This article is contributed. See the original author and article here.

Windows 365 Customer Lockbox is now generally available for all organizations with a Microsoft 365 E5 or Office 365 E5 subscription. This security feature ensures that Microsoft cannot access content in your Cloud PCs to do service operations without your explicit approval.


What is Customer Lockbox?


In some cases, Microsoft support engineers may need to access your content to determine the root cause of an issue and address it. Windows 365 Customer Lockbox requires the engineer to request access from you as a final step in the approval workflow.


With Customer Lockbox, you have the option to approve or deny the request for your organization, and provide direct-access control to your content.


Customer Lockbox is included in the Microsoft 365 or Office 365 E5 subscriptions and can be added to other plans that have an Information Protection and Compliance or an Advanced Compliance add-on subscription. See Plans and pricing for more information.


How to use Windows 365 Customer Lockbox


Turn Customer Lockbox requests on or off


You can turn on Customer Lockbox controls in the Microsoft 365 admin center. When you turn on Customer Lockbox, Microsoft must obtain your organization’s approval before accessing any of your tenants’ content.



  1. Using a work or school account that has the global administrator role, go to https://admin.microsoft.com/ and sign in.

  2. Choose Settings > Org Settings > Security & Privacy

  3. In Security & Privacy, select Customer Lockbox.

    dereksu_8-1709742123348.png

     


    Once you select Customer Lockbox, a right-hand column will appear. Check the “Require approval for all data access request” checkbox and press the Save button on the bottom of the column to turn on the feature.

    dereksu_9-1709742123348.png


Approve or deny a Customer Lockbox request



  1. Using a work or school account that has either the Global Administrator or the Customer Lockbox access role assigned, go to https://admin.microsoft.com/ and sign in.

  2. Choose Support > Customer Lockbox Requests

    dereksu_10-1709742123349.png


  3. A list of Customer Lockbox requests is displayed.

    dereksu_11-1709742123351.png


  4. Select the Customer Lockbox request, then choose Approve or Deny.

    dereksu_12-1709742123352.png

  5. A green confirmation message about the approval of the Customer Lockbox request will be displayed.

    dereksu_13-1709742123352.png

    dereksu_14-1709742123362.png


Auditing access


Once just-in-time (JIT) access expires, the troubleshooting ticket is marked as complete. You can then visit compliance.microsoft.com and select Audit under the Solutions category to see what was done during the session. For Windows 365 specific records, under Record types, select Windows365CustomerLockbox.  


dereksu_15-1709742123364.png


Retention policies can be updated based on your organization’s needs. For more information, explore Manage audit log retention policies and Audit log activities for Microsoft 365 services,


Learn more about Customer Lockbox and Windows 365 security


For more information about Customer Lockbox as a feature in general, see the documentation on Microsoft Purview Customer Lockbox. We also invite you to learn more about Customer Lockbox requests and security concepts in Windows 365.


To learn about submitting support tickets in the Microsoft Intune admin center, please see Get support in the Microsoft Intune admin center.




Continue the conversation. Find best practices. Bookmark the Windows 365 Tech Community, then follow us @MSWindowsITPro on X/Twitter and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.