Microsoft Purview Customer Key for Windows 365 Cloud PCs (preview)

Microsoft Purview Customer Key is a security feature that lets you add an extra layer of encryption to your data within Microsoft 365 services.

When you use Customer Key with Windows 365 Cloud PCs:

  • Your Cloud PC disks, snapshots, and images are encrypted at rest with customer-managed keys.
  • These keys are supplied by you and managed using Azure Key Vault.
  • Microsoft manages all other keys, supporting a secure and controlled environment.

Windows 365 support for Customer Key is in public preview.

Set up Customer Key for your Windows 365 Cloud PCs

  1. Set up Customer Key as explained in the Microsoft Purview Customer Key documentation.

  2. Create a data encryption policy for use with multiple workloads for all tenant users. This step includes assigning a multi-workload policy. Within 3-4 hours of completing this step, your Intune admin center will update to include the Configure button.

  3. Sign in to the Microsoft Intune admin center > Tenant administration > Cloud PC encryption type > Configure.

  4. Under Configure encryption type, select Microsoft Purview Customer Key > Encrypt existing Cloud PCs.

  5. In the confirmation window, select Encrypt. A notification confirms that encryption has started.

Encryption forces a restart for each Cloud PC.

Encryption is limited to 20,000 Cloud PCs at a time. You can repeat these steps to encrypt more Cloud PCs.

Encryption can take a long time, depending on the number of Cloud PCs and the size of their disks. The Cloud PC encryption type page shows a notification when encryption is complete.
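
Step 2 above is done in Exchange Online PowerShell. The following is an added example, not taken from this page or from Microsoft's documentation, showing one way to create and assign the multi-workload data encryption policy. The policy name, admin account, and key URIs are placeholders, and the two-vault check reflects the Customer Key setup requirement of two keys held in separate key vaults.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example. All names and URIs below are placeholders (assumptions).

$PolicyName = 'Contoso-MultiWorkload-DEP'               # hypothetical policy name
$AdminUpn   = 'admin@contoso.onmicrosoft.com'           # placeholder admin account
$KeyUris    = @(                                        # placeholder Key Vault key URIs
    'https://contoso-ck-vault-a.vault.azure.net/keys/ck-key-a'
    'https://contoso-ck-vault-b.vault.azure.net/keys/ck-key-b'
)

# Pre-flight: fail early on a malformed or single-vault configuration.
# Two keys in two different vaults means losing one vault does not lose the data.
foreach ($u in $KeyUris) {
    $parsed = [uri]$u
    if ($parsed.Scheme -ne 'https' -or $parsed.AbsolutePath -notmatch '^/keys/[^/]+') {
        throw "Not an HTTPS Key Vault key URI: $u"
    }
}
$vaultHosts = @($KeyUris | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique)
if ($KeyUris.Count -ne 2 -or $vaultHosts.Count -ne 2) {
    throw "Expected 2 key URIs in 2 different vaults; got $($KeyUris.Count) URIs in $($vaultHosts.Count) vault(s)."
}

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

try {
    # Create the multi-workload policy only if it does not already exist,
    # so the script can be re-run safely.
    $existing = Get-M365DataAtRestEncryptionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-M365DataAtRestEncryptionPolicy -Name $PolicyName -AzureKeyIDs $KeyUris `
            -Description 'Multi-workload Customer Key policy for all tenant users'
    }

    # Assign the policy tenant-wide. This is the assignment that step 2 refers to.
    Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy $PolicyName

    # Confirm which policy is assigned before waiting for the Configure button
    # to appear in the Intune admin center.
    Get-M365DataAtRestEncryptionPolicyAssignment | Format-List
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```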

Next steps

For more information about Microsoft Purview Customer Key, see Overview of service encryption with Microsoft Purview Customer Key.