Microsoft details security options for Windows 365 Business and Enterprise

Microsoft details security capabilities for its new cloud PC service Windows 365 in a Tech Community post. The company outlines guidance for Windows 365 Business and Windows 365 Enterprise, which differ mainly in the default privilege level of users. As with physical devices, attackers will try to take advantage of security flaws in cloud PCs. Earlier this month, we reported on a security vulnerability in Windows 365.
Windows 365 Business is aimed at smaller businesses. Because of this, it grants end users local admin rights on Cloud PCs. This is similar to what’s seen with physical PCs in these types of organizations. It does, however, present a different set of security challenges when compared to standard users lacking admin privileges.
Microsoft recommends the following steps if organizations want to use Microsoft Endpoint Manager:
- Configure the devices to enroll into Microsoft Endpoint Manager using automatic enrollment.
- Manage the Local Administrators group. For more details on how to do this using Azure Active Directory (Azure AD), see How to manage the local administrators group on Azure AD joined devices. For an example of how to do this using Microsoft Endpoint Manager, see this post from Microsoft MVP Peter van der Woude.
- Consider enabling Microsoft Defender Attack surface reduction (ASR) rules. ASR rules are defense-in-depth mitigations for specific security concerns, such as blocking credential stealing from the Windows local security authority subsystem. For details on how to enable ASR rules, see Enable attack surface reduction rules.
- Review the Microsoft 365 Business Premium organizational security guidance, including enabling MFA to access Windows 365.
In contrast to Windows 365 Business, Windows 365 Enterprise is built for organizations with IT teams. Windows 365 Enterprise uses Microsoft Endpoint Manager out of the box. It also makes people standard users by default rather than granting admin rights.
Microsoft recommends that Windows 365 Enterprise customers do the following:
- Follow standard Windows 10 security practices, including limiting who can log on to their Cloud PCs using local administrator privileges.
- Deploy the Windows 365 security baseline to their Cloud PCs from Microsoft Endpoint Manager and leverage Microsoft Defender to provide defense in depth for their endpoints, including all Cloud PCs. The Windows 365 security baseline enables the ASR rules discussed above.
- Deploy Azure AD conditional access to secure authentication to their Cloud PCs, including multifactor authentication (MFA) and user/sign-in risk mitigation.
Microsoft notes that at the moment, Windows 365 doesn’t support trusted launch. The company is working to bring trusted launch to Windows 365 alongside Windows 11 coming to the cloud PC service.
This post was written by Sean Endicott and was first posted to www.windowscentral.com