The idea of having a desktop that you can access from just about anywhere is an incredible option to have. Not only that but you can do so using your PC, tablet, or smartphone. As can be seen by the disruptions we witnessed to business activities at the height of the pandemic, the lack of viable options can be disastrous. Hence why the Windows 365 Cloud PC has been very well received by organizations since coming onto the scene in 2021. It gives organizations a solution that they may not have had a few years back.
You can provide desktops for employees regardless of where they are working from. Be it at home or in the office, the Cloud PC remains accessible and productivity levels can be maintained.
But, the key question is how secure is Windows 365? Can the corporate network remain secure with the use of Cloud PCs?
Getting started with Windows 365
Organizations that use Windows 365 will benefit from an end-to-end connection flow for all their employees thus allowing them to work in a secure environment. Windows 365 has been designed with Zero Trust principles being integral to the security structure.
What this means is that clients have a great foundation that allows them to apply controls that help them to better secure their environments across the 6 pillars of Zero Trust. Microsoft allows you to implement Zero Trust controls in the following areas:
- Securing access to the Cloud PC – this is something that is crucial to Identity and it enables you to set the specific regulations concerning who can access the Cloud PC and under which conditions.
- Securing the Cloud PC device itself – the actual Cloud PC devices that one uses to access corporate resources require extremely high security. So this is an important category that allows for the securing of the Endpoint by placing extra security measures on the devices themselves.
- Securing the Cloud PC data and other data available while using the Cloud PC – this last area allows you to place additional security measures to secure the data itself that users will need to access. Also, you can place extra measures on how Cloud PC users can access the data.
Microsoft has a few features that are enabled on all new Cloud PCs by default. These include:
- Virtual Trusted Platform Module (vTPM): a vTPM is a virtualized version of a hardware Trusted Platform module and is designed to be compliant with the TPM2.0 spec. What it offers you is a dedicated secure vault for keys and measurements. With trusted launch, your virtual machine will get its own dedicated TPM instance that will run in a secure environment outside the reach of any VM.
- Secure boot: this next feature could be described as something that provides the foundation of trusted launch. Secure boot is a mode that is implemented in platform firmware and enhances the overall security posture by protecting against the installation of malware-based rootkits and boot kits. Basically, what you get is a system that ensures that only signed operating systems and drivers can boot. Therefore, any image that Secure Boot fails to Authenticate will be restricted from booting.
As a result of having the above features enabled, Windows 365 will support the enabling of the Windows security features below:
- Hypervisor Code Integrity (HVCI)
- Microsoft Defender Credential Guard
Another key thing that Microsoft has advised clients to secure their Windows 365 Cloud PCs is to configure devices to enroll into MEM using automatic enrollment. However, to do that, you need to meet the following requirements:
- Microsoft Intune subscription (if you don’t have an Intune subscription you can sign up for a free trial account).
- You need to first create a user and create a group to complete the quick start.
Sign in Intune in Microsoft Endpoint Manager
Start by signing in to the MEM admin center as a Global administrator. If you are using the Trial subscription, then the account you used to create the subscription becomes the Global administrator.
Set up Windows 10/11 automatic enrollment
If you want to enroll both corporate and bring-your-own-devices, you’ll have to use MDM enrollment. In addition, you have to sign up for a free Azure AD Premium subscription.
- Navigate to the MEM admin center. Select All services > M365 Azure Active Directory > Azure Active Directory > Mobility (MDM and MAM).
- Choose Get a free Premium trial to use this feature. This enables auto-enrollment using the Azure AD free Premium trial.
- Select the Enterprise Mobility + Security E5 free trial option.
- Click Free trial > Activate the free trial.
- Choose Microsoft Intune to configure Intune.
- Go to the MDM user scope and select Some. This enables you to use MDM auto-enrollment to manage enterprise data on your employees’ Windows devices. This will configure MDM auto-enrollment for AAD joined devices and bring your own device scenarios.
- Click Select groups > Contoso Testers > Select as the assigned group.
- And then for data management on your workforce’s device, choose Some from the MAM Users scope.
- Choose Select groups > Contoso Testers > Select as the assigned group.
- And then, for the remaining configuration values, you’ll use the default values.
- Choose Save.
Windows 365 Business
Windows 365 comes in two different options to cater to the various businesses and their different needs. Microsoft intends for Cloud PCs to be available for both small and large enterprises. Therefore, smaller organizations have Windows 365 Business that can meet the needs of the business.
If your organization does not have an IT department/staff or central IT management solutions then this is the option for you. This option gives end users local admin rights to their Cloud PCs in a way that is typically seen with smaller businesses.
In instances where IT would like to use Windows 365 Business for a particular scenario, Microsoft recommends sticking to standard IT protocols. That is, of course, if you intend to set users as standard users on their devices. You can use Microsoft Endpoint to carry this out and to do so you need to follow the steps below:
- The process starts with device configuration to enroll the devices in MEM using automatic enrollment.
- The next step involves the management of the Local Administrators group. This can be done using Azure Active Directory (Azure AD) or using Microsoft Endpoint Manager.
- In addition, it would be a good idea to have Microsoft Defender Attack surface reduction (ASR) rules enabled. This would be very useful because these rules are in-depth defense mitigations for specific security concerns, such as blocking credential stealing from the Windows local security authority subsystem.
Windows 365 Enterprise
When it comes to Windows 365 Enterprise, the process is slightly easier for IT admins. This is because, for the Enterprise license, Cloud PCs are automatically enrolled. Not only that but they also get reporting of Microsoft Defender Antivirus alerts as well as optional onboarding into Microsoft Defender for Endpoint capabilities.
By default, Enterprise users are automatically set up as standard users. However, admins still retain the option to make per-user exceptions when necessary. The guidelines for users of Windows 365 Enterprise Cloud PCs are as below:
- Users should stick to standard Windows 10 security practices. This also means restricting access to your Cloud PC using local administrator privileges.
- You need to deploy Windows 365 security baselines to your Cloud PC from MEM. Furthermore, you should utilize Microsoft Defender to protect your endpoints, especially all Cloud PCs.
- Taking advantage of Azure AD conditional access is a must. With features such as multifactor authentication (MFA) and user/sign-in risk mitigation, you can significantly reduce the risk of unauthorized access to your Cloud PC.
Enhancing your security posture with Windows 365
Microsoft offers organizations security recommendations that are meant to enable you to improve your security. These guidelines are as follows:
Microsoft recommends the use of Conditional Access policies to improve your authentication processes. These policies are central to the zero trust strategy and help to secure your corporate network by putting strict controls concerning which devices can access it and how. You can even configure Conditional Access policies to meet the specific needs of your business and your Windows 365 environment.
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint (MDE) has been described as an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Organizations can connect MDE to their Cloud PC devices and thus have access to security procedures that are an industry standard for endpoint protection.
You can significantly improve your security because of how MDE can easily integrate with other Microsoft security tools. Clients with Windows 10 or Windows 11 licenses will get Microsoft Defender and Microsoft Defender Firewall as part of Windows Security which comes with their subscriptions. This also includes firewall and network protection, account protection, virus and threat protection, and device security among others.
Another thing to be aware of is that if you have a Microsoft 365 E5 plan then you’ll also get Microsoft 365 Defender. This service, which may also be purchased as an add-on for other Microsoft 365 subscriptions, compiles security data from the Microsoft 365 ecosystem and organizes it into a centralized dashboard.
And the way this dashboard has been designed simplifies the task for admins by making it easier to detect and respond to threats while setting aside the non-urgent. Ultimately, leveraging this security platform will help organizations to provide next-generation cybersecurity for their Windows 365 environment.
The use of Intune compliance policies is highly recommended as a way to set the requirements and settings that users and devices must abide by to be considered compliant. These policies can be used in conjunction with Conditional Access policies for your Windows 365 environment. This means that you can block any non-compliant devices from accessing corporate resources until any issues have been resolved.
Another recommendation that Microsoft gives has to do with OS updates. Devices need regular updates to not only maintain high levels of security but to keep enhancing performance as well. Occasionally, vulnerabilities are discovered that may be exploited so updates will help mitigate those issues and provide new features as well. And when it comes to Cloud PCs, IT admins can use Endpoint Manager to configure Intune Windows 10/11 update rings and policies for Windows Update for Business.
With regard to Windows 365 Business, the target market is small businesses that may not have an IT team to manage the environment. So it makes sense that users are granted local admin rights. For Windows 365 Enterprise, on the other hand, users will not get those same privileges. And this is by default so as to be in line with Windows 10/11 security guidance.
Microsoft further enhances the overall security by having an integration between Microsoft Defender for Endpoint and Windows 365. What this means is that security and endpoint admins can collaborate on the management of the Cloud PC environment just like for any regular physical endpoint. If subscribed, Cloud PCs will:
- Send data through to Microsoft 365 Secure Score.
- Have the option to view unhealthy PCs on the Microsoft Defender for Endpoint Security Center and threat analysis dashboards.
- The response of Cloud PCs to remediation measures will replicate that of any other managed devices.
Deployment of security baselines
Every organization needs specific security controls that can help to address its cybersecurity needs. To ensure the highest level of security, Microsoft recommends using industry-standard security measures that have been well-tested.
With Windows 365 security baselines, you’ll be getting Microsoft-recommended security measures that are based on best practices and expert feedback. This will help to improve the security of your Cloud PCs because of the recommendations you benefit from. Windows 365 security baselines are going to affect the following areas:
- Windows 10 settings: 1809
- MDATP settings: version 4
- Edge settings: April 2020 (Edge version 80 and later)
Applying Windows 365 baselines
Microsoft also optionally allows you to apply Windows 365 security baselines to the Azure AD groups containing Cloud PC devices in your tenant. Once you are ready to deploy the security configurations, you’ll follow the steps below:
- Navigate to the Microsoft Endpoint Manager admin center and sign in. Then select Endpoint Security > View Security Baselines.
- Select Cloud PC Security Baseline (Preview).
- Next, you select Create Profile and then give a name for the profile.
- The groups of settings for the baseline you chose can now be viewed on the Configuration settings tab. If you want to view the settings in a particular group as well as the default values for those settings in the baseline, all you need to do is expand the group. And if you want to see specific settings:
- Select a group to expand and from there you can review the available settings.
- You can use the search bar to type in specific keywords so that you get results displaying only the groups that match your search criteria.
All the settings in a baseline will have default configurations for that particular baseline version. To cater to varying business needs, Microsoft gives you the option to reconfigure the default settings. You will also notice that depending on the intent of the baseline, some baselines will have the same setting but will use different default values for that setting.
- Next, go to the Assignments tab and select a device group with Cloud PCs to include. After that, you’ll need to assign the baseline to one or more groups with your Cloud PCs. You can use Select groups to exclude to fine-tune the assignment.
- After completing the above and you’re ready for deployment, go to the Review + create tab and review the details for the baseline. To save and deploy the profile click on Create.
Application of the baseline to the assigned group is carried out immediately following the creation of the profile.
Implementing Conditional Access
Conditional Access is a system designed to enhance the security of corporate networks by restricting access to verified and compliant devices. Being a policy-based approach allows you to configure the specific conditions that you want to apply to the access controls. As Microsoft puts it, these policies are basically “if-then” statements. If a user needs to access certain resources on the corporate network then it follows that he/she will need to meet certain requirements. Using Conditional Access can help you to accomplish the following:
◆ Enable users to maintain productivity levels wherever they may be.
◆ Safeguard corporate resources.
Assigning conditionalcccess policies to cloud PCs
Windows 365 Enterprise admins should be aware that Conditional Access policies aren’t set for tenants by default. So to assign policies to the Cloud PC first-party app you’ll need to use either of the following services:
◆ Microsoft Endpoint Manager by performing the steps below:
- Navigate to the MEM admin center and sign in. Proceed to select Endpoint Security > Conditional Access > New Policy.
- The specific Conditional Access policy that you want will require you to provide a name for it.
- Go to the New Policy tab and select Specific users included which you’ll find under Users and groups. Next, you need to pick the specific user or group that you want to target with the policy. You also get the option to Exclude certain users or groups if that’s the way you want to set up.
- Select No cloud apps, action, or authentication contexts selected. You can find this option under Cloud apps or actions.
- Select Cloud apps > Include > Select apps.
- Next, head over to the Select pane. Here you’ll need to search for and select the apps below:
- Windows 365 (you can also search for “cloud” to find this app).
- Windows Virtual Desktop (this may also appear as Azure Virtual Desktop)
More to know about Windows 365
Ensuring that the policy is applied to the Cloud PC end-user portal as well as the connection to the Cloud PC.is achieved by choosing both of the apps above. Choosing both of these apps is also necessary if you want to be able to exclude apps.
- Fine-tuning a policy can be performed by going over to Access and then choosing the options that you want to apply to all objects assigned to this policy.
- Before you proceed any further you may want to test the policy. This can be done by going to Enable Policy and turning the setting Report-only to Off. This will prevent the policy from being applied as soon as you’ve completed the creation process.
- All that’s left now is for you to select Create and you’ll complete the creation of the policy.
If you want to see the list of your active and inactive policies, navigate to the Policies view in the Conditional Access UI.
Windows 365 wrap up
Remote desktop services offer countless benefits to businesses that can help enhance the overall performance of the business. Businesses can easily have hybrid workforces without having to sacrifice productivity. Not only that but services like Windows 365 ensure that if an unexpected event such as the COVID-19 pandemic occurs, the disruption to business activities can be minimized.
However, all of this doesn’t mean much without the best security features you can get to safeguard corporate data as well as the physical devices that employees use. And Microsoft has provided Windows 365 clients with a wide array of security features to ensure that Cloud PCs have next-generation protection. This will make it such that the user experience becomes significantly better.
Pingback: Weekly Newsletter – 7th January to 13th January 2023 - Windows 365 Community
Pingback: Intune Newsletter - 20th January 2023 - Andrew Taylor