First announced in early 2021, Windows 365 is Microsoft’s latest product that is making waves in the domain of virtualization technology. It is a platform that has been designed to take the desktop-as-a-service experience to greater heights.

Windows 365 is built on top of existing Azure Virtual Desktop infrastructure. It provides clients with PCs in the cloud that can be provisioned from the very same Microsoft Endpoint Manager dashboard that your organization may be using to manage your physical devices and VMs.

However, unlike with AVD where the pricing is consumption-based, Windows 365 comes in two editions – Windows 365 Business and Windows 365 Enterprise. Both have fixed per-user monthly pricing. But, as with any product, It gets better with regular updates. And Microsoft just announced a few that we should definitely take a look at.

What is Azure AD Join?

When we talk about Azure AD joined devices we are referring to devices whose computer object is no longer stored in the on-premises Active Directory Domain Services environment. Rather, it is now located in Azure Active Directory.

Simply put, by using Azure AD Join you’ll be able to join devices directly to Azure AD without the need to join to on-premises Active Directory. And all this can be done while keeping your users productive and secure. Your admins can easily leverage Azure AD Join for both at-scale and scoped deployments.

In addition, you can get single sign-on (SSO) access to on-premises resources for all your devices that are Azure AD joined. But, as you can imagine, this makes a rather significant change to how IT professionals have been managing devices over the decades. So when considering Azure AD Join there are a few criteria you can look at to help you decide:

• If your goal is to adopt Microsoft 365 as the productivity suite for your users, then Azure AD Join could be ideal for you.
• Another ideal scenario is if you are interested in device management using a cloud device management solution.
• Azure AD join would also be good for those wanting to simplify device provisioning for geographically distributed users.
• Lastly, if you are planning on modernizing your application infrastructure then it’s worth considering.

Adding the ‘join’ feature

So after looking at what Azure AD Join is, it’s probably not surprising that one of the biggest requests that have been made to Microsoft regarding Windows 365 has been to simplify the onboarding process by adding this feature. And there’s great news for all admins out there.

Microsoft recently announced some Windows 365 updates. And undoubtedly the Azure AD Join Windows 365 Cloud PC support is going to draw a lot of attention. Microsoft had this to say in the announcement:

” This has been by far the most requested feature since Windows 365 reached general availability. With Azure AD Join as a Cloud PC join type option, you no longer need an existing Azure infrastructure to use the service, just your Azure AD users.”

This new feature is meant to make it easier for admins to onboard users using Azure Active Directory. As one can imagine, this is a huge development. It’s especially significant when you consider just how integral Azure AD is to Microsoft’s identity and security services.

Therefore, bringing the ‘join’ feature to the Windows 365 platform will go a long way in maintaining the theme of ease of use that Microsoft has described for its Cloud PC. Until now, the ‘join’ feature helped businesses using the on-premises version of Active Directory by functioning as a device-joining bridge.

So bringing Azure AD Join to the Windows 365 platform will enable admins to enroll devices without the need to have on-premises Active Directory. Now all you need to do is use your Azure AD users.

Localized first run experience

One of the key aspects that helps to expand the reach of Windows 365, is the assurance that clients in any part of the world can use this platform as easily as those within the United States. To that end, Microsoft is aiming to simplify the configuration process even more. They intend to do so by enabling admins to set up local language Cloud PCs easily and at first login.

Subsequently, when you’re in the process of creating provisioning policies, this new update will enable you to configure a Language & Region pack. It can be installed on the Cloud PCs during provisioning. Currently, it appears as though there will be 38 languages available.

Also, the process should be a relatively simple one. It will require you to navigate to the Microsoft Endpoint Manager admin center. There you’ll find Language & Region under Configuration where you can then proceed to select your language of choice.

What about Cloud PCs?

So what about already provisioned Cloud PCs? Well, Microsoft has made it such that provisioned Cloud PCs can also reap the same benefits. Admins will be able to change the configured language for any existing provisioning policies. This includes those that you choose and subsequently reprovision any desired Cloud PCs.

I think most admins will agree that this new feature is going to vastly simplify their lives. You no longer have to spend all that time manually installing language packs onto a custom image to l

I think most admins will agree that this new feature is going to vastly simplify their lives. You no longer have to spend all that time manually installing language packs onto a custom image to localize your Cloud PCs. Instead, all you need to do is simply configure language settings in a gallery image.

Adding more regions with Windows 365

In addition to providing organizations with local languages for their Cloud PCs, Microsoft is looking to reach more people. They plan to achieve this by expanding the regions they support.

Per the February 2022 announcement, Microsoft informed their clients regarding immediate effects the US Central region and the Germany West Central region. Both were now on the list of supported regions for Windows 365.

So for any businesses that would like to use the new features that are Azure AD Join and Microsoft hosted network, you simply head over to the Region drop-down and you’ll see these as available options.

Create a virtual network

If you intend to bring your own network you’ll need to also create virtual networks in advance in one of these new regions. This virtual network is necessary for connecting to resources in the cloud.

As you migrate compute workloads to the cloud you’ll discover that a virtual network is integral to the process. There needs to be communication among your resources but this has to happen in a secure environment. There are several ways you can use to create a virtual network including:

• Creating a virtual network using the Azure portal.
• Creating a virtual network using PowerShell.
• Creating a virtual network using the Azure CLI.
• Creating a virtual network using the Azure Resource Manager template.

Create an on-premises network connection

After you have completed the process of creating a virtual network, you’ll then need to create a new on-premises network connection with this virtual network. And what an on-premises network connection (OPNC) is, is an object in the Microsoft Endpoint Manager admin center.

This is what provides Cloud PC provisioning profiles with the required information to connect to on-premises resources. So before you get started with creating the OPNC, you’ll need the following:

• AD DNS domain name
• Organizational unit
• Configure Azure AD Connect
• AD username UPN
• AD join password

With everything now in place, you first need to find your domain name. This is simple enough with access to a domain controller. Once you know your domain name then you can proceed to validate the User Principal Name Suffix (UPN Suffix). Checking that your UPN Suffix is routable is extremely important to avoid problems later on.

Once done, you will create an Organizational Unit, allowing you to properly manage your Cloud PCs and dedicated GPOs. To perform this task, go to AD Users and Computers mmc and then head over to where you want to set your new Organizational Unit. Next, you can then either right-click an existing Organizational Unit or click where you want to create a new one.

Next, you need to ensure that Azure AD Connect is properly configured to get users synchronized with Azure AD. This you will do by opening Azure AD Connect and then selecting Configure device options.

Finally, you need to fill in the AD username UPN and the AD domain password. Then click next. On the page that then appears click Review+create. It should take no more than a few minutes to create the on-premises network connection. And if you have configured everything properly, you’ll see a “checks successful” status.

Become more proficient with Windows 365

Improving your proficiency in Windows 365 is critical to your organization taking full advantage of what the platform has to offer. Microsoft designed Windows 365 to be easy to use from the outset.

So, unlike with Azure Virtual Desktop, your organization does not need to have an Azure Solutions expert on staff to configure and manage your Windows 365 environment. The provisioning and deployment process should not present too many difficulties. And it will be even easier with the new updates that have just been announced.

Also, to learn more about Windows 365 Enterprise and utilizing these features, Microsoft has a video on Windows in the Cloud that you should explore.

In addition, to help Windows 365 clients, even more, Microsoft is going to be hosting Ask Microsoft Anything (AMA) events specifically dedicated to Windows 365. These will be held on the fourth Wednesday of every month starting February 2022. So all interested parties should make a note in their calendars for Wednesday, February 23rd at 8:00 AM Pacific Time.

Any questions that you have about Windows 365 will be up for discussion. These might include questions regarding available features, provisioning, deployment, customization, best practices, and anything else you may need clarification on.

And Microsoft will have members from its engineering and product teams available at these hour-long events. They’ll be available to help you and provide you with the answers you need.

Therefore, if your organization wants to get the most out of running Windows in the cloud, there’s probably no better place to get the information you need.

As Microsoft stated previously, the feedback that they constantly receive from clients is crucial in the creation of Windows 365. And Microsoft wants to continue in that manner as the platform continues to evolve.

To that end, Microsoft is availing a platform to us where we can forward our feedback and/or suggestions. So if you want to help further enhance Windows 365 and have ideas that you’d like to share, you can do so at https://aka.ms/W365feedback.

Wrap up

There’s no denying the impact that Windows 365 is having on the way that businesses manage their IT environments. Admins can benefit from a platform that is easy to use and provides their organization with a great virtualization experience. And one of the truly good things about the services is that Microsoft appears to be paying attention to the feedback from its clients.

This is something that is pretty much evident in the new updates that have been recently announced. By giving us Azure AD Join, Cloud PC support Microsoft simplifies the process of enrolling devices without an on-premises Active Directory. Additionally, this feature can increase the appeal of Windows 365 to those who may have been on the fence about it.

Talking of expanding appeal, having more regions supported and availing local language packages for Cloud PCs should go a long way. It allows clients from different parts of the world to have a better experience with the Windows 365 Cloud PC.

And all this will be done without burdening IT with the task of manually installing language packs onto a custom image. Windows 365 has a goal to revolutionize the virtualization domain. And with regular improvements like this, that reality is far from impossible.

Microsoft is looking to take cloud computing to a whole other level through its Windows 365 Cloud PC. Cloud computing technology has seen tremendous growth in the last couple of decades.

It has enabled organizations to operate in ways that were previously only possible in imagination. And Windows 365 was built to enhance those possibilities even further. It can give clients the Windows experience wherever they may be and on almost any device they choose.

The applications for such features can do wonders for the productivity of your organization. Many have heard about Windows 365 but still have doubts. In this blog, I’ll be going over what your organization could be potentially missing out on with the Cloud PC.

Cloud computing, explained

Before we delve into Windows 365, let’s step back a little and go over what exactly cloud computing is.

Although it’s only now gaining popularity, computing-as-a-service has existed in one form or another from as far back as five decades ago. And then in the 2000s the term ‘cloud computing’ started getting thrown about. As the need for computer resources has grown, more and more people and organizations have been making use of this service.

Over the last couple of years, in particular, plenty of people have probably heard about and used cloud computing services. Simply put, cloud computing provides you with on-demand computing services, meaning applications, servers, data storage, and networking capabilities among many others. The service will be delivered to clients via the internet for a fee that can be a fixed monthly subscription or based on usage.

So basically, rather than owning on-premises infrastructure, you can rent whatever you need. And if need be you can scale up your operations at any time. The most obvious benefit here is that as an organization you won’t have to worry about the complexities and potentially astronomical costs of purchasing and maintaining your own infrastructure.

Why Windows 365?

There are clients who may also be wondering why Windows 365? Is this not a case of Microsoft just giving us another version of Azure Virtual Desktop? Well, not exactly. Windows 365 Cloud PC may be built on Azure but they are different services and understanding those differences can help you choose what’s best for your business.

To start with, you’ll find differences in the architecture of these products. With AVD, apps and resources are run on virtual machines meaning that one PC can be used by an individual or as a pooled desktop.

Windows 365 operates completely differently on a one user:one PC basis. Another key difference is how these services are priced. For the most part, you’ll find Windows 365 offering subscriptions for a fixed monthly fee. On the other hand, AVD charges according to your monthly usage as well as the Windows version you use.

When it comes to administration then admins may be slightly happier with the flexibility that AVD offers. Using the latter, admins can configure network routers, security settings, and the storage type. But when using Windows 365, admin settings are saved on the cloud and used across all devices. They can only change if and when an administrator decides to change them.

The next point, however, goes to Windows 365. The onboarding process is a lot simpler than it is for AVD and may only take a few hours, if not minutes. Because AVD’s onboarding happens on the Azure portal, it can be a tedious process that takes weeks.

Ideal user scenarios with Windows 365

Once you have considered the differences between AVD and Windows 365, you may also want to know what kind of scenarios would be best for Windows 365. This will be key in helping you decide in which direction to take your organization.

The first thing you can look at is the number of PCs you have in your IT environment. Because of the low-cost factor, ease of deployment, and lack of pre-requisites, environments with only a few PCs will find Windows 365 to be a great choice.

Another consideration is organizations that currently aren’t utilizing Azure and have no plans to do so in the near future. For these businesses, they should seriously look into Windows 365 because of how easy they’ll find desktop assignment. Not to mention that there is no administrative overhead for IT admins to worry about.

Some enterprises may also be wary of Windows 365 because of a lack of experience with virtualization technology. They may not have the necessary in-house expertise to handle other virtualization services available. But, this is where Windows 365 makes itself even more attractive.

To start using it, you don’t need to have an expert team of IT pros who are well versed in multi-session administration. Nor do you need an in-hours pro with knowledge of profile encapsulation or auto-scaling. The easy-to-use design gives organizations a simple, uncomplicated way to deploy and manage their Cloud PCs. And they do so alongside their existing on-premises infrastructure.

Microsoft has made the administration of Cloud PCs easier by allowing IT to delegate administration to users who need it. Since Cloud PCs are personalized and designed for a single user, it makes it a lot more convenient for users to install the software they need. And it’s simpler to make configuration changes, as well.

Organizations will also find that using Windows 365 will prove more cost-effective. This is especially true when you have users who need PC access 24/7. This is because of the fixed fee structure. It means that Cloud PCs can run continuously without worrying about shutting them down to save costs.

Empower your users

One of the things that can undoubtedly improve the way that your organization operates is empowering your users. In the modern world with so much technological innovation, businesses need to leverage the best tools available to them. This can simplify the way your employees work thereby increasing productivity.

Improved flexibility with Windows 365

Windows 365 promises to provide your employees with greater flexibility. Right now if the your preferred platforms don’t enable users to be productive from anywhere using any device, it’s time to start considering other solutions. And the Cloud PC is one that can provide just what you need.

This is because users can access Cloud PCs via a modern web browser or through Microsoft’s Remote Desktop app. They can also access Windows from their PC, Mac, iPad, Android device, and more.

Doing so will enable your organization to take full advantage of the hybrid work scenario. It’s seamless because whenever you log in, regardless of your location or device, you’ll find your settings just as you left them and your work unchanged.

Not only that, but organizations don’t need to worry about having the necessary IT expertise to run a hybrid environment. This will be an added advantage because users can utilize bring-your-own-device policies to use devices of their choice.

And if you happen to be one of those individuals or businesses that prefer Microsoft software but want Apple hardware, then this will suit you perfectly. You can now get the best of both without having to sacrifice.

Network security

If your organization has already implemented a hybrid working environment, the question is how secure is your network? Do those working from home have the same level of security as those using on-prem infrastructure?

Ensuring hybrid work is as secure as possible is a key objective for Windows 365. And by storing data on the cloud and making use of Zero Trust principles, the Cloud PC offers clients very strong security.

Features such as strict authentication of all users and use of just-in-time and just-enough-access, among others are going to provide you with the kind of cyber security necessary for the complexities of the modern environment and the hybrid workplace.

What will make this even better for configuring these settings is that you can preconfigure them en masse for all users. Whether they be a handful of users or number in the thousands. By using features such as multi-factor authentication, admins can determine which accounts can log in, and how long they have access.

Furthermore, the bringing together of Configuration Manager and Intune in Microsoft Endpoint Manager creates a solid foundation for supporting Windows 365 in the hybrid configuration.

Hardware updates

Something else that will endear Windows 365 to users is that they will no longer have to constantly face the costs of refreshing dated technology. Not only is upgrading your devices a costly process, but it can be a very time-consuming process as well.

However, the Cloud PC was made to ensure that users will always have access to the latest updates, fixes, and features. All of this for a flat subscription fee. This allows you to easily upgrade or downgrade users’ Cloud PCs according to the requirements of the work they are carrying out.

Performing the upgrade is a very simple task. All an admin needs is a good, reliable internet connection. And within seconds, they can switch a user/users from a 2GB RAM machine to a 32GB RAM machine.

And as far as maintaining the configuration goes, it’s now all about a simple subscription model that can be scaled as well as distributed globally. Also, managing everything won’t be too difficult a task as you can do it directly from the Microsoft Cloud using Microsoft Endpoint Manager.

By shifting resources to the cloud, you can protect your investments. The cloud ensures that hardware specifications are Windows 11 compliant. And it prevents you from running into challenges later.

Support for Windows 11

In constantly improving the products that Microsoft wants to offer its clients, Windows 11 can give users an even better experience than before. It provides a more eye-catching layout with its new design and several new features designed to smoothen the Windows experience. Some of the features to look forward to include:

• More cohesive interface features
• Improved multi-monitor support
• Multiple desktops on a single monitor
• Translucent windows
• Enhanced touchscreen interactions
• Introduction of the Microsoft Store (to replace the Windows Store)

Beginning in October of 2021, Microsoft began offering Windows 365 Enterprise clients support for Windows 11 for all newly provisioned PCs in the available regions. And by year-end that support had been extended to all Windows 365 Business clients as well.

Windows 11 is the ideal OS for the hybrid environment. It can adapt to how you work. It’s equally, highly secure and IT won’t have difficulties with deployment and management. So as long as the hardware configuration supports it, you can optionally select Windows 11 as the operating software. Distinguishing between Windows 10 and 11 isn’t difficult because of the newly designed wallpaper that comes with Windows 11.

Benefits of Windows 11

As already mentioned, Windows 11 is the ideal OS for hybrid work environments. And it is arguably the biggest benefit. Collaboration will become easier because of how Microsoft Teams Chat and other functions have been integrated into the taskbar. And even if the person you want to communicate with doesn’t have the Teams app, you can still communicate via two-way SMS.

The new interface is also designed to be sleek, smooth, and free of distractions thus it should improve productivity. Using the same device for both work and play can sometimes prove tricky. But, you can better organize your life by creating virtual desktops with different looks and apps to cater to the different scenarios.

It follows from this, however, that you’ll need great security to protect that device. Windows 11 built-in security features will provide a high degree of encryption and malware protection.

Windows 365 enhanced security

Microsoft wants to enhance both the performance and security of Windows. To do so there are new requirements being introduced. This makes it the first service capable of delivering Windows 11 in the cloud, while also meeting the new system requirements. These include TPM, UEFI, and secure boot.

Also, all hardware requirements are supported by Windows 365 as part of the new baseline configuration for Cloud PCs. However, clients should note that the current Windows 365 Cloud PC baseline already in Microsoft Endpoint Manager also supports Windows 11. Microsoft recommends using this baseline for optimizing the security posture of your Cloud PCs.

Gallery images

For Windows 365 Enterprise, the Windows 11 image that Windows 365 Enterprise provided on October 5 2021, includes the same apps preinstalled and configured as the Windows 10 image. However, if your organization would like to create your own custom Windows 11 images then you can also do that.

• Custom images switch to Gen2 – if your business decides to use custom images instead of Windows 365 Cloud PC gallery images then you can continue doing that. But, for you to prepare a new version you are going to have to change the virtual machine type from Gen1 to Gen2 as the source image. So for your Cloud PC to be ready for Windows 11 in-place upgrades, this will need to be carried out.
• Detect your Cloud PC Windows 11 readiness via Endpoint Analytics – for those using gallery-based images, provisioning of new Cloud PCs based on Windows 11 became possible in October 2021. So for any Cloud PCs that were provisioned before then and that you would like to upgrade to Windows 11, you can:
• Make a direct transition to Windows 11. To do this you must change the gallery image from Windows 10 Enterprise to Windows 11 Enterprise + Microsoft 365 Apps. Following this, a reprovisioning of your Cloud PCs will be triggered via the Devices menu in Intune/Microsoft Endpoint Manager.
• Alternatively, you can start by reprovisioning your existing Cloud PCs back to Windows 10 Enterprise. You can then do an in-place upgrade to Windows 11 Enterprise directly or later.

Organizations that want to reprovision their Cloud PCs will find that it’s a simple and straightforward process. As long as users are assigned OneDrive licenses, their data will be automatically backed up. It’s additionally restored after the reprovisioning process.

To view whether your Cloud PC is ready for in-place Windows 11 upgrades, you can go over to the Work from anywhere dashboard in Endpoint Analytics. And if the Windows 11 readiness status of your Cloud PC reads Capable, then it means you can now perform the in-place upgrade.

Reducing costs

There is not a single company out there that would not love to reduce operating costs. And IT costs can be extremely high for a lot of businesses. This can prove to be a stumbling block especially for small enterprises with very limited budgets. Given the opportunity to get access to all the computational resources you could want, without breaking the bank, you should certainly take it. Or at least seriously consider it.

Save on data centers

Using Windows 365 can help to reduce those costs while placing almost limitless resources at your disposal. Organizations that run their own data centers can appreciate just how massive an investment it takes just to get set up.

And then there are going to be the never-ending expenses associated with the physical space. But there’s also personnel, heating, cooling, and electricity required to operate the servers, too. That’s before we even start talking about the costs related to infrastructure as well as operational data.

This is why taking advantage of the Windows 365 Cloud PC can be of immense benefit to your business. You can let Microsoft take care of running and maintaining the data centers. All you’ll need to do is pay for whatever resources you need and that’s it.

Software-As-A-Service

This is another area that businesses can take advantage of to reduce their costs even more. Your organization stands to gain by reducing the time to benefit. The SaaS model differs from the traditional one by having the application already installed and configured. So all you’ll need to do is the provisioning and after a few hours, the app will be ready.

Also, SaaS often resides in a shared or multi-tenant environment. The hardware and software costs are bound to be a lot less than the traditional model. By gaining access to software that they may not normally have because of the high license costs, smaller enterprises will benefit, especially in scaling and growing their clientele base.

In addition, you’ll also find that the costs associated with upgrades and new releases are lower than with the traditional model. This is because the responsibility for this falls entirely on the service provider.

Lower staff cost

Windows 365 is a platform that any business can utilize regardless of how small or big it is. Therefore, Microsoft has built it such that small businesses without large IT departments or expert IT pros won’t face too many difficulties.

Windows 365 enables any business to create a hybrid work environment and access Cloud PCs. They do it without having to bring in full-time IT experts to run it, too. It’s also going to allow you to develop a more streamlined staff. This will increase focus on innovation, optimization, and improving overall productivity.

Cost-efficient disaster recovery

Coming up with an effective disaster recovery strategy is a prerequisite for any business today. The challenge that businesses will face is just how much they may have to pay for such a strategy. How do you create resilience in your network without breaking the bank? Well, a great way to do it is to move towards cloud services.

With a platform like Windows 365, you can free yourself from having to use disaster recovery plans that require you to build redundancies into everything. And they drive up your expenses. Having a Cloud PC will keep your data securely on the cloud without having to purchase two of everything.

Data Security

As mentioned above, Windows 365 provides you with the best security features to ensure that your data and devices are well protected. It gives businesses plenty of reasons to migrate to the cloud. Especially given the increasing opinion that storing your data on the cloud is a safer option that may also save you money on security expenses.

When looking at your data storage on the Microsoft Cloud, it’s safe to say there aren’t too many places that even come close to that level of security. And even for organizations that may want to establish this level of security on-site, it’s not easy. Or cheap.

Most businesses simply don’t have the necessary staff or financial resources to have the kind of on-site security that companies like Microsoft can provide. Moreover, having your data stored in multiple, geo-independent data centers gives you the kind of availability that businesses need.

The distribution of data across multiple data centers and the redundancies placed in the system serve to secure your data even more. This is because if one goes down your data will remain secure and your access won’t be affected.

Another consideration you should have when discussing potential migration to the cloud is the cost of on-site physical security. To have the highest level of security for your on-premises servers, you’ll have to invest in security personnel. Many companies also use high-tech security systems, mantraps, and locked cages.

In addition, to have adequate surveillance of your data centers, you would need to have round-the-clock staff. You need people to constantly monitor for attacks while others are guarding the physical premises. As most know, this is something that will certainly require a significant capital outlay.

However, when you opt for a service like Windows 365, you need not worry about all these other factors. The company has data centers that are very well guarded and have state-of-the-art security systems in place. Therefore, your data is far more secure and the cost for that is shared across all of Microsoft’s clients.

Switching to Windows 365

Switching to the Windows 365 Cloud PC and placing your data on the cloud is also going to help boost your technical security. Most businesses, whether small companies or massive enterprises have faced issues with patching.

And there’s a good likelihood that without leveraging the power of the cloud, those issues will remain. Service providers like Microsoft are well-placed to adequately deal with those issues. They have the resources necessary to hire full-time teams dedicated to patching their products.

And with the automation of the cloud patching process, you’ll also avoid the downtime that you would otherwise face on-premises.

Still not sure?

If you are still hesitant about the cloud, how about looking at the complete segmentation of user workstations which helps to fortify your network. Cyber criminals have had a lot of success penetrating secure networks via phishing and email attacks.

By directly targeting a user workstation, a hacker has a greater chance of succeeding than if they were to attempt going through the servers. When using the cloud, user workstations are completely segmented. This means that users won’t be sitting on the corporate network where data is stored.

We all know just how important encryption is to the security of our data and communications. So all your data should be highly encrypted to keep it secure. The problem is that not all businesses have the necessary resources to provide this kind of encryption across an entire organization.

But, Windows 365 can easily provide it from the start. And this will serve to protect your data so that even in the event of data theft, the military-grade encryption that the big cloud service providers offer will still secure your information. So a hacker may have your data but it will be extremely difficult, sometimes impossible, to decrypt.

Collaboration with Windows 365

If you’ve been looking into how you can improve collaborative work within your organization as well as with other organizations, then Windows 365 is worth considering. In this modern world and especially in the last few years, finding ways to better collaborate has become a key requirement for plenty of businesses.

These days you have people on-site working on projects with those who are working remotely from home. Then you also have work that you may want to do with other companies. All this requires you to have efficient ways to simplify how you work together. And needless to say, security remains of the utmost importance.

The cloud environment encourages collaboration across teams from end users, administrators, security personnel, support staff, to any other department. They are all working on the same infrastructure allowing them all to work seamlessly without getting in each other’s way. Assigned roles and permissions enable administrators to monitor the entire network ensuring that smooth workflow is maintained.

Windows 365 is simpler

Microsoft has created a system that makes collaboration using platforms such as Windows 365 simpler and more efficient. Your organization can utilize Microsoft Teams to facilitate flexible working conditions, whether you’re in the office, at home, or across the globe.

You can create teams for various reasons, such as a team or group under the same manager or a team working on a particular project. It gives you a central storage place for data and communications.

Furthermore, colleagues can work simultaneously on a file without having to wait for someone to finish first. Using real-time co-authoring can speed up how you work and even the quality of work done.

Sharing made easy

Sharing files is also aided by making use of OneDrive features. Taking advantage of certain features means that you can share a file with peers and stop sharing it if necessary. This gives you ultimate control over who can access and edit your files.

And if you decide to share the file with more people, uploading the file to Microsoft Teams or a team site is an option. Basically with Microsoft 365, we now have the ability to work from anywhere with access to all the tools we need and use just about any device we have.

Therefore, even if I’m in a remote area somewhere with just my mobile phone, I can still join the meeting. As long as there’s internet access, I can easily attend meetings online, share Office files, co-author in real-time, and remain productive.

Seamless set up

We’ve already gone over the benefits to users and the lower expenses a business will face when using Windows 365. Even with all that, your organization is still not likely interested in anything that would take ages to set up and be complicated to manage.

Once again, the Windows 365 Cloud PC can present itself as the right option for you. One of the biggest selling points of the service is the click-and-go approach to cloud computing and virtual environments. Administrators can quickly and easily configure and assign Cloud PCs to users based on the various needs of the work they perform.

The ease with which this can be done creates an amazing scenario. Users can sign in and be ready to work within a matter of minutes. And with the fixed monthly rates that Microsoft offers, businesses can plan well in advance and easily stay within their budgets.

Increase your financial returns

Every business out there is constantly looking for ways to increase its revenue stream. You need to come up with measures that will help you to operate more efficiently, cut down on expenses, and improve your productivity.

Well, why not consider taking advantage of cloud computing? Windows 365, in particular, is tailor-made to help organizations gain access to the computational resources they need. Of course, there’s a fee. However, it enables you to operate in an ideal IT environment.

Because all the necessary heavy processing is carried out in the cloud, the device one uses to access the Cloud PC is less important. The benefit to your business is that most of the devices currently in use can remain operational for longer . This maximizes the return on your investment.

In addition, the implementation of bring-your-own-device policies means that establishing a hybrid work environment can be done a lot faster. Not to mention for a lot less. No significant capital outlay requirement is necessary. And you can have peace of mind concerning the need to frequently refresh your hardware. Instead, you can take advantage of this scenario to pour more investment into critical areas that will grow your business.

Build for the future with Windows 365

One of the headaches that businesses constantly have is the need to modernize. Keeping with innovation ensures they don’t get left behind by rapidly evolving technological advancements. So if there’s a way to invest for the future while also safeguarding those investments, you’d be interested right?

Microsoft has presented Windows 365 as a potential solution for businesses. The technology with Windows 365 will keep up with the advancements that continue to happen in the future.

Therefore, unlike with your office PCs that eventually start to have performance and reliability issues as the years go by. Windows 365 Cloud PCs won’t face the same problems.

Clients will continue to benefit from new features and updates as they are rolled out. You won’t have to worry about decreasing performance levels or spending massively to upgrade your infrastructure.

If necessary, you’ll also have the option to upgrade the version of Windows that you have installed on your Cloud PC. So with the Windows 365 Cloud PC, as the years go by you can actually anticipate a better computing experience.

Design a modern workplace

There’s no denying that the workplace has changed over the last few decades. And if there’s anything that the last few years have shown us is that the evolution will continue at a rapid rate. The global pandemic has probably accelerated the change that we have all known was coming. Most businesses have been forced to rethink how they’ve been operating and in some cases they have probably realized that adopting modern technology has had a significant impact on improving their business models. Using a service like Windows 365 can play a huge role in that. You can easily create virtual ‘offices’ and have people collaborating on work projects from different ends of the planet.

Microsoft is looking to provide organizations with modern workplace services that can improve user satisfaction, promote remote collaboration, and increase productivity. All in a highly secure environment. For instance, by using the latest generation of Office 365 features, you can securely manage business-owned devices.

In addition, you’ll be able to easily manage employee devices that fall under bring-your-own-device policies and choose-your-own-device style strategies. Leveraging the Windows 365 Cloud PC can help you to ensure that business technologies can work everywhere in a distributed workforce.

The Cloud PC offers a lot to foster the way that modern employees want to work. And the state-of-the-art security that Windows 365 provides allows the modern workplace to operate without the constant worry about security breaches.

Conclusion About Windows 365

Windows 365 has brought us a product that can revolutionize the workplace by eliminating the boundaries that have prevented businesses from creating an agile workforce. For businesses that had not been thinking about cloud computing, the pandemic may have forced their hand.

But, even if that may be the case, Windows 365 has been of immense benefit as it allows employees to work remotely without losing the collaborative and productivity benefits of teams working in the office. For other businesses, the flexibility that they can offer employees can play a huge role in attracting as well as keeping talent.

When it comes to devices, you can access the Cloud PC using almost any device. And if you happen to lose that physical device, your data will remain secure on the cloud and you won’t lose any work progress. You can simply continue where you left off when you access your Cloud PC via another device.

So for a lot of people out there, cloud computing may be something that they weren’t interested in and didn’t know too much about. But, with the experience of a platform like Windows 365, you may just find the solution that will take your business to that next level.

Cybercrime has increasingly become a very big problem. Whether you’re a small business or a multinational conglomerate. A WEF report goes so far as to say that cyber-attacks have become the fifth top-rated risk as of 2020. And Windows 365 can help.

This means that businesses need to do everything possible to safeguard their data. Security protocols need to be in place that will keep cyber criminals at bay. As some organizations can attest, a cyber attack can cost your business tens of millions of dollars.

Hence the need for Windows 365 to implement security features that will give you peace of mind. Understandably, there is concern about having your desktop in the cloud, but Microsoft has put in place measures designed to mitigate the risk of an attack on your system.

Why you should enhance security

Over the last few years, plenty of organizations have fallen victim to cybercrime. And as hackers grow bolder and more sophisticated, the cybersecurity risk to your business grows significantly. This is why you must take advantage of any and all measures that are available to you.

By implementing security guidelines, you can protect your business against a wide range of cybersecurity threats such as:

• DDoS Attack – a Distributed Denial of Service Attack happens when nefarious elements try to overwhelm your network or servers by sending large volumes of traffic. This can eventually make your network unusable.
• Malware – this encompasses a lot of elements such as viruses, spyware, Trojan horses, etc. And the danger with these is that users’ computers can become infected from downloading seemingly harmless content or attachments in emails.
• MiTM – a Man-in-The-Middle attack involves hackers intercepting data being transferred between two or more parties.
• Phishing – in this scenario, you’ll have cybercriminals sending out emails to various people hoping to get sensitive information such as banking details, social security numbers, passwords, etc.
• SQL injections – the objective here would be to insert malicious code via SQL statement and then carry out actions on data in a database to potentially steal it.

From the threats above, and these are only some of them, it’s abundantly clear why you need to leverage the security features that Windows 365 offers. This will increase your digital protection and prevent your employees from falling victim to criminals.

Moreover, by having effective security measures in place, you can increase productivity levels because malware won’t be slowing down or crashing your system. Also, having these kinds of security measures is bound to boost client confidence in your organization.

Securing your Cloud PCs with Windows 365

As most people are aware, cloud computing has many benefits that it can bring to any organization. But, it’s extremely important to follow strict cyber security guidelines to ensure you safeguard your data and applications.

Microsoft provides its clients with security advice to maintain the highest level of network security. The guidelines provided will differ slightly for clients of Windows 365 Business (designed for small businesses) and those of Windows 365 Enterprise (designed for larger businesses).

For clients of Windows 365 Business, Microsoft provides IT admins with standard IT security practices that are meant to set each user as standard users on their devices using Microsoft Endpoint Manager (MEM).

The typical process that you will need to follow is outlined below:

• The process starts with device configuration to enroll the devices in MEM using automatic enrollment.
• The next step involves the management of the Local Administrators group. This can be done using Azure Active Directory (Azure AD) or using Microsoft Endpoint Manager.
• In addition, it would be a good idea to have Microsoft Defender Attack surface reduction (ASR) rules enabled. This would be very useful because these rules are in-depth defense mitigations for specific security concerns, such as blocking credential stealing from the Windows local security authority subsystem.

When it comes to Windows 365 Enterprise, the process is slightly easier for IT admins. This is because, for the Enterprise license, Cloud PCs are automatically enrolled.

Not only that but they also get reporting of Microsoft Defender Antivirus alerts as well as optional onboarding into Microsoft Defender for Endpoint capabilities. By default, Enterprise users are automatically set up as standard users.

However, admins still retain the option to make per-user exceptions when necessary. The guidelines for users of Windows 365 Enterprise Cloud PCs are as below:

• Users should stick to standard Windows 10 security practices. This also means restricting access to your Cloud PC using local administrator privileges.
• You need to deploy Windows 365 security baselines to your Cloud PC from MEM. Furthermore, you should utilize Microsoft Defender to protect your endpoints, especially all Cloud PCs.
• Taking advantage of Azure AD conditional access is a must. With features such as multifactor authentication (MFA) and user/sign-in risk mitigation, you can significantly reduce the risk of unauthorized access to your Cloud PC.

Enhancing protection for Windows 365

Microsoft offers various security measures to aid its clients with threat protection, data protection, and device management. These features have proven to be a great way to safeguard your organization from online threats and unauthorized access. Below I’ll be going over some of the features that your business should be using to enhance security.

Multi-factor authentication

When looking for easy but very effective ways to reduce the risk of unauthorized access, multi-factor authentication (MFA) offers a great solution.

That simple step of having to provide a second verification factor to gain access can block hackers from going any further even if they have your password. And adding 2-step verification to your personal Microsoft account is an equally simple process.

Setting up MFA is going to require you to turn on Security defaults and if your subscription is new, this may already be automatically turned on. But, you can do this yourself from the Properties pane for Azure AD in the Azure portal.

Training users to use Windows 365

Another recommendation that Microsoft makes is that you should utilize the Harvard Kennedy School Cybersecurity Campaign Handbook to help develop the security awareness of your employees. This includes things such as training people to identify phishing attacks.

Furthermore, Microsoft itself has provided an article describing various actions that you should be taking to further protect your data and devices. These actions include the use of good, strong passwords, protecting your devices, and enabling security features on Windows 10 and Mac PCs. There are also a couple of articles that users need to read to better protect their personal email accounts:

•  Help protect your Outlook.com email account
•  Protect your Gmail account with 2-step verification

Use dedicated admin accounts

The administrative accounts that your organization uses for the administration of your Microsoft 365 environment have elevated privileges that can provide cybercriminals with a way to compromise your network.

Therefore, you need to use admin accounts strictly for administration purposes only. This means that admins should have separate user accounts for regular, non-administrative tasks. Microsoft also recommends:

• Setting up your admin accounts with multi-factor authentication.
• Closing all unrelated browser sessions and apps, including personal email           accounts before you sign into an admin account.
• Logging out of the browser session as soon as you complete the admin tasks.

Raise the protection level against malware

Although your Microsoft 365 environment does offer protection against malware, you can enhance that security by blocking attachments with file types that are commonly used for malware. Strengthening your malware protection in email can be done in the following ways:

• Navigating to the Microsoft 365 Defender portal and going to Email & collaboration > Policies & rules > Threat policies > Anti-malware in the Policies section.
• Go to the Anti-malware page, double-click on Default (Default), and a flyout will appear.
• Next, go down to the bottom of the flyout and choose Edit protection settings.
• Now, head over to the next page, and under Protection settings select the checkbox next to Enable the common attachments filter. Below this option, you can view all the blocked file types and if you want to add or delete file types you can select Customize file types.
• Click Save.

Ransomware protection

Ransomware is malware that is used to block your access to your computer files, systems, or networks. And the only way you’ll be able to regain access is by paying a ransom. To reduce the risk of falling victim to this kind of attack, you can create one or more mail flow rules to block file extensions that are commonly used for ransomware, or to warn users who receive these attachments in email. There are a couple of rules you can create for this:

• Macros are a common vehicle for hiding ransomware so you can warn all users to avoid opening attachments with this file type, especially from unknown senders.
• The next rule is to block file types that could be infected with ransomware or any other type of malicious software.

Stop auto-forwarding for email

This is crucial for all users because if a hacker manages to gain access to your email, they can easily exfiltrate mail by enabling auto-forwarding. And this can go on without you being aware that anything is wrong. To prevent this from happening, you can configure a mail flow rule:

• Go to the Exchange admin center.
• Head over to the mail flow category and choose rules.
• Select +, and then Create a new rule.
• You can view the full set of options by selecting More options at the bottom of the dialog box.
• Next, you can provide the settings that you want in the following table. And unless there’s a need to change, leave the rest of the settings at default.
• Select Save.

Use Office Message Encryption

In this case, the advantage is that Office Message Encryption (OME) comes with Microsoft 365 and is already set up. Using this feature will enable you to have encrypted communications. Not only in your organization but with people outside your organization as well. And it works with the popular Outlook.com, Yahoo!, Gmail, among other email services.

Utilizing this service is a great way to try and ensure that only the intended recipient/s can view a message. There are two protection options that you get with Office Message Encryption namely Do Not Forward and Encrypt. Furthermore, your organization also has the option to set up other options that apply a label to an email, such as Confidential.

Safeguarding against phishing attacks

Protection against phishing is something that will come included with Microsoft Defender for Office 365. This can help protect your organization against various types of phishing attacks especially those of the impersonation type. However, without a configured custom domain, you won’t need to do this. Creating an anti-phishing policy in Defender for Office 365 requires you to follow the steps below:

• Go to the Microsoft 365 Defender portal.
• Next, head over to Email & collaboration > Policies & rules > Threat policies > Anti-phishing in the Policies section.
• Now, navigate to the Anti-phishing page where you’ll choose + Create. After this, a wizard will be launched to guide you through defining your anti-phishing policy.
• Provide a name, description, and settings for your policy according to the given recommendations.
• When you are done reviewing all the settings, you can then proceed to Create this policy or Save.

Using Safe Links

Another way that hackers can employ to compromise your network is by hiding malicious websites in links in email or other files. Fortunately, for clients with Microsoft Defender for Office 365, you can take advantage of Safe Links. The latter is designed to offer you time-of-click verification of web addresses in emails and Office documents. Getting Safe Links only requires you to follow a few simple steps:

• Head over to the Microsoft 365 Defender portal where you’ll need to sign in with your admin account.
• Now you go to Email & collaboration > Policies & rules > Threat policies > Anti-malware in the Policies section.
• Select + Create to create a new policy or modify the default policy.

Deployment of security baselines

Every organization needs specific security controls that can help to address its cybersecurity needs. To ensure the highest level of security, Microsoft recommends using industry-standard security measures that have been well-tested.

With Windows 365 security baselines, you’ll be getting Microsoft-recommended security measures that are based on best practices and expert feedback. This will help to improve the security of your Cloud PCs because of the recommendations you benefit from. Windows 365 security baselines are going to affect the following areas:

             – Windows 10 settings: 1809

             – MDATP settings: version 4

             –  Edge settings: April 2020 (Edge version 80 and later)

Microsoft also optionally allows you to apply Windows 365 security baselines to the Azure AD groups containing Cloud PC devices in your tenant.

Security configuration deployment

Once you are ready to deploy the security configurations, you’ll follow the steps below:

1. Navigate to the Microsoft Endpoint Manager admin center and sign in. Then select Endpoint Security > View Security Baselines. 
2. Select Cloud PC Security Baseline (Preview).
3. Next, you select Create Profile and then give a name for the profile.
4. The groups of settings for the baseline you chose can now be viewed on the Configuration settings tab. If you want to view the settings in a particular group as well as the default values for those settings in the baseline, all you need to do is expand the group. And if you want to see specific settings:

– Select a group to expand and from there you can review the available settings.

– You can use the search bar to type in specific keywords so that you get results displaying only the groups that match your search criteria.

All the settings in a baseline will have default configurations for that particular baseline version. To cater to varying business needs, Microsoft gives you the option to reconfigure the default settings. You will also notice that depending on the intent of the baseline, some baselines will have the same setting but will use different default values for that setting.

• Next, go to the Assignments tab and select a device group with Cloud PCs to include. After that, you’ll need to assign the baseline to one or more groups with your Cloud PCs. You can use Select groups to exclude to fine-tune the assignment.
• After completing the above and you’re ready for deployment, go to the Review + create tab and review the details for the baseline. To save and deploy the profile click on Create.

Application of the baseline to the assigned group Is carried out immediately following the creation of the profile.

Configuring Conditional Access

Conditional Access provides organizations with a set of security measures that make it significantly more difficult for unauthorized people to access apps or data. This ensures greater protection for your users and your organization’s resources by defining certain requirements that must be met to be granted access to apps and data. Conditional Access policies can be simply defined as statements concerning what specific actions a user will need to perform to access a resource. There are two main objectives for using Conditional Access:

• Increase productivity and empower users by making it possible for them to work anywhere at any time.
• Enhance the layers of security around your organization’s resources.

However, Microsoft does not intend for Conditional Access policies to encumber the way your employees work. Therefore, you can set up access controls in such a way that they improve the security of your organization but are out of the way when not needed.

Policy assignment

You’ll need to go through the process of assigning Conditional Access policies to your Cloud PCs. This is because you won’t be getting those policies set for your tenant by default. So for you to target CA policies to the Cloud PC first-party app, there are a couple of methods that you can use. But, regardless of which option you choose, the policies will be enforced on the Cloud PC end-user portal and the connection to the Cloud PC.

The methods available are below:

• The first way would require you to go through Azure.
• And the second way would require the use of Microsoft Endpoint Manager. For this method, follow the steps below:
• Navigate to the Microsoft Endpoint Manager admin center and sign in. Select Endpoint Security > Conditional Access > New Policy.
• Next, you’ll need to provide a name for the specific Conditional Access policy that you require.
• Now you go to the New Policy tab and look under Users and groups. From there select Specific users included. With that done you now have to choose the specific user or group that you want to target with the CA policy. Depending on your particular needs you have the option to exclude certain users or groups to fine-tune the assignment.
• Go to Cloud apps or actions and choose No cloud apps, action, or authentication contexts selected.
• Select Cloud apps > Include > Select apps.
• Next, head over to the Select pane. Here you’ll have to search for and select the apps below:

• Windows 365, or you can alternatively search for cloud.
• Windows Virtual Desktop. You could potentially see it come up as Azure Virtual Desktop.

Other Considerations

Ensuring that the policy is applied to the Cloud PC end-user portal as well as the connection to the Cloud PC.is achieved by choosing both of the apps above. Choosing both of these apps is also necessary if you want to be able to exclude apps.

• Fine-tuning a policy can be performed by going over to Access controls and selecting 0 controls selected. Now, go to Grant and proceed to choose the options that you want to apply to all objects assigned to this policy.
• Before you proceed any further you may want to test the policy. This can be done by going to Enable Policy and turning the setting Report-only to Off. This will prevent the policy from being applied as soon as you’ve completed the creation process.
• All that’s left now is for you to select Create and you’ll complete the creation of the policy.

If you want to see the list of your active and inactive policies, navigate to the Policies view in the Conditional Access UI.

Managing the local admin group

Managing a Windows device is only possible if you are a member of the local administrators’ group. Because it’s a part of the Azure AD join process, Azure AD updates the membership of this group on a device. Membership updates can be customized to your liking so as to meet your organization’s needs.

Explaining the process

Connecting a Windows device with Azure AD using an Azure AD join will add the security principles below to the local admin group on the device:

• The Azure AD global administrator role
• The Azure AD joined device local administrator role
• The user performing the Azure AD join

Adding Azure AD roles to the local admin group is going to enable you to update the users that can manage a device anytime in Azure AD without modifying anything on the device. The principle of least privilege (PoLP) is very important to your overall security. To support PoLP, Azure AD will add the Azure AD joined device local administrator role to the local administrators’ group. Furthermore, users that have been only assigned the device administrator role can also be enabled to manage a device.

Managing the device administrator role

Management of the device administrator role can be handled through the Azure portal from the Devices page. The steps for the process are as given below:

1. Start by going to the Azure portal and signing in as a global administrator.
2. Now you need to search for and select Azure Active Directory.
3. Next, click on Devices which you’ll find under the Manage section.
4. And then on the Devices page, click Device settings.

If at any point, modification of the device admin role becomes necessary, you’ll need to configure Additional local administrators on Azure AD joined devices.

However, doing this will need an Azure AD Premium tenant. All Azure AD joined devices have device admins assigned to them and these admins cannot be scoped to a specific set of devices.

Additional considerations

Another thing is that any updates done to this admin role aren’t necessarily going to have an immediate impact on the affected users. For devices with users already signed in, privilege elevation will only happen when:

• About 4 hours have passed allowing Azure AD to issue a new Primary Refresh Token with the appropriate privileges.
• A user signs out and then back in again to refresh their profile. This excludes lock/unlock.
• With everything done, users won’t be listed in the local admin group, the permissions are received through the Primary Refresh Token.

However, it’s worth noting that this only applies to users who have not previously signed in to the relevant device. Otherwise, the administrator privileges will be applied immediately after a user’s first sign-in to the device.

Manage administrator privileges using Azure AD groups

Azure AD groups can be used to manage admin privileges on Azure AD joined devices with the Restricted Groups MDM policy from Windows 10 version 2004 onwards. By leveraging this policy, you’ll be able to assign individual users or Azure AD groups to the local admin group on an Azure AD joined device.

This will ultimately enable you to configure distinct administrators for different groups of devices. You should also be aware that from Windows 10 20H2, Microsoft now recommends using the Local Users and Groups policy instead of the Restricted Groups policy.

Custom OMA-URI settings

The management and configuration of these policies can be carried out through Custom OMA-URI Settings. Before using these policies, you’ll need to consider a few things:

• To add Azure AD groups through the policy you need the group’s SID and you can get this by executing the Microsoft Graph API for Groups. You’ll find the SID defined by the property securityIdentifier in the API response.
• Enforcing the Restricted Groups policy will result in the removal of any current member of the group that is not on the Members list. Therefore, enforcing this policy with new members or groups will remove the existing admins. These include users who joined the device, the Device admin role, and the Global admin role from the device. So if you want to avoid the removal of members, the latter will need to be configured as part of the Members list in the Restricted Groups policy. You can use the Local Users and Groups policy to address this limitation.
• When using both policies, admin privileges can only be evaluated for the following well-known groups on a Windows 10 device – Administrators, Users, Guests, Power Users, Remote Desktop Users, and Remote Management Users.
• For Hybrid Azure AD joined or Azure AD Registered devices, you won’t be able to manage local admins using Azure AD groups.
• The Restricted Groups policy is not entirely new and was in existence before Windows 10 version 2004. However, it did not provide support for Azure AD groups as members of a device’s local admin group.
• Azure AD groups deployed to devices with any of these policies can’t be applied to remote desktop connections. You’ll need to add the individual user’s SID to the appropriate group to manage the remote desktop permissions for Azure AD joined devices.

Note:

Windows sign-in with Azure AD supports the evaluation of up to 20 groups for admin rights. So to ensure the correct assignment of admin rights, Microsoft advises keeping the number of Azure AD groups on each device under 20. And this should also apply to nested groups.

Manage regular users

Users performing the Azure AD join are automatically added to the admin group on the device. So to prevent Azure AD from making regular users local admins, you can take the options below:

• Windows Autopilot – using Windows Autopilot enables you to block a primary user performing the join from becoming a local admin. All you need to do is create an Autopilot profile.
• Bulk enrollment – an Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Thus, any users that sign in after the device join won’t be added to the admin group.

Manually elevate a user on a device

Microsoft has also made it possible for you to manually elevate a regular user to local admin on one specific device. However, you must be a member of the local admin group to perform this. From the Windows 10 1709 update, you can do this by:

      – Navigating to Settings -> Accounts -> Other users.

      – Select Add a work or school user.

      – Enter the user’s UPN under User account.

      – Next, you then select Administrator under Account type.

Another method for adding users would involve the use of command prompts:

      – For instances where the tenant users are synchronized from on-prem Active Directory, use net localgroup administrators /add  “Contoso\username”.

      – And if tenant users are created in Azure AD, use net localgroup administrators /add “AzureAD\UserUpn”

Attack Surface Reduction

By using Attack Surface Reduction (ASR) rules, you are placing additional layers of security around all the potential vulnerabilities in your organization’s network. This will create a highly secure environment with far fewer areas that attackers can use to compromise your network. ASR rules are designed to target certain software behaviors such as:

• The launching executable files and scripts that attempt to download or run files.

• Running obscure or plainly suspicious scripts.

• Additionally carrying out activities that one doesn’t normally expect from apps during the course of everyday work.

Although some of these actions may appear in the normal running of legitimate apps, they are still risky as they attractive to attackers. So the goal of ASR rules is to limit risky software behaviors thereby enhancing your security.

ASR rules features across Windows

Attack Surface Reduction rules allow for various editions and versions of Windows:

• Windows 10 Pro, version 1709 or later
• Windows 10 Enterprise, version 1709 or later
• Windows Server, version 1803 (Semi-Annual Channel) or later
• Windows Server 2019
• Windows Server 2016*
• Windows Server 2012 R2*

* For this feature to work on Windows Server 2016 and Windows Server 2012 R2, they will need to onboard using the instructions in Onboard Windows servers.

Having a Windows E5 License is not a pre-requisite for using Attack Surface Reduction rules. But, having the E5 License will offer you advanced management capabilities including:

• The monitoring, analytics, and workflows available in Defender for Endpoint
• The reporting and configuration capabilities in Microsoft 365 Defender.

So clients with Windows Professional or Windows E3 licenses won’t have these advanced abilities. But, having these licenses allows you to use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.

Automatic enrollment

Another key thing Microsoft advises clients to secure are their Windows 365 Cloud PCs is to configure devices. It’s also best to enroll into MEM using automatic enrollment. However, to do that, you need to meet the following requirements:

• Microsoft Intune subscription (if you don’t have an Intune subscription you can sign up for a free trial account).
• You need to first create a user and create a group to complete the quickstart.

Sign in Intune in Microsoft Endpoint Manager

Start by signing in to the MEM admin center as a Global administrator. If you are using the Trial subscription, the account you use to create the subscription becomes the Global administrator.

Set up Windows 10/11 automatic enrollment

If you want to enroll both corporate and bring-your-own-devices, you’ll have to use MDM enrollment. In addition, you have to sign up for a free Azure AD Premium subscription.

1. Navigate to the MEM admin center. Select All services > M365 Azure Active Directory > Azure Active Directory > Mobility (MDM and MAM).
2. Choose Get a free Premium trial to use this feature. This enables auto-enrollment using the Azure AD free Premium trial.
3. Select the Enterprise Mobility + Security E5 free trial option.
4. Click Free trial > Activate the free trial.
5. Choose Microsoft Intune to configure Intune.
6. Go to the MDM user scope and select Some. This enables you to use MDM auto-enrollment to manage enterprise data on your employees’ Windows devices. This will configure MDM auto-enrollment for AAD joined devices and bring your own device scenarios.
7. Click Select groups > Contoso Testers > Select as the assigned group.
8. And then for data management on your workforce’s device, choose Some from the MAM Users scope.
9. Choose Select groups > Contoso Testers > Select as the assigned group.
10. And then, for the remaining configuration values, you’ll use the default values.
11. Choose Save.

Wrap Up

Cybercrime continues to unfortunately evolve into a multimillion-dollar venture for criminals across the globe. The sophisticated and often well-organized attacks have been an absolute nightmare for countless enterprises over the last few years.

This is why any business looking to take advantage of the multitude of benefits that cloud computing offers needs to look into having the best security measures available in place.

And this is why the Windows 365 Cloud PC has been such a hot topic since it was first announced last year. The potential it has for enhancing your organization’s operations is almost limitless. But, what makes it even better are the top-notch security measures that we have gone over in this blog. If nothing else, the security features you’ll have access to could be reason enough to make the jump to Windows 365.