Configuration guidance for Windows 365 aligned to the ASD Blueprint
Windows 365 Enterprise Cloud PC is a cloud-based Desktop-as-a-Service (DaaS) offering that automatically creates Windows 365 virtual machines (Cloud PCs) for your end users. It provides the productivity, security, collaboration, and compliance (up to Protected level) benefits of Microsoft 365.
An Australian Government Information Security Registered Assessors Program (IRAP) assessment of Microsoft 365, available in the Microsoft Service Trust Portal, includes Windows 365 in the scope of assessed services. The service is assessed as suitable for data up to the Protected level, which is the highest level of security assessment applicable to a public cloud service in Australia. The service is built on Zero Trust principles, and data is encrypted both in transit and at rest.
However, as with any new service deployed into a sensitive environment, introducing Windows 365 requires some specific configuration. This configuration planning guide addresses the considerations necessary for a successful deployment of Windows 365 within an operational framework that handles sensitive information. It assumes access to Windows 365 subscription licensing and Microsoft 365 Enterprise E3 or E5, in alignment with the Australian Signals Directorate (ASD) Blueprint for Secure Cloud configuration guidance for Microsoft 365. This guide is intended to be used with the following documents:
- Microsoft Protective Security Policy Framework (PSPF) Guide: Prescriptive guidance on using Microsoft products to adhere to PSPF requirements.
- Microsoft Essential 8 Guide: Prescriptive guidance on using Microsoft products to adhere to Essential 8 for Maturity Levels 1 to 3.
- Australian Signals Directorate (ASD) Blueprint for Secure Cloud: Practical guidance for organizations to consider alongside the requirements in the Information Security Manual (ISM) and PSPF when designing, configuring, and deploying cloud workspaces.
Planning Windows 365
The Windows 365 Enterprise documentation is the comprehensive guide to deploying Windows 365 Cloud PCs. To align with the ASD Blueprint and the needs of highly regulated industries in Australia, use this article together with that documentation.
Tip
Both Cloud PCs and physical PCs are managed through Intune, so existing controls such as your security baselines (including Essential 8), role-based access control (RBAC), and analytics that apply to your physical devices can also be applied to your Cloud PCs.
Setting up a provisioning policy
Follow the instructions as per create provisioning policies for Windows 365 guidance, with the following specific steps to align with the ASD Blueprint.
General tab
In the join type details, select Microsoft Entra join and Microsoft hosted network whenever possible. This combination gives the best end-user experience together with ease of management, security, and simplicity. From a network and security standpoint, it treats the Cloud PC as an isolated device that can reach on-premises and other specified private resources only through a secure VPN.
For Cloud PC users who need on-premises access, refer to Create Azure network connections for Windows 365. Create two provisioning policies: one for hybrid join users, to limit unnecessary access per the Information Security Manual (ISM) Protect Principle 11, and another for users who don't require on-premises access, ensuring optimal performance and security.
The ISM has no mandatory requirements regarding the geographic location in which Cloud PC data is stored. For the best end-user experience, Microsoft recommends provisioning Cloud PCs in the region closest to where your users connect from. Applications that are sensitive to high latency also benefit from targeting a region close to the user or to the backend systems they depend on. For the most common ASD Blueprint use-case, where users are in Australia, select the following for Microsoft Entra join with Microsoft hosted network:
- Geography: Australia
- Region: Automatic (recommended)
For more information on other Azure geographies and regions available for provisioning a Windows 365 Cloud PC, see Supported geographies and regions for Cloud PC provisioning.
Select Use Microsoft Entra single sign-on (SSO). SSO should be enabled as your default setting. For more information, see Windows 365 identity and authentication.
Select Next.
Configuration tab
Windows settings
For Language and region, select English (New Zealand).
Note
English (Australia) isn't yet available for Windows 365. New Zealand English is the closest available option to Australian English.
Cloud PC naming
For Cloud PC naming, if you don't need a specific naming convention, leave this box unchecked; Microsoft automatically generates a name when the Cloud PC is provisioned. The default Cloud PC name is prefixed with CPC.
Additional services
Microsoft recommends using Windows Autopatch for Windows 365 Enterprise and Frontline Dedicated mode. It assists your organization in meeting the Essential 8 Maturity Level 3 patching requirements for your endpoints.
For more information on using Autopatch in an Essential 8 aligned setting, see Essential 8 guidance using Autopatch for Windows 365.
Select Next. Provisioning of Cloud PCs starts once you select Create.
The remaining steps for scope tags, assignment, and review + create are as per the provisioning policies guide for Windows 365.
Tip
Scope tags are used to provide granular administrative control in an environment. For more information, see using RBAC and scope tags.
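The provisioning steps above can also be driven from the Microsoft Graph beta API, which is useful when you want the two policies (Microsoft Entra join with Microsoft hosted network, and hybrid join over an Azure network connection) created identically across tenants. The following PowerShell is an added example written for this article, not code from the Windows 365 documentation. It assumes the Microsoft.Graph PowerShell SDK, the `CloudPC.ReadWrite.All` permission, and the property names of the beta `cloudPcProvisioningPolicy` resource as I understand them (`domainJoinConfigurations`, `enableSingleSignOn`, `windowsSetting.locale`, `autopatch.autopatchGroupId`, `provisioningType`); the gallery image ID, Azure network connection ID, Autopatch group ID and Entra group IDs are placeholders you must replace with your own.

```powershell
# Added example: create the two ASD Blueprint aligned provisioning policies via Graph beta.
# Not part of the Windows 365 documentation. All IDs below are placeholders.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'CloudPC.ReadWrite.All'

$Base = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint'

# Placeholder inputs. Gallery image IDs can be listed with GET $Base/galleryImages.
$ImageId          = 'microsoftwindowsdesktop_windows-ent-cpc_win11-24h2-ent-cpc-m365'
$AncId            = '00000000-0000-0000-0000-000000000000'  # Azure network connection (hybrid join only)
$AutopatchGroupId = '00000000-0000-0000-0000-000000000001'
$EntraJoinGroup   = '00000000-0000-0000-0000-000000000002'  # users with no on-premises needs
$HybridJoinGroup  = '00000000-0000-0000-0000-000000000003'  # users who need on-premises access

function New-BlueprintProvisioningPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('azureADJoin', 'hybridAzureADJoin')][string]$JoinType,
        [string]$OnPremisesConnectionId
    )
    if ($JoinType -eq 'azureADJoin') {
        # Microsoft hosted network: Geography Australia, Region Automatic, no ANC.
        $join = @{ domainJoinType = $JoinType; regionGroup = 'australia'; regionName = 'automatic' }
    } else {
        # Hybrid join requires an Azure network connection; the region follows the ANC's vNet.
        $join = @{ domainJoinType = $JoinType; onPremisesConnectionId = $OnPremisesConnectionId }
    }
    $body = @{
        displayName              = $DisplayName
        description              = 'ASD Blueprint aligned Cloud PC provisioning policy'
        provisioningType         = 'dedicated'
        imageType                = 'gallery'
        imageId                  = $ImageId
        enableSingleSignOn       = $true                    # "Use Microsoft Entra single sign-on"
        windowsSetting           = @{ locale = 'en-NZ' }    # English (New Zealand), closest to en-AU
        domainJoinConfigurations = @($join)
        autopatch                = @{ autopatchGroupId = $AutopatchGroupId }
        # cloudPcNamingTemplate is intentionally omitted so Microsoft assigns the CPC-prefixed name.
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Base/provisioningPolicies" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

function Set-ProvisioningPolicyAssignment {
    param([Parameter(Mandatory)][string]$PolicyId, [Parameter(Mandatory)][string]$GroupId)
    $body = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.cloudPcManagementGroupAssignmentTarget'
                           groupId       = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Base/provisioningPolicies/$PolicyId/assign" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

# Policy 1: cloud-only users (Entra join, Microsoft hosted network).
$cloudOnly = New-BlueprintProvisioningPolicy -DisplayName 'CPC-Blueprint-EntraJoin' -JoinType azureADJoin
Set-ProvisioningPolicyAssignment -PolicyId $cloudOnly.id -GroupId $EntraJoinGroup

# Policy 2: users who need on-premises access (hybrid join over the ANC).
$hybrid = New-BlueprintProvisioningPolicy -DisplayName 'CPC-Blueprint-HybridJoin' `
    -JoinType hybridAzureADJoin -OnPremisesConnectionId $AncId
Set-ProvisioningPolicyAssignment -PolicyId $hybrid.id -GroupId $HybridJoinGroup
```

Keeping the two policies in one function makes the only intentional difference between them (the join configuration) explicit, which is the point of ISM Protect Principle 11 as applied here: hybrid join, and therefore on-premises reachability, is granted only to the group that needs it.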
Windows 365 application recommendations
Windows App provides a unified experience for users to connect to any Microsoft DaaS offering, such as Windows 365 Cloud PCs, Azure Virtual Desktop, or Dev Box. Desktop access is available through either the lightweight installable client or a modern HTML5 browser.
Download the Windows App at one of the following locations:
- https://windows365.microsoft.com
- Microsoft Store (search for Windows App)
To further secure access to a Cloud PC desktop using Windows App (client or browser), use Conditional access policies for authorization and compliance, and/or Mobile Application Management (MAM) configuration policies for data governance.
Recommended Blueprint settings in Intune
Windows 365 security baseline
Deploy the Windows 365 Security Baseline in Microsoft Intune admin center. For step by step instructions, see Windows 365 Security Baseline.
Manage RDP device redirections for Cloud PCs
Intune Remote Desktop Protocol (RDP) redirection settings determine how users access their Cloud PC and which local devices and features are available inside the session. They can be tailored to your organizational and end-user requirements.
Tip
ASD advises that organizations “consider the Blueprint alongside their own unique requirements, risk appetite, and organizational culture”. Redirections suggested should be assessed and tailored to the organization’s specific use-case.
Redirection | Detailed guide | Default setting | Notes |
---|---|---|---|
Audio and video redirection | Configure audio and video redirection | Audio and video playback redirection is enabled; audio and video play on the local device. | Keep this setting at the default. If changing it, consider the accessibility advice in the ASD Blueprint. |
Audio capture redirection | Configure audio capture redirection | Audio recording redirection isn't blocked; the Cloud PC accepts audio recorded on the local device. | The ASD Blueprint recommends blocking sound recording. Configure Allow audio recording redirection > Disabled. |
Camera, webcams and video capture | Configure camera, webcam, and video capture redirection | Camera, webcam, and video capture peripherals on the local device are redirected into the session. | Keep this setting at the default. If changing it, consider the accessibility advice in the ASD Blueprint. |
Clipboard | Configure clipboard redirection over the Remote Desktop Protocol | Clipboard redirection isn't blocked; the clipboard is redirected in both directions between the remote session and the local device. | The ASD Blueprint recommends blocking clipboard redirection. Configure Do not allow Clipboard redirection > Enabled. |
Drives and storage | Configure fixed, removable, and network drive redirection | All local drives, including ones connected later, are redirected into the remote session. | The ASD Blueprint recommends blocking drive redirection. Configure Do not allow drive redirection > Enabled. |
Location | Configure location redirection | The user controls whether location information is shared. | Force Location On assists with identifying location anomalies, such as impossible travel, using Defender for Cloud Apps anomaly detection policies, which follows the ASD Blueprint recommendation for protection of SaaS. |
MTP and PTP | Configure Media Transfer Protocol and Picture Transfer Protocol redirection on Windows | MTP and PTP redirection is enabled. | Configure Do not allow supported Plug and Play device redirection > Enabled. |
Printers | Configure printer redirection | All local printers are redirected into the remote session, and the local default printer is the default printer in the Cloud PC. | The ASD Blueprint recommends enabling printing for office use only. Configure Do not allow client printer redirection > Enabled. Alternatively, secure printing to designated office printers can be achieved using Universal Print. |
Serial/COM ports | Configure serial or COM port redirection | Serial and COM ports on the local device are redirected to the Cloud PC. | Configure Do not allow COM port redirection > Enabled. |
Smart cards | Configure smart card device redirection | Smart card devices on the local device are redirected to the Cloud PC. | Configure Do not allow smart card device redirection > Enabled. |
USB | Configure USB redirection on Windows | USB redirection isn't allowed. | Configure Do not allow supported Plug and Play device redirection > Enabled. |
WebAuthn | Configure WebAuthn redirection | The Cloud PC enables WebAuthn redirection. | Keep this setting at the default (allow WebAuthn redirection); Microsoft Entra SSO relies on WebAuthn redirection. |
There are some nuances for device redirection, depending on what client endpoint OS is being used. For more information on comparison of features across endpoints, see Compare Remote Desktop app features across platforms and devices.
Common RDP examples
This section contains templated RDP device redirection settings for common Cloud PC use-cases in Government organizations. Use them as a starting point and tailor them to your organizational needs.
Example 1: Corporate user from organizational managed device
Where a corporate user is logging on from an organizational managed device, it's recommended that the Cloud PC inherit the existing corporate configurations.
Redirection | Suggested setting |
---|---|
Audio and video redirection | Inherited (no changes) |
Audio capture redirection | Inherited (no changes) |
Camera, webcams, and video capture | Inherited (no changes) |
Clipboard | Inherited (no changes) |
Drives and storage | Inherited (no changes) |
Location | Inherited (no changes) |
MTP and PTP | Inherited (no changes) |
Printers | Inherited (no changes) |
Serial/COM ports | Inherited (no changes) |
Smart cards | Inherited (no changes) |
USB | Inherited (no changes) |
WebAuthn | Inherited (no changes) |
Example 2: Contractor BYOD
A common use-case in government settings is providing a Cloud PC to a contractor who connects from a Bring Your Own Device (BYOD) endpoint. The following are commonly used RDP device redirection settings for that use-case.
Redirection | Suggested setting |
---|---|
Audio and video redirection | Leave as default |
Audio capture redirection | Disabled (block audio capture) |
Camera, webcams, and video capture | Leave as default |
Clipboard | Enabled (block clipboard redirection) |
Drives and storage | Enabled (block drive and storage redirection) |
Location | Force Location On |
MTP and PTP | Enabled (block MTP and PTP) |
Printers | Enabled (block printer redirect) Alternatively, use Universal Print to direct all printing back to organizational approved office printers. |
Serial/COM ports | Enabled (block serial/COM ports) |
Smart cards | Enabled (block smart cards) |
USB | Enabled (block USB) |
WebAuthn | Leave as default |
Example 3: Secure enclave
Secure enclaves are typically small, separate environments set up to handle data of a higher classification than the main organization handles, so that individuals with the appropriate clearance and a need-to-know can access that data.
Redirection | Suggested setting |
---|---|
Audio and video redirection | Disabled (block audio and video redirection) |
Audio capture redirection | Disabled (block audio capture) |
Camera, webcams, and video capture | Enabled (block camera, webcam, and video capture redirection) |
Clipboard | Enabled (block clipboard redirection) |
Drives and storage | Enabled (block drive and storage redirection) |
Location | Force Location On |
MTP and PTP | Enabled (block MTP and PTP) |
Printers | Enabled (block printer redirect) Or use Universal Print to direct all printing back to specified Protected rated printers. |
Serial/COM ports | Enabled (block serial/COM ports) |
Smart cards | Enabled (block smart cards) |
USB | Enabled (block USB) |
WebAuthn | Leave as default |
Example 4: Jump host
Administrative activities conducted through a jump host are acceptable under ISM 1387 (Essential 8 ML 2 and 3). A Cloud PC is a simple and effective way to implement a jump host.
Redirection | Suggested setting |
---|---|
Audio and video redirection | Disabled (block audio and video redirection) |
Audio capture redirection | Disabled (block audio capture) |
Camera, webcams, and video capture | Enabled (block camera, webcam, and video capture redirection) |
Clipboard | Enabled (block clipboard redirection) |
Drives and storage | Enabled (block drive and storage redirection) |
Location | Force Location On |
MTP and PTP | Enabled (block MTP and PTP) |
Printers | Enabled (block printer redirect) Or use Universal Print to direct all printing back to specified Protected printers. |
Serial/COM ports | Enabled (block serial/COM ports) |
Smart cards | Enabled (block smart cards) |
USB | Enabled (block USB) |
WebAuthn | Leave as default |
Important
To meet ISM 1175 and Essential 8 ML 1, 2 and 3 for jump hosts, follow the guidance to restrict Office 365 services on Cloud PCs. For more information on restricting administrative access to meet Essential 8, see Essential Eight restrict administrative privileges.
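Once the redirection policies from the table above are assigned, the practical question is whether they actually landed on a given Cloud PC. The following PowerShell is an added example written for this article, not code from the Windows 365 documentation; run it inside the Cloud PC as an administrator. It reads the Terminal Services policy registry values that the ADMX-backed Intune settings write and compares them with the set of redirections the Contractor BYOD, Secure enclave and Jump host examples expect to be blocked, flagging both missing blocks and over-restriction (for example, WebAuthn blocked on a profile that needs it for SSO). The registry value names, the profile names, the treatment of MTP/PTP and USB as the single Plug and Play setting the table maps them to, and the omission of Location (on the assumption that Force Location On is not expressed through this registry key) are this example's own choices.

```powershell
# Added example: verify RDP device redirection policy state on a Cloud PC.
# Not part of the Windows 365 documentation. Run as administrator inside the Cloud PC.
$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each row of the redirection table mapped to the policy value the ADMX writes and the
# value that means "blocked". Two policies are "Allow" style and therefore inverted:
# audio/video playback (fDisableCam) and smart cards (fEnableSmartCard = 0 blocks).
$Redirections = @(
    @{ Name = 'Audio and video playback';    Value = 'fDisableCam';          Blocked = 1 }
    @{ Name = 'Audio capture';               Value = 'fDisableAudioCapture'; Blocked = 1 }
    @{ Name = 'Camera/video capture';        Value = 'fDisableCameraRedir';  Blocked = 1 }
    @{ Name = 'Clipboard';                   Value = 'fDisableClip';         Blocked = 1 }
    @{ Name = 'Drives and storage';          Value = 'fDisableCdm';          Blocked = 1 }
    @{ Name = 'Plug and Play (MTP/PTP/USB)'; Value = 'fDisablePNPRedir';     Blocked = 1 }
    @{ Name = 'Printers';                    Value = 'fDisableCpm';          Blocked = 1 }
    @{ Name = 'Serial/COM ports';            Value = 'fDisableCcm';          Blocked = 1 }
    @{ Name = 'Smart cards';                 Value = 'fEnableSmartCard';     Blocked = 0 }
    @{ Name = 'WebAuthn';                    Value = 'fDisableWebAuthn';     Blocked = 1 }
)

# Redirections each example profile expects to be blocked; everything else must stay open.
$Profiles = @{
    'ContractorBYOD' = @('Audio capture', 'Clipboard', 'Drives and storage',
                         'Plug and Play (MTP/PTP/USB)', 'Printers', 'Serial/COM ports', 'Smart cards')
    'SecureEnclave'  = @('Audio and video playback', 'Audio capture', 'Camera/video capture',
                         'Clipboard', 'Drives and storage', 'Plug and Play (MTP/PTP/USB)',
                         'Printers', 'Serial/COM ports', 'Smart cards')
}
$Profiles['JumpHost'] = $Profiles['SecureEnclave']   # Example 4 uses the same redirection set as Example 3

function Test-CloudPcRedirection {
    param(
        [Parameter(Mandatory)][ValidateSet('ContractorBYOD', 'SecureEnclave', 'JumpHost')][string]$Profile
    )
    $expectedBlocked = $Profiles[$Profile]
    # Missing key or value means "not configured", i.e. the Windows default for that policy.
    $policy = Get-ItemProperty -Path $TsPolicyKey -ErrorAction SilentlyContinue

    foreach ($r in $Redirections) {
        $shouldBlock = $expectedBlocked -contains $r.Name
        $current = $null
        if ($null -ne $policy -and $null -ne $policy.($r.Value)) { $current = [int]$policy.($r.Value) }
        $isBlocked = ($null -ne $current) -and ($current -eq $r.Blocked)

        [pscustomobject]@{
            Profile       = $Profile
            Redirection   = $r.Name
            RegistryValue = $r.Value
            Current       = if ($null -eq $current) { 'not configured' } else { $current }
            ExpectBlocked = $shouldBlock
            # DRIFT covers both a missing block and an unwanted block (for example WebAuthn).
            Status        = if ($shouldBlock -eq $isBlocked) { 'OK' } else { 'DRIFT' }
        }
    }
}

# Usage: pick the profile that matches the Cloud PC's assignment group.
Test-CloudPcRedirection -Profile ContractorBYOD | Format-Table -AutoSize
```

Any row reported as DRIFT should be traced back to the Intune policy assignment before the Cloud PC is handed to the user; on a jump host in particular, an open clipboard or drive redirection defeats the purpose of the separate administrative environment.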