Microsoft breaks down how to secure Windows 365 cloud PCs

Windows (Image credit: Microsoft)

What you need to know

  • A new post from Microsoft helps organizations secure cloud PCs running Windows 365.
  • Windows 365 Business and Windows 365 Enterprise differ regarding the admin rights of standard users.
  • Microsoft is working to bring trusted launch to Windows 365.

Microsoft details security capabilities for its new cloud PC service Windows 365 in a Tech Community post. The company outline guidance for Windows 365 Business and Windows 365 Enterprise, which vary largely regarding the default privilege level of users. Like physical devices, attackers will try to take advantage of security flaws in cloud PCs. Earlier this month, we reported on a security vulnerability in Windows 365.

Windows 365 Business is aimed at smaller businesses. Because of this, it grants end users local admin rights on Cloud PCs. This is similar to what's seen with physical PCs in these types of organizations. It does, however, present a different set of security challenges when compared to standard users lacking admin privileges.

Microsoft recommends the following steps if organizations want to use Microsoft Endpoint Manager:

  • Configure the devices to enroll into Microsoft Endpoint Manager using automatic enrollment.
  • Manage the Local Administrators group. For more details on how to do this using Azure Active Directory (Azure AD, see How to manage the local administrators group on Azure AD joined devices. For an example of how to do this using Microsoft Endpoint Manager, see this post from Microsoft MVP Peter van der Woude.
  • Consider enabling Microsoft Defender Attack surface reduction (ASR) rules. ASR rules are in-depth defense mitigations for specific security concerns, such as blocking credential stealing from the Windows local security authority subsystem. For details on how to enable ASR rules, see Enable attack surface reduction rules.
  • Review the Microsoft 365 Business Premium organizational security guidance, including enabling MFA to access Windows 365.

In contrast to Windows 365 Business, Windows 365 Enterprise is built for organizations with IT teams. Windows 365 Enterprise uses Microsoft Endpoint Manager out of the box. It also makes people standard users by default rather than granting admin rights.

Microsoft recommends that Windows 365 Enterprise customers do the following:

  • Follow standard Windows 10 security practices, including limiting who can log on to their Cloud PCs using local administrator privileges.
  • Deploy the Windows 365 security baseline to their Cloud PCs from Microsoft Endpoint Manager and leverage Microsoft Defender to provide in-depth defense to their endpoints, including all Cloud PCs. The Windows 365 security baseline enables the ASR rules discussed above.
  • Deploy Azure AD conditional access to secure authentication to their Cloud PCs, including multifactor authentication (MFA) and user/sign-in risk mitigation.

Microsoft notes that at the moment, Windows 365 doesn't support trusted launch. The company is working to bring trusted launch to Windows 365 alongside Windows 11 coming to the cloud PC service.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at