Microsoft’s Inspire event was this week, so let’s cover two announcements that came out of it.
First, a preview of Azure Active Directory Privileged Identity Management integration with Azure Lighthouse. The idea is just-in-time access to Azure services: it lasts up to eight hours, after which the partner’s access is removed from the system. This “only on demand” security is part of a zero-trust-style implementation.
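To make the just-in-time idea concrete, here is a small Python model I’ve added (it is not code from the page, and it is not Microsoft’s PIM or Lighthouse API): a partner can be eligible for a role without actually holding it, an activation needs a justification and is clamped to the eight-hour ceiling, and expired activations are swept out so no standing access remains. The partner name, role, timestamps and subscription scope are constructed for the walk-through.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Ceiling on an activation; the page states access lasts up to eight hours.
MAX_ACTIVATION = timedelta(hours=8)

Key = tuple[str, str, str]  # (partner, role, scope)


@dataclass(frozen=True)
class Activation:
    partner: str
    role: str
    scope: str
    activated_at: datetime
    expires_at: datetime
    justification: str


class JitDelegation:
    """Toy model of eligible vs. active delegated access (not the Azure API)."""

    def __init__(self) -> None:
        self._eligible: set[Key] = set()
        self._active: dict[Key, Activation] = {}

    def make_eligible(self, partner: str, role: str, scope: str) -> None:
        # Eligibility is standing, but by itself it confers no access.
        self._eligible.add((partner, role, scope))

    def activate(self, partner: str, role: str, scope: str,
                 requested: timedelta, justification: str, now: datetime) -> Activation:
        key = (partner, role, scope)
        if key not in self._eligible:
            raise PermissionError(f"{partner} is not eligible for {role} on {scope}")
        if not justification.strip():
            raise ValueError("activation requires a justification")
        if requested <= timedelta(0):
            raise ValueError("requested duration must be positive")
        duration = min(requested, MAX_ACTIVATION)  # clamp to the eight-hour ceiling
        act = Activation(partner, role, scope, now, now + duration, justification)
        self._active[key] = act
        return act

    def is_permitted(self, partner: str, role: str, scope: str, now: datetime) -> bool:
        # Only a current, unexpired activation grants access; eligibility alone does not.
        act = self._active.get((partner, role, scope))
        return act is not None and now < act.expires_at

    def sweep_expired(self, now: datetime) -> list[Activation]:
        # The "removed from the system" step: drop every activation past its expiry.
        expired = [a for a in self._active.values() if now >= a.expires_at]
        for a in expired:
            del self._active[(a.partner, a.role, a.scope)]
        return expired


def demo() -> dict:
    """Constructed walk-through; returns the observations rather than printing them."""
    t0 = datetime(2021, 7, 16, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    partner, role = "partner-msp", "Contributor"            # constructed names
    scope = "/subscriptions/<customer-subscription-id>"     # placeholder scope
    jit = JitDelegation()
    jit.make_eligible(partner, role, scope)
    before = jit.is_permitted(partner, role, scope, t0)
    # A 12-hour request is silently capped at the 8-hour maximum.
    act = jit.activate(partner, role, scope, timedelta(hours=12),
                       "Ticket 123: customer patch window", t0)
    granted_hours = (act.expires_at - act.activated_at) / timedelta(hours=1)
    during = jit.is_permitted(partner, role, scope, t0 + timedelta(hours=7, minutes=59))
    after = jit.is_permitted(partner, role, scope, t0 + timedelta(hours=8))
    removed = len(jit.sweep_expired(t0 + timedelta(hours=8)))
    return {"before": before, "granted_hours": granted_hours,
            "during": during, "after": after, "removed": removed}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the access decision: `is_permitted` consults only active, unexpired activations, so a partner that is eligible but not activated, or whose window has lapsed, gets the same answer as a stranger.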
But the big news is Windows 365. Referred to as a Cloud PC, it’s a fully cloud-based desktop experience that runs on top of Azure Virtual Desktop and will be available August 2nd. Pricing has not been revealed.
You can connect to your Cloud PC from any device, so that includes Macs, iPads, Linux, and the like. Deployment can be managed via Intune. There are two versions, Enterprise and Business. Enterprise is designed to integrate with Microsoft Endpoint Manager, while Business is for individual users and small businesses who need it stand-alone. Diagnostics, statistics, and complete management plus security configuration of devices are done directly from Endpoint Manager. There is a Watchdog Service for running diagnostics and providing alerts when checks fail.
Users connect using a standard Remote Desktop client or an embedded client in a browser.
The product includes rollback, so you can, for example, go back to previous versions of files. It also offers instant boot, the ability to pick back up from another device right away, and full customization. Also noted: it’s a zero-trust architecture, including cloud storage of data, multi-factor authentication, conditional access policies, least-privilege access, security baselines, and data encryption in transit and at rest.
One of the motivating forces: Microsoft noticed that 80% of their Azure Virtual Desktop users were using a third party to help manage their installations. Microsoft is specifically pitching the product at businesses, from one person all the way up to thousands of employees. The differentiator is ease of use and management.
Why do we care?
I’m spending a whole episode on this… because I think we care a LOT.
Microsoft is taking away a lot of the actual management of devices with this move. You can build a complete Windows environment that runs entirely on top of another environment… one that you likely do not need to care about. That underlying device can be entirely unmanaged.
Or simple devices: Chromebooks, iPads. Take the complexity away from the user… or give them real flexibility.
For most users, if you simplify down to a browser, an office suite, and web access… you’re done, and you don’t have any of the annoying overhead of a full modern computer with the PC and OS underneath it.
In this configuration, Microsoft Endpoint Manager is your RMM, and it enforces policy against the operating system directly rather than through an agent added to the operating system. Put this in the context of my recent comments about RMM: why add an attack vector when you don’t need to anymore?
Now project out: a possible Chromebook competitor. Imagine a Surface device that just runs Remote Desktop. There you have a fully managed experience without having to control the endpoint. Even today, this makes every virus-infested home computer… now a viable option for small businesses to use.
And that example illustrates the new model. A business can run entirely in Microsoft’s cloud in a controlled, managed way… yet also not trust any endpoints. That’s the zero-trust architecture cited, and this is a simple way to accomplish that goal.
Does this instantly change the landscape? No… but yes. Sure, your day-to-day operation didn’t change. But the direction you should be heading is pretty clear if you want to change the game for security. A zero-trust architecture is within reach. I’m redoing my own threat calculus based on this… are you?