Introduction

This post is the second part of my Windows 365 series, where we look into all technical considerations and the technology to provide Cloud PCs.

Related post in this series: Windows 365: the easy intro

Before you start a proof-of-concept, you should know:

  1. The business (use cases) and IT requirements
  2. The technology and design aspects (in this post)
  3. Make decisions on how to set up and configure Windows 365

Prerequisites

Before we start you should ensure that your environment meets the prerequisites of Windows 365.

  • Licensing
    • Windows E3, Intune, Microsoft Entra ID P1, and Windows 365
  • Management
    • You must have an Entra ID & Intune tenant
  • Networking
    • Ensure the Windows 365 and Azure Virtual Desktop service endpoints are reachable from the physical (access) device
    • Don't run this traffic through interception technologies such as SSL/TLS inspection; exclude the service endpoints from any inspecting proxy
    • Depending on the network architecture you choose:
      • Microsoft hosted network: none
      • Azure Network Connection (ANC): Azure subscription with various resources
        • Ensure availability of the Microsoft Intune service, Azure Virtual Desktop and the Windows 365 service from that network
    • Read the bandwidth specifications to understand how inbound and outbound data traffic is treated. Simply put:
      • Microsoft hosted network: inbound free / the outbound data allowance per month is based on the RAM of the Cloud PC
      • ANC: inbound free / outbound is charged consumption-based
  • Supported Azure regions for Cloud PC provisioning
  • If you plan for Hybrid Entra Join, verify domain requirements

Provisioning

Provisioning is the first phase in the lifecycle of a Cloud PC: the initial setup, preparation and foundational configuration. It requires a Provisioning Policy, which is created in the Intune portal and has 4 elements:

  • General
  • Image
  • Configuration
  • Assignments

provisioning-policy-elements-3

provisioning-policy

🗒️
In a complex environment you probably have multiple provisioning policies. They may be separated because of:
  • Enterprise/Frontline differentiation
  • Different network requirements
  • Custom images
  • Different geography for users around the globe
  • Assignment to other users / groups
ℹ️
Note, that you can reapply configuration changes to existing Cloud PCs if you make changes in the provisioning policy.

General

License type

Choose Windows 365 Enterprise or Windows 365 Frontline.

Join type

The join type defines where the computer object lives and which identity the device trusts; it also enables capabilities like single sign-on. There are two options:

  • Entra joined
    • Computer object only exists in Entra ID
    • Users sign in with their Entra cloud account
    • Works out of the box, no additional infrastructure
  • Hybrid Entra joined
    • Computer object exists in on-premises Active Directory and is synced to Entra ID
    • Users authenticate to the Windows 365 service with their Entra account and to Windows with the synced on-premises AD identity
    • Requires
      • Entra Connect Sync
      • An Azure Network Connection so the Cloud PC can reach your domain controllers for the domain join and sign-in
💡
Recommendation: Regardless of Windows 365 or any other use case: Entra Join is the way to go.

 

Network

Networking and connectivity is an important topic, since Windows 365 runs as a service inside Microsoft's network. Traffic to and from the Cloud PC therefore already benefits from Microsoft's high-performance backbone, but there is no built-in path to your on-premises network and resources. There are 2 network types to choose from in a provisioning policy:

  • Microsoft hosted network
    • Microsoft provisions, maintains and runs the network for your Cloud PCs
    • The Cloud PC has outbound internet access straight from Microsoft's network and is not reachable inbound from the internet
    • Set up a point-to-site VPN on the Cloud PC if you need access to on-premises resources

microsoft-hosted-network-option

  • Azure network connection (requires Azure resources)
    • Bring your own network: the Cloud PC's network interface is placed in an Azure virtual network that you provision, maintain and run
    • Route traffic through your own network to apply full controls, including granular security (firewalls, proxies, network security groups)
    • Connect that virtual network to on-premises with a site-to-site VPN or an ExpressRoute circuit for seamless access

azure-network-connection-azure-ad-join

Connection to on-premises network

There are 2 ways to reach resources located in your on-premises network:

  • Point-to-site VPN
    • A VPN client is installed on the Cloud PC and the user or device authenticates to the VPN; this also works with the Microsoft hosted network
  • Site-to-site VPN or ExpressRoute
    • The Cloud PC sits in an Azure virtual network (Azure Network Connection) that is connected to on-premises through a site-to-site VPN gateway or an ExpressRoute circuit. No client installation and no VPN authentication on the machine.

Client connectivity

The access device needs a good and stable internet connection to the Cloud PC; use Microsoft's bandwidth and latency guidance as a reference.
To improve connectivity in complex networks, take a look at RDP Shortpath, which moves the session from TCP through the gateway to a direct UDP path where possible.
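The two checks a practitioner usually wants before a proof-of-concept are whether the access device can actually reach the service endpoints on TCP 443 and whether a proxy in the path is re-signing TLS (the "no SSL inspection" prerequisite above). The following PowerShell script is an added example for this post, not code from the original article or from Microsoft. The endpoint list is a small subset I picked from the published Windows 365 / Azure Virtual Desktop endpoint lists, and the issuer heuristic (a Microsoft or DigiCert issuing CA means "not inspected") is my assumption; adjust both for your tenant.

```powershell
# Added example (not from the original post): reachability and TLS-interception
# check for Windows 365 / AVD endpoints from the physical access device.
# Endpoint list: assumed subset of Microsoft's published required endpoints.
# Issuer heuristic: assumption, tune it to the CAs you actually expect.
$endpoints = @(
    'login.microsoftonline.com',
    'windows365.microsoft.com',
    'rdweb.wvd.microsoft.com',
    'rdbroker.wvd.microsoft.com',
    'rdgateway.wvd.microsoft.com'
)
$trustedIssuers = 'Microsoft', 'DigiCert'   # assumption: expected issuing CAs

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $result = [ordered]@{
        Host      = $HostName
        Reachable = $false
        Issuer    = $null
        Inspected = $null
        Error     = $null
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $result.Reachable = $true

        # Accept any certificate here on purpose: we want to see what the client
        # really receives, even if an inspecting proxy swapped it out.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI so we get the real leaf cert
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Issuer = $cert.Issuer

        # A proxy doing SSL inspection re-signs with its own CA, so the issuer
        # will be your corporate CA instead of a Microsoft/DigiCert issuing CA.
        $knownIssuer = $trustedIssuers | Where-Object { $cert.Issuer -like "*$_*" }
        $result.Inspected = -not [bool]$knownIssuer
        $ssl.Dispose()
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$endpoints | ForEach-Object { Test-TlsEndpoint -HostName $_ } | Format-Table -AutoSize
```

Run it from the physical client in the network segment the users will sit in, not from an admin workstation with different proxy rules. A row with `Reachable = False` means the endpoint must be allowed on the firewall or proxy; a row with `Inspected = True` points at a TLS-inspecting device that needs a bypass for the Windows 365 and AVD endpoints.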

ℹ️
Note, that I will not go into details of bring your own network with an Azure Network Connection in this post.
💡
Recommendation: Depending on your use case.
If you don't need network connection to internal resources, choose a Microsoft hosted network.
If you need connection to internal resources or need to redirect the traffic for security reasons, choose an Azure network connection.

 

Geography and region

Geographic datacenter location where the Cloud PC is hosted.

💡
Recommendation: Choose the nearest location of the end user.

 

Entra single sign-on

Use a single authentication prompt for Windows 365 and the Cloud PC: the Entra authentication to the Windows 365 service also signs the user into Windows, so no second credential prompt appears when the session connects.

💡
Recommendation: Enable for the best user experience.

 

Image

The image is the operating system platform used to provision Cloud PCs. There are two options to choose from:

  • Gallery image
    • Microsoft provides and maintains the latest image for you
    • Windows 10/11, either with Microsoft 365 Apps preinstalled or as an OS-optimized variant
  • Custom image
    • Bring your own image, provided from an Azure subscription
    • Must be a generalized, generation 2 image running Windows 10 Enterprise or newer
    • The Windows 365 service principal needs Reader access on the Azure subscription that holds the image
💡
Recommendation: Use gallery images provided by Microsoft, so you don't need to care about maintaining and updating an image. This is the simplest way to go and offers the best compatibility.

 

Configuration

Language & Region

Select the preferred language and Region or country for your Cloud PCs.

💡
Recommendation: Choose the one fitting for the end user. Language switch after provisioning can be achieved with Microsoft Store Language Experience Packs or PowerShell.

 

Cloud PC naming

Specify a naming template for the hostname and the display name in Intune.

💡
Recommendation: For easier identification choose a naming template. I would advise giving all Cloud PCs a prefix of W365-
Use the %USERNAME:x% macro (first x characters of the username) or the %RAND:y% macro (y random characters); the resulting hostname is limited to 15 characters.
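To see how a template resolves for real users, and whether it survives the 15-character NetBIOS hostname limit, before you put it into a provisioning policy, here is an added PowerShell example. It is my planning aid, not code from the original post or from Microsoft. Assumptions: %USERNAME:x% takes the first x characters of the UPN prefix with non-alphanumerics dropped and the result upper-cased, and %RAND:y% draws y characters from A-Z and 0-9; the service's exact expansion rules may differ in detail.

```powershell
# Added example (not from the original post): expand a Windows 365 naming
# template for one user and validate it against Windows computer-name rules.
# Assumptions: %USERNAME:x% = first x chars of the UPN prefix (alphanumerics
# only, upper-cased); %RAND:y% = y chars from A-Z0-9. Treat as a planning aid.
function Expand-CloudPcName {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $user  = ($UserPrincipalName.Split('@')[0] -replace '[^A-Za-z0-9]', '').ToUpperInvariant()
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $name  = $Template

    # %USERNAME:x% -> first x characters of the (cleaned) username
    foreach ($m in [regex]::Matches($Template, '%USERNAME:(\d+)%')) {
        $n    = [int]$m.Groups[1].Value
        $name = $name.Replace($m.Value, $user.Substring(0, [Math]::Min($n, $user.Length)))
    }
    # %RAND:y% -> y random characters
    foreach ($m in [regex]::Matches($Template, '%RAND:(\d+)%')) {
        $n    = [int]$m.Groups[1].Value
        $rand = -join (1..$n | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
        $name = $name.Replace($m.Value, $rand)
    }

    # Windows/NetBIOS computer-name rules: max 15 characters, letters, digits and
    # hyphens only, not purely numeric, no leading or trailing hyphen
    $problems = @()
    if ($name.Length -gt 15)               { $problems += "length $($name.Length) > 15" }
    if ($name -notmatch '^[A-Za-z0-9-]+$') { $problems += 'invalid characters (unresolved macro?)' }
    if ($name -match '^\d+$')              { $problems += 'all-numeric name' }
    if ($name -match '^-|-$')              { $problems += 'leading/trailing hyphen' }

    [pscustomobject]@{
        Template = $Template
        Name     = $name
        Length   = $name.Length
        Valid    = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

# First template fits exactly (5 + 5 + 1 + 4 = 15), the second is two characters too long
Expand-CloudPcName -Template 'W365-%USERNAME:5%-%RAND:4%' -UserPrincipalName 'jane.doe@contoso.com'
Expand-CloudPcName -Template 'W365-%USERNAME:7%-%RAND:4%' -UserPrincipalName 'jane.doe@contoso.com'
```

Because %RAND:y% is the only part that guarantees uniqueness when two users share a username prefix, size it so that prefix plus the longest expected username part still leaves room for it inside the 15 characters.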

 

Additional Services (Windows Autopatch)

Equip your Cloud PC with additional services. Windows Autopatch is a Microsoft service that handles Windows Updates automatically for your Intune-enrolled machines.


Assignments / Cloud PC onboarding for users

Provisioning a Cloud PC for a user is simple. Verify the following steps:

  1. The user has a Windows 365 license assigned (either directly or through a group)

license

  2. A Windows 365 provisioning policy is set up and assigned to a group of which the user is a member

provisioning-policy-final

  3. The Cloud PC starts to provision automatically (usually takes ~30 minutes). These are the different states of a Cloud PC:
  • Failed - provisioning did not finish and failed for some reason
  • In grace period - the license was revoked; the Cloud PC still works for 7 days until it gets deprovisioned (this triggers an alert)
  • Provisioned - ready to connect & use
  • Provisioned with warning - ready to connect & use, but something went wrong along the way
  • Provisioning - the Cloud PC is currently being prepared and cannot be connected to yet, wait
  • Not provisioned - license assigned to the user, but provisioning has not started

status
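When a user reports "no Cloud PC", the three steps above are exactly what you check, and they can be checked from Microsoft Graph without clicking through the portal. The script below is an added example for this post (not the author's code and not a Microsoft sample). It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can consent to the listed scopes; the `CPC_` SKU prefix used to recognise Windows 365 licenses is an assumption you should confirm against `Get-MgSubscribedSku` in your tenant.

```powershell
# Added example (not from the original post): verify the three onboarding
# prerequisites for one user via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; Windows 365 SKUs start with 'CPC_'.
param([Parameter(Mandatory)][string]$UserPrincipalName)

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All', 'CloudPC.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/beta'

# Follows @odata.nextLink so large tenants are not truncated at the first page
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# 1. License: licenseDetails reflects direct and group-based assignments alike
$licenses = Get-GraphCollection "$graph/users/$UserPrincipalName/licenseDetails"
$w365Skus = @($licenses | Where-Object { $_.skuPartNumber -like 'CPC_*' } |
              Select-Object -ExpandProperty skuPartNumber)

# 2. Provisioning policy: the user must be a (transitive) member of an assigned group
$groups   = Get-GraphCollection "$graph/users/$UserPrincipalName/transitiveMemberOf/microsoft.graph.group?`$select=id,displayName"
$groupIds = @($groups | ForEach-Object { $_.id })
$policies = Get-GraphCollection "$graph/deviceManagement/virtualEndpoint/provisioningPolicies?`$expand=assignments"
$matchedPolicies = @(
    foreach ($policy in $policies) {
        foreach ($assignment in $policy.assignments) {
            if ($groupIds -contains $assignment.target.groupId) { $policy.displayName }
        }
    }
)

# 3. Cloud PC state for this user (see the state list above)
$cloudPcs = @(Get-GraphCollection "$graph/deviceManagement/virtualEndpoint/cloudPCs" |
              Where-Object { $_.userPrincipalName -eq $UserPrincipalName })

$licenseText = if ($w365Skus.Count)        { $w365Skus -join ', ' }        else { 'MISSING' }
$policyText  = if ($matchedPolicies.Count) { $matchedPolicies -join ', ' } else { 'NOT ASSIGNED' }
$cloudPcText = if ($cloudPcs.Count) {
    ($cloudPcs | ForEach-Object { "$($_.managedDeviceName) [$($_.status)]" }) -join ', '
} else { 'none yet' }

[pscustomobject]@{
    User               = $UserPrincipalName
    Windows365License  = $licenseText
    ProvisioningPolicy = $policyText
    CloudPCs           = $cloudPcText
}
```

Read the output top-down: a `MISSING` license with a matched policy explains a `Not provisioned` state, a license without any matched policy means the user is not in an assigned group (check nested groups, which is why the script uses `transitiveMemberOf`), and a Cloud PC in `inGracePeriod` tells you the license was removed rather than provisioning failing.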

That's it! 🚀


Alerts

If you deploy Windows 365 in your tenant make sure to enable alert rules that will inform you when there is a service issue in your environment that has a high impact on the Cloud PC infrastructure.

alerts

Learn more about custom alerts for Windows 365:

Custom alerts for Windows 365: Windows 365 built-in alerts are found in Intune > Tenant administration > Alerts, although these may not provide you all use cases that you…

Oceanleaf
Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.