Security Guidelines For Cloud PCs

What’s up, everyone! 

In this post we’ll take a look at security guidelines and a couple of recommendations that Microsoft has put together to increase the security for Windows 365 Cloud PCs. If you want to know what options you have to increase security and how to configure them, this post might be for you! Enjoy!

Prerequisites

I will use the following for this post:

  • Windows 365 Enterprise (because of Intune management).
  • Microsoft E3 licenses.
  • The guidelines from Microsoft.

The Guidelines

Microsoft has published security guidelines for Cloud PCs. These guidelines are based on a couple of solutions that each contribute to a better security configuration. In short it all comes down to this;

  • Use Conditional Access
  • Use Microsoft Defender for Endpoint
  • Use compliance policies
  • Make sure to update your operating system
  • End users will not be local admins
There are some other recommendations as well. They might not be a part of the guidelines but they are still worth your consideration;
 
  • Use security baselines
  • Enable screen capture protection
  • Restrict Office 365 services to Cloud PCs
  • Manage RDP device redirections for Cloud PCs

Guideline: Conditional Access

Conditional Access might be a no-brainer, but it’s a great way to make sure your users gain access to their Cloud PCs while finetuning and improving security. You can find conditional access from the endpoint manager portal, Devices, Policy, Conditional Access. I will not go into too many details but here are some considerations for conditional access;

  • Make sure your users use MFA when logging into their Cloud PC.
  • Choose which users can login to Windows 365 while blocking others.
  • Define named and trusted networks and base your policies on them.
  • Block logins from locations / countries you don’t trust.
  • Set sign-in frequency.
  • Or block access to Office 365 except from Cloud PCs.
You can simply select Windows 365 from the Cloud apps or actions control. Your users need an Azure AD Premium P1 license to get access to this feature.

Guideline: Microsoft Defender for Endpoint

We can use Microsoft Defender for Endpoint to protect our Cloud PCs. Determine which features you need and check if you have the correct licenses in your tenant. Enable sharing of device information via the Microsoft Intune Connection. Go to security.microsoft.com, Settings, Endpoint, Advanced Features and toggle the Microsoft Intune connection switch.

Save the change and check back in Endpoint Manager.You should see the connection status change to Available. 

Make sure to enable ‘Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint‘ setting and save the configuration. If you don’t have a compliance policy yet, you’ll see a blue bar popup on the top part of your screen which helps you to setup a compliance policy. Use the Microsoft Defender for Endpoint section and configure the ‘Require the device to be at or under the machine risk score’ value. Remember, you can check your compliance policies at Devices, Policy, Compliance policies.

Cloud PCs will also respond to remediation measures if you have the correct licenses and if you’ve setup remediation. 

Guideline: Use Compliance Policies

We already created a compliance policy specifically for Microsoft Defender for Endpoint. But there are other options to think about;

  • Custom compliance; you can use your own discovery script.
  • Device Health; You can require Bitlocker, Secure Boot and Code integrity. 
  • Device Properties; Determine which OS builds are valid.
  • Configuration Manager Compliance; Require device compliance from config mgr.
  • System Security; Password settings, encryption settings, Firewall, TPM, AV and antispyware settings.
  • Defender options.
  • Microsoft Defender for Endpoint; already discussed.

Guideline: Updates

I guess that Microsoft updates are a no-brainer as well. Let’s keep things simple here. You can use update rings, feature updates for Windows and quality updates for Windows to keep your environment up-to-date. 

Or go next-level and implement Windows Autopatch and let Microsoft keep your Cloud PCs up-to-date. Check my writeup on Windows Autopatch if you want to know more about this great service.

Guideline: Local Admin Rights

Microsoft recommends that end users have standard user accounts. This is also the default setting for users on Cloud PCs. If you want to change this setting, go to the Windows 365 node in Endpoint Manager and select User Settings.

Recommendation: Use Security Baselines

Basically a security configuration is a set of policy templates based on security best practices and experience from real world implementations. Microsoft has created a security baseline for Windows 365 specifically. 

Navigate to Endpoint Security and click on the View Security Baselines button or Security Baselines under Overview. At this point there are security baselines for;

  • Windows 10 and later
  • Microsoft Defender for Endpoint
  • Microsoft Edge
  • Windows 365

Select the Windows 365 security baseline and create a new profile. Give the profile a sensible name and check the baseline version. It’s created november 2021.

You can see all the settings on the Configuration settings tab. I expanded a couple so you can see that there’s something configured here. Next, add scope tags if you want and assign the profile.

The new profile will be pushed to the Cloud PCs once saved and apply immediately.

Recommendation: Screen Capture Protection

Did you know that you can prevent screen captures being made from your Cloud PC? If you configure this feature, your client will prevent your users from making a screen capture. 

Now haters will say that it will not prevent users from taking a picture with their phone. And they are right. So I’ll just leave it at that.

Recommendation: Restrict Office 365 Access To Cloud PCs

You can make sure that users can access Office 365 from their Cloud PCs only. This is great way to ensure that users use the Cloud PC is their primary device. Microsoft has documented the configuration really well. You can, of course, enforce this way of working for all users (if they all have a Cloud PC) or just to a group of users.

You can use Conditional Access to configure the access to Office 365. From Endpoint Manager, Devices, Policy, Conditional Access.

Create a new policy and;

  • Give it name.
  • Assign the policy to a group of users or all users. (You can use exclusions if you want)
  •  Select Office 365 in the Cloud apps or actions section.
  • In the same section, select Windows 365 and Azure Virtual Desktop in the exclusion tab.
  • Configure the filter. Use the filter: Model – Starts With – Cloud PC.
  • Access Controls, Grant: select Block access.
You can test the policy first without actually blocking access to Office 365 by selecting the report-only option. Or select On to enforce this policy immediately after saving.
 
Here are screenshots of the Cloud apps or actions section.

And a screenshot of the Conditions section.

And to finish up the screenshot of the block access setting.

Recommendation: Manage RDP Device Redirections for Cloud PCs

You can manage the RDP device redirection options. These options are (source Microsoft):

You can configure these settings in two ways;

  • Settings Catalog
  • Group Policies

In this demo I’ll take a look at the settings catalog and skip group policies. We’ll start by creating a new configuration policy (Endpoint Manager, Devices, Configuration Policies).

Select Windows 10 and later as platform and Settings Catalog as profile type and hit Create.

Provide a name for your shiny new policy and a description if you like.

Here are two search terms you can use: 

  • Device and Resource Redirection
  • Printer Redirection

Select the options you want to manage. 

Just toggle the switches for the options you want to manage. Finish up by adding scope tags if you want and assign the policy to your  users (or group of users).

Resources

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *