Microsoft released their new subscription-based Windows 365 Cloud PCs. With Cloud PCs, you rent a desktop environment in Microsoft Azure. There is a variety of CPU, RAM and storage options. They reside directly in your Azure AD tenant while also being actively managed by Microsoft Intune.
I see this as the sweet spot between a desktop virtualisation environment and giving users the freedom to create their own modern workspace. Let’s dive in and see what this new product has to offer.
Sign up for a free trial
You can sign up for a free trial of Microsoft 365 Enterprise Cloud PCs right from the Microsoft 365 Admin Center. Go to Billing, click on Purchase services and search for Windows 365 Enterprise. Select the plan with 2 vCPUs, 8GB of RAM and 128GB storage and click on Start free trial.
Note: A valid billing address is required to confirm the trial. No credit card is needed. Make sure your billing details are up to date before continuing.
The license is now available within your Azure AD tenant for 30 days. Next, assign the license to a user to start testing with Cloud PCs.
Provisioning policies must be configured before users can start using Cloud PCs. You configure these policies in Intune. They hold the provisioning rules that let the Windows 365 service set up and configure the Cloud PCs for your users.
We will keep things simple for now and stick with the basics.
- Within the Microsoft Endpoint admin center, go to Devices > Windows 365 > Provisioning policies and click on Create policy.
- On the general page, enter a Name and Description for the new policy.
- You can choose to join Cloud PCs with Azure AD only, or bind them to on-premises Active Directory with an Azure Hybrid join. Choose Azure AD joined.
- As network, select Microsoft hosted network and use West Europe as region.
- Choose an image. You can pick from a range of standard images such as Windows 11, Windows 11 with Microsoft 365 apps, Windows 10 and Windows 10 with Microsoft 365 apps. Select Windows 11 with Microsoft 365 apps. It is possible to use your own image as well.
- Assign an Azure AD group to this policy. If you only use one provisioning profile, create a dynamic group with users who have a license for Windows 365 Enterprise assigned.
- Create the profile and click on the tab All Cloud PCs. You should now see that a Cloud PC is in a provisioning state for the users you’ve just assigned the license to.
Note: It takes a while for the Cloud PC to provision. In the meantime the user cannot access this resource.
Access a Cloud PC
Users can access Cloud PCs in two different ways:
- Microsoft Remote Desktop
The web version supports Windows, macOS, ChromeOS and Linux through Microsoft Edge, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later).
To demonstrate the new Cloud PC, let us use the Windows 365 Portal.
We are greeted with the Windows Autopilot enrolment screen. Any application/policy assignments scoped to Cloud PCs are enforced first. If there are any active Conditional Access policies assigned to the user, you might need to log in with your Azure AD credentials, including Multi-factor authentication.
Having ended up on the desktop, it is finally time to start using our brand new Cloud PC.
Scoping policies and apps to Cloud PCs
We obviously want to configure and secure these resources because it is likely to be an environment where your users work with company data. Deliver apps, configuration and more by using the standard functionality already present in Microsoft Intune. Overall this is not too different from managing physical hardware.
But there are some differences. For example, Cloud PCs do not support BitLocker and therefore your standard compliance policies mark them as non-compliant. Use the rules below to create either a dynamic Azure AD group or a device filter.
```
# Dynamic membership for Azure AD
(device.deviceModel -startsWith "Cloud PC")

# Device filter within Microsoft Intune
(device.model -startsWith "Cloud PC")
```
Note: Please keep in mind that BitLocker is not supported when using Cloud PCs. Make sure that your compliance policy does not check for enforcement since it will always result in a non-compliant state.
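The two dynamic groups used in this walkthrough (licensed users for the provisioning policy, and Cloud PC devices for scoping compliance policies) can also be created from PowerShell. This is an added example, not part of the original article: it assumes the Microsoft.Graph PowerShell module, and the group names and the service plan ID placeholder are hypothetical values to replace with your own.

```powershell
# Added example: requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Hypothetical group names. <SERVICE-PLAN-ID> is a placeholder for the
# Windows 365 Enterprise service plan ID found in your own tenant.
$groups = @(
    @{
        Name = 'W365-CloudPC-Devices'
        # Device rule taken from the article
        Rule = '(device.deviceModel -startsWith "Cloud PC")'
    },
    @{
        Name = 'W365-Licensed-Users'
        # License-based user rule (assumed form; replace the placeholder)
        Rule = 'user.assignedPlans -any (assignedPlan.servicePlanId -eq "<SERVICE-PLAN-ID>" -and assignedPlan.capabilityStatus -eq "Enabled")'
    }
)

foreach ($g in $groups) {
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'" `
        -Property Id, DisplayName, MembershipRule

    if ($existing) {
        # Never silently reuse a group whose rule has drifted: policies scoped
        # to it would then apply to the wrong set of users or devices.
        if ($existing.MembershipRule -ne $g.Rule) {
            Write-Warning "$($g.Name) exists with a different rule: $($existing.MembershipRule)"
        }
        continue
    }

    New-MgGroup -DisplayName $g.Name `
        -MailEnabled:$false -MailNickname $g.Name `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $g.Rule `
        -MembershipRuleProcessingState 'On' |
        Select-Object Id, DisplayName, MembershipRule
}
```

Dynamic membership is evaluated asynchronously, so check the group members before relying on the device group to exclude Cloud PCs from a BitLocker compliance check.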
Since the concept of a desktop virtualisation environment is not entirely new, I was sceptical at first. Just another Azure Virtual Desktop of some sort. However, taking the first steps using Windows 365 Enterprise Cloud PCs leaves a lot of thoughts on what is actually possible.
Surprisingly this new offer from Microsoft opens up a sweet spot between a cloud management environment without the need to buy expensive hardware and the flexibility for the user to configure their own workspace within the boundaries of company policies.
Lastly, the ability to use all the features and services that Microsoft Intune has to offer enables system administrators to offer end users a flexible, secure and robust modern workplace.
There is still a lot that I didn’t cover in this post and I am excited to explore different features in the coming weeks.
Note: Update! On September 26th I published a second article regarding Windows 365 Cloud PCs in combination with Hybrid Azure AD join. Check it out here!