olastrom.com

Tag: windows 365

  • Ignite 2025 – Recap

    Ignite 2025 – Recap

    It’s that time of the year that everyone working in the Microsoft sphere is looking forward to. Microsoft Ignite! (Almost like Christman!).

    This year, I decided to follow the event from home since I for several different reasons was not able to make the trip over to San Francisco this year. It’s not the same thing, but you still get all the information you want, but you miss out on the networking with the community. But on the upside, you can watch Ignite in your sweatpants without anyone noticing!

    If last year’s theme was “AI, AI, AI and AI”, this year’s theme was “Agents, Agents, Agents and Agents”. Sprinkle that with a little bit of Windows 365 and you got the highlights for the digital workplace area.

    But I thought I would share some of the highlights from Ignite that covers Windows, Windows 365 and Intune!

    You can find all the news in the Book of News!

    The recap!

    Previous years I’ve listed all news with links to all the new things. This year I’ll give you the links to the good official blogs.

    So if you want to read about all the cool Windows stuff, you can find it here: Your guide to Windows at Microsoft Ignite 2025 – Windows IT Pro Blog and here: Evolving Windows: new Copilot and AI experiences at Ignite 2025 | Microsoft Community Hub

    The Intune stuff can be found here Your Guide to Intune at Microsoft Ignite 2025 – Microsoft Intune Blog and here What’s new in Microsoft Intune at Ignite – Microsoft Intune Blog

    If you are looking for the Edge for Business news, you can find them here: Edge for Business presents: the world’s first secure enterprise AI browser – Microsoft Edge Blog

    But what caught my attention the most?

    If I pick my two favourite news at Ignite, which I think will have big impact on how we use Windows and Intune.

    Agents in Intune

    The most exciting news, in my opinion, is the agents in Intune. This is truly a game changer for how we will work with Microsoft Intune in the future. Given that Security Copilot is now included in the Microsoft 365 E5 license (400 SCU per 1000 licenses), the old blocker in cost is being removed.

    Working as a consultant seeing a lot of different customer needs and hearing peers talking about “how should we configure things?” and “what impact will this change have?”, I think the new agents will help A LOT. I’m most excited about the Policy Configuration Agent, which on paper will help you configure your tenant using natural language. From my end I imagine uploading my high-level design and the agent configuring based on what I want to accomplish, returning business real business value. I’ve not yet played around with this, but I think introducing agents into Intune makes perfect sense since you usually want to accomplish an outcome, and there are not that many ways to do it (but there are a lot of settings to click through).

    Agents in Windows

    Staying on the topic of agents, there was a lot of news around agents in Windows as well. From Windows 365 for Agents, where you assign a Cloud PC to an agent that will go and work under your supervision to easier access to agents in Windows through what today is the search box on the task bar. I’m personally an avid user of Copilot in my daily work, to help with anything from researching topics and analyzing data to just help me get started with documents and presentations.

    We are also getting a “wake word” for Copilot on Windows. This gave me major flashbacks to the “Hey Cortana” time. Given that Copilot can actually assist you, I think it will be more of a success! However, I’m still really uncomfortable talking to my computer if there are people around, even though I’ve gotten more into dictating messages on my phone instead of typing.

    Key take aways!

    This Ignite was building on top of the narrative we saw from last year. AI is not just a buzzword; it’s a crucial part of the Microsoft ecosystem regardless which product you are working with.

    What I liked was that it’s not just “Copilot” and “AI” we are talking about now, we are seeing more hands-on adoptions with agents creating solutions for us to use. Not just “here go create something”, we actually get value straight away. I think this makes this even more interesting, and useful for a larger crowd!

    The introduction of agents in Intune actually got me excited about Intune again, and I think this is just the start of a pretty exciting journey for all Intune admins out there.

    What was your favorite news from Ignite 2025?

  • Running Microsoft Teams in Windows 365 Cloud Apps

    Running Microsoft Teams in Windows 365 Cloud Apps

    If you have played around with Windows 365 Cloud Apps, which currently is in public preview, you might have noticed that unless you create a custom image you can only publish a subset off applications. However, MSIX applications like MS Teams is currently not supported.

    One feature that you MIGHT have missed with Cloud Apps is that published apps are allowed to launch other apps.

    This means that we can actually start applications we didn’t publish. Which can be a lot of fun to play around with, or if you publish Outlook and need to open an attachment.

    If you want to read more about the Windows 365 Cloud Apps, you can check out the Microsoft Learn page here.

    What I also noticed thanks to a fellow Windows 365 friend, was that if we download let’s say Teams. We can install and run it from the Windows 365 Frontline Shared Cloud PC which is in the back of Cloud Apps.

    What you need to keep in mind however is that once your session ends and your user profile is thrown out; your applications will be gone. Windows 365 Frontline Shared is still running in the background for this, which means that we have the Windows 365 version of a non-persistent Cloud PC.

    Before we get started, I just want to point out that this is more poking around with Windows 365 Cloud Apps rather than being a useful scenario. But it also means you can try stuff out on a conceptual level to figure out if Cloud Apps would work in your organization in the future. I also want to point out that none of these things are supported use of the Windows 365 Cloud Apps, just to be clear on that!

    What apps can I install and run?

    What I’ve found while playing around with this, is that there are some apps which will work and some which will not work. The ones that tend to work is applications which does not require administrator privilege to install (like Teams, Spotify, VScode, Chrome or most apps in the Microsoft Store). These are installed in the user directory where I’m allowed to make changes without being an admin.

    When I tried installing Audacity, which requires admin approval, I was meet with this window asking for admin credentials. For me, it just looped when entering credentials with admin privileges. I also tried to launch an elevated PowerShell session, but it wont let me.

    But I can without a problem install and run Teams and VSCode.

    The downside of this is once I close the application, there is no good way to get back to it. With Teams you can just click the install file or “Open in Teams” if you are using Teams on the web. But for other applications its a bit tricker such as VSCode in this example where I need to run the installation again.

    What more can we do? Well we can start the Microsoft Store by browsing to the web version and click “Open Store app” unless you block it with any policy in your environment.

    From here we can just find let’s say Windows Terminal and launch it.

    And now we have the Terminal running in our Cloud Apps making it possible for us to access even more apps from e.g. Winget or launch about anything we want.

    But let’s move back to Teams.

    Installing and running Microsoft Teams

    Being able to run other apps which are not published is quite a good thing since this means that we can open links and other things. What did surprise me was that I out of the box can install applications which does not require administrator privileges.

    Like I said, Microsoft Teams is one of those apps and maybe an app which is interesting for many to use. So far, I haven’t found a good way to do it but I think it’s a good start that you can do it. And it shows that “yeah we can use Teams this way”.

    How I setup this to work is that I defined the start page Microsoft Edge to be the download page of Microsoft Teams through an Intune policy. When I launch my Edge Cloud app, the Teams installation file is automatically downloaded and once I click “Open file”, Teams will install and launch.

    You could also do this from the Teams web app, and select to download the desktop app. What I’ve noticed is that sometimes you might need to open it several time before it actually launches. But once it has launched, you can use a fully Cloud PC optimized Teams!

    Bonus finding

    While playing around with this, I also noticed that I could open the file explorer through the download tab in Edge by pressing the small folder next to the file name.

    If you navigate to “%ProgramData%\Microsoft\Windows\Start Menu\Programs” you will find all the apps listed in the Windows 365 Cloud Apps page, which is the default start menu for all users on this Cloud PC.

    Key take aways

    Being able to launch applications which are not published could be really useful, and making it possible for me to install something and just run that application while my session is active.

    What is even more useful is that this is applicable for wherever you can use the Windows app. So, I can run the Edge Cloud App from my iPhone and launch Microsoft Teams. Don’t ask me why I would, but I can.

    Given that this is a preview feature, and Microsoft has stated that a lot of things are in the making (like discovering MSIX applications like MS Teams), I would say that this is more fun to play around with than actually useful in a production scenario or real-life scenario. If running Teams as a Cloud App is an important feature for you, I would suggest you wait for the final product rather than doing this hack/workaround since this is not supported.

    If you just want to mess around and try out what you could do, feel free to explore this further and if you figure out any cool scenarios, share them!

    Given that this is in preview, I would assume that it’s not in it’s final shape and form. While writing this, Microsoft Ignite is around the corner and we can always hope for some cool updates related to this!

  • Making changes to existing Cloud PCs

    Making changes to existing Cloud PCs

    Since Windows 365 and Cloud PCs is a service which is constantly being updated with new feature and available regions, making updates to an existing provisioning policy and all your existing Cloud PCs.

    A while back, Microsoft introduced the possibility to apply the updates provisioning policy to all existing Cloud PC, but this will not cover all modifications, some need a re-provisioning. But if we look at things we can update without re-provisioning the Cloud PC, we have three things:

    • Changes to Entra single sign-on for all devices
    • Changes to region or Azure network connection for all devices
    • Changes to region or Azure network connection for a single device

    For enabling single sign-on (SSO), the Cloud PC will not need to be restarted unless it was provisioned prior to April 2023. For changes to the region or Azure Network, the Cloud PC will be shut down during the move and unavailable to the end-user, meaning that this needs to be planned and users will lose any unsaved data when they are disconnected due to the move.

    But let’s look at each one of these and see how they work.

    Changes to Entra single sign-on

    Back in 2023, Microsoft finally made the move to put the single sign-on as generally available after having been in preview for quite some time. This is, when I’m writing this, about 2 years ago meaning that a lot of organizations might have already enabled this. But if you haven’t this is how its done.

    In Microsoft Intune, navigate to Devices and Windows 365 and select the Provisioning policy tab to view all your policies. Find the policy you want to update and select it. Click on “Edit” next to General to edit the part where SSO is located.

    At the bottom of the page, find “Use Microsoft Entra single sign-on” and check the check-box next to it. Then press Next then Update at the bottom of the screen to update the policy.

    You have now successfully updated the policy for all NEW Cloud PCs being created with this policy. But what about the existing ones?

    Well, back at the policy overview page, you have an option to select “Apply this configuration”, which makes it possible to update existing Cloud PCs with some of your updated configuration.

    When you click the “Apply this configuration” button, you will get three options where you select “Microsoft Entra single sign-on for all devices“, since we want to update the SSO settings.

    When you click this option, you will get a notification that the update has started.

    If your Cloud PCs where provisioned before April 2023, the Cloud PC will shut down during the update. Please notice that this does not happen instantly, it can take a while to apply for all machines in a larger environment.

    Changes to Region or Azure network connection

    The other change you can do is to move the Cloud PC to a new region. This could be due to that the user has moved location or due to new regions opening up and you want to move the Cloud PC closer to the end-user. Or you want to move it to a different Azure network.

    Please be aware that you CANNOT move from Entra join to Hybrid join using using this method. This will require a re-provisioning. You can however move a Cloud PC from an Azure Network Connection (ANC) to a Microsoft hosted network and vice versa given that they are Entra ID joined. For Hybrid joined you can move them between different ANCs

    Supported move scenarios

    Given that our move scenario is supported, we can go a head and update our provisioning policy by navigating to Devices and Windows 365 and select the Provisioning policy. Then open the provisioning policy you want to update and select Edit on the General section.

    Scroll to down to the bottom and find the Join type details section.

    In this example I want to update the policy to use a Azure Network Connection instead of a Microsoft hosted network. But you can just as well update to another region if you are using Microsoft hosted networks, or update to another ANC.

    When I’m done I click Next then Update on the bottom of the screen.

    We once again select the “Apply this configuration” option, but we select the Region or Azure network connection option.

    As you can see, we have the option to either update ALL Cloud PCs related to this policy or we can update selected devices. If you select the bottom one (to update selected devices), you will get the option to select which devices when you press Apply.

    PLEASE BE AWARE that this action will disconnect and shutdown the Cloud PCs fot the end-users, so it’s a good idea to do this change in a controlled manner and make user aware of that the change will happen before you click apply. It’s a good idea to do this during a weekend or other time frame when users are not expected to use these machines.

    Intune will give you a notification that the process has started, and this process will take a several hours to complete.

    Take away

    Using these features, you can update your Cloud PC configuration to some extent if you e.g. didn’t enable SSO when you initially configured your device.

    It’s also great to optimize the use of regions and move users between networks for different reason.

    But as I mentioned, we cannot move from Hybrid join to Entra join using these features. For that scenario a full reprovisioning is needed for the Cloud PC since the join type cannot be changed in a easy way.

  • Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Some of you might have noticed that when updating a Windows 365 Cloud PC to Windows 11 24H2, the shutdown button appears out of nowhere in the start menu, which can cause some weird behavior for the end-users.

    Shutting down the Cloud PC isn’t really anything you should be bothered with. Restarting, yes, but if you do a shutdown, it will boot back up again within a few minutes.

    With the Windows 11 24H2 update to Windows 365, if you upgrade from an earlier Windows 11 version, this registry value will be reset.

    While I still encourage you to provide feedback to Microsoft, the fix for this problem is fairly simple!

    There are two ways we could go about addressing this. We could either create a configuration using the Settings Catalog or use proactive remediation. We will get the same result in the end, so it depends on how you like to do it. I will show you both ways in this blog post, and how you can configure it.

    Settings catalog

    In Microsoft Intune, head into Devices > Windows > Configuration and create a new configuration profile by clicking “+ Create“. Select Settings catalog as the profile type and click create.

    Give the profile a good name which makes sense in your environment.

    Search for “Start” and find “Hide Shutdown” in the list, then check the checkbox next to it. Close the fly-out.

    Make sure to enable the setting before moving to the next step.

    In my case, I will skip scope tags and move straight to Assignments, where I select “All devices” and filter out Windows 365 with a filter.

    Last step is to review and create the policy. And then you just need to wait for the policy to apply.

    Proactive remediation

    The scripts

    The easiest way to deploy a scripted solution for this is to use remediation, since then we can also get feedback on how many devices had this issue. We can have it continuously checking or just run once.

    But in order to set up a remediation, we need a detection and a remediation script (you could run everything in the detection script, but you won’t get any feedback if you want to run it more than once).

    You can find the scripts either on my GitHub repository or just copy them from here.

    Detection script

    # Created by Ola Ström, olastrom.com
# Date: 2025-01-21
# Version: 1.0

# PowerShell script to update the registry value

# Define the registry path and value
$registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
$valueName = "value"

# Check the current value
$currentValue = (Get-ItemProperty -Path $registryPath -Name $valueName).$valueName

# Check the value and set the appropriate exit code
if ($currentValue -eq 1) {
    Write-Output "Registry value is set to 1."
    exit 0
} else {
    Write-Output "Registry value is not set to 1."
    exit 1
}

    Remediation script

    # Created by Ola Ström, olastrom.com
# Date: 2025-01-21
# Version: 1.0

# PowerShell script to update the registry value
$registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
$registryName = "value"
$registryValue = 1

# Set the registry value
Set-ItemProperty -Path $registryPath -Name $registryName -Value $registryValue

Write-Output "Registry value updated successfully."

    Intune part

    In Microsoft Intune, navigate to Devices > Scirpts and remediations.

    Select “+ Create” in the ribbon and give your remedation a good name, then press next.

    Now we will add the detection and remediation scripts, which you need to save as PowerShell scripts on your device to upload to Microsoft Intune. Change the “Run script in 64-bit PowerShell” to yes, but leave all the other options at their default values and press next.

    On the Assignment tab, select your target group. I’m using “All devices” with a filter for Windows 365.

    On this step, you also set the schedule by pressing on the text “Daily”, which is the default value. You can then choose if you want it to run once, hourly, or daily.

    When you have selected your schedule, press next to review your settings before pressing create.

    And now we wait until the remedation runs…

    Monitoring the remediation

    You can follow up the progress of your remediation by checking the device status on the remediation you just created.

    In this view, you can follow up on individual devices and see how many devices were affected.

    If the script detects that the value is set to anything other than “1”, it will run the script to fix it, and you can see here if the issue was fixed or not. This is not dependent on whether the script runs on a schedule or just once; you will still get feedback if any issues were found.

    What happens on the Cloud PC?

    Both ways will give the same end result for the end-user: the shutdown button will disappear, removing the option to shut down the Cloud PC (which is good).

    Take aways

    I’m not saying that one way or the other is the correct way; it’s just different ways to address the problem. Both of them have advantages, where the settings catalog will set the value and always keep it that way, and the remediation will check if the value is incorrect and change it if needed.

    You can also reuse this script for other registry entries you would like to change, so feel free to reuse it!

  • Windows 365 Link – What’s the fuzz all about?

    Windows 365 Link – What’s the fuzz all about?

    One of the things that it felt like a lot of people during Microsoft Ignite were really excited about, at least people working in the device management space, was the announcement of Windows 365 Link. A small black box with the Microsoft logo on it.

    Front and side view of Windows 365 Link device (cube shape)

    What I do think, after seeing a lot of posts on social media about it, is that some people didn’t exactly get what it is (but they were still excited). There were talk about “What’s the performance on this thing?”, “Can I use it as a media center?” and “Those are only legacy ports”.

    Well this isn’t your regular computer. This is what the IT business has defined as a thin client for several years, but done in a more Microsoft way! And that is actually the reason I’m excited. It’s a Microsoft device, running Windows, which we can use for ONLY connecting to the Windows 365.

    Let’s dig into what this device is, and what it isn’t!

    What it is and what it isn’t

    So let’s start of by talking about what this device is.

    This is a small, fanless, computer made out of 90-100% recycled material (90% recycled aluminum, 100% recycled copper and  96% recycled tin solder). It also runs Windows, but not your regular Windows 11. This runs a special version called Windows CPC which has been developed specifically for this device. The Windows CPC operating system is stripped of all things that are not needed to keep the device secure and being able to use Windows 365. So if you where hopeing that you would get the Microsoft version of a Mac Mini, I’m afraid you will be disapointed. If you had you hopes up that this would be your new NUC or media PC, you will have to rethink why you should get this device.

    It’s also has a lot of what some people would concider “legacy” ports. But imagine the usecase for this. Maybe a call center, hot desking scenario or maybe even a sales station. If we take an honest look at what our perifirals are using today out in the business, we will see a lot of USB type A cabels for our mouse, keyboards and headsets. So keeping in mind where this device belongs, it makes sense at least to me since we will see USB type A for a forseeable future in those scenarios.

    I think what is important to point out as well is that this device is secure by default. All applicable secuirut features (TPM, Bitlocker, SecureBoot, Hypervisor Code Integrity, Defender for Endpint) are enabled and CANNOT be turned off. This to make sure that this device is as secure as can be at all points. We can also use FIDO keys to easily sign into our Windows 365 session!

    But I want to manage this thing!

    Like I said, this is a purpose built device for Windows 365 and what makes it special is that its running a specialized version of Windows. This also means that we can manage it from Microsoft Intune. No need to have yet another tool to manage your thin clients. For me, not beeing a hardcore EUC person, this is a kille feature.

    In my experiance, a lot of device management teams always strive to minimize and optimize the amount of tools used to manage the workplace. If we can have everything in Microsoft Intune, that is a strong selling point in my book. I understand that others might not feel this way, but let’s face it, there are a lot of other great products that you can use in that case! Same thing goes for if you are looking to use this for Azure Virtual Desktop or DevBox. This is Windows 365 only.

    Given that it’s Windows based and we can manage it from Microsoft Intune, guess how we onboard this device? Ofcourse we will use Windows Autopilot. In the demos shown at Ignite, this process was very fast since not that much needs to happen. It will be very interesting seeing this one in live action when released!

    When can I get my hands on this device?

    Microsoft announced at Microsoft Ignite 2024 that this device will be launhed in public preview in January 2025, and to get in the preview you will need to talk to your Microsoft sales contacts. The launch of this device in general availability will be around April in 2025 and will cost $349.

    Screenshot of Windows 365 Link device (cube shape) between and connected to two monitors

    The announced countires which will initially be supported in the preview are United States, Canada, United Kingdom, Germany, Japan, Australia, and New Zealand.

    So getting your hands on this device might not be that easy, but worth a try if you have some awesome usecases you want to use this in. It has great potential, but for some really specific usecases. I’m not seeing this as the device for all information workers, but it could be a great fit for frontline workers who comes and goes, especially between different places.

    If you want to read more about the Windows 365 Link, check out the Microsoft blog post which was released during Microsoft Ignite.

    My thoughts on the Windows 365 Link

    So what are my thoughts on this device?

    In my world this will simplify the adoption of virtual clients even more for a lot of organizations. Organizations already running VDIs and have a big infrastructure in place around thin clients might just say that “we have been doing this for X amount of years, this isn’t new”. Then this device might not be for you initially to be honest.

    But if you are looking into moving into a virtualization space, or want to get rid of those dreadfull shared computers your frontline workers are using. This is a very easy way forward if you combine it with Windows 365 Frontline!

    Microsoft is also pushing a lot for sustainability with the Windows 365 Link, and it’s great that this has been a big part of the product development (I love it). But let’s face it, the best option from a sustainability perspective is to re-use old hardware that you already have, and there are great options to do this using e.g. IGEL OS or simply build a Windows based kiosk device.

    But if you want to keep everything in Microsoft Intune and don’t really have any old hardware you can repurpose, this is a great option. I’m really curious to see how this device performs out in the wild, and how the look and feel is.

    Oh and did you notice that I didn’t mention any hardware specs? Well since we will run everything in the cloud, that doesnt really matter to be honest as long as it’s powerfull enought. My guess is that the public preview being launched will show if that is the case or not!

  • Let’s improve onboarding for Windows 365!

    Let’s improve onboarding for Windows 365!

    Through out the years, I’ve worked with a lot off different customers, and almost all of them use some kind of ITSM tool (such as Jira ServiceNow) to order new services and hardware for users. This is usually where Windows 365 is added as a service where I as an end user, or manager, can request it.

    But what if you don’t have an ITSM tool, but I still want to offer the self-service option?

    Well, in Entra ID there is something called “Access packages” which we can use for this puropse. If you want to read more about what that is, check out the Microsoft documentation here.

    With Access packages, we can create a self-service portal, where end-users can request memebership to a group. This group can then have a license tied to it, what is also known as Group Based Licensing. The user will then request membership to the group, you can add approvals and set a time frame that this membership should be valid. You can also add access reviews to check in with the user to see if they are still using the service.

    So let’s jump into how an easy setup of this would look like, and then have a look at the user experiance. However, this setup is assuming you have already setup group based licensing for Windows 365.

    This setup also assumes that you are targeting provisining policies to all users already (I’m using dynamic, country based groups as descibed in this post).

    Setting upp Access packages

    To set up access packages, we head into the Entra portal (https://entra.microsoft.com) and navigate to Identity > Identity Governance > Entitlement Management and then look for “Access packages” in the menu.

    We will just create a very basic setup for this, so lets go ahead and click on “+ New Access Package“. First step is to give your policy a name and descripton. Remeber, the description is a required field. We will leave the catalog to “General” which is the default value. When done, hit next on the bottom of the windows.

    Since we want to configure a memebership to a group, select the option “+ Groups and Teams” and find

    Since we are just going with default values, you might need to check the “See all Groups and Teams…” check-box in order to find your group. When you have found the group, click select. If you are not already targeting users with a provisioning group, you need to add that here as well.

    When you have added your group, remeber to change the Role to member before hitting next.

    In the next step, we will define our Request flow. In this example I will make this apply for all users in my tenant, and I will allow all users to place a request.

    The next part is to define the approval process. You can also remove approvals completely, but since Windows 365 comes with a cost we want a manager to approve this request. You can also add additional approvers if required. Default value is that manager will be the approved, and we will leave it to default. What you need to add is a “fallback” approver, and as you can see here I added my Help Desk team for this. Choose an approriate user/group for this task.

    Last step on this section, is to select how we will enable this request flow. I’ve also enabled the preview features for this example, but you dont need to do that. Just make sure to enable the top one since this is what makes this request available. We will skip the Verified ID part and press the Next button.

    On this step, we could add additional questions or justifications for the requestor, but we will leave this to default and press next. We will still get a question for business justification in the request.

    Next step is to set the lifecycle for this, which we in this case will set to 180 days since that is roughly 6 months. And just for the purpose of usign access reviews, we will enable that as well but leave all values to default. When you are done, press next until you reach “Review + Create“.

    On the last step, you can review all your settings before pressing Create. It will validate your configuration, and if you missed something or something is wrong it will ask you to correct this before moving forward.

    We have now successfully create a Access package for our Cloud PCs!

    Let’s have a look at what this looks like when a user requests this.

    The request flow

    The place where you need to direct your users for placing requests is https://myaccess.microsoft.com/ where they will see all available request packages for them. As you can see, I have three different access packages for Cloud PC I can request. To start a request, I simply click on “Request” on the service I want to request.

    This windows will then appear, and you just click continue.

    Next step is to add a business justification for my request, here I can also set it to a specific period if I like since we enabled that option when setting things up.

    I then submit the request and it is sent of to the approver, which in this case is the manager.

    Approver experiance

    When the request has been sent, the approved will recieve an email looking like this, where they are asked to approve the request. This email also contains the business justification added by the requestor.

    When the approver clicks the blue button in the email, they are redirected to the approval site on My Access.

    When the approved selects to approve the request, they will be asked to enter a justification before approval is sent.

    When the approver has approved the request, a confirmation email will be sent to the user. However, what is imporant to keep in mind is that this will initiate the provisioning of the Cloud PC.

    The process of provisioning will now start and the Cloud PC will be done within usually 30-40 minutes depending on how fast your provisining policy is!

    Key take aways

    Estalishing a good on- and off-boarding process is important in all IT organsations. This walk though shows you that you can establish this without setting up more advanced tools. However, this is not close to as powerful as proper ITSM tools, but you can build simpler request flows to suite your needs.

    This principle can also be applied to other things, not just Windows 365 and Cloud PCs.

  • Slimcore: Revolutionizing Teams for VDI Environments

    Slimcore: Revolutionizing Teams for VDI Environments

    Last week, Microsoft dropped a bombshell with the release of Slimcore for Teams, specifically designed for VDI environments. Let’s unpack what this means for us and how it can supercharge our virtual desktops.

    What is Slimcore?

    Slimcore is the new media engine for Teams, tailored for VDI setups like Azure Virtual Desktop and Windows 365. It’s packed with improvements that make Teams more efficient and user-friendly in virtual environments. No longer is the Teams client for VDI a long lost cousin of Teams, now we will see feature parity!

    Key Features and Benefits

    So what are the key features and benefits with moving to Slimcore from WebRTC?

    • Enhanced Performance: Slimcore cuts down on resource consumption, leading to faster call setup times and smoother performance. This is a game-changer for those of us juggling multiple virtual desktops.
    • High-Fidelity Media: Enjoy top-notch audio and 1080p video at up to 30fps. This ensures our meetings and presentations are crystal clear, even in a virtual setup.
    • Advanced Meeting Capabilities: Features like gallery view, custom backgrounds, and presenter mode are now available, making our virtual meetings more interactive and engaging.
    • Auto-Updates: The decoupled architecture allows for quicker feature rollouts without needing to overhaul the entire VDI infrastructure. Staying current with the latest features has never been easier.

    Installing Slimcore on Windows 365 Clients

    Prerequisites: Make sure you have the latest version of Microsoft Teams (version 24193.1805.3040.8975 or higher) and the Remote Desktop client (version 1.2.5405.0 or higher) or the new Windows app (version 1.3.252 or higher).

    Install the Plugin: The plugin (MsTeamsPluginAvd.dll) is bundled with both the Remote Desktop client and the new Windows app. It will automatically download and manage Slimcore. No admin rights or reboots are required.

    Verify Installation: After installation, the plugin will silently provision and register Slimcore for the user. You can verify this by check in the Teams client on the Cloud PC that the Slimcore client is being used by going to Settings – About Teams. Look for the text “AVD Slimcore Media Optimized”.

    User Experience Improvements

    One of the standout aspects of Slimcore is how it aligns the Teams experience between physical and virtual desktops. This consistency is crucial for user satisfaction and productivity. This gives the user a familiar experiance with the features they expect to find in Teams!

    Conclusion

    Slimcore is a significant step forward for Teams in VDI environments. It brings enhanced performance, high-fidelity media, and advanced meeting capabilities, all while simplifying updates and maintenance. If you haven’t tried it yet, now is the perfect time to explore what Slimcore can do for your virtual desktop setup.

  • Improving Decision Making with Intune Advanced Analytics Data

    Improving Decision Making with Intune Advanced Analytics Data

    One thing that many IT administrators tackles every day is the discussion about “my computer feels slow” or “I need a faster computer”. Sometime the feeling of having a slow computer is legit, and sometimes it’s something else.

    There are numerous DEX (Digital Employee Experience) tools out there on the market. This can provide you with a great overview of your whole ecosystem, ranging from Teams call quality to desktop experience. However, even if those tools are great, they come with a new set of data to analyze in a new tool. And in bigger organizations, the complicated puzzle of “who owns this and who makes remediations?” arises.

    Since I write a lot about Microsoft stuff, we will dive into the Intune Advanced Analytics part of the Intune Suite.

    Intune Advanced Analytics is a native part of Intune, which gives you more extensive reporting on your Windows devices. I know Windows isn’t 100% of the fleet in modern organizations but we need to start somewhere.

    Setting up Intune Advanced Analytics

    To start using Intune Advanced Analytics, you will need these three things.

    • Intune environment
    • Intune Suite licenses or Intune Advanced Analytics stand-alone license (remember, this is user based)
    • Configuring Endpoint analytics in Intune

    I won’t go through how to obtain license, since this will vary from case to case depending on your setup.

    Configuring Endpoint Analytics

    The first thing you need to do is to configure Endpoint Analytics to receive data from your devices. Since I’m all in the cloud, we will look at how you do this for Intune managed devices. To do this, you need to have the Intune Service Administrator role, also known as Intune Administrator.

    Head over to the Endpoint Analytics blade in Intune (you can find it under Reports or at https://aka.ms/endpointanalytics). When in there, select the Settings blade.

    You can see that my tenant already uses the Intune data collection policy. This default policy exists in all tenants, but you need to make sure it’s assigned to your devices.

    Manually create the policy

    If you can’t find the policy in your environment, it’s no big deal. You just need create a new policy based on the template for Windows Health monitoring.

    If you are configuring this for the first time, make sure to switch Health monitoring to Enable and set the Scope to Endpoint analytics.

    Deploy this policy to your devices using either the built in “All devices” group or use a device group.

    When you set this up for the first time, it can take up to 24 hours for the data to populate. If you are looking to use Advanced Analytics, expect up to 48 hours.

    Allow access to URLs

    The last step to do is to make sure that your devices are allowed to reach the URL needed for Endpoint Analytics. This is important if you have a restrictive firewall or if you use a webfilter/proxy to run all your traffic through.

    For Intune, the needed URL is:

    https://*.events.data.microsoft.com

    If you want to read more about how to set this up for Configuration Manager managed devices, check out the Microsoft Learn page.

    Getting access to the data

    Now when 24 hours have passed, we should start seeing data being populated. If you have additional people who should not be admins who need to review the data. There are a few different built-in roles you can use, or create a custom role.

    These are the different options you have:

    Role nameMicrosoft Entra roleIntune roleEndpoint analytics permissions
    Global AdministratorYesRead/write
    Intune Service AdministratorYesRead/write
    School AdministratorYesRead/write
    Endpoint Security ManagerYesRead only
    Help Desk OperatorYesRead only
    Read Only OperatorYesRead only
    Reports ReaderYesRead only

    Once we have our roles in order, we can start looking at the data!

    Looking at the data

    The Endpoint Analytics feature consist of 6 different blades

    • Startup Performance
    • Application reliability
    • Work from anywhere
    • Resource performance
    • Remoting connection

    These features are available with the regular Intune license. With the Intune Advance Analytics license you will get a few more. And it’s automatically integrated into the Intune administrator experience.

    • Custom device scopes
    • Anomalies
    • Enhanced device timeline
    • Device query
    • Battery health

    If you want to read more about what’s included, I would suggest checking out this Microsoft Learn article.

    Reviewing my devices

    But as I stated in the beginning of the post, let’s talk about reviewing resource performance. With the regular Intune license, you will gain access to resource performance for your Cloud PCs. With this, I get insights which Cloud PCs are meeting my targets and what Cloud PCs I should investigate upgrading to a different SKU. This data can be broken down to a device or model. This gives me great data about my environment on CPU and RAM spikes when they are being used.

    All devices get a score based on their performance, and you can configure what your baseline is in the Endpoint Analytics settings.

    You can break the numbers down based on model or individual device performance to get a better understanding.

    With the 2408 Intune Service update, this was also made available for physical devices if you have the Intune Advance Analytics license enabled. This will provide me with insights on how my physical devices are performing when it comes to RAM and CPU. I can also learn if they have continuous spikes indicating that they need an upgrade.

    If we stand in the “Device performance” tab, we can see all Cloud PCs and physical PCs gathered in the same place. You can also compare Cloud PC and physical PC performance.

    Looking at specific devices

    If we click on the name of a device, you will be redirected to the blade “User experience” on the device itself. You can also find it if you search for a device in the device list and click in to view that device.

    From here, you can see a lot of data about the device around its performance.

    As you can see, my Surface Laptop Go 3 has had a few minor spikes in RAM the last 14 days but nothing major.

    And if we look at the overall score, it’s pretty okay.

    Device timeline

    There is one more really nice feature with the Intune Advanced Analytics we can see, and that is a Device Timeline (last tab on the top).

    In here, we can see historical data on events that has happened on the device which impact the user experience. As you can see on this device, I’m having a few issues with applications.

    And if we jump back and look at another device, a Cloud PC, we can see the same kind of data.

    One interesting thing I found while writing this blog post is that I compared my Surface Laptop Go 3 i5 with 16gb RAM with my 4vCPU/16GB Cloud PC. What I can see was that my Cloud PC scores higher. I would say that I use them in a similar way, the same amount of time. I do know that the Cloud PC has a little bit of a more powerfull CPU (being a cloud PC),

    The Cloud PC scores 98 in resource performance.

    While my Surface Laptop Go 3 scores 77.

    So performance wise, Cloud PCs are doing a lot better. However, the Surface Laptop Go 3 is not a fair comparance being a more “low tier” PC. However, they are still both performing really good for what I use them for. So this is important to take into considerations when looking at the data.

    Take away

    Knowing how the performance of the devices in your environment chelan p you figure out when devices needs to be replaces or upgraded. As you already know, backing your decisions using data is key! Intune can provide you with a lot of data on your device without the need to buy a third party tool and deploying/maintaining a client on the device.

    However, if we start looking at “real” DEX products, Intune Advanced Analytics does not provide the same level of data. You will also need to combine several parts of Intune to be able to perform e.g. remediations on the things you find. You still need to manually take actions or create remediation scripts on your findings.

    But if you are just getting started and need “something”, this will provide you with a great overview of your environment! This will help you make better decisions and help your end-users even better!

    I hope you liked this post and that it gave you some insights to what you can do with Intune Advanced Analytics!

  • Summer recap – what did we miss?

    Summer recap – what did we miss?

    Like all Swedes, summer means vacation mode for 4-5 weeks and that means not keeping up with what’s happening in the world.

    So here is a recap of what’s been happening during the summer months.

    MVP renewal

    In the begning of July, the MVP renewals where announced and I’m happy to announce that I’ve been renewed as a Windows and Devices MVP for the 3rd time.

    Big congratulation to all my fellow MVPs that got renewed for 2024!

    Windows 365 updates

    July was full of Windows 365 updates, there has been updates for Windows 365 each week since July 1st which is really awesome. A lot of great updates.

    Here are some highlights, but if you want to see the full list check it out here.

    Cross region disaster recovery

    Windows 365 cross region disaster recovery is an optional service for Windows 365 Enterprise which protects the Cloud PCs and data against regional outages. This is a seperatly licensed service which can be purchased as an add-on to your existing service.

    Cross region disaster recovery in Windows 365 | Microsoft Learn

    Windows 365 Cloud PC gallery images use new Teams VDI

    The new Teams for VDIs has been added to the Windows 365 image gallery, containing all the optimizations for Windows 365. All your newly previsioned Cloud PCs will containg the new optimizations.

    Microsoft Teams on Cloud PCs | Microsoft Learn

    Cloud PC support for FIDO devices and passkeys on macOS and iOS (preview)

    Windows 365 Cloud PCs now support FIDO devices and passkeys for Microsoft Entra ID sign in on macOS and iOS.

    Updated default settings for Windows 365 security baselines

    Microsoft has released an updated version of the security baseline for Windows 365. You can find a full list of the updated settings here: List of the settings in the Windows 365 Cloud PC security baseline in Intune.

    New GPU offerings for Cloud PCs are now generally available

    Microsoft has finally released the new GPU offering! The GPU offerings are suitable for graphical intense workloads requiring a more optimized performance. The offering consists of three different SKUs called Standard, Super and Max with different configurations for different kinds of workloads.

    GPU Cloud PCs in Windows 365 | Microsoft Learn

    Uni-directional clipboard support is now generally available

    The clipboard settings for Windows 365 and AVD has been in preview for a while, but have now been

    moved into general availability with some pretty nice added functionallity. You can configure a lot of new different content type, and you can select to allow which direction clipboard should be allowed. This applies to both Windows 365 and Azure Virtual Desktop.

    Configure the clipboard transfer direction in Azure Virtual Desktop | Microsoft Learn

    Intune updates

    The list for Windows 365 was long (in the aspect of Windows 365 updates), but there has been even more Intune updates.

    If you want to read the full list of updates during the summer months, check out the full list here.

    Update for Apple user and device enrollments with Company Portal

    Microsoft has updated the registration process for Apples devices using the Intune Company Portal. The main change is that now the Entra ID registration happens after the enrollment, instead of during the enrollment. This applies for both iOS/iPadOs devices and macOS devices.

    The change means that if you are using dynamic device Entra ID groups which rely on the device registration, you need to make sure that the users complete the whole process.

    iOS/iPadOS device enrollment guide for Microsoft Intune | Microsoft Learn

    New configuration capabilities for Managed Home Screen

    If you are using managed home screen for Android, you can now enable the virtual app-switcher button to allow users to switch between apps on a kiosk device.

    Configure the Microsoft Managed Home Screen app for Android Enterprise

    Copilot in Intune now has the device query feature using Kusto Query Language (KQL) (public preview)

    If you are using Copilot in Intune, you can now generate a KQL query using Copilot while asking in natural language. Great way to learn KQL or get inspiration for your querys!

    Microsoft Copilot in Intune

    New setting in the Device Control profile for Attack surface reduction policy

    Microsoft has added the “Allow Storage Card” setting to the Attack surface reduction policy, which can also be found in the settings catalog.

    AllowStorageCard 

    New operatingSystemVersion filter property with new comparison operators (preview)

    There is a new filter property for operatingSystemVersion, which is available in a public preview.

    This filter allows you to use operators like GreaterThan, GreaterThanOrEquals, LessThan and LessThanOrEquals to your oprating system version and is available for Android, iOS/iPadOS, macOS and Windows!

    Consolidation of Intune profiles for identity protection and account protection

    Microsoft has done some cleaning up around identity and account protection policies and added them all into a single profile called Account protection which can be found in the account protection policy node of endpoint security. This is the only template which will be available going forward for identity and account protection. The new profile also includes Windows Hello for Business and Windows Credential Guard.

    Account protection policy for endpoint security in Intune

    New Intune report and device action for Windows enrollment attestation (public preview)

    There is a new report in public preview for finding out if a device has attested and enrolled securly while being hardware-backed.

    Windows enrollment attestation

    New support for Red Hat Enterprise Linux

    Microsoft Intune now supports device management for Red Hat Enterprise Linux. You can enroll and manage Red Hat Enterprise Linux devices, and assign standard compliance policies, custom configuration scripts, and compliance scripts.

    Deployment guide: Manage Linux devices in Microsoft Intune 

    Newly available Enterprise App Catalog apps for Intune

    The Enterprise App Catalog has updated to include additional apps. For a complete list of supported apps.

    Apps available in the Enterprise App Catalog.

    New actions for Microsoft Cloud PKI

    The Microsoft Cloud PKI has been updated with some new features.

    • Delete: Delete a CA.
    • Pause: Temporarily suspend use of a CA.
    • Revoke: Revoke a CA certificate.

    Delete Microsoft Cloud PKI certification authority

    ACME protocol support for iOS/iPadOS and macOS enrollment

    Microsoft has started a phased rollout of the infrastructure change to support the Automated Certificate Management Environment (ACME) protocol. When a new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. 

    Windows updates

    The realse of Windows 11 24h2 is getting closer and closer, and it could be guessed to be released in a September/October time frame looking at past releases.

    One thing that is also important to highlight is that we are getting closer and closer to the Windows 10 EOS, which means that we really need to focus on getting those devices migrated or removed.

  • How to Save the Planet with Windows 365

    How to Save the Planet with Windows 365

    Okay so this is a blogpost I’ve been putting off for a long time without any good reason to be honest. I think I’m wanting this to be perfect since it’s a combination of several things I care deeply about. This will probably be like a part 1. So here we go.

    TLDR;

    One of the benefits of Windows 365 is that it can reduce the environmental footprint of IT operations by shifting the energy consumption and emissions from the end-user devices to the cloud servers. According to a study by Microsoft, the Microsoft cloud is between 22 and 93 percent more energy efficient than traditional enterprise datacenters, depending on the specific comparison being made. When taking into account Microsoft’s renewable energy purchases, the Microsoft cloud is between 72 and 98 percent more carbon efficient.

    Microsoft has also committed to be a carbon negative, water positive, and zero waste company by 2030, and to protect more land than it uses by 2025. In its 2022 Environmental Sustainability Report, Microsoft shared its progress, challenges, and learnings on its journey to meet these goals. The report also showcases how Microsoft is delivering digital technology for net zero, such as Microsoft Cloud for Sustainability, which helps customers measure and manage their environmental impact.

    What is Windows 365

    If you have been reading my blog for a while, you are familiar with what Windows 365 is, but in case you have missed it let’s do a short intro.

    Windows 365 is a cloud-based service to provide what Microsoft calls a Cloud PC. This is in fact a virtual computer based on the Azure Virtual Desktop (AVD) platform, but instead of you having to maintain any infrastructure, you consume it as a SaaS solution. The performance of the Cloud PC is based on what license you have purchased. Compared to AVD, you pay a fixed price per month for the license instead of paying for your consumption.

    Since this is a cloud service, you can access it from whatever device you prefer, or even just a browser.

    Since we can run a controlled and managed Windows device in a remote context, we are open to allowing more secure ways of working from a broader range of devices since we are in full control of the remote session.

    The sad truth about hardware

    One of the largest environmental impact we have within IT is our devices. Many companies replaces their computers on a ~3 year basis. For a larger company this is a huge amount of new devices being bought every year, and as many devices being decommissioned. The market for reselling computers are growing by the day and we see more and more companies offering this service to their customers, and even consumers.

    Computers which are three years old aren’t that old to be fair. They are not the latest and greatest, but can still do a really good job for most usecases.

    Reducing the need to renew hardware

    By utilizing Windows 365, we can actually extend the life time of a computer since we can run Windows 365 on anything with Windows 10 or never. Windows 11 is one of the major reason hardware will need to be replaced, since there is a Windows 11 only supports Intel 8th generations processors and newer (let’s be fair, Intel is the most commonly used today). 8th generation means mid-2017 as earliest which is about six and a half year ago when this post is being written.

    This is something that has been stuck in my head that we will see A LOT of computers being obsolete on the 14th of October 2024. Then Microsoft released a very interesting statement about end of service for Windows 10 and Extended Security Updates (ESUs). You will get the ESU included in the Windows 365 if you are accessing your Cloud PC from a Windows 10 host. This will extend the life of these computers another 3 years.

    This means that you could move over to Windows 11 but keep some older hardware around for accessing Cloud PCs. Since there is no Windows 365 Boot for Windows 10, you could build a kiosk based on this post to make sure your users ONLY access their Windows 365 Cloud PC, which would be running Windows 11.

    By utilizing Windows 365 and Cloud PCs, we can actually keep our computers current for a much longer time. Instead of getting a new computer with the latest, faster, processor and more memory we can utilize the server grade equipment in the Azure datacenters which are a lot more powerful than our laptops are anyways. Since Windows 365 is license based, this means that when we need more computing power on our Cloud PC, we can upgrade the license and after a reboot we have a more powerful PC.

    The hardware in the Azure data centers are lifecycled and replaced, but Microsoft are putting a lot of effort in to reusing old equipment, reducing the environmental impact. Sever hardware is also recycled to minimize the constraint on the environment.

    Running workloads on shared resources, like in Azure, is much more energy efficient as well. However, lets not forget that data centers uses a lot of energy to be operate. But today Microsoft data centers are run on renewable energy improves this even further while Microsoft is also striving to be carbon negative by 2030.

    Read more:

    There has been a report put out on the environmental impact of Windows 365 compared to other VDI solutions and physical hardware. This is where I got parts of my data. Long but worth reading: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vtL

    Fellow MVP Thomas Marcussen wrote about reducing your carbon footprint with Windows 365: Reduce Your Carbon Footprint with Windows 365 – Thomas MarcussenThomas Marcussen