Windows 365: level up security on Cloud PCs

by Niklas Tinner a month ago 9 min read

Introduction

This is the sixth part of the Windows 365 series on my blog in which I will show you how you can improve the security posture on your Cloud PC systems. I have listed and described recommended approaches to implement security technologies.

Security is at the heart of every modern system, and Windows 365 should also be secured accordingly. My focus is on the platform security, meaning the secure configuration of Windows and the identity access layer. This write up covers:

Windows platform security features and technologies
Steps to reduce the attack surface
Strengthen the access to Windows 365 systems
Overview of recommended security improvements on Cloud PCs

Overview

Have a look on this overview table to get an understanding of all the featured topics on a high level and their impacts.

Feature	Description	Implementation effort	Security improvement
Endpoint Security & baselines	Apply system hardening and configure built-in security features	❗Medium-High	❗High
Windows LAPS	Local Administrator Password Solution, should be used for all elevated actions	🟢 Low	❗High (when also used during operations)
Admin roles	Clean up privileged admin roles	🟢 Low	❗High
App Control for Business	Configure & control app execution	❔Depends	❗High
Defender for Endpoint onboarding	More visibility and XDR	🟠 Medium	❗High
Identity - Conditional Access	Protect access to W365 on the identity perimeter	🟢 Low	❗Medium-High
Endpoint Privilege Management	Configure & control app elevation for special use cases	🟢 Low	🟠 Medium
Software update policies	Define policies so Windows, drivers and apps stay up to date	🟢 Low	❗High
Compliance policies	Verify your deployment and system integrity	🟢 Low	🟠 Medium

Top features to get started with

Let's go through all the featured topics.

ℹ️

BitLocker and most hardware related features are not supported on Windows 365 as described in this official article.

Endpoint Security & Baselines

I have a dedicated blog post that goes deeply into all aspects around security baselines. Summarized: Security baselines define a set of policies, controls, behaviors and requirements for hardware to keep a system secure and compliant with a framework that is established by security experts and security organizations. In Intune we can start with the following configurations to make use of the built-in security features:

Antivirus - configure Defender Antivirus
Firewall - configure all firewall to secure network access
Attack surface reduction (ASR) - configure ASR rules and device control
Account protection - account related security controls
Windows hardening - various system security improvements (Settings Catalog)

💡

Make use of the built-in security baselines in Intune at Endpoint Security > Security baselines for a all-in-one solution.

Windows LAPS

Windows LAPS is a Windows built-in feature to rotate the password for the local administrator. This is very important, because it prevents pass-the-hash or lateral-traversal-attacks where multiple systems have a common weak spot (the admin credentials). For full understanding, have a look on my blog post:

To deploy it in Intune, you need two things, both described in my LAPS post.

Create a local administrator that is managed by LAPS
Create an Intune Endpoint Security, Account Protection, LAPS policy to define the behavior and settings of LAPS

💡

Consider a Local user group membership policy to ensure that only the LAPS managed account is member of the local administrators group. As described in my PAW post

Admin roles

Administrators on a system have full access to modify, alter or delete everything. Therefore we should control the admins on:

The management plane: Intune and Entra ID
The Windows system: Local administrators and roles

Management plane admins

A management plane admin is someone that can configure the Windows 365 service. With that, someone could modify the configuration of the Cloud PCs or even delete them. Someone who controls the management plane can also control all layers below (the Windows system layer). Make sure to check the following Entra roles assignments in your tenant:

Global administrator -> can do everything
Intune administrator -> can configure every aspect in Intune
Windows 365 Administrator -> have permissions on Windows 365 resources
Cloud Device Administrator -> can manage devices in Entra ID
Microsoft Entra Joined Device Local Administrator -> is local administrator on every Entra ID joined endpoint

🧹🧼 Reviewing and cleaning those roles up from unnecessary or unwanted assignments is crucial.

⚠️

Don't forget about Intune RBAC roles. There are custom roles in Intune which also have access to create, delete, alter or read content in Intune and with that modify your Cloud PC setup. Read more on Intune RBAC

Windows system local admins

To control the local administrators (group) on the Windows system of your Cloud PC, you can make use of local user group membership / account protection policies in Intune. With the setting to replace all administrators, except your LAPS admin, no other user will have local admin rights.

Furthermore, there is a new Entra ID device setting that allows to configure the local administrator user members of your tenant. I would configure both to 'none'.

App Control for Business

App Control for Business (ACfB - formerly Windows Defender Application Control) is a Windows security feature that controls the execution of code. It consists of multiple features that are all designed to secure software, drivers, apps and files on the system.

Use App Control for Business as an Intune configuration on Windows 365 and only allow software on the system that you know is good.

💡 Best practices to deploy App Control for Business

Leverage the Managed Installer feature - with that all software installed by Intune is flagged as secure and can be executed
Use the WDAC policy wizard to create custom XML based policies
Use the XML based configurations, since the built-in options do not allow all features
Start in Audit Mode with the feature and detect the potential impact
Include publisher certificates of software and vendors that you trust
Consider the Microsoft Intelligent Security Graph (ISG) feature - which is a database by Microsoft that classifies software and code. The ISG is a collection of generally well known and good reputable software.

Defender for Endpoint onboarding

Defender for Endpoint onboarding is crucial, so that Cloud PCs are protected by XDR and deliver their signals for analyzation, correlation, detection, hunting and response. In Intune you can create can setup the connection to Defender for Endpoint, as described in this blog post.

Identity - Conditional Access

To protect the identity layer and access to Cloud PCs you should consider Conditional Access. Combine different signals and conditions to ensure access to the service is valid. In Conditional Access you should choose the Windows 365 and Azure Virtual Desktop as target cloud apps to catch all authentication that could come against W365.

💡 Some ideas from policies:

Require Authentication Strength such as Microsoft Authenticator or phishing-resistant MFA
Only allow connections to Windows 365 from compliant devices
Require terms of use for access to Cloud PC
Restrict access to Windows 365 based on the user's location

Endpoint Privilege Management

Endpoint Privilege Management (EPM) is part of the Intune Suite. It is a feature that allows standard users to elevate applications defined by administrators in a policy from Intune. This feature helps to balance security and usability for end users. 1. They can run defined apps elevated by themselves, reducing the effort for the IT and 2. no local administrator rights that are system-wide are needed. Read more about it this blog post:

Software update policies

Software updates often deliver security fixes or address security relevant features in the system. Therefore, you should update all the software regularly, even better control the update deployments to ensure they are executed timely after release. Consider all those:

Microsoft updates, includes updates for all their products such as Windows OS, Microsoft 365 Apps for Enterprise, Edge and Drivers & firmware from their catalog
Third-party updates, anything that must be updated separately - use auto-update capabilities or separate tools for auto patching

Intune Windows Update rings

In Intune you can easily deploy policies for all Microsoft related updates. Create an update ring for Windows 10 and later and configure it accordingly. This is a recommendation:

Read more about Windows Updates in this blog post.

Verify with Compliance Policies

Also for enforcing device compliance, I have a dedicated post:

For Windows 365 you should apply a compliance policy that checks if the features from above are enabled on the system and therefore are compliant. This is my recommendation:

Setting	Value	Description
Minimum OS version	Latest OS version	OS minimum requirement, please note to continuously rise
Firewall	Require	Control network security
Antivirus	Require	System protection for Antivirus state
Antispyware	Require	System protection against spyware
Microsoft Defender Antimalware	Require	System protection against mailware
Microsoft Defender Antimalware security intelligence up-to-date	Require	Antimalware data up-to-date
Real-time protection	Require	Real-time system protection
Require the device to be at or under the machine risk score	Medium	Signal from MDE to consider machine risk score

powered by