AMA: Windows cloud security

Hi folks! Your moderator (Christian Montoya) here. I wanted to offer a quick correction in this month's AMA:

Windows 365 Cloud PCs are supported by Microsoft Endpoint Privilege Management, provided they are using a supported OS version. For more details on EPM, please see https://learn.microsoft.com/mem/intune/protect/epm-overview

Thanks for your participation in this AMA session! In addition to questions posted on this page, we also answer questions posted elsewhere in Tech Community, and in reply to this event streamed on LinkedIn and X (Twitter). Here are the questions we answered during the session, along with associated timestamps:

Question -- What’s the latest on Intune MAM (Mobile Application Management) with the Windows App and/or Remote Desktop apps? - answered at 5:53.

Question -- I know one of the controls on MAM allows for screen capture protection, which prevents the screen assistant to take screenshots-- my question is how does screen capture protection on MAM interrelate with screen capture protection generally in AVD and Windows 365?  - answered at 11:12.

Question -- Can we use MAM to block jailbroken devices? - answered at 15:04.

Question -- Can we require that BYOD Windows folks devices already be up to date on the latest version of Windows? - answered at 17:08.

Question -- Re: MAM, I'm assuming there are grace periods. Are those customizable or preconfigured? - answered at 17:42.

Question from X -- We use Credential Guard with our physical PCs. Is that possible with W365 too? - answered at 22:56. 

Follow up question -- With regards to using Credential Guard with Windows 365, I remember there’s an interplay between using both the HVCI and nested virtualization-- can you clarify is you have to choose one or the other? - answered at 24:57.

Question -- What features are natively in W365 to protect organizational data and where do we need to consider other solutions (Defender or other) to ensure we have robust data protection in place? - answered at 26:46.

Question -- Where does the customer lockbox come into the picture? - answered at 31:06.

Question -- So when talking about the customer key solution, what’s the default if customers don’t use Microsoft Customer Key? And where do you see which key is being used for encryption (if it’s a Microsoft managed key or Customer managed key)? - answered at 32:57.

Question -- What does the user see when they encounter something like screen capture protection? Do they just think their PC isn't working properly? - answered at 35:59.

Question – What sort of visibility is there today that you’re aware of for investments with Cloud Security copilot? - answered at 40:54.

Question -- I read that Windows 10 devices can run Windows 11 on their Cloud PC. Is that right? Do the Windows 10 devices have to support TPM 2.0 to do that? - answered at 43:25.

Question -- I believe that users aren't admins on their Cloud PCs, correct? How do you handle JIT elevation or similar scenarios? - answered at 51:02.

Are you planning any Windows 365 "Tablet" Models similar to "Link" for Frontline Workers ? We would need to manage full tablets even if we just use Windows 365. Would be nice to boot directly to Windows 365 from the Tablet without setting complex Shared Device Modes up.

Welcome to this month's Windows 365 AMA! Today we have Windows cloud security experts on the panel so post your questions here in the Comments. Let's get started!