In the current security landscape, it’s pretty standard you will have to put your Windows 365 Cloud PC for digital forensic investigations. The security team or 3rd party vendor would ask you (the PC Ownership team) for a backup or snapshot of the Cloud PC to run security tools or skim through the files. This blog post intends to get you 100% ready to help and collaborate with security teams on the Cloud PC forensic review.
To put the Windows 365 Cloud PC for review you will need the following:
- Azure Subscription with Storage Account Configured. Additionally, the Azure subscription is linked between Microsoft Intune (MEM Portal)
- Permission Storage Account Contributor for the Windows 365 Application
- A Windows 365 Cloud Enterprise license
- The snapshot stored within the Containers in Azure Storage account – The AAD account, needs to have Storage Blob Data Reader or Storage Blob Data Contributor
Azure Storage Account for Windows 365
I already created the storage account within the Azure Subscription linked with my MEM portal. However, I encountered the below issue as I missed out on the RBAC permissions.
The storage account selection will be grey out when you try to put the Windows 365 Cloud PC in Review
Provide the Windows 365 Application Storage Account Contributor access. Once I added the permission, the storage account would be listed within the Cloud PC review blade.
The overall permissions within the storage account to store the snapshot and to see the snapshot you will need these two permissions:
Place a Cloud PC in review
Login to the Microsoft Endpoint Manager admin center portal and go to Devices – All Devices and select the device starting with CPC-***** and then click on the three dots and select “Place Cloud PC under review.”
Select the Azure subcription, the storage account and further depending upon the secruity incident you will choose allow or deny access to the Cloud PC
After approx 10 mins, you will see the following within the Device actions status
View Snapshot in Azure Storage Account
The Cloud PC snapshot will be listed under the Azure Storage Account – Containers
Snapshot details it’s a *.vhd disk, and the disk size matches the Cloud PC SKU size.
Provide the snapshots to the security teams for analysis. Optionally there is a download button if you wish to download the snapshot (*.vhd) and take it outside the Azure environment for analysis. Post the review, depending upon the outcome, the SOC team will guide you. Note as an admin you must attest that the digital evidence provided demonstrates a valid Chain of Custody (CoC). I am showing the next step of removing the Cloud PC from review.
Remove Cloud PC from Review
Login to the Microsoft Endpoint Manager admin center portal and go to Devices – All Devices and select the device starting with CPC-*****, which you previously kept under review and the notifications
After approx 3 mins, you will see the following within the Device actions status as completed
I hope you will find this helpful information for putting the Cloud PC under secruity review. Please let me know if I have missed any steps or details, and I will be happy to update the post.