Categories
Windows 365

Conditional access and Windows 365

Securing the access to Windows 365 could is important. Today, MFA something everyone should use and you should definitely use it to access your Cloud PCs!

Given that you have Azure AD Premium P1 or P2 (it’s included in at least the Enterprise SKU of M365), you are able to use Conditional Access (CA) to enforce MFA. It’s a great idea to always require MFA for all cloud services.

Windows 365 is like you might have guessed a cloud service, which will in that case get the MFA requirement.

But what if you want to add other conditions that are specific to Windows 365 and Cloud PCs? Making sure that these are only accessed from e.g. your managed devices. There are some caveats to this however what I’ve noticed, like for example if you have added the Cloud PC to the Remote Desktop app it will only evaluate the CA rules when adding the account, but if you are using the browser the policy hits each time.

If you set up the CA rules prior to getting your users going however, you will be able to control this in a much better way.

Creating the policy

To create the Conditional Access policy, you must first of have the correct role to do so (e.g. Security Administrator, Conditional Access Administrator, or Global Administrator).

Next up, in Microsoft Endpoint Manager, navigate to Devices > Conditional Access and press “+ New Policy”.

Start by giving your new policy a name.

Next step is to select what users to include in this CA rule. In this example I’m assigning this to all users.

We now have to select what cloud apps are included in this CA rule by going to “Cloud apps or actions”.

Choose “Selected apps” as included, search and add “Windows 365” and “Azure Virtual Desktop” to make sure that your rules applies to all your cloud PCs.

Once you have selected the apps, go to Conditions.

Here we will add Any Device under “Device platforms”.

And also Browser and Mobile apps and desktop clients under “Client apps”.

Once you have added these, move further to Grant under Access control and add your requirements for granting access.

In this example, I’m only allowing compliant devices to sign in to the service, which means devices which are marked as compliant in Microsoft Endpoint Manager, which means that they are managed and healthy devices. You can also add additional requirements here and have it set to require to fulfill only one of the requirements, e.g. complaint OR require MFA. You can of course also set it to require both being compliant AND require MFA, this is controlled under the “For multiple controls” section. In this case, I’ve left it to it’s default value.

Once you have added all your settings, make sure to set the “Enable policy” switch to ON instead of “Report-only” to activate the policy. However, be aware that you could potentially look your self out by doing a faulty CA rule.

Click create at the bottom of the screen and your policy will take effect within minutes!

The experience

So what happens when this Conditional Access rule hits?

For the Remote Desktop app, it will only take affect when adding a new account. So if you already have an account added, nothing will really happen.

But when you try to add a new account, it will not grant you access unless you meet the requirements set in the policy.

For the browser, when accessing your Cloud PC through the Windows 365 portal (https://windows365.microsoft.com) you will also be met by a message not granting you access. This message is however a bit more cryptic and doesn’t really tell you what’s wrong. But

Conclusion

That is a quick guide how to get started with controlling the access to your Cloud PCs using Conditional Access. You could do a lot of cool stuff with this based on your scenarios and needs. You could also throw some session control into this or only granting specific user roles access to this combined with a few more policies to create a cloud based Privileged Access Workstation (PAW).

You could also compliment the policy with a session control to control how often it needs to be re-evaluated.

This configuration I didn’t doesn’t really support the “work from any device” concept, but I just wanted to show what was possible!

Categories
Windows 365

Azure AD joined vs hybrid joined Cloud PC

It has finally arrived, and while writing this we are hopefully getting close to a general availability release. I’m talking about the Azure AD joined Windows 365 machines!

This is something that makes this solution a truly cloud-based solution since we can now let go of the on-premises AD for the device part (let’s face it, we still have our users in there in the real world).

However, there are still use cases for both scenarios, depending on what your want’s and need’s are! So there is a decision to make here, and it might be that you need both!

The difference

Let’s start of by briefly looking at what the difference between Azure AD joined and hybrid joined is, and I’ll simply A LOT now.

Having a Azure AD joined computer means that the device is only registered to the Azure AD, which is your cloud AD so to speak. This AD is a lot different than your traditional AD since you are missing things like OUs and GPOs for example. The cloud relies on a flatter and different approach to handling objects and settings. I’ve once gotten Azure AD explained to me once as one big AD forest where each tenant is an OU, just to put it in perspective. Joining a computer only to Azure AD also means that there will be NO trace of the computer object in the on-premise AD, hence we cannot use the computer object to authenticate towards things but you can still use e.g. Kerberos for SSO.

If you join your computer to the Azure AD you would typically manage it from Microsoft Intune.

Having a Hybrid Azure AD joined computer means that we join the computer to both the on-premise AD and the Azure AD. One could say you get the best out of both worlds. That is to some extent true, but you are still very reliant on your computer talking to a domain controller to get policy updates, since you would in many case manage these computers with GPOs.

Hybrid Azure AD joined devices are typically co-managed by Configuration Manager and Microsoft Intune. But you can of course manage them using only Microsoft Intune as well.

With that said, it comes down to your tools and needs in what approach is best for your Cloud PC.

Advantages hybrid Azure AD joined Cloud PC

So one of the biggest advantage with hybrid Azure AD joined Cloud PCs are that you know this already and most likely this is how you manage your physical PCs today. You have them hybrid joined, manage them with some GPOs, maybe some Intune policies and you also add some Config Manager stuff on top. Nothing strange here, this is just another computer but is virtual. You still need the Microsoft Endpoint Manager admin center to configure your Cloud PC provisioning, but the rest is like you know by heart. A setup you know, love, and trust!

Using hybrid join is also great for those applications requiring a computer object to be present in the AD for authentication or such. Or it could just be as simple that you need “system” to be able to access a file share. Then this is perfect!

Hybrid joined Cloud PCs are no different from your regular PCs in that sense, they are just physically in the Microsoft datacenter.

BUT by using hybrid joined Cloud PCs you still have great dependency towards your on-premise infrastructure.

Advantages Azure AD joined Cloud PC

The benefits with the Azure AD joined Cloud PC can be argued to be the exact opposites as the hybrid join. No GPOs, no ConfigMgr, no hybrid. No legacy stuff. Just cloud.

However, I would say that that’s not where the strength lies with Azure AD joined Cloud PC. The strength that I’ve seen when you combine this with thinking about where these computers should be hosted. With Azure AD joined you can either host them on a Azure VNet you manage, or you can choose to use the Microsoft managed VNet which is basically on internet.

Hybrid joined Cloud PCs can only be hosted on a Azure VNet in your subscription, which is great! You are in full control of the traffic flows and can put them on the corporate network if you like. This also goes for Azure AD joined.

Azure AD joined Cloud PCs are similar to having a “cloud only” physical client. You manage it with only cloud tools and you shouldn’t have o big dependencies towards on-premise services. You will manage it from Microsoft Intune and GPOs are now a thing of the past.

For many organizations, this is a journey. Moving to cloud based management is a journey which many are on. Utilizing Windows 365 Cloud PC to get going could be a great place to start, since your users will then potentially have both of your two worlds!

Conclusion

Choosing one or the other comes down to what your needs are, and how you would like to manage your devices.

If you are yet not on your road to Azure AD only devices, well then you will probably need the hybrid joined version for the time being. But like I said earlier, you can of course have both and transition over.

If you have a group of users who only need access to e.g. SaaS based applications, then what’s the point in putting them “behind the firewall”? There are so many scenarios for which you can say the one or the other is the best, but what’s best for you might not be the best for someone else.

I personally is a firm believer and advocate for going cloud only for device management so I always try to challenge to see how far you can take it. It’s usually further than you would think. Same goes for Windows 365, make use of the fact that it’s a cloud service and native to Microsoft Endpoint Manager by going Azure AD only. You can still put the device on “corp-net” using Azure VNets, but skip the on-premise AD stuff.

Adding Azure AD joined will increase the scenarios, and it’s actually a lot easier to get started with Azure AD only then involving on-premise AD, which in an IT organization often means that you need the identity team to help you to some extent.

If you want to get started with cloud management for devices, looking at setting up Azure AD join for Cloud PCs and manage them through Microsoft Endpoint Manager is a great place to start!

Categories
Windows 365

Different ways of accessing a Cloud PC

There are a few ways you can access your Cloud PC. You probably have your favorite way to access your Cloud PC, but I though I would go through them all and the benefits with each.

Microsoft has also announced an upcoming Windows 11 feature called Windows 365 Switch which will be a native Windows 365 app in Windows 11. I will not cover that in this post since it’s yet to be released at the time of this blogpost.

Browser

Connecting to your Cloud PC through the browser is in my humble opinion the coolest way, and really convenient since you can then access your computer from what ever device you are using without any issues (as long as the browser is a modern browser like Edge, Chrome, Safari, or Firefox). Okay, not any device, but Windows-, macOS-, ChromeOS-, or Linux-based device.

You access the Windows 365 service through https://windows365.microsoft.com and sign in with your account.

In this portal, you will see all Cloud PCs assigned to you.

To connect to the Cloud PC, you simply press “Open in browser” and the Cloud PC will open in a new tab.

You can also perform some remote tasks on the Cloud PC such as restart, restore, rename or troubleshoot. Or see System information.

The restart is exactly what it sounds like, you will remotely restart your Cloud PC. Restore can be used to go back to a previous point in time (I cover that in this blogpost).

Rename option will allow you to give your Cloud PC a new friendly name instead of the generated name.

If you as an end-user are experiencing issues with connecting to your Cloud PC, you can use Troubleshoot to see what’s causing the issues. It will check that the service is healthy and that there aren’t any connectivity issues.

If you click the “System information”, you will see some details about your Cloud PC such as device name and license.

Remote Desktop app

Working with your Cloud PC everyday, I would say that this is the best option to connect.

Simply download the Remote Desktop app from Microsoft for your desired operating system. For Windows I would suggest to use the desktop version and not the Microsoft Store version, the desktop version works a little bit smoother in my experience.

One thing that is good to keep in mind is that if you are using macOS, you cannot currently have multiple accounts in the Remote Desktop app.

When you have downloaded and installed the application and start it for the first time, you will be asked to sign in. Sign in with you account and the resources you have assigned to you will be added. These could be Windows 365 resources, but also Azure Virtual Desktop resources and published apps.

As you can see by the picture, running the app in Windows I can have multiple accounts and resources in the same place, giving me easy access to several environment.

To launch the Cloud PC, I simply dubble click on the computer icon, provide my credentials and I’m signed in.

I can choose to run this in a full screen experience or a windowed experience depending on my personal preferences.

Using the Remote Desktop app, you don’t get all the remote features as you do in the web-portal, but you have easier access to your Cloud PC on a daily basis.

Mobile app

Lastly, mobile app. There is a Remote Desktop app available for iPhone/iPad and Android devices which can be used to connect to your Cloud PC. I will show some screen shots from and iPhone which is maybe not the smoothest way to work with the Cloud PC due to the screen size. For this, and iPad would be a much better option.

To connect, click the + sign at the top right corner and select “Add workspace“. You will need to enter the subscription URL found here and then sign in with your account. One thing to keep in mind with the mobile app is that you can only have one account associated with the workspace, so no support for multiple accounts.

Once you have signed in, you will see all resources which are assigned to this account.

To connect, simply tap on the computer you which to connect to and enter your credentials when asked to and you will be connected to your Cloud PC.

You can now use your Cloud PC from your mobile device, and keep working where you left your desktop! This is a great option when you have to check something on the go, to simply just connect to your Cloud PC.

Feature vice, the mobile app is pretty limited but you can easily connect to your desktop. If you have a larger screen, the experience will be better so an iPad or Android tablet with a keyboard would be ideal even though it works surprisingly well using an iPhone as you can zoom in and out if needed.

Categories
Windows 365

Restore a Cloud PC

One pretty neat feature with virtual clients is that you can have restore-points. If you have ever used Hyper-V, you have probably used or seen the checkpoints which you could use to go back to a previous state. This kind of feature is available in other virtualization platforms as well, but Hyper-V is the one I’m familiar with. Citrix, being an old player in the VDI game, also offers this feature.

The restore point option is now also available for Windows 365 and your Cloud PC. Meaning that if you mess something up or manage to delete something really important you had stored locally, you can roll your device back to a previous state. Please be aware that this is stilla preview feature, so the final feature might not be the exact same things as shown in this post.

You can restore either as an admin, or have your end-user do the action. To allow your end-users to do this, you need to configure this setting.

If you enable this for your users, they can restore on a much tighter intervall than you can as an admin. You as an admin have 12 hour restore points, but you can configure for your end-users to be able to configure to have restore points every 4 hours.

Of course, if a backup is restored from a restore point, any data stored on the Cloud PC between the current time and restore point time will be lost.

Setting up user initiated restore

To configure the restore point service, navigate to Devices > Windows 365 and select the User Settings tab.

Press “+ Add” and give your profile a name.

In the “Point in time restore service” part of the profile, check the check-box for “Allow user to initiate restore service” and then select the frequency for your restore points.

Hit Next and assign your profile to a group of users, I’m assigning it to the group I’m using for my provisioning profile.

Press next to review your settings and than create the profile.

The user restore point service will only be available to users included in the group you have assigned the profile to.

Restoring as an admin

As an admin, you can restore Cloud PCs on a 12 hour interval. You can restore the Cloud PC by going to Devices > Windows > Windows devices and find your Cloud PC.

Once looking at the device, you can choose “Restore (preview)” from the ribbon and it will show you all available store points.

Once you click “Select” and confirm that you want to restore, the restore is initiated. If you look under Devices > Windows 365 and the All Cloud PCs tab, you will see that restore is in progress.

Restoring as an end-user

To restore my Cloud PC as an end-user, I need to brows to the Windows 365 portal, windows365.microsoft.com and sign in.

Once signed in, I will see my assigned Cloud PCs.

To initiate a restore, I simply click the gear icon on the Cloud PC I want to restore and select “Restore (preview)“.

Once I click that, I get this screen telling me as an end-user what will happen and I need to confirm that I really want to restore and then select which point.

Once I’ve clicked restore the Cloud PC will get a banner saying “Restoring Cloud PC” and which indicates that the process has started. I will see the same thing if a administrator has initiated a restore for me as well.

Once the restore has completed, my Cloud PC is ready to use again and will contain the same data as it did at the point in time of the restore point I selected.

Categories
Windows 365

Upgrading your Windows 365 machine

As you might know, the size of a Cloud PC is based on the license you have purchased and assigned to a user. However, sometimes you might assign a too small machine for a user which is causing performance issues for them.

How your Cloud PC is performing is measured and presented to you under Reports > Endpoint Analytics in the Microsoft Endpoint Manager admin center (MEM). The report called Resource performance will show you how your Cloud PCs are performing, and if you need to upgrade any of them. (Note that it will take up to 24 hours before you can see data on your Cloud PC)

As you can see, the top two machines has a very low performance score, and if you look at the individual machines they have different needs for an upgrade, one needs more RAM and the other a better CPU.

There are however two caveats to re-sizing a machine.

  1. You can only upgrade, not downgrade
  2. If you are using group-based licensing, this does not work
  3. You can not resize Azure AD joined Cloud PCs

The benefit to resizing a Cloud PC compared to just assigning a larger license to the user is that the Cloud PC will remain, just the specification will be upgraded. So all user data is preserved, however, the user will get kicked out of the session while the resizing is happening.

Resize a Cloud PC

Resizing a machine is really simple, you simply navigate to the device in MEM and click the “Resize (preview)” button in the ribbon

When you have clicked this button, a fly-out menu will open to the left showing you the different sizes. You will be able to see all sizes, but you can only select and apply the size that you have licenses for, so if you select a size you don’t have licenses for it will show an error message as in the picture below and you cannot continue.

When you have selected the new license through the resizing portal and clicked Resize, the machine will re-provision itself which will take a while.

Once the machine has been reprovisioned, you will notice that you have the same stuff on your Cloud PC as before the resizing but with a different configuration.

Categories
Windows 365

Make it easier to connect to Cloud PCs

One of the best ways to access your Windows 365 Cloud PC is by using the Remote Desktop application which you can either download from the Microsoft website or deploy from Microsoft Intune if you are using a managed client.

This post was inspired by a blog post from Microsoft that seems to have disappeared.

To simplify the “adding your Cloud PC/Azure Virtual Desktop to Remote Desktop” process for your users, you can actually create a configuration profile in Microsoft Endpoint Manager which automatically adds the signed-in user to the Remote Desktop with the correct subscription URL.

Please be aware that depending on which version of AVD (Azure Virtual Desktop) you are using, the URL might vary so check the documentation beforehand!

Let’s start by adding Remote Desktop to MEM.

Adding Remote Desktop as an application

The first step is to download the Remote Desktop application, which can be found here.

When you have downloaded the MSI, you will need to use the Microsoft Win32 Content Prep Tool to create a .intunewin file of the MSI.

Download the tool from GitHub and run the tool in PowerShell.

When the tool has successfully created the intunewin-file, you will find the .intunewin file in the output folder you specified.

Head over to Microsoft Endpoint Manager and navigate to Apps > Windows and select “+ Add” and then Windows app (Win32) as App type.

On the first page, find your .intunewin file created in the earlier step and upload it. Update any information about the application as needed add press next.

Leave all settings to default on the next tab.

On the Requirements tab, update Operating System Architecture to correlate to the version of Remote Desktop you downloaded and add which the minimum OS version needs to be. In this case, I’m using a 64-bit version of the app and I require Windows 10 21h1 or newer.

On the next tab, Detection rule, add a custom detection rule using MSI as rule type and leaving all values to default.

Leave Dependencies and Supersedence empty and add a group on which you wish to deploy the application. In this example, I’m deploying it to all users but filtering out that it needs to be a Windows 11 computer.

Review your settings and then create your application. It takes a few minutes for the application to upload.

Automatically adding virtual machines to remote desktop

The next step is to create a new configuration profile, based on a setting from Settings Catalog.

Navigate to Devices > Windows > Configuration Profiles and create a new profile by clicking “+ Create profile” and then select “Windows 10 and later” as a platform and “Settings catalog” as Profile type.

On the first page, give your profile a good name and press next.

On the next page, click “+ Add setting“, find and click Remote Desktop in the list, then check the box next to “Auto-subscription (user)“. Then close the flyout using the X in the upper right corner.

Add the subscription URL to the settings. The one used in this example works for Windows 365 and Azure Virtual Desktops.

https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery

Press next and assign your profile to a group, in this example I’m using the same settings as for the Remote Desktop app (All users and a filter for Windows 11).

Click next and skip the Scope section. Review and create your profile.

User experience

When the user opens the Remote Desktop the first time, they will see all Cloud PCs and AVD that they are assigned to.

If they are not assigned to any virtual clients, they will get a message saying that no machines are assigned.

Categories
Windows 365

Get started with Windows 365 Enterprise

So you have decided to get going with Windows 365 Enterprise? There are a few steps we need to take care of before you can start consuming the future!

What you will need:

  • Windows 365 licenses
  • Microsoft Endpoint Manager
  • Microsoft 365 licenses of some sort
  • An Azure subscription if you want to use an Azure V-net and not the Microsoft hosted network – optional

Windows 365 is a great way to get started with virtual clients, and it’s actually pretty simple to get going and administrate compared to Azure Virtual Desktop.

Windows 365 licenses

The first thing you need to take care of is obtaining Windows 365 licenses through your licensing partner or where you usually get your licenses. I will leave that one up to you!

There are several different licenses for Windows 365, and there is also a business version that I will not cover in this blog post.

Windows 365 licensing is based on what “size” of a machine you want, basically how many CPUs, the amount of RAM memory, and disk size. As I’m writing this, there are 3 different SKUs of CPUs you can select from (2, 4, and 8). In each SKU of CPUs, there are a few different options in RAM memory and disk size as you can see in the picture below. There is also actually a 1 vCPU version, but that one does not support Windows 11 so I wouldn’t recommend getting that one.

Source: Windows 365 Plans and Pricing | Microsoft

Selecting the correct size of the machine might be a little bit tricky, but Microsoft has actually created a simple cheat sheet you can use to get a feeling of what license to buy which you can find here Windows 365 size recommendations | Microsoft Docs. It’s actually a great guide to get a sense of what size to choose.

One great thing with Windows 365 is that you can upgrade the machines by upgrading the license assigned to the user. However, this does not work if you are using group-based licensing to assign licenses.

Licenses are assigned the same way you assign other Microsoft 365 licenses, either through the Microsoft 365 Admin center or the Azure AD, I will cover this further down

Microsoft Endpoint Manager setup

In Microsoft Endpoint Manager, navigate to Devices > Windows 365 which has now been enabled for you since you have purchased licenses.

To get going with a really basic setup using Azure AD joined and Microsoft hosted network, you only need to create a Provisioning policy and then you are ready.

Click on the Provisioning policies tab and select “+ Create policy”.

On the General step, give your policy a name and select which join type you want, in this example, I will use the Azure AD join and use a Microsoft Hosted network in Western Europe. Please do notice that Azure AD join is still in preview.

When you press next, you will get to select what image you will use. You can either use a gallery image or a custom image, and I will in this example use a gallery image by selecting Gallery image in the drop-down menu and then pressing select. I then get a list of all the available images in the gallery, and also the recommended size/license for each image. I select the image I want, in this case, the Windows 11 image, and press select followed by next.

The next step is to select the region and language for your machine. The default selection is English (United States). In this example, we will leave that to English and press next.

The next step is to assign this to a group of users. I’ve created an Azure AD group which I will assign this to called Windows 365 user, which I will use for my users located in Western Europe since my provisioning policy is creating a Cloud PC in the Western Europe Azure region.

After pressing next we can now review our settings and press Create.

Assigning licenses

There are a few ways of assigning licenses to a user, but in this instance, I will do this from within Microsoft Endpoint Manager.

Search and find the user you want to assign a license to by going to Users > All users on the left side navigation three.

When you have found your user, click on their name then select Licenses to see what licenses they have assigned.

By selecting “+ Assignments” we can add or remove licenses from the user. In this case, we want to add our Windows 365 license which you do by checking the checkbox next to the license, then pressing Save.

You have now successfully assigned a Windows 365 license to your user!

Make sure your user is a member of your provisioning policy group which we selected earlier. When you head back to Devices > Windows 365 and select the All Cloud PCs tab you can see that the provisioning process has started.

Assign configuration profiles and compliance policies

While we are waiting for our Cloud PCs to be provisioned, this usually takes a while, we can go ahead and make sure that we are assigning our configuration policies towards the Cloud PCs. We can either create new ones, specifically for the Cloud PCs, or reuse our existing ones. Since in this case, I’m treating a Cloud PC as any other PC, I will reuse the profiles I already have created for my physical PCs.

If you are assigning configuration profiles and compliance policies towards “All devices” you do not need to do anything. If you are using filters, you need to update your filters to also include Windows 365.

The first thing we need to do is to create a device group that dynamically adds our Cloud PCs by going to Groups in the left side menu and creating a new dynamic group.

We want to add a query looking for devices where the Device model contains “Cloud PC Enterprise”.

The query could look like this:

(device.deviceModel -contains "Cloud PC Enterprise")

When you have added your rule. Save the group and let’s head over to Devices > Windows and add that group to our configuration profiles and compliance policies where we target devices. We can also assign any applications which we deploy to devices using this group.

Connect to your Cloud PC

The easiest way to connect to your Cloud PC is to browse to https://windows365.microsoft.com and sign in with your user.

You can either connect to your VDI directly from the browser, which is a pretty cool experience, by clicking “Open in browser” on the Cloud PC.

You can also download the Remote Desktop app and add the Cloud PC in there. There is a link in the Windows 365 portal to download the application and how to add the Cloud PC.

Categories
Windows 365

CloudLAPS on CloudPC?

So I’ve been playing around a bit with Windows 365 Enterprise and thinking about “okay, what cool things should we try?”.

First step is of course to set it up and I thought about writing a guide about that. Halfway through my guide I realised that the one written by Christiaan Brinkhoff was far superior to mine, so go check his guide out!

One thing came to mind however, could you get CloudLaps to work on a Cloud PC?

Of course, we needed to try this even though I’m not a 100% sure that you need it.

What CloudLaps does it that it provides your PCs with a unique, randomized password for the local admin account on the machines which is rotated on a given interval (default is every 3 days). By using this functionality, all your PCs will have unique passwords for their local admin accounts meaning that if this is handed out to an end-user or support personal, the password will stop working when the password is updated.

The Cloud PC configuration

If you have not yet implemented CloudLaps, have a look at the guide in the link above, but if you have it in place, you are ready to go.

Since CloudLaps is built on proactive remediations in Microsoft Intune, you will need to make sure that the Cloud PCs are included in the assignment by using (or adding) a group containing all your Cloud PCs. Windows 365 Enterprise gives you the benefit that Cloud PCs are being automatically enrolled into Microsoft Intune which gives you the possibility to manage them directly without any further actions!

In this example, all the Cloud PCs are included in the same group as all other PCs since we want all these PCs to have the same settings. This was done by adding an extra rule to our Dynamic Group.

device.deviceModel -contains "Cloud PC Enterprise"

No additional configuration needed!

The outcome

The outcome of this test was as expected, worked perfectly fine!

A local admin password is populated in the CloudLaps portal, and I can use it on the machine to elevate my rights on the Cloud PC.

Since you can use the exact same configuration for Cloud PCs as physical PCs, you will not need to separate how you manage the Cloud PCs. They are just another PC, but in the cloud!

Categories
Modern Workplace Windows 365

Trying to understand Windows 365

You know, devices and new stuff are always fun. But what if you would provide a kick-ass, safe, Windows experience on any device without having to invest in infrastructure or administrative work? To semi-quote on of my all-time favourite TV-show: “Haaaave you met W365” (it’s supposed to be Ted, not W365).

Have You Met Ted GIFs | Tenor

I remember hearing about the new Windows Virtual Desktop at Ignite 2018 and thinking “Wow, this is sooo cool! Finally, someone simplified the complexity of VDI solutions a little!”

It was not perfect, but it had potential! Up until then Azure hadn’t really provided any good solutions for Windows 10 based clients. You could run Windows clients if you imported an image, but it was far from great. It was more for playing around with Windows.

Windows Virtual Desktop later became Azure Virtual Desktop, but it required a decent amount of work to set up initially. Don’t get me wrong, it’s super awesome given the flexibility it provides you could run anything on it. But it comes with a big challenge, especially if you are not familiar with VDIs. It requires a decent amount of configuration before you can get going. The Azure Virtual Desktop is however GREAT for scenarios where users don’t need a dedicated machine, their session can run in a host pool to make the most out of your Azure resources!

Windows 365 enters the stage

Microsoft announced Windows 365 during the summer 2021 (I remember noticing it during my summer vacation). I had a really hard time positioning this compared to the AVD solution, when should I pick what?

But finally, the coin dropped for me. Windows 365 is for when you just need a virtual computer with no super specific needs (since the configurations are a set list). Like for instance you have a consultant working in your company who already has their own device which they can run a Windows 365 machine on, instead of you having to source and ship a physical device.

Current sizing of Windows 365

It also has the quite nice feature of being simple to assign and setup since you assign a provisioning policy and a license to the end user, and you are good to go! This is truly VDI made for the masses if you ask me.

Of course, there are things you need to setup if you are running this in an enterprise, such as the network connectivity and on-premises domain connection (yes you sadly still need an on-premises AD and hybrid join for this in the enterprise setup, but AAD only is coming). You would also need to setup management profiles in Microsoft Intune or just reuse the ones you have for your physical machines. In Microsoft Intune, the Cloud PC is just a computer amongst all the others, but model will be Cloud PC instead of e.g. Surface Laptop.

Coming from a device management background, I also really love that you manage everything from the Microsoft Endpoint Management portal, no other fancy tools needed or a need to find your way around the Azure portal!

Who should use a Cloud PC?

So, who is the Windows 365 Cloud PC for really? Saying everyone is not the wrong answer, but when you face reality and leave the marketing slides behind, you will notice that most of your users don’t need this. But some absolutely do, and those are in this case the interesting users.

In the perfect of worlds, you could easily “only” have Cloud PCs and let your users use whatever device they want to access those. In an enterprise scenario, with a lot of history, which would not be feasible. At least not for your FTEs to start with unless you provide them with more lightweight devices and provide a beefier Cloud PC to do their work on.

In the scenarios I mostly have seen and discussed, there is one main use case we are discussing, and that is consultants who already has a computer (or device for that matter) and instead of providing them with a 5-year-old computer which got put in the spare pile you give them a virtual machine which they can access from their PC. This scenario is also valid for providing consultants with a more basic PC and “beef” it up using a powerful Cloud PC.

One thing I find useful is that you can run either Windows 10 or Windows 11 on it, you select the image yourself. This means that you could potentially have your physical machine on Windows 10 but run your virtual machine with Windows 11. This could be beneficial in a transition period from Windows 10 to 11 if you want to do some application testing without needing to re-install computers.

I’ll keep exploring Windows 365, and I’m really hoping Ignite will bring more cool stuff around for it!