Deploy Windows 365 Security Baseline Policies to Cloud PCs

In this post, we will see how to deploy the Windows 365 security baseline policies to Cloud PCs. It’s great news that Microsoft has already created baseline security configuration policies for Cloud PCs. However, this type of configuration is still missing for Azure Virtual Desktop.

Do you think you can use the same Windows 365 security baseline policies for Azure Virtual Desktop (AVD)? I would try the same set of policies on all virtual desktops. You can also edit the policy-setting values in this configuration where AVD needs something different.

At the time of writing, the Windows 365 filter rules can’t be used in security baseline assignments. Hence my recommendation is to deploy these security baseline policies to Cloud PCs through Azure AD dynamic device groups.

Windows 365 Security Baseline

It’s time to create the Windows 365 security baseline policies. The deployment itself doesn’t take long; however, if you have already deployed security settings to Cloud PCs using the Settings catalog or other policies, the baseline can conflict with those settings.


Test the baseline first on newly provisioned Cloud PCs that have no other security policies assigned, so any conflict is easy to trace back. Let’s see how to create the Windows 365 security baseline policies for Cloud PCs.

  • Launch the MEM Admin Center https://endpoint.microsoft.com with an account that has the appropriate Intune permissions.
  • Navigate to Endpoint Security node.
  • Click on Security Baselines node – You can see several other baseline policies in this node.
  • Select Windows 365 Security Baseline policy set.

You can now click + Create Profile to create a Windows 365 security baseline profile for Cloud PCs. The page also shows which baseline versions are available; at the time of writing the only one is 2101.


Enter a name and description for the Windows 365 Security Baseline profile. At the time of writing, Platform and Baseline version are displayed but offer no other drop-down options. Click Next to continue.

  • Name -> HTMD Cloud PC Security Baseline
  • Platform -> Windows 10 and Later
  • Baseline Version -> 2101

Cloud PC Security Baseline Categories

The table below gives a quick overview of the Windows 365 security baseline categories with their default values. It will help you understand the configuration quickly and adjust it to your requirements; however, I recommend keeping the default Cloud PC security baseline.

You can check the individual policies in each category from the following blog post – List of Security Baselines Settings for Cloud PC Windows 365.

Category of Security Baseline            Default Value
----------------------------------------  ------------------------------------------------------------
Above Lock                                Disabled
App Runtime                               Enabled
Application Management                    Enabled
Attack Surface Reduction Rules            Some of the settings are Enabled, and some are Blocked
Audit                                     A mix of Success and Failure
Auto Play                                 Do Not Execute / Disabled / Enabled
Browser                                   Yes
Connectivity                              Enabled
Credentials Delegation                    Enabled
Credentials UI                            Disabled
Device Guard                              Enabled
Device Installation                       Enabled
DMA Guard                                 Block All
Event Log Service                         32768–196608 (KB)
Experience                                Enabled
File Explorer                             Disabled
Firewall                                  Configured
Internet Explorer                         A lot of options Disabled/Enabled (Use IE?)
Local Policies Security Options           A lot of settings configured
Microsoft Defender                        A lot of settings configured
Microsoft Defender Antivirus Exclusions   3/9 Minutes
Microsoft Edge                            Enabled and Disabled
MS Security Guide                         Enabled and Disabled
MSS Legacy                                Highest Protection; Enabled and Disabled for some settings
Remote Assistance                         Disabled
Remote Desktop Services                   High and Enabled
Remote Management                         Enabled and Disabled
Remote Procedure Call                     Authenticated
Search                                    Configured
Smart Screen                              Configured
System                                    Good unknown and bad critical
Windows Connection Manager                Enabled
Windows Ink Workspace                     Enabled
Windows PowerShell                        Enabled

Categories – Deploy Windows 365 Security Baseline Policies to Cloud PCs

Once you have reviewed the default values of the baseline policies for Cloud PCs, click Next.


Select the appropriate scope tags to support your Intune RBAC setup.

NOTE! – Intune filters (including the Windows 365 filter rules) are not available for security baseline assignments. Hence you will have to use AAD dynamic device groups for this type of deployment.
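Because the baseline can only be assigned to groups (as noted here and at the start of the post), the practical step is an Azure AD dynamic device group that collects every Cloud PC. The following PowerShell is an added example and is not code from the original post: it creates such a group with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules are installed and that the signed-in account can be granted Group.ReadWrite.All and Device.Read.All; the group display name and mail nickname are made-up values. The membership rule keys on the device model, which Cloud PCs report with a "Cloud PC" prefix.

```powershell
# Added example (not from the original post): create an Azure AD dynamic device group
# for Windows 365 Cloud PCs so the security baseline can be assigned to it.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Group.ReadWrite.All to create the group, Device.Read.All to preview matching devices
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Cloud PCs report a device model beginning with "Cloud PC" (e.g. "Cloud PC Enterprise ..."),
# which is what the dynamic membership rule matches on.
$membershipRule = '(device.deviceModel -startsWith "Cloud PC")'

# Display name and mail nickname are assumptions; adjust to your naming standard.
$params = @{
    DisplayName                   = "HTMD Cloud PC Dynamic Devices"
    Description                   = "All Windows 365 Cloud PCs (dynamic membership)"
    MailEnabled                   = $false
    MailNickname                  = "htmdcloudpcdevices"
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $membershipRule
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @params
"Created group '$($group.DisplayName)' with id $($group.Id)"

# Preview which registered devices the rule will pick up. Dynamic membership is
# evaluated asynchronously, so this list is the expectation, not the current membership.
Get-MgDevice -All |
    Where-Object { $_.Model -like 'Cloud PC*' } |
    Select-Object DisplayName, Model, OperatingSystemVersion, ApproximateLastSignInDateTime |
    Format-Table -AutoSize
```

After the group is populated, pick it under Assignments in the baseline profile. If you run Cloud PCs for different user populations, narrow the rule further (for example on deviceModel "Cloud PC Enterprise" versus "Cloud PC Business") rather than relying on filters, which this policy type does not support.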


Click Create to complete the Windows 365 security baseline deployment.

Results

You can use the default Intune reports to check the status of the baseline security policies for Cloud PCs. There are two places to find them:

  1. Check the report from Windows 365 security baseline policy -> Monitor section -> Device Status and Per Settings option.
  2. Check the report from Devices -> Endpoint Security Configuration Node.
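The Intune reports tell you whether the policy was delivered; a practitioner usually also wants to confirm on the Cloud PC itself that a few baseline values from the table above actually took effect. The script below is an added example, not part of the original post. It is meant to be run in an elevated PowerShell session on a Cloud PC after a policy sync, and checks the Event Log Service sizes (32768 KB for Application and System, 196608 KB for Security), that all firewall profiles are enabled, that Remote Assistance is disabled, and which Attack Surface Reduction rules are in Block mode. The registry locations used are where ADMX-backed and MDM policies land on Windows 10; the expected values are the baseline defaults listed in the table, and the Remote Assistance registry value name is the standard fAllowToGetHelp setting.

```powershell
# Added example (not from the original post): spot-check baseline values on a Cloud PC.
# Run elevated on the Cloud PC after an Intune sync.
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Area, [string]$Setting, $Expected, $Actual)
    $results.Add([pscustomobject]@{
        Area     = $Area
        Setting  = $Setting
        Expected = $Expected
        Actual   = $Actual
        Pass     = ("$Actual" -eq "$Expected")
    })
}

# Event Log Service: baseline sets max log sizes in KB (Application/System 32768, Security 196608)
$expectedLogSizeKB = @{ Application = 32768; Security = 196608; System = 32768 }
foreach ($log in $expectedLogSizeKB.Keys) {
    $actualKB = (Get-WinEvent -ListLog $log).MaximumSizeInBytes / 1KB
    Add-Check 'Event Log Service' "$log max size (KB)" $expectedLogSizeKB[$log] $actualKB
}

# Firewall: every profile should be enabled ('True', not 'NotConfigured')
foreach ($profile in Get-NetFirewallProfile) {
    Add-Check 'Firewall' "$($profile.Name) profile enabled" 'True' $profile.Enabled.ToString()
}

# Remote Assistance: the ADMX-backed policy writes fAllowToGetHelp = 0 under the Policies hive
$raPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$raValue = (Get-ItemProperty -Path $raPolicyPath -Name fAllowToGetHelp -ErrorAction SilentlyContinue).fAllowToGetHelp
Add-Check 'Remote Assistance' 'fAllowToGetHelp' 0 $raValue

# Attack Surface Reduction: pair rule IDs with their actions (0 Off, 1 Block, 2 Audit, 6 Warn)
$mp = Get-MpPreference
$asrRules = for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $mp.AttackSurfaceReductionRules_Ids[$i]
        Action = $mp.AttackSurfaceReductionRules_Actions[$i]
    }
}
$blocked = @($asrRules | Where-Object { $_.Action -eq 1 })
Add-Check 'ASR Rules' 'At least one rule in Block mode' 'True' ($blocked.Count -gt 0).ToString()

# Output: pass/fail table first, then the full ASR rule list for review
$results | Format-Table -AutoSize
"ASR rules and actions:"
$asrRules | Format-Table -AutoSize

# MDM-delivered policy areas are also visible here; a missing area points at a delivery problem
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName | Sort-Object
```

If a row shows Pass = False while the Intune report says Succeeded, look for another policy (Settings catalog, group policy from a hybrid-joined domain, or a Defender configuration) that sets the same value, which is the conflict scenario mentioned earlier in the post.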

About Author -> Anoop has been a Microsoft Most Valuable Professional (MVP) award winner since 2015. He is a Solution Architect on enterprise device management solutions with more than 20 years of experience in IT (calculation done in 2021). He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.
