olastrom.com

Category: Windows 365

  • Ignite 2025 – Recap

    Ignite 2025 – Recap

    It’s that time of the year that everyone working in the Microsoft sphere is looking forward to. Microsoft Ignite! (Almost like Christman!).

    This year, I decided to follow the event from home since I for several different reasons was not able to make the trip over to San Francisco this year. It’s not the same thing, but you still get all the information you want, but you miss out on the networking with the community. But on the upside, you can watch Ignite in your sweatpants without anyone noticing!

    If last year’s theme was “AI, AI, AI and AI”, this year’s theme was “Agents, Agents, Agents and Agents”. Sprinkle that with a little bit of Windows 365 and you got the highlights for the digital workplace area.

    But I thought I would share some of the highlights from Ignite that covers Windows, Windows 365 and Intune!

    You can find all the news in the Book of News!

    The recap!

    Previous years I’ve listed all news with links to all the new things. This year I’ll give you the links to the good official blogs.

    So if you want to read about all the cool Windows stuff, you can find it here: Your guide to Windows at Microsoft Ignite 2025 – Windows IT Pro Blog and here: Evolving Windows: new Copilot and AI experiences at Ignite 2025 | Microsoft Community Hub

    The Intune stuff can be found here Your Guide to Intune at Microsoft Ignite 2025 – Microsoft Intune Blog and here What’s new in Microsoft Intune at Ignite – Microsoft Intune Blog

    If you are looking for the Edge for Business news, you can find them here: Edge for Business presents: the world’s first secure enterprise AI browser – Microsoft Edge Blog

    But what caught my attention the most?

    If I pick my two favourite news at Ignite, which I think will have big impact on how we use Windows and Intune.

    Agents in Intune

    The most exciting news, in my opinion, is the agents in Intune. This is truly a game changer for how we will work with Microsoft Intune in the future. Given that Security Copilot is now included in the Microsoft 365 E5 license (400 SCU per 1000 licenses), the old blocker in cost is being removed.

    Working as a consultant seeing a lot of different customer needs and hearing peers talking about “how should we configure things?” and “what impact will this change have?”, I think the new agents will help A LOT. I’m most excited about the Policy Configuration Agent, which on paper will help you configure your tenant using natural language. From my end I imagine uploading my high-level design and the agent configuring based on what I want to accomplish, returning business real business value. I’ve not yet played around with this, but I think introducing agents into Intune makes perfect sense since you usually want to accomplish an outcome, and there are not that many ways to do it (but there are a lot of settings to click through).

    Agents in Windows

    Staying on the topic of agents, there was a lot of news around agents in Windows as well. From Windows 365 for Agents, where you assign a Cloud PC to an agent that will go and work under your supervision to easier access to agents in Windows through what today is the search box on the task bar. I’m personally an avid user of Copilot in my daily work, to help with anything from researching topics and analyzing data to just help me get started with documents and presentations.

    We are also getting a “wake word” for Copilot on Windows. This gave me major flashbacks to the “Hey Cortana” time. Given that Copilot can actually assist you, I think it will be more of a success! However, I’m still really uncomfortable talking to my computer if there are people around, even though I’ve gotten more into dictating messages on my phone instead of typing.

    Key take aways!

    This Ignite was building on top of the narrative we saw from last year. AI is not just a buzzword; it’s a crucial part of the Microsoft ecosystem regardless which product you are working with.

    What I liked was that it’s not just “Copilot” and “AI” we are talking about now, we are seeing more hands-on adoptions with agents creating solutions for us to use. Not just “here go create something”, we actually get value straight away. I think this makes this even more interesting, and useful for a larger crowd!

    The introduction of agents in Intune actually got me excited about Intune again, and I think this is just the start of a pretty exciting journey for all Intune admins out there.

    What was your favorite news from Ignite 2025?

  • Running Microsoft Teams in Windows 365 Cloud Apps

    Running Microsoft Teams in Windows 365 Cloud Apps

    If you have played around with Windows 365 Cloud Apps, which currently is in public preview, you might have noticed that unless you create a custom image you can only publish a subset off applications. However, MSIX applications like MS Teams is currently not supported.

    One feature that you MIGHT have missed with Cloud Apps is that published apps are allowed to launch other apps.

    This means that we can actually start applications we didn’t publish. Which can be a lot of fun to play around with, or if you publish Outlook and need to open an attachment.

    If you want to read more about the Windows 365 Cloud Apps, you can check out the Microsoft Learn page here.

    What I also noticed thanks to a fellow Windows 365 friend, was that if we download let’s say Teams. We can install and run it from the Windows 365 Frontline Shared Cloud PC which is in the back of Cloud Apps.

    What you need to keep in mind however is that once your session ends and your user profile is thrown out; your applications will be gone. Windows 365 Frontline Shared is still running in the background for this, which means that we have the Windows 365 version of a non-persistent Cloud PC.

    Before we get started, I just want to point out that this is more poking around with Windows 365 Cloud Apps rather than being a useful scenario. But it also means you can try stuff out on a conceptual level to figure out if Cloud Apps would work in your organization in the future. I also want to point out that none of these things are supported use of the Windows 365 Cloud Apps, just to be clear on that!

    What apps can I install and run?

    What I’ve found while playing around with this, is that there are some apps which will work and some which will not work. The ones that tend to work is applications which does not require administrator privilege to install (like Teams, Spotify, VScode, Chrome or most apps in the Microsoft Store). These are installed in the user directory where I’m allowed to make changes without being an admin.

    When I tried installing Audacity, which requires admin approval, I was meet with this window asking for admin credentials. For me, it just looped when entering credentials with admin privileges. I also tried to launch an elevated PowerShell session, but it wont let me.

    But I can without a problem install and run Teams and VSCode.

    The downside of this is once I close the application, there is no good way to get back to it. With Teams you can just click the install file or “Open in Teams” if you are using Teams on the web. But for other applications its a bit tricker such as VSCode in this example where I need to run the installation again.

    What more can we do? Well we can start the Microsoft Store by browsing to the web version and click “Open Store app” unless you block it with any policy in your environment.

    From here we can just find let’s say Windows Terminal and launch it.

    And now we have the Terminal running in our Cloud Apps making it possible for us to access even more apps from e.g. Winget or launch about anything we want.

    But let’s move back to Teams.

    Installing and running Microsoft Teams

    Being able to run other apps which are not published is quite a good thing since this means that we can open links and other things. What did surprise me was that I out of the box can install applications which does not require administrator privileges.

    Like I said, Microsoft Teams is one of those apps and maybe an app which is interesting for many to use. So far, I haven’t found a good way to do it but I think it’s a good start that you can do it. And it shows that “yeah we can use Teams this way”.

    How I setup this to work is that I defined the start page Microsoft Edge to be the download page of Microsoft Teams through an Intune policy. When I launch my Edge Cloud app, the Teams installation file is automatically downloaded and once I click “Open file”, Teams will install and launch.

    You could also do this from the Teams web app, and select to download the desktop app. What I’ve noticed is that sometimes you might need to open it several time before it actually launches. But once it has launched, you can use a fully Cloud PC optimized Teams!

    Bonus finding

    While playing around with this, I also noticed that I could open the file explorer through the download tab in Edge by pressing the small folder next to the file name.

    If you navigate to “%ProgramData%\Microsoft\Windows\Start Menu\Programs” you will find all the apps listed in the Windows 365 Cloud Apps page, which is the default start menu for all users on this Cloud PC.

    Key take aways

    Being able to launch applications which are not published could be really useful, and making it possible for me to install something and just run that application while my session is active.

    What is even more useful is that this is applicable for wherever you can use the Windows app. So, I can run the Edge Cloud App from my iPhone and launch Microsoft Teams. Don’t ask me why I would, but I can.

    Given that this is a preview feature, and Microsoft has stated that a lot of things are in the making (like discovering MSIX applications like MS Teams), I would say that this is more fun to play around with than actually useful in a production scenario or real-life scenario. If running Teams as a Cloud App is an important feature for you, I would suggest you wait for the final product rather than doing this hack/workaround since this is not supported.

    If you just want to mess around and try out what you could do, feel free to explore this further and if you figure out any cool scenarios, share them!

    Given that this is in preview, I would assume that it’s not in it’s final shape and form. While writing this, Microsoft Ignite is around the corner and we can always hope for some cool updates related to this!

  • I took Windows 365 Link for a test drive

    I took Windows 365 Link for a test drive

    At Microsoft Ignite last year (2024), Microsoft release a small black computer called Windows 365 Link which I wrote a post about which you can find here.

    In the first release wave, only a few countries were included. When this post is being written, the second wave has just been announced and we now have the Link available in the following countires:

    • Australia
    • Canada
    • Denmark
    • France
    • Germany
    • India
    • Japan
    • Netherlands
    • New Zealand
    • Sweden
    • Switzerland
    • UK
    • USA

    And since I’m based in Sweden, we were included in the second wave so I just got my hands on a test unit!

    What is the Windows 365 Link and first impressions

    So the Windows 365 Link is a small computer, which is surprisingly heavy given it being a little bigger than an Apple TV. It’s a compact device and it feels sturdy. It has a matt black plastic casing and a non-slip bottom.

    The concept of Windows 365 Link is to be 100% honest not new on the market. Thin clients have been around for a long time. But this is like Windows 365 in general, it’s just made way simpler. It’s your link to Windows 365 and built for Windows 365 and not to work with any virtual environment. For what it’s built for, it’s an awesome device. Oh, and the best part (in my opinion) is that it runs Windows, and you manage it from Microsoft Intune. This means that your device management team can just treat it like any Windows device.

    When I first setup the device, I thought I did something wrong because I just booted it up, connected to a Wi-Fi and signed in. Then I was done. It was super fast and I was sure that something went wrong since I hadn’t added it to the corporate device identifier list for device preparation. Turns out I had enabled personal devices for testing something a while back and hence it went straight through!

    Before we start

    One thing you will learn either the hard way or if you read the Microsoft documentation, is that it’s recommended to supress the SSO prompt you get when you sign into a Cloud PC the first time. Using SSO with your Cloud PC is a requirement in order to use the Link.

    You will do this in two steps and I found the Microsoft documentation fairly easy to follow along. What you need to initially do is to create a Entra ID group where you place all your Cloud PCs (dynamic group would be preferred). You can use a dynamic device group query like this one:

    (device.deviceModel -startsWith "Cloud PC")

    When you have created your group, follow these two steps.

    1. Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID | Microsoft Learn
    2. Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID | Microsoft Learn

    What this does is to supress the SSO pop-up which will prohibit you from actually signing in to your Cloud PC on a Windows 365 Link since the Link does not support this interaction at this point in time.

    Setting up the device

    But how would we set up the device in a proper way?

    To be honest, Microsoft own guide for this is so good and easy to follow so I won’t even try to recreate it. You can find it here!

    In order to successfully enroll the device, you also need a Device Preparation Policy which is not described in the guide. If you have been playing around with this for physical devices (often called Autopilot V2), you can re-use the one you have. Otherwise, here is a guide to create one.

    Since most companies does not allow personal devices to be enrolled, you got two options. Create a new enrollment restriction policy targeting ONLY your Windows 365 Link devices (this is described in the Microsoft guide), or you need to add them to the “Corporate Device Identifier” list. You need to upload a CSV with all your Windows 365 Link device you want to enroll. The format should be something like this:

    Microsoft Corporation,Windows 365 Link,[DEVICE SERIAL NUMBER]

    What this does, is to allow you to enroll devices which are pre-registered using Device Preparation.

    When you have gone through all the preparations, you are now ready to go!

    Just plug it in to a monitor, connect keyboard and mouse!

    When enrolling the device, you can either join it as a personal device or as a shared device using a Device Enrollment Manager (DEM) account (we haven’t seen the need for those in a while). Depending on your usage scenario, you choose one of those, but the enrollment will happen in the same way.

    The OOBE is a lot slimmed down compared to a normal PC. You basically miss the enrollment if you blink. Enrollment is done with a personal user if this will be a user’s primary device, your you can enroll it using Device Enrollment Manager (DEM) account if it’s a shared device.

    When the enrollment is done when you are asked to sign in to your Cloud PC, and this means that you are ready to go!

    Using the Link

    I’ve been forcing myself to use the Link as my daily driver when working from home. Just to get sense of what the experience is. My experience with using thin clients is quite limited, so I might be blown away by obvious things here. But then you need to take into consideration that I come from a pure Intune background and my experience with the virtualization space is Windows 365.

    I’m really impressed by the responsiveness and how smooth the user experience is. When using it as my daily driver, I sometime forgot that I was using Windows 365. The experience is that good!

    What I do miss however is to be able to use Windows Hello for Business to sign in. I can use a FIDO2-key (like a Yubikey which I’m using) which works really well. But I can’t use my fancy Logitech camera with support for Hello. I kind of get it since this device has been positioned for hot desking. So, it makes sense from that aspect.

    What I do miss however is a USB-C port on the front. There are a few ports, including one USB-C port on the back. But on the front, we only get a USB-A. If you have gone for a more future proof FIDO2-key with USB-C, this gets a little bit more complicated to use since that port is on the back.

    I think one thing that becomes important as well might be to have a screen with a built in USB-hub. If you have a headset, mouse/keyboard and a web camera, you are missing one USB-port (if not one of these are USB-C).

    What I like and don’t like

    Overall, I really like the simplicity of the Windows 365.My “home office test” is probably not the ideal use case for this device. It makes more sense in shared office space to be honest.

    What I did like:

    • The simplicity.
    • The esthetics. It’s sleek and pretty discreate.
    • The “like local experience”. It makes Windows 365 feels like a physical PC.

    What I think could be improved:

    • The number of ports.
    • The lack of a dedicated user mode. (I get why though).
    • No way to control sound output source.

    My two cents

    Should you buy one for your personal office space? Probably not. It’s a nice device. But you kind of notice from the experience that maybe this is not really ment for personal use.

    Should you buy it for a shared workspace or hot desking? Absolutely! A great way to create a simplified shared environment.

    The more hardcore virtualization people will claim that “this is nothing new, it’s just a Microsoft thin client” and that is true. But what I really love about this is that your device team can deploy this by using the tools they already have. Sure, you don’t get the perks that e.g. IGEL brings, and you are locked into Windows 365 only (no AVD). But if you are looking to make a move to simplify your setup and use the “Windows 365 mindset” this device makes perfect sense.

    One thing I’ve heard people comment on is that: “there is no way to install agents on it, we require a webfilter/proxy agent for all our devices on the network”. To be honest, this device should live on the internet and not corp-net. All user traffic happen from the Cloud PC where you can have this agent installed. There is no way the end-user can browse the internet from the Link it-self. If you look at the documentation Microsoft specify which ports and URLs needs to be allowed in your firewall/proxy. I know we are not in a world where we put our devices on a pure internet connection yet (the zero trust way of doing things). Maybe this could be the driving factor to re-think how we are using devices in the office?

    Is it the perfect device? Probably not. Can you buy something else and get the same user experience? For sure.

    But can you buy something else and have such a simple end-to-end solution? No!

    I think this is where the Link fits into the puzzle. It’s simple and if you are just entering the world of Windows in the Cloud, this is a great entry ticket! It’s not just about the Link as a standalone device. You need to look at it as a part of a bigger picture and a key player in the Windows 365 eco system.

    After using it for a few days, I’m even more convinced that Windows in the Cloud is the future for Windows. Sure, you can close your laptop and just return to where you left of. But imagine being able to just leave the laptop and keep working from whatever device you have at hand, where you left of. We are only in the beginning of a reinvention of how we use Windows in our day-to-day life!

  • Making changes to existing Cloud PCs

    Making changes to existing Cloud PCs

    Since Windows 365 and Cloud PCs is a service which is constantly being updated with new feature and available regions, making updates to an existing provisioning policy and all your existing Cloud PCs.

    A while back, Microsoft introduced the possibility to apply the updates provisioning policy to all existing Cloud PC, but this will not cover all modifications, some need a re-provisioning. But if we look at things we can update without re-provisioning the Cloud PC, we have three things:

    • Changes to Entra single sign-on for all devices
    • Changes to region or Azure network connection for all devices
    • Changes to region or Azure network connection for a single device

    For enabling single sign-on (SSO), the Cloud PC will not need to be restarted unless it was provisioned prior to April 2023. For changes to the region or Azure Network, the Cloud PC will be shut down during the move and unavailable to the end-user, meaning that this needs to be planned and users will lose any unsaved data when they are disconnected due to the move.

    But let’s look at each one of these and see how they work.

    Changes to Entra single sign-on

    Back in 2023, Microsoft finally made the move to put the single sign-on as generally available after having been in preview for quite some time. This is, when I’m writing this, about 2 years ago meaning that a lot of organizations might have already enabled this. But if you haven’t this is how its done.

    In Microsoft Intune, navigate to Devices and Windows 365 and select the Provisioning policy tab to view all your policies. Find the policy you want to update and select it. Click on “Edit” next to General to edit the part where SSO is located.

    At the bottom of the page, find “Use Microsoft Entra single sign-on” and check the check-box next to it. Then press Next then Update at the bottom of the screen to update the policy.

    You have now successfully updated the policy for all NEW Cloud PCs being created with this policy. But what about the existing ones?

    Well, back at the policy overview page, you have an option to select “Apply this configuration”, which makes it possible to update existing Cloud PCs with some of your updated configuration.

    When you click the “Apply this configuration” button, you will get three options where you select “Microsoft Entra single sign-on for all devices“, since we want to update the SSO settings.

    When you click this option, you will get a notification that the update has started.

    If your Cloud PCs where provisioned before April 2023, the Cloud PC will shut down during the update. Please notice that this does not happen instantly, it can take a while to apply for all machines in a larger environment.

    Changes to Region or Azure network connection

    The other change you can do is to move the Cloud PC to a new region. This could be due to that the user has moved location or due to new regions opening up and you want to move the Cloud PC closer to the end-user. Or you want to move it to a different Azure network.

    Please be aware that you CANNOT move from Entra join to Hybrid join using using this method. This will require a re-provisioning. You can however move a Cloud PC from an Azure Network Connection (ANC) to a Microsoft hosted network and vice versa given that they are Entra ID joined. For Hybrid joined you can move them between different ANCs

    Supported move scenarios

    Given that our move scenario is supported, we can go a head and update our provisioning policy by navigating to Devices and Windows 365 and select the Provisioning policy. Then open the provisioning policy you want to update and select Edit on the General section.

    Scroll to down to the bottom and find the Join type details section.

    In this example I want to update the policy to use a Azure Network Connection instead of a Microsoft hosted network. But you can just as well update to another region if you are using Microsoft hosted networks, or update to another ANC.

    When I’m done I click Next then Update on the bottom of the screen.

    We once again select the “Apply this configuration” option, but we select the Region or Azure network connection option.

    As you can see, we have the option to either update ALL Cloud PCs related to this policy or we can update selected devices. If you select the bottom one (to update selected devices), you will get the option to select which devices when you press Apply.

    PLEASE BE AWARE that this action will disconnect and shutdown the Cloud PCs fot the end-users, so it’s a good idea to do this change in a controlled manner and make user aware of that the change will happen before you click apply. It’s a good idea to do this during a weekend or other time frame when users are not expected to use these machines.

    Intune will give you a notification that the process has started, and this process will take a several hours to complete.

    Take away

    Using these features, you can update your Cloud PC configuration to some extent if you e.g. didn’t enable SSO when you initially configured your device.

    It’s also great to optimize the use of regions and move users between networks for different reason.

    But as I mentioned, we cannot move from Hybrid join to Entra join using these features. For that scenario a full reprovisioning is needed for the Cloud PC since the join type cannot be changed in a easy way.

  • Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Some of you might have noticed that when updating a Windows 365 Cloud PC to Windows 11 24H2, the shutdown button appears out of nowhere in the start menu, which can cause some weird behavior for the end-users.

    Shutting down the Cloud PC isn’t really anything you should be bothered with. Restarting, yes, but if you do a shutdown, it will boot back up again within a few minutes.

    With the Windows 11 24H2 update to Windows 365, if you upgrade from an earlier Windows 11 version, this registry value will be reset.

    While I still encourage you to provide feedback to Microsoft, the fix for this problem is fairly simple!

    There are two ways we could go about addressing this. We could either create a configuration using the Settings Catalog or use proactive remediation. We will get the same result in the end, so it depends on how you like to do it. I will show you both ways in this blog post, and how you can configure it.

    Settings catalog

    In Microsoft Intune, head into Devices > Windows > Configuration and create a new configuration profile by clicking “+ Create“. Select Settings catalog as the profile type and click create.

    Give the profile a good name which makes sense in your environment.

    Search for “Start” and find “Hide Shutdown” in the list, then check the checkbox next to it. Close the fly-out.

    Make sure to enable the setting before moving to the next step.

    In my case, I will skip scope tags and move straight to Assignments, where I select “All devices” and filter out Windows 365 with a filter.

    Last step is to review and create the policy. And then you just need to wait for the policy to apply.

    Proactive remediation

    The scripts

    The easiest way to deploy a scripted solution for this is to use remediation, since then we can also get feedback on how many devices had this issue. We can have it continuously checking or just run once.

    But in order to set up a remediation, we need a detection and a remediation script (you could run everything in the detection script, but you won’t get any feedback if you want to run it more than once).

    You can find the scripts either on my GitHub repository or just copy them from here.

    Detection script

    # Created by Ola Ström, olastrom.com
# Date: 2025-01-21
# Version: 1.0

# PowerShell script to update the registry value

# Define the registry path and value
$registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
$valueName = "value"

# Check the current value
$currentValue = (Get-ItemProperty -Path $registryPath -Name $valueName).$valueName

# Check the value and set the appropriate exit code
if ($currentValue -eq 1) {
    Write-Output "Registry value is set to 1."
    exit 0
} else {
    Write-Output "Registry value is not set to 1."
    exit 1
}

    Remediation script

    # Created by Ola Ström, olastrom.com
# Date: 2025-01-21
# Version: 1.0

# PowerShell script to update the registry value
$registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
$registryName = "value"
$registryValue = 1

# Set the registry value
Set-ItemProperty -Path $registryPath -Name $registryName -Value $registryValue

Write-Output "Registry value updated successfully."

    Intune part

    In Microsoft Intune, navigate to Devices > Scirpts and remediations.

    Select “+ Create” in the ribbon and give your remedation a good name, then press next.

    Now we will add the detection and remediation scripts, which you need to save as PowerShell scripts on your device to upload to Microsoft Intune. Change the “Run script in 64-bit PowerShell” to yes, but leave all the other options at their default values and press next.

    On the Assignment tab, select your target group. I’m using “All devices” with a filter for Windows 365.

    On this step, you also set the schedule by pressing on the text “Daily”, which is the default value. You can then choose if you want it to run once, hourly, or daily.

    When you have selected your schedule, press next to review your settings before pressing create.

    And now we wait until the remedation runs…

    Monitoring the remediation

    You can follow up the progress of your remediation by checking the device status on the remediation you just created.

    In this view, you can follow up on individual devices and see how many devices were affected.

    If the script detects that the value is set to anything other than “1”, it will run the script to fix it, and you can see here if the issue was fixed or not. This is not dependent on whether the script runs on a schedule or just once; you will still get feedback if any issues were found.

    What happens on the Cloud PC?

    Both ways will give the same end result for the end-user: the shutdown button will disappear, removing the option to shut down the Cloud PC (which is good).

    Take aways

    I’m not saying that one way or the other is the correct way; it’s just different ways to address the problem. Both of them have advantages, where the settings catalog will set the value and always keep it that way, and the remediation will check if the value is incorrect and change it if needed.

    You can also reuse this script for other registry entries you would like to change, so feel free to reuse it!

  • Windows 365 Link – What’s the fuzz all about?

    Windows 365 Link – What’s the fuzz all about?

    One of the things that it felt like a lot of people during Microsoft Ignite were really excited about, at least people working in the device management space, was the announcement of Windows 365 Link. A small black box with the Microsoft logo on it.

    Front and side view of Windows 365 Link device (cube shape)

    What I do think, after seeing a lot of posts on social media about it, is that some people didn’t exactly get what it is (but they were still excited). There were talk about “What’s the performance on this thing?”, “Can I use it as a media center?” and “Those are only legacy ports”.

    Well this isn’t your regular computer. This is what the IT business has defined as a thin client for several years, but done in a more Microsoft way! And that is actually the reason I’m excited. It’s a Microsoft device, running Windows, which we can use for ONLY connecting to the Windows 365.

    Let’s dig into what this device is, and what it isn’t!

    What it is and what it isn’t

    So let’s start of by talking about what this device is.

    This is a small, fanless, computer made out of 90-100% recycled material (90% recycled aluminum, 100% recycled copper and  96% recycled tin solder). It also runs Windows, but not your regular Windows 11. This runs a special version called Windows CPC which has been developed specifically for this device. The Windows CPC operating system is stripped of all things that are not needed to keep the device secure and being able to use Windows 365. So if you where hopeing that you would get the Microsoft version of a Mac Mini, I’m afraid you will be disapointed. If you had you hopes up that this would be your new NUC or media PC, you will have to rethink why you should get this device.

    It’s also has a lot of what some people would concider “legacy” ports. But imagine the usecase for this. Maybe a call center, hot desking scenario or maybe even a sales station. If we take an honest look at what our perifirals are using today out in the business, we will see a lot of USB type A cabels for our mouse, keyboards and headsets. So keeping in mind where this device belongs, it makes sense at least to me since we will see USB type A for a forseeable future in those scenarios.

    I think what is important to point out as well is that this device is secure by default. All applicable secuirut features (TPM, Bitlocker, SecureBoot, Hypervisor Code Integrity, Defender for Endpint) are enabled and CANNOT be turned off. This to make sure that this device is as secure as can be at all points. We can also use FIDO keys to easily sign into our Windows 365 session!

    But I want to manage this thing!

    Like I said, this is a purpose built device for Windows 365 and what makes it special is that its running a specialized version of Windows. This also means that we can manage it from Microsoft Intune. No need to have yet another tool to manage your thin clients. For me, not beeing a hardcore EUC person, this is a kille feature.

    In my experiance, a lot of device management teams always strive to minimize and optimize the amount of tools used to manage the workplace. If we can have everything in Microsoft Intune, that is a strong selling point in my book. I understand that others might not feel this way, but let’s face it, there are a lot of other great products that you can use in that case! Same thing goes for if you are looking to use this for Azure Virtual Desktop or DevBox. This is Windows 365 only.

    Given that it’s Windows based and we can manage it from Microsoft Intune, guess how we onboard this device? Ofcourse we will use Windows Autopilot. In the demos shown at Ignite, this process was very fast since not that much needs to happen. It will be very interesting seeing this one in live action when released!

    When can I get my hands on this device?

    Microsoft announced at Microsoft Ignite 2024 that this device will be launhed in public preview in January 2025, and to get in the preview you will need to talk to your Microsoft sales contacts. The launch of this device in general availability will be around April in 2025 and will cost $349.

    Screenshot of Windows 365 Link device (cube shape) between and connected to two monitors

    The announced countires which will initially be supported in the preview are United States, Canada, United Kingdom, Germany, Japan, Australia, and New Zealand.

    So getting your hands on this device might not be that easy, but worth a try if you have some awesome usecases you want to use this in. It has great potential, but for some really specific usecases. I’m not seeing this as the device for all information workers, but it could be a great fit for frontline workers who comes and goes, especially between different places.

    If you want to read more about the Windows 365 Link, check out the Microsoft blog post which was released during Microsoft Ignite.

    My thoughts on the Windows 365 Link

    So what are my thoughts on this device?

    In my world this will simplify the adoption of virtual clients even more for a lot of organizations. Organizations already running VDIs and have a big infrastructure in place around thin clients might just say that “we have been doing this for X amount of years, this isn’t new”. Then this device might not be for you initially to be honest.

    But if you are looking into moving into a virtualization space, or want to get rid of those dreadfull shared computers your frontline workers are using. This is a very easy way forward if you combine it with Windows 365 Frontline!

    Microsoft is also pushing a lot for sustainability with the Windows 365 Link, and it’s great that this has been a big part of the product development (I love it). But let’s face it, the best option from a sustainability perspective is to re-use old hardware that you already have, and there are great options to do this using e.g. IGEL OS or simply build a Windows based kiosk device.

    But if you want to keep everything in Microsoft Intune and don’t really have any old hardware you can repurpose, this is a great option. I’m really curious to see how this device performs out in the wild, and how the look and feel is.

    Oh and did you notice that I didn’t mention any hardware specs? Well since we will run everything in the cloud, that doesnt really matter to be honest as long as it’s powerfull enought. My guess is that the public preview being launched will show if that is the case or not!

  • Microsoft Ignite 2024 Recap

    Microsoft Ignite 2024 Recap

    Microsoft Ignite 2024 was once again back in Chicago, where it all started in 2015. I remeber having such FOMO not being able to go there, since one of my favourite bands at the time (the Chigaco band Fall Out Boy) played at Ignite.

    But it was great being back at a large event, and Microsoft does a good job running big events. This was still a “small” Ignite with about 10 000 participants, but that is still A LOT of people. I went there with my colleagues from Advania, which was a lot of fun!

    The red tread through Ignite 2024 was of course Copilot, “the UI of AI”. So it was Copilot everything, and you can really tell that this is the big bet going forward. So if you haven’t paied attention to Copilot yet, now is the time to start.

    But since that Copilot is the big thing, I decided to actually put Copilot into good use and help me find all the important updates around Windows, Windows 365 and Intune for this blog post. This is the prompt I used to create my draft, it did however miss a few important points so consider using this prompt for drafts.

    Can you help me gather all news around Windows, Windows 365 and Microsoft Intune from Microsoft Ignite 2024. I want to devided into each topic, with the topic stated as the H1 heading, and then each news per area as H2 headings.
for each news, write a short descriptive text.
make sure to only reference Microsoft sources

    Microsoft gathers all news from Ignite in the Book of News which was released on the first day of Microsoft Ignite. If you want to check out the full list, you can find the Book of News 2024 here.

    It was also great meeting all the community people which I haven’t seen in a while, both MVPs and Microsoft people.

    Windows

    Windows Resiliency Initiative

    Microsoft introduced the Windows Resiliency Initiative to enhance the reliability and security of Windows. This initiative aims to allow more applications to run without requiring admin privileges, implement stronger controls for apps and drivers, and improve identity protection. These measures are designed to make Windows more robust and secure for all users[1].

    Windows Hotpatching

    Windows 11 Enterprise, version 24H2, introduces hotpatch updates that apply security patches immediately without requiring a restart, reducing disruptions. Devices receive a standard monthly security update and restart in the first month of each quarter, followed by hotpatch updates in the next two months. Managed via Intune and Windows Autopatch, hotpatching can auto-detect eligible devices and streamline update deployment. The public preview invites user feedback to improve the service before general availability, with more information to be shared as the rollout continues.

    Read more here: Hotpatch for client comes to Windows 11 Enterprise

    Quick Machine Recovery

    This new feature allows IT administrators to remotely execute targeted fixes from Windows Update on PCs that are unable to boot. This capability is particularly useful for quickly resolving issues without needing physical access to the affected machines, thereby reducing downtime and improving efficiency[1].

    Collaboration with Endpoint Security Partners

    Microsoft is working closely with endpoint security partners to improve security and reliability. This collaboration includes new requirements for partners, such as controlled gradual rollouts and enhanced incident response processes. These efforts aim to ensure that security updates and patches are deployed smoothly and effectively[1].

    Windows Hello has been extended to support passkeys, offering a simpler and safer way to sign in. This enhancement aims to improve user convenience while maintaining high security standards[1].

    Administrator Protection

    This new feature allows employees to make system changes using temporary admin tokens. By granting temporary admin privileges, this feature enhances security by reducing the risk of unauthorized changes while still allowing necessary modifications[1].

    Read more about Administrator Protection here: Administrator protection on Windows 11

    Windows 365

    Windows 365 Link

    The Windows 365 Link is a new class of devices built to connect securely to Windows 365 in seconds. These devices are designed to provide a seamless and secure connection to the cloud, enabling users to access their Windows environment from anywhere[1].

    You can read more about the Windows 365 Link here: Windows 365 Link—the first Cloud PC device for Windows 365

    Windows 365 Frontline shared mode

    Windows 365 Frontline now supports shared mode for brief, ad-hoc tasks. This feature allows multiple users to share a single device for short-term tasks, improving flexibility and resource utilization[2].

    Want to read more? Check this official Microsoft blog post: Windows 365 Frontline shared mode now in public preview – Windows IT Pro Blog

    Windows in Mixed Reality

    Windows 11 capabilities are now available on mixed reality headsets like Meta Quest 3. This integration brings the power of Windows to the mixed reality space, enabling new immersive experiences and applications[2].

    Mobile Application Management (MAM)

    Enhanced device redirection and security features are now available on unmanaged devices. These improvements provide better control and security for mobile applications, even on devices that are not fully managed by IT[2].

    Microsoft Intune

    AI and Analytics

    Intune Enhanced device hardware inventory

    Intune now offers enhanced device hardware inventory, allowing administrators to query multiple devices and take remote actions based on the query results. This feature provides deeper insights and more control over the device fleet[3].

    You can read more here: Enhanced hardware inventory in Intune coming in December

    Security Copilot in Intune

    Security Copilot brings AI-powered endpoint security to Intune, offering real-time threat detection and response. This integration enhances the security posture of managed devices by leveraging advanced AI capabilities[3].

    Device Management

    Cross-Platform Device Inventory

    Intune’s device inventory capabilities are expanding to include iOS, Android, and macOS devices by early 2025. This expansion allows for comprehensive management of a diverse range of devices from a single platform[3].

    Enhanced macOS Management

    New options for certificate storage in the user keychain have been introduced for macOS devices. These enhancements improve the security and manageability of macOS devices within the Intune environment[3].

    Specialty Devices

    App Protection Policies for Apple Vision Pro

    Intune now supports configuring app protection policies and Conditional Access for Apple Vision Pro. This support ensures that these advanced devices can be securely managed and used within enterprise environments[3].

    EPM Support for ARM64

    Elevation requests from ARM64-based Windows devices are now supported in Intune. This feature allows for better management and security of ARM64 devices, which are becoming increasingly popular[3].

    References

    [1] Microsoft Ignite 2024: Embracing the future of Windows at work

    [2] Microsoft Ignite 2024 Book of News

    [3] Microsoft Intune news at Microsoft Ignite 2024

  • Let’s improve onboarding for Windows 365!

    Let’s improve onboarding for Windows 365!

    Through out the years, I’ve worked with a lot off different customers, and almost all of them use some kind of ITSM tool (such as Jira ServiceNow) to order new services and hardware for users. This is usually where Windows 365 is added as a service where I as an end user, or manager, can request it.

    But what if you don’t have an ITSM tool, but I still want to offer the self-service option?

    Well, in Entra ID there is something called “Access packages” which we can use for this puropse. If you want to read more about what that is, check out the Microsoft documentation here.

    With Access packages, we can create a self-service portal, where end-users can request memebership to a group. This group can then have a license tied to it, what is also known as Group Based Licensing. The user will then request membership to the group, you can add approvals and set a time frame that this membership should be valid. You can also add access reviews to check in with the user to see if they are still using the service.

    So let’s jump into how an easy setup of this would look like, and then have a look at the user experiance. However, this setup is assuming you have already setup group based licensing for Windows 365.

    This setup also assumes that you are targeting provisining policies to all users already (I’m using dynamic, country based groups as descibed in this post).

    Setting upp Access packages

    To set up access packages, we head into the Entra portal (https://entra.microsoft.com) and navigate to Identity > Identity Governance > Entitlement Management and then look for “Access packages” in the menu.

    We will just create a very basic setup for this, so lets go ahead and click on “+ New Access Package“. First step is to give your policy a name and descripton. Remeber, the description is a required field. We will leave the catalog to “General” which is the default value. When done, hit next on the bottom of the windows.

    Since we want to configure a memebership to a group, select the option “+ Groups and Teams” and find

    Since we are just going with default values, you might need to check the “See all Groups and Teams…” check-box in order to find your group. When you have found the group, click select. If you are not already targeting users with a provisioning group, you need to add that here as well.

    When you have added your group, remeber to change the Role to member before hitting next.

    In the next step, we will define our Request flow. In this example I will make this apply for all users in my tenant, and I will allow all users to place a request.

    The next part is to define the approval process. You can also remove approvals completely, but since Windows 365 comes with a cost we want a manager to approve this request. You can also add additional approvers if required. Default value is that manager will be the approved, and we will leave it to default. What you need to add is a “fallback” approver, and as you can see here I added my Help Desk team for this. Choose an approriate user/group for this task.

    Last step on this section, is to select how we will enable this request flow. I’ve also enabled the preview features for this example, but you dont need to do that. Just make sure to enable the top one since this is what makes this request available. We will skip the Verified ID part and press the Next button.

    On this step, we could add additional questions or justifications for the requestor, but we will leave this to default and press next. We will still get a question for business justification in the request.

    Next step is to set the lifecycle for this, which we in this case will set to 180 days since that is roughly 6 months. And just for the purpose of usign access reviews, we will enable that as well but leave all values to default. When you are done, press next until you reach “Review + Create“.

    On the last step, you can review all your settings before pressing Create. It will validate your configuration, and if you missed something or something is wrong it will ask you to correct this before moving forward.

    We have now successfully create a Access package for our Cloud PCs!

    Let’s have a look at what this looks like when a user requests this.

    The request flow

    The place where you need to direct your users for placing requests is https://myaccess.microsoft.com/ where they will see all available request packages for them. As you can see, I have three different access packages for Cloud PC I can request. To start a request, I simply click on “Request” on the service I want to request.

    This windows will then appear, and you just click continue.

    Next step is to add a business justification for my request, here I can also set it to a specific period if I like since we enabled that option when setting things up.

    I then submit the request and it is sent of to the approver, which in this case is the manager.

    Approver experiance

    When the request has been sent, the approved will recieve an email looking like this, where they are asked to approve the request. This email also contains the business justification added by the requestor.

    When the approver clicks the blue button in the email, they are redirected to the approval site on My Access.

    When the approved selects to approve the request, they will be asked to enter a justification before approval is sent.

    When the approver has approved the request, a confirmation email will be sent to the user. However, what is imporant to keep in mind is that this will initiate the provisioning of the Cloud PC.

    The process of provisioning will now start and the Cloud PC will be done within usually 30-40 minutes depending on how fast your provisining policy is!

    Key take aways

    Estalishing a good on- and off-boarding process is important in all IT organsations. This walk though shows you that you can establish this without setting up more advanced tools. However, this is not close to as powerful as proper ITSM tools, but you can build simpler request flows to suite your needs.

    This principle can also be applied to other things, not just Windows 365 and Cloud PCs.

  • Slimcore: Revolutionizing Teams for VDI Environments

    Slimcore: Revolutionizing Teams for VDI Environments

    Last week, Microsoft dropped a bombshell with the release of Slimcore for Teams, specifically designed for VDI environments. Let’s unpack what this means for us and how it can supercharge our virtual desktops.

    What is Slimcore?

    Slimcore is the new media engine for Teams, tailored for VDI setups like Azure Virtual Desktop and Windows 365. It’s packed with improvements that make Teams more efficient and user-friendly in virtual environments. No longer is the Teams client for VDI a long lost cousin of Teams, now we will see feature parity!

    Key Features and Benefits

    So what are the key features and benefits with moving to Slimcore from WebRTC?

    • Enhanced Performance: Slimcore cuts down on resource consumption, leading to faster call setup times and smoother performance. This is a game-changer for those of us juggling multiple virtual desktops.
    • High-Fidelity Media: Enjoy top-notch audio and 1080p video at up to 30fps. This ensures our meetings and presentations are crystal clear, even in a virtual setup.
    • Advanced Meeting Capabilities: Features like gallery view, custom backgrounds, and presenter mode are now available, making our virtual meetings more interactive and engaging.
    • Auto-Updates: The decoupled architecture allows for quicker feature rollouts without needing to overhaul the entire VDI infrastructure. Staying current with the latest features has never been easier.

    Installing Slimcore on Windows 365 Clients

    Prerequisites: Make sure you have the latest version of Microsoft Teams (version 24193.1805.3040.8975 or higher) and the Remote Desktop client (version 1.2.5405.0 or higher) or the new Windows app (version 1.3.252 or higher).

    Install the Plugin: The plugin (MsTeamsPluginAvd.dll) is bundled with both the Remote Desktop client and the new Windows app. It will automatically download and manage Slimcore. No admin rights or reboots are required.

    Verify Installation: After installation, the plugin will silently provision and register Slimcore for the user. You can verify this by check in the Teams client on the Cloud PC that the Slimcore client is being used by going to Settings – About Teams. Look for the text “AVD Slimcore Media Optimized”.

    User Experience Improvements

    One of the standout aspects of Slimcore is how it aligns the Teams experience between physical and virtual desktops. This consistency is crucial for user satisfaction and productivity. This gives the user a familiar experiance with the features they expect to find in Teams!

    Conclusion

    Slimcore is a significant step forward for Teams in VDI environments. It brings enhanced performance, high-fidelity media, and advanced meeting capabilities, all while simplifying updates and maintenance. If you haven’t tried it yet, now is the perfect time to explore what Slimcore can do for your virtual desktop setup.

  • Improving Decision Making with Intune Advanced Analytics Data

    Improving Decision Making with Intune Advanced Analytics Data

    One thing that many IT administrators tackles every day is the discussion about “my computer feels slow” or “I need a faster computer”. Sometime the feeling of having a slow computer is legit, and sometimes it’s something else.

    There are numerous DEX (Digital Employee Experience) tools out there on the market. This can provide you with a great overview of your whole ecosystem, ranging from Teams call quality to desktop experience. However, even if those tools are great, they come with a new set of data to analyze in a new tool. And in bigger organizations, the complicated puzzle of “who owns this and who makes remediations?” arises.

    Since I write a lot about Microsoft stuff, we will dive into the Intune Advanced Analytics part of the Intune Suite.

    Intune Advanced Analytics is a native part of Intune, which gives you more extensive reporting on your Windows devices. I know Windows isn’t 100% of the fleet in modern organizations but we need to start somewhere.

    Setting up Intune Advanced Analytics

    To start using Intune Advanced Analytics, you will need these three things.

    • Intune environment
    • Intune Suite licenses or Intune Advanced Analytics stand-alone license (remember, this is user based)
    • Configuring Endpoint analytics in Intune

    I won’t go through how to obtain license, since this will vary from case to case depending on your setup.

    Configuring Endpoint Analytics

    The first thing you need to do is to configure Endpoint Analytics to receive data from your devices. Since I’m all in the cloud, we will look at how you do this for Intune managed devices. To do this, you need to have the Intune Service Administrator role, also known as Intune Administrator.

    Head over to the Endpoint Analytics blade in Intune (you can find it under Reports or at https://aka.ms/endpointanalytics). When in there, select the Settings blade.

    You can see that my tenant already uses the Intune data collection policy. This default policy exists in all tenants, but you need to make sure it’s assigned to your devices.

    Manually create the policy

    If you can’t find the policy in your environment, it’s no big deal. You just need create a new policy based on the template for Windows Health monitoring.

    If you are configuring this for the first time, make sure to switch Health monitoring to Enable and set the Scope to Endpoint analytics.

    Deploy this policy to your devices using either the built in “All devices” group or use a device group.

    When you set this up for the first time, it can take up to 24 hours for the data to populate. If you are looking to use Advanced Analytics, expect up to 48 hours.

    Allow access to URLs

    The last step to do is to make sure that your devices are allowed to reach the URL needed for Endpoint Analytics. This is important if you have a restrictive firewall or if you use a webfilter/proxy to run all your traffic through.

    For Intune, the needed URL is:

    https://*.events.data.microsoft.com

    If you want to read more about how to set this up for Configuration Manager managed devices, check out the Microsoft Learn page.

    Getting access to the data

    Now when 24 hours have passed, we should start seeing data being populated. If you have additional people who should not be admins who need to review the data. There are a few different built-in roles you can use, or create a custom role.

    These are the different options you have:

    Role nameMicrosoft Entra roleIntune roleEndpoint analytics permissions
    Global AdministratorYesRead/write
    Intune Service AdministratorYesRead/write
    School AdministratorYesRead/write
    Endpoint Security ManagerYesRead only
    Help Desk OperatorYesRead only
    Read Only OperatorYesRead only
    Reports ReaderYesRead only

    Once we have our roles in order, we can start looking at the data!

    Looking at the data

    The Endpoint Analytics feature consist of 6 different blades

    • Startup Performance
    • Application reliability
    • Work from anywhere
    • Resource performance
    • Remoting connection

    These features are available with the regular Intune license. With the Intune Advance Analytics license you will get a few more. And it’s automatically integrated into the Intune administrator experience.

    • Custom device scopes
    • Anomalies
    • Enhanced device timeline
    • Device query
    • Battery health

    If you want to read more about what’s included, I would suggest checking out this Microsoft Learn article.

    Reviewing my devices

    But as I stated in the beginning of the post, let’s talk about reviewing resource performance. With the regular Intune license, you will gain access to resource performance for your Cloud PCs. With this, I get insights which Cloud PCs are meeting my targets and what Cloud PCs I should investigate upgrading to a different SKU. This data can be broken down to a device or model. This gives me great data about my environment on CPU and RAM spikes when they are being used.

    All devices get a score based on their performance, and you can configure what your baseline is in the Endpoint Analytics settings.

    You can break the numbers down based on model or individual device performance to get a better understanding.

    With the 2408 Intune Service update, this was also made available for physical devices if you have the Intune Advance Analytics license enabled. This will provide me with insights on how my physical devices are performing when it comes to RAM and CPU. I can also learn if they have continuous spikes indicating that they need an upgrade.

    If we stand in the “Device performance” tab, we can see all Cloud PCs and physical PCs gathered in the same place. You can also compare Cloud PC and physical PC performance.

    Looking at specific devices

    If we click on the name of a device, you will be redirected to the blade “User experience” on the device itself. You can also find it if you search for a device in the device list and click in to view that device.

    From here, you can see a lot of data about the device around its performance.

    As you can see, my Surface Laptop Go 3 has had a few minor spikes in RAM the last 14 days but nothing major.

    And if we look at the overall score, it’s pretty okay.

    Device timeline

    There is one more really nice feature with the Intune Advanced Analytics we can see, and that is a Device Timeline (last tab on the top).

    In here, we can see historical data on events that has happened on the device which impact the user experience. As you can see on this device, I’m having a few issues with applications.

    And if we jump back and look at another device, a Cloud PC, we can see the same kind of data.

    One interesting thing I found while writing this blog post is that I compared my Surface Laptop Go 3 i5 with 16gb RAM with my 4vCPU/16GB Cloud PC. What I can see was that my Cloud PC scores higher. I would say that I use them in a similar way, the same amount of time. I do know that the Cloud PC has a little bit of a more powerfull CPU (being a cloud PC),

    The Cloud PC scores 98 in resource performance.

    While my Surface Laptop Go 3 scores 77.

    So performance wise, Cloud PCs are doing a lot better. However, the Surface Laptop Go 3 is not a fair comparance being a more “low tier” PC. However, they are still both performing really good for what I use them for. So this is important to take into considerations when looking at the data.

    Take away

    Knowing how the performance of the devices in your environment chelan p you figure out when devices needs to be replaces or upgraded. As you already know, backing your decisions using data is key! Intune can provide you with a lot of data on your device without the need to buy a third party tool and deploying/maintaining a client on the device.

    However, if we start looking at “real” DEX products, Intune Advanced Analytics does not provide the same level of data. You will also need to combine several parts of Intune to be able to perform e.g. remediations on the things you find. You still need to manually take actions or create remediation scripts on your findings.

    But if you are just getting started and need “something”, this will provide you with a great overview of your environment! This will help you make better decisions and help your end-users even better!

    I hope you liked this post and that it gave you some insights to what you can do with Intune Advanced Analytics!