’s worth noting that Intune, Configuration Manager, and the Co-management capability will still be retained. But, Microsoft Intune will be taking over as the main platform with regard to future development. Microsoft said in its announcement:

“Today, we’re announcing that Microsoft Intune will be the name of the growing product family for all things endpoint management at Microsoft…. The name Microsoft Endpoint Manager will no longer be used. Going forward, we’ll refer to cloud management as Microsoft Intune and on-premises management as Microsoft Configuration Manager.”

Embracing the cloud

Although cloud-based services come with plenty of well-known benefits, it’s not everyone who has adopted the cloud approach. This is why Configuration Manager is still available to allow organizations to operate the way they want.

However, Microsoft continues to try and encourage migration to the cloud. And the cloud attach capability is one that is being talked about as something that could help facilitate the transition to the cloud. Most are already familiar with co-management and tenant attach so what exactly is cloud attach?

Cloud attach is a capability that allows for the enabling of both co-management and tenant attach. If your organization uses Configuration Manager, this gives you a way to have even more flexibility in managing endpoints without having to choose between security, compliance, and supporting new work realities.

Explaining the vision

Inevitably, a lot of people will be rightly wondering why Microsoft is moving in this direction. Why the need for a suite of advanced solutions for endpoint management? Well, the answer is pretty simple.

When it comes to endpoint management, Microsoft is the biggest player in the game and so there is a need to continuously improve the services on offer. The countless millions of managed devices that Microsoft is responsible for require solutions that adapt to the changing environment.

As mentioned above, cybercrime has shot up at alarming levels in recent years. So endpoint management solutions need to strive to stay ahead of the threats. Microsoft received a lot of feedback from CTOs in recent years explaining how the needs of hybrid work are changing. This is leading organizations to combine security solutions from different providers to meet the security needs of their operations. As one would expect, this complicates life for IT staff and potentially adds massive costs to your overall expenditure.

This obviously will not go over well with management. And corporate security may end up suffering if the organization fails to meet the skyrocketing costs of the necessary solutions. IT departments feel pressure to cut corners and put in place temporary measures just to try and keep operations running.

Most would probably agree that this is not an ideal scenario and is a very tedious way of operating. So the announcement by Microsoft to introduce a bundled suite of advanced endpoint management solutions comes as welcome news. Clients can get a more comprehensive solution that can do what they currently need multiple products to do.

Enhancing endpoint management

The new Intune Suite intends to allow organizations to bring together in one place all the tools needed for securing their corporate data as well as managing their endpoints. In addition, this combined service will eliminate the risks of local admin users and give clients access to remote assistance. Not to mention that IT will be thrilled to see an improvement in the health and performance of Windows endpoints. The capabilities that we’ll discuss below will potentially change your IT environment for the better.

Remote Help for Windows and Android

As I mentioned earlier, the initial version of Remote Help for Windows launched in April of this year. So what we can expect with the March 2023 release is an addition of enhancements to the Windows experience as part of the advanced management suite. The capabilities you get include ServiceNow integration that helps to provide service management incident information to Intune so that users’ technology issues can get a swift resolution.

Clients will also benefit from an improved messaging platform. It intends to simplify the process of viewing the reasons for device noncompliance, as well as how IT Helpdesk staff hear audio from the users who require remote assistance. Furthermore, there is enhanced elevation that will provide for quicker resolution. It’s especially helpful with issues that require alternate admin credentials because of the interaction with the User Account Control prompt.

Microsoft will also be looking to introduce support for Android. The addition of this capability will enable admins to serve their Frontline workers remotely with greater ease. This will offer a massive advantage to Android users because they can have any issues resolved a lot quicker. Admins can contact these users (who can also contact admins themselves), remotely diagnose the issue, and collaborate with the user to find a solution to the problem. This allows the user to quickly get back to work.

Endpoint Privilege Management

This is something that beginning in early 2023 Microsoft will be offering in public preview to clients with Microsoft Intune subscriptions. What this service will do is help you to automate and manage when workers have permission to use admin privilege for specific tasks on both Windows cloud-connected and co-managed endpoints.

According to Microsoft, by using Endpoint Privilege Management you’ll be able to give your users standard account privileges without making them local admins. With the use of these standard account privileges, users can be dynamically elevated to admin privilege for specific admin-approved tasks, based on the specific policies of your organization.

The advantage here is twofold. On one end, the organization will have a significant improvement in its security posture. And on the other end, users can become more productive. The objective is to ensure that IT admins have all the necessary tools to furnish employees of the organization with the capability to self-serve should the need arise.

To maintain a high level of security, this needs to follow Zero Trust principles hence the need for least privileged access. Furthermore, Endpoint Privilege Management will allow your organization to define the rules and parameters in Intune. Additionally, it will allow for configuration of a standard user’s permissions to be automatically elevated, be self-managed, or set to require authorization.

This is something that is going to impact operational efficiency massively by enabling users to perform tasks securely. These tasks include actions like adding approved apps, printers, or other peripheral devices. And all of this without the assistance of the IT helpdesk. Intune Endpoint Privilege Management will become generally available as part of the suite of advanced endpoint management solutions. It’s also available as an individual add-on to your Intune Suite subscription.
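
Before moving users to standard accounts as described above, it helps to know who currently holds standing local admin rights on an endpoint. The script below is an added example, not from the original post or from Microsoft’s Endpoint Privilege Management feature; it uses the built-in `Microsoft.PowerShell.LocalAccounts` cmdlets on Windows PowerShell 5.1 and assumes a baseline list of expected members that you adjust for your environment (the built-in Administrator account is used here as a constructed placeholder baseline).

```powershell
# Added example (not from the original post): baseline the local Administrators
# group on a Windows endpoint and report members that fall outside an expected
# list. Assumes Windows PowerShell 5.1 with Microsoft.PowerShell.LocalAccounts;
# run it elevated on the device being assessed.

# Constructed placeholder baseline: the built-in Administrator account. In a
# domain- or Entra-joined environment add the groups you deliberately grant,
# e.g. a tiered admin group, so they are not flagged.
$ExpectedMembers = @(
    "$env:COMPUTERNAME\Administrator"
)

function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)]
        [string[]]$Expected
    )
    # Orphaned SIDs (deleted accounts) can make Get-LocalGroupMember error on
    # some builds; continue past them so the report still completes.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $Expected -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unexpected = @(Get-UnexpectedLocalAdmin -Expected $ExpectedMembers)

if ($unexpected.Count -eq 0) {
    Write-Output "No unexpected members of the local Administrators group on $env:COMPUTERNAME."
}
else {
    # These are the accounts whose standing admin rights a least-privilege
    # rollout (such as task-based elevation) would replace.
    Write-Output "Unexpected local Administrators members on $env:COMPUTERNAME:"
    $unexpected | Format-Table -AutoSize
}
```

Individual user accounts (ObjectClass `User`, PrincipalSource `Local` or `AzureAD`) in the output are the typical candidates for demotion to standard users; group entries tell you which directory groups are being granted admin rights on the device and are worth reviewing for membership.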

Microsoft Tunnel for Mobile Application Management

Microsoft Tunnel for Mobile Application Management (MAM) is a great service that is designed to bring convenience to end-users. In an era when employees are often carrying multiple devices to separate the personal from the professional, this feature will allow employees to use just a single device.

The beauty of the service is that there is no enrollment necessary. Corporate data will remain secure without end-users having to hand over control of their personal devices to IT. I’m sure many will like this the most about Microsoft Tunnel. So for organizations, this is going to address several issues.

You can now comfortably implement BYOD policies without worrying about the security of corporate data or user privacy. Switching to a BYOD program is also financially advantageous for organizations, as they no longer need to constantly invest in corporate-owned devices.

In addition, unenrolled iOS and Android devices get secure access to on-prem apps and resources using modern authentication, Single Sign On, and conditional access. This is because of how Microsoft Tunnel for MAM extends the VPN gateway to these devices. So this will enable the users of these unmanaged devices to also get secure access to corporate resources.

Because no device enrollment is needed, the currently available capabilities of Microsoft Tunnel will be expanded. A good example of this is how Android apps won’t need integrating with any SDKs. The only exception is the MAM SDK, which is used, if desired, to auto-start the VPN for apps or to retrieve trusted root certificates.

Advanced Endpoint Analytics

Endpoint Analytics aims to help IT optimize the user experience and improve productivity. Endpoint Analytics provides insights that can help IT admins be proactive in their tasks, as well. This feature offers both IT staff and end-users a system that obtains detailed and granular data on the organization’s endpoints. Additionally, it improves insights into how the business is performing.

IT can leverage this data to provide proactive assistance to end-users. And it establishes a greater degree of working efficiency. This new suite that Microsoft is bringing to its clients will include several advanced endpoint analytics features. These seek to better equip IT to have a better analytical overview and understanding of how the end-user experience is going. And with these capabilities, the end-user experience can be optimized regardless of where the employee may be working from.

How it’s going to help

The introduction of improved drill-down capabilities is also going to help admins better cater to the needs of devices under their management. By using these capabilities, it becomes easier for IT to assess any areas that require improvement. And it will assist to prioritize targeted actions for specific people in your organization.

The insights that one can get are also invaluable for comparison purposes. For instance, some employees prefer working remotely. Organizations can take advantage of the detailed information they have to compare the experiences of workers in different working environments.

Microsoft has also talked about a new anomaly detection capability that will combine real-time visibility, AI, and machine learning. This capability intends to simplify the life of IT admins by eliminating the need to consistently monitor custom dashboards. It also eliminates complicated alert systems to assess the performance of endpoints in your care.

What anomaly detection will offer them, instead, is a system that delivers an early warning mechanism. This allows for proactive learning about user-impacting issues rather than relying on various other channels such as support for these reports. Anomaly detection helps to streamline the process and minimize any loss of productivity.

Additional benefits

This platform will enable the automatic identification of issues, including unexpected machine reboots, app crashes, and hardware and peripheral failures. It helps IT admins better analyze the issues at hand. And the anomalies are categorized based on severity and come with any relevant information. Once the information is available, IT can carry out a thorough analysis of the anomalies and implement the necessary measures.  

The new enhancements that Microsoft is introducing are going to make the organizations operate a lot more efficiently. By leveraging automations and proactive remediations, potential issues can be resolved before end-users are even aware that there’s an issue.

IT and support staff can look forward to plenty of new features in the new advanced endpoint management suite. They will be able to run customized remediation scripts on individual devices on demand and in real time, from within their troubleshooting sessions. This lets them apply instant fixes or change the device configuration to ensure devices are always performing optimally.

Wrap Up

Going forward, more and more organizations are embracing the hybrid workforce model as potentially the way to go. That’s not surprising, as several surveys show that plenty of employees want the option of working remotely.

So if organizations are going to adopt this model, as well as put in place BYOD policies, it’s essential to have endpoint management solutions that make this a viable option. And this is just what Microsoft is aiming to do with the new advanced endpoint management solutions suite. This should give IT admins everything they need for effective endpoint management in one place.

No longer will you need to stitch together products from multiple vendors that will cost you dearly. If this new suite of products delivers as promised, then organizations will have an invaluable tool to add to their arsenal.

Analyzing the Economic Impact of Windows 365 on Businesses

In 2021, Microsoft added a new product to its software portfolio. The Windows 365 Cloud PC enables users to experience a cloud version of Windows 10/11 from their personal devices. And given what we have experienced in the last few years, the value of the Cloud PC to businesses is significant with real economic impact. No longer do employees have to be confined to their physical offices.

In fact, according to a survey done by Microsoft, 73% of workers would like to maintain flexible and remote work options. But, this presents a challenge for businesses. Can a hybrid workforce be a viable option? Also, what value if any would businesses stand to gain from such a work environment?

Below, I want to go over just what Windows 365 may potentially offer your business. Not only that, but it’s also important to know how the Cloud PC compares to some of the other options.

Adopting a cloud computing model

Windows 365 is ushering in a new era of computing that is putting aside the enterprise PC for an innovative Cloud PC. The latter is highly secure and always available thus offering users a different way of approaching their work.

But, as with any new technology, there are several concerns that need to be addressed. Businesses are concerned about how they would effectively manage a hybrid workforce with employees working remotely.

And then there is the issue of security. How do you secure the corporate network when employees are using personal devices that were never meant for the office?

Then there are concerns about operational viability as well as setting up costs. What about the time it will take as well as the cost to train your staff? 

These are only a few of the very real concerns that businesses have when the issue of setting up a cloud computing environment comes up. However, Windows 365 was designed to resolve all those issues to businesses’ satisfaction.

Incorporation of significant changes

Cloud computing is not something new and plenty are already familiar with it. And because several businesses already have experience with various other VDI platforms, they will be wondering what makes Windows 365 different from the technology they already have in place. After all, why pay for another service that potentially does the same thing? But, we very quickly realize that Windows 365 is very different from traditional on-premises VDI environments.

One of the biggest selling points of the Cloud PC is its ease of use. Microsoft has designed it to be simple to set up and easy to use. You can have new employees fully set up with Cloud PCs in a matter of hours, something that could take weeks with legacy infrastructure.

You only have to look at what it takes to run on-premises VDI systems. Businesses have to purchase the necessary servers, set them up, install all the applications they require, and then go through the often long process of onboarding users.

Windows 365 just about eliminates all of that. Offering you a Cloud PC means that Microsoft alone will take care of the virtualization. Ultimately this will make the deployment of operating systems a lot faster since you won’t have to deal with the hassle of hardware and software configurations.

The automation of the various processes also means that there is no need for additional VDI expertise or resources. Microsoft will also ensure that you can scale the service as necessary to meet your organization’s needs. And as organizations start to reap the benefits of a highly productive and remote workforce, the need for a solution like Windows 365 grows even more.

The ability to customize and provision a desktop based on the users’ needs means that for the most part, it doesn’t really matter what device an individual is using. It also doesn’t matter whether it’s a corporate-owned device or a personal one. The security measures that come with Windows 365 ensure that end-users can securely access corporate resources on personal devices.

What can businesses expect with Windows 365?

The Cloud PC is designed to offer a better cloud experience than other services on the market, including traditional Windows devices. Developed for hybrid working, Windows 365 can offer the kind of flexibility that allows seamless device changes without affecting the status of the work. Not only that, but users will be happy to know that Windows 365 is compatible with other Microsoft 365 business applications. This means that you won’t miss out on your favorite apps such as Word, Planner, or SharePoint.

According to Wangui McKelvey, general manager for Windows 365, “However, the ability to work anytime, anywhere has become the new normal. All employees want technology that is familiar, easy to use, and available across devices. In the most complex cybersecurity environment we’ve ever seen, organizations need a solution that helps their employees collaborate, share, and create while protecting their data. We have the opportunity to develop the tools that enable this new world of hybrid work with a new perspective and the power and security of the cloud.”

There’s plenty to like about Windows 365: the features available benefit businesses, create significant economic impact, and make the service a game changer in the world of cloud computing. These features include:

  • Instant boot to a personal Cloud PC,
  • Clients get the full Windows experience in the cloud,
  • Clients can also stream various applications, tools, data, and settings directly from the Microsoft cloud across any device,
  • You get a choice of running either Windows 10 or Windows 11,
  • Secure by design, and fully compliant with Microsoft’s Zero Trust principles,
  • Flexible per-user, per-month pricing plans at flat subscription rates,
  • A scalable set of virtual hardware parameters that lets you adjust to changing conditions whenever necessary,
  • Fully compliant with Azure AD and Microsoft Endpoint Manager,
  • Fast setup process that provisions your Cloud PC within minutes.

Financial Windows 365 considerations

Outside of security, the economic impact and financial side of things is probably the biggest area that the Cloud PC needs to address. What sort of economic impact would adopting the Cloud PC have on your organization? According to a study by the Enterprise Strategy Group (ESG), using Windows 365 may increase your annual potential revenue by up to $14,000 per user. For smaller businesses, there is mention of a possible annual benefit of up to $7,000 per user. Undoubtedly, these kinds of figures could provide massive upturns in the performance of any business.

Now we may only be talking of potential here but those are really good numbers to look at. You also have to consider that Windows 365 can possibly lower your hardware expenses as well. Think about the costs involved in purchasing, running, and maintaining on-premises network servers. What about the cost of refreshing your hardware every now and again or providing new hires with devices? All these are costs that can be lowered when using Windows 365.

Windows 365 offers Cloud PCs at a fixed per-user/per month cost. This allows businesses to plan their budgets with greater certainty. Being able to accurately plan in advance can help increase revenue streams and decrease unexpected expenses. Below we’ll go over just what kind of security clients can expect from Windows 365. The high-end security that Microsoft has put in place means that businesses can rest assured that their data will be highly secure.

Simplified onboarding process

With traditional VDI environments, setting up new employees may take weeks. I’m sure we can all agree that this is far from ideal in a busy work environment. The beauty of Windows 365 is that deployment of Cloud PCs has been designed to be relatively easy. So much so that even if your organization doesn’t have the expertise to set up a traditional VDI it still won’t be too much of a challenge.

The process is simple and enables your business to onboard new employees with IT equipment, regardless of location, within a matter of hours. This gives users the advantage of using devices they are familiar with and thus comfortable with. While on the other hand, businesses need not worry about the security of corporate resources.

The swiftness with which employees can be onboarded can significantly reduce downtime and allow businesses to maintain productivity levels. In addition, this also makes it easier to bring on temporary workers when the need arises. Setting up temporary employees is done quickly and when their services are no longer required, access can be revoked just as quickly. So if you have seasonal workers, they can cycle on and off very easily.

Economic impacts and operational flexibility

As mentioned above, many workers have recently begun stating their desire for flexible work conditions. Plenty are choosing to work from home if the option is available to them. Windows 365 can make this a viable option for most businesses that are willing to consider it.

And accessing your PC on the cloud can even help organizations build an international workforce seeing as geographic boundaries are less of a concern with cloud computing. This can help businesses bring in the best talent regardless of location. The flexibility of Windows 365 also extends to your relationships with independent contractors.

A business won’t need to purchase company PCs for all these individuals nor go through a lengthy onboarding process. People who can benefit greatly from this include IT professionals, consultants, physicians, and countless others. Windows 365 can grant them access to your environment in a safe and as-needed capacity.

Enhanced network security with Windows 365

One of the key areas of great concern when establishing a hybrid workforce is security. How do you maintain a high level of security over corporate resources? Especially when you consider that employees may be using personal devices. But, Microsoft designed Windows 365 using Zero Trust principles. Also, it is powered by the security architecture of Microsoft Azure thus providing an incredibly secure cloud computing environment.

When it comes to the use of personal devices, Windows 365 can prevent the compromise of corporate data by configuring how those devices interact with the Cloud PC. This provides an enhanced layer of protection around the corporate network to safeguard data.

In addition, businesses need continuity strategies in case of disaster or something like the COVID-19 pandemic. Windows 365 is well placed to address these kinds of scenarios. With access to Cloud PCs, businesses will significantly reduce the risk of massive disruptions if disaster ever strikes. Microsoft has a wide distribution of data centers meaning your Cloud PCs will remain accessible and your data secure. The redundancies built into the system are designed to ensure that.

Another security issue concerns the offboarding process for employees or independent contractors. This can prove challenging especially when you have unhappy individuals in possession of expensive company devices. And when these individuals still have access to your network then your corporate data becomes extremely vulnerable.

There have been reports that have stated that 20 percent of companies have experienced breaches due to disgruntled former employees. However, with Windows 365 that is not a concern. This is because the offboarding process is swift with employees’ access to corporate resources being revoked immediately.

Windows 365 Accessibility

Microsoft offers the Windows 365 platform to both small and large businesses. There are options available that can cater to the needs of most. And the fixed price model means that businesses can find it easier to accurately predict the cost of use. Once the system is up and running, users can access their Cloud PCs from anywhere and may even use their mobile phones to do so. This means that productivity levels can be maintained when employees are traveling or working from home.

Additionally, because your desktop now resides on the Microsoft Cloud, your physical devices have slightly less value. Even if your laptop or mobile device is stolen, your desktop, as well as corporate data, will remain secure. Also, because the heavy computing runs on the cloud, users don’t need to worry about having powerful devices to run resource-intensive apps.

Certain design and engineering apps, for instance, may require a significant amount of processing power. But, with the cloud handling the processing you can take advantage of these apps on less powerful devices. And when it comes to the types of apps you can access on the Cloud PC, Microsoft has designed it such that all your apps that work on Windows 10/11 will run on the Cloud PC. So accessibility is not limited to Microsoft apps.

Localized user experience

A few decades ago English was considered the language of the internet by most. And this was understandable given how much of the early development was taking place in English-speaking regions. However, for a long time now that is no longer the case.

A lot of people across the globe are now very much active online. People from different cultural backgrounds and different languages. This means that localization of the user experience can no longer be something to consider as an afterthought. Microsoft has clients from all different continents and so it’s important to cater to the various needs.

A large part of the attraction of Windows 365 is that businesses both great and small can have options that will work for them. But, Microsoft wants to expand not only the reach of Windows 365 but the ease of use as well. To that end, Microsoft is aiming to simplify the configuration process by enabling admins to set up local language Cloud PCs easily and at first login.

Breaking the language barrier with Windows 365

This localization feature, which was announced earlier this year, allows you, when creating provisioning policies, to configure a Language & Region pack to be installed on the Cloud PCs during provisioning. Microsoft reported that there would be a selection of 38 languages to pick from.

So this creates a situation where organizations from various regions across the world can use the Cloud PC with greater ease. For any business that may have been hesitant to subscribe because of language barriers, Microsoft has addressed that.

Furthermore, those who have already provisioned their Cloud PCs can also take advantage of this feature. It has been set up to enable admins to change the configured language for any existing provisioning policies that you choose and subsequently reprovision any desired Cloud PCs.

This is going to give your admins something to be happy about as they will save a lot of time by not having to manually install language packs onto a custom image to localize Cloud PCs. All they need to do now is simply configure language settings in a gallery image. The time saved will also benefit the business as IT staff can spend more time on business-centric endeavors and aim to improve overall productivity.

Better workforce management

Windows 365 can play an integral role in helping your business improve in the area of workforce management. The features that the service provides are designed to enable you to optimize the way your business operates. As a result, you can expect to have the tools you need to put the right people in the right place at the right time to enhance your client’s experience in a way that will reflect positively on your revenue stream.

Leveraging Windows 365 can improve your use of time thus improving your efficiency and productivity. The ease of use that Microsoft has emphasized helps your employees because they don’t need to spend time maintaining the environment or resolving issues. Also, the available collaboration platforms such as Microsoft Teams facilitate instant communication and simplify working together for teams who may be in different locations.

Adapting to remote workforce management

Those communication platforms are equally important in ensuring that employees who are working remotely retain the same degree of efficiency and productivity as their peers who are on-site. As this trend of remote work continues to grow, those in leadership positions will need the flexibility to comfortably perform their management duties without missing a step.

This is why it’s so important that you can access your Windows 365 Cloud PC from anywhere on just about any device. Additionally, you can create various groups of people in Microsoft Teams so that managing people working on the same project is a lot simpler, regardless of where they or you are.

A lot of businesses are in great need of innovative solutions that can promote rapid growth without relying on massive amounts of investment. Windows 365 has this well covered. There is a wide range of options available with both Windows 365 Business and Windows 365 Enterprise.

So there’s something for everyone, from the small business trying to grow to the huge enterprise looking to streamline its operations. Because of the pricing structure, scaling up is easy and relatively affordable, allowing you to acquire more resources as your business expands.

Another thing that helps with better workforce management is the fact that Windows 365 will be responsible for software updates and new releases. This helps your business to focus its energies on critical, productive endeavors. Not only that but you can also eliminate the exhaustive and costly task of refreshing dated hardware. As long as your current hardware is compliant with the Windows 365 requirements then you won’t need to worry about your hardware anytime in the near future.

Support availability

A good part of the overall value of a service can be attributed to the support that clients can expect to receive. If a problem was to arise with your Cloud PCs you would need for it to be attended to swiftly. From the beginning, Microsoft has designed Windows 365 to be easy to use. Unlike with Azure Virtual Desktop, businesses won’t require the services of an Azure Solutions expert to configure and manage the Windows 365 environment.

Microsoft also announced that it would help clients become more proficient with Windows 365 by hosting Ask Microsoft Anything (AMA) events specifically dedicated to Windows 365. According to the announcement, these meetings would be scheduled for the fourth Wednesday of every month starting February 2022. So all clients that are using or considering Windows 365 should find these events a great source of information.

Getting support

Any questions that you have about Windows 365 will be up for discussion including questions regarding the available features, provisioning, deployment, customization, best practices, and anything else you may need clarification on. And Microsoft will have members of its engineering and product teams available at these hour-long events to help you and provide you with the answers you need. Therefore if your organization wants to get the most out of running Windows in the cloud, there’s probably no better place to get the information you need.

Another place where one can find out more about Windows 365 is the Windows 365 Tech Community. This platform can also provide great support to Cloud PC users by addressing any issues they may be encountering. But, the information available may also be of great value to businesses looking to establish a Windows 365 environment. They can get feedback from the community members regarding their interest in Windows 365.

Ease the load on IT staff

As one is going through the information that we have on Windows 365, it becomes abundantly clear that there are countless benefits for end-users. But, your IT admins will also want to know if they’ll see changes when compared to other services. And the reality is, that the ease of use principle that Microsoft applies to Windows 365 extends to your IT team as well.

From the management perspective, there is plenty to be excited about starting with the fact that there is no need to have headaches about the infrastructure you need to set up to get the Cloud PC experience. Microsoft handles that side of things. Also, admins won’t need to get certified in anything else or learn new management tools. This is because Windows 365 is designed for all organizations even those without expert IT pros on staff to be able to run it without difficulty.

Furthermore, you’ll be happy to know that the way you currently manage your physical devices with Microsoft Endpoint Manager will for the most part be similar to the management of Cloud PCs. A good example of this is that if you navigate to the All Devices list in Microsoft Endpoint Manager, you’ll see both your physical and Cloud PCs listed side by side.

Deployment and assignment

Admins will also find that the deployment process is not complicated at all. For users to get a Cloud PC assigned to them, there are pretty much just two requirements that need to be met. They need to have the necessary license in addition to being part of an Azure Active Directory Group that’s assigned to a provisioning policy.

The process starts in the Microsoft Admin Center where you assign licenses similarly to how you would for other Microsoft 365 services. You can have a licensing admin take care of this particular task. After that, you can head over to Active Users and perform the assignment. With that done, you can now give users Cloud PCs and set them up with Microsoft 365 as well.

As soon as a user is added to a group, the Cloud PC provisioning process will be launched and it won’t be long before the Cloud PC is ready for use. And with Windows 365 using a fixed price per user per month model, there’s no extra workload involving tracking, utilization, or keeping idle resources running.
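The two prerequisites described above (a Windows 365 license and membership in the Azure AD group that a provisioning policy targets) can be verified before a user is added, so that an admin knows why provisioning does or does not start. The following script is an added example for this post, not code from the original article or from Microsoft. It uses the Microsoft Graph PowerShell module that the other scripts on this site rely on. Two things are assumptions rather than facts from the article: that Windows 365 license SKU part numbers start with "CPC_", and that the beta Graph endpoint for provisioning policies exposes its group assignments under `target.groupId` when expanded with `assignments`.

```powershell
<#
Added example (not from the original post or its author). Checks the two
prerequisites for Cloud PC provisioning for a single user:
 1. the user holds a Windows 365 license, and
 2. the user is a member of the Azure AD group assigned to a provisioning policy.
Assumptions (not taken from the article): Windows 365 SKU part numbers start
with "CPC_"; the beta endpoint /deviceManagement/virtualEndpoint/provisioningPolicies
supports $expand=assignments and exposes the group as target.groupId.
Usage: .\Test-CloudPCPrerequisite.ps1 -Username user@tenant.onmicrosoft.com -Group IT -Verbose
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $Username,   # UPN of the user to check
    [Parameter(Mandatory)] [string] $Group,      # display name of the Azure AD group
    [switch] $AddToGroup                         # add the user if licensed but not yet a member
)

# Read-only scopes are enough to check; Group.ReadWrite.All is only requested for -AddToGroup.
$scopes = @('User.Read.All', 'Group.Read.All', 'Directory.Read.All', 'CloudPC.Read.All')
if ($AddToGroup) { $scopes += 'Group.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes | Out-Null

$user = Get-MgUser -UserId $Username -Property Id, UserPrincipalName
Write-Verbose "Resolved $($user.UserPrincipalName) to object id $($user.Id)"

# Check 1: Windows 365 license. The "CPC_" prefix is an assumption (see header).
$cpcLicenses = @(Get-MgUserLicenseDetail -UserId $user.Id | Where-Object { $_.SkuPartNumber -like 'CPC_*' })
$hasLicense  = $cpcLicenses.Count -gt 0
if ($hasLicense) { Write-Verbose "Windows 365 licenses: $($cpcLicenses.SkuPartNumber -join ', ')" }
else             { Write-Verbose 'No Windows 365 license assigned' }

# Check 2: membership in the group. Escape a single quote in the name for the OData filter.
$safeName = $Group.Replace("'", "''")
$groupObj = @(Get-MgGroup -Filter "displayName eq '$safeName'")
if ($groupObj.Count -eq 0) { throw "Group '$Group' not found." }
if ($groupObj.Count -gt 1) { throw "Group name '$Group' is ambiguous; use a unique display name." }
$groupObj  = $groupObj[0]
$memberIds = @(Get-MgGroupMember -GroupId $groupObj.Id -All | ForEach-Object { $_.Id })
$isMember  = $memberIds -contains $user.Id

# Check 3 (assumed endpoint shape): which provisioning policies target this group?
$policyNames = @()
try {
    $uri      = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/provisioningPolicies?$expand=assignments'
    $policies = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    foreach ($p in $policies) {
        foreach ($a in $p.assignments) {
            if ($a.target.groupId -eq $groupObj.Id) { $policyNames += $p.displayName }
        }
    }
} catch {
    Write-Warning "Could not read provisioning policies: $($_.Exception.Message)"
}

$result = [pscustomobject]@{
    User              = $user.UserPrincipalName
    HasCloudPCLicense = $hasLicense
    IsGroupMember     = $isMember
    GroupAssignedTo   = if ($policyNames.Count -gt 0) { $policyNames -join ', ' } else { '(no provisioning policy found)' }
}

# Both conditions must hold for provisioning to start, so the script refuses to
# add a user who has no license yet; -WhatIf shows the change without making it.
if ($AddToGroup -and $hasLicense -and -not $isMember) {
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Add to group '$Group'")) {
        New-MgGroupMember -GroupId $groupObj.Id -DirectoryObjectId $user.Id
        $result.IsGroupMember = $true
        Write-Verbose 'Added to group; Cloud PC provisioning should start automatically.'
    }
}
elseif ($AddToGroup -and -not $hasLicense) {
    Write-Warning 'User has no Windows 365 license; not adding to the group.'
}

$result
```

Run it with `-Verbose` first, without `-AddToGroup`, to see all three checks; a user who shows `HasCloudPCLicense` true, `IsGroupMember` true and a policy name under `GroupAssignedTo` meets the requirements the section lists, while a group with no policy found is the usual reason a member never receives a Cloud PC.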

Comparing Windows 365 and Azure Virtual Desktop

While Windows 365 may be a relatively new service, Microsoft already had another platform that offers remote desktop services. This product is, of course, Azure Virtual Desktop (AVD). Those who are familiar with AVD will be asking themselves what differences, if any, there are between the two services.

Design

With Windows 365, you get a cloud-based service that delivers a Windows 10/11 desktop to a business’s employees. Using this service eliminates the need for managing Azure infrastructure and businesses get the advantage of using existing resources. This can include things such as the Microsoft Endpoint Manager portal, your Windows OS licenses, as well as various other applications. Windows 365’s ease-of-use principle enables businesses to get a remote desktop service that is simple to use with Cloud PCs that can be set up in a matter of hours.

Azure Virtual Desktop, on the other hand, is a virtual desktop infrastructure (VDI) service that works great for multi-session use, temporary use, high-end computing, and application virtualization. AVD offers clients affordable, flexible, and scalable virtual environments. The customizability of AVD allows businesses to have greater control over their VDI environment and potentially reduce operating costs. Costs can also be reduced because you won’t need single gateway servers to manage multiple host pools and run simultaneous workloads.

Technical features

When it comes to the technical side of things, there are several differences that you need to know for you to decide which service is right for your business. Some of the differences are as follows:

  • Design – Windows 365 has been designed to be simple and easy to use whereas AVD has been designed more for flexibility.
  • Desktop – clients get personal desktops for Windows 365 and AVD (single session). For AVD (multisession) there are pooled desktops.
  • Pricing – the pricing structure for AVD follows a consumption-based model whereas Windows 365 offers a fixed per-user per-month pricing.
  • Subscription – subscriptions are customer-managed for AVD and fully Microsoft-managed for Windows 365 Business. Windows 365 Enterprise is also Microsoft-managed with the exception of networking.
  • VM SKUs – Windows 365 has various optimized options for multiple use cases. On the other hand, AVD offers any Azure VM including GPU-enabled SKUs.
  • Backup – AVD clients will get to use Azure backup services while Windows 365 users get local redundant storage for disaster recovery.

Costs and economic impact

AVD normally has virtual machines (VMs) that are dedicated to a single user. However, there is also a pooled desktops feature that enables several users to have access to a VM. Also, AVD session hosts can provide personal desktops if the need arises. Because VMs operate under your Azure subscription it means that the computing expenses are passed on to you. Your costs for using AVD are going to be based on your consumption. But, this has the benefit of allowing you to lower AVD and VM environment costs because of auto-scaling.

Windows 365 provides clients with a virtual machine that is dedicated to one user. In this case, these VMs function under a Microsoft Azure subscription meaning that the client has no computing expenses to worry about. Cloud PCs require a Windows 365 Cloud PC license and usage costs are based on a fixed per-user/per-month price plan. Unlike with AVD, auto-scaling and reserved instances won’t be an option for Cloud PCs since the cost is fixed and admins don’t have access to the VMs from the Azure portal.

Ideal user scenarios

When deciding what your business should use you need to know what kind of scenarios would be best for Windows 365. The first thing you can look at is the number of PCs you have in your IT environment. Because of the low-cost factor, ease of deployment, and lack of prerequisites, environments with only a few PCs will find Windows 365 to be a great choice.

Another consideration is organizations that currently aren’t utilizing Azure and have no plans to do so in the near future. These businesses should consider Windows 365 because of how easy they’ll find desktop assignment, not to mention that there is no administrative overhead for IT admins to worry about.

If your organization has already invested in Microsoft Endpoint Manager then Windows 365 can be a great option for your environment. The Cloud PC is also ideal for clients that would like personalized VMs with local admin rights.

Windows 365 is an ideal business solution

Azure Virtual Desktop provides a wonderful solution for those who are already familiar with VDI environments and are comfortable with them. In addition, if you need a fully customizable environment then AVD may be the way to go.

For scenarios that require a published RemoteApp application, AVD is your best choice given that RemoteApps cannot be published from Windows 365 Cloud PCs. If the number of users requiring virtual desktops frequently varies throughout the month then you may be better served with AVD. Windows 365 has fixed costs per month regardless of whether a virtual desktop has been used or not.

Windows 365 compared with Azure Virtual Desktop:

  • Control plane – Windows 365: AVD; Azure Virtual Desktop: AVD
  • Business – Windows 365: <300 Business, >300 Enterprise; Azure Virtual Desktop: personal desktop (small deployments), pooled desktops (large deployments)
  • Active Directory requirements – Windows 365: Azure AD Connect (Hybrid Azure AD supported); Azure Virtual Desktop: Azure AD
  • Compute – Windows 365: fully Microsoft managed, admins have no access to VMs; Azure Virtual Desktop: customer-managed, flexibility to configure VMs
  • Storage – Windows 365: fully managed storage, fixed pricing; Azure Virtual Desktop: customer managed, flexibility with OS disks, FSLogix profiles
  • Cost – Windows 365: fixed per-user/per-month cost; Azure Virtual Desktop: consumption-based cost
  • User profile – Windows 365: no FSLogix; Azure Virtual Desktop: FSLogix optional for single-user, mandatory for multi-user
  • RemoteApp support – Windows 365: No; Azure Virtual Desktop: Yes
  • Pooled desktops – Windows 365: No; Azure Virtual Desktop: Yes
  • Supported endpoint operating systems – Windows 365: Windows, macOS, iOS, Unix, Web, Android; Azure Virtual Desktop: Windows, macOS, iOS, Unix, Web, Android

What about VMware Horizon?

When looking at VDI solutions, another name you’ll likely come across is VMware Horizon. It is a virtualization service that can deliver desktops and apps on Windows, Linux, and macOS systems. Using this platform enables IT staff to run desktop applications and virtual machines in the data center or cloud.

They can then deliver these to employees as managed services. VMware gives you virtual machines that you can run on the VMware Cloud on AWS, Azure, Google Cloud, or other VMware partner clouds. End-users can run their VMs on various devices including PCs, tablets, and smartphones.

VMware is capable of delivering a very personalized user experience by separating desktop and application components before delivering them together when required. Below is a table that provides comparative information on all three of Windows 365, Azure Virtual Desktop, and VMware Horizon.

Windows 365, Azure Virtual Desktop, and VMware Horizon compared:

  • Platform – Windows 365: Windows, SaaS; Azure Virtual Desktop: Windows; VMware Horizon: SaaS
  • Target market – Windows 365: businesses requiring Windows Cloud PCs that are always available; Azure Virtual Desktop: IT professionals; VMware Horizon: IT professionals, app developers
  • Support – Windows 365: online; Azure Virtual Desktop: business hours; VMware Horizon: business hours, online
  • Training – Windows 365: documentation; Azure Virtual Desktop: documentation; VMware Horizon: documentation
  • Function – Windows 365: DaaS, VDI; Azure Virtual Desktop: app virtualization, DaaS; VMware Horizon: DaaS, VDI, VM, virtualization
  • Integrations – Windows 365: Microsoft Endpoint Manager; Azure Virtual Desktop: AuthPoint, Automai Robotic Process Automation, Catapult Spyglass, Liquidware, Login VSI, Microsoft Azure, Remote Desktop Commander Suite, SysTrack; VMware Horizon: AuthPoint, Commvault HyperScale X, Goliath Performance Monitor, Login VSI, Oracle Database, Remote Desktop Commander Suite, SQL Server, SecureIdentity DLP, SecureIdentity MFA, SecureIdentity PAM, SysTrack, ThinPrint, vCenter Server, vRealize Automation

Wrap up on Windows 365

There used to be a time when getting your work done meant that you needed to be at your workstation using your desktop. Then the use of laptops allowed employees to have a bit more flexibility, although it was rather limited. In the last few decades, remote desktop technology has come along in leaps and bounds. Now, we’re at a point where businesses have options that deliver desktops from the cloud. Not least of which is Windows 365.

This remote desktop service from Microsoft is built on top of existing Azure Virtual Desktop infrastructure but comes with unique capabilities of its own. The Cloud PC presents a great economic solution in a world where the workspace is evolving. Businesses can leverage Windows 365 to provide desktops for remote workers without having to invest in physical devices.

And as we have seen with some of the potential figures, making the migration to Windows 365 could significantly boost revenue. Going forward, Microsoft is taking cloud computing to a completely new level. Businesses have plenty to gain as they begin to experience the Windows desktop in a completely new way.