Windows 365 Customer Lockbox now generally available

Windows 365 Customer Lockbox is now generally available for all organizations with a Microsoft 365 E5 or Office 365 E5 subscription. This security feature ensures that Microsoft cannot access content in your Cloud PCs to do service operations without your explicit approval.

What is Customer Lockbox?​

In some cases, Microsoft support engineers may need to access your content to determine the root cause of an issue and address it. Windows 365 Customer Lockbox requires the engineer to request access from you as a final step in the approval workflow.

With Customer Lockbox, you have the option to approve or deny the request for your organization, and provide direct-access control to your content.

Customer Lockbox is included in the Microsoft 365 or Office 365 E5 subscriptions and can be added to other plans that have an Information Protection and Compliance or an Advanced Compliance add-on subscription. See Plans and pricing for more information.

How to use Windows 365 Customer Lockbox​

Turn Customer Lockbox requests on or off​

You can turn on Customer Lockbox controls in the Microsoft 365 admin center. When you turn on Customer Lockbox, Microsoft must obtain your organization’s approval before accessing any of your tenants' content.

1. Using a work or school account that has the global administrator role, go to https://admin.microsoft.com/ and sign in.
2. Choose Settings > Org Settings > Security & Privacy
3. In Security & Privacy, select Customer Lockbox.
   
   
   
   
   
   Once you select Customer Lockbox, a right-hand column will appear. Check the “Require approval for all data access request” checkbox and press the Save button on the bottom of the column to turn on the feature.
   
   
   

Approve or deny a Customer Lockbox request​

1. Using a work or school account that has either the Global Administrator or the Customer Lockbox access role assigned, go to https://admin.microsoft.com/ and sign in.
2. Choose Support > Customer Lockbox Requests
   
   
   
   
   
3. A list of Customer Lockbox requests is displayed.
   
   
   
   
   
4. Select the Customer Lockbox request, then choose Approve or Deny.
   
   
   
5. A green confirmation message about the approval of the Customer Lockbox request will be displayed.
   
   
   
   
   
   
   

Auditing access​

Once just-in-time (JIT) access expires, the troubleshooting ticket is marked as complete. You can then visit compliance.microsoft.com and select Audit under the Solutions category to see what was done during the session. For Windows 365 specific records, under Record types, select Windows365CustomerLockbox.



Retention policies can be updated based on your organization’s needs. For more information, explore Manage audit log retention policies and Audit log activities for Microsoft 365 services,

Learn more about Customer Lockbox and Windows 365 security​

For more information about Customer Lockbox as a feature in general, see the documentation on Microsoft Purview Customer Lockbox. We also invite you to learn more about Customer Lockbox requests and security concepts in Windows 365.