As many probably know, Microsoft released a bigger update to Windows 11 with the March Patch-Tuesday release. This patch was more than just patches, this included also some new features like the Windows 365 app which reached GA earlier this year, video recording in the Snipping tool and some pretty cool AI features from Bing.
But one of the better new features is, according to me, the new energy recommendations to help you decrease your carbon footprint. This new feature is just a set of recommended settings to set for your computer to be more energy efficiant.
The end-user could implement these settings themselves, but let’s face it, no one outside the IT department would look for that in the settings.
Since Windows does not enforce the policies to be changed, someone needs to make an active decision here.
This is what my device looked like when just jumping into the settings. What options you see might vary depending on what device you are using, and you can even get recommendations on a Cloud PC. In this example, I’m using a desktop PC. As you can see I have two settings which are not in line with Microsoft recommendations, and one which is managed by Intune. If I had a laptop, there would have been more options for me such as screen brightness and battery optimization.
Here I can select if I want to apply all or just a subset of actions. If I click on apply all, all settings will be updated to the recommended value.
I can also now see, if I step back in the settings menu, that I have enabled all available settings.
Even if this is a small update, I think it’s a good and important one to adopt. You can of course look into having these defined within your environment, which will mean that users cannot change these settings themself if they would like for some reason.
This is a balance between enforcement and spreading awareness amongst users. There might be reasons for users needing increased brightness on their screen as an example. But looking at this from a sustainability perspective, this is a great place to start working with your computers around this even more.
Windows 365 and Cloud PCs are as you know PCs running in Azure somewhere. But what if you want to control this “somewhere” and pinpoint the region they are running in? You might have noticed that spinning up a Cloud PC in e.g., Western Europe gives you Google and all web-based things in Dutch. This isn’t too convenient for the end-users who doesn’t speak Dutch. So, let’s try to address that and give a more “local” experience.
I’m thinking of putting users in a Windows 365 region as close as possible to them, hopefully even within the same country. And to top it off, let’s provide them with a Windows experience in their local language, just for the sake of it.
How can we achieve this?
Well, we need two things, we need a provisioning profile per country and an Azure AD group which has been populated with users for each country. The region selected in the network for Windows 365 decides in which region the Cloud PC is hosted.
Setting up Azure AD groups
There are as many ways to do this as there are IT pros, but I decided to make this easy and just look at three things for my groups, attributes that I know all my users have.
What I decided to look at is that:
The account is enabled
Usage location for the user is set to Sweden
And the country for the user is set to Sweden
That got me the following query for my dynamic group.
(user.accountEnabled -eq True) and (user.usageLocation -eq "SE") and (user. Country -eq "Sweden")
To create a new group, head to Groups in the Intune portal and create a new group by pressing “New group“.
Give your group a name, in my case I’ve called it “All users Sweden” since we will gather all Swedish users in this group. Also make sure to set “Membership type” to Dynamic User so that we can create a query to automatically populate the group based on user attributes.
Add your query to your group by pressing “Add dynamic query” and enter your rule. You can take my example and modify it if you like, copy the rule syntax above and press “Edit” on the rule syntax windows and paste it there. This will populate the fields for you, and you can modify them to suit your needs. Or create your own! Keep in mind that the usage location uses the two-letter country code e.g., Sweden is SE, Norway is NO, Netherlands is NL, USA is US.
Press Save when you have created, and validated, your rule and press Create.
We have now successfully created a dynamic group which will be populated with all active accounts which has their country and usage location set to Sweden.
Creating provisioning policies
Now that we have our groups, we want to put them to effective use. Let’s head into the Windows 365 pane in Microsoft Intune by navigating to Devices > Windows 365 and selecting the “Provisioning policies” tab. To create a new policy, click the “+ Create policy” button on the ribbon.
First off, as always, we will give our policy a name, in my case I’m giving it a name indicating that this is a Windows 11 image, Azure AD joined and running on Microsoft hosted network. And this is for my Swedish users.
The next step is to select what kind of join type you will use and which network. In this example, I will use Azure AD join and using the Microsoft hosted network. The dreadful thing about using Sweden as an example here is that we don’t have Windows 365 in Sweden Central, so we will use the next best thing. Norway East!
You can do this for Azure v-nets, but then you need to set the region stuff when setting up the Azure v-net. There is a limit to the amount of how many Azure Network Connections (ANC) you can define per tenant, you can find out more here. If you know that you have multiple locations and want to put the service as close as possible to the end-user, it’s much easier to use the Microsoft hosted network.
The next step is to select an image, I will go with a gallery Windows 11 image since this will reduce the amount of maintenance I need to do since Microsoft is curating the image. Press next when you have selected your image.
Next, we will configure language and region settings. Like I said, the ambition here is to provide the Windows 365 experience in the user’s local language. So, for this I will select Swedish for this policy.
In this section, you can also choose to opt-in to Windows Autopatch straight away if you have this enabled in your tenant. If you do not wish to do so, just leave it to the default value. But since I have it activated in my tenant, I will add this as well and then press next.
The next step is to assign this policy to our group created in the first part. If you wish, you can add multiple groups to the same provisioning profile. But I only have one which will be used for this one, so I will select my group with all Swedish users and press next.
Final step is to review the settings we have selected and then press “Create“.
Now when a Windows 365 license is assigned to a user, their Cloud PC will be provisioned in the region based on which provisioning policy they are assigned to using our dynamic Azure AD group.
The groups don’t need to be dynamic and you could just as easily accomplish this using assigned groups. Also, you could utilize this setup to also include e.g., your developers who need access to a specific Azure v-net for example. In this case you would have provisioning profiles connected to those networks instead of the Microsoft hosted network, giving those users access to that network.