Windows 365 Cloud PCs and Microsoft Intune for VDI administrators

  • Thread starter Thread starter Christiaan_Brinkhoff
  • Start date Start date
C

Christiaan_Brinkhoff

Are you a Virtual Desktop Infrastructure (VDI) or virtualization administrator using different types of technologies and looking to unify management via modern management with Microsoft Intune? Stop the search, this article is for you. Learn about all the basics of implementing Microsoft Intune together with Windows 365 Enterprise.

In this post, we’ll cover:

What is Windows 365?


Windows 365 delivers Cloud PCs—a complete and secure Windows experience hosted in the Microsoft Cloud and accessible on any device. Whether your employees are full-time or contractors, shift workers or seasonal staff, they can access their personalized Windows apps, settings, desktop, and data on the device of their choice and from wherever they work. Windows 365 Cloud PCs help enable BYOPC (Bring your own PC) programs, onboard employees within minutes, reduce management and security headaches, and ensure your workforce is always up and running. With Microsoft Entra ID and Microsoft Intune, Cloud PCs are easy to configure, deploy, manage, and secure, so you can maximize existing technology resources to meet the needs of all your employees.

What is Windows 365 Frontline?


Windows 365 Frontline is an exciting new offer that allows customers with shift workers the flexibility to provision Cloud PCs for up to three users with the purchase of a single license of Windows 365. In terms of feature stack, we want to bring a certain level of product parity across Windows 365 offerings. If you’re coming from multi-session or server operating system to Windows 365, this is an offering to investigate.

What is Windows 365 Government?


If you are looking for a cloud-based solution that meets the stringent compliance and security requirements of the U.S. government, Windows 365 Government is the right choice for you. Windows 365 Government enables you to stream personalized Windows apps, data, content, and settings from a regulated U.S. government cloud to any device at any time.

Windows 365 Government is designed for U.S. federal, state, and local government agencies, as well as contractors who hold or process data on behalf of those agencies. It is available for customers who qualify to use services hosted in Government Community Cloud (GCC) and GCC High environments, which adhere to specific regulatory and audit standards. With Windows 365 Government, you can benefit from the flexibility, scalability, and security of the cloud while maintaining compliance with your data sovereignty and residency requirements.

Configuring Microsoft Intune


Already have Microsoft Entra ID activated in your tenant as a trial or subscription? If so, skip this step. If not, see Quickstart: Create a tenant (preview). You’ll also need to ensure you have the right licensing. If you have any of the licenses below, you are covered and good to continue:

  • Microsoft 365 E5
  • Microsoft 365 E3
  • Enterprise Mobility + Security E5
  • Enterprise Mobility + Security E3
  • Microsoft 365 Business Premium
  • Microsoft 365 F1
  • Microsoft 365 F3
  • Microsoft 365 Government G5
  • Microsoft 365 Government G3
  • Microsoft Intune for Education

Make sure one of the licenses is assigned to the IT admin account you are using right now! For more information, see Microsoft Intune licensing.

You can also use a Microsoft Intune Plan 1 Trial in the admin.microsoft.com portal to get started or follow these steps to set up Microsoft Intune.

The transition to modern management with Microsoft Intune


Microsoft Intune is an integrated solution that simplifies management and lowers total cost of ownership (TCO) across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints, including Cloud PCs. It empowers organizations to provide data protection and endpoint compliance that supports a Zero Trust security model. This unified management tool brings together device visibility, endpoint security, and data-driven insights to increase IT efficiency and improve user experiences in any work environment.

Intune allows organizations to deliver the best possible endpoint experience through zero touch deployment, flexible, non-intrusive, mobile application management, and proactive recommendations powered by Microsoft Cloud data. Here are more benefits to modern management with Intune:

  • Build a Zero Trust security architecture with a management solution that integrates endpoint security and centralized device compliance based on identity.
  • Cut costs and complexity by managing any device with a single unified tool that’s already integrated into Microsoft 365.
  • Windows 365 Cloud PCs can be managed side by side with other devices running Android Enterprise, iOS/iPadOS, macOS, ChromeOS and Linux in the Intune admin center.
  • If you have an on-premises Configuration Manager environment, you can co-manage domain-joined PCs with Intune.
Migrate user profiles, images, and other traditional components to Intune


If you’re using any virtualization solution right now with OneDrive, we recommend you enable the OneDrive Known Folder Move feature. This allows you to synchronize the user’s desktop, pictures, videos, and documents to OneDrive. Windows 365 supports the OneDrive Known Folder Move feature out-of-the-box, so that the first time the user logs on, the files will be there. Windows 365 uses local profiles only to remove the complexity of profile management solutions such as FSLogix profile container. Cloud PCs are persistent, personal, and dedicated to the user. It’s replicated across multiple zones in an Azure region and automated restore points to make the profile high availability as part of the service.

Enterprise State Roaming is used to roam Windows Settings. Enable this in your Entra ID tenant settings to ensure Windows Personalization settings are also coming over!

Image management


You can use custom images (also referred to as a golden image) if desired. To do so, you need to pre-load your images via Azure as a Managed Image or the Shared Image Gallery. To learn more about creating custom images with Windows 365, see Add or delete custom device images.

For the largest benefit of modern management, we strongly recommend using the Gallery Images included in Windows 365, and to use Intune to install applications. While in VDI, you may have updated your image on a weekly basis, using a Gallery Image eliminates the challenge of repeatedly updating your custom image whenever a single component changes.

large?v=v2&px=999.png

Windows updates with Windows Autopatch


We recommend that you keep your images updated with the latest monthly security updates your version(s) of Windows. How nice would it be to have Microsoft take care of your Windows updates as part of another Microsoft cloud service? Enter Windows Autopatch. Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge, and Teams.

Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, allowing your IT admins to focus on other activities and tasks. Want to learn how to enable Windows Autopatch as tenant in Microsoft Intune? See Enroll your tenant.

Enabling Windows Autopatch for Cloud PCs is extremely easy. Simply enable it via the provisioning policy process and you’re all set.

800x486?v=v2.png

Modern policy management via Intune


Modern management of Windows devices is achieved through mobile device management (MDM) solutions, such as Microsoft Intune. MDM providers allow configuration of Windows settings in a very similar way to AD-based Group Policy Objects (GPO) that many admins are familiar with today. In Intune, configuration profiles allow an administrator to easily add settings related to security, systems configuration, device restrictions, and the user experience. Under the hood, these settings are delivered through Windows Configuration Service Providers (CSPs).

large?v=v2&px=999.png

Migrate GPOs to a Settings Catalog policy


Want to migrate your existing AD-based Group Policies into Microsoft Intune? This can be done with Group Policy analytics. Import your on-premises Group Policy Objects (GPOs), and create an Intune policy using your imported settings that can then be deployed to users and devices managed by your organization.

Based on the import and current usage, Group Policy analytics can find the equivalent setting in the Settings Catalog. To read more about the process, see Create a Settings Catalog policy using your imported GPOs in Microsoft Intune (public preview).

727x603?v=v2.png

Security policies and baselines


Security policies, or security baselines as they are commonly referred to, are pre-configured Windows settings that help you apply a known group of settings and default values that are recommended by Microsoft. When you create a security baseline, you’re creating a template that consists of hundreds of individual configuration policies.

Compliance policies


Compliance policies are used to evaluate a device’s compliance against a pre-defined baseline, such as the requirement for a device to be encrypted or to be within a defined minimum OS version.

There are two parts to compliance policies in Intune:

  • Compliance policy settings: Tenant-wide settings that are like a built-in compliance policy that every device receives. Compliance policy settings set a baseline for how compliance policy works in your Intune environment, including whether devices that haven’t received any device compliance policies are compliant or noncompliant.
  • Device compliance policy: Platform-specific rules you configure and deploy to groups of users or devices. These rules define requirements for devices, like minimum operating systems. Devices must meet these rules to be considered compliant.

Include actions that apply to devices that are noncompliant. Actions for noncompliance can alert users to the conditions of noncompliance and safeguard data on noncompliant devices. These can be combined with Conditional Access, which can block users and devices that don't meet the rules.

Security baselines


Security baselines are configuration options available in Intune for configuring profiles to help you secure and protect your devices and users. These new baselines feature an improved user interface and reporting experience, consistency and accuracy improvements, and the new ability to support assignment filters for profiles. It can save you a ton of time if you select the Windows 365 security baseline and attach it to the Microsoft Entra ID group that includes either your users or Cloud PCs to make them more secure. You can find the settings we enable in this baseline at the List of the settings in the Windows 365 Cloud PC security baseline in Intune. And, for more information, refer to Use security baselines to configure Windows devices in Intune.

large?v=v2&px=999.png

Zero Trust: Conditional Access management and MFA enforcement


It’s essential to secure access to Cloud PC devices in your Windows 365 environment. One way to achieve this is by using Conditional Access (CA), which allows you to secure your environment based on specific conditions. We strongly recommend implementing multi-factor authentication (MFA) for your Windows 365 environment, especially when accessing from unknown locations. Additionally, you may want to consider using security keys based on Fast Identity Online (FIDO) for authentication.

Including cloud app for Windows 365 and Azure Virtual Desktop in our CA policy helps secure all the different ways users are able to connect to their Cloud PCs. (Please note it might be called Windows Virtual Desktop instead of Azure Virtual Desktop in some Microsoft Entra ID tenants.)

Managing CA policies can be done in Microsoft Entra ID or in Microsoft Intune. The screenshot below shows Microsoft Intune, but the configuration is the same if you do it in Microsoft Entra ID.

large?v=v2&px=999.png

After activating this policy for your Cloud PCs, Conditional Access settings will apply and enforce MFA inside the Windows 365 app.

337x404?v=v2.png

Application delivery via Intune


Delivering applications to your end users, whether they’re working primarily on a physical PC or Cloud PC, is a very important factor for enterprises. We recommend that you read this article for great information on application deployment recommended practices.

Within Microsoft Intune, the process is easier as the back-end infrastructure is pre-built to start deploying apps almost immediately! So, what format of apps are supported as delivery types per operating system? Learn about all the supported app types in Intune more at Windows 10/11 app deployment by using Microsoft Intune.

398x349?v=v2.png

.IntuneWin – via Windows app (Win32)


The IntuneWin format is a way to pre-process Windows classic (Win32) apps. The tool converts application installation files into the .intunewin format. You can learn more about converting apps into this format at Prepare Win32 app content for upload.

450x270?v=v2.png

Connecting to on-premises back-end services


Most likely, your Cloud PC will need to connect to back-end services that are either living in a private cloud datacenter on-premises or in Azure. Windows 365 Enterprise supports all Azure Networking services to connect to your own networks via ExpressRoute, Site2Site VPN, or SD-WAN. You must configure this via Azure Networking, meaning it requires an Azure subscription, vNet, and VPN connection. For a proof of concept (POC), you can easily configure a site-to-site VPN connection to ensure your Cloud PCs can talk with your intranet, databases, and application servers. Check out this tutorial to learn how to configure site-to-site VPN.

Once you complete this step, navigate to the Intune admin center to configure an Azure Network Connection before creating the provisioning policy (covered later in the article). There are two kinds of Azure Network Connections (ANCs) based on join type. Both let you manage traffic and Cloud PC access to network based resources, but they have different connectivity requirements.

  • Microsoft Entra join: Doesn't require connectivity to a Windows Server Active Directory (AD) domain.
  • Hybrid Microsoft Entra Join: Requires connectivity to a Windows Server AD domain. You must provide the AD domain details when you create the ANC.

See our documentation to learn more about how to configure an Azure network connection.

large?v=v2&px=999.png

Co-management


Co-management combines your existing on-premises Configuration Manager environment with the cloud using Intune and other Microsoft 365 cloud services. You choose whether Configuration Manager or Intune is the management authority for the different workload groups.

If you are interested in connecting your existing Configuration Manager infrastructure to Microsoft Intune for Co-management, please read How to enable co-management in Configuration Manager for more technical information.

How to provision a Windows 365 Enterprise Cloud PC





Note: This section is enterprise focused. Windows 365 Business, which is designed for small-medium businesses with less than 300 users, can also be used, but we don’t cover that process in this post.

First, ensure that you have Windows 365 Enterprise licenses. You can get them from the admin.microsoft.com portal or your Microsoft Sales representative. If you’re interested in Windows 365 Enterprise trial licenses, please contact us via this form.

For this post, we’re going to focus on Entra ID Join Cloud PCs only. If you’re relying on Kerberos, Hybrid Entra ID Join, Entra ID Join only combined with hosted networking doesn’t require you to bring in your own Azure subscription or networking—it’s very easy to configure! I bet you can do it while watching Netflix. To learn more about Hybrid Entra ID Join, see AD Joined Hybrid Windows 365 management in Intune.

large?v=v2&px=999.png

large?v=v2&px=999.png

Once you have purchased the licenses, assign the licenses to either an Entra ID group or directly to the user's account. The benefit of attaching a license is that licenses and Cloud PCs are automatically assigned to users when they become a group member.

large?v=v2&px=999.png

  1. Go to Devices > Provisioning > Windows 365
  2. Then navigate to Provisioning policies

large?v=v2&px=999.png

  1. Click on + Create policy

large?v=v2&px=999.png

  1. Enter in a name for the provisioning policy.

large?v=v2&px=999.png

  1. Once done, configure your preferred Join type with either Microsoft Entra Join or Hybrid Microsoft Entra Join.
  2. Select the Geography and Region you want to use to deploy your Cloud PCs in. With the automatic region option, you assure yourself of a region that’s always available as fallback. You can also point to one specific region only.
  3. Select whether you want to enable Single Sign On (SSO) as end-user client experience.

801x366?v=v2.png




Note: If you want to connect to your own on-premises network, other Public Cloud or Private Cloud datacenter, make sure to select the Azure Network connection via the other option during the provisioning policy configuration.
  1. If you prefer on-premises network connectivity, you must select Azure Network Connection. There’s a setup process to perform first before you can complete this step.

525x73?v=v2.png

  1. Select the Windows image version you’d like to use. We recommend customers use our pre-configured Windows images with Microsoft 365 apps, Microsoft Teams optimizations, multimedia redirection and other pre-installed settings.
    • You’re also able to use custom images as an option to select (for more AVD custom image templates, see this video). Make sure to upload your images via Azure as Managed Image or via the Shared Image Gallery.

large?v=v2&px=999.png

  1. Now, select the language you prefer to configure as part of the Cloud PC.

842x691?v=v2.png

  1. To create a Cloud PC naming template to use when naming all Cloud PCs that are provisioned with this policy, select Apply device name template. When creating the template, follow these rules:
    • Names must be between 5 and 15 characters.
    • Names can contain letters, numbers, hyphens, and underscores.
    • Names can’t include blank spaces.
    • Use the %USERNAME:X% macro to add the first X letters of the username (optional).
    • Use the %RAND:Y% macro to add a random string of numbers, where Y equals the number of digits to add. Y must be 5 or more. Names must contain a randomized string (required).

869x250?v=v2.png

Another option is to enable Windows Autopatch to have Microsoft take care of the Windows Updates of the Cloud PCs you’re provisioning.

840x463?v=v2.png

  1. Assign the Provisioning policy to an Azure AD Group. Users in this group, need to have a Windows 365 Licenses assigned. In this example, I assigned licenses to the Windows in the Cloud group. So, I only have to add users inside to start provisioning Cloud PCs.

large?v=v2&px=999.png

  1. Once you validated the settings you configured via the summary, click on Create to start the Cloud PC provisioning process. It takes around 30 - 40 seconds to finalize the provisioning of Cloud PCs.

large?v=v2&px=999.png

Connect to your Cloud PC via the Windows 365 app, Boot, or Switch


To connect to your Cloud PCs, you can use various endpoint clients. The easiest way is to connect via the Windows 365 app. For full instructions to install the Windows 365 app, find it here.

large?v=v2&px=999.png

Want to deploy the app to more endpoints on a large scale? Use the new Microsoft Store integration to easily publish the Windows 365 app to all your Windows Endpoints. For full instructions, read the article, Using Intune, install the Windows 365 app on physical devices.

Windows 365 Boot


Windows 365 Boot lets admins configure Windows 11 physical devices so that users can:

  • Avoid signing in to their physical device
  • Sign in directly to their Windows 365 Cloud PC on their physical device

When a user turns on their physical device and signs in, Windows 365 Boot signs them in directly to their Cloud PC, not their physical device. If single sign-on is turned on for their Cloud PC, they don't have to sign in again to their Cloud PC. This expedited sign-in process reduces the time it takes the user to access their Cloud PC.

As for supported hardware devices, Windows 365 Boot works on any device that supports Windows 11. This also includes any mini pc–thin client form factors, such as the Asus/Intel NUC devices.

We’re working on adding a more personal sign-in experience with Windows Hello and extensive UBI key support soon! To learn more about Windows 365 Boot, also check out the blog post, Windows 365 Boot is now generally available!

826x547?v=v2.png

Windows 365 Switch


Windows 365 Switch enables a seamless experience from within Windows 11 via the Task view feature. Windows 365 will be required on the endpoint after which all relevant elements will show up automatically inside the Task view feature (see below).

This new round-tripping feature is extremely valuable for bring-your-own device (BYOD) scenarios when you connect from your own Windows device to a secure company owned Cloud PC. Especially in times when business wants to do more with less—this is a great experience.

Learn more about Windows 365 Switch, see Windows 365 Switch is now Generally Available!

large?v=v2&px=999.png

Citrix and VMware + Windows 365


Both Citrix and VMware provide solutions that leverage all the benefits of Windows 365 with the protocol and client benefits from these partner solutions. It’s extremely easy to enable both solutions via our partner connectors integration inside Microsoft Intune.

Citrix


Citrix HDX Plus for Windows 365 lets you integrate Citrix Cloud with Windows 365. This integration gives you access to Citrix HDX technologies for enhanced Cloud PC security and manageability. You can find more information to configure Citrix and Windows 365 at Set up Citrix HDX Plus for Windows 365 Enterprise.

VMware


VMware Horizon is a cloud-based service that lets you deliver Windows 365 Enterprise desktops to your users from any device and location. With VMware Horizon, you can use the power and security of Windows 365 Enterprise while simplifying the management and deployment of your virtual desktop infrastructure (VDI).

VMware Horizon for Windows 365 Enterprise is in limited public preview. To submit a request to join this preview, see Tech Preview – VMware Horizon extending Microsoft Windows 365. You can find more information about VMware and Windows 365 at Set up VMware Horizon for Windows 365 Enterprise.

large?v=v2&px=999.png

Want to learn more?


Here is list of resources to dive deeper into Microsoft Intune and Windows 365.

Windows in the Cloud – video series:


Additional links:


Books:

  • Mastering Windows 365: order via Amazon
  • Mastering Microsoft Endpoint Manager/Intune: order via Amazon (The new revisited 2023 2nd book version is coming soon.)

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.

Continue reading...
 
Back
Top