olastrom.com

Tag: windows 365

  • Windows 365 Boot – What is the fuzz about?

    Windows 365 Boot – What is the fuzz about?

    If you are, just like me, a BIG Windows 365 fan you probably haven’t missed the news around Windows 365 Boot. There was an update released in the end of January which enabled what is called Windows 365 Boot Dedicated mode and Windows 365 Boot Shared mode.

    There are a lot of awesome posts out there how to configure these, like these to from my fellow Windows 365 MVP Dominiek Verham, which I really recommend you to check out!

    Two really awesome posts about how to get started.

    But why should you use it and why should we pay attention to this?

    In this post, I’ll discuss a little around my view on why these to features will play a crutial part in the Windows 365 journey and the future of Windows. These

    And also let’s adress the elephant in the room. Windows 365 Boot is basically Microsofts take on thing clients on Windows. This has been done before by others, but never using the standard management tools. I think that is one of the key things with Windows 365 Boot, we manage a regular Windows installation with Microsoft Intune.

    Windows 365 Boot Dedicated mode

    Lets start of with what it is.

    Windows 365 Boot Dedicated mode is a new Windows 365 feature which enables you to have a PC which is using Windows 365 Boot that is, just like the name says, is dedicated to one user. Right now, this feature is in public preview.

    Previosuly when we have looked at Windows 365 Boot, you have not had a user assigned to the machine which meant that using passwordless solutions like e.g. Windows Hello for Business was not possible.

    Now with Windows 365 Dedicated mode, I can have my PC setup as a Windows 365 machine and each time I sign in to my computer I will end up in my Cloud PC session using Windows Hello for Business.

    This opens for a lot of new cool scenarios which we could do and I think this might be the bigger and maybe a scenario which is harder for many to related to. We are so used to having our “own” computer locally, and maybe connect out to a virtual session when ever we need to switch context to a different environment or such. This would make your primary device a cloud based computer, which in my world is kind of awesome.

    Some scenarios I can think of top of mind where this could be usefull are:

    • Extend life of older hardware
    • Upgrade a PC to a higher spec without needing to have physcal access to the device
    • Provide cheaper hardware for certain scenarios
    • Ensure data is not lost when using devices in more extreme environments (hardware failure)

    One kind of weird scenario that came to mind was also that you could by your self also switch between computers, by selecting in the Windows 365 web portal which device to connect to. This means that you could for extended times work from one typ och device, and then easliy change this through the webportal.

    Why should we care?

    To be honest, I think this scenario could potenitally be a hard sell to IT people, since we are very used to working with out operating system locally. The host machine would still require to run Windows 11, but you would never really see it and you would still need to patch the OS on a regular basis.

    I think the biggest selling point here is that if you go with a Cloud PC in this way, you will always run on “hardware” which is preforming. No need to wory about disk crashes, slowness or anything like that. You will also gain insane traffic thorugh put, since your computer is not actually connected to your own network. It’s connected to the Microsoft network which is playing in a different legue when it comes to upload/download speeds then our usual home internet. This would actually benefit you if you work with a lot of large files, OneDrive and SharePoint syncs insanly fast. This is however a feature of Windows 365 as a service, not the dedicated mode.

    In my mind, this is something we need to keep attention to how it develops, even if many of us are not ready to take the leap today. My bet is that THIS will be a big part of the future of Windows.

    Windows 365 Boot Shared mode

    Windows 365 Boot Shared mode is more like the Windows 365 Boot which went into GA last September, but with some updates. One of the major differences is that you can now add your company logo on the sign-in page to make it more relatable to your brand.

    The concept behind this is to provide a shared workstation which many different users work from. Looking at different scenarios I’ve seen with customers, this could cover that “kiosk” computer in the break room in a workshop. Or maybe a good and simple way to provide a great experiance to personal working in a callcenter where you don’t have your own desk. And why not that sales station which is used by several people.

    If you combine the Windows 365 Boot Shared mode with a Windows 365 Frontline license, you pretty much hit the sweet spot. Then you can sprinkle with a FIDO2 key (like Yubikey) and you even simplify the sign-in process and make it passwordless!

    One big issue has always been “how do we provide a great experiance on a shared device”. Traiditionally, there has always been an issue with user profiles (if you have to many things break) but that can be addressed with the shared device policy in Microsoft Intune. However, you are still not giving a full computer experiance to the users, they are usually pretty limited and distributing applications is not as smooth as if you had a personal computer.

    This would also mean that if you are working in a setup where you move around a lot, and maybe not always come back to the same computer, you can continue your work exactly where you left of but from a different computer.

    Windows 365 Boot Shared mode gives you that personal experiance, but on a shared device.

    Why should we care?

    One thing that always seams to be a complex and tricky scenario to solve are those shared devices, especially if the user moves around a lot. Think clients of different sorts has always been a big thing here, but for many IT admins the thin clients means another tool to administrate in, instead of the tool they are spend most of their time in for managing the other devices. Using Windows 365 Boot we can leverage Microsoft Intune and bulding thin clients on Windows, by just deploying a set of policies from Microsoft Intune.

    For many organization, intorducing a new management tool for thin clients is a little bit of a bump in the road since this means getting that tool approved, setup and educating the adminsitrators on how to use it if there is no pre-exisiting knowledge. It’s not necesserially a hard thing to learn a new tool, but it could slow down the implementation process for some organizations.

    Key take aways

    What I think we need to think about is that Windows as we know it is about to change, it won’t be over night but something is happening now. Imagine when we started seeinf Office 365 which later became Microsoft 365? That was a journey, and I think that right now we are seeing the start of this journey for Windows. I might be naive and sprinkled a little wishfull thinking over this whole thing, but I really think we will see a change over the next couple of years in what we think of as Windows and what we expect. Mind you, these are my personal thoughts and ideas.

    However, the Windows 365 Boot features brings some really intersting things to the table. We can now easily deploy and manage thin clients without needing any additional tools or licenses. I think that is pretty sweet as someone who works with customers who hare heavily invested in the Microsoft echosystem. It might not be as far along and flexible as e.g. IGEL. But this would potentially get more companies started with thin clients since there really isn’t any roadblocks anymore like there used to.

  • I hate computers

    I hate computers

    I’ve come to realize one thing lately.

    I hate computers.

    This will be a different post. But bare with me on this one, okay. It will make sense in the end (I hope).

    My epiphany about hating computers happened when my lab machine all of a sudden decided that “I don’t have a bluetooth adapter anymore” after about 2 years of actually having one. I did about everything but reinstalling Windows on the machine, but the bluetooth adapter was not recognized by my computer. I even opened up the NUC to see if I could see if there was any obvious physical damage (I’m not an expert), but nothing.

    THE DAY I decided that “fudge this, I’ll just reinstall it” it started working again. No new driver updates, no new patches. It just started working. I still have no clue what happened to be honest.

    That was the moment I started hating computers.

    I just want to be productive

    Living without a functioning Bluetooth adapter in the computer meant that I needed to find the USB-receiver for ALL my wireless accessories (headset, mouse, keyboard) in order to even work from this machine.

    This ment that I needed to take time out of my day (mostly late afternoons) and firstly try to figure out the issue and secondly since I suck at troubleshooting hardware, find all the USB receivers for all my stuff since I had of course also lost my USB Bluetooth receiver 🤦‍♂️.

    I’m one of those computer guys who don’t really like troubleshooting, I just want stuff to work.

    Reinstalling Windows is a breeze now adays, and it would have taken me an hour or two to be back up and running. I work from a strict policy to save EVERYTHING in the cloud so that wiping my computer isn’t an issue anymore, I will just lose what ever app I didn’t add to Intune. But it’s still a hick-up in my flow.

    Automate drivers

    This “incident” has gotten me thinking a bit. One thing I tend to hear with customers is that there is a fear to patch/update drivers for example, since we are afraid that it will break something in the OS or an application. I’ve been doing Intune work for the last 10 years, and I’ve strongly advocated to “maybe it’s time to also update drivers” for the past 7 years since it’s usually more risky to run pre-release versions of drivers than the latest. OEMs tend to also update drivers only when they have to, and the 700 million consumer Windows machines out there with the latest drivers seems to be working fine (don’t quote me on the numbers). One thing I’ve seen way to often is that an old driver breaks Microsoft Teams. The camera stops working usually and as soon as you install the latest driver. Poof! The camera works!

    When you start think about it, what if we stopped caring so much about drivers and just automated it with Windows Autopatch? New drivers are installed when released and needed.

    Windows 365 to the rescue?

    Let’s take it one step further. What if we use Windows 365 to consume our apps and desktop experience instead and we only need to make sure that the OS and out applications are up to date. The hardware we are accessing through could be any kind of device, not neccesarily a Windows based device. Windows 365 makes it possible to actually be device independent. The bare minimum I need is something with a browser.

    This is actually something which excites me a bit too much. I started my career in the mobile device management field, managing iPhone in the “mobile first” era when we though we would be able to do EVERYTHING from our mobile. If we can access a virtual desktop from our mobile, all of a sudden we actually can even consume those legacy Win32 apps from a mobile device.

    I’m really excited about the Motorola ThinkPhone with the Windows 365 integration even though I don’t own one and I really don’t like Android since I’ve had an iPhone the last 15 years. But the idea of only having one device is something that excites me. Or at least in some situations only need one device. Still not enough to by the darn thing, but I love the concept of it.

    So what is the point of this post?

    Well, maybe we should start to rethink the workplace and what devices we need. Do I really need a desktop, a laptop, a phone and a tablet? Maybe not the reality for everyone but I know a lot of people running on such a setup. What if I just needed one or two devices, but I could still do all the stuff I need.

    Looking at my current setup, I’ve downsized to one phone from two and I prioritized battery life over performance when getting a new laptop. I even went with an ARM-based Surface with the knowledge that “I can always use Windows 365 if I need more power” which is really comforting to know. This opens up that I can go for more slim formfactors and prioritize different aspects.

    Moving the workloads to a Cloud PC would also reduce the need of getting the “latest and greatest” machine to do things. Our Cloud PC will be kept up to date since Microsoft is lifecycling the infrastructue in Azure, which for me as a user would mean that I always have “the best” configuration.

    There are of course a lot of if’s and but’s around this, like the need for constant internet connetivity. But let’s face it, how often do we work without internet connectivity? You can even get some what reliable connectivity on an airplane today.

    Problem with this appraoch is that this is how I reason, I still have way to many laptops on my desk for different customer engagements and testing things, since this is not the reality yet. But maybe it’s the future?

    If you ever meet me and also hate computers, let me know and I’ll give you “I hate computers” sticker!

  • The new Windows app

    Microsoft announced a new app to consume your Windows 365 Cloud PC, Azure Virtual Desktops, published apps and other remote desktop sessions. This app is simply called “Windows app”.

    But we already have apps for this one might say, and that is true. But we need different apps for AVD and Windows 365 today. If you use the Microsoft Remote Desktop app you will be able to see and connect to both your Windows 365 Cloud PC, your Azure Virtual Desktops, and your published apps, but you will miss some key features to WIndows 365.

    To get all those nice features for our Windows 365 Cloud PCs, we today must use the Windows 365 app.

    If we look at how things are in many businesses, a lot of times we have a mix of Cloud PCs, AVDs and published apps. Today that means that we need to separate apps to get the full experience, which from a user perspective can be confusing since I will see my Cloud PCs in the Microsoft Remote Desktop app, but I won’t see my AVDs or published apps in the Windows 365 app.

    The announcement at Microsoft Ignite around the new app is to bridge that gap and get everything into one app, the Windows app.

    Before going forward, PLEASE be aware that this is still in preview. Things might change and be added/removed.

    What is the Windows app?

    Introducing the Windows app. This is your new place to consume all your remote desktop session!

    The new Windows app brings all the awesome new features in Windows 365 and combines them with the Microsoft Remote Desktop features like support for AVD and published apps.

    I think one of the killer features is also that now we will have the same app, across multiple platforms. Today you need to use one or two different apps on Windows, and a less full feature one on all the other platforms. But the new Windows app changes that!

    Borrowed from MS Learn

    Getting started!

    The first thing you need to do, if you haven’t done so already, is to download the Windows 365 app from the Microsoft Store (or have it provisioned to you from e.g. Intune).

    Once you are signed in, you will notice a small button in the top menu saying “Preview”. Click on that! If you cannot see the preview button, make sure your app is up to date!

    Once you have enabled this, the app will close and the new one will launch (might take a second or two), and you will be asked to sign in again. Once you have signed in, you will now be in the new app experience!

    Using the app

    This is the new landing screen, to which you can pin your Cloud PCs, AVDs and published apps. And if I want to pin something to my home screen, I head into “Devices” and select the three dots on the resource I want to pin, then select “Pin to” and select “Pin to home“.

    As you can see, all the other remote actions available in the Windows 365 app are also there so I can in the same menu do a restart, restore, inspect connection etc. And if I want to pin it to the task view or taskbar, I can do so from here.

    But there is also a Microsoft Remote Desktop feature in this app which I was missing in the Windows 365 app; the possibility to not start the session in full screen. You find this by going to Settings on the machine in question and setting “Use default settings” to off. If you then select “Single display” in the Display configuration section, you will be able to turn off “Start in full screen“. If you jump back and forth or have a large screen, this is a really good feature.

    You can of course also select your theme, if you want light mode or dark mode, or if you want the app to use whatever you are using in the operating system. Just click the settings icon in the lower left part of the app and select which mode!

    And the last thing… The app supports multiple accounts so you can jump back and forth between tenants. Crucial feature for a consultant!

    Other platform

    Like I said, the app is today available for Windows, macOS, iOS/iPadOS and Android is still not yet released but it’s coming.

    I’ve tested it on my iPhone, and to be honest the experience was way better than I anticipated.

    One feature I really like is that when just leaving the app and having the desktop open, the session will continue when I come back without the need to re-connect.

    The iOS app is a lot like the Microsoft Remote Desktop app in look and feel, but with a few improvements. I still can’t restart my Cloud PC from the app, but I can restore it if needed. However, it’s not a farfetched guess that it will come in a later release.

    All the apps are still in preview, and if you want the iOS/iPadOS or macOS app, you will have to head over to Microsoft Learn and fins the links.

    Bonus

    What I haven’t covered is that there is also a new web portal, which has the same look and feel as the new Windows app.

    The new address to the new web-app is https://windows.cloud.microsoft/. You can read more about it in the Microsoft Learn guide as well.

  • Microsoft Ignite 2023 recap

    Microsoft Ignite 2023 recap

    It’s that time of the year again. Not Christmas. Microsoft Ignite time!

    This year I decided not to go to Seattle, but instead follow it virtually from home. I can say now when Microsoft Ignite is over that I’ve had a severe case of FOMO the last couple of days, by just seeing all the pictures it looked like it was a really awesome event!

    But since MS Ignite is over, it means that it’s time for a recap. What did I find most interesting?

    For starters. There was a clear theme this year. AI, AI, Copilot, Copilot and Copilot. 😂

    Oh, and the picture in the top of this post is of course created using AI!

    Windows 365

    There was a bunch of new things released within Windows 365 at Ignite, and Windows 365 actually got time in the main keynotes!

    New Windows app – A preview of a new app to support not only Windows 365 and Cloud PC, but to also give you all your Azure Virtual Desktops, DevBox and published apps in the same place. The cool thing is that it’s also platform independed so we will see the same experiance on all major platforms going forward. You be able to have a “Windows” app on your iPad.

    Windows 365 GPU support – Microsoft announced that GPU support for graphic design work is coming to Windows 365, and this will really be great for a lot of customer scenarios! It will be really interesting to see the pricetag on the GPU SKU, I would kind of guess that you really need to have a good business case and not just have it’s because GPUs are cool…

    Windows 365 AI capabilities – It was also announced that you as an IT admin will be able to get AI based recommendation on sizing the Cloud PCs. This to help improving cost efficiency and user sattisfaction. Preview will be released soon.

    Single-sign on (SSO) and passwordless authentication – SSO and passwordless has for quite some time now been in preview in the Intune portal, but it’s not in general availability. This also applies to approved AVD providers!

    Watermarking, screen capture protection, and tamper protection – in order to increase security and prevent dataloss, these features which have been in public preview for a while are now in general availablity on both Windows 365 and AVD.

    Windows 365 Customer Lockbox – To ensure that Microsoft support engineers can’t access content to do service operations without explicit approval, you can use Customer Lockbox. This is similar to other Customer Lockbox within the Microsoft ecosystem. This is in public preview.

    Windows 365 Customer Managed Keys – I think this is a pretty cool update. You will soon be able to use your own encryption keys for encrypting the Windows 365 Cloud PC disk.

    Windows

    Eventhough Microsoft Build is usually where we see most Windows news, there were a couple during Ignite this year.

    Copilot in Windows – This was actually announced at the event earlier this fall and went in to public preview for selected markets on the 1st of November. During Ignite Microsot announced that it will go into general availablity in December, so let’s cross out fingers Europe is included!

    Windows Autopatch for frontline workers– Windows Autopatch is not new, but Windows Autopatch is now included in the Microsoft 365 F3 subscription to ensure frontline workers are kept up to date.

    Windows Autopilot and Windows Update for Business merging – Microsoft is streamlining the interface to handle updates

    Microsoft Intune

    There were a few big announcements for Microsoft Intune, and I would say the two biggest were around macOS management, Security Copilot in Intune and the Intune Suite.

    MacOS management – Microsoft has for a while now been very loud about their story around macOS and Intune, and we are now starting to see the outcome of this. I wouldn’t say that there were that much news related to Ignite around this, but they were pushing for that Intune is now in the forefront of device management for Mac, which means that you no longer need to have Jamf or such to have extensive macOS management.

    Security Copilot for Intune – As part of the Copilot and Ai journey we are on, Security Copilot will help you dentify annomolies or issues in your environment. It will help you analyze big chunks of data in no time to find security related events. But Security Copilot is more than that, it will also integrate in Microsoft Intune to help you create new policies or figure out how to solve issues that arrises. This will be such a great feature for many admins out there!

    Microsoft Intune suite updates – Microsoft Intune Suite was announced back in March this year and has so far mostly been focues on Endpoint Privilegde Management and Remote Help. Microsoft has now announced three more features that are coming; Enterprise App Management, Advanced Analytics and Cloud PKI. These three additional services will make the Intune Suite bundle even better and are expected to all be available in February of 2024.

    Summary

    To be honest, this years focus at Ignite was Copilot. The word “Copilot” is mentioned 289 times in the book of news. That kind of set the tone for Ignite. Don’t get me wrong, I’m super excited for Copilot but this year was crazy!

    Any how, lot of cool stuff coming out of Ignite this year and I think we will see things moving even faster now around AI since post-Ignite there has been some news around people from OpenAI joining Microsoft… What a time to be alive!

    One thing that I take with me is that next year, I want to go to Seattle and be there in person. My feeds has been filled with Ignite related pictures and the FOMO has been real!

  • Let’s move our Cloud PC!

    Let’s move our Cloud PC!

    I actually ran into this working with a customer. We had setup the Cloud PCs using an Azure Vnet in connected to the wrong landing zone (test environment) and we had 100+ Cloud PCs up and running and there was no possibility due to internal processes to move that network to the production environment.

    This could also be relevant if you want to move a provisioning policy from one Microsoft hosted network region to another.

    In this post we will cover how this looks when using Microsoft hosted networks, but they could just as well be Azure Network Connections. The beauty is that we don’t need to re-provision them, we can just update the provisioning policy!

    Update provisning profile

    Since we are moving from one Microsoft hosted network to another, we won’t need to do any updates outside the provisioning policy. If we are moving to another Azure Network Connection, we need to first create a new connector for our new network. This could be in the same subscription but be another subnet for example. Once you have created this, you can move on to updating the provisning policy.

    So, the first step is to head into our provisioning policy. In this example we are updating our policy which is currently set up to use US East as a the region, but we want to move this to Europe instead.

    What we need to do here is to update the geography and region in our policy, and of course also the name since I have the region in my policy.

    Once I’ve done my updates to the region, I simply click next to the bottom of the screen, and I end up on the summary page where I as always get an overview of my policy. When I’m done reviewing this, I click Update.

    But we are not done yet. We also need to apply this update to our machines, unless we do that this only applies to newly provisioned Cloud PCs, and we want to move all of them to the EU.

    When we are back on the overview blade for our policy, there is a action at the top called “Apply current configuration”.

    When we click on this text, we get prompted whit this pop-up asking us if we want to apply the region change or the SSO change. Since we didn’t make any SSO changes in this policy, things would happen, but this is a fantastic way to enable SSO for all your Cloud PCs without having to redeploy them. But let’s select the “Apply region change” and hit Apply.

    Once you have applied the change, your Cloud PCs will start updating.

    During the update, the Cloud PC will not be available since work is being done in the back end.

    Once the move has been completed, which took about 10-15 minutes for me, you can sign back into the Cloud PC and keep using it in the new region!

  • Windows 365 Switch – The best feature so far?

    Just after the summer, Microsoft announced that Windows 365 Switch was available for public preview. And to be honest, this is probably my favorite feature so far, and makes using the Cloud PC a lot easier!

    Back at Microsoft Ignite in 2022, the product team announced three major features coming to Windows 365:

    • Windows 365 Boot
    • Windows 365 Switch
    • Windows 365 in offline mode

    Back in May, Windows 365 Boot was available as public preview and since the beginning of August, Windows 365 Switch is also available to start testing!

    Today, to use Windows 365 Switch, there are some pre-requisites:

    • Windows 11 Insider (Dev or Beta is supported) on you local PC and your Cloud PC
    • The Windows 365 app
    • Windows 365 licenses

    You of course also need provisioning policies and so on to be able to provision your Cloud PC, if you want to learn how that is done you can check out this post.

    Setting up Windows Insider

    There are different ways to enable Windows Insider on you device depending on how your setup is. You can do it directly from the Settings app under Windows Update, but I will show you how to configure this through Microsoft Intune, since this is probably the more common scenario to onboard devices in to Windows Insider in a larger environment.

    What you need to do is to create a update policy for the Windows Insider program releases in Microsoft Intune to enable this feature. You can of course also update your current policies to allow Insider builds.

    Go to Microsoft Intune and navigate to the Device section and find Update rings for Windows 10 and later. Create a new profile by clicking “+ Create profile“.

    Give your new profile a name and click next.

    Configure the profile to match your needs when it comes to the generic settings, in this example I will leave it to default. The important setting is “Enabled pre-release builds“. Enable that and select either the Beta or Dev channel (both are supported for Windows 365 Switch).

    Add a group of devices you want to include for the Windows Insider Dev channel. Make sure to include both the local PC and the Cloud PC in this group. Click Next.

    Review your settings and create the policy by pressing Create.

    Note: You can also update any of your existing policies to allow pre-release builds. What I’ve done in my lab environment is to allow this in my test ring in Windows Autopatch and move any machine I want to enable this on into the test-ring.

    Opting in for Windows Insider builds

    The updates are not automatically enforced on the client, it enables the user to opt in to the program, the user needs a Windows Insider Program account. You can read all about it here: Getting started with the Windows Insider Program (microsoft.com).

    Easiest way to get started is to search the start menu for Windows Insider and open the “Windows Insider Programme settings”. This has to be done on both the local PC and the Cloud PC to opt in to Windows Insider.

    First time user opens the settings blade, they will need to press the “Get started” button inorder to link an account to the Windows Insider program.

    When the account has been linked, user will see what channel they have been added to. Since we are managing this setting from Intune, all the alternatives has been grayed out and the “Dev Channel” is selected, since that is the one we configured.

    One you have opted in for Windows Insider builds, head over to Windows Update and run the update. You will see Windows Insider build as an update which will start to download.

    IMPORTANT: Perform these steps on both your local PC and your Cloud PC.

    The Windows 365 app

    The next step is to make sure that we have the Windows 365 app installed on our local machine. This can be done either by deploying it from Microsoft Intune or downloading it from the store.

    Easier way is to simply download it from the store.

    Once you have installed the Windows 365 app, the wait begins. Things needs to be configured and happen in the background. This normally takes a few hours, so don’t give up if its not there right away!

    Once Windows 365 Switch has been configured for you, you will get a new option on your Cloud PC called “Add to taks view”.

    When you select this, you will see a ribbon on the Cloud PC you selected this on that it has been added to the task view.

    Now when you open the Task View, from either the task bar or win + tab, you will see your Cloud PC as a desktop.

    When you select the Cloud PC for the first time, the connection will be setup and you will have to wait while it’s connecting.

    Once this initial connection has been done, you will be able to switch back and forth as this would have been just another desktop from within your Cloud PC.

  • Back from vacation – what did we miss?

    Like the swede I am, I’ve been off work for the last 4 weeks to get my summer vacation. I’ve actually done my best to try to stay away from IT stuff this summer, to disconnect and focus on other things (like golf and getting our house in order).

    But the world of IT does not slow down just because of summer, so here is a summary of some of the highlights that I missed during my time off!

    I got renewed as MVP

    Okay, this I already knew before the summer. But I was awarded for my 2nd year as an MVP within Windows and Devices for IT. I’m truly honored to be awarded for yet another year and being part of such a cool community of awesome people!

    Ola Ström | Most Valuable Professionals (microsoft.com)

    I will be speaking at WPNinja Summit

    I was picked to do two session at the WPNinja Summit in Baden, Switzerland, the 27th to 29th of September.

    I will do one session about Windows 365 networks and one about how to do better deployments of Windows 365.

    I’m really looking forward to this and I hope to see you all there!

    Windows 365 Switch in public preview

    At Microsoft Ignite 2022, Microsoft introduced three big new features coming to Windows 365. In May, Windows 365 Boot reached public preview as the first of the three. Now in August, the second and maybe my favorite, Windows 365 Switch reached public preview!

    Windows 365 Switch lets you switch between your physical PC and your Cloud PC through the task viewer, just like the other desktops you can have. It’s a really cool feature and I will cover this in a blogpost the upcoming weeks!

    You can read more about it in the official Microsoft blogpost found here: Windows 365 Switch now available in public preview – Microsoft Community Hub

    Windows 365 Frontline released

    This was actually announced before I left for summer vacation, but Windows 365 Frontline finally reached general availability!

    For those of you not familiar with this concept, this is a different licensing modell designed for scenarios where the users are not using their device all the time, user who work in shift where you have users coming an going. The concept is that you buy one license, but you get three Cloud PCs but only one can be used at the time.

    It sounds a little bit tricky, I know, but I covered this in an earlier blog post which you can have a look at.

    Read more about it in the Microsoft blogpost: Windows 365 Frontline is now generally available | Windows IT Pro Blog (microsoft.com)

    What’s new in Windows 365?

    Windows 365 got some other great updates during the summer as well as Microsoft released a lot of new features in both July and August.

    Some of the new features released was:

    • Move Cloud PC is now generally available
    • New setting to allow users to reprovision their own Cloud PC
    • Azure network connection (ANC) least privilege update
    • Provide feedback button for admins is now generally available
    • Windows 365 web client camera support (preview)
    • Group-based license support for Cloud PC resizing
    • Windows 365 app update notifications for users

    You can read more in details here about the new features: What’s new in Windows 365 Enterprise | Microsoft Learn

    Windows 11 23h2 release update

    Microsoft released new information about the Windows 11 23h2 update coming later this year. It is currently scheduled to be released in Q4 and will be released as an enablement package. This means that there are no big changes coming to the code base of Windows 11, and you can keep doing you testing on Windows 11 22h2 if you are still transitioning over to Windows 11.

    Microsoft also mentions a Windows 11 LTSC version in this update, which means that if you are waiting for that release, you can start preparing.

    Windows client roadmap update: July 2023 – Microsoft Community Hub

    What’s new in Intune?

    As per usual, Microsoft Intune has gotten it’s weekly updates during the summer. I think the most impactful update was the fact that uninstalling applications as an end-user in Company Portal is FINNALLY available! I know this has been something a lot of IT Pros has been waiting for. There are also a lot of new stuff in the 2307 Service release.

    Some highlights:

    • Uninstall Win32 and Microsoft store apps using the Windows Company Portal
    • Use the Turn off the Store application setting to disable end user access to Store apps, and allow managed Intune Store apps
    • New BitLocker profile for Intune’s endpoint security Disk encryption policy
    • Intune supports new Google Play Android Management API
    • Change to default settings when adding Windows PowerShell scripts
    • New settings available for the iOS/iPadOS web clip app type
    • Settings insight within Intune Security Baselines is generally available
    • Tamper protection support for Windows on Azure Virtual Desktop
    • Endpoint Privilege Management support to manage elevation rules for child processes

    What’s new in Microsoft Intune | Microsoft Learn

    Screen capture protection and watermark

    During the summer Microsoft updated how you can enable screen captrue protection and watermarks for Windows 365 (and Azure Virtual Desktop).

    Previously, you had to upload a custom ADMX template to enable these settings (or GPO), but they have now been made available in the built-in ADMX profile in Intune, making this setting much more accessible.

    I will cover this more in a future blog post

    Azure Virtual Desktop Watermarking Support – Microsoft Community Hub

    Screen capture protection in Azure Virtual Desktop – Azure | Microsoft Learn

    Microsoft Inspire 2023

    During the summer, Microsoft also held their Inspire conference which is usually more targeted towards partners, but there was a lot of good stuff announced and shared during the conference.

    Check out the main keynote here: Microsoft Inspire Keynote

    Any also the rest of the sessions: Session catalog (microsoft.com)

  • Boot directly to your Cloud PC

    Boot directly to your Cloud PC

    Windows 365 Boot was first announced at Ignite in 2022, but no dates were announced at that point.

    But now it has finally happened! Windows 365 Boot is in public preview and ready for you to test! There is, however, at the time being a need to use Windows 11 Insider Preview for this to work.

    Windows 365 Boot is a concept which is exactly what it sounds like, the possibility to boot your physical PC straight into your Cloud PC. One could almost argue that this is a Windows take on a thin client concept but based on Windows 11 instead of some Linux distribution. We will see where this will take us in the future, but I can see a lot of cool scenarios for this combined with Windows 365 Frontline!

    A while back, I wrote a post about creating a shared Windows 365 kiosk setup for Windows 10 or Windows 11, a poor man’s Windows 365 boot for impatient administrators. But now we have the real thing, so let’s set it up!

    Setting up boot to cloud

    The simplest way to setup Windows 365 Boot is to use the Microsoft provided guided scenario, which can be found here.

    The guided scenario will help you create all policies and profiles you will need for this but do keep in mind that you still need to create your Windows 365 provisioning policy!

    The first step in the guided scenario will give you an overview of what will be done and what it’s used for. If you have ever used guided scenarios before, this will be a familiar experience!

    On the next step, we will add a prefix for our policies. This would typically be something you use in your naming convention. Please be aware that Microsoft only allows you to set the prefix of the names, not the whole policy name. If you want to change this to follow your naming convention, you will need to do that manually once everything has been created.

    Next step is to set how updates should be handled. I’ve just added 0 on all values for days and gone with the default active hours, but this would typically reflect your normal patching/upgrade cadence.

    On the next step, we can add some additional settings. I’ve just added a Wi-Fi profile, but you can add a VPN profile if needed as well. The last step on this tab is to select the language/region. I’ve selected to go with the operating system default that I have on the device I will deploy to.

    On the last step before the automated creation starts, we will take care of assignments. You can either create a new group or use an existing group (please give us this feature in the other assignment flows Microsoft!). I’ve selected to create a new one called All W365 BtC Devices.

    Once we have reviewed our settings, the deployment of policies, profiles and groups will start. You can follow and monitor the deployment (much like in Azure). For me, this was a fast process.

    Getting the client ready!

    As I mentioned, you need Windows 11 Insider Preview to be able to use Windows 365 Boot. You can either upgrade your machine manually or use Intune to upgrade your machine to the Insider Preview Dev channel.

    You can modify the update policy created to allow the Insider Preview Dev channel for your Windows 365 Boot machine (please keep in mind that this is a preview) or you can create a new policy for this. What you are looking to enable is the following.

    To upgrade your machine manually to Windows Insider Preview, go to Settings > Windows Update > Windows Insider Program and opt in for insider builds on the machine.

    ATTENTION!!

    Don’t forget to add your devices to the group you assigned your Windows 365 Boot policies to, otherwise nothing will happen!

    What I’ve also found is that you need to reset your device for this to work to 100%. At least my clients, if not reset, are not able to connect to the Cloud PCs. So hot tip!

    The experience

    When our computer is running Windows 11 Insider Preview and has gotten all out new Intune policies and profile, the magic will happen!

    When the computer boots, it will take you to the Windows 365 Boot sign in page instead of the regular Windows sign in. From here, you will sign straight into your Cloud PC instead of your local PC!

  • Session time limit for Windows 365 Frontline

    Session time limit for Windows 365 Frontline

    Since we now have successfully set up and provisioned Windows 365 Frontline in our environment, we need to add some additional layers of configuration to make operations as smooth as possible, and especially to make sure that we use the licenses in the best way possible.

    With Windows 365 Frontline, each license is reserved as long as the user has the session running. This means that users could potentially have active sessions but are idle which would result in them locking one license.

    Since users might forget to end the session, you can configure a policy that will end idle sessions for the end-user.

    Create the policy

    To create the policy, head over to Intune (https://intune.microsoft.com) and navigate to Devices > Windows > Configuration profiles and select “+ Create profile“.

    Select the profile type to be Settings catalog and press Create.

    Give your profile a name that makes sense to you and your organisation, I will go with something that follow my name standard for my environment that indicates it’s for Windows 365 Frontline and what the profiles does. When you have given the profile a name, press Next.

    Select “+ Add setting” to open the settings picker.

    In the settings picker, search for session time limits and select the category for Session Time Limits.

    In the settings name section, check the box for “End session when time limits are reached and “Set time limit for active but idle Remote Desktop Services sessions“, and your setting will appear in the policy. Once you have selected the setting name, close the fly-out settings picker.

    Enable the settings and choose the time limit that matches your needs and corporate policies. In this example I’ve selected 1 hour, which is good value to start with. Once you have enabled these settings, press Next.

    Unless you use Scope tags you can skip this section and move right to Assignments where we will deploy this towards all our Windows 365 Frontline devices. I’m doing this by assigning the policy to the built in All devices group and applying a filter I’ve created for Windows 365 Frontline.

    The rule syntax you want to use when creating a filter for Windows 365 Frontline machines is at least this one, but it can of course have additional lines depending on your needs:

    (device. Model -startsWith "Cloud PC Frontline")

    Once you have made the assignments as needed, press Next and then Create.

    Your policy will now assigned to all your Windows 365 Frontline Cloud PCs and you can track the progress in Intune by looking at the policy.

  • Windows 365 Frontline – Getting started!

    Windows 365 Frontline – Getting started!

    Windows 365 Frontline is still in public preview, but you can sign-up for the preview on this link! Since it’s still in preview, there is currently no information on pricing.

    When you have gotten yourself licenses it’s time to configure, and since this is Windows 365 you do everything from Microsoft Intune.

    One thing that differs the Frontline version from the Enterprise version is how licenses are assigned. For Enterprise you assign a license to a user to provision a Cloud PC, but for Frontline this works differently. You never assign the license to a user, and we will cover what you do instead further down in the post. It’s really clever!

    Setting up a frontline Cloud PC

    What you will need for this, except for the obvious Microsoft Intune and all its pre-requisites, is of course the Windows 365 Frontline license. This license gives you the right to provision 3 Cloud PCs per license. What you would typically also add to this is a Microsoft 365 F3 or E3/E5 license (or equivalent licensing) to gain all the features needed for managing and working with the digital workplace.

    You will also need a few groups (Azure AD groups or synced on-premises AD groups) with the users you are providing with a Cloud PC, this could e.g., be your IT Service Desk team.

    Once we have that in place, we can start configuring!

    Head over to https://intune.microsoft.com and navigate to Devices > Windows 365 and select the “Provisioning policies” tab.

    Click on the “+ Create policy” button to create your new Windows 365 Frontline provisioning policy.

    On the “General” step, give your profile a good name and make sure to select Frontline as license type. Then select the join type you would like to use, followed by the network settings. For this example, we will user Azure AD join and Microsoft Hosted network, and we will place the Cloud PCs in Sweden Central. When done, click Next.

    In the next step, we will select which image we will use. In this case, we will use the default value and just click Next.

    In the next step, we will apply a custom naming convention to differentiate these from our regular Cloud PCs, but this is mostly for my own convenience, and you can leave this to default. We will also add these computers to Windows Autopatch since I have that active in my environment. When done, click the Next button.

    In the next step, this is where the magic happens. Since you never assign licenses directly to a user you will need to add which groups should get Cloud PCs based on this policy, but also which license these groups should use. You can add multiple groups and have different machine sizes assigned to the separate groups. In this example, since I only have one license type, we will assign the same license to the same groups.

    You will also be able to see how many Cloud PCs you have left to assign.

    Once you have set up your groups and assigned the licenses to them, click on the Next button to review your settings before creating the policy. If everything is in order, click Create.

    Monitor Cloud PC provisioning

    Once you have created the provisioning policy and populated the assigned groups, your Windows 365 Frontline Cloud PCs will start to provision, and you can as always track this in the “All Cloud PCs” tab. What I’ve found is that I need to clear any filters applied before I can see the Frontline machines, so if you don’t see them just clear the filter.

    Once the Cloud PCs are provisioned, they will get name based on what we set in the naming template part of the provisioning policy and your Windows 365 Frontline Cloud PCs are ready to use!

    Connecting to Cloud PC Frontline

    As with all other Cloud PCs, there are a few different ways to connect to your Cloud PC Frontline, but the preferred way should always be using the Windows 365 app since this provides the best end-user experience.

    Once you sign in the to the Windows 365 application, you will see all your Cloud PCs listed. You will see both your assigned Enterprise and Frontline Cloud PCs. This will look similar in the Windows 365 web portal as well.

    As you can see in the picture, the Cloud PC Frontline machines are tagged with the word “Frontline” which provides me as an end-user a great way to differentiate the two different versions from each other. As you can also see, I can have several Cloud PC Frontlines assigned to me based on different profiles.

    When you click connect, the initial connection will take a little longer and you will see this ribbon on the Cloud PC.

    One the machine has booted; you will get a pop-up telling you to make sure to disconnect when you are done since the disconnection is what makes the license available for other users. The time-out time can also be set with policy on the Cloud PC using Intune.

    Once I confirm the connection, my Cloud PC will boot up and my session will start.

    From here, things are just as with my regular Cloud PC except that applications will be closed, and the Cloud PC will be turned off when I leave the session which results in that I will need to start my applications again. It is not that different from a physical PC which is turned off.

    Remote user actions

    In the Windows 365 app, as long as your Cloud PC Frontline is up and running, you can perform remote actions such as restart, troubleshoot or restore. But as soon as it’s powered down, you can only see system information and rename your Cloud PC.