Categories
Intune Windows 365

Microsoft Ignite 2024 Recap

Microsoft Ignite 2024 was once again back in Chicago, where it all started in 2015. I remeber having such FOMO not being able to go there, since one of my favourite bands at the time (the Chigaco band Fall Out Boy) played at Ignite.

But it was great being back at a large event, and Microsoft does a good job running big events. This was still a “small” Ignite with about 10 000 participants, but that is still A LOT of people. I went there with my colleagues from Advania, which was a lot of fun!

The red tread through Ignite 2024 was of course Copilot, “the UI of AI”. So it was Copilot everything, and you can really tell that this is the big bet going forward. So if you haven’t paied attention to Copilot yet, now is the time to start.

But since that Copilot is the big thing, I decided to actually put Copilot into good use and help me find all the important updates around Windows, Windows 365 and Intune for this blog post. This is the prompt I used to create my draft, it did however miss a few important points so consider using this prompt for drafts.

Can you help me gather all news around Windows, Windows 365 and Microsoft Intune from Microsoft Ignite 2024. I want to devided into each topic, with the topic stated as the H1 heading, and then each news per area as H2 headings.
for each news, write a short descriptive text.
make sure to only reference Microsoft sources

Microsoft gathers all news from Ignite in the Book of News which was released on the first day of Microsoft Ignite. If you want to check out the full list, you can find the Book of News 2024 here.

It was also great meeting all the community people which I haven’t seen in a while, both MVPs and Microsoft people.

Windows

Windows Resiliency Initiative

Microsoft introduced the Windows Resiliency Initiative to enhance the reliability and security of Windows. This initiative aims to allow more applications to run without requiring admin privileges, implement stronger controls for apps and drivers, and improve identity protection. These measures are designed to make Windows more robust and secure for all users[1].

Windows Hotpatching

Windows 11 Enterprise, version 24H2, introduces hotpatch updates that apply security patches immediately without requiring a restart, reducing disruptions. Devices receive a standard monthly security update and restart in the first month of each quarter, followed by hotpatch updates in the next two months. Managed via Intune and Windows Autopatch, hotpatching can auto-detect eligible devices and streamline update deployment. The public preview invites user feedback to improve the service before general availability, with more information to be shared as the rollout continues.

Read more here: Hotpatch for client comes to Windows 11 Enterprise

Quick Machine Recovery

This new feature allows IT administrators to remotely execute targeted fixes from Windows Update on PCs that are unable to boot. This capability is particularly useful for quickly resolving issues without needing physical access to the affected machines, thereby reducing downtime and improving efficiency[1].

Collaboration with Endpoint Security Partners

Microsoft is working closely with endpoint security partners to improve security and reliability. This collaboration includes new requirements for partners, such as controlled gradual rollouts and enhanced incident response processes. These efforts aim to ensure that security updates and patches are deployed smoothly and effectively[1].

Windows Hello has been extended to support passkeys, offering a simpler and safer way to sign in. This enhancement aims to improve user convenience while maintaining high security standards[1].

Administrator Protection

This new feature allows employees to make system changes using temporary admin tokens. By granting temporary admin privileges, this feature enhances security by reducing the risk of unauthorized changes while still allowing necessary modifications[1].

Read more about Administrator Protection here: Administrator protection on Windows 11

Windows 365

Windows 365 Link

The Windows 365 Link is a new class of devices built to connect securely to Windows 365 in seconds. These devices are designed to provide a seamless and secure connection to the cloud, enabling users to access their Windows environment from anywhere[1].

You can read more about the Windows 365 Link here: Windows 365 Link—the first Cloud PC device for Windows 365

Windows 365 Frontline shared mode

Windows 365 Frontline now supports shared mode for brief, ad-hoc tasks. This feature allows multiple users to share a single device for short-term tasks, improving flexibility and resource utilization[2].

Want to read more? Check this official Microsoft blog post: Windows 365 Frontline shared mode now in public preview – Windows IT Pro Blog

Windows in Mixed Reality

Windows 11 capabilities are now available on mixed reality headsets like Meta Quest 3. This integration brings the power of Windows to the mixed reality space, enabling new immersive experiences and applications[2].

Mobile Application Management (MAM)

Enhanced device redirection and security features are now available on unmanaged devices. These improvements provide better control and security for mobile applications, even on devices that are not fully managed by IT[2].

Microsoft Intune

AI and Analytics

Intune Enhanced device hardware inventory

Intune now offers enhanced device hardware inventory, allowing administrators to query multiple devices and take remote actions based on the query results. This feature provides deeper insights and more control over the device fleet[3].

You can read more here: Enhanced hardware inventory in Intune coming in December

Security Copilot in Intune

Security Copilot brings AI-powered endpoint security to Intune, offering real-time threat detection and response. This integration enhances the security posture of managed devices by leveraging advanced AI capabilities[3].

Device Management

Cross-Platform Device Inventory

Intune’s device inventory capabilities are expanding to include iOS, Android, and macOS devices by early 2025. This expansion allows for comprehensive management of a diverse range of devices from a single platform[3].

Enhanced macOS Management

New options for certificate storage in the user keychain have been introduced for macOS devices. These enhancements improve the security and manageability of macOS devices within the Intune environment[3].

Specialty Devices

App Protection Policies for Apple Vision Pro

Intune now supports configuring app protection policies and Conditional Access for Apple Vision Pro. This support ensures that these advanced devices can be securely managed and used within enterprise environments[3].

EPM Support for ARM64

Elevation requests from ARM64-based Windows devices are now supported in Intune. This feature allows for better management and security of ARM64 devices, which are becoming increasingly popular[3].

References

[1] Microsoft Ignite 2024: Embracing the future of Windows at work

[2] Microsoft Ignite 2024 Book of News

[3] Microsoft Intune news at Microsoft Ignite 2024

Categories
Intune Windows 365

Let’s improve onboarding for Windows 365!

Through out the years, I’ve worked with a lot off different customers, and almost all of them use some kind of ITSM tool (such as Jira ServiceNow) to order new services and hardware for users. This is usually where Windows 365 is added as a service where I as an end user, or manager, can request it.

But what if you don’t have an ITSM tool, but I still want to offer the self-service option?

Well, in Entra ID there is something called “Access packages” which we can use for this puropse. If you want to read more about what that is, check out the Microsoft documentation here.

With Access packages, we can create a self-service portal, where end-users can request memebership to a group. This group can then have a license tied to it, what is also known as Group Based Licensing. The user will then request membership to the group, you can add approvals and set a time frame that this membership should be valid. You can also add access reviews to check in with the user to see if they are still using the service.

So let’s jump into how an easy setup of this would look like, and then have a look at the user experiance. However, this setup is assuming you have already setup group based licensing for Windows 365.

This setup also assumes that you are targeting provisining policies to all users already (I’m using dynamic, country based groups as descibed in this post).

Setting upp Access packages

To set up access packages, we head into the Entra portal (https://entra.microsoft.com) and navigate to Identity > Identity Governance > Entitlement Management and then look for “Access packages” in the menu.

We will just create a very basic setup for this, so lets go ahead and click on “+ New Access Package“. First step is to give your policy a name and descripton. Remeber, the description is a required field. We will leave the catalog to “General” which is the default value. When done, hit next on the bottom of the windows.

Since we want to configure a memebership to a group, select the option “+ Groups and Teams” and find

Since we are just going with default values, you might need to check the “See all Groups and Teams…” check-box in order to find your group. When you have found the group, click select. If you are not already targeting users with a provisioning group, you need to add that here as well.

When you have added your group, remeber to change the Role to member before hitting next.

In the next step, we will define our Request flow. In this example I will make this apply for all users in my tenant, and I will allow all users to place a request.

The next part is to define the approval process. You can also remove approvals completely, but since Windows 365 comes with a cost we want a manager to approve this request. You can also add additional approvers if required. Default value is that manager will be the approved, and we will leave it to default. What you need to add is a “fallback” approver, and as you can see here I added my Help Desk team for this. Choose an approriate user/group for this task.

Last step on this section, is to select how we will enable this request flow. I’ve also enabled the preview features for this example, but you dont need to do that. Just make sure to enable the top one since this is what makes this request available. We will skip the Verified ID part and press the Next button.

On this step, we could add additional questions or justifications for the requestor, but we will leave this to default and press next. We will still get a question for business justification in the request.

Next step is to set the lifecycle for this, which we in this case will set to 180 days since that is roughly 6 months. And just for the purpose of usign access reviews, we will enable that as well but leave all values to default. When you are done, press next until you reach “Review + Create“.

On the last step, you can review all your settings before pressing Create. It will validate your configuration, and if you missed something or something is wrong it will ask you to correct this before moving forward.

We have now successfully create a Access package for our Cloud PCs!

Let’s have a look at what this looks like when a user requests this.

The request flow

The place where you need to direct your users for placing requests is https://myaccess.microsoft.com/ where they will see all available request packages for them. As you can see, I have three different access packages for Cloud PC I can request. To start a request, I simply click on “Request” on the service I want to request.

This windows will then appear, and you just click continue.

Next step is to add a business justification for my request, here I can also set it to a specific period if I like since we enabled that option when setting things up.

I then submit the request and it is sent of to the approver, which in this case is the manager.

Approver experiance

When the request has been sent, the approved will recieve an email looking like this, where they are asked to approve the request. This email also contains the business justification added by the requestor.

When the approver clicks the blue button in the email, they are redirected to the approval site on My Access.

When the approved selects to approve the request, they will be asked to enter a justification before approval is sent.

When the approver has approved the request, a confirmation email will be sent to the user. However, what is imporant to keep in mind is that this will initiate the provisioning of the Cloud PC.

The process of provisioning will now start and the Cloud PC will be done within usually 30-40 minutes depending on how fast your provisining policy is!

Key take aways

Estalishing a good on- and off-boarding process is important in all IT organsations. This walk though shows you that you can establish this without setting up more advanced tools. However, this is not close to as powerful as proper ITSM tools, but you can build simpler request flows to suite your needs.

This principle can also be applied to other things, not just Windows 365 and Cloud PCs.

Categories
Windows 365

Slimcore: Revolutionizing Teams for VDI Environments

Last week, Microsoft dropped a bombshell with the release of Slimcore for Teams, specifically designed for VDI environments. Let’s unpack what this means for us and how it can supercharge our virtual desktops.

What is Slimcore?

Slimcore is the new media engine for Teams, tailored for VDI setups like Azure Virtual Desktop and Windows 365. It’s packed with improvements that make Teams more efficient and user-friendly in virtual environments. No longer is the Teams client for VDI a long lost cousin of Teams, now we will see feature parity!

Key Features and Benefits

So what are the key features and benefits with moving to Slimcore from WebRTC?

  • Enhanced Performance: Slimcore cuts down on resource consumption, leading to faster call setup times and smoother performance. This is a game-changer for those of us juggling multiple virtual desktops.
  • High-Fidelity Media: Enjoy top-notch audio and 1080p video at up to 30fps. This ensures our meetings and presentations are crystal clear, even in a virtual setup.
  • Advanced Meeting Capabilities: Features like gallery view, custom backgrounds, and presenter mode are now available, making our virtual meetings more interactive and engaging.
  • Auto-Updates: The decoupled architecture allows for quicker feature rollouts without needing to overhaul the entire VDI infrastructure. Staying current with the latest features has never been easier.

Installing Slimcore on Windows 365 Clients

Prerequisites: Make sure you have the latest version of Microsoft Teams (version 24193.1805.3040.8975 or higher) and the Remote Desktop client (version 1.2.5405.0 or higher) or the new Windows app (version 1.3.252 or higher).

Install the Plugin: The plugin (MsTeamsPluginAvd.dll) is bundled with both the Remote Desktop client and the new Windows app. It will automatically download and manage Slimcore. No admin rights or reboots are required.

Verify Installation: After installation, the plugin will silently provision and register Slimcore for the user. You can verify this by check in the Teams client on the Cloud PC that the Slimcore client is being used by going to Settings – About Teams. Look for the text “AVD Slimcore Media Optimized”.

User Experience Improvements

One of the standout aspects of Slimcore is how it aligns the Teams experience between physical and virtual desktops. This consistency is crucial for user satisfaction and productivity. This gives the user a familiar experiance with the features they expect to find in Teams!

Conclusion

Slimcore is a significant step forward for Teams in VDI environments. It brings enhanced performance, high-fidelity media, and advanced meeting capabilities, all while simplifying updates and maintenance. If you haven’t tried it yet, now is the perfect time to explore what Slimcore can do for your virtual desktop setup.

Categories
Intune Windows 365

Improving Decision Making with Intune Advanced Analytics Data

One thing that many IT administrators tackles every day is the discussion about “my computer feels slow” or “I need a faster computer”. Sometime the feeling of having a slow computer is legit, and sometimes it’s something else.

There are numerous DEX (Digital Employee Experience) tools out there on the market. This can provide you with a great overview of your whole ecosystem, ranging from Teams call quality to desktop experience. However, even if those tools are great, they come with a new set of data to analyze in a new tool. And in bigger organizations, the complicated puzzle of “who owns this and who makes remediations?” arises.

Since I write a lot about Microsoft stuff, we will dive into the Intune Advanced Analytics part of the Intune Suite.

Intune Advanced Analytics is a native part of Intune, which gives you more extensive reporting on your Windows devices. I know Windows isn’t 100% of the fleet in modern organizations but we need to start somewhere.

Setting up Intune Advanced Analytics

To start using Intune Advanced Analytics, you will need these three things.

  • Intune environment
  • Intune Suite licenses or Intune Advanced Analytics stand-alone license (remember, this is user based)
  • Configuring Endpoint analytics in Intune

I won’t go through how to obtain license, since this will vary from case to case depending on your setup.

Configuring Endpoint Analytics

The first thing you need to do is to configure Endpoint Analytics to receive data from your devices. Since I’m all in the cloud, we will look at how you do this for Intune managed devices. To do this, you need to have the Intune Service Administrator role, also known as Intune Administrator.

Head over to the Endpoint Analytics blade in Intune (you can find it under Reports or at https://aka.ms/endpointanalytics). When in there, select the Settings blade.

You can see that my tenant already uses the Intune data collection policy. This default policy exists in all tenants, but you need to make sure it’s assigned to your devices.

Manually create the policy

If you can’t find the policy in your environment, it’s no big deal. You just need create a new policy based on the template for Windows Health monitoring.

If you are configuring this for the first time, make sure to switch Health monitoring to Enable and set the Scope to Endpoint analytics.

Deploy this policy to your devices using either the built in “All devices” group or use a device group.

When you set this up for the first time, it can take up to 24 hours for the data to populate. If you are looking to use Advanced Analytics, expect up to 48 hours.

Allow access to URLs

The last step to do is to make sure that your devices are allowed to reach the URL needed for Endpoint Analytics. This is important if you have a restrictive firewall or if you use a webfilter/proxy to run all your traffic through.

For Intune, the needed URL is:

https://*.events.data.microsoft.com

If you want to read more about how to set this up for Configuration Manager managed devices, check out the Microsoft Learn page.

Getting access to the data

Now when 24 hours have passed, we should start seeing data being populated. If you have additional people who should not be admins who need to review the data. There are a few different built-in roles you can use, or create a custom role.

These are the different options you have:

Role nameMicrosoft Entra roleIntune roleEndpoint analytics permissions
Global AdministratorYesRead/write
Intune Service AdministratorYesRead/write
School AdministratorYesRead/write
Endpoint Security ManagerYesRead only
Help Desk OperatorYesRead only
Read Only OperatorYesRead only
Reports ReaderYesRead only

Once we have our roles in order, we can start looking at the data!

Looking at the data

The Endpoint Analytics feature consist of 6 different blades

  • Startup Performance
  • Application reliability
  • Work from anywhere
  • Resource performance
  • Remoting connection

These features are available with the regular Intune license. With the Intune Advance Analytics license you will get a few more. And it’s automatically integrated into the Intune administrator experience.

  • Custom device scopes
  • Anomalies
  • Enhanced device timeline
  • Device query
  • Battery health

If you want to read more about what’s included, I would suggest checking out this Microsoft Learn article.

Reviewing my devices

But as I stated in the beginning of the post, let’s talk about reviewing resource performance. With the regular Intune license, you will gain access to resource performance for your Cloud PCs. With this, I get insights which Cloud PCs are meeting my targets and what Cloud PCs I should investigate upgrading to a different SKU. This data can be broken down to a device or model. This gives me great data about my environment on CPU and RAM spikes when they are being used.

All devices get a score based on their performance, and you can configure what your baseline is in the Endpoint Analytics settings.

You can break the numbers down based on model or individual device performance to get a better understanding.

With the 2408 Intune Service update, this was also made available for physical devices if you have the Intune Advance Analytics license enabled. This will provide me with insights on how my physical devices are performing when it comes to RAM and CPU. I can also learn if they have continuous spikes indicating that they need an upgrade.

If we stand in the “Device performance” tab, we can see all Cloud PCs and physical PCs gathered in the same place. You can also compare Cloud PC and physical PC performance.

Looking at specific devices

If we click on the name of a device, you will be redirected to the blade “User experience” on the device itself. You can also find it if you search for a device in the device list and click in to view that device.

From here, you can see a lot of data about the device around its performance.

As you can see, my Surface Laptop Go 3 has had a few minor spikes in RAM the last 14 days but nothing major.

And if we look at the overall score, it’s pretty okay.

Device timeline

There is one more really nice feature with the Intune Advanced Analytics we can see, and that is a Device Timeline (last tab on the top).

In here, we can see historical data on events that has happened on the device which impact the user experience. As you can see on this device, I’m having a few issues with applications.

And if we jump back and look at another device, a Cloud PC, we can see the same kind of data.

One interesting thing I found while writing this blog post is that I compared my Surface Laptop Go 3 i5 with 16gb RAM with my 4vCPU/16GB Cloud PC. What I can see was that my Cloud PC scores higher. I would say that I use them in a similar way, the same amount of time. I do know that the Cloud PC has a little bit of a more powerfull CPU (being a cloud PC),

The Cloud PC scores 98 in resource performance.

While my Surface Laptop Go 3 scores 77.

So performance wise, Cloud PCs are doing a lot better. However, the Surface Laptop Go 3 is not a fair comparance being a more “low tier” PC. However, they are still both performing really good for what I use them for. So this is important to take into considerations when looking at the data.

Take away

Knowing how the performance of the devices in your environment chelan p you figure out when devices needs to be replaces or upgraded. As you already know, backing your decisions using data is key! Intune can provide you with a lot of data on your device without the need to buy a third party tool and deploying/maintaining a client on the device.

However, if we start looking at “real” DEX products, Intune Advanced Analytics does not provide the same level of data. You will also need to combine several parts of Intune to be able to perform e.g. remediations on the things you find. You still need to manually take actions or create remediation scripts on your findings.

But if you are just getting started and need “something”, this will provide you with a great overview of your environment! This will help you make better decisions and help your end-users even better!

I hope you liked this post and that it gave you some insights to what you can do with Intune Advanced Analytics!

Categories
Intune Windows 365

Summer recap – what did we miss?

Like all Swedes, summer means vacation mode for 4-5 weeks and that means not keeping up with what’s happening in the world.

So here is a recap of what’s been happening during the summer months.

MVP renewal

In the begning of July, the MVP renewals where announced and I’m happy to announce that I’ve been renewed as a Windows and Devices MVP for the 3rd time.

Big congratulation to all my fellow MVPs that got renewed for 2024!

Windows 365 updates

July was full of Windows 365 updates, there has been updates for Windows 365 each week since July 1st which is really awesome. A lot of great updates.

Here are some highlights, but if you want to see the full list check it out here.

Cross region disaster recovery

Windows 365 cross region disaster recovery is an optional service for Windows 365 Enterprise which protects the Cloud PCs and data against regional outages. This is a seperatly licensed service which can be purchased as an add-on to your existing service.

Cross region disaster recovery in Windows 365 | Microsoft Learn

Windows 365 Cloud PC gallery images use new Teams VDI

The new Teams for VDIs has been added to the Windows 365 image gallery, containing all the optimizations for Windows 365. All your newly previsioned Cloud PCs will containg the new optimizations.

Microsoft Teams on Cloud PCs | Microsoft Learn

Cloud PC support for FIDO devices and passkeys on macOS and iOS (preview)

Windows 365 Cloud PCs now support FIDO devices and passkeys for Microsoft Entra ID sign in on macOS and iOS.

Updated default settings for Windows 365 security baselines

Microsoft has released an updated version of the security baseline for Windows 365. You can find a full list of the updated settings here: List of the settings in the Windows 365 Cloud PC security baseline in Intune.

New GPU offerings for Cloud PCs are now generally available

Microsoft has finally released the new GPU offering! The GPU offerings are suitable for graphical intense workloads requiring a more optimized performance. The offering consists of three different SKUs called Standard, Super and Max with different configurations for different kinds of workloads.

GPU Cloud PCs in Windows 365 | Microsoft Learn

Uni-directional clipboard support is now generally available

The clipboard settings for Windows 365 and AVD has been in preview for a while, but have now been

moved into general availability with some pretty nice added functionallity. You can configure a lot of new different content type, and you can select to allow which direction clipboard should be allowed. This applies to both Windows 365 and Azure Virtual Desktop.

Configure the clipboard transfer direction in Azure Virtual Desktop | Microsoft Learn

Intune updates

The list for Windows 365 was long (in the aspect of Windows 365 updates), but there has been even more Intune updates.

If you want to read the full list of updates during the summer months, check out the full list here.

Update for Apple user and device enrollments with Company Portal

Microsoft has updated the registration process for Apples devices using the Intune Company Portal. The main change is that now the Entra ID registration happens after the enrollment, instead of during the enrollment. This applies for both iOS/iPadOs devices and macOS devices.

The change means that if you are using dynamic device Entra ID groups which rely on the device registration, you need to make sure that the users complete the whole process.

iOS/iPadOS device enrollment guide for Microsoft Intune | Microsoft Learn

New configuration capabilities for Managed Home Screen

If you are using managed home screen for Android, you can now enable the virtual app-switcher button to allow users to switch between apps on a kiosk device.

Configure the Microsoft Managed Home Screen app for Android Enterprise

Copilot in Intune now has the device query feature using Kusto Query Language (KQL) (public preview)

If you are using Copilot in Intune, you can now generate a KQL query using Copilot while asking in natural language. Great way to learn KQL or get inspiration for your querys!

Microsoft Copilot in Intune

New setting in the Device Control profile for Attack surface reduction policy

Microsoft has added the “Allow Storage Card” setting to the Attack surface reduction policy, which can also be found in the settings catalog.

AllowStorageCard 

New operatingSystemVersion filter property with new comparison operators (preview)

There is a new filter property for operatingSystemVersion, which is available in a public preview.

This filter allows you to use operators like GreaterThan, GreaterThanOrEquals, LessThan and LessThanOrEquals to your oprating system version and is available for Android, iOS/iPadOS, macOS and Windows!

Consolidation of Intune profiles for identity protection and account protection

Microsoft has done some cleaning up around identity and account protection policies and added them all into a single profile called Account protection which can be found in the account protection policy node of endpoint security. This is the only template which will be available going forward for identity and account protection. The new profile also includes Windows Hello for Business and Windows Credential Guard.

Account protection policy for endpoint security in Intune

New Intune report and device action for Windows enrollment attestation (public preview)

There is a new report in public preview for finding out if a device has attested and enrolled securly while being hardware-backed.

Windows enrollment attestation

New support for Red Hat Enterprise Linux

Microsoft Intune now supports device management for Red Hat Enterprise Linux. You can enroll and manage Red Hat Enterprise Linux devices, and assign standard compliance policies, custom configuration scripts, and compliance scripts.

Deployment guide: Manage Linux devices in Microsoft Intune 

Newly available Enterprise App Catalog apps for Intune

The Enterprise App Catalog has updated to include additional apps. For a complete list of supported apps.

Apps available in the Enterprise App Catalog.

New actions for Microsoft Cloud PKI

The Microsoft Cloud PKI has been updated with some new features.

  • Delete: Delete a CA.
  • Pause: Temporarily suspend use of a CA.
  • Revoke: Revoke a CA certificate.

Delete Microsoft Cloud PKI certification authority

ACME protocol support for iOS/iPadOS and macOS enrollment

Microsoft has started a phased rollout of the infrastructure change to support the Automated Certificate Management Environment (ACME) protocol. When a new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. 

Windows updates

The realse of Windows 11 24h2 is getting closer and closer, and it could be guessed to be released in a September/October time frame looking at past releases.

One thing that is also important to highlight is that we are getting closer and closer to the Windows 10 EOS, which means that we really need to focus on getting those devices migrated or removed.

Categories
Intune Windows 365

Alerts for Windows 365

Did you know that you can get automated alerts for certain events for your Cloud PC environment?

Microsoft released this feature back in February of 2023, and has added quite a few differents alerts by now, not only the network, provisioning, and image upload error alerts.

Today, you can find 6 different alerts you can setup:

  • Azure Network Connection failure
  • Cloud PC grace period
  • Cloud PCs that aren’t available (preview)
  • Frontline Cloud PCs near concurrency limit (preview)
  • Provisioning failure impacting Cloud PCs
  • Upload failure for custom images

You can select how you want to get notified in the event of something happening,

How to set up alerts?

To setup alerts, head into Microsoft Intune and navigate to Tenant Administration and find Alerts in the menu.

In this first view you will see any active alerts that you have in your environment. Like this alert that I have one Cloud PC in grace period.

If we move over to the second tab, that’s where we can configure our alerts.

As you can see, you have six different alerts you can enable. You don’t need them all, enable the ones which makes sense to you. as you can see I have not configured the “Azure Network Conneciton failure” nor “Upload custom image” in my tenant, since I don’t use these features at the moment. A sharp eye might notive that “Fronline Cloud PCs near concurrency limit” isn’t configure either, but we will do that now by clicking on the name of the alert.

This will take us to the configuration page.

If we start of with the conditions for the alert, these are a bit different depending on the alert, but for some you can select another value type. For this one, we will set this to 90% of instances, meaning that if 90% or more of our Frontline Cloud PCs are reaching their concurrency limit, we will get an alert.

Next up is the severity level of this alert. This is up to us to choose the correct level, and we will this at default as a warning.

The status part is defining if this alert should be active or not, so let’s go ahead and change this to ON.

The last part of this is how we want to get notified. We can select to either just get a pop-up in the Intune portal or if an email should be sent somewhere. This could be a great way to e.g. raise tickets in you ITSM tool without needing any additional integrations.

When I get the notification Intune, this is what it looks like:

And this is what the email looks like:

Why use alerts?

So why do we want to use alerts? Well it’s a really good way to get notified if something happens with the Windows 365 service you provide to your users, without you having to sit and look at everything all the time. You could even find issues before they arrise and your IT Helpdesk gets jammed with a lot of calls from end users.

Take a look at alerts if you are a Windows 365 administrator, this could really simplify your life!

Categories
Windows 365

How to Save the Planet with Windows 365

Okay so this is a blogpost I’ve been putting off for a long time without any good reason to be honest. I think I’m wanting this to be perfect since it’s a combination of several things I care deeply about. This will probably be like a part 1. So here we go.

TLDR;

One of the benefits of Windows 365 is that it can reduce the environmental footprint of IT operations by shifting the energy consumption and emissions from the end-user devices to the cloud servers. According to a study by Microsoft, the Microsoft cloud is between 22 and 93 percent more energy efficient than traditional enterprise datacenters, depending on the specific comparison being made. When taking into account Microsoft’s renewable energy purchases, the Microsoft cloud is between 72 and 98 percent more carbon efficient.

Microsoft has also committed to be a carbon negative, water positive, and zero waste company by 2030, and to protect more land than it uses by 2025. In its 2022 Environmental Sustainability Report, Microsoft shared its progress, challenges, and learnings on its journey to meet these goals. The report also showcases how Microsoft is delivering digital technology for net zero, such as Microsoft Cloud for Sustainability, which helps customers measure and manage their environmental impact.

What is Windows 365

If you have been reading my blog for a while, you are familiar with what Windows 365 is, but in case you have missed it let’s do a short intro.

Windows 365 is a cloud-based service to provide what Microsoft calls a Cloud PC. This is in fact a virtual computer based on the Azure Virtual Desktop (AVD) platform, but instead of you having to maintain any infrastructure, you consume it as a SaaS solution. The performance of the Cloud PC is based on what license you have purchased. Compared to AVD, you pay a fixed price per month for the license instead of paying for your consumption.

Since this is a cloud service, you can access it from whatever device you prefer, or even just a browser.

Since we can run a controlled and managed Windows device in a remote context, we are open to allowing more secure ways of working from a broader range of devices since we are in full control of the remote session.

The sad truth about hardware

One of the largest environmental impact we have within IT is our devices. Many companies replaces their computers on a ~3 year basis. For a larger company this is a huge amount of new devices being bought every year, and as many devices being decommissioned. The market for reselling computers are growing by the day and we see more and more companies offering this service to their customers, and even consumers.

Computers which are three years old aren’t that old to be fair. They are not the latest and greatest, but can still do a really good job for most usecases.

Reducing the need to renew hardware

By utilizing Windows 365, we can actually extend the life time of a computer since we can run Windows 365 on anything with Windows 10 or never. Windows 11 is one of the major reason hardware will need to be replaced, since there is a Windows 11 only supports Intel 8th generations processors and newer (let’s be fair, Intel is the most commonly used today). 8th generation means mid-2017 as earliest which is about six and a half year ago when this post is being written.

This is something that has been stuck in my head that we will see A LOT of computers being obsolete on the 14th of October 2024. Then Microsoft released a very interesting statement about end of service for Windows 10 and Extended Security Updates (ESUs). You will get the ESU included in the Windows 365 if you are accessing your Cloud PC from a Windows 10 host. This will extend the life of these computers another 3 years.

This means that you could move over to Windows 11 but keep some older hardware around for accessing Cloud PCs. Since there is no Windows 365 Boot for Windows 10, you could build a kiosk based on this post to make sure your users ONLY access their Windows 365 Cloud PC, which would be running Windows 11.

By utilizing Windows 365 and Cloud PCs, we can actually keep our computers current for a much longer time. Instead of getting a new computer with the latest, faster, processor and more memory we can utilize the server grade equipment in the Azure datacenters which are a lot more powerful than our laptops are anyways. Since Windows 365 is license based, this means that when we need more computing power on our Cloud PC, we can upgrade the license and after a reboot we have a more powerful PC.

The hardware in the Azure data centers are lifecycled and replaced, but Microsoft are putting a lot of effort in to reusing old equipment, reducing the environmental impact. Sever hardware is also recycled to minimize the constraint on the environment.

Running workloads on shared resources, like in Azure, is much more energy efficient as well. However, lets not forget that data centers uses a lot of energy to be operate. But today Microsoft data centers are run on renewable energy improves this even further while Microsoft is also striving to be carbon negative by 2030.

Read more:

There has been a report put out on the environmental impact of Windows 365 compared to other VDI solutions and physical hardware. This is where I got parts of my data. Long but worth reading: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vtL

Fellow MVP Thomas Marcussen wrote about reducing your carbon footprint with Windows 365: Reduce Your Carbon Footprint with Windows 365 – Thomas MarcussenThomas Marcussen

Categories
Windows 365

I hate computers

I’ve come to realize one thing lately.

I hate computers.

This will be a different post. But bare with me on this one, okay. It will make sense in the end (I hope).

My epiphany about hating computers happened when my lab machine all of a sudden decided that “I don’t have a bluetooth adapter anymore” after about 2 years of actually having one. I did about everything but reinstalling Windows on the machine, but the bluetooth adapter was not recognized by my computer. I even opened up the NUC to see if I could see if there was any obvious physical damage (I’m not an expert), but nothing.

THE DAY I decided that “fudge this, I’ll just reinstall it” it started working again. No new driver updates, no new patches. It just started working. I still have no clue what happened to be honest.

That was the moment I started hating computers.

I just want to be productive

Living without a functioning Bluetooth adapter in the computer meant that I needed to find the USB-receiver for ALL my wireless accessories (headset, mouse, keyboard) in order to even work from this machine.

This ment that I needed to take time out of my day (mostly late afternoons) and firstly try to figure out the issue and secondly since I suck at troubleshooting hardware, find all the USB receivers for all my stuff since I had of course also lost my USB Bluetooth receiver 🤦‍♂️.

I’m one of those computer guys who don’t really like troubleshooting, I just want stuff to work.

Reinstalling Windows is a breeze now adays, and it would have taken me an hour or two to be back up and running. I work from a strict policy to save EVERYTHING in the cloud so that wiping my computer isn’t an issue anymore, I will just lose what ever app I didn’t add to Intune. But it’s still a hick-up in my flow.

Automate drivers

This “incident” has gotten me thinking a bit. One thing I tend to hear with customers is that there is a fear to patch/update drivers for example, since we are afraid that it will break something in the OS or an application. I’ve been doing Intune work for the last 10 years, and I’ve strongly advocated to “maybe it’s time to also update drivers” for the past 7 years since it’s usually more risky to run pre-release versions of drivers than the latest. OEMs tend to also update drivers only when they have to, and the 700 million consumer Windows machines out there with the latest drivers seems to be working fine (don’t quote me on the numbers). One thing I’ve seen way to often is that an old driver breaks Microsoft Teams. The camera stops working usually and as soon as you install the latest driver. Poof! The camera works!

When you start think about it, what if we stopped caring so much about drivers and just automated it with Windows Autopatch? New drivers are installed when released and needed.

Windows 365 to the rescue?

Let’s take it one step further. What if we use Windows 365 to consume our apps and desktop experience instead and we only need to make sure that the OS and out applications are up to date. The hardware we are accessing through could be any kind of device, not neccesarily a Windows based device. Windows 365 makes it possible to actually be device independent. The bare minimum I need is something with a browser.

This is actually something which excites me a bit too much. I started my career in the mobile device management field, managing iPhone in the “mobile first” era when we though we would be able to do EVERYTHING from our mobile. If we can access a virtual desktop from our mobile, all of a sudden we actually can even consume those legacy Win32 apps from a mobile device.

I’m really excited about the Motorola ThinkPhone with the Windows 365 integration even though I don’t own one and I really don’t like Android since I’ve had an iPhone the last 15 years. But the idea of only having one device is something that excites me. Or at least in some situations only need one device. Still not enough to by the darn thing, but I love the concept of it.

So what is the point of this post?

Well, maybe we should start to rethink the workplace and what devices we need. Do I really need a desktop, a laptop, a phone and a tablet? Maybe not the reality for everyone but I know a lot of people running on such a setup. What if I just needed one or two devices, but I could still do all the stuff I need.

Looking at my current setup, I’ve downsized to one phone from two and I prioritized battery life over performance when getting a new laptop. I even went with an ARM-based Surface with the knowledge that “I can always use Windows 365 if I need more power” which is really comforting to know. This opens up that I can go for more slim formfactors and prioritize different aspects.

Moving the workloads to a Cloud PC would also reduce the need of getting the “latest and greatest” machine to do things. Our Cloud PC will be kept up to date since Microsoft is lifecycling the infrastructue in Azure, which for me as a user would mean that I always have “the best” configuration.

There are of course a lot of if’s and but’s around this, like the need for constant internet connetivity. But let’s face it, how often do we work without internet connectivity? You can even get some what reliable connectivity on an airplane today.

Problem with this appraoch is that this is how I reason, I still have way to many laptops on my desk for different customer engagements and testing things, since this is not the reality yet. But maybe it’s the future?

If you ever meet me and also hate computers, let me know and I’ll give you “I hate computers” sticker!

Categories
Windows 365

The new Windows app

Microsoft announced a new app to consume your Windows 365 Cloud PC, Azure Virtual Desktops, published apps and other remote desktop sessions. This app is simply called “Windows app”.

But we already have apps for this one might say, and that is true. But we need different apps for AVD and Windows 365 today. If you use the Microsoft Remote Desktop app you will be able to see and connect to both your Windows 365 Cloud PC, your Azure Virtual Desktops, and your published apps, but you will miss some key features to WIndows 365.

To get all those nice features for our Windows 365 Cloud PCs, we today must use the Windows 365 app.

If we look at how things are in many businesses, a lot of times we have a mix of Cloud PCs, AVDs and published apps. Today that means that we need to separate apps to get the full experience, which from a user perspective can be confusing since I will see my Cloud PCs in the Microsoft Remote Desktop app, but I won’t see my AVDs or published apps in the Windows 365 app.

The announcement at Microsoft Ignite around the new app is to bridge that gap and get everything into one app, the Windows app.

Before going forward, PLEASE be aware that this is still in preview. Things might change and be added/removed.

What is the Windows app?

Introducing the Windows app. This is your new place to consume all your remote desktop session!

The new Windows app brings all the awesome new features in Windows 365 and combines them with the Microsoft Remote Desktop features like support for AVD and published apps.

I think one of the killer features is also that now we will have the same app, across multiple platforms. Today you need to use one or two different apps on Windows, and a less full feature one on all the other platforms. But the new Windows app changes that!

Borrowed from MS Learn

Getting started!

The first thing you need to do, if you haven’t done so already, is to download the Windows 365 app from the Microsoft Store (or have it provisioned to you from e.g. Intune).

Once you are signed in, you will notice a small button in the top menu saying “Preview”. Click on that! If you cannot see the preview button, make sure your app is up to date!

Once you have enabled this, the app will close and the new one will launch (might take a second or two), and you will be asked to sign in again. Once you have signed in, you will now be in the new app experience!

Using the app

This is the new landing screen, to which you can pin your Cloud PCs, AVDs and published apps. And if I want to pin something to my home screen, I head into “Devices” and select the three dots on the resource I want to pin, then select “Pin to” and select “Pin to home“.

As you can see, all the other remote actions available in the Windows 365 app are also there so I can in the same menu do a restart, restore, inspect connection etc. And if I want to pin it to the task view or taskbar, I can do so from here.

But there is also a Microsoft Remote Desktop feature in this app which I was missing in the Windows 365 app; the possibility to not start the session in full screen. You find this by going to Settings on the machine in question and setting “Use default settings” to off. If you then select “Single display” in the Display configuration section, you will be able to turn off “Start in full screen“. If you jump back and forth or have a large screen, this is a really good feature.

You can of course also select your theme, if you want light mode or dark mode, or if you want the app to use whatever you are using in the operating system. Just click the settings icon in the lower left part of the app and select which mode!

And the last thing… The app supports multiple accounts so you can jump back and forth between tenants. Crucial feature for a consultant!

Other platform

Like I said, the app is today available for Windows, macOS, iOS/iPadOS and Android is still not yet released but it’s coming.

I’ve tested it on my iPhone, and to be honest the experience was way better than I anticipated.

One feature I really like is that when just leaving the app and having the desktop open, the session will continue when I come back without the need to re-connect.

The iOS app is a lot like the Microsoft Remote Desktop app in look and feel, but with a few improvements. I still can’t restart my Cloud PC from the app, but I can restore it if needed. However, it’s not a farfetched guess that it will come in a later release.

All the apps are still in preview, and if you want the iOS/iPadOS or macOS app, you will have to head over to Microsoft Learn and fins the links.

Bonus

What I haven’t covered is that there is also a new web portal, which has the same look and feel as the new Windows app.

The new address to the new web-app is https://windows.cloud.microsoft/. You can read more about it in the Microsoft Learn guide as well.

Categories
Intune Windows 365

Let’s move our Cloud PC!

I actually ran into this working with a customer. We had setup the Cloud PCs using an Azure Vnet in connected to the wrong landing zone (test environment) and we had 100+ Cloud PCs up and running and there was no possibility due to internal processes to move that network to the production environment.

This could also be relevant if you want to move a provisioning policy from one Microsoft hosted network region to another.

In this post we will cover how this looks when using Microsoft hosted networks, but they could just as well be Azure Network Connections. The beauty is that we don’t need to re-provision them, we can just update the provisioning policy!

Update provisning profile

Since we are moving from one Microsoft hosted network to another, we won’t need to do any updates outside the provisioning policy. If we are moving to another Azure Network Connection, we need to first create a new connector for our new network. This could be in the same subscription but be another subnet for example. Once you have created this, you can move on to updating the provisning policy.

So, the first step is to head into our provisioning policy. In this example we are updating our policy which is currently set up to use US East as a the region, but we want to move this to Europe instead.

What we need to do here is to update the geography and region in our policy, and of course also the name since I have the region in my policy.

Once I’ve done my updates to the region, I simply click next to the bottom of the screen, and I end up on the summary page where I as always get an overview of my policy. When I’m done reviewing this, I click Update.

But we are not done yet. We also need to apply this update to our machines, unless we do that this only applies to newly provisioned Cloud PCs, and we want to move all of them to the EU.

When we are back on the overview blade for our policy, there is a action at the top called “Apply current configuration”.

When we click on this text, we get prompted whit this pop-up asking us if we want to apply the region change or the SSO change. Since we didn’t make any SSO changes in this policy, things would happen, but this is a fantastic way to enable SSO for all your Cloud PCs without having to redeploy them. But let’s select the “Apply region change” and hit Apply.

Once you have applied the change, your Cloud PCs will start updating.

During the update, the Cloud PC will not be available since work is being done in the back end.

Once the move has been completed, which took about 10-15 minutes for me, you can sign back into the Cloud PC and keep using it in the new region!