Can I use Windows 365 as a Privileged Access Workstation?

Back to Blog
Can Windows 365 be a PAW?

Can I use Windows 365 as a Privileged Access Workstation?

It has been a while since we did a question from a reader. This one has been in my inbox for a while now, but since I just recently covered Windows 365 with our peer group, my offline conversation from a few months ago came to mind again, and I decided to turn it into a blog post, for others who might have similar questions.

“Alex, love the blog. I recently took your course on Intune (which was excellent btw), but you didn’t really mention Windows 365 or Privileged Access Workstations in it. My question is: do you think Windows 365 is viable for use as a PAW? I have a couple of users with Cloud PCs right now, and they report that it has been a very good experience. I was also looking for a way to implement PAW for my own purposes (so that I am not hopping in and out of management portals on the same computer I use for email and other web browsing). What are your thoughts on this?” -Jack from Texas

Thank you for the support of my site, Jack, and thank you for your thoughtful question. Please note that my Intune course is now more than two years old, so we should definitely do an update (more to come). Back then, Windows 365 was not yet Generally Available. We did have Azure Virtual Desktop (which was still called Windows Virtual Desktop in those days), but in any event, covering this topic would have been outside the scope of that course.

Now since you brought it up, I will say that Windows 365 is not my first choice for a PAW. This is primarily because Windows 365 was designed specifically for productivity: that is, it includes Microsoft 365 productivity apps out-of-the-box (the target audience here is end users more than admins). Generally speaking, you would not want productivity apps on a PAW.

That having been said, I believe that you could use a Windows 365 Cloud PC as your dedicated PAW if you really wanted to. No one is going to stop you from doing so. But in order to do it properly, you should plan for some specific settings and policies, for example:

  • Restrict redirection of local devices & storage
  • Implement screen capture protection
  • Configure Conditional Access policies:
    • Restrict access to Azure Management except from your Cloud PC:
      • Users & groups: select your administrator account(s)
      • Cloud apps: Microsoft Azure Management
      • Conditions: Device filters > Exclude > Model contains “Cloud PC”
      • Access controls: Block access
    • Block access to Office 365 email & productivity apps from your Cloud PC:
      • Users & groups: select your administrator account(s)
      • Cloud apps: Office 365
      • Conditions: Device filters > Include > Model contains “Cloud PC”
      • Access Controls: Block access

And of course, you would want other security policies in place on the device commensurate with privileged access. With all these measures in place, you could build a decent PAW out of a Cloud PC. I would add also that if you are going down this route, it would be best to use the Enterprise version of Windows 365 rather than the Business version, because in this case you would also gain control over the virtual network, and that means you can potentially control egress (outbound) traffic as well. But that is a topic for another day.

Now with all of that information behind us, let me put another idea in your mind: why wouldn’t you use a physical computer as your admin workstation, and the Cloud PC for your productivity, simply reversing the CA policies I recommended above? Example:

  • Allow access to Office 365 only from the Cloud PC:
    • Users & groups: [Select users assigned Cloud PCs]
    • Cloud apps: Include: Office 365, Exclude: Windows 365 & Azure Virtual Desktop
    • Conditions*: Device filters > Exclude > Model contains “Cloud PC”
    • Access Controls: Block access
  • Restrict access to Azure Management:
    • Users & groups: select your administrator account(s)
    • Cloud apps: Microsoft Azure Management
    • Conditions: Device filters > Exclude > [use the device IDs for your PAW(s)]
    • Access controls: Block access

*Also note that you can optionally exclude iOS and Android device platforms if you plan to support Office 365 apps on BYOD or corporate issued mobile devices.

And of course, remember as well that you would want to use a different primary account for your administrative functions on the physical PC, versus the “normal” user account on your Cloud PC. Either that, or use a separate Azure Virtual Desktop in an isolated vnet as your admin PC.  I think one of these arrangements would make more sense since the whole purpose behind Windows 365, again, is to optimize the experience of Microsoft 365 productivity apps in a virtualized environment. It wasn’t really intended to be used as an “admin environment.” But that’s just my two cents. You can do it however you like.

Thanks again for writing in, Jack.

If anyone out there is interested in learning more about Windows 365 Cloud PCs in general, check out our recent course on the topic. Also, stay tuned for our upcoming live Intune course (which is going to update existing content). If you are already a member of our SquareOne group, your invite is already secured. Details will be out soon.

Comment (1)

  • MaR Reply

    Thanks for this! I am glad you mentioned this particularly, “Now since you brought it up, I will say that Windows 365 is not my first choice for a PAW. This is primarily because Windows 365 was designed specifically for productivity: that is, it includes Microsoft 365 productivity apps out-of-the-box (the target audience here is end users more than admins). Generally speaking, you would not want productivity apps on a PAW.”

    August 5, 2024 at 11:44 am

Leave a Reply

Back to Blog

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.