Since Windows 365 and Cloud PCs are a service that is constantly being updated with new features and available regions, you will sometimes need to update an existing provisioning policy and all your existing Cloud PCs.
A while back, Microsoft introduced the possibility to apply the updated provisioning policy to all existing Cloud PCs, but this does not cover all modifications; some need a re-provisioning. If we look at what we can update without re-provisioning the Cloud PC, there are three things:
- Changes to Entra single sign-on for all devices
- Changes to region or Azure network connection for all devices
- Changes to region or Azure network connection for a single device
For enabling single sign-on (SSO), the Cloud PC will not need to be restarted unless it was provisioned prior to April 2023. For changes to the region or Azure Network, the Cloud PC will be shut down during the move and unavailable to the end-user, meaning that this needs to be planned and users will lose any unsaved data when they are disconnected due to the move.
But let’s look at each one of these and see how they work.
Changes to Entra single sign-on
Back in 2023, Microsoft finally made single sign-on generally available after it had been in preview for quite some time. This is, when I’m writing this, about 2 years ago, meaning that a lot of organizations might have already enabled it. But if you haven’t, this is how it’s done.
In Microsoft Intune, navigate to Devices and Windows 365 and select the Provisioning policy tab to view all your policies. Find the policy you want to update and select it. Click on “Edit” next to General to edit the part where SSO is located.

At the bottom of the page, find “Use Microsoft Entra single sign-on” and check the check-box next to it. Then press Next then Update at the bottom of the screen to update the policy.

You have now successfully updated the policy for all NEW Cloud PCs being created with this policy. But what about the existing ones?
Well, back at the policy overview page, you have an option to select “Apply this configuration”, which makes it possible to update existing Cloud PCs with some of your updated configuration.

When you click the “Apply this configuration” button, you will get three options. Select “Microsoft Entra single sign-on for all devices”, since we want to update the SSO settings.

When you click this option, you will get a notification that the update has started.

If your Cloud PCs were provisioned before April 2023, the Cloud PC will shut down during the update. Please note that this does not happen instantly; it can take a while to apply for all machines in a larger environment.
Changes to Region or Azure network connection
The other change you can make is to move the Cloud PC to a new region. This could be because the user has moved location, or because new regions have opened up and you want to move the Cloud PC closer to the end-user. Or you may want to move it to a different Azure network.
Please be aware that you CANNOT move from Entra join to Hybrid join using this method. This will require a re-provisioning. You can however move a Cloud PC from an Azure Network Connection (ANC) to a Microsoft hosted network and vice versa, given that they are Entra ID joined. For Hybrid joined Cloud PCs, you can move them between different ANCs.
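The support rules above can be checked per policy before anyone clicks Apply. The following PowerShell is an added example, not part of the original post; it assumes policy objects shaped like the Microsoft Graph beta cloudPcProvisioningPolicy resource (enableSingleSignOn, domainJoinConfigurations), the function name is hypothetical, and the sample policies are constructed.

```powershell
# Added example, not from the original post. Property names follow the Microsoft
# Graph beta cloudPcProvisioningPolicy resource; the sample policies are constructed.
function Get-CloudPcPolicyUpdatePath {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        foreach ($join in @($Policy.domainJoinConfigurations)) {
            # A join configuration that references an on-premises connection uses an ANC
            $network = if ($join.onPremisesConnectionId) { 'Azure network connection' } else { 'Microsoft hosted network' }
            # Rules as stated in the article: Entra joined can move between regions,
            # ANCs and Microsoft hosted networks; Hybrid joined only between ANCs
            $moves = switch ($join.domainJoinType) {
                'azureADJoin'       { 'Region, ANC or Microsoft hosted network' }
                'hybridAzureADJoin' { 'Another ANC only' }
                default             { 'Unknown join type' }
            }
            [pscustomobject]@{
                Policy       = $Policy.displayName
                JoinType     = $join.domainJoinType
                Network      = $network
                SsoEnabled   = [bool]$Policy.enableSingleSignOn
                InPlaceMoves = $moves
                JoinChange   = 'Requires re-provisioning'
            }
        }
    }
}

# Constructed sample input (display names and connection id are placeholders)
$samplePolicies = @(
    [pscustomobject]@{
        displayName = 'W365-Entra-MSHosted'; enableSingleSignOn = $false
        domainJoinConfigurations = @([pscustomobject]@{ domainJoinType = 'azureADJoin'; onPremisesConnectionId = $null })
    }
    [pscustomobject]@{
        displayName = 'W365-Hybrid-ANC'; enableSingleSignOn = $true
        domainJoinConfigurations = @([pscustomobject]@{ domainJoinType = 'hybridAzureADJoin'; onPremisesConnectionId = '00000000-0000-0000-0000-000000000000' })
    }
)

$samplePolicies | Get-CloudPcPolicyUpdatePath | Format-Table -AutoSize

# Against a real tenant (read-only), feed the function from Microsoft Graph instead:
# Connect-MgGraph -Scopes 'CloudPC.Read.All'
# $uri = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/provisioningPolicies'
# (Invoke-MgGraphRequest -Method GET -Uri $uri).value | ForEach-Object { $_ | Get-CloudPcPolicyUpdatePath }
```

Policies that report SsoEnabled as False are the ones where the single sign-on change described earlier still has to be applied to existing Cloud PCs.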

Given that our move scenario is supported, we can go ahead and update our provisioning policy by navigating to Devices and Windows 365 and selecting the Provisioning policy tab. Then open the provisioning policy you want to update and select Edit on the General section.

Scroll down to the bottom and find the Join type details section.

In this example I want to update the policy to use an Azure Network Connection instead of a Microsoft hosted network. But you can just as well update to another region if you are using Microsoft hosted networks, or update to another ANC.

When I’m done I click Next then Update on the bottom of the screen.
We once again select the “Apply this configuration” option, but we select the Region or Azure network connection option.

As you can see, we have the option to either update ALL Cloud PCs related to this policy or we can update selected devices. If you select the bottom one (to update selected devices), you will get the option to select which devices when you press Apply.
PLEASE BE AWARE that this action will disconnect and shut down the Cloud PCs for the end-users, so it’s a good idea to make this change in a controlled manner and make users aware that the change will happen before you click Apply. It’s a good idea to do this during a weekend or another time frame when users are not expected to use these machines.
Intune will give you a notification that the process has started, and this process will take several hours to complete.

Take away
Using these features, you can update your Cloud PC configuration to some extent if you e.g. didn’t enable SSO when you initially configured your device.
It’s also great for optimizing the use of regions and moving users between networks for different reasons.
But as I mentioned, we cannot move from Hybrid join to Entra join using these features. For that scenario a full reprovisioning is needed for the Cloud PC, since the join type cannot be changed in an easy way.