This is the sixth part of the Windows 365 series on my blog in which I will show you how you can improve the security posture on your Cloud PC systems. I have listed and described recommended approaches to implement security technologies.

Windows 365
This coast is all about Windows 365 and the Windows cloud experiences! Windows 365: the easy introIntroduction My first blog posts on Windows 365 were already 2 years old. This year I attended Workplace Ninja Summit in Switzerland and I got hooked by it again. Therefore I want to revive

Security is at the heart of every modern system, and Windows 365 should also be secured accordingly. My focus is on the platform security, meaning the secure configuration of Windows and the identity access layer. This write up covers:

  • Windows platform security features and technologies
  • Steps to reduce the attack surface
  • Strengthen the access to Windows 365 systems
  • Overview of recommended security improvements on Cloud PCs


Have a look on this overview table to get an understanding of all the featured topics on a high level and their impacts.

Feature Description Implementation effort Security improvement
Endpoint Security & baselines Apply system hardening and configure built-in security features ❗Medium-High ❗High
Windows LAPS Local Administrator Password Solution, should be used for all elevated actions 🟢 Low ❗High (when also used during operations)
Admin roles Clean up privileged admin roles 🟢 Low ❗High
App Control for Business Configure & control app execution ❔Depends ❗High
Defender for Endpoint onboarding More visibility and XDR 🟠 Medium ❗High
Identity - Conditional Access Protect access to W365 on the identity perimeter 🟢 Low ❗Medium-High
Endpoint Privilege Management Configure & control app elevation for special use cases 🟢 Low 🟠 Medium
Software update policies Define policies so Windows, drivers and apps stay up to date 🟢 Low ❗High
Compliance policies Verify your deployment and system integrity 🟢 Low 🟠 Medium

Top features to get started with

Let's go through all the featured topics.

BitLocker and most hardware related features are not supported on Windows 365 as described in this official article.


Endpoint Security & Baselines

I have a dedicated blog post that goes deeply into all aspects around security baselines. Summarized: Security baselines define a set of policies, controls, behaviors and requirements for hardware to keep a system secure and compliant with a framework that is established by security experts and security organizations. In Intune we can start with the following configurations to make use of the built-in security features:

  • Antivirus - configure Defender Antivirus
  • Firewall - configure all firewall to secure network access
  • Attack surface reduction (ASR) - configure ASR rules and device control
  • Account protection - account related security controls
  • Windows hardening - various system security improvements (Settings Catalog)
Dive into Microsoft Security Baselines
❗This post is a best-practice and recommendation source without any liability. Please ensure the enterprise grade system security strategy with your CISO and consult other professionals when you want to build up PAWs. Introduction In my blog posts I often mention the Microsoft Security Baseline…
Make use of the built-in security baselines in Intune at Endpoint Security > Security baselines for a all-in-one solution.


Windows LAPS

Windows LAPS is a Windows built-in feature to rotate the password for the local administrator. This is very important, because it prevents pass-the-hash or lateral-traversal-attacks where multiple systems have a common weak spot (the admin credentials). For full understanding, have a look on my blog post:

Windows LAPS: the comprehensive guide
Introduction This post features Windows LAPS with its most important specifications and what you need to know high-level. Both Active Directory and Azure AD scenarios are described. Overview Windows LAPS is now in public preview! The Local Administrator Password Solution is a familiar Microsoft pr…

To deploy it in Intune, you need two things, both described in my LAPS post.

  • Create a local administrator that is managed by LAPS
  • Create an Intune Endpoint Security, Account Protection, LAPS policy to define the behavior and settings of LAPS
Consider a Local user group membership policy to ensure that only the LAPS managed account is member of the local administrators group. As described in my PAW post


Admin roles

Administrators on a system have full access to modify, alter or delete everything. Therefore we should control the admins on:

  • The management plane: Intune and Entra ID
  • The Windows system: Local administrators and roles

Management plane admins

A management plane admin is someone that can configure the Windows 365 service. With that, someone could modify the configuration of the Cloud PCs or even delete them. Someone who controls the management plane can also control all layers below (the Windows system layer). Make sure to check the following Entra roles assignments in your tenant:

  • Global administrator -> can do everything
  • Intune administrator -> can configure every aspect in Intune
  • Windows 365 Administrator -> have permissions on Windows 365 resources
  • Cloud Device Administrator -> can manage devices in Entra ID
  • Microsoft Entra Joined Device Local Administrator -> is local administrator on every Entra ID joined endpoint

🧹🧼 Reviewing and cleaning those roles up from unnecessary or unwanted assignments is crucial.

Don't forget about Intune RBAC roles. There are custom roles in Intune which also have access to create, delete, alter or read content in Intune and with that modify your Cloud PC setup. Read more on Intune RBAC

Windows system local admins

To control the local administrators (group) on the Windows system of your Cloud PC, you can make use of local user group membership / account protection policies in Intune. With the setting to replace all administrators, except your LAPS admin, no other user will have local admin rights.

Furthermore, there is a new Entra ID device setting that allows to configure the local administrator user members of your tenant. I would configure both to 'none'.


App Control for Business

App Control for Business (ACfB - formerly Windows Defender Application Control) is a Windows security feature that controls the execution of code. It consists of multiple features that are all designed to secure software, drivers, apps and files on the system.

Use App Control for Business as an Intune configuration on Windows 365 and only allow software on the system that you know is good.


💡 Best practices to deploy App Control for Business

  • Leverage the Managed Installer feature - with that all software installed by Intune is flagged as secure and can be executed
  • Use the WDAC policy wizard to create custom XML based policies
  • Use the XML based configurations, since the built-in options do not allow all features
  • Start in Audit Mode with the feature and detect the potential impact
  • Include publisher certificates of software and vendors that you trust
  • Consider the Microsoft Intelligent Security Graph (ISG) feature - which is a database by Microsoft that classifies software and code. The ISG is a collection of generally well known and good reputable software.


Defender for Endpoint onboarding

Defender for Endpoint onboarding is crucial, so that Cloud PCs are protected by XDR and deliver their signals for analyzation, correlation, detection, hunting and response. In Intune you can create can setup the connection to Defender for Endpoint, as described in this blog post.


Identity - Conditional Access

To protect the identity layer and access to Cloud PCs you should consider Conditional Access. Combine different signals and conditions to ensure access to the service is valid. In Conditional Access you should choose the Windows 365 and Azure Virtual Desktop as target cloud apps to catch all authentication that could come against W365.


💡 Some ideas from policies:

  • Require Authentication Strength such as Microsoft Authenticator or phishing-resistant MFA
  • Only allow connections to Windows 365 from compliant devices
  • Require terms of use for access to Cloud PC
  • Restrict access to Windows 365 based on the user's location


Endpoint Privilege Management

Endpoint Privilege Management (EPM) is part of the Intune Suite. It is a feature that allows standard users to elevate applications defined by administrators in a policy from Intune. This feature helps to balance security and usability for end users. 1. They can run defined apps elevated by themselves, reducing the effort for the IT and 2. no local administrator rights that are system-wide are needed. Read more about it this blog post:

Endpoint Privilege Management deployment guide
IntroductionMicrosoft Endpoint Privilege Management (EPM) is a part of the Intune Suite offering. It allows standard users to run applications with privilege rights, without the need to be local administrators. This is a massive security improvement and supports your zero-trust strategy. At core, wi…


Software update policies

Software updates often deliver security fixes or address security relevant features in the system. Therefore, you should update all the software regularly, even better control the update deployments to ensure they are executed timely after release. Consider all those:

  • Microsoft updates, includes updates for all their products such as Windows OS, Microsoft 365 Apps for Enterprise, Edge and Drivers & firmware from their catalog
  • Third-party updates, anything that must be updated separately - use auto-update capabilities or separate tools for auto patching


Intune Windows Update rings

In Intune you can easily deploy policies for all Microsoft related updates. Create an update ring for Windows 10 and later and configure it accordingly. This is a recommendation:

Read more about Windows Updates in this blog post.


Verify with Compliance Policies

Also for enforcing device compliance, I have a dedicated post:

Enforce device compliance
Introduction Most organizations have compliance requirements for dozens of topics, spanning both technical and non-technical domains, as they are in a complex landscape of regulations, standards, and best practices to ensure the integrity, security, and conduct of their operations. This post is jus…

For Windows 365 you should apply a compliance policy that checks if the features from above are enabled on the system and therefore are compliant. This is my recommendation:

Setting Value Description
Minimum OS version Latest OS version OS minimum requirement, please note to continuously rise
Firewall Require Control network security
Antivirus Require System protection for Antivirus state
Antispyware Require System protection against spyware
Microsoft Defender Antimalware Require System protection against mailware
Microsoft Defender Antimalware security intelligence up-to-date Require Antimalware data up-to-date
Real-time protection Require Real-time system protection
Require the device to be at or under the machine risk score Medium Signal from MDE to consider machine risk score

powered by

Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.

You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.