From Anet A8 Plus to Bambu Lab X1 Carbon – My Journey into Effortless 3D Printing

When I think back to how my 3D printing journey started, it all began with a big box of parts and a manual that felt like it was translated by an AI still in beta. That was the Anet A8 Plus—my very first printer. It was as DIY as it gets. You didn’t just build the prints—you practically built the printer itself.

The A8 Plus was a fantastic learning tool. I learned what a stepper driver was, how to flash firmware, how to fix a failed thermistor, and that fire hazards were very real if you weren’t careful with your wiring.

Later, I upgraded to the Creality Ender-5 Pro, which felt like a huge step up. It was sturdier, more consistent, and less prone to spontaneous meltdowns. But even that required regular tinkering—manual bed leveling, frequent nozzle changes, and more “printer babysitting” than I liked to admit.

Then came the Bambu Lab X1 Carbon.

If the A8 Plus was the equivalent of building your own race car and the Ender-5 Pro was a dependable but clunky commuter, the X1C is a Tesla Model S of printers: sleek, fast, nearly autonomous, and kind of magical.

The Evolution of Setup: Screws, Springs, and… Silence?

The Anet A8 Plus was where I learned patience. Assembly took hours. Wiring felt like a bomb defusal mission. Firmware? Let’s just say I bricked it once and learned to never skip backups again.

The Ender-5 Pro was pre-assembled to an extent, but still required manual leveling and tuning. Every time I moved the printer, I had to redo everything. Good prints were possible—but they weren’t guaranteed.

Then the Bambu Lab X1C showed up.

Fully assembled. No Z-bracing hacks needed. No fiddling with springs and wheels. It booted up with a clean interface, and after a few taps on the touchscreen, which was easily mounted, it auto-calibrated everything from bed leveling to flow rate compensation.

It felt like jumping into a self-driving car after years of clutch-kicking old stick shifts.

Unboxing: From Cardboard Chaos to Premium Packaging

The Ender-5 Pro came in a box filled with foam blocks, mystery screws, and semi-labeled bags. Not quite chaos, but you definitely needed a good table and some spare time.

Unboxing the Bambu Lab X1 Carbon was a totally different experience. Think “Apple product”. Everything was labeled, secured, and neatly packed. The AMS (Automatic Material System) had its own box, clearly organized with guides and quick-start instructions.

In 20 minutes, I had it powered on and connected to Wi-Fi. No zip ties. No half-translated instructions. Just plug-and-play. And it felt luxurious.

First Print: A Benchmark Benchy, But Make it Beautiful

We all do it. The first print is always a Benchy. But with the X1C, it wasn’t just to test the printer—it was to witness what modern hardware could do with zero tinkering.

This Benchy came out faster, cleaner, and more detailed than any print I’d ever done on my Ender-5 Pro or Anet A8 Plus. The hull was smooth, the portholes were crisp, and the layers? Practically invisible.

No first layer anxiety. No extrusion hiccups. Just hit “print” and watch it go.

AMS: The Game-Changer I Didn’t Know I Needed

Back on the A8 and Ender, multi-color printing was a manual mess. Pause the print, swap the filament, purge, hope the printer doesn’t blob up the nozzle, and repeat.

With the AMS, that whole drama vanished. I loaded four filaments, selected colors in Bambu Studio, and let it run. The AMS handled filament switching, detection, and purging all on its own.

Watching it print a multicolor model—with seamless transitions—felt like magic.

Speed and Precision: CoreXY Muscle

On the Ender-5 Pro, I had to balance speed with quality. Push too fast, and the prints got sloppy. Stick to 50mm/s and you’d wait overnight.

The X1C prints at up to 500mm/s thanks to its CoreXY motion system. That’s not a typo. And somehow, it doesn’t shake, doesn’t wobble, and doesn’t lose accuracy.

A model that took 7 hours on the Ender now finishes in under 3. And with better quality.

Noise and Smell: Office Friendly at Last

Both the Anet and Ender were noisy. Stepper motor whine, fans, open-frame echoing… not something you want running next to your desk.

The X1C is enclosed and well-insulated. The AMS adds some clicking during filament changes, but overall it’s just a soft hum. No PLA smell. No ABS fumes. Finally, a printer that doesn’t dominate the room it’s in.

Slicer Experience: From Cura Tuning to Bambu Smoothness

Cura served me well, especially on the Ender. But getting prints dialed in took work—adjusting profiles, testing retraction, tuning speeds.

Bambu Studio is built for the X1C. It has presets that just work, but also allows deep customization. It connects directly to the printer, offers real-time monitoring, and even supports remote starts.

I send models from my laptop and start prints from my phone. No SD card shuffle. No hassle.

Downsides? A Few.

  • Cost: It’s a premium machine, and the AMS adds to the price. Not for budget tinkerers.
  • Filament Drying: AMS isn’t a dryer. You still need dry storage for hygroscopic filaments.
  • Ecosystem Lock-In: It works best with Bambu gear and software. You can go open-source, but it takes more effort.

Still, these are minor trade-offs compared to the value and time it saves.

What I Still Use the Ender For

Believe it or not, the Ender-5 Pro still gets some use. It’s great for rough prototypes, quick PETG brackets, or experimental filaments I don’t want to risk clogging the AMS.

The A8 Plus? It retired with honors. It taught me everything I needed to know about 3D printing—the hard way.

Final Thoughts: Worth the Hype

The Bambu Lab X1 Carbon changed how I think about 3D printing. It’s no longer a technical project—it’s a creative tool. It’s fast, reliable, versatile, and smart.

For anyone coming from the tinker-heavy days of Anet or Creality machines, the X1C feels like stepping into the future.

Would I recommend it? 100%. If you want to focus on printing instead of troubleshooting, the X1C is the printer you’ve been waiting for.

And once you try it, there’s no going back.

Windows Autopilot Device Preparation – Overcoming the Win32 App Deployment Challenge

Windows Autopilot is a set of technologies that is built to simplify the process of deploying, setting up, and configuring new devices. By using this technology, users can avoid going through the traditional imaging process and save countless productive hours.

However, Autopilot is not without its faults. One of the more common instances of running into problems occurs when using Managed Installer policies with Win32 app deployment during the Autopilot device preparation phase. As an issue that can cause quite a headache, this blog will help you better understand this problem as well as provide you with solutions for addressing it.

Windows Autopilot Explained

Windows Autopilot gives organizations a solution that eliminates the challenges that come with building, maintaining, and generally applying custom images. IT admins can use this service to set up new desktops to join pre-existing configuration groups and apply profiles to the desktops. What this does is give users the opportunity to access fully functional desktops from their first login.

Importance of Managed Installer Policies

Managed Installer policies are useful for dictating which applications can be installed on your organization’s devices. Once enabled, Managed Installer uses a special rule collection in AppLocker to designate binaries. These are trusted by your organization as an authorized source for application installation.

The problem IT admins will run into is that currently Windows Autopilot device preparation doesn’t guarantee the delivery of the Managed Installer policy before trying to install Win32 apps. Because of this, you may end up with deployment failures during the App Installation phase of Autopilot.

INVESTIGATING THE PROBLEM

A regular deployment scenario follows a series of steps that begins with the launch of the Autopilot Device Preparation process. Following this, Win32 apps are then scheduled for installation as part of the device preparation policy.

At this point, the Managed Installer policy won’t yet have been installed. The reason why you may see the Win32 app installations failing is because the policy is set up to block apps from unverified sources.

WHAT TO EXPECT With Windows Autopilot

One of the things you can expect to see because of this issue is the Autopilot deployment process stopping at the app installation phase. You will also get error messages showing application deployment failures. Another thing to expect is that deployment reports will show failed Win32 app installations. Lastly, end-users may receive incomplete or improperly configured devices.

How has Microsoft addressed the issue?

Microsoft is fully aware of the issue at hand and has offered some recommendations that provide a temporary solution. IT admins can start by removing Win32 apps from all Autopilot device preparation policies.

Also, devices should be left to complete Autopilot and reach the desktop. Furthermore, Win32 apps and Managed Installer policies need to be applied after the user gets to the desktop.

In October 2024, Microsoft announced service release 2410 that introduced some new changes that will see Win32 and Microsoft Store apps being automatically skipped during device preparation and instead continuing to the desktop. To implement these solutions, you’ll need to follow the steps below:

AUDIT YOUR EXISTING Windows AUTOPILOT DEVICE PREPARATION POLICIES

For this process, organizations need to identify all device preparation policies configured in Intune. You’ll also need to verify any Win32 apps included in these policies. With all this done, make sure to document these apps as well as their purpose.

REMOVE WIN32 APPS FROM DEVICE PREPARATION POLICIES

Navigate to Microsoft Intune and edit your existing device preparation policies. Then, proceed to remove all Win32 apps from these policies. Once these tasks are complete, save and apply the updated policies.

MONITOR DEPLOYMENT STATUS

Use the updated policies to deploy your devices. You can track the progress of this process using the Autopilot Deployment Report. Make sure that you check that devices reach the desktop without app installation failures.

DEPLOY WIN32 APPS POST-ENROLLMENT

Once a device has reached the desktop, you can reassign your Win32 apps to deploy. You’ll need to use Required or Available for enrolled devices deployment settings in Intune. The success of app installation can be monitored using Intune’s reporting tools.

Alternative Options

In addition to the recommendations by Microsoft, there are other options that organizations can consider to address the above-mentioned issue. These include:

PRE-STAGE CRITICAL APPLICATIONS

One thing that organizations can consider doing is pre-staging key apps that are required to be on the device at deployment. This can be done using offline methods such as:

  • Injecting apps into the Windows image using tools like OSDCloud or Configuration Manager.
  • App deployment using PowerShell scripts post-Autopilot.

CONDITIONAL ACCESS AND APP PROTECTION POLICIES

If your organization is worried about security, then using Conditional Access policies will help block access to corporate resources until the necessary apps have been installed. An example of this would be enforcing Conditional Access policies to ensure that non-compliant devices are prevented from accessing the organization’s resources.

Optimize Enrollment Status Page (ESP) Configuration

The Enrollment Status Page plays a key role in controlling app deployment during Windows Autopilot. This is done by dividing the deployment into several stages, thus allowing you to prioritize the apps you consider more important.

USER VS DEVICE ASSIGNMENTS

With device-based deployments, there is a greater likelihood of encountering problems with Managed Installer policies. Because of this, it’s worth considering changing your app deployment from device-based to user-based assignments.

PILOT AND TEST NEW CONFIGURATIONS

Before rolling out new deployment configurations to the entire organization, it’s always wise to test them on a small pilot group. Doing it this way gives you the opportunity to identify problems and address them early.

Monitoring and Troubleshooting

The availability of Autopilot Deployment Reports in Microsoft will provide organizations with key information concerning the deployment process. This allows them to evaluate skipped apps, failed deployments, and device readiness status.

Additionally, organizations should also use Intune Diagnostics and Event Viewer to analyze deployment logs. By evaluating these logs, IT admins can pinpoint specific app failures and then determine whether they’re related to the Managed Installer policy.
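One way to check the Managed Installer side of a failure, as an added example that is not part of the original post: the script below reads an AppLocker policy XML (for instance the output of Get-AppLockerPolicy -Effective -Xml saved from the affected device) and reports whether the Managed Installer rule collection is present and designates the expected installer. The two sample policies are constructed, and the Intune Management Extension binary name used as the default is an assumption.

```python
import xml.etree.ElementTree as ET

# Assumption: binary name of the Intune Management Extension agent, the
# installer that has to be designated before its Win32 installs are trusted.
INTUNE_AGENT = "MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE"

# Constructed samples in the AppLocker policy XML schema.
# Rule Id, rule name and version values are made up.
POLICY_READY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="ManagedInstaller" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001"
        Name="Intune Management Extension (constructed)" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition
            PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="*"
            BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE">
          <BinaryVersionRange LowVersion="1.0.0.0" HighVersion="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""

# What a device can look like while the policy has not been delivered yet.
POLICY_NOT_YET = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""


def managed_installer_status(policy_xml):
    """Summarise the ManagedInstaller rule collection of an AppLocker policy."""
    root = ET.fromstring(policy_xml)
    if root.tag != "AppLockerPolicy":
        raise ValueError("not an AppLocker policy document")
    status = {"present": False, "mode": None, "binaries": []}
    for coll in root.findall("RuleCollection"):
        if coll.get("Type") != "ManagedInstaller":
            continue
        status["present"] = True
        status["mode"] = coll.get("EnforcementMode", "NotConfigured")
        names = set()
        # Only Allow publisher rules designate a binary as a managed installer.
        for rule in coll.findall("FilePublisherRule"):
            if rule.get("Action") != "Allow":
                continue
            for cond in rule.iter("FilePublisherCondition"):
                names.add((cond.get("BinaryName") or "").upper())
        status["binaries"] = sorted(names)
    return status


def triage(policy_xml, installer=INTUNE_AGENT):
    """Return a short verdict for a failed Win32 app installation."""
    status = managed_installer_status(policy_xml)
    if not status["present"]:
        return "policy-missing"            # rule collection never arrived
    if status["mode"] == "NotConfigured":
        return "policy-not-configured"     # collection exists but is inactive
    if installer.upper() not in status["binaries"] and "*" not in status["binaries"]:
        return "installer-not-designated"  # other installers trusted, not this one
    return "policy-in-place"               # look elsewhere for the cause


if __name__ == "__main__":
    for label, xml_text in (("ready", POLICY_READY), ("not yet", POLICY_NOT_YET)):
        print(label, "->", triage(xml_text))
```

A verdict of policy-missing on a device whose Win32 apps failed during device preparation points at the delivery-order problem described above; policy-in-place means the failure has another cause.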

If all else fails and your deployment issues are still yet to be resolved, you’ll have the option of reaching out to Microsoft Support for any help you need. Alternatively, engaging with the Intune community on X may yield assistance from those who have dealt with the issues you may be confronting.

Wrap Up

Windows Autopilot offers organizations a powerful tool to help simplify the process of deploying and setting up devices. Processes are made simpler and faster, thus helping businesses operate more efficiently. And although there may be issues with Win32 app deployment during device preparation, there are ways to deal with it.

But, in addition to the workaround, we can look forward to Microsoft developing a more permanent solution to this challenge. Updates are sure to be forthcoming and we will be keeping an eye on what Autopilot will bring us next.

Advanced Security and Compliance Strategies for Cloud PCs: Windows 365 and Azure Virtual Desktop Integration

The evolution of powerful cloud computing has resulted in the development of platforms like Windows 365 and Azure Virtual Desktop (AVD). These services can offer numerous benefits to businesses including greater degrees of flexibility and efficiency.

Additionally, employees can get better computing performance by leveraging the resources that Windows 365 and AVD can offer. However, the key to getting the most from these solutions is implementing effective security and compliance strategies. Below, we’ll be looking at some of the strategies you can use to enhance organizational security and improve operations.

Introducing Windows 365 and Azure Virtual Desktop

WHAT IS WINDOWS 365?

Windows 365 is a cloud-based solution that offers users Windows virtual machines (Cloud PCs). Each of these Cloud PCs will be assigned to an individual user and this becomes their dedicated Windows device. Simply put, Windows 365 is your PC in the cloud accessible from anywhere.

WHAT IS AZURE VIRTUAL DESKTOP?

With Azure Virtual Desktop, Microsoft offers clients a desktop and app virtualization service that runs on Azure. By using this service, businesses get a virtual desktop infrastructure that provides multi-session Windows experiences. AVD is generally considered more technical than Windows 365 and this allows for more customization.

DIFFERENCES BETWEEN WINDOWS 365 AND Azure Virtual Desktop

| | Identity Management | Security Policies | Multi-session | Built-in Security |
|---|---|---|---|---|
| Windows 365 | Azure AD | Intune and Endpoint security | Single user Cloud PC | Fully Microsoft managed |
| Azure Virtual Desktop | Hybrid Azure AD or AD DS integration | Group Policies, Intune, and NSGs | Offers multi-session Windows experiences | Can be customized but this would require hands-on security setup |

Why is Security and Compliance So Important?

Every organization needs to put in place strong security measures to minimize the risks of any data breaches or loss. Without advanced security and compliance strategies, malicious actors can take advantage and attempt to compromise your network. This is why it’s vital for organizations that are adopting cloud-based computing solutions to enhance their cybersecurity so that remote access does not become a vulnerability.

Moreover, most industries such as finance and healthcare will have certain strict regulations that businesses must adhere to. Such regulations have been put in place to not only safeguard businesses but to ensure that sensitive client data remains protected. Some of the risks to protect against include identity theft, unsecured endpoints, and malware attacks, among others.

Utilizing Zero Trust Security with Windows 365 and Azure Virtual Desktop

Zero Trust security employs a system that strictly verifies the identity of every individual and device attempting to access the resources of an organization’s network. This security model is essential for providing a high standard of protection for Windows 365 and Azure Virtual Desktop.

By using Zero Trust, no one is trusted by default whether in or outside the organization’s network. This means that everyone needs to be authenticated and authorized before being granted access.

In addition to the above, those verified will only be provided the minimum level of access necessary for whatever tasks they may need to carry out. But, even with such a strategy in place, breaches may still occasionally occur. Fortunately, the Zero Trust model was built with this in mind and is designed to minimize the impact of a network breach.

Effective Advanced Security Strategies

CONDITIONAL ACCESS AND MULTI-FACTOR AUTHENTICATION

Conditional Access enforces security policies that determine who gets access to which resources and under what conditions. As an integral element of Azure AD security, Conditional Access can help organizations control access to Cloud PCs. To get the best from Conditional Access, organizations need to force all external connections to perform multi-factor authentication (MFA).

But, even with this in place, access from high risk locations still needs to be blocked. Furthermore, as an organization, you need to have strict compliance regulations governing which devices will be considered compliant and thus granted access to corporate resources.

ENDPOINT SECURITY POLICIES

Endpoint Security policies aim to help you improve the security of your endpoints and mitigate the risk of malicious attacks. One of the main Endpoint Security policies is Antivirus Protection which is responsible for ensuring that Microsoft Defender is functioning properly and regularly updated.

Another key policy is Disk Encryption which implements BitLocker on all Windows 365 devices. Furthermore, organizations also benefit from Firewall Rules that establish firewall policies designed to reduce attack surfaces.

MICROSOFT DEFENDER FOR CLOUD AND ADVANCED THREAT PROTECTION

These solutions will ensure that your organization gets high level security for both Windows 365 and AVD environments. With the availability of Threat Detection capabilities, you can rest assured that all suspicious activity will be identified and dealt with accordingly.

Moreover, you also have Compliance Monitoring which assesses security configurations before making the appropriate recommendations. In addition, integration with Azure Sentinel means centralized incident response and monitoring.

Compliance Strategies

As mentioned earlier, different industries, including government departments, have certain regulations that they need to adhere to. For instance, there is the well known General Data Protection Regulation (GDPR), HIPAA for the healthcare sector, and PCI-DSS for the finance sector, among others. To ensure that these compliance regulations are met, organizations need to:

  • Put in place Data Loss Protection policies that safeguard sensitive data.
  • Leverage Azure Policy to enforce regulatory requirements at the infrastructure level.
  • Conduct regular reviews of security strategies and baselines enabling you to make the appropriate changes when necessary.

Monitoring, Auditing, and Incident Response

The monitoring tools available include Azure Monitor which gives you insights into resource health and performance. Another tool is Microsoft Defender for Endpoint responsible for detecting and acting on endpoint threats. Additionally, Azure Sentinel is available to offer centralized logging and threat detection for Windows 365 and AVD environments.

To get the best incident response, you can start by configuring Automated Playbooks in Azure Sentinel for swift responses. Furthermore, you should regularly test security policies and run tabletop exercises.

Managing Security and Compliance with Windows 365 & Azure Virtual Desktop

To effectively manage security and compliance, you need a complete understanding of an organization’s compliance requirements. With that done you can implement a Zero Trust model so that all policies align with Zero Trust principles. Then, you should select a small group of users to pilot and test security policies before expanding.

Additionally, you should also enable automated security updates and use Intune and Microsoft Defender for updates and patches. Another good practice would be using Azure Sentinel and Microsoft Defender to help you continuously monitor your environments. And then arguably the most important tool available to an organization is ensuring that end users have a comprehensive understanding of security policies.

Wrap up

Virtual computing environments offer countless benefits to organizations. Increased flexibility, potentially lowering hardware costs, and excellent computing performance, among others immediately come to mind. However, to get the most from solutions like Windows 365 and Azure Virtual Desktop, effective advanced security and compliance strategies are necessary. Without such strategies, organizations leave themselves open to malicious attacks.

The Go-To Guide for Setting Up SFTP Access with Azure Blob Storage and Microsoft Entra ID

Introduction

In today’s business environment, securely exchanging data with external partners is essential. Azure Blob Storage with native SFTP support offers a scalable, secure solution, while Microsoft Entra ID provides robust identity management. Together, these tools help organizations share data with external users while ensuring security and compliance.

This go-to guide will walk you through configuring Azure Blob Storage for SFTP, managing user access with Entra ID, and showcase three real-world use cases—payment reconciliation, logistics data sharing, and healthcare data exchange.

Why Use Azure Blob Storage with SFTP and Entra ID?

Azure Blob Storage with native SFTP support simplifies secure file transfers without the need for third-party SFTP servers. Integrating Microsoft Entra ID enhances security by enforcing multi-factor authentication (MFA), conditional access, and role-based access control (RBAC).

Benefits at a Glance

  • Scalable and Cost-Effective: Pay only for the storage you use.
  • Secure File Transfer: Use the SFTP protocol for encrypted data transfer.
  • Centralized Access Management: Use Entra ID to control and monitor external access.
  • Automation and Integration: Seamless integration with tools like Azure Logic Apps and Power Automate.

Step 1: Setting Up Azure Blob Storage with SFTP Support

Follow these steps to set up Azure Blob Storage for SFTP access.

1.1 Create an Azure Storage Account

  1. Sign in to the Azure Portal.
  2. Go to Create a Resource and select Storage Account.
  3. Configure the storage account:
    • Subscription and Resource Group: Choose your existing or create new ones.
    • Storage Account Name: Must be globally unique.
    • Region: Select the region closest to your users.
    • Performance: Choose Standard for general use or Premium for high-performance workloads.
    • Replication: Choose Locally Redundant Storage (LRS) or Geo-Redundant Storage (GRS) based on your redundancy needs.
  4. Under the Advanced tab, enable SFTP Support (Preview).
  5. Click Review + Create, then Create the storage account.

Step 2: Configuring SFTP Access for External Partners

  1. Navigate to your newly created storage account.
  2. Under Data Transfer, select SFTP Settings.
  3. Click Add Local User to create an SFTP user:
    • Username: Use a descriptive name like partner1.
    • Authentication: Choose SSH Key-based authentication for enhanced security.
    • Home Directory: Assign a specific container (e.g., /transactions).
    • Permissions: Grant appropriate permissions (Read, Write, List).
  4. Generate an SSH Key if you don’t have one:
    • Use ssh-keygen (Linux/Mac) or PuTTYgen (Windows).
  5. Save the configuration and take note of the SFTP endpoint.
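To check the local users created in Step 2 against the choices recommended there (SSH key authentication, a specific container as home directory, Read/Write/List permissions only), the following added example, which is not part of the original guide, audits a JSON export of the storage account's local users. The sample records are constructed in the shape of the local user resource (name, homeDirectory, hasSshKey, hasSshPassword, permissionScopes); the user and container names are made up.

```python
import json

# Constructed sample in the shape of the storage account "local user"
# resource, e.g. as listed by `az storage account local-user list`.
SAMPLE_USERS = json.loads("""
[
  {"name": "partner1", "homeDirectory": "transactions",
   "hasSshKey": true, "hasSshPassword": false,
   "permissionScopes": [
     {"permissions": "rwl", "service": "blob", "resourceName": "transactions"}]},
  {"name": "partner2", "homeDirectory": "",
   "hasSshKey": false, "hasSshPassword": true,
   "permissionScopes": [
     {"permissions": "rwdlc", "service": "blob", "resourceName": "transactions"}]},
  {"name": "partner3", "homeDirectory": "/transactions/inbound",
   "hasSshKey": true, "hasSshPassword": false,
   "permissionScopes": [
     {"permissions": "rl", "service": "blob", "resourceName": "payroll"}]}
]
""")

# Permission letters used in a permission scope.
PERMISSION_NAMES = {"r": "Read", "w": "Write", "d": "Delete",
                    "l": "List", "c": "Create"}


def audit_local_user(user, allowed="rwl"):
    """Return a list of findings for one SFTP local user (empty list = clean)."""
    findings = []
    if user.get("hasSshPassword"):
        findings.append("password authentication is enabled")
    if not user.get("hasSshKey"):
        findings.append("no SSH public key is configured")

    # The first path segment of the home directory is the container.
    home = (user.get("homeDirectory") or "").strip("/")
    home_container = home.split("/", 1)[0]
    if not home_container:
        findings.append("no home directory container is set")

    scopes = user.get("permissionScopes") or []
    if not scopes:
        findings.append("no permission scopes are defined")
    for scope in scopes:
        container = scope.get("resourceName", "")
        extra = sorted(set(scope.get("permissions", "")) - set(allowed))
        if extra:
            names = ", ".join(PERMISSION_NAMES.get(p, p) for p in extra)
            findings.append(f"scope '{container}' grants more than '{allowed}': {names}")
        if home_container and container != home_container:
            findings.append(
                f"scope '{container}' is outside home container '{home_container}'")
    return findings


def audit(users, allowed="rwl"):
    """Map each user name to its findings, keeping only users with findings."""
    report = {}
    for user in users:
        findings = audit_local_user(user, allowed)
        if findings:
            report[user.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```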

Step 3: Integrating Microsoft Entra ID for Access Control

To ensure only authorized users access your SFTP service, use Microsoft Entra ID to manage identity and access.

3.1 Conditional Access Policies

  1. Go to the Azure AD Portal.
  2. Create a new Conditional Access Policy to enforce MFA and restrict access based on location.

3.2 Role-Based Access Control (RBAC)

Assign roles to external users to limit their access to only the relevant Azure Blob containers.

Step 4: Real-World Use Cases

Case 1: Payment Reconciliation – Mastercard Data Exchange

A retail company needs to securely exchange Mastercard transaction data with an external payment processor for daily reconciliation.

Workflow:

  1. The payment processor uploads transaction data to the SFTP endpoint.
  2. Azure Blob Storage receives and stores the files.
  3. Business Central or an ERP system processes the data for reporting and reconciliation.

Security Measures:

  • Use MFA and Conditional Access for external user authentication.
  • Configure audit logging to monitor access and activity.

Case 2: Logistics Data Sharing – Real-Time Inventory Updates

A manufacturing company needs to share real-time inventory data with its logistics partner.

Workflow:

  1. The logistics partner downloads inventory files and uploads shipping updates to the SFTP server.
  2. An Azure Function processes these updates and integrates them into the company’s ERP.

Security Measures:

  • RBAC ensures the logistics partner only accesses relevant files.
  • Data encryption protects information in transit and at rest.

Case 3: Healthcare Data Exchange – Secure File Transfers with External Clinics

A hospital exchanges patient data with external clinics, ensuring compliance with GDPR and HIPAA regulations.

Workflow:

  1. Clinics upload test results and patient data to the hospital’s SFTP endpoint.
  2. An Azure Logic App validates and integrates the data into the hospital’s EMR system.
  3. Doctors receive automatic notifications for new updates.

Security Measures:

  • Conditional Access restricts access by IP and enforces MFA.
  • Data masking during processing protects sensitive information.

Step 5: Automating Data Processing

Azure Logic Apps

Automate file processing with Logic Apps to trigger workflows when a file is uploaded.

Azure Functions

Run custom code to process files and integrate them with external systems.

Power Automate

Create simple automation workflows for notifications and approvals.

Step 6: Security Best Practices

  1. Enforce Multi-Factor Authentication for all external users.
  2. Use Conditional Access Policies to limit access by device and location.
  3. Encrypt Data at Rest and in Transit.
  4. Rotate SSH Keys Regularly.
  5. Audit and Monitor Access Logs for unusual activity.

Conclusion

Azure Blob Storage with SFTP support and Microsoft Entra ID provides a powerful and secure platform for exchanging data with external partners. Whether you are exchanging financial data, inventory files, or healthcare records, this setup ensures security, compliance, and scalability.

By following this step-by-step guide and using the real-world use cases as inspiration, you can create a secure, reliable solution for your organization’s external data exchange needs.


Windows 365 Link Device Onboarding – All You Need to Know

The business environment today is constantly evolving and organizations that fail to adapt can quickly find themselves falling behind. And in this era of rapid technology changes, it can sometimes prove impossible to catch up. If we look back at just the last five years, for instance, we have witnessed significant change in hybrid work acceptance. Services such as Windows 365 have given organizations a secure, reliable platform that enables employees to remain productive anywhere.

With this kind of flexibility as well as the capability to access Cloud PCs from any device, business productivity can soar. By introducing Windows 365 Link, the advantages will be even greater.

Having gone over the process for setting up Windows 365 Link in a previous post, today we’ll be looking at how you can onboard Windows 365 Link devices to your organization’s environment. As you get started with this process, it’s important to remember that Windows 365 Link devices have been designed to be shared.

After unboxing and turning on your Link device, the first time it boots it will load the Out of Box Experience to guide you through a straightforward process. This process joins the device to Entra ID and enrolls into Intune management. With this complete, the device will display a sign-in screen from where any user can authenticate and connect to their own Cloud PC.

Any standard user can onboard Windows 365 Link devices using the OOBE process as long as they have the requisite permissions. However, organizations can also decide to have admins onboard Windows 365 Link devices and complete the onboarding before delivering the devices to users. Another option would be to split the tasks with admins onboarding some devices and users onboarding others. To help you decide, you can consider the following information:

| Considerations | Admin-driven Onboarding | User-driven onboarding |
|---|---|---|
| Device will be availed to multiple, different users. | Yes. | |
| Device will be availed to one specific user. | | Yes. |
| Users will not be allowed to join or register devices. | Yes. | |
| Users will get their devices shipped directly to them. | | Yes. |

Admin-driven Onboarding

An account with the designation of a Device Enrollment Manager (DEM) can onboard devices shared by multiple users. Although this account doesn’t require admin privileges in the tenant, it can still enroll up to 1000 devices in Intune. DEMs remain subject to the limit on the number of devices allowed to join to Entra ID. With this in mind, you may want to consider increasing the maximum number of devices per user to a value you expect a DEM to enroll.

By using this DEM account to onboard Link devices, this will:

  • Enroll the Windows 365 Link devices in a shared device mode.
  • Bypass any Intune enrollment restrictions for platforms as well as any device limits that may be in place.
  • Eliminate the need for any changes to allow personal Windows devices.
  • Not require designating a primary user of the device. And with no primary user of the device, Windows 365 Link will not appear in a user’s list of devices in Intune, Entra, Company Portal, or other places.

To prepare the DEM account, follow the steps below:

  • Create the account you’ll be using for Windows 365 Link device onboarding.
  • Assign the required licensing (Microsoft Entra Premium, Intune, Windows, etc.).
  • Verify that the user has the requisite permissions to join devices to Microsoft Entra ID.
  • The user will then need to be added to the list of Device Enrollment Managers.
  • Lastly, you need to provision a Cloud PC for this DEM account so that you can validate connectivity.

To onboard each Windows 365 Link device with the DEM account, follow the steps below:

  • Turn on the Windows 365 Link device.
  • Sign in with the DEM account. You can only join the device to Microsoft Entra and enroll in Intune by completing all the authentication steps.
  • After you’ve connected to the Cloud PC, you’ll need to then disconnect and restart Windows 365 so that any available updates can properly install.
  • Shut down Windows 365 Link.
  • Once the above steps are complete, the Windows 365 Link device is now ready for use by anyone in the organization with a Cloud PC.

User-driven Onboarding

Organizations don’t need to have IT admins onboard each Windows Link and can instead have users complete the OOBE to join them to Microsoft Entra and enroll them in Intune. By using this method:

  • A user will need to be designated as the primary user of the device.
  • The Windows 365 Link will subsequently appear in their list of devices.
  • All users within the organization can then use the device to access their own Cloud PCs.

THINGS TO VERIFY

  • All users should have the necessary licenses.
  • All users need to have permissions to join devices to Microsoft Entra ID.
  • Users must not exceed the maximum number of devices that can be joined.
  • Users must not be blocked from Intune enrollment by any restrictions or device limits.
  • Each user should have a Cloud PC provisioned and consented to single sign-on.
  • Provide users with the Windows 365 Link devices.
  • Turn the device on.
  • Sign in with the user’s account. You can only join the device to Microsoft Entra and enroll in Intune by completing all the authentication steps.
  • After you’ve connected to the Cloud PC, you’ll then disconnect and restart Windows 365 so that any available updates can install properly.
  • Shut down Windows 365 Link.
  • Once the above steps have been successfully completed, the Windows 365 Link device is now ready for use by anyone in the organization with a Cloud PC.

Wrap up

Windows 365 Link is designed to make accessing Cloud PCs a faster and more secure process. It does this by addressing latency issues and complicated sign in processes to name but two problems. Windows 365 is all about being easy to use so it’s not surprising that onboarding Link devices to your organization’s environment is a relatively straightforward process. Whether you give the task to admins or the users do it themselves, getting your Windows Link devices up and running should be quick and hassle-free.

Windows 365 Link: Enhancing the Cloud PC Experience

Microsoft has recently announced a new product that is built to bring significant changes to how clients interact with Windows 365. The new Windows 365 Link device, which is scheduled to be available from April 2025, will potentially show us which direction virtualization could take in the future.

With this thin client device, Microsoft is giving Windows 365 users a product that is purpose-built to connect to Windows 365. Once connected, users will get a seamless Cloud PC experience with easy access to all of the Microsoft 365 apps.

Windows 365 recap

A few years ago, Microsoft introduced a cloud-based service that automatically creates a new version or type of Windows virtual machine known as a Cloud PC. This service allows organizations to provide employees with the tools they need to be productive on any device regardless of where they physically are.

By subscribing to the Windows 365 service, end-users can get their desktops, with all files, apps, and settings included, streamed to whatever devices they are using.

Essentially, Microsoft has built a service that gives you your own personal PC in the cloud. Undoubtedly, one of the greatest advantages of Cloud PCs is getting access from anywhere.

This can fit in perfectly with the hybrid work approaches that many businesses are implementing. As long as there is an internet connection, employees can maintain their productivity levels from any location.

As an increasing number of organizations are adopting Windows 365, Microsoft has chosen the opportune moment to introduce the first Cloud PC device. Now in public preview, this small device has a Windows-based OS that will connect you to Windows 365 in seconds.

After quickly signing in to your Cloud PC, you can securely connect to your familiar Windows desktop in the Microsoft cloud.

To simplify use, Microsoft has designed it such that admins can leverage Intune to manage Windows 365 Link devices alongside other devices. This means that IT will benefit from a more streamlined management experience.

Additionally, IT can continue using the knowledge and policies they already have to ensure maximum efficiency regarding device management. Before you can use Windows 365 Link, you need to meet the following requirements:

  • Purchase a Windows 365 Link device.
  • Ensure management by your organization using Microsoft Intune.
  • Have a Windows 365 license for your Cloud PC.

Optimizing cloud performance

Although there has been a big push for organizations to migrate to the cloud, the simple reality is that inefficiency can often slow down adoption. Some of the more concerning problems that Microsoft has noted include latency issues, difficult sign-in processes, and peripheral incompatibility. These are exactly the types of issues that the Windows 365 Link device has been designed to address, especially in shared workspace situations.

The small, compact design means that you won’t have space concerns while taking advantage of faster access processes. Users should be happy with the few seconds the device takes to boot as well as the dual 4K monitor support, 4 USB ports, an Ethernet port, Wi-Fi 6E, and Bluetooth 5.3 that the device comes with. Furthermore, the local processing capabilities on the device provide high-performance video playback and conferencing that is ideal for enhanced productivity.

Device description

As already mentioned, the Windows 365 Link device is a small, compact product that will be easy to move around the workplace as needed. Because of its size and light weight, you can easily place it anywhere on your desk or maybe even attach it to the back of a monitor. The dimensions of the device are given in the table below:

| Dimension | Units metric | Units imperial |
| --- | --- | --- |
| Length | 120mm | 4.72 inches |
| Width | 120mm | 4.72 inches |
| Height | 30mm | 1.18 inches |
| Weight | 418 grams | 14.75 ounces |

The device will run on a small, Windows-based operating system known as Windows CPC and there will be no local applications or local users. In addition, there will be a strict application control policy that you cannot disable. To add to the convenience already on offer, updates will automatically download seamlessly in the background and then install at night.

Inside the computer, there will be an Intel chip that comes with 8GB of RAM and 64GB of storage. Even though the device has no moving parts, it will have the following ports:

  • Three USB-A 3.2 ports.
  • One USB-C 3.2 port.
  • One HDMI port.
  • One DisplayPort.
  • 3.5mm headphone jack.
  • Ethernet port.
  • Kensington lock slot.
  • A port for the power cord.

Enhanced security

One of the things that Microsoft has emphasized about Windows 365 Link is that not only will it provide quick access to Windows 365 but it will do so very securely. As one can imagine, this is a very important issue to address as secure access is arguably one of the biggest concerns that businesses have about virtual solutions. Fortunately, the Windows 365 Link device will come with multiple features that guarantee optimum security including:

  • Discrete Trusted Platform Module 2.0.
  • Secure boot.
  • Virtualization-based security.
  • Hypervisor-protected Code Integrity.
  • BitLocker drive encryption.
  • Strict Application Control policy.
  • No local user with administrative rights.
  • No local data storage.
  • No local apps.
  • Security baseline policies are enabled by default.
  • Microsoft Defender EDR Sensor.

Wrap up

One of the chief ideas that Microsoft has reiterated over the years is how Windows 365 should simplify the use of virtualization technology. The ultimate goal is to see organizations migrate to the cloud and have a service that is quick, easy to use, and secure.

Windows 365 Link offers an additional update to the innovative measures that Microsoft has introduced to enhance the Windows 365 Cloud PC experience even more. And with the devices being available in just a few months’ time, it’ll be interesting to see the client responses during this public preview period.

Latest Updates for Microsoft Intune and Windows 365

New features and updates are paramount to improving the functionality of the various devices and applications that businesses use. This is necessary, especially if companies expect high levels of performance. It’s also essential as the tasks that we deal with grow more complex.

Not only do companies want to maintain performance but they also need tech companies to address any existing issues. As a result, organizations like Microsoft will offer many new features. These updates are for services like Microsoft Intune and Windows 365.

Because of the updates, released in 2024, overall user experiences will greatly improve. Let’s discuss the recent additions and explore how they might help elevate, simplify, and improve your business operations.

Improvements to Microsoft Intune

2024 has been a year with a lot of innovation from Microsoft across its various products and services. Plenty of this effort prioritizes Microsoft Intune improvements, bringing us features such as:

New capabilities for Windows Autopilot

Windows Autopilot is a service that makes the device deployment process faster and less complex. Companies benefit immensely from Autopilot’s ability to do away with the labor-intensive process previously necessary to provision new devices. And, Microsoft has additional service improvements to share.

Earlier this year, an announcement introduced an exciting new release – device preparation. This brilliant new innovation will enable the accommodation of more devices and delivery of more efficient results. Moreover, it will allow for the provisioning of cloud instances such as Windows 365.

Still, Microsoft assures customers that the original, existing Windows Autopilot architecture is still in place. Because of this, you still have access to all your favorite features. IT admins can now enjoy a faster and simpler addition of groups to devices. This is due to enrollment time grouping, which replaces dynamic grouping. This creates a process that assigns app policies and scripts to devices more efficiently.

NEW SECURITY BASELINE

A key reason for updating devices and applications is to strengthen security and address vulnerabilities. Companies want to make sure that their security measures can stay ahead of the methods being employed by cybercriminals.

Hence the introduction of an update to the Microsoft Defender for Endpoint security baseline. These one-click collections of policies can be applied to devices (and device groups) in Intune. They also provide you with a way to configure all your organization’s devices with the same security policies.

Setting up your security measures in this way makes it easier to maintain the same security levels across the entire enterprise. This particular update offers a much better way of implementing the configuration recommendations made by the Microsoft Defender for Endpoint team. Furthermore, because it’s based on the Windows unified settings platform, you also get:

  • Quicker turnaround for updates.
  • Improved reporting, including per-setting status reports.
  • Assignment filter support.
  • Improved UI.
  • Consistent names across Intune.

Platform single sign-on (SSO) has arrived for macOS device enrollment

Signing in to multiple applications and websites using different credentials can be a tedious task. It can also be difficult for many people to keep up with all their sign-in information and passwords. This is why Platform Single Sign On (SSO) is a wonderful solution for streamlining the authentication process.

Because of how local account credentials synchronize with an individual’s IdP, one will only need to log in once. Platform SSO can help your company improve its security posture and enhance productivity.

Owing to the integration of SSO with Apple’s Secure Enclave technology, your organization can enable phishing-resistant, hardware-bound, passwordless authentication on Mac through Intune. In addition to better security, end-users can enjoy a less complex and faster out-of-the-box experience. This is possible because all they’ll need to set up their devices are their Entra ID passwords.

End-users also get to work more efficiently. This SSO experience, unique to Intune, enables them to sign in to their Outlook, Teams, and other Microsoft 365 apps simultaneously.

Installation of macOS apps on demand via Intune

Microsoft has done plenty of work to develop systems that can provide more capable Mac management. Intune has made providing IT admins and end-users a better, more efficient platform one of its key objectives. And one of the main reasons they’ve been able to achieve that is by leveraging feedback from customers.

Of note among the latest developments are options that admins can provide to users for downloading unmanaged applications, specifically in PKG and DMG format, via the Intune Company Portal app.

Furthermore, to reduce the reliance on line-of-business app workflow or third-party tools to deploy optional applications, Intune added the “available” assignment type to the well-known “required” type. As one of the most requested features by Mac device administrators, this should be a well-received development as it will help both end-users and admins save time.

Expanded support for Microsoft Managed Home Screen

Microsoft Managed Home Screen (MHS) is an enterprise launcher application that enables IT admins to customize their devices and restrict the capabilities that a user can access. If you configure in multi-kiosk mode in Intune, MHS launches automatically as the default home screen on the device. This customizable launcher serves as a key tool for IT admins to better manage devices. It also ensures that users are performing at the expected levels.

As organizations provide users with increasingly more powerful devices, they need to make sure that business operations improve accordingly. The availability of Managed Home Screen is expanding from just user-less kiosks or shared devices to corporate-owned, fully managed devices associated with a specific user as well. As a result, its capabilities will extend to a wider range of use cases and applications.

BitLocker RECOVERY KEY

Having access to a BitLocker recovery key allows you to unlock an Intune-enrolled PC if you have the misfortune of forgetting your sign-in password and getting locked out. The stored recovery key is accessible from the Intune Company Portal website. It’s also accessible in the Intune Company Portal app.

Without this key, users would typically need to contact the Help Desk for assistance. As one can imagine, it’s easy to see why this option is better. It offers greater support to users while lightening the load on IT professionals.

Going forward, this update will enable end-users to access their BitLocker recovery key directly from the Company Portal website. Because of this, your organization can expect to benefit from a more intuitive and streamlined path to recovery.

This should also help improve productivity because end-users won’t need to wait for the delays that sometimes occur while waiting for IT support to assist them. And with IT having this task taken care of for them, they will have more time to dedicate to more productive endeavors.

CORPORATE IDENTIFIERS

This feature aims to verify that corporate devices are labeled as corporate-owned as soon as they enroll. It does so by adding their corporate identifiers ahead of time in the Microsoft Intune admin center.

For businesses, corporate device management provides you with more capabilities than that for personal devices. This new change will help organizations restrict the application of the corporate-owned devices label only to authorized devices.

Adding corporate identifiers to Intune requires you to upload a file of corporate identifiers in the admin center or enter each identifier separately. Also important to note is the fact that you don’t need to add corporate identifiers for all deployments. During enrollment, Intune automatically assigns corporate-owned status to devices that join to Microsoft Entra via:

  • Device enrollment manager account (all platforms)
  • An Apple device enrollment program such as Apple School Manager, Apple Business Manager, or Apple Configurator (iOS/iPadOS only)
  • Windows Autopilot
  • Co-management with Microsoft Intune and group policy (GPO)
  • Azure Virtual Desktop
  • Automatic mobile device management (MDM) enrollment via provisioning package
  • Knox Mobile Enrollment
  • Android Enterprise management:
    • Corporate-owned devices with work profile.
    • Fully managed devices.
    • Dedicated devices.
  • Android Open Source Project (AOSP) management:
    • Corporate-owned user-associated devices
    • Corporate-owned userless devices
  • Google Zero Touch

Windows 365 Cloud PC security baseline updates

From the new, additional features and updates to Microsoft Intune, it’s clear to see that increasing efficiency matters. Strengthening security is also of utmost importance. And the same applies here.

Configuring security settings can often be a complex, time-consuming task that few will enjoy, especially if you are still a novice. These policy templates, deployed with Intune, aim to establish Microsoft Security–recommended settings and are central to the security strategies employed by Intune.

To ensure that you get the most from these measures, Intune has set it up such that these baselines can be tailored to your unique needs. Additionally, this particular update requires you to manually update your customizations, if any, from the previous baseline. This baseline, which comes highly recommended, will also give you:

  • Faster deployment of baseline version updates
  • Improved user interface and reporting experience (such as per-setting status reports)
  • More consistent naming across the Intune portal
  • Elimination of setting “tattooing”
  • Ability to use assignment filters for profiles

New updates and features for Windows 365

Similar to Microsoft Intune, Windows 365 has also introduced several updates to the Cloud PC service. Some of these include:

ADDITIONS TO DEVICE MANAGEMENT CAPABILITIES

| Update | What it offers |
| --- | --- |
| Windows 11 Cloud PCs now support EN-NZ | As of September 2024, Windows 11 Cloud PCs now support EN-NZ. |
| Support for symmetric NAT with RDP Shortpath | The goal is to develop an RDP Shortpath in Windows 365 such that it can support setting up an indirect UDP connection using Traversal Using Relays around NAT (TURN) for symmetric NAT. Most are probably aware that TURN is a widely accepted standard for device-to-device networking for low latency, high-throughput data transmission. |
| Uni-directional clipboard support is now generally available | With service release 2407 in July 2024 came the release of uni-directional clipboard support into general availability. |
| Closing port 3389 by default for newly provisioned and reprovisioned Cloud PCs | Going forward, expect to find the inbound port 3389 closed by default. This update has come about as a means to further safeguard your Windows 365 environment. |
| Chroma subsampling default change to 4:2:0 | This change has been made to help reduce monitor support issues. The Windows 365 service will now default to the chroma subsampling at 4:2:0 instead of the previous 4:4:4. |
| Windows 365 Boot and Windows 365 Switch now support battery status redirection | In a move that should be welcomed by users, Windows 365 Boot and Windows 365 Switch will now offer support for battery status redirection. Therefore, you can now view your local PC’s battery status on a Cloud PC. |
| Upgrade Windows 365 licenses in Microsoft admin center | All clients with Modern Microsoft Cloud Agreements can now upgrade their existing Windows 365 licenses in the Microsoft Admin Center. |
| New Windows 365 Cloud PC images available in the gallery | As of May 2024, you can now access new Cloud PC gallery images for Windows 10 and Windows 11. These improved images have harmonized optimizations with Windows 365 apps images for better policy management: Win 10 Enterprise Cloud PC: 21H2, 22H2; Win 11 Enterprise Cloud PC: 21H2, 22H2, 23H2. |
| Manage redirections for Cloud PCs on iOS/iPadOS devices | The Intune admin center can now be used to handle redirections for iOS/iPadOS users who access their Cloud PCs using Microsoft Remote Desktop and Windows App. |

DEVICE SECURITY UPDATES

| Update | What it offers |
| --- | --- |
| Session lock experience configuration for single sign-on | When single sign-on (SSO) is enabled, this new update lets clients configure the remote session lock experience, choosing between the default disconnect behavior and showing the remote lock screen. Enabling SSO allows you to use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Cloud PC. This tool offers an SSO experience when authenticating to the Cloud PC and inside the session when accessing Microsoft Entra ID-based apps and websites. |
| Windows 365 support for Microsoft Purview Customer Key | Windows 365 clients are also being given a feature that supports the encryption of Cloud PCs by setting up Microsoft Purview Customer Key. |
| Customer Lockbox | Service release 2407 brings new Windows 365 Government support for Microsoft Purview Customer Lockbox. The Customer Lockbox prevents Microsoft from accessing your content without explicit approval. This feature gets you integrated into the approval workflow process that Microsoft uses, thereby restricting access to your content only to authorized requests. |
| Single sign-on Windows 365 clients authentication change | Single sign-on for Windows 365 is switching to the use of the Windows Cloud Login Entra ID cloud app for Windows authentication. This change will begin with the Windows and Web clients. |
| FQDNs removed from requirement list | Several of the required FQDNs have in the past been moved to the *.infra.windows365.microsoft.com wildcard FQDN. This move reduces the initial configuration requirements and the change rate of connectivity requirements. As of May 2024, the old FQDNs have been removed from the requirement list. |
| Microsoft Purview Data Loss Prevention | In March 2024 (service release 2403), it was announced that Microsoft Purview Data Loss Prevention (DLP) will now support Windows 365 Enterprise. Getting access to DLP means that you can now monitor the actions that are being taken on items you’ve determined to be sensitive. Moreover, this also helps you block unintentional sharing of these items. As soon as you onboard devices into the Microsoft Purview solutions, data concerning what users are doing with sensitive items becomes available in activity explorer. |
| Windows 365 Boot shared mode supports FIDO | This change can help your business strengthen the security of your Windows 365 environment. Because Windows 365 Boot shared mode now supports FIDO, enterprises can leverage hardened authentication measures that minimize the risk of successful attacks. |

MONITOR AND TROUBLESHOOT

| Update | What it offers |
| --- | --- |
| New Intune report and device action for Windows enrollment attestation (public preview) | The device status attestation report gives you information about devices that have either Completed, Failed, or Not started enrollment attestation. With the new device attestation status report in Microsoft Intune, you can find out if a device has attested and enrolled securely while being hardware-backed. |
| Cloud PC utilization report for Windows 365 Government | The Cloud PC utilization report offers you a useful tool for monitoring and optimizing Cloud PC usage in your organization. You can glean from it information such as how much time users are spending on their Cloud PCs or when they last connected. As of June 2024, support for this feature is now available to Windows 365 Government. |
| Cloud PC size recommendations report | This Cloud PC recommendations report is now out of preview and generally available. The report is an AI-powered feature that enables administrators to determine the correct size for Cloud PCs. By assessing data such as end-user Cloud PC usage patterns, platform level resource utilization data, and performance needs, you can work out the best Cloud PC configuration for your users. |
| Cloud PCs that aren’t available report | Generally available as of May 2024 (service release 2404). Simplifies the task for admins by helping them identify Cloud PCs that may be currently unavailable. The report will give you information concerning conditions up to 5 to 15 minutes ago. As a result, you could potentially find Cloud PCs in the report that have already recovered. |
| Improvements to Cloud PC connection quality report | Several upgrades to the Cloud PC connection quality report became generally available in March. The improvements that you can look forward to include: a more comprehensive view of the overall performance of your Cloud PCs; a more detailed view of devices when they are in a state of poor performance due to high round trip times; tenant level visibility to most recent/current for Round Trip Time, Bandwidth, Connection Time, and UDP Utilization; connection specific detail on client IP and associated CPC Gateway; filters for all columns. |
| Alerts for Windows 365 Frontline maximum concurrent Cloud PCs | Windows 365 administrators will be getting even more information to help them better manage their Cloud PC environments. With this update, admins receive alerts notifying them when the maximum concurrent Cloud PCs are active for Windows 365 Frontline subscriptions. |
| Device action data kept for 90 days | You get to view actions performed within the last 90 days. To access this information, navigate to the Overview page for individual Cloud PCs. |

UPDATES TO WINDOWS 365 BOOT

| Update | What it offers |
| --- | --- |
| Shared and dedicated Windows 365 Boot device | Using Windows 365 Boot, admins can configure Windows 11 physical devices so that users can avoid signing in to their physical device and sign in directly to their Windows 365 Cloud PC on their physical device. To add to the flexibility, Windows 365 Boot now supports both dedicated and shared PC scenarios. |
| Windows 365 Boot sign-in page customization | Another update for Windows 365 Boot is the availability of sign-in page customization. Previously in preview, this feature became generally available in February. |
| Windows 365 Boot fail fast notifications | Adding to the previous new updates is fail fast notifications. Beginning in February as well, Windows 365 Boot detection and notification of network or application setup issues transitioned to general availability. |
| Management of local PC settings | The last update for February allowed for changes regarding the management of local PC settings. Going forward, users will be able to manage local PC settings through their Windows 365 Boot Cloud PC. |

Wrap up

Ensuring that your IT environment is operating at peak efficiency is a goal that every company should have. Optimizing the functions of applications and devices is integral to maintaining elevated productivity levels. This is why one cannot overstate the importance of the new features and updates. It’s why we regularly see them from Microsoft Intune and Windows 365.

Not only do they keep your business running smoothly, they also constantly address any issues that may arise. As a business, your needs change as the operating environment evolves. Therefore, there is a need for services like Intune and the Cloud PC that can keep up with those changes.

Synology SSD Cache: A Comprehensive Guide

Synology NAS (Network Attached Storage) devices are known for their versatility, offering a wide array of features for data storage, sharing, and management. One feature that significantly enhances performance is the Synology SSD cache. This guide explores Synology SSD cache, its benefits, how to set it up, the importance of upgrading DiskStation Manager (DSM) versions, and how to verify if you’re running the latest DSM version.

What is Synology SSD Cache?

An SSD cache uses Solid-State Drives (SSDs) to accelerate data access on traditional Hard Disk Drives (HDDs). SSDs are much faster than HDDs due to their lack of mechanical parts, providing lower latency and higher throughput. In Synology NAS, SSD caching improves the performance of your storage pools without requiring a full SSD-only setup.

Types of SSD Cache in Synology NAS

  1. Read-Only Cache:
    • Speeds up frequently accessed data by storing it in SSDs.
    • Improves read performance but does not affect write operations.
  2. Read-Write Cache:
    • Boosts both read and write performance.
    • Requires at least two SSDs in RAID 1 for redundancy.

Benefits of SSD Cache

  • Enhanced Performance: Faster data access and improved application performance.
  • Cost-Effective: Combines HDDs and SSDs for performance gains without the expense of SSD-only setups.
  • Scalable: Easily added or removed as needed.
  • Optimized Utilization: Ensures frequently accessed data is quickly available.

When to Use SSD Cache

  • High I/O Workloads: For example, virtualization, databases, or file servers.
  • Mixed Storage Systems: Combining HDDs and SSDs for balanced performance.
  • Repetitive Access Patterns: Ideal for applications with predictable workloads.

How to Set Up SSD Cache

Prerequisites

  • A compatible Synology NAS model.
  • Supported SSDs (check Synology’s compatibility list).
  • An existing storage pool.

Configuration Steps

  1. Install SSDs:
    • Install SSDs in the designated bays or via an adapter card like the Synology M2D17 in PCIe Slot 1.
    • Verify installation using Synology DSM.
  2. Create SSD Cache:
    • Navigate to Storage Manager > SSD Cache.
    • Choose the storage pool and cache type (read-only or read-write).
    • Follow the on-screen instructions.
  3. Monitor Performance:
    • Use Resource Monitor to track cache efficiency.
  4. Optimize Cache:
    • Update DSM for the latest features.
    • Adjust settings as needed.

Why Upgrade DSM?

DiskStation Manager (DSM) is the operating system powering Synology NAS devices. Regular upgrades are essential for:

  • New Features: Improved functionality and usability.
  • Security: Patches to keep your system secure.
  • Performance: Enhanced efficiency with updated algorithms.
  • Compatibility: Support for new hardware and apps.
  • Bug Fixes: Resolves known issues.

DSM Upgrade Steps

  1. Prepare for the Upgrade:
    • Backup data using Hyper Backup.
    • Verify compatibility and system health.
  2. Upgrade DSM:
    • Use the Control Panel > Update & Restore for automatic updates.
    • Perform manual updates by downloading the update file from Synology’s website.
  3. Post-Upgrade Verification:
    • Test applications and review logs for errors.
    • Reconfigure settings as needed.

How to Verify DSM Version

  1. DSM Interface: Navigate to Control Panel > Update & Restore to check for updates.
  2. Synology Assistant: Use this tool to display the DSM version.
  3. Command-Line: Run cat /etc/VERSION via SSH.
  4. Mobile App: Use Synology’s DS Finder to check the version.
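
A scripted form of the command-line check in step 3, added here as an example (it is not part of the original post or Synology's tooling): it reads the key="value" lines that cat /etc/VERSION prints and compares the build and small-fix numbers with a minimum baseline you choose, so a missed security update shows up as a non-zero exit status. The function names are hypothetical, the key names (buildnumber, smallfixnumber, productversion) are an assumption about the file layout, and the sample file and baseline numbers are constructed.

```shell
#!/bin/sh
# Added example: compare a DSM /etc/VERSION file with a minimum patch baseline.
# Assumption: the file consists of key="value" lines, including buildnumber and
# smallfixnumber. Function names and all sample values here are constructed.

# Print the value of key $2 from VERSION-style file $1 (nothing if absent).
version_field() {
    awk -F'"' -v key="$2" '$1 == (key "=") { print $2; exit }' "$1"
}

# Exit status: 0 = at or above the baseline, 1 = older, 2 = could not verify.
# $1 = file, $2 = minimum build number, $3 = minimum small-fix number (default 0)
dsm_meets_baseline() {
    min_build=$2
    min_fix=${3:-0}
    [ -r "$1" ] || return 2
    build=$(version_field "$1" buildnumber)
    fix=$(version_field "$1" smallfixnumber)
    [ -n "$fix" ] || fix=0            # treat a missing small-fix line as 0
    # Refuse anything that is not a plain number rather than guessing.
    case "$build" in ''|*[!0-9]*) return 2 ;; esac
    case "$fix" in *[!0-9]*) return 2 ;; esac
    if [ "$build" -gt "$min_build" ]; then
        return 0
    fi
    if [ "$build" -eq "$min_build" ] && [ "$fix" -ge "$min_fix" ]; then
        return 0
    fi
    return 1
}

# Human-readable wrapper; passes the status of dsm_meets_baseline through.
dsm_report() {
    status=0
    dsm_meets_baseline "$1" "$2" "$3" || status=$?
    shown=$(version_field "$1" productversion)
    case $status in
        0) echo "OK: DSM ${shown:-?} build $build update $fix meets $2 update ${3:-0}" ;;
        1) echo "OUTDATED: DSM ${shown:-?} build $build update $fix is below $2 update ${3:-0}" ;;
        *) echo "UNKNOWN: could not read a numeric build from $1" ;;
    esac
    return $status
}

# Constructed sample of what the file might contain (not real NAS output).
sample=$(mktemp)
cat > "$sample" <<'EOF'
majorversion="7"
minorversion="9"
productversion="7.9.9"
buildnumber="99001"
smallfixnumber="2"
EOF

dsm_report "$sample" 99001 2 || true   # same build, same small fix
dsm_report "$sample" 99001 3 || true   # baseline asks for a newer small fix
rm -f "$sample"
```

On the NAS itself, call dsm_report /etc/VERSION with the build and small-fix numbers taken from the release notes of the update you need to have installed.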

My Setup and Observations

I am using a DS1817+ with eight Seagate ST8000AS0002-1NA17Z 8 TB Archive HDDs, running without issues. Currently, I’m upgrading to 16 TB Western Digital WDC WD161KFGX-68AFPN0 HDDs. My SSD cache consists of two Samsung SSD 850 EVO M.2 (500 GB) drives installed using a Synology M2D17 adapter in PCIe Slot 1.

Hardware Highlights

Seagate ST8000AS0002 HDD:

  • Energy-efficient archival storage.
  • Reliable for long-term use.

Western Digital WDC WD161KFGX HDD:

  • High-capacity Ultrastar DC HC500 series.
  • Optimized for data centers with vibration resistance.

Samsung SSD 850 EVO M.2:

  • Advanced 3D V-NAND technology.
  • TurboWrite for faster write speeds.
  • High endurance and energy efficiency.

Best Practices for SSD Cache

  • Regular Maintenance: Monitor and optimize cache performance.
  • Stay Updated: Enable automatic DSM updates.
  • Evaluate Workloads: Periodically assess cache efficiency.
  • Use Compatible Hardware: Follow Synology’s compatibility guidelines.
  • Backup Data: Regularly back up to avoid data loss.

Conclusion

Synology SSD cache is a game-changer for optimizing NAS performance. Coupled with regular DSM upgrades, it ensures a reliable and high-performing system. Follow these best practices to maximize your NAS potential, enhance data security, and enjoy seamless compatibility.

Microsoft Intune and Windows 365 in 2025: What to Expect

As 2024 is drawing to a close, we can start to look back at the features that have been added to Microsoft Intune and Windows 365. These upgrades have enhanced the user experience, strengthened security measures, and enabled users to operate more efficiently.

As such, it will be exciting to look at what Microsoft could potentially add to these platforms in 2025. Businesses will be interested in seeing what Microsoft has on the horizon. They will also be eager to see what will improve these platforms even further while simultaneously addressing some common concerns they may have.

With this in mind, in this article, we’ll be going over the information Microsoft has released concerning features scheduled to be released in 2025.

What does 2025 hold for Intune?

Microsoft Intune: Managed device attestation for iOS/iPadOS and macOS device enrollment and ADE

When we consider the threat landscape that organizations constantly have to deal with, it’s easy to see why there is a great need for continually improving security measures. That is why bringing ACME and managed device attestation support for eligible Apple devices to general availability (GA) is a great move on Intune’s part. It should give you better control over how devices are verified.

Included in this update are device enrollment and ADE enrollments, notably AC2. Admins should note that this will apply to new enrollments with device enrollment (BYOD) and new enrollments with ADE or the Apple Configurator tool. We can expect to see the rollout of this feature beginning in April 2025.

Microsoft Intune: Windows enrollment attestation

Staying with the same theme of enhancing security measures, businesses will also be getting this feature beginning in March 2025. You can expect physical devices to be attested at enrollment and enrollment credentials to be stored in the hardware of the device.

This can provide administrators with an extra bit of convenience. It will allow them to view device attestations in the new Device attestation status report. Additionally, they can force attestation from that report when necessary.

Microsoft Intune: Enhanced device inventory for Windows devices

Few things increase work efficiency as much as having easy access to all the information you need when you need it. That is what businesses will be getting when this service is rolled out in February 2025, enabling them to obtain more inventory information about their Windows devices. You get to specify which device properties to collect and from which devices, and you can then view that information for your devices.

Microsoft Intune: Hardware-backed attestation – enhanced for Windows 11

This feature, which will be coming to you in January 2025, seeks to improve the Windows compliance policy. You should expect an improvement in device health due to the addition of five hardware attestation settings. These settings are specific to Windows 11 and rely on advanced platform security features, such as firmware protection, virtualization-based security, Memory Integrity and Access Protection, and Early Launch Antimalware protection.

Microsoft Intune: macOS Platform SSO Support

Intune is constantly looking for ways to enhance the user experience for customers that use the macOS platform. To this end, features like this one in particular will give you better security and increase convenience. With the release planned for January 2025, customers should soon be able to log in on a managed Mac using their Entra ID password.

Microsoft Intune: Multiple managed accounts

Adding to the convenience that the upcoming Intune features will bring is this feature. As of January 2025, Microsoft plans on enabling users to use a single device with multiple company accounts to access company information through specific managed applications.

Microsoft Intune: Enrollment time grouping for Android Enterprise Corporate devices

Enrollment time grouping (ETG) for Android Enterprise Corporate devices is a feature that will help targeted apps and policies reach devices faster thus minimizing delays common with device setup. The rollout is slated for January 2025.

AI to boost the capabilities of the Cloud PC

Businesses cannot deny the immense potential that AI can offer them. This technology has vast applications that can positively impact business operations at just about every level. It’s therefore no surprise that Windows 365 is working on taking advantage of AI to improve the user experience for Cloud PC users. Already, Windows 365 can use AI to provide you with Cloud PC resizing recommendations that can help minimize costs and increase efficiency.

Windows 365 does this and more by leveraging AI to evaluate Cloud PC deployment and utilization. With this information in hand, companies can better plan their Cloud PC environments thus maximizing the value of their investment. These tailored, AI-powered insights will help you avoid several issues including:

  • Complex purchase discussions – when you lack specific information, your organization could spend vast amounts of time bogged down in discussions with vendors trying to figure out what’s most suitable for your needs.
  • Low productivity levels – if your environment operates with incorrect configurations, employees cannot perform at optimum levels and their output will be lower than it should be.
  • Fluctuations in usage and license churn – any discrepancies between your purchased licenses and actual use may cause irregular usage patterns which in turn negatively impacts cost management.

Wrap up

The various development teams at Microsoft appreciate the need to keep expanding the capabilities of the products and services they offer. As the modern work environment evolves, so too should the tools available to us. Companies need technologies that empower their employees, strengthen their security, and inspire business innovation.

Fortunately, the new features and capabilities that Microsoft Intune and Windows 365 are working on promise to deliver. Customers can plan excitedly for the future knowing that their platforms of choice will keep them ahead of the curve.

Enhancing Your Security Posture in Windows 365 and Azure Virtual Desktop

Setting up a virtual computing environment offers plenty of benefits for most organizations. But, businesses also need to understand the potential security issues involved and how best they can address them. Recently, Microsoft has been working on enhancing security measures for Windows 365 and Azure Virtual Desktop (AVD) clients. In addition to that, one of the key goals is to address the complexities that organizations often have to deal with regarding security policy management.

By doing so, Microsoft intends to provide clients with a robust suite of new security features. The new features will offer greater infrastructure protection.

Common security risks in virtual computing

Businesses are constantly dealing with various threats to their infrastructure, and data breaches can be some of the most damaging. From huge financial losses to potential legal ramifications, data breaches pose serious threats to companies. If left unprotected, some organizations might even find it hard to bounce back from one.

Another of the biggest challenges that businesses deal with on a daily basis is insider threat. What makes this such a tough issue to deal with is that it encompasses both negligent as well as malicious users. This kind of problem serves to highlight the importance of the new features Microsoft is launching. These latest features aim to strengthen identity and access management protocols.

Organizations can also get punished for a lack of due diligence. If one makes the mistake of engaging a virtual computing services provider without a full understanding of the security they have in place, it can end up being extremely costly.

Working with platforms like Azure Virtual Desktop (AVD) and Windows 365 gives you the advantage of services that are integrated into the Microsoft security ecosystem. Not only do you get excellent security but you also get compliance with the appropriate regulations.

Ensuring security by default

One of the key things that Microsoft is doing to counteract security threats is putting in place features that provide security by default. This can be achieved by embedding Microsoft-recommended security settings right at the beginning when creating Cloud PCs or virtual machines. Putting in place measures like these serves to make security an integral part of these virtual services. It also provides you with robust security straight out of the box.

SIMPLICITY with Azure Virtual Desktop

Implementing security by default also simplifies things by reducing the need for manual configurations. This allows you to have more productive time. IT admins will have even less to worry about, thanks to one of Microsoft’s newer updates. This update works by restricting Port 3389 by default on all newly provisioned and reprovisioned Windows 365 Cloud PCs. This update goes a long way in getting virtual services to the goal of automated, built-in security.

FLEXIBILITY with Azure Virtual Desktop

Despite the need for default security, Microsoft still appreciates that there may be times when IT admins may need to override these settings. For instance, think of a situation where IT admins have to customize security for their virtualization deployment to accommodate different devices and varying work models.

In anticipation of such scenarios, Microsoft gives clients the flexibility to override these security settings when the need arises. Ultimately, the key is to offer businesses solutions that are easy to use but not at the cost of improved security. Thus, the new features will simplify securing identity, data, and access. They’ll do so while simultaneously giving organizations the choice, flexibility, and control necessary to maintain a robust security structure.

Secure identity

Considering the threat landscape that businesses have to deal with, it’s extremely important to have the right technologies and processes to safeguard access to resources. Comprehensive solutions are necessary to secure identities ensuring that the right individuals get the right access at the right time.

Not only that, but end-users expect a seamless user experience that makes things easier for them. Needless to say, it’s equally or maybe even more important to have processes that curb malicious access.

FACILITATING SECURE ACCESS

In keeping with the goal of improved identity security, Microsoft recently launched, in preview, Passkey support in Microsoft Entra for macOS and iOS devices with single sign-on and password-less authentication.

With this update, users can expect the end-to-end user experience to become more streamlined. Coupled with improved phish-resistant password-less security for Windows 365 and Azure Virtual Desktop, this launch will undoubtedly give organizations stronger identity processes.

Given that many individuals view Passkeys as not only easier to use but more secure than passwords, this move by Microsoft is bound to be very welcome. As a method of authentication reliant on cryptographic techniques combined with biometrics such as fingerprints, Passkeys can be a significant upgrade over conventional password-based authentication.

RE-AUTHENTICATION

In addition, clients can also look forward to new features. These include faster re-authentication (public preview) that will leverage sign-in frequency in Microsoft Entra Conditional Access policies. This is something that will give IT admins the necessary control to enforce secure, timely reauthentication based on their needs.

Users must re-authenticate only when they need to authenticate to a resource and when a new access token is needed. Once a connection has been established, they won’t be prompted even if the connection lasts longer than the configured sign-in frequency.

Users also need to re-authenticate if a network disruption occurs that forces the session to be re-established after the configured sign-in frequency. Unfortunately, on unstable networks this probably means more frequent authentication requests.
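The re-authentication rules above can be replayed over a connection timeline to see how many prompts a user gets and how long a live connection can run past the sign-in frequency. This is an added example, not Microsoft's code or part of the original article: a simplified model for one user and one resource that checks the sign-in frequency only when a connection is established or re-established; the function names and both timelines are constructed.

```python
from dataclasses import dataclass


@dataclass
class Outcome:
    prompts: list      # minutes at which the user had to sign in interactively
    max_auth_age: int  # longest time (minutes) a live connection ran since the last sign-in


def simulate(connections, sign_in_frequency):
    """Replay (start, end) connection intervals, in minutes, given in time order.

    Assumption of this model: the sign-in frequency is evaluated only when a
    connection is (re-)established, never while one is running.
    """
    prompts, last_auth, max_age = [], None, 0
    for start, end in connections:
        if end < start:
            raise ValueError(f"interval ends before it starts: {(start, end)}")
        # A new connection needs a token; prompt only if the last sign-in is too old.
        if last_auth is None or start - last_auth >= sign_in_frequency:
            prompts.append(start)
            last_auth = start
        # An established connection is never interrupted, so its age keeps growing.
        max_age = max(max_age, end - last_auth)
    return Outcome(prompts, max_age)


# Constructed timelines for one 8-hour day (minutes since first connection).
STABLE = [(0, 480)]                                                # no drops
UNSTABLE = [(0, 30), (31, 90), (92, 120), (125, 200), (201, 480)]  # four drops

if __name__ == "__main__":
    for name, timeline in (("stable", STABLE), ("unstable", UNSTABLE)):
        result = simulate(timeline, sign_in_frequency=60)
        print(name, "prompts at", result.prompts, "max auth age", result.max_auth_age)
```

With a 60-minute sign-in frequency, the stable day produces a single prompt while the connection runs for the full 480 minutes on that one sign-in, which is why sign-in frequency should not be read as a limit on session length.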

Wrap up about Windows 365 and Azure Virtual Desktop

The threat landscape is constantly evolving thus creating new risks that organizations have to be prepared to face. With malicious actors working nonstop to expose vulnerabilities, businesses cannot afford to be lax in their approaches to data security. This is why Microsoft is committed to ensuring that clients using the Windows 365 and Azure Virtual Desktop platforms regularly receive new high-end security tools and updates. By doing so, organizations like yours can mitigate the risk of dangerous data breaches and financial losses with fortified security postures.