This is the third part of the Windows 365 series on my blog focusing on the Intune integration and management.

Windows 365
This coast is all about Windows 365 and the Windows cloud experiences! Windows 365: the easy introIntroduction My first blog posts on Windows 365 were already 2 years old. This year I attended Workplace Ninja Summit in Switzerland and I got hooked by it again. Therefore I want to revive

Why is this so important? Because Intune + Windows 365 is a match made in heaven!
These two products life in the same ecosystem and where designed to work together seamlessly to provide the best experience for IT admins and end users.

Think of that, you will integrate your Cloud PCs into Intune and you also plan to have all other OS managed with it. Of course this is a strategic decision to follow a first-party strategy, but it would bring enormous benefits from my perspective and experience:

  • Use the existing knowledge of IT admins from Intune
  • Cost savings due to supporting only one platform (for every single IT department, from engineering to operations up to SecOps)
  • Apply existing profiles/policies and deploy existing apps from your Intune inventory
  • Benefit from seamless security integrations, monitoring and reports
  • Single-pane of glass experience for all endpoint management regardless of the OS
  • Integrated licenses for Intune (remark that Windows 365 is always a separate license)


Intune + Windows 365

Now learn about the key aspects:


I don't need to talk about the setup, because it is so easy and straightforward to provision a Cloud PC in Intune. All is integrated at the devices overview in the Intune portal

If you want to learn more about the technical setup, read this post:

Windows 365: technical design
Introduction This post is the second part of my Windows 365 series, where we look into all technical considerations and the technology to provide Cloud PCs. Windows 365This coast is all about Windows 365 and the Windows cloud experiences! Windows 365: the easy introIntroduction My first blog posts…


Assignment & targeting strategy

Next up is the assingment & targeting strategy. In Intune we can assign different device management profiles, policies or apps in order to manage, secure and control the behavior and look of our endpoints. Generally, in Intune we have:

  • Configuration profiles - configure any aspect of Windows
  • Compliance policy - validate compliance requirements on the endpoint
  • Endpoint Security - security baselines or security technologies like Defender, Firewall or Attack Surface Reduction (ASR)
  • Platform scripts & remediations - execute or schedule PowerShell scripts to run in the system or user context
  • Apps - deploy applications from the Microsoft Store or custom packaged

Specific to Windows 365 are:

  • Provisioning policies
  • User settings

This is individual for each Intune tenant but all share some common best practices. I would recommend to create groups & filters in Intune to distinctly target all your Windows 365 endpoints:


Type Description Dynamic query (rule syntax)
Security group Contains all Windows 365 Cloud PCs (device.deviceModel -contains "Cloud PC")
Intune filter Filters for all Windows 365 Cloud PCs (device.model -contains "Cloud PC")


Principally, I recommend to assign policies & apps to devices, but if you have user specific contents consider user groups too. Remember that mixing is not supported.


Endpoint profile list

To always know which technical configurations or content is applied to your Windows 365 machines, I would suggest to create a so called endpoint profile list. I have already explaind this in my Intune operations post:

Intune operations par excellence
💡Learn about how to align organizational operations, to deliver technology with excellence!Introduction Im my daily work as engineer and consultant I accompany organizations from several industries on their way to modern endpoint management with Microsoft Intune. Beside the technical challenges, I…

My recommendation

See the following list how my Cloud PC setup would look like. Adjust or extend it with more content or other types. This will help you throughout implementation and operation of your infrastructure to always get an overview how the Cloud PC looks like from a technical perspective.


Profile Type Profile/content type 1
Entra group W365-ProvisioningDefault
License type Enterprise
Geography Switzerland
Join type Entra
Networking Microsoft hosted network
Provisioning policy W365-ProvisioningDefault
User setting W365-UserDefault
Enrollment status page W365-ESP
Compliance policies W365-Compliance
Configuration profiles W365-WindowsSettings, W365-Edge, W365-OneDrive, W365-TrustedCertificate, W365-Updates, W365-VPN, W365-MMR
Endpoint Security W365-Defender, W365-Firewall, W365-ASR, W365-AccountProtection, W365LAPS
Default apps Company Portal, M365 Apps
Remediations LAPS-admin


It is up to you, if you want to use existing profiles that you already use or duplicate them and assign specifically for this Windows 365 use case. Depending on your environment and operations one way or another can make sense. (keep it simple = use existing | complex environment = duplicate and adjust existing)


Remote actions

As with every other endpoint that is onboarded to Intune, you can perform remote actions on the device such as synchronization, delete, wipe, collect diagnostics and more. For a Cloud PC, there are some dedicated applicable actions which I want to describe.

  • Restore - revert the Cloud PC to a restore point (image capture) of the past (restore periods are configured in the user settings)
  • Reprovision - reset the Cloud PC, the Microsoft service will automatically reprovision the Cloud PC again
  • Resize - up- or downgrade the specs (CPU, RAM and storage) of the Cloud PC without reprovisioning (will disconnect the user once for the action)
  • Place Cloud PC under review - put Cloud PC disk on an Azure storage account (seperate resource) for download and investigation or forensics




There are a built-in reports for Cloud PC to analyze their performance, connection (quality), utilization and health. Navigate to Intune>Reports and Cloud PC to view them all and gain valuable insights. Learn more

Recommendation: optimize licenses, especially for Frontline by analyzing the Connected Frontline Cloud PCs report.


If you want more insights to your Intune infrastrucutre, consider my Intune change tracking workbook



We have a few specialties for Windows 365 in combination with Intune management. I will highlight these topics here.

Grace periods
The grace period kicks in for a Cloud PC, when the license was removed from the user, but he can still use it for 7 days. An admin can also manually end the grace period. Learn more

Windows 365 encrypts data at rest and in transit and does not support BitLocker. Therefore, you should not apply a data encryption profile. Learn more

Multimedia redirection (MMR)
The multimedia redirection is available with a few prerequisites as Browser store app. It redirects HTML5 multimedia content directly to the host system for a better performance. Configure an Edge profiles as follows to install the add-on automatically and silent.


Quality profile
To configure the quality level of the remote desktop protocol compression algorithm (RDP) configure a settings catalog with Configure compression for RemoteFX data


Resource redirection
You can configure various resource redirection settings at Settings Catalog > Administrative templates Windows Components > Remote Desktop Services > Remote Desktop Session Host


Framerate unlock
The default frame rate of Windows 365 streaming is 30 frames per second (FPS). If you want to unlock the maximum up to 60 FPS, you can deploy a remediation script. This reg key set to 15, means a max frame rate of 60. Learn more

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\DWMFRAMEINTERVAL

Find the script package here

Provisioning policy modification (move Cloud PC or config change)
Imagine a scenario where the Cloud PC must be moved to another geographic location or a change to the fundamental configuration is made by the admin within the provisioning policy. Windows 365 supports a few changes that can also apply to already provisioned instances. Do this in the provisioning policy. Learn more


Idle time
Windows 365 disconnects a user session if the user signs off, the browser is closed or the Cloud PC is inactive for 2 hours. Especially for the Frontline license, where 3 users share 1 concurrent license, this should be implemented so the resources are always optimally used. Learn more


Watermarking & screen capture protection
To ensure data protection within a confidential session of a Cloud PC, it can make sense to apply a watermark and protect/block screen capture. Configure the following settings:


Keep in mind that in terms of data protection you should strive to Azure Information Protection with Microsoft Purview.

Endpoint Management with Microsoft Intune
Welcome to this coast! Learn everything on Endpoint Management with Microsoft Intune to deploy, manage, secure and monitor endpoints from all platforms through the cloud. Introduction, experience and thoughts Introduction to the Microsoft Intune product familyIntroduction This post is recommended f…
Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.