Data encryption in Windows 365
Windows 365 encrypts data at rest and in transit as explained below.
Encryption of data at rest
To help you protect your organization's data, Windows 365 Enterprise and Business Cloud PC disks are encrypted with Azure Storage server-side encryption (SSE).
This storage layer encryption provides the following benefits:
- When persisting data to the cloud, data at rest on your Microsoft-hosted Cloud PC's disk is automatically encrypted.
- Windows 365 Cloud PC disks are encrypted transparently using 256-bit Advanced Encryption Standard (AES) encryption, a modern block cipher, and is FIPS 140-2 compliant. The encryption at this layer doesn't affect Cloud PC performance.
- The encryption is applied to every Cloud PC in every region at no extra cost.
The following Windows 365 Enterprise and Business objects are automatically encrypted-at-rest with platform-managed keys:
Windows 365 as a service treats all data stored on Windows 365 disks as customer content. For more information, see Privacy and personal data in Windows 365.
BitLocker is not supported as an encryption option for Windows 365 Cloud PCs. For more information, see using Windows 10 virtual machines in Intune.
Encryption of data in transit
Windows 365 uses the Transport Layer Security (TLS) protocol to protect data in transit. TLS provides:
- Strong authentication
- Message privacy and integrity (enabling detection of message tampering, interception, and forgery)
- Algorithm flexibility
- Ease of deployment and use
TLS 1.2 is used for all connections started from Windows 365 to the Azure Virtual Desktop infrastructure components. These components use the same TLS 1.2 ciphers as Azure Front Door.
For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.
For more information on network connectivity and encryption of the RDP remoting connection, see Understanding Azure Virtual Desktop network connectivity.
Submit and view feedback for