Windows 365: Intune integration management
Introduction
This is the third part of the Windows 365 series on my blog focusing on the Intune integration and management.
Niklas Tinner
Why is this so important? Because Intune + Windows 365 is a match made in heaven!
These two products life in the same ecosystem and where designed to work together seamlessly to provide the best experience for IT admins and end users.
Think of that, you will integrate your Cloud PCs into Intune and you also plan to have all other OS managed with it. Of course this is a strategic decision to follow a first-party strategy, but it would bring enormous benefits from my perspective and experience:
- Use the existing knowledge of IT admins from Intune
- Cost savings due to supporting only one platform (for every single IT department, from engineering to operations up to SecOps)
- Apply existing profiles/policies and deploy existing apps from your Intune inventory
- Benefit from seamless security integrations, monitoring and reports
- Single-pane of glass experience for all endpoint management regardless of the OS
- Integrated licenses for Intune (remark that Windows 365 is always a separate license)
Intune + Windows 365
Now learn about the key aspects:
Setup
I don't need to talk about the setup, because it is so easy and straightforward to provision a Cloud PC in Intune. All is integrated at the devices overview in the Intune portal
If you want to learn more about the technical setup, read this post:
Niklas Tinner
Assignment & targeting strategy
Next up is the assingment & targeting strategy. In Intune we can assign different device management profiles, policies or apps in order to manage, secure and control the behavior and look of our endpoints. Generally, in Intune we have:
- Configuration profiles - configure any aspect of Windows
- Compliance policy - validate compliance requirements on the endpoint
- Endpoint Security - security baselines or security technologies like Defender, Firewall or Attack Surface Reduction (ASR)
- Platform scripts & remediations - execute or schedule PowerShell scripts to run in the system or user context
- Apps - deploy applications from the Microsoft Store or custom packaged
Specific to Windows 365 are:
- Provisioning policies
- User settings
This is individual for each Intune tenant but all share some common best practices. I would recommend to create groups & filters in Intune to distinctly target all your Windows 365 endpoints:
| Type | Description | Dynamic query (rule syntax) |
|---|---|---|
| Security group | Contains all Windows 365 Cloud PCs | (device.deviceModel -contains "Cloud PC") |
| Intune filter | Filters for all Windows 365 Cloud PCs | (device.model -contains "Cloud PC") |
Endpoint profile list
To always know which technical configurations or content is applied to your Windows 365 machines, I would suggest to create a so called endpoint profile list. I have already explaind this in my Intune operations post:
Niklas Tinner
My recommendation
See the following list how my Cloud PC setup would look like. Adjust or extend it with more content or other types. This will help you throughout implementation and operation of your infrastructure to always get an overview how the Cloud PC looks like from a technical perspective.
| Profile Type | Profile/content type 1 |
|---|---|
| Entra group | W365-ProvisioningDefault |
| License type | Enterprise |
| Geography | Switzerland |
| Join type | Entra |
| Networking | Microsoft hosted network |
| Provisioning policy | W365-ProvisioningDefault |
| User setting | W365-UserDefault |
| Enrollment status page | W365-ESP |
| Compliance policies | W365-Compliance |
| Configuration profiles | W365-WindowsSettings, W365-Edge, W365-OneDrive, W365-TrustedCertificate, W365-Updates, W365-VPN, W365-MMR |
| Endpoint Security | W365-Defender, W365-Firewall, W365-ASR, W365-AccountProtection, W365LAPS |
| Default apps | Company Portal, M365 Apps |
| Remediations | LAPS-admin |
Remote actions
As with every other endpoint that is onboarded to Intune, you can perform remote actions on the device such as synchronization, delete, wipe, collect diagnostics and more. For a Cloud PC, there are some dedicated applicable actions which I want to describe.
- Restore - revert the Cloud PC to a restore point (image capture) of the past (restore periods are configured in the user settings)
- Reprovision - reset the Cloud PC, the Microsoft service will automatically reprovision the Cloud PC again
- Resize - up- or downgrade the specs (CPU, RAM and storage) of the Cloud PC without reprovisioning (will disconnect the user once for the action)
- Place Cloud PC under review - put Cloud PC disk on an Azure storage account (seperate resource) for download and investigation or forensics
Reports
There are a built-in reports for Cloud PC to analyze their performance, connection (quality), utilization and health. Navigate to Intune>Reports and Cloud PC to view them all and gain valuable insights. Learn more
If you want more insights to your Intune infrastrucutre, consider my Intune change tracking workbook
Specialties
We have a few specialties for Windows 365 in combination with Intune management. I will highlight these topics here.
Grace periods
The grace period kicks in for a Cloud PC, when the license was removed from the user, but he can still use it for 7 days. An admin can also manually end the grace period. Learn more
BitLocker
Windows 365 encrypts data at rest and in transit and does not support BitLocker. Therefore, you should not apply a data encryption profile. Learn more
Multimedia redirection (MMR)
The multimedia redirection is available with a few prerequisites as Browser store app. It redirects HTML5 multimedia content directly to the host system for a better performance. Configure an Edge profiles as follows to install the add-on automatically and silent.
Quality profile
To configure the quality level of the remote desktop protocol compression algorithm (RDP) configure a settings catalog with Configure compression for RemoteFX data
Resource redirection
You can configure various resource redirection settings at Settings Catalog > Administrative templates Windows Components > Remote Desktop Services > Remote Desktop Session Host
Framerate unlock
The default frame rate of Windows 365 streaming is 30 frames per second (FPS). If you want to unlock the maximum up to 60 FPS, you can deploy a remediation script. This reg key set to 15, means a max frame rate of 60. Learn more
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\DWMFRAMEINTERVALFind the script package here
Provisioning policy modification (move Cloud PC or config change)
Imagine a scenario where the Cloud PC must be moved to another geographic location or a change to the fundamental configuration is made by the admin within the provisioning policy. Windows 365 supports a few changes that can also apply to already provisioned instances. Do this in the provisioning policy. Learn more
Idle time
Windows 365 disconnects a user session if the user signs off, the browser is closed or the Cloud PC is inactive for 2 hours. Especially for the Frontline license, where 3 users share 1 concurrent license, this should be implemented so the resources are always optimally used. Learn more
Watermarking & screen capture protection
To ensure data protection within a confidential session of a Cloud PC, it can make sense to apply a watermark and protect/block screen capture. Configure the following settings:
Niklas Tinner
Niklas Tinner