Accessing Apps from Untrusted PCs: The Difference between Hysolate and Windows 365

Tal Zamir
August 8, 2021

Microsoft recently announced Windows 365 – a dedicated cloud PC, available anywhere. At Hysolate, we’ve always been big advocates of cloud-delivered workspaces, and it’s exciting to see Microsoft embracing this concept. However, there are significant differences between Microsoft Windows 365 and Hysolate Workspace. This post will dive deep into both Windows 365 and Hysolate to shed light on these differences.

What is Windows 365?

With COVID-19, many enterprise workers were suddenly working outside of the office. Organizations were looking for ways to let employees use their untrusted home PCs to access enterprise content without risking a security breach. There was a need to quickly provide employees with an isolated and managed corporate workspace, to safely access corporate applications.

A user with a Windows 365 cloud PC subscription gets a dedicated persistent virtual machine, hosted on Azure and running a corporate image of Windows 10. The user can connect to that remote Windows desktop from any device after installing an agent from Microsoft (or get a limited experience by accessing the remote desktop via the browser).

This might sound very similar to what you would get with existing VDI or DaaS solutions. However, Windows 365 does remove some of the difficulties associated with setting up remote desktops and the issues with their underlying infrastructure. If you’re willing to go all in with the Microsoft manageability stack, you will be able to reduce some of the VDI setup work to prepare the Windows 365 VMs in the Microsoft Endpoint Manager portal, but you will still need to configure things like cloud network subnets, AD domain services synchronization, a custom Windows image you might need to manage/patch, etc.

With Windows 365, each user gets a dedicated standalone VM in the Azure cloud, as opposed to hosting multiple user sessions on a single server VM. A very basic VM spec with 4GB RAM will have a fixed price of ~$400/year per user regardless of usage, approximately the price of buying a new basic physical laptop every year. As the underlying infrastructure requires a full dedicated VM per user, it might be challenging for Microsoft to provide enterprises with 1,000s of cloud PCs on-demand.

In a sense, Windows 365 is Microsoft’s take on desktop-as-a-service (DaaS), with slightly easier setup and maintenance and a move from pay-per-use to fixed monthly cost. Just like DaaS, Microsoft already foresees some user experience challenges with the service and created built-in analytics tools to troubleshoot latency and performance issues through Microsoft Endpoint Manager, as well as the ability to upgrade to a more expensive VM (an action called “Resize”) when the low-end VM hardware resources wouldn’t suffice.

Other DaaS and VDI solutions are able to guarantee a consistent desktop environment by leveraging non-persistent virtual machines that are built on the fly from a clean trusted golden image. Windows 365, however, is exposed to IT maintenance issues as the cloud PC is a persistent long-lived Windows instance that needs to be patched, fixed, and managed just like physical PCs.

We see these as the main challenges for Windows 365:

1. A challenging user experience over a high-latency or low-bandwidth connection. Unfortunately, even in 2021, there are still large regions of the globe in which connectivity isn’t great. As home internet usage is increasing with remote work, remote education, and entertainment, the bandwidth available at home can further shrink. Furthermore, if the Azure region on which the Windows 365 VM is hosted isn’t nearby, latency is expected to be high. This would result in a poor user experience, because every app click requires a full network round trip, something that Microsoft and organizations cannot really change or fix. For users who need to do video calls (e.g. Zoom) on the remote cloud PC, this will also be challenging without special custom tweaks.

2. No offline support. Windows 365 does not currently support any way to work offline. With COVID-19, it’s easy to forget that people still get on airplanes, or need access while working in locations with scarce or limited internet connectivity. Future support for offline access to the same enterprise image hosted on Windows 365 (with the same security controls, same apps, and same data) will be a challenge for Microsoft as it may require syncing dozens of gigabytes of data between the user’s local device and the remote cloud PC, including the custom enterprise OS image, all user applications and data.

3. High total cost per user. To provide knowledge workers with a decent user experience, enterprises would need to spend at least $400/year/user just for the basic plan, not including the operational costs associated with troubleshooting connectivity and scale issues. Furthermore, IT teams will now need to handle another persistent desktop PC that can become faulty due to user error, a broken Windows Update, or malicious software.

4. Insufficient isolation from the user’s home PC. We already mentioned that the remote cloud PC can get infected with malware just like any other persistent PC. However, there’s also a need to put additional security controls in place around access to the remote enterprise desktop from an untrusted physical machine, such as preventing malware from recording sensitive keystrokes sent to the cloud PC, preventing data leakage by users or malware recording their screen, full auditing of sensitive actions, and secure (yet easy) ways to unlock access to the cloud PC on a multi-user home PC that is accessed by random family members.

5. Data security concerns. Putting entire enterprise desktop images and the associated user data fully in the cloud could be problematic for some organizations that prefer not to have their desktops hosted in a public cloud, such as Azure. Infamous cases like the recent Citrix Netscaler vulnerability left scars on IT teams that suddenly had their entire corporate desktops and networks exposed to the world.

What is Hysolate Workspace?

Hysolate Workspace leverages the hardware users already have to instantly spin up a local workspace that is isolated from the rest of the user’s operating system.

Hysolate is useful for a variety of enterprise use cases, including creating an isolated Workspace for risky or sensitive activities on a corporate endpoint. Another major Hysolate use case allows organizations to instantly and securely provide access to their sensitive enterprise applications on an employee’s home device or a contractor’s Windows PC.

Behind the scenes, Hysolate uses the latest Hyper-V VM technology on Windows 10 to create a hardened, isolated, and lightweight Windows VM used for corporate access. From the user’s perspective, switching to the corporate environment is just like switching between desktop spaces, with no need to learn anything new or understand what a VM is. Furthermore, from a performance perspective, the VM is fully suspended when not in active use and therefore does not consume any resources when the user isn’t accessing enterprise apps. Hysolate also leverages dynamic memory, audio/video paravirtualization, delta disks, and other advanced virtualization technologies to make it almost unnoticeable to the user. Needless to say, as the VM is running locally, there is no network lag associated with the corporate desktop – it’s always available, both online and offline.

From the IT perspective, the organization does not need to prepare a full VM operating system image, as Hysolate leverages the clean signed Windows binaries that already exist on the user’s host OS to create the VM. This means that there’s no need to manage another Windows instance in the traditional way that VMs are managed. Organizations can use the Hysolate cloud console to deploy apps and customizations into the VM in an easy centralized way. It also fully integrates with Azure AD to make it easy for Hysolate users and administrators to log in and leverage their existing management stack.

As the VM works locally, it does not require any data center or cloud resources or infrastructure, and there are no associated cloud costs or scale issues.

Finally, from the security perspective, there are multiple security mechanisms in place, such as:

  • The OS in the VM is non-persistent, meaning that it always starts up from a consistent trusted snapshot, so malware cannot persist in the OS.
  • The VM is protected against screenshots and keylogging.
  • The data in the VM is fully encrypted by BitLocker.
  • Enterprises can limit the VM’s network access (e.g. to allow it to only connect to a VPN or to a Zero Trust broker), as well as make sure enterprise apps are exclusively accessible via the VM and not via any other operating system.
  • It’s possible to define fine-grained rules around copying-and-pasting between the two environments, including limits on content type (e.g. text/images/files), size limit, and requiring approval prompts on transfer, per direction.
  • Hysolate can limit access to peripherals such as printers, webcams, and USB devices, with fine-grained control over the types of devices.
  • The VM display can be watermarked to further prevent data leaks.
  • The VM can be wiped remotely.

This combination of a superior user experience, ease of manageability, and advanced security makes Hysolate a great way to provision an isolated corporate workspace for employees and 3rd parties on any Windows device.


Tal Zamir

Tal is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works. An entrepreneur at heart, he has pioneered multiple breakthrough cybersecurity and virtualization products. Before founding Hysolate, Tal incubated next-gen end-user computing products in the CTO office at VMware. Earlier, he was part of the leadership team at Wanova, a desktop virtualization startup acquired by VMware. Tal began his career in an elite IDF technology unit, leading mission-critical cybersecurity projects that won the prestigious Israeli Defense Award. He holds multiple US patents as well as an M.Sc. degree in Computer Science, and the honor of valedictorian, from the Technion.