Categories
Windows 365

Deploying Cloud PCs in different regions

Windows 365 and Cloud PCs are as you know PCs running in Azure somewhere. But what if you want to control this “somewhere” and pinpoint the region they are running in? You might have noticed that spinning up a Cloud PC in e.g., Western Europe gives you Google and all web-based things in Dutch. This isn’t too convenient for the end-users who doesn’t speak Dutch. So, let’s try to address that and give a more “local” experience.

I’m thinking of putting users in a Windows 365 region as close as possible to them, hopefully even within the same country. And to top it off, let’s provide them with a Windows experience in their local language, just for the sake of it.

How can we achieve this?

Well, we need two things, we need a provisioning profile per country and an Azure AD group which has been populated with users for each country. The region selected in the network for Windows 365 decides in which region the Cloud PC is hosted.

Setting up Azure AD groups

There are as many ways to do this as there are IT pros, but I decided to make this easy and just look at three things for my groups, attributes that I know all my users have.

What I decided to look at is that:

  • The account is enabled
  • Usage location for the user is set to Sweden
  • And the country for the user is set to Sweden

That got me the following query for my dynamic group.

(user.accountEnabled -eq True) and (user.usageLocation -eq "SE") and (user. Country -eq "Sweden")

To create a new group, head to Groups in the Intune portal and create a new group by pressing “New group“.

Give your group a name, in my case I’ve called it “All users Sweden” since we will gather all Swedish users in this group. Also make sure to set “Membership type” to Dynamic User so that we can create a query to automatically populate the group based on user attributes.

Add your query to your group by pressing “Add dynamic query” and enter your rule. You can take my example and modify it if you like, copy the rule syntax above and press “Edit” on the rule syntax windows and paste it there. This will populate the fields for you, and you can modify them to suit your needs. Or create your own! Keep in mind that the usage location uses the two-letter country code e.g., Sweden is SE, Norway is NO, Netherlands is NL, USA is US.

Press Save when you have created, and validated, your rule and press Create.

We have now successfully created a dynamic group which will be populated with all active accounts which has their country and usage location set to Sweden.

Creating provisioning policies

Now that we have our groups, we want to put them to effective use. Let’s head into the Windows 365 pane in Microsoft Intune by navigating to Devices > Windows 365 and selecting the “Provisioning policies” tab. To create a new policy, click the “+ Create policy” button on the ribbon.

First off, as always, we will give our policy a name, in my case I’m giving it a name indicating that this is a Windows 11 image, Azure AD joined and running on Microsoft hosted network. And this is for my Swedish users.

The next step is to select what kind of join type you will use and which network. In this example, I will use Azure AD join and using the Microsoft hosted network. The dreadful thing about using Sweden as an example here is that we don’t have Windows 365 in Sweden Central, so we will use the next best thing. Norway East!

You can do this for Azure v-nets, but then you need to set the region stuff when setting up the Azure v-net. There is a limit to the amount of how many Azure Network Connections (ANC) you can define per tenant, you can find out more here. If you know that you have multiple locations and want to put the service as close as possible to the end-user, it’s much easier to use the Microsoft hosted network.

The next step is to select an image, I will go with a gallery Windows 11 image since this will reduce the amount of maintenance I need to do since Microsoft is curating the image. Press next when you have selected your image.

Next, we will configure language and region settings. Like I said, the ambition here is to provide the Windows 365 experience in the user’s local language. So, for this I will select Swedish for this policy.

In this section, you can also choose to opt-in to Windows Autopatch straight away if you have this enabled in your tenant. If you do not wish to do so, just leave it to the default value. But since I have it activated in my tenant, I will add this as well and then press next.

The next step is to assign this policy to our group created in the first part. If you wish, you can add multiple groups to the same provisioning profile. But I only have one which will be used for this one, so I will select my group with all Swedish users and press next.

Final step is to review the settings we have selected and then press “Create“.

Conclusion

Now when a Windows 365 license is assigned to a user, their Cloud PC will be provisioned in the region based on which provisioning policy they are assigned to using our dynamic Azure AD group.

The groups don’t need to be dynamic and you could just as easily accomplish this using assigned groups. Also, you could utilize this setup to also include e.g., your developers who need access to a specific Azure v-net for example. In this case you would have provisioning profiles connected to those networks instead of the Microsoft hosted network, giving those users access to that network.

Categories
Intune Windows 365

Ignite 2022 – live in Seattle!

So, 2022 was the year Microsoft Ignite was FINALLY a physical event again, and for the first time on Microsoft home turf in Seattle.

Being an ex-Microsoft FTE, this gave me major flashbacks to TechReady, which was an internal training event Microsoft used to host in Seattle. Same location as Ignite, just no hilarious videos with Norm Judah encouraging everyone to fill out the evaluations.

Ignite was different this year since it’s a hybrid event, and the first big such for Microsoft which means that they are still trying out the concept.

Overall, I had a lot of fun. For me, meeting up with peers and having the time to focus on the content is important, if sessions are digital or physical doesn’t really matter. Some sessions made more sense virtually. But in-person sessions are usually the best, and you could really tell that people wanted this. Especially the big keynotes are always more fun in-person.

But I was missing the expo where you can meet vendors or just mingle with Microsoft people, there wasn’t really any space for this, except for an awesome Surface expo.

However, the width that the “old” Ignite had was missing and the break-down sessions were missing. The feeling was that this hybrid thing was more focused on people attending remote, and people on site were more the live audience.

There was a lot of news and I’ve picked out the ones I found most interesting.

Windows

Just before Ignite kicked off, there was a Surface event where some news around Windows 11 was released. Check it out here:

Introducing new Surface devices that take the Windows PC into the next era of computing | Microsoft Devices Blog

If you want to read more about all the Windows 365 news, check this out: What’s new in Windows 365: Microsoft Ignite 2022 edition – Microsoft Community Hub

Microsoft 365 and Windows 365 in the Metaverse

This was released a few days prior to Microsoft Ignite, but Microsoft 365 and Windows 365 will be supported on Meta Quest devices, providing a new kind of experience for productivity in the Metaverse.

This means that you will be able to run a fully supported productivity setup in the Metaverse with e.g., Microsoft Teams and Windows 365. Windows 365 is not yet released for Metaverse, but this indicates strongly which direction VR is heading now.

On top of Microsoft 365 apps being supported, you will also be able to manage the Meta Quest and Meta Quest 2 using Azure Active Directory and Microsoft Intune, which would provide IT admins with a whole new option of what a PC or workstation is for their end-users. You can read more on this blogpost by Microsoft: Microsoft and Meta partner to deliver immersive experiences for the future of work and play – The Official Microsoft Blog

The new Windows 365 app (preview)

The Remote Desktop app has for long been the go-to application for your VDIs, but now for Windows 365 you can use the brand-new Windows 365 app which is now in public preview. This app aligns more with the Windows 365 features found on the web portal but with the advantages of the desktop app! Read more here:

Experience the Windows 365 app: public preview available now – Microsoft Community Hub

Organizational messages

Getting messages out to end-users is always a struggle within IT. There is a new feature for Windows 11 where you can send organizational messages, natively in Windows, to your users instead of sending them email using Microsoft Intune coming in November to Windows 11 22h2. Read more here:

Deliver organizational messages with Windows 11 and Microsoft Intune – Microsoft Community Hub

Microsoft Intune

No more MEM…

The brand Microsoft Endpoint Manager or MEM is going away. The new product-family name will be Microsoft Intune where a bunch of things will be included, Configuration Manager amongst others. You can read more about the anoncment here:

Introducing the Microsoft Intune product family – Microsoft Community Hub

Add-ons for Microsoft Intune

Add-ons for Microsoft Intune is obviously here to stay, and it’s also growing bigger than just Remote Help which has been an add-on for a while now.

Out of the list of new add-ons coming, what caught my eye especially was these two which I think will solve a lot of headaches for a lot of IT admins.

You can read more here about all new add-ons:

Reduce your overall TCO with a new Microsoft Intune plan – Microsoft Community Hub

Endpoint privilege management in preview

Enabling local admin for users on a temporary basis has been a struggle with Intune managed devices. Old solutions relying on attributes in the on-premises AD do not work and there aren’t really any “best practices” established around this yet.

However, Microsoft is looking to solve this with the Endpoint Privilege Management which is in public preview. Read more in the link above.

Automated app patching as add-on

Keeping applications up to date is something that many stuggles with, and there are products around to solve that. Now Microsoft are throwing themselves into this game as well, which makes a lot of sense. This is just briefly mentioned in the “Further value and looking forward” part of the article, but if they are able to deliver on a native Microsoft Intune feature for this, that would simplify things a lot!

Categories
Windows 365

Cloud PC licensing and where to start

This is a topic that keeps on coming back when you start to talk about Windows 365 and Cloud PCs.

“This sounds really cool, but there are sooooo many licenses to choose from. Which one should I get?”

The answer is just as hard as the question. It depends.

It depends mostly on what your users will use their Cloud PCs for, and what you consider to be a fair machine to provide your users with.

Licenses are rarely someone’s favorite subject (I know there are some people who do favorite it thought), but for Windows 365 it’s really simple and straight forward and this is something you as an admin should care about.

Different sizes

Licenses is what defines how powerful your Cloud PC will be, meaning how many vCPUs, how much RAM and how many Gb of storage you will get. Licenses for Cloud PCs are also subscription based, billed on a monthly basis (this could vary depending on your agreements), meaning that you can easily adjust your volumes.

There are a few different ways to look at this, but the image below is a pretty good pointer in when to use what. Like the example below states, you could classify this into three categories:

  • Basic
  • Standard
  • Premium

Depending on what your users workloads are, you can quite easily find a good place to start using this simple matrix.

Windows 365 enterprise plans and pricing | Microsoft

If you want to expand even further, there are a lot more variations available than just those three. There are today 11 different licenses available for Cloud PCs today, divided into 4 different vCPU and RAM categories, where storage adds the variation. Depending on your vCPU and RAM configuration you can select between 64 Gb up to 512 Gb storage.

Windows 365 Plans and Pricing | Microsoft

But where do I start?

Going back to the initial question, what licenses should you get?

I kind of have to stick to my initial statement, “it depends“, because this really comes down to what these machines will be used for. If you are looking at users running mostly productivity and Line of Business (LOB) applications, the 4vCPU/8Gb RAM/128 Gb storage is a pretty sweet deal. Since most of us today are using OneDrive, local storage isn’t that important anymore for many users on a Cloud PC and this license is usually where I recommend many to start since it would fill the basic needs of their user base.

The 4 vCPUs and 8 Gb of RAM will provide you with a great user experience and wont at the same time cost you are fortune. The step-up from this license is the 8 vCPU with 16 Gb RAM if you need a more powerful machine running heavier workloads.

If this size is to small or big, you can always scale up or down using the resize feature (which I’ve written about in this post).

But what about diskspace? To be honest, this is probably the least of your concerns, the performance with RAM and CPUs are more important. Local storage is not to important in a world where most documents are stored in OneDrive or SharePoint, that leaves diskspace to be used by applications. For most scenarios you wont need more than 128 Gb disk, bit of course there are always use cases where local storage is key. But diskspace is like all the other parts, it can be expanded. HOWEVER, you cannot decrease diskspace. This means that you can move from 128 Gb disk to 512 Gb, but not the other way around. This is an important thing to keep in mind!

Final thoughts

The most important part is to get started somewhere if you want to utilize the awesome benefits that Cloud PC brings, and you can always adjust along the way!

I hope this gave some kind of pointers in where to start!

Categories
Windows 365

Alerts in Windows 365

Monitoring is an important part of all IT operations, and knowing when something fails is crucial. Also knowing before end-users starts calling is even better!

Microsoft has released a new feature in Microsoft Endpoint Manager admin center (MEM) which could help with this called Alerts, which is currently in public preview for Windows 365 features.

With Alerts you can setup notifications, both in the MEM admin center but also through email. This would allow you to get the information and take action as soon as something happens.

There are today three types of alerts you can configure:

  • Azure network connection failure
  • Upload failure for custom images
  • Provisioning failure impacting Cloud PCs

Set up your alerts

Setting up your alerts are really simple. Start by browsing to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com).

Then navigate to Tenant Administration > Alerts (Preview) > Alert rules. This is where you will see available alerts, configure and enable them.

Click the alert rule you want to configure, in this case we will configure the “Provisioning failure impacting Cloud PCs” alert.

You have three sections to configure: Conditions, Settings and, Notifications.

Under Conditions you can specify how many events need to happen before an alert is triggered. For this alert we can either choose a number of Cloud PCs or a percentage of Cloud PC needs to fail before we get an alert. I would consider the suggested setting in this case to be good, since I want to know if one or more Cloud PCs fail.

Next part is Settings where we need to select the severity of the alert and the status of the alert. Microsofts recomendation is to clasify this as critical, which sounds like a good setting and we will set the status to On since we want to enable this alert.

Last and final part is the notifications, if you want to get a notification in the portal and by email. By enabling “Portal pop-up” a notification will show up in the portal if a provisioning fails.

The email part is for where an email notification should be sent. You can add multiple recipients, and I’ve added my Service Desk email adress in this instance, since I want them to get the information. This could also be set to an administrator or the operations team for Cloud PCs, that totally up to you!

After doing all our settings, click “Apply” at the bottom of the screen and your rule will be enabled.

You can at any time easily turn on or off an alert rule by checking the check-box next to it and use the “On” and “Off” buttons.

And now you just need to sit and wait for the alerts to hopefully never show up!

Since making the Cloud PC provisioning isn’t something I’ve figured out how to do on command, I’m not able to do on command I don’t have any screenshots of the alerts.

If you want to see some screen shots of this, I suggest you head over to my fellow MVP Morten Pedholts blog, who actually got a machine to fail in provisioning.

Final thoughts

Alerts in MEM has great potential, and I can really see this expanding going forward to other things than just Windows 365 and the three alerts we are limited to today. Really looking forward to see how this feature will evolve!

Categories
Windows 365

Cloud PCs and the Impossible travel

Once upon a time, in a data center far far away….

Here is something I learned the hard way in my own tenant. Windows 365 kind of messes with your account security if you are consuming Microsoft 365 services from another device than your cloud PC. Especially if you live in a country like Sweden where the Windows 365 service is yet not available in Sweden Central. Further more, it seams to only affect you the first few times you sign in, before the algorithms learn your behavior.

What happened to me was that Identity Protection and user risk blocked me out from my Cloud PC, since I had defined it to block if user risk was too high and not password change.

It took me a while to just realize what had happened, and how to get around it (since Identity Protection is not an area I’m to familiar with).

Why is that?

Well, there is something called “Impossible travel” or atypical travel which is used to assess the risk of your account being compromised, which means that it’s very unlikely that you would travel from let’s say Stockholm to Amsterdam within a few seconds. This is a very good thing to have in place since it will increase the security of your accounts a lot!

This feature is a part of the Identity Protection part of the Azure AD (which requires a Azure AD P2 license), and can help you identify and take action on risky sign-ins performed by users, or detect if their credentials has been stolen.

There are two key parts of this, Sign-in risk and User risk, and you can control what happens if a user does not live up to the expected level. And of course, Multifactor Authentication (MFA), plays a key role.

Conclusion

I’m not going to dig deep into this at all, just sharing an observation basically. If you want to read more about Identity Protection, I really recommend you having a look at the Microsoft Learn documentation, it provides a good overview.

Like I stated in the beginning of my post, this was something I noticed in my lab, but I’ve not seen it in the wild so far in any production environment. For my environment, I solved it by dismissing the risk for my user which eventually allowed me to sign in.

I’ve spent a good amount of time trying to reproduce this sign-in block, but I haven’t been able to yet.

Have you seen something like this with Cloud PCs?

Categories
Intune Windows 365

Get started with Microsoft Dev Box

Some of you might have seen something called Microsoft Dev Box flash by in your feeds. Something called Dev Box doesn’t really sound like something device-related, it sounds more like something your developers would care about. They probably will, but there is a big reason you should care too.

Microsoft Dev Box is a new tool in the toolbox for you, this time to provide Cloud PCs to your developers or such. There are many similarities between Dev Box and Windows 365, but also Azure Virtual Desktop (AVD). However, your developers can themself deploy computers to your tenant based on a template that you create, which means that a developer could create a new test PC when they need one without really involving you as an admin.

Microsoft Dev Box is not licensed-based like your Windows 365 Cloud PC, instead, it’s consumption-based like an AVD. But you have the simplicity of setting up new computers from Windows 365, so it’s almost like a mix of the two. However, the user target group is different since you can get more powerful machines that are deployed by the user themself.

You can read more about the Microsoft Dev Box here, and what Microsoft calls a “Dev Workstation in the cloud”.

Getting started with Microsoft Dev Box

To get started with Microsoft Dev Box you need the following:

  • An Azure subscription
  • Azure AD
  • Intune tenant
  • Windows licenses (typically as part of your EMS or M365 license)

Setting up the Microsoft Dev box is completely taken care of in the Azure portal, not the Microsoft Endpoint Manager admin center.

To start off, you need to head over to portal.azure.com and make sure you have an active Azure subscription to provision this. Then, search for Microsoft Dev Box.

This is where your different environments will be hosted. You can have multiple Dev Boxes set up for different parts of the organization. In each Dev Box, you can also create different projects. In the real world, you would probably configure this in a landing zone specifically set up for your dev-users who will work on certain projects.

The first step is to create a new Dev-center by pressing “+ Create” in the Microsoft Dev Box pane. Select what subscription and resource group you want to deploy this too and give your Dev-center a name. You will also need to select an Azure region where your machines will be hosted. Since this is a preview, the selection of what Azure data center regions are available is limited. Once you have selected this, press “Review + Create” and create your Dev-center.

Once the Dev-center has successfully deployed, you need to create a Network Connection where you define if your Dev Box PCs should be hybrid-joined or Azure AD joined. Head back to the Microsoft Dev Box pane and select Network Connections (or search Azure for Network Connections).

Select “+ Create” to create a new Network Connection by selecting what subscription and resource group to use. Also, give the network connection a name and select what Azure Vnet you would like to use (if you haven’t created a Vnet already, you will need to do that first). Press “Review + Create” and create your Network Connection.

In this example I’m using Azure AD joined devices as selected as “Domain join type”. If you want to use Hybrid join instead, you will need to add some additional information about your domain.

Once you have created your Network Connection, you will need to create a project. This is where gather each project you would like to use the Dev Box PCs in and define what machines are available by creating Dev Box pools. In the Microsoft Dev Box pane, select Projects.

To create a new Project, click “+ Create” and select what subscription and resource group you want to use. Select which Dev-center you would to use and give your project a name. Press “Review + Create” and create your Project.

Now we need to define what machines are available for our users by creating a Dev box pool. There are a few different “sizes” available, and you can read more about them on Microsoft site about Microsoft Dev Box, where you can find out the pricing for each.

To create a new Dev box definition, navigate to the project you created earlier and select Dev box definition on the bottom of the left-hand menu.

To create a new Dev box definition, select “+ Create“. Give your definition a name and then select a Windows image to use, in this example we will use a Microsoft-provided image, but you could upload your own if you would like. Make the appropriate selections of what size you would like on the machine and click “Create”.

The next step is to create a Dev box pool in your project, do this by navigating to your project you created earlier and selecting Dev box pool.

Create a new Dev box pool by pressing “+ Create” and giving your new pool a name. Select the Dev box definition created earlier and also the network connection. You will also need to confirm that your organization has Azure Hybrid Benefit, you can read more about what that means here.

Once you have filled out this, create the dev box pool by clicking “Create” at the bottom of the page.

The last thing we need to do is to assign users the rights to consume machines and work in our project. Prior to this, it’s a good idea to create an Azure AD group that will contain our users.

To configure the access to our project we will head into “Access control (IAM)” in our project.

To add a new assignment, click “+Add” and select “Add role assignment”. In the list of roles, find and select the “DevCenter Dev Box User” role and press next.

On the next page, add your Azure AD group which contains the users who should have access to the project. Once you have added this group to “Members” press “Review + assign” to finalize your role assignment.

You can verify that the assignment was successful by looking in the list for the role and validating that your group is listed.

And that’s it! You have now successfully prepared your environment to use Microsoft Dev Box!

User experience

For users to create new Microsoft Dev Box machines, they will need to access devbox.microsoft.com and sign in with their user account.

Once signed in, the experience is similar to the Windows 365 end-user portal, but there is a new button called “+New Dev box” where users can deploy machines themself.

Once you click that button, a fly-out will appear where you can see the specification on the machine you are allowed to deploy (based on the definition we made earlier) and you are asked to give your machine a name. Once you have given the machine a name, which will be the name displayed to you for your convenience (MEM will show a CPC-xxxxx name), press “Create“.

The creation of a machine will take somewhere around 30-90 minutes. Once the machine is done, it will show in the portal where you are right now but also in the Remote Desktop app where you have all your other Windows 365 machines. A bonus fact is that it will also appear in the Windows 365 portal, marked as Dev box, but you cannot create new machines from there.

Once the machine has been created, you can connect to it and start using it!

Categories
Intune Windows 365

Disabling ESP on Cloud PC

One thing you will notice if you are deploying Cloud PCs is that the Enrollment Status Page (ESP) from Windows Autopilot will or might appear when a machine is being set up. I’ve seen numerous instances where the ESP has failed causing the Cloud PC to lock out the user at the initial start. This is usually fixed by reprovisioning, but an unnecessary call to the service desk can cause frustration with your users and your administrators.

The ESP is not an important part of the Windows 365 provisioning in most cases, hence it can be disabled by a custom policy.

Create the policy

To create a custom configuration policy, go to the Microsoft Endpoint Manager admin center (endpoint.microsoft.com) and navigate to Devices > Windows > Configurations Profiles.

Select to create a new profile and select Custom as template.

Give your profile a name based on your naming convention and press Next.

Add a new OMA-URI setting by pressing Add.

OMA-URI: /Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage

Data type: Boolean

Value: True

Save your setting and press Next.

Select to target All devices, but filtered to only target Windows 365 devices. You can read more about how to do that in this blog post about filters.

Finish the wizard by clicking Next until you reach the last step, then click Create.

You have now successfully created a configuration profile that will skip the ESP for all your Cloud PCs.

Summary

The ESP is something that in Windows Autopilot is very useful, but for Windows 365 it’s not crucial. This will also reduce the risk of random errors during provisioning.

Applications that are needed before the user starts working can be assigned using the assignments to “All Devices” and filter out your Cloud PCs since this will evaluate a lot faster than Azure AD groups.

Categories
Windows 365

Conditional access and Windows 365

Securing the access to Windows 365 could is important. Today, MFA something everyone should use and you should definitely use it to access your Cloud PCs!

Given that you have Azure AD Premium P1 or P2 (it’s included in at least the Enterprise SKU of M365), you are able to use Conditional Access (CA) to enforce MFA. It’s a great idea to always require MFA for all cloud services.

Windows 365 is like you might have guessed a cloud service, which will in that case get the MFA requirement.

But what if you want to add other conditions that are specific to Windows 365 and Cloud PCs? Making sure that these are only accessed from e.g. your managed devices. There are some caveats to this however what I’ve noticed, like for example if you have added the Cloud PC to the Remote Desktop app it will only evaluate the CA rules when adding the account, but if you are using the browser the policy hits each time.

If you set up the CA rules prior to getting your users going however, you will be able to control this in a much better way.

Creating the policy

To create the Conditional Access policy, you must first of have the correct role to do so (e.g. Security Administrator, Conditional Access Administrator, or Global Administrator).

Next up, in Microsoft Endpoint Manager, navigate to Devices > Conditional Access and press “+ New Policy”.

Start by giving your new policy a name.

Next step is to select what users to include in this CA rule. In this example I’m assigning this to all users.

We now have to select what cloud apps are included in this CA rule by going to “Cloud apps or actions”.

Choose “Selected apps” as included, search and add “Windows 365” and “Azure Virtual Desktop” to make sure that your rules applies to all your cloud PCs.

Once you have selected the apps, go to Conditions.

Here we will add Any Device under “Device platforms”.

And also Browser and Mobile apps and desktop clients under “Client apps”.

Once you have added these, move further to Grant under Access control and add your requirements for granting access.

In this example, I’m only allowing compliant devices to sign in to the service, which means devices which are marked as compliant in Microsoft Endpoint Manager, which means that they are managed and healthy devices. You can also add additional requirements here and have it set to require to fulfill only one of the requirements, e.g. complaint OR require MFA. You can of course also set it to require both being compliant AND require MFA, this is controlled under the “For multiple controls” section. In this case, I’ve left it to it’s default value.

Once you have added all your settings, make sure to set the “Enable policy” switch to ON instead of “Report-only” to activate the policy. However, be aware that you could potentially look your self out by doing a faulty CA rule.

Click create at the bottom of the screen and your policy will take effect within minutes!

The experience

So what happens when this Conditional Access rule hits?

For the Remote Desktop app, it will only take affect when adding a new account. So if you already have an account added, nothing will really happen.

But when you try to add a new account, it will not grant you access unless you meet the requirements set in the policy.

For the browser, when accessing your Cloud PC through the Windows 365 portal (https://windows365.microsoft.com) you will also be met by a message not granting you access. This message is however a bit more cryptic and doesn’t really tell you what’s wrong. But

Conclusion

That is a quick guide how to get started with controlling the access to your Cloud PCs using Conditional Access. You could do a lot of cool stuff with this based on your scenarios and needs. You could also throw some session control into this or only granting specific user roles access to this combined with a few more policies to create a cloud based Privileged Access Workstation (PAW).

You could also compliment the policy with a session control to control how often it needs to be re-evaluated.

This configuration I didn’t doesn’t really support the “work from any device” concept, but I just wanted to show what was possible!

Categories
Windows 365

Azure AD joined vs hybrid joined Cloud PC

It has finally arrived, and while writing this we are hopefully getting close to a general availability release. I’m talking about the Azure AD joined Windows 365 machines!

This is something that makes this solution a truly cloud-based solution since we can now let go of the on-premises AD for the device part (let’s face it, we still have our users in there in the real world).

However, there are still use cases for both scenarios, depending on what your want’s and need’s are! So there is a decision to make here, and it might be that you need both!

The difference

Let’s start of by briefly looking at what the difference between Azure AD joined and hybrid joined is, and I’ll simply A LOT now.

Having a Azure AD joined computer means that the device is only registered to the Azure AD, which is your cloud AD so to speak. This AD is a lot different than your traditional AD since you are missing things like OUs and GPOs for example. The cloud relies on a flatter and different approach to handling objects and settings. I’ve once gotten Azure AD explained to me once as one big AD forest where each tenant is an OU, just to put it in perspective. Joining a computer only to Azure AD also means that there will be NO trace of the computer object in the on-premise AD, hence we cannot use the computer object to authenticate towards things but you can still use e.g. Kerberos for SSO.

If you join your computer to the Azure AD you would typically manage it from Microsoft Intune.

Having a Hybrid Azure AD joined computer means that we join the computer to both the on-premise AD and the Azure AD. One could say you get the best out of both worlds. That is to some extent true, but you are still very reliant on your computer talking to a domain controller to get policy updates, since you would in many case manage these computers with GPOs.

Hybrid Azure AD joined devices are typically co-managed by Configuration Manager and Microsoft Intune. But you can of course manage them using only Microsoft Intune as well.

With that said, it comes down to your tools and needs in what approach is best for your Cloud PC.

Advantages hybrid Azure AD joined Cloud PC

So one of the biggest advantage with hybrid Azure AD joined Cloud PCs are that you know this already and most likely this is how you manage your physical PCs today. You have them hybrid joined, manage them with some GPOs, maybe some Intune policies and you also add some Config Manager stuff on top. Nothing strange here, this is just another computer but is virtual. You still need the Microsoft Endpoint Manager admin center to configure your Cloud PC provisioning, but the rest is like you know by heart. A setup you know, love, and trust!

Using hybrid join is also great for those applications requiring a computer object to be present in the AD for authentication or such. Or it could just be as simple that you need “system” to be able to access a file share. Then this is perfect!

Hybrid joined Cloud PCs are no different from your regular PCs in that sense, they are just physically in the Microsoft datacenter.

BUT by using hybrid joined Cloud PCs you still have great dependency towards your on-premise infrastructure.

Advantages Azure AD joined Cloud PC

The benefits with the Azure AD joined Cloud PC can be argued to be the exact opposites as the hybrid join. No GPOs, no ConfigMgr, no hybrid. No legacy stuff. Just cloud.

However, I would say that that’s not where the strength lies with Azure AD joined Cloud PC. The strength that I’ve seen when you combine this with thinking about where these computers should be hosted. With Azure AD joined you can either host them on a Azure VNet you manage, or you can choose to use the Microsoft managed VNet which is basically on internet.

Hybrid joined Cloud PCs can only be hosted on a Azure VNet in your subscription, which is great! You are in full control of the traffic flows and can put them on the corporate network if you like. This also goes for Azure AD joined.

Azure AD joined Cloud PCs are similar to having a “cloud only” physical client. You manage it with only cloud tools and you shouldn’t have o big dependencies towards on-premise services. You will manage it from Microsoft Intune and GPOs are now a thing of the past.

For many organizations, this is a journey. Moving to cloud based management is a journey which many are on. Utilizing Windows 365 Cloud PC to get going could be a great place to start, since your users will then potentially have both of your two worlds!

Conclusion

Choosing one or the other comes down to what your needs are, and how you would like to manage your devices.

If you are yet not on your road to Azure AD only devices, well then you will probably need the hybrid joined version for the time being. But like I said earlier, you can of course have both and transition over.

If you have a group of users who only need access to e.g. SaaS based applications, then what’s the point in putting them “behind the firewall”? There are so many scenarios for which you can say the one or the other is the best, but what’s best for you might not be the best for someone else.

I personally is a firm believer and advocate for going cloud only for device management so I always try to challenge to see how far you can take it. It’s usually further than you would think. Same goes for Windows 365, make use of the fact that it’s a cloud service and native to Microsoft Endpoint Manager by going Azure AD only. You can still put the device on “corp-net” using Azure VNets, but skip the on-premise AD stuff.

Adding Azure AD joined will increase the scenarios, and it’s actually a lot easier to get started with Azure AD only then involving on-premise AD, which in an IT organization often means that you need the identity team to help you to some extent.

If you want to get started with cloud management for devices, looking at setting up Azure AD join for Cloud PCs and manage them through Microsoft Endpoint Manager is a great place to start!

Categories
Windows 365

Different ways of accessing a Cloud PC

There are a few ways you can access your Cloud PC. You probably have your favorite way to access your Cloud PC, but I though I would go through them all and the benefits with each.

Microsoft has also announced an upcoming Windows 11 feature called Windows 365 Switch which will be a native Windows 365 app in Windows 11. I will not cover that in this post since it’s yet to be released at the time of this blogpost.

Browser

Connecting to your Cloud PC through the browser is in my humble opinion the coolest way, and really convenient since you can then access your computer from what ever device you are using without any issues (as long as the browser is a modern browser like Edge, Chrome, Safari, or Firefox). Okay, not any device, but Windows-, macOS-, ChromeOS-, or Linux-based device.

You access the Windows 365 service through https://windows365.microsoft.com and sign in with your account.

In this portal, you will see all Cloud PCs assigned to you.

To connect to the Cloud PC, you simply press “Open in browser” and the Cloud PC will open in a new tab.

You can also perform some remote tasks on the Cloud PC such as restart, restore, rename or troubleshoot. Or see System information.

The restart is exactly what it sounds like, you will remotely restart your Cloud PC. Restore can be used to go back to a previous point in time (I cover that in this blogpost).

Rename option will allow you to give your Cloud PC a new friendly name instead of the generated name.

If you as an end-user are experiencing issues with connecting to your Cloud PC, you can use Troubleshoot to see what’s causing the issues. It will check that the service is healthy and that there aren’t any connectivity issues.

If you click the “System information”, you will see some details about your Cloud PC such as device name and license.

Remote Desktop app

Working with your Cloud PC everyday, I would say that this is the best option to connect.

Simply download the Remote Desktop app from Microsoft for your desired operating system. For Windows I would suggest to use the desktop version and not the Microsoft Store version, the desktop version works a little bit smoother in my experience.

One thing that is good to keep in mind is that if you are using macOS, you cannot currently have multiple accounts in the Remote Desktop app.

When you have downloaded and installed the application and start it for the first time, you will be asked to sign in. Sign in with you account and the resources you have assigned to you will be added. These could be Windows 365 resources, but also Azure Virtual Desktop resources and published apps.

As you can see by the picture, running the app in Windows I can have multiple accounts and resources in the same place, giving me easy access to several environment.

To launch the Cloud PC, I simply dubble click on the computer icon, provide my credentials and I’m signed in.

I can choose to run this in a full screen experience or a windowed experience depending on my personal preferences.

Using the Remote Desktop app, you don’t get all the remote features as you do in the web-portal, but you have easier access to your Cloud PC on a daily basis.

Mobile app

Lastly, mobile app. There is a Remote Desktop app available for iPhone/iPad and Android devices which can be used to connect to your Cloud PC. I will show some screen shots from and iPhone which is maybe not the smoothest way to work with the Cloud PC due to the screen size. For this, and iPad would be a much better option.

To connect, click the + sign at the top right corner and select “Add workspace“. You will need to enter the subscription URL found here and then sign in with your account. One thing to keep in mind with the mobile app is that you can only have one account associated with the workspace, so no support for multiple accounts.

Once you have signed in, you will see all resources which are assigned to this account.

To connect, simply tap on the computer you which to connect to and enter your credentials when asked to and you will be connected to your Cloud PC.

You can now use your Cloud PC from your mobile device, and keep working where you left your desktop! This is a great option when you have to check something on the go, to simply just connect to your Cloud PC.

Feature vice, the mobile app is pretty limited but you can easily connect to your desktop. If you have a larger screen, the experience will be better so an iPad or Android tablet with a keyboard would be ideal even though it works surprisingly well using an iPhone as you can zoom in and out if needed.