Can I use Windows 365 as a Privileged Access Workstation?


It has been a while since we answered a question from a reader. This one has been sitting in my inbox for a while now, but since I recently covered Windows 365 with our peer group, my offline conversation from a few months ago came to mind again, and I decided to turn it into a blog post for others who might have similar questions.

“Alex, love the blog. I recently took your course on Intune (which was excellent btw), but you didn’t really mention Windows 365 or Privileged Access Workstations in it. My question is: do you think Windows 365 is viable for use as a PAW? I have a couple of users with Cloud PCs right now, and they report that it has been a very good experience. I was also looking for a way to implement PAW for my own purposes (so that I am not hopping in and out of management portals on the same computer I use for email and other web browsing). What are your thoughts on this?” -Jack from Texas

Thank you for the support of my site, Jack, and thank you for your thoughtful question. Please note that my Intune course is now more than two years old, so we should definitely do an update (more to come). Back then, Windows 365 was not yet Generally Available. We did have Azure Virtual Desktop (which was still called Windows Virtual Desktop in those days), but in any event, covering this topic would have been outside the scope of that course.

Now since you brought it up, I will say that Windows 365 is not my first choice for a PAW. This is primarily because Windows 365 was designed specifically for productivity: that is, it includes Microsoft 365 productivity apps out-of-the-box (the target audience here is end users more than admins). Generally speaking, you would not want productivity apps on a PAW.

That having been said, I believe that you could use a Windows 365 Cloud PC as your dedicated PAW if you really wanted to. No one is going to stop you from doing so. But in order to do it properly, you should plan for some specific settings and policies, for example:

  • Restrict redirection of local devices & storage
  • Implement screen capture protection
  • Configure Conditional Access policies:
    • Restrict access to Azure Management except from your Cloud PC:
      • Users & groups: select your administrator account(s)
      • Cloud apps: Microsoft Azure Management
      • Conditions: Device filters > Exclude > Model contains “Cloud PC”
      • Access controls: Block access
    • Block access to Office 365 email & productivity apps from your Cloud PC:
      • Users & groups: select your administrator account(s)
      • Cloud apps: Office 365
      • Conditions: Device filters > Include > Model contains “Cloud PC”
      • Access Controls: Block access

And of course, you would want other security policies in place on the device commensurate with privileged access. With all these measures in place, you could build a decent PAW out of a Cloud PC. I would also add that if you are going down this route, it would be best to use the Enterprise version of Windows 365 rather than the Business version, because in that case you also gain control over the virtual network, which means you can potentially control egress (outbound) traffic as well. But that is a topic for another day.

Now with all of that information behind us, let me put another idea in your mind: why wouldn’t you use a physical computer as your admin workstation, and the Cloud PC for your productivity, simply reversing the CA policies I recommended above? Example:

  • Allow access to Office 365 only from the Cloud PC:
    • Users & groups: [Select users assigned Cloud PCs]
    • Cloud apps: Include: Office 365, Exclude: Windows 365 & Azure Virtual Desktop
    • Conditions*: Device filters > Exclude > Model contains “Cloud PC”
    • Access Controls: Block access
  • Restrict access to Azure Management:
    • Users & groups: select your administrator account(s)
    • Cloud apps: Microsoft Azure Management
    • Conditions: Device filters > Exclude > [use the device IDs for your PAW(s)]
    • Access controls: Block access

*Also note that you can optionally exclude iOS and Android device platforms if you plan to support Office 365 apps on BYOD or corporate issued mobile devices.
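Both Conditional Access layouts above (the Cloud PC as the PAW, and the reversed layout with a physical PAW and the Cloud PC for productivity) boil down to a pair of block policies scoped by a device filter. The following is an added example, not part of the original post: it builds each pair in the shape of a Microsoft Graph `conditionalAccessPolicy` body (in report-only state, so you can review sign-in logs before enforcing) and runs constructed sample sign-ins through a deliberately simplified evaluator that models only the user, cloud app and device-filter conditions. The UPNs, device IDs and model strings are constructed; the Office 365 group value and the Azure Management app ID are the well-known Graph identifiers, while the Windows 365 and Azure Virtual Desktop app IDs are left as placeholders to look up in your own tenant. The evaluator is my stand-in for the real Entra ID engine, not a replica of it.

```python
"""Build the two Conditional Access policy pairs from the post as Graph-style
bodies and check constructed sample sign-ins against them.
Added example; the evaluator is a simplified model, not Entra ID's engine."""
import json
import re

# Well-known identifiers in a policy's applications block. "Office365" is the
# Graph group value; the GUID is the first-party Azure Management app.
APP_OFFICE365 = "Office365"
APP_AZURE_MGMT = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
APP_WINDOWS365 = "<windows-365-app-id>"      # placeholder: look up in your tenant
APP_AVD = "<azure-virtual-desktop-app-id>"  # placeholder: look up in your tenant

CLOUD_PC_RULE = 'device.model -contains "Cloud PC"'

ADMINS = ["admin@contoso.example"]           # constructed sample admin account
USERS = ["alice@contoso.example"]            # constructed sample Cloud PC user
PAW_DEVICE_IDS = ["11111111-2222-3333-4444-555555555555"]  # constructed PAW device ID


def make_policy(name, users, include_apps, exclude_apps, filter_mode, filter_rule):
    """Return a dict shaped like a Graph conditionalAccessPolicy that blocks access.
    Report-only state lets you validate the device filter before enforcing it."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": list(users)},
            "applications": {
                "includeApplications": list(include_apps),
                "excludeApplications": list(exclude_apps),
            },
            "devices": {"deviceFilter": {"mode": filter_mode, "rule": filter_rule}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def cloud_pc_as_paw():
    """Scenario 1: the Cloud PC is the PAW for the admin account."""
    return [
        make_policy("PAW: block Azure Mgmt except from Cloud PC", ADMINS,
                    [APP_AZURE_MGMT], [], "exclude", CLOUD_PC_RULE),
        make_policy("PAW: block Office 365 on Cloud PC", ADMINS,
                    [APP_OFFICE365], [], "include", CLOUD_PC_RULE),
    ]


def physical_paw():
    """Scenario 2: physical PAW for admin work, Cloud PC for productivity."""
    id_list = ",".join(f'"{d}"' for d in PAW_DEVICE_IDS)
    return [
        make_policy("Prod: block Office 365 except from Cloud PC", USERS,
                    [APP_OFFICE365], [APP_WINDOWS365, APP_AVD], "exclude", CLOUD_PC_RULE),
        make_policy("PAW: block Azure Mgmt except from PAW", ADMINS,
                    [APP_AZURE_MGMT], [], "exclude", f"device.deviceId -in [{id_list}]"),
    ]


def _device_matches(rule, device):
    """Evaluate the two filter-rule forms used above against a device dict."""
    m = re.fullmatch(r'device\.(\w+) -contains "([^"]+)"', rule)
    if m:
        return m.group(2) in str(device.get(m.group(1), ""))
    m = re.fullmatch(r"device\.(\w+) -in \[(.*)\]", rule)
    if m:
        values = [v.strip().strip('"') for v in m.group(2).split(",") if v.strip()]
        return str(device.get(m.group(1), "")) in values
    raise ValueError(f"unsupported filter rule: {rule}")


def blocked_by(policies, user, app, device):
    """Names of block policies that would fire for this sign-in (empty = allowed)."""
    hits = []
    for p in policies:
        c = p["conditions"]
        apps = c["applications"]
        if user not in c["users"]["includeUsers"]:
            continue
        if app not in apps["includeApplications"] or app in apps["excludeApplications"]:
            continue
        flt = c["devices"]["deviceFilter"]
        matched = _device_matches(flt["rule"], device)
        # include: policy applies only to matching devices; exclude: only to the rest
        if matched if flt["mode"] == "include" else not matched:
            hits.append(p["displayName"])
    return hits


# Constructed sample devices: a Cloud PC and the physical PAW laptop.
CLOUD_PC = {"model": "Cloud PC Enterprise 2vCPU/8GB/128GB", "deviceId": "aaaaaaaa-0000-0000-0000-000000000001"}
LAPTOP = {"model": "Surface Laptop", "deviceId": PAW_DEVICE_IDS[0]}

if __name__ == "__main__":
    print(json.dumps(cloud_pc_as_paw()[0], indent=2))
    print(blocked_by(cloud_pc_as_paw(), ADMINS[0], APP_AZURE_MGMT, LAPTOP))
    print(blocked_by(physical_paw(), USERS[0], APP_OFFICE365, CLOUD_PC))
```

Run it as-is to see the first policy body and two sample verdicts; the functions return plain dicts and lists so you can compare them against what the portal shows. When moving from the model to a tenant, keep the policies in report-only state first and confirm in the sign-in logs that the `Cloud PC` model filter and the PAW device IDs match the devices you expect before switching to enforced.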

And of course, remember as well that you would want to use a different primary account for your administrative functions on the physical PC, versus the "normal" user account on your Cloud PC. Either that, or use a separate Azure Virtual Desktop in an isolated vnet as your admin PC. I think one of these arrangements would make more sense, since the whole purpose behind Windows 365, again, is to optimize the experience of Microsoft 365 productivity apps in a virtualized environment. It wasn't really intended to be used as an "admin environment." But that's just my two cents. You can do it however you like.

Thanks again for writing in, Jack.

If anyone out there is interested in learning more about Windows 365 Cloud PCs in general, check out our recent course on the topic. Also, stay tuned for our upcoming live Intune course (which is going to update existing content). If you are already a member of our SquareOne group, your invite is already secured. Details will be out soon.
