Key Features For Managing Windows 365 Cloud PCs

Posted on by
Reply

When we talk about Windows 365, there are many things that come to mind. Accessibility from anywhere, flexibility, data security, and scalability are some of the most common benefits you’ll get when you sign up for Windows 365.

Together with the many others I haven’t mentioned, these benefits can significantly improve how your organization operates and can get your productivity levels trending upwards. But, as with any solution, the key to getting the most from your investment is fully understanding the features that Cloud PCs offer and how you can leverage them to enhance your operations.

Establishing a Windows 365 Environment

There are many steps to consider before administrators start providing end users with functional Cloud PCs. In a previous blog, I did a deep dive into how your organization can provision your Cloud PCs.

All of this begins with researching Windows 365, defining SMART (Specific, Measurable, Attainable, Relevant, and Time) objectives, considering the various Cloud PC provisioning scenarios, and then creating the provisioning policy.

Provisioning policies are the elements necessary for creating and assigning Cloud PCs to their users. They determine which operating system version will be used. They’ll also decide other key things, such as join type, language, and region. Once you create the provisioning policy, it will handle all the provisioning necessary to automatically get licensed users their Cloud PCs.

What if Provisioning Fails?

As with any tech solution, sometimes things go wrong and the installation process fails to deliver the expected result. When this happens with Cloud PC provisioning, Windows 365 will automatically retry the provisioning process a further 2 times. And if after these 3 attempts the provisioning still fails then:

  • The provisioning process stops.
  • The Cloud PC will mark as Failed.
  • An error message will display.

At this point, the administrator needs to figure out the cause of the failure before they can proceed. Finding the reason for this failure requires a detailed analysis of the specific error messages within the Microsoft Intune admin center as well as checking underlying dependencies.

Once admins identify the error message, they can then investigate common areas. These might include ANC failures, AD domain join failures, licensing and policy issues, Microsoft Entra Hybrid Join failures, and IP address exhaustion. After admins determine the root cause, they can manually trigger a retry of the provisioning process by pressing the Retry button in the error dialog.

Resizing a Cloud PC

Certain situations may present themselves where end users may require:

  • More RAM and vCPU cores to run CPU-intensive applications.
  • An increase in disk space for file storage.
  • Or, less RAM and vCPU cores to run their current workload applications.

In these scenarios, Windows 365 allows you to resize your Cloud PCs without compromising user and disk data. Moreover, the resizing can be performed without having to reprovision the affected Cloud PCs. Admins should be aware that although resizing won’t support GPU Cloud PCs, it does support the following:

  • Direct and group-based licenses.
  • Paid, preview, and trial licenses.
  • Bulk and single device operations.

The key to carrying out a successful resizing operation while minimizing the risk of potential issues is communicating and coordinating with the concerned end users. Because the resizing operation disconnects end users from their sessions, it’s best to choose a pre-agreed time that is convenient for all parties. And do so when there is no unsaved work that could be lost. To perform the resizing of Cloud PCs, you follow the steps below:

  • Start by checking to see if you have the appropriate license for the new Cloud PC size in your environment.
  • Start the resizing process from the Intune console. (Note: Before proceeding any further, you should know that if you remove the license before resizing, the device will be put in a grace period. And this in turn will prevent you from resizing.)
  • Navigate to the Intune portal and search for the device.
  • Click on Resize.
  • If the appropriate license is available, you can proceed with the new Cloud PC.
  • After starting the process, expect the Cloud PC to swiftly shut down and begin resizing. This process will take about 15 to 20 minutes, after which the end user can regain access to their device.

Reprovisioning A Cloud PC

Windows 365 makes it possible to modify provisioning policies if the need arises. But any changes made to a provisioning policy won’t apply to previously provisioned Cloud PCs. Not unless you first reprovision those virtual machines. Basically, the reprovisioning action is a feature that can prove particularly useful if:

  • You need to test different Cloud PC configurations.
  • You are having issues with a previously provisioned Cloud PC.
  • The end user requests a new Cloud PC.

In addition to the above scenarios, reprovisioning can also be the solution for Cloud PCs in a Failed provisioning state in the Windows 365 provisioning node. Simply put, you can think of the reprovisioning action as functioning in a similar manner to how one would reset a physical device.

Once reprovisioning is complete, the current Cloud PC is deleted, and a new one is recreated. This new Cloud PC won’t contain any of the previous user data, applications, and customizations, as they will have been deleted.

Instead, this new device is reprovisioned using the current configured settings in the provisioning policy that’s assigned to the user’s Microsoft Entra group. So, if an admin makes changes to a provisioning policy, such as changing the image referenced by the policy or any other modifications, these new configurations will be applied to the reprovisioned Cloud PC. And to simplify reprovisioning for Frontline Cloud PCs in shared mode, Windows 365 allows you to bulk reprovision all the Cloud PCs in a provisioning policy.

How To Restore A Cloud PC

The ability to revert a Windows 365 Cloud PC to a previous state gives users a great solution for when disruptive events occur. When restoring the Cloud PC to a selected restore point, issues like critical system failures, the need to reverse unfavorable changes, malware, and data recovery, among others, can be addressed. Reverting a Cloud PC to a previous point in time prevents having to completely wipe the device.

However, the process will still permanently delete data saved to the Cloud PC and any apps installed between the restore point and now. Before proceeding, be advised that the Cloud PC will not be available for the duration of the restoration. This action cannot be reversed. If you decide to proceed, you can follow the steps below:

  • Navigate to https://windows365.microsoft.com and sign in.
  • Find your Cloud PC and select the gear icon (Settings).
  • Select Restore.
  • From the drop-down menu that appears, choose the restore point that you would like to use.
  • Check the appropriate box and select Restore.

Admins can also initiate the restoration process for their end users by:

  • Going to the Intune Admin Center and signing in.
  • Head over to Devices > Windows 365 > All Cloud PCs, then choose the Cloud PC to restore.
  • Select Restore.
  • Choose the restore point that you want to use.
  • Check the appropriate box and select Restore.

How To Deprovision A Cloud PC

Every now and then, admins will face a situation requiring them to deprovision one or more of their organization’s Cloud PCs. This can happen when employees leave or change roles, or when the organization needs to reclaim unused licenses. It also happens when persistent technical issues need resolution, etc. Regardless of the reason, when it comes to the actual deprovisioning of a Cloud PC, there are a couple of ways to do it.

Method 1

Start by selecting the Cloud PC that you want to deprovision and then remove the Windows 365 license from that user. Doing this will move that Cloud PC into a 7-day Grace Period. Windows 365 has designed it this way so that Cloud PCs aren’t deleted accidentally.

This is a great setup to have because if an admin accidentally removes licenses from users whose Cloud PCs aren’t targeted for deprovisioning, those devices won’t immediately delete.

During those 7 days, an admin can still re-assign the license and manually end the Grace Period. It should also be noted that transferring the license to another user won’t end the Grace Period. This is because Cloud PCs cannot be moved from one user to another without provisioning a fresh Cloud PC.

Method 2

With this method, admins can deprovision Cloud PCs by removing the concerned users from the Group which is targeted by the Provisioning Policy which was used to provision the Cloud PC or Remove the Group from the Provisioning Policy Assignment. And similar to the first method, there will also be a 7-day Grace Period.

This gives you the option of keeping those Cloud PCs if you add the user back to the group or re-assign the group to the provisioning policy before the 7 days have elapsed.

Furthermore, Windows 365 gives you the choice to end the Grace Period early if you don’t want to wait 7 days to deprovision a Cloud PC. You can do so by clicking on the “In Grace Period” state and selecting End Grace Period. Having done this, the status of the Cloud PC is then changed to “Deprovisioning” while the Cloud PC is being deleted.

Unfortunately, this is not something you can do as a bulk action in the MEM console, meaning that you can only end the grace period one Cloud PC at a time. But admins who want to bulk deprovision multiple Cloud PCs simultaneously can still do so by leveraging PowerShell scripts.

Cleaning Up

After a Cloud PC provisioning failure or after a Cloud PC is deleted once the Grace Period has expired, the Windows 365 service will clean up all objects created during the provisioning process. You should typically expect the cleanup to occur around 3 hours after the failure. The following objects will clean up:

  • Intune Object
  • Microsoft Entra device objects
  • Azure vNIC

The cleanup won’t affect network security groups created for Cloud PCs because other objects may also be reliant on those groups. In addition, Windows 365 isn’t going to delete on-premises Microsoft Entra computer accounts joined to the domain during provisioning.

Redundant computer objects only disable because Windows 365 doesn’t have the necessary permissions to delete on-premises computer objects. With that in mind, a common recommendation is that businesses use their regular maintenance processes to clean up these disabled computer objects.

Evaluating Cloud PC Usage

Once all provisioning steps are complete and end users’ needs are being met, it’s important to monitor usage in your Cloud PC environment. To help you with this task, Windows 365 provides you with a utilization report that plays a vital role in monitoring and optimizing Cloud PC usage in your organization. Admins can use it to view information such as the amount of time end users are spending on their Cloud PCs, as well as when they last used them. Reviewing this data enables admins to:

  • Evaluate the underutilized Cloud PCs with the goal of possibly reassigning those licenses to end-users with a greater need for them.
  • Identify Cloud PCs that have remained inactive for extended periods of time. By targeting these devices for deprovisioning, admins can help cut costs for their organizations.

The Cloud PC utilization report is accessible by signing in to the Microsoft Intune Admin center and selecting Devices > Cloud PC performance > Cloud PC utilization.

Cloud PC utilization report page (tenant data)

This report displays the following tenant data aggregated for the chosen timespan (28, 60, or 90 days):

  • This histogram shows the number of Cloud PCs connected for each range:
    • High time connected –  More than 80 hours. Average time connected – 40-80 hours. Low time connected – Less than 40 hours.
    • None – Zero hours.
  • List of individual Cloud PCs with the following columns:
    • Device nameUser UPN – user’s identifier in Active Directory in the form of an email address.PC typeTime connected – total hours spent connected to the Cloud PC over the last 4 weeks. Date last connected – date last connected to Cloud PC within the last 60 days. If currently connected, you’ll see the most recent connection time.
    And if not, the last sign-out time will display.
        Date created –  date the Cloud PC was created.
    • Device type – Cloud PC type based on the offering (Enterprise, Frontline dedicated, Frontline shared).

Scaling Your Cloud PC Environment

Undoubtedly, one of the most attractive features of Windows 365 is that it allows organizations to scale their Cloud PC environments up or down according to need. This type of flexibility is perfect for the business environment because it gives you access to the resources you need when you need them. As a result, you can better manage IT expenditure and potentially reduce costs.

Scaling Up

Organizations can easily scale up their Cloud PC environments by purchasing more Windows 365 licenses. After procuring these additional licenses, you can assign them to the end users who need them.

At this point, you’ll need to assess your provisioning policies before deciding whether or not any modifications are necessary. And if you have new user groups that require different configurations, admins will have to make changes to their provisioning policies.

Additionally, carry out a careful evaluation of your network capacity to check if the increased load is manageable without issue.

Scaling Down

In like manner, scaling down is just as easy. It’s not a particularly complicated process. A detailed assessment of your environment will give you information about end users who no longer require Cloud PCs thus allowing you to remove their licenses.

Once done, the affected Cloud PCs move into a 7-day Grace Period before they deprovision. Admins can also start modifying or unassigning user groups from provisioning policies, depending on the gathered information.

Furthermore, it’s critically important that admins make sure that licenses are reclaimed and made available for reallocation.

Conclusion

Windows 365 delivers powerful virtual machines to businesses that help them improve operations and boost productivity. These Cloud PCs, which are accessible from anywhere using any device, provide users with a great degree of working flexibility.

Not only that, but the robust identity and access management protocols ensure a high level of network security, thereby alleviating the security concerns that often plague virtual computing solutions. And when you add the features discussed in this blog, as well as others not mentioned, businesses will have access to wonderful tools that can ease the management of Windows 365.

Fix Microsoft Teams Dial Pad Not Working

Posted on by
Reply

If you’ve ever had a user say:

“The dial pad is there, but I can’t click it.”
“Join meeting does nothing.”
“Teams opens, but it’s just broken.”

You already know what’s coming.

And no – it’s usually not licensing.

In many cases, it’s a corrupted local Teams client.

In this article, I’ll show you:

  • Why Microsoft Teams breaks like this
  • Which common error codes this reset resolves
  • When the issue is client-side vs policy-side
  • And a full PowerShell script to fix it properly

The Real Problem: Teams Is a Web App in Disguise

Microsoft Teams (especially New Teams) is essentially:

  • WebView2
  • Cached profile data
  • AAD token storage
  • Local state
  • MSIX container

When something corrupts:

  • WebView2 rendering
  • Authentication tokens
  • Local Teams cache
  • SSO credentials
  • Proxy configuration

The result is classic:

  • Dial pad visible but not clickable
  • Join meeting button does nothing
  • Blank white screen
  • Endless loading spinner
  • Random sign-in prompts

Common Microsoft Teams Error Codes This Script Fixes

This reset script resolves a large number of client-side errors, including:

Authentication Errors

  • CAA50021
  • CAA50024
  • CAA20002
  • 0xCAA70004
  • 0xCAA82EE2
  • 0x80048823
  • 0x800704CF

Meeting Join / UI Errors

  • Join button unresponsive
  • Dial pad not clickable
  • Blank calendar view
  • “We couldn’t connect you” error
  • “Something went wrong” generic UI errors

WebView2 / Rendering Issues

  • White screen on launch
  • UI elements missing
  • Buttons visible but not interactive
  • 0x80072EFD
  • 0x80072EE7
  • 0x801901F7

If Teams Web works but the desktop client does not -> this script is almost always the fix.

When This Script Will NOT Help

If the dial pad is greyed out, the problem is not the client.

It’s usually:

  • No Teams Phone license
  • No OnlineVoiceRoutingPolicy
  • No Calling Policy
  • Enterprise Voice not enabled

Client reset won’t fix licensing.

Clickable but broken = client
Greyed out = policy

Important distinction.

What the Script Actually Does

This is not just a “delete cache” script.

It performs a full user-context reset:

  1. Stops all Teams-related processes
  2. Removes Classic Teams folders
  3. Removes New Teams MSIX profile folders
  4. Clears WebView2 cache
  5. Optionally removes stored AAD/Office credentials
  6. Optionally resets WinHTTP proxy
  7. Relaunches Teams cleanly

It does NOT:

  • Uninstall Teams
  • Change licensing
  • Affect other users
  • Modify tenant configuration

Safe for enterprise usage.

Reset-TeamsClient.ps1 – https://github.com/ThomasMarcussen/assortedScripts/blob/master/Reset-TeamsClient.ps1

Simplifying The Creation of Windows 365 Provisioning Policies (part II)

Posted on by
Reply

Before an organization can deploy Windows 365, it needs to conduct research to gather the information needed to develop an execution plan. You need to look at your current IT setup so you can determine where your greatest need is and how Windows 365 Cloud PCs will integrate into your IT operations. And after looking at all of that, you also need to carefully consider how to set up a Cloud PC environment that will serve you well.

As discussed in the previous blog, part of those considerations should focus on how to properly create provisioning policies. In this second blog, we’ll be continuing with looking at how best to manage your provisioning policies so that you end up with Cloud PCs that function just as you envision.

The Provisioning Process

In the first blog, I went over the importance of provisioning policies and how they are responsible for creating, configuring, and deploying Windows 365 Cloud PCs. I talked about how you’ll first have to sign in to the Microsoft Intune admin center and provide some general information, including the experience and license type you want.

Subsequently, I provided information on the use of Azure Network Connections (ANCs) and how to go about selecting an image for a Cloud PC. Having understood these steps, let’s now take a look at configurations.

Determine Your Configurations

Start by going over to the Configurations page and selecting a Language & Region under the Windows Settings. The selected language will install on Cloud PCs provisioned with the policy that you’re creating.

This next step is not mandatory. It involves selecting a Apply device name template to create a Cloud PC naming template to use when naming all Cloud PCs provisioned with this policy. Admins should note that although the naming template will update the NETBIOS name, it won’t affect the display name of the Cloud PC. Additionally, there are certain rules to follow when creating the template:

  • Enterprise and Frontline dedicated mode:
  • Names should be between 5 and 15 characters.
  • Names can contain letters, numbers, and hyphens.
  • No blank spaces or underscores can appear in the names.
  • Use the %USERNAME:X% macro to add the first X letters of the username. (This is optional)
  • Use the %RAND:Y% macro to add a random string of characters, where Y equals the number of characters to add. Y must be 5 or more. Names must contain a randomized string. (This is a requirement)
  • Frontline shared mode:
  • Names must have exactly 15 characters.
  • Names can contain letters, numbers, and hyphens.
  • No blank spaces or underscores can appear in the names.
  • Prefix should contain 7 characters or less.
  • Use the %RAND:Y% macro to add a random string of characters, where Y equals the number of characters to add. Y must be 8 or more. Names must contain a randomized string. (This is a requirement).

ADDITIONAL SERVICES

This next step is also optional. Head over to Additional services and select a service to install on Cloud PCs provisioned with this policy:

  • Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. The service works on both physical and virtual devices. Admins should note that the Windows Autopatch option isn’t available for Frontline in shared mode.
  • Those who already have Windows Autopatch configured to manage their Cloud PCs need to know that this option replaces the existing policy. Consequently, they should be aware that the replacement could potentially disrupt any dynamic distribution that is already configured in Autopatch.
  • When you select Windows Autopatch, the system assigns devices to a new ring as the last ring of the Autopatch group.
  • You can manually enable dynamic distribution for your Cloud PCs by changing the Autopatch Groups dynamic distribution list to include the Entra ID group to which your Cloud PCs are being added.
  • None. Manage and update Cloud PCs manually.
  • Although Autopatch is not available for Frontline devices in shared mode. It still remains possible for these devices to enroll in Autopatch and receive Windows update policies.
  • Windows Autopilot is a collection of technologies to set up and pre-configure new devices, getting them ready for productive use. It helps ensure that Intune applications and scripts are installed during initial enrollment and setup. And with all the features it has, the main selling point for this service is how it simplifies the Windows device lifecycle. It does so for both IT and end users, from initial deployment to end of life.
  • User Experience Sync is a cloud-native solution that delivers a seamless and consistent experience for users across Cloud PC and Cloud App sessions. It is a feature that is available for Windows 365 Frontline Cloud PCs in shared mode. If you choose to enable it, Windows 365 will store user-specific Windows and app experience data in central cloud storage and reconnect it whenever the user signs in to the Cloud PC in this provisioning policy.

By preserving Windows personalization, users will benefit from a consistent, productive experience every time they sign in to their Cloud PC or Cloud App. User storage limits depend on the Frontline license type and are pooled across all assigned users.

When everything’s done, click Next.

Scope Tags

If you want, Windows 365 gives you the option to create scope tags for your provisioning policy. Scope tags are particularly important for ensuring that Admins’ access and visibility tie to what they expect to manage. Limiting access in this manner serves to enhance overall security for your organization.

Only admins assigned the Microsoft Entra Intune Administrator role can create, update, or delete scope tags. This means that admins with scope tags in their role assignments can’t update or delete the scope tag from the master list of scope tags. To create a scope tag:

  • Go to the Microsoft Intune Admin center and select Tenant administration > Roles > Scope (Tags) > Create.
    • On the Basics page, provide a Name and Description (optional). Choose Next.
    • Now you go to the Assignments page and select the groups containing the devices that you want to assign this scope tag. Click Next.
    • On the Review + create page, choose Create.

Creating Assignments

  • Navigate to the Assignments page, choose Select groups > choose the groups you want this policy assigned to > Select. Nested groups aren’t currently supported.
  • A Cloud PC size for each group in the policy will need to be selected for Windows 365 Frontline in dedicated mode.
  • Choose Select one > select a size under Available sizes > Select.
  • This step is optional. You can create an assignment to reserve licenses for the group members by following the steps given below:
  • Navigate to Assignment and type in an Assignment name.
  • Under Number of licenses, type in the number of licenses that you would like to reserve for the group. You can also see the number of unassigned licenses.
  • When it comes to Windows 365 Frontline in shared mode, you will need to:
  • Choose Select one > select a size under Available sizes > Select.
  • Now you need to enter a Friendly name > select a Cloud PC number > Next. This Friendly name will be visible in the end user’s Windows app.
  • Click Next.

Review and Create

Once you have completed all the steps that I have gone over and you’ve checked that everything is as it should be, you can now head over to the Review + create page and select Create. Those who use Microsoft Entra hybrid join as the join type should be prepared to wait for up to an hour for the policy creation process to complete.

Ultimately, how much time it takes will depend on when the Microsoft Entra Connect sync last happened. And then, following the creation and assignment of the provisioning policy, Windows 365 will automatically begin the process of provisioning Cloud PCs.

Making Changes to Provisioning Policies

In some instances, you may find yourself needing to make changes to your provisioning policies so that you can change assignments or key attributes, like image and network connection. To do so, you’ll need to:

  • Navigate to the Microsoft Intune Admin center and sign in. Then, select Devices > Windows 365 (under Provisioning) > Provisioning policies > select a policy.
  • Next, if you go to the policy page, you can make changes to the General information, Image, and Assignments by selecting Edit next to each header. Admins should note that no modifications take effect for previously provisioned Cloud PCs. This includes if the network, image, region, or single sign-on configuration in a provisioning policy is edited.

The changes that you are making to the provisioning policy will apply to newly provisioned or reprovisioned Cloud PCs. Therefore, if you want to change the image of your previously provisioned Cloud PCs to match the new image, then you will have to reprovision these Cloud PCs. And if you want the network, region, or single sign-on of previously provisioned Cloud PCs to adopt the new changes, you’ll need to apply the current configuration.

Name changing

Changing the name of the provisioning policy in the General information will result in the following modifications:

  • Any Cloud PC in the All Cloud PCs node applies the new policy name updated in the Provisioning policy column.
    • All new Cloud PCs resulting from the provisioning policy will apply the new name registered as the device’s enrollmentProfileName in Microsoft Entra ID and Microsoft Intune. Note that the enrollmentProfileName property for Cloud PCs applies only during initial enrollment. Admins must remember to edit any dynamic device group rules that use the enrollmentProfileName property if they decide to change the name of a provisioning policy. Doing so allows the rules to continue to include the correct Cloud PCs.
  • Property = enrollmentProfileName
  • Operator = Equals
  • Value = <New name for provisioning policy>

The provisioning process proceeds automatically when new users with valid Cloud PC licenses are assigned to the provisioning policy. On the other hand, if users are removed from the provisioning policy assignment:

  • The grace period triggers for Enterprise Cloud PCs.
  • Frontline Cloud PCs in dedicated mode are immediately deprovisioned, but those in shared mode remain unaffected.

Applying the Current Configuration for Enterprise and Frontline in Dedicated Mode

Applying a configuration change to existing Cloud PCs is easy. Just modify and then save the changes to an existing provisioning policy. After which, you go to the policy page and select Apply this configuration. With that done, you can now proceed to choose the configuration change to apply to existing Cloud PCs from the list provided, which includes region and single sign-on. Click Apply.

Applying the Current Configuration for Frontline in Shared Mode

Apply a configuration change to existing Cloud PCs by modifying and then saving the changes to an existing provisioning policy. After which, you go to the policy page and select Reprovision. Once you’ve done that, you’ll now need to decide on the percentage of Cloud PCs that you want to make sure is available for user connections. Then, select Continue.

Getting Started

After successfully completing the creation of a provisioning policy, the new Windows 365 policy will be deployed. A bit of patience is required because, as mentioned above, completing the policy creation process can take up to 60 minutes. Admins can keep an eye on the status of the policy deployment via the Intune portal.

When the process is complete, admins can then check if the provisioned Cloud PC is accessible. The verification happens using the Windows App or any web browser. And if the authentication succeeds, then the newly provisioned Cloud PC will appear as ready for use. End users can access their Cloud PCs according to the information in the table below.

Windows 365 EditionWindows Appwindows.clous.microsoft web clientMicrosoft Remote DesktopLG Web OS
Windows 365 Business              X              X               X              X
Windows 365 Enterprise              X              X               X              X
Windows 365 Frontline              X              X  
Windows 365 Government              X              X  

Note: Microsoft Remote Desktop support will end in March 2026. Furthermore, the Remote Desktop Connection client (mstsc.exe) is not a supported connection method for Windows 365 users. So, even though you may successfully use it for troubleshooting, you should not be reliant on it for daily access. Instead, use a supported client, such as the Windows App or the Microsoft Remote Desktop app.

Access Options

WINDOWS APP

Windows App connects remotely to your Windows devices and apps from Azure Virtual Desktop, Windows 365 Cloud PCs, Microsoft Dev Box, Remote Desktop Services, and PCs, securely connecting you to Windows devices and apps. It can be used on any device and is thus the recommended application to connect to Windows 365 Cloud PCs.

Users connecting using a web browser on a desktop or laptop will be able to do so without needing to download and install any software. Not only that, but Windows App is available for Windows, macOS, iOS/iPadOS, Android, Chrome OS, web browsers, as well as Meta Quest VR headset.

Windows 365 web site

Alternatively, users can access their Cloud PCs using the Windows 365 web site (windows.cloud.microsoft). However, for one to access their Cloud PC from this web site, they will need a device that runs a supported operating system such as Windows, macOS, ChromeOS, or Linux. Additionally, a modern browser like Microsoft Edge, Google Chrome, Safari, Mozilla Firefox (v55.0 and later), or LG webOS 23 will also be a requirement.

Home Page

After getting access to their Windows 365 home pages, users can see the Cloud PCs they have access to in the Your Cloud PCs section. On this page, users find 2 options for connecting to their Cloud PCs:

  • Open in browser – enables you to open your Cloud PC in the web client. This option is not available to mobile devices.
  • Open in Remote Desktop app – enables you to open your Cloud PC in Remote Desktop.

Conclusion

Adding Windows 365 Cloud PCs to your operations does not need to be an overly complicated process. Microsoft has designed Windows 365 with a vision of making it a platform that is easy to deploy, use, and maintain. But, as with any endeavor, careful planning can make all the difference. Hence, the reason behind this two-part blog. By going over all the steps involved in creating a provisioning policy, admins will have a much easier time setting up their Cloud PC environments.

Simplifying The Creation of Windows 365 Provisioning Policies (part I)

Posted on by
1

The importance of virtual machines to businesses continues to grow as the technology itself has constantly improved. Services like Windows 365 can become integral to an organization’s IT operations by providing highly secure, efficient, and scalable Cloud PCs.

As hybrid work environments grow even more popular among remote-capable employees, businesses need to take advantage of tested solutions such as Windows 365. Once you have made your decision, it’s also vital to provision your Cloud PCs correctly so your IT environment operates seamlessly.

Why Choose Windows 365?

A simple web search will probably show you several options that your business has when trying to pick a virtual machine solution. So, here are a few reasons why the Windows 365 Cloud PC may be the ideal solution for your organization:

  • Flexibility – one of the best features of Windows 365 is that it is accessible from anywhere using any device. This gives remote employees a great degree of convenience, too. This is because, in addition to accessing their desktops from anywhere. It’s equally convenient that the Cloud PC allows them to do so on any device they have on hand.
  • Scalability – unsurprisingly, this one is very popular with a lot of businesses. As a service that caters to both small and large enterprises, Windows 365 offers a range of solutions to meet each client’s specific needs. By providing flexible configurations, each organization receives a service plan that adequately meets its performance requirements while remaining cost-efficient. As the business evolves, computing resources can scale to meet usage needs.
  • Security – security concerns are often the primary reason organizations turn aways cloud-based services. Fortunately, Windows 365 addresses those concerns with security features such as Microsoft Defender and Zero Trust principles, among others. Such features play a major role in keeping your organization’s data extremely secure at all times.

Significance of Provisioning Policies

Provisioning policies are the elements necessary for creating and assigning Cloud PCs to their users. They will determine which operating system version to use, as well as join type, language, and region.

By using critical provisioning rules and settings, these policies will facilitate the building and configuring of Cloud PCs before availing them to end users. Once you create and assign a provisioning policy to the Microsoft Entra user security groups or Microsoft 365 Groups, the Windows 365 service will verify licensing and configure the Cloud PC.

KEY INFORMATION 

Before proceeding with the creation of provisioning policies, IT professionals should take note of the following information:

  • Windows 365 Enterprise – Windows 365 does not provision Cloud PCs for users in an assigned group who don’t have Cloud PC licenses assigned. Furthermore, each Cloud PC license assigned to a user will use only one provisioning policy to set up and configure the Cloud PC. A Cloud PC will always provision using the first assigned policy.
  • Windows 365 Frontline in dedicated mode – you should prepare for some users to not get their Cloud PCs. This occurs if there are more users in your Microsoft Entra user group than the number of Cloud PCs available for the selected size. And if any users are removed from the Microsoft Entra user group, the respective Cloud PCs automatically move into a grace period.
  • Windows 365 Frontline in shared mode – in this instance, users removed from your Microsoft Entra user group will lose access to their Cloud PCs. And if the Microsoft Entra user group is removed from the assignment, the Cloud PCs are automatically deprovisioned with no grace period.
  • Windows 365 Reserve – Cloud PCs will not automatically provision when creating the provisioning policy. Instead, provisioning will require the “Provision” device action. Additionally, some users might not receive their license assignment. For example, you may have more users in your Microsoft Entra user group than the number of licenses available in the tenant. Each Cloud PC license assigned to a user will have only one provisioning policy used to set up and configure the Cloud PC. And as before, Cloud PC provisioning always uses the first assigned policy.

Creating a Provisioning Policy

To create a provisioning policy, you will need to first provide some general information:

  • Start by navigating to the Microsoft Intune Admin center and signing in. With that done, select Devices > Windows 365 (under Device onboarding) > Provisioning policies > Create policy.
  • Next, you’ll need to provide a Name for the new policy on the General page. You can also provide a description (optional).
  • There are 2 experience types you can choose from. The first option gives you access to a full Cloud PC desktop and is available for all Windows 365 license types. This means that end users can connect to a full Windows desktop experience. The second option is only available for Windows 365 Frontline in shared mode and allows end users to only access apps that run on a Cloud PC.
  • At this juncture, you’ll need to choose a license type, which can be Enterprise, Frontline, or Reserve. However, those who select Frontline will require Windows 365 Frontline licenses to create a provisioning policy for Frontline Cloud PCs. Additionally, if you choose Frontline, you need to choose between Dedicated and Shared.

Deciding on a Join Type

If you choose to go with either Enterprise or Frontline, then you will need to pick a Join Type.

MICROSOFT ENTRA JOIN

Opting for Microsoft Entra Join has several advantages, such as streamlined device management and configuration, which helps to simplify IT operations. Combined with the excellent security measures and reduced delays in provisioning, there are plenty of reasons to make this option very attractive. To set up Entra Joined Windows 365 Cloud PCs, here are some of the requirements to consider:

  • You need an Intune and a Microsoft Entra tenant.
  • You also need to have Intune default device type enrollment restrictions set to Allow Windows (MDM) platform for corporate enrollment.
  • With Intune as the primary device management, an Intune license will be necessary.
  • Enterprise users need licenses for Windows E3, Intune, Microsoft Entra ID P1, and Windows 365 to use their Cloud PC. On the other hand, Frontline users need licenses for Windows E3, Intune, and Microsoft Entra ID P1. They will be added to the Microsoft Entra security group in the provisioning policy to use their Cloud PC.
  • You need to have an administrator role. This can be either an Intune Administrator in Microsoft Entra ID or a Windows 365 Administrator if you want to provision Cloud PCs.

Entra Join comes with three options for network:

  • Microsoft hosted network – you start by choosing the Geography where you want your Cloud PCs provisioned. With that done, you can pick a Region from the following:
  • [Recommended] All default regions within the geography (not supported for Frontline in shared mode) – enables you to maximize resiliency and provisioning success. This is the recommended option because it allows Cloud PCs to distribute across the maximum number of regions with a similar latency experience.
  • A single region group – for those who want all their Cloud PCs to be in one specific country or region group, it will be ideal to choose only that region group. By doing so, Cloud PCs will then distribute across its regions. This delivers maximum resiliency at the region-group level.
  • A specific region – this is your best option if you want to ensure that all your Cloud PC provisioning occurs in the specific region that you chose. Additionally, you can also choose regions across multiple region groups.
  • Auto opt-in – there is also an auto opt-in checkbox available that, if you enable, will automatically include any future regions or region groups as they become available. This gives you the convenience of benefiting from the latest Azure expansion without the need for manual updates.
  • Azure network connection – for this policy, you need to select an Azure network connection (ANC).

HYBRID MICROSOFT ENTRA JOIN

Hybrid Microsoft Entra Join also has its advantages, especially for businesses that want to tap into the benefits of cloud-based solutions while still using on-premises applications and servers. This works well because these types of devices enable a seamless operation for both systems. However, you need to be aware that you cannot use this policy without selecting an ANC.

Choosing an Azure Network Connection

An ANC is required for your provisioning policy if you have chosen either of the options below:

  • Join type – Hybrid Microsoft Entra Join
  • Join type – Microsoft Entra Join and

Network – Azure network connection

The steps below will guide you through the selection of an ANC:

  • Pick one or more ANCs on the General page for Azure Network Connection.
  • Those who select more than a single ANC can set the priority order for those ANCs. Doing so is a simple process that requires you to hover over an ANC before selecting and dragging on the three dots. After doing that, you can then drag the ANC to a different position in the list.

If the first ANC in the list has no issues, it will always be used to provision Cloud PCs under this policy. However, in the event that something is wrong, then the policy will use the ANC that is next on the list, provided that it’s healthy.

Using Alternate ANCs

Having alternate Azure Network Connections is a great option to have that helps minimize delays during provisioning. Without alternate ANCs, the Cloud PC provisioning process for policies that use an unhealthy ANC is blocked. As one can imagine, this would be extremely frustrating.

It’s this kind of scenario that gave rise to the alternate ANC, a great feature enabling you to define more than one ANC within a provisioning policy. Admins can add several alternate ANCs listed according to priority.

As mentioned earlier, if the highest-priority ANC fails, the next one on the list will be used. If the primary ANC recovers, it will automatically be used for new Cloud PCs being provisioned.

USE CONSIDERATIONS

Below are some of the considerations that businesses should look at before adding additional ANCs.

  • Alternate ANC use is optional. A provisioning policy only requires a single ANC, and adding alternate ANCs is not mandatory. This simply means that those with a single ANC and who see no reason to change will not be required to modify their existing configurations.
  • Alternate ANC selection is automatic. The choice of which ANC to use is automatic and follows the priority order list. Therefore, admins don’t need to manually make changes if the primary ANC becomes unhealthy. If a failure occurs, the next healthy ANC on the list will be the default. Admins should also be aware that they should not add an alternate ANC if they don’t want to provision into an alternate region.
  • Alternate ANCs should use the same domain. The alternate ANCs that you add to your provisioning policy should match the domain you use as your primary ANC if you are using a Hybrid Microsoft Entra Join ANC. If you don’t ensure this match, you can easily end up with some Cloud PCs joined to the primary ANC domain. Additionally, others may join the alternate ANC domain.
  • Alternate ANCs should be geographically appropriate. This is because the alternate ANCs will be substitutes if the primary ANC becomes faulty. You need to carefully consider the Azure regions in which these ANCs are created. You want to avoid having regions geographically far apart, as well. In this scenario, Cloud PCs in those regions are not suitable for the users you intend to provision.
  • Monitor your ANC health. Admins should be meticulous about regularly checking the health of primary ANCs. Otherwise, you could find yourself constantly dealing with a primary ANC that is frequently unhealthy. This results in more alternate ANC usage than you anticipated. You can avoid this by ensuring your primary ANC is always healthy, thereby reducing the need for the alternate ANC. An alternate ANC should be a fallback. And you should not add one unless you fully comprehend the consequences that come with provisioning Cloud PCs in a different ANC.
  • You can have Alternate ANCs in the same region. They don’t necessarily need to be located in a different region. There may be situations where alternate ANCs in the same region provide value.

Image Selection

Windows 365 enables the use of both default and custom operating system images to automatically create Cloud PCs. Microsoft Intune provides users with a gallery containing default images. These can be used when creating provisioning policies for Cloud PCs.

In this gallery, users will find a more than adequate list of regularly updated images available for use. But, if you decide against this, you also get the option to upload your own custom images. However, regardless of whether you prefer default or custom, all images must meet the following requirements:

  • Supported versions of Windows 10 or Windows 11 Enterprise.
  • Generation 2 images.
  • Generalized VM image.
  • Single Session VM images.
  • No recovery partition.
  • The image must never have been Active Directory, Microsoft Entra ID joined, Intune-enrolled, or enrolled for co-management.  
  • In addition to the above, custom images should also exist in an Azure subscription. They should also be stored as a managed image in Azure.

To select an image, head over to the Image page and for Image type, pick one of the following options:

  • Gallery image – Choose Select > select an image from the gallery > Select. (Note: For Reserve, the default gallery image is Automatic, where Windows 365 selects the latest image.)
  • Custom image: Choose Select > select an image from the list > Select.
  • Optional – If you chose Access only apps for Experience in the previous steps, then you can view applications discovered in the image. You will also be available to publish as Cloud Apps after creating the provisioning policy.

Once you’re done with your selection, click Next.

Wrap Up

Windows 365 Cloud PCs provide many benefits that can help businesses enhance their IT operations. End users get to access their desktops remotely and remain productive without having to worry about data security. Businesses can scale their resources up or down depending on their specific needs.

And just as importantly, Windows 365 is designed to be easy to set up by simplifying processes such as the creation of provisioning policies. As we’ve seen in part I of this blog, the process is not complicated, and we’ll be continuing our look into provisioning policies in the second part of this blog.

Microsoft Intune Connector for Active Directory – Updated and Improved

Posted on by
2

The Intune Connector for Active Directory, also referred to as the Offline Domain Join (ODJ) Connector, is responsible for joining computers to an on-premises domain during the Windows Autopilot process.

This Intune Connector for Active Directory will create computer objects in a specified Organizational Unit (OU) in Active Directory during the domain join process. Unfortunately for Microsoft, it appears as though there have been some issues with setting up the connector with build 6.2501.2000.5.

Common Issues with the Intune Connector for AD version 6.2501.2000.5

According to the feedback that Microsoft received, here are some of the more common challenges that customers run into.

IssueDetails
Error “MSA account <accountName> is not valid” when signing in.This happens when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Several things could cause this, including replication delays between domain controllers in a single domain, or when the user account exists in a different domain to the connector machine. Fortunately, this issue is resolved in build 6.2504.2001.8.
Error “Failed to create a managed service account – Element not found.” 
Error “Cannot start service ODJConnectorSvc on computer ‘.’. —> System.ComponentModel.Win32Exception: The service did not start due to a logon failure” after the MSA is created.This has been observed when the service can’t run as the MSA. Several issues can cause the service to not be able to run as the MSA, including group or local policy restricting Log on as a service privileges.
Error “System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.” 

New and Improved Build

In light of everything, Microsoft released an update and build that intends to address the recent challenges. This update specifically resolves come of the client feedback and it also improves overall functionality. Users can download this new build 6.2504.2001.8 from Microsoft Intune. From this improved version, you can expect:

  • A new sign in page in the wizard that now uses WebView2, lives on Microsoft Edge, instead of the previously used WebBrowser.
  • There is resolution to the error “MSA account <accountName> is not valid” that some clients were seeing.
  • The error “Cannot start service ODJConnectorSvc on computer” is available for mitigation.
  • The error “System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred” is also available for troubleshooting and mitigation.

Updated Intune Connector

Windows Autopilot continues to use the Intune Connector for Active Directory to deploy hybrid joined Microsoft Entra devices. Going forward, Intune is looking to enhance security. It does so by updating the connector to use a Managed Service Account (MSA) instead of a SYSTEM account.

Customers will find the updated Connector available for download from within Intune. And although the legacy connector may still be available for download, it will no longer have support in late June 2025. So, before that happens, you need to plan to update the connector because this won’t happen automatically.

Updated Troubleshooting Guide

ProblemSolution
Why is the Intune Connector for Active Directory not logging in Event Viewer even though logging is enabled?The connector originally logged in the Event Viewer directly under Applications and Services Logs in a log called ODJ Connector Service. But, going forward, logging for the connector has been moved to the path Applications and Services Logs > Microsoft > Intune > ODJConnectorService. This means that users who find the ODJ Connector Service log at the original location empty or not updating should check the new path location.
Why does uninstalling the Intune Connector for Active Directory through the Settings app not fully remove the application?Uninstalling the connector requires you to use both the Settings app and the Intune Connector for Active Directory installed executable ODJConnectorBoostrapper.exe. To uninstall the connector, run ODJConnectorBoostrapper.exe and select the Uninstall option. Make sure that the ODJConnectorBoostrapper.exe installer version matches the version of the connector you’re uninstalling.
Why is the error “The MSA account couldn’t be granted permission to create computer objects in the following OUs” occurring when installing the Intune Connector for Active Directory?Different types of failures can cause this error including: The admin installing and configuring the connector not having the required permissions. The OU specified in the Intune Connector for Active Directory ODJConnectorEnrollmentWiazard.exe.config XML configuration file doesn’t exist.   To view more information on the error and what caused it, see the ODJConnectorUI.log normally located in the following folder:   C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard
Why is the error “Cannot start service ODJConnectorSvc on computer ‘.'” occurring when setting up the Intune Connector for Active Directory?A few reasons could cause this error including the following: The domain has more than one domain controller with a replication latency policy. The MSA was created in one of the domain controllers but the search happened against another domain controller. Wait until replication completes in accordance with your policy or manually sync. Once the replication is complete, then open the connector and choose Configure MSA.A group policy is configured that doesn’t allow services to start as a non-privileged account. Check that the MSA account has Log on as a service privileges granted.
Why is the error “Microsoft Edge can’t read and write to its data directory” occurring?This error shows that the user needs read/write permissions to the listed directory.
Why did enrollments start failing when using the Intune Connector for Active Directory?Verify that the Intune Connector for Active Directory is updated to version 6.2501.2000.5 or later and that the legacy version isn’t still being used.
Why are the errors “Navigation to the webpage was canceled” or “Can’t connect securely to this page” occurring while setting up the Intune Connector for Active Directory?Different types of issues can cause this error including: The server where the admin has chosen to install and configure the Intune Connector for Active Directory lacks the required internet access or required Intune URLs aren’t allowed. The server is sending network requests via TLS 1.0 or 1.1 because PKCS Cryptography is disabled. You can fix this on the server hosting the Intune Connector for Active Directory by deleting the registry key value specified in the following command by running the command from an elevated command prompt:   reg.exe delete “HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS” /v Enabled /f

Pre-installation Requirements for Intune Connector

Before carrying out the installation, you need to verify that you meet all the requirements for the Intune Connector for Active Directory:

  • The connector will work best when installed on a computer running Windows Server 2016 or later with .NET Framework version 4.7.2 or later.
  • The server hosting the Intune Connector for Active Directory must have access to the Internet and Active Directory.
  • Multiple connectors can install in a domain, as this will increase scale and availability. Each connector must be able to create computer objects in the domain that it supports.
  • The administrator carrying out the installation must be a local administrator on the server where the Intune Connector for Active Directory is installing.
  • For the updated Connector, installation will require an account with the following domain rights:
  • Required – Create msDs-ManagedServiceAccount objects in the Managed Service Accounts container
  • Optional – Modify permissions in OUs in Active Directory – if the administrator installing the updated Intune Connector for Active Directory doesn’t have this right, additional configuration steps by an administrator who has these rights may be essential.

Installation Process

Internet Explorer Enhanced Security Configuration

The change to using WebView2 that comes with build 6.2504.2001.8 means that turning off the Internet Explorer Enhanced Security Configuration setting in Windows Server is no longer necessary. So, as long as you have version 6.2504.2001.8 or later of the connector installed, you should not run into problems with the Internet Explorer Enhanced Security Configuration setting.

DOWNLOADING THE CONNECTOR

To install the new connector in your environment, you can download it from the Intune admin center as follows:

  • Sign into the Intune admin center on the server where you want to install the connector.
  • Select Devices in the Home screen.
  • Select Windows in the Devices | Overview screen, under By platform.
  • Select Enrollment in the Windows | Windows devices screen, under Device onboarding.
  • Select Intune Connector for Active Directory in the Windows | Windows enrollment screen, under Windows Autopilot.
  • Select Add in the Intune Connector for Active Directory screen.
  • In the Add connector window that opens, under Configuring the Intune Connector for Active Directory, select Download the on-premises Intune Connector for Active Directory. The link downloads a file called “ODJConnectorBootstrapper.exe.”

INSTALLING THE CONNECTOR ON THE SERVER

  • Sign into the the server where you want to install the connector using an account that has local administrator rights.
  • Before you can install the updated Intune Connector for Active Directory, you need to first uninstall the legacy connector.
  • Open the downloaded “ODJConnectorBootstrapper.exe.” file to launch the Intune Connector for Active Directory Setup install.
  • Go through the Intune Connector for Active Directory Setup install.
  • When installation is complete, tick the checkbox Launch Intune Connector for Active Directory.

SIGNING IN With Intune Connector

  •  Select Sign In in the Intune Connector for Active Directory window, under the Enrollment tab.
  •  Sign in with the Microsoft Entra ID credentials of an Intune admin role under the Sign In tab. Also note that the user account needs to have an assigned Intune license.
  •  With the sign in process done:
  • A “The Intune Connector for Active Directory successfully enrolled” confirmation window appears. Click OK to close the window.
  •  An “A Managed Service Account with name “<MSA_name>” was successfully set up” confirmation window appears. The name of the MSA has the format “msaODJ#####” with the ##### representing 5 random characters. Notate the name of the MSA created, and then click OK to close the window.
  •  The Enrollment tab shows Intune Connector for Active Directory as officially “enrolled.” The Sign In button will also be gray and Configure Managed Service Account will show as enabled.
  •  Close the Intune Connector for Active Directory window.

VERIFICATION

Once authentication finishes, the Intune Connector for Active Directory will finish installation. After the completion of installation, you can verify that the connector is active by following the steps below:

  •  Head over to the Microsoft Intune admin center if it’s still open. From there, close the Add connector window if it’s still there. Alternatively, if the Microsoft Intune admin center isn’t still open:
  • Sign into the Intune admin center.
  • Select Devices in the Home screen.
  • Select Windows in the Devices | Overview screen, under By platform.
  • Select Enrollment in the Windows | Windows devices screen, under Device onboarding.
  • Select Intune Connector for Active Directory in the Windows | Windows enrollment screen, under Windows Autopilot.
  • In the Intune Connector for Active Directory page:
  • Confirm that the server displays under Connector name and shows as Active under Status.
  • Don’t forget to verify that the version is greater than or equal to 6.2501.2000.5 for the updated Connector.

If you don’t see the server displayed, select Refresh or head away from the page before going back to the Intune Connector for Active Directory page. Once the connector installs, it will start logging in the Event Viewer under the path Applications and Services Logs > Microsoft > Intune > ODJConnectorService.

Wrap Up

The previous version of the Microsoft Intune Connector for Active Directory presented several issues for many customers. And as one would expect, these issues reduced the efficiency of the connector and negatively impacted functionality.

Fortunately, with build 6.2504.2001.8, Microsoft is taking heed of the feedback from its clients to make the necessary adjustments. Going forward, clients can look forward to leveraging a connector with better functionality and significantly less issues. And if you do run into any problems, Microsoft provides updates the troubleshooting guide.

Say Goodbye To windows365.microsoft.com – Welcome The Windows App Portal

Posted on by
Reply

Microsoft products and services have been widely used across the globe for decades now. From office environments and universities to people’s homes, Microsoft has consistently provided invaluable service.

As technology has evolved, one of the things that has been at the forefront of a lot of the change that we have witnessed is the issue of access. Considering the popularity of services such as Windows 365 Cloud PC, Azure Virtual Desktop, and Microsoft 365, Microsoft wants its clients to have easy access to devices and applications. Hence the development of the Windows App Portal.

Introducing the Windows App

Windows App is a service that will remotely connect to your Windows devices and apps from Azure Virtual Desktop, Windows 365 Cloud PCs, Microsoft Dev Box, Remote Desktop Services, and PCs. It aims to guarantee you a secure connection to Windows devices and apps. Windows App comes with a lot of flexibility thus allowing you to use it with various types of devices on different platforms and form factors. The service is available for Windows, macOS, Android, Chrome OS, web browsers, meta quest VR headset, and iOS/iPadOS.

Owing to this flexibility, clients can use their desktops, laptops, tablets, or smartphones. Additionally, individuals that will be using a web browser on a desktop or a laptop won’t need to download and install any software. Below are the services and products you can connect to from different platforms:

Connect ToWindowsmacOSiOS / iPadOSAndroid / Chrome OSWeb BrowserMeta Quest
Azure Virtual DesktopYesYesYesYesYesYes
Windows 365YesYesYesYesYesYes
Microsoft Dev BoxYesYesYesYesYesYes
Remote Desktop ServicesNoYesYesYesNoYes
Remote PCNoYesYesYesNoYes

Benefits of Windows App

Windows App aims to provide organizations with a consistent, reliable experience for all devices, enabling secure access from any location. Whether your platform of choice is Azure Virtual Desktop, Windows 365, Remote Desktop, or any of the others, the goal with Windows App is to ensure that the process is easier thereby enabling you to manage and utilize these resources from a single, intuitive app.

In addition, this service is not uniquely for IT admins only. End-users can also take advantage of the many features to tailor their experience to fit their personal workflows. On the other hand, admins will find great value in the added security as well as streamlined management. Other exciting features that businesses can look forward to include:

  •  Unified access – manage and access multiple Windows services, including cloud PCs, virtual desktops, and local PCs, from a single, streamlined interface.
  •  Customizable experience – end-users get the option of personalizing their interfaces thanks to the customizable home screens, multimonitor support, and dynamic display resolutions.
  •  Enhanced experience – take advantage of great features including device redirection, Microsoft Teams optimizations, and easy account switching for an efficient remote working experience.

Prerequisites

WINDOWS

There are a few requirements that you need to meet before you can download Windows App and connect to your Cloud PC from Windows:

  •  As one would expect, you need an internet connection before you can download Windows App from the Microsoft Store and connect to Windows 365. Most people should have no issues here but if you happen to be on a network that blocks internet access then you’ll have to allow access to the list at Required FQDNs and endpoints.
  •  Your user account for Windows 365, and you’re assigned a Cloud PC by your administrator. Users can also sign in with multiple accounts and switch between them when necessary. A personal Microsoft account can’t be used to sign in.
  •  Your device must be running a supported version of Windows 11 or Windows 10 (21H2 and later including LTSC and IoT Enterprise). If you are running a version of Windows 10 that no longer has mainstream support, you must have your device enrolled in the Extended Security Updates (ESU) program.

MACOS

Before you can download Windows App and connect to your Cloud PC from macOS, you’ll need to meet the following requirements:

  •  An internet connection will be required before you can download Windows App from the Mac App Store and connect to Windows 365. Again, the majority of users won’t have problems here but those using networks that block internet access will have to allow access to the list at Required FQDNs and endpoints.
  •  Your user account for Windows 365, and you’re assigned a Cloud PC by your administrator. Users can also sign in with multiple accounts and switch between them when necessary. A personal Microsoft account can’t be used to sign in.
  •  Your device must be running macOS 12.0 or later.

iOS/iPadOS

Before you can download Windows App and connect to your Cloud PC from iOS or iPadOS, you need to verify the requirements below:

  •  An internet connection is a requirement before you can download Windows App from the App Store and connect to Windows 365. Most users won’t encounter any challenges during this process but those working on networks that block internet access will have to allow access to the list at Required FQDNs and endpoints.
  •  Your user account for Windows 365, and you’re assigned a Cloud PC by your administrator. Users can also sign in with multiple accounts and switch between them when necessary. A personal Microsoft account can’t be used to sign in.
  •  Your device must be running iOS or iPadOS 16.0 or later.

ANDROID/CHROME OS

There are a few requirements that you need to meet before you can download Windows App and connect to your Cloud PC from Android or Chrome OS:

  •  An internet connection will be required before you can download Windows App from the Google Play Store and connect to Windows 365. The majority won’t encounter any challenges during this process but those working on networks that block internet access will have to allow access to the list at Required FQDNs and endpoints.
  •  Your user account for Windows 365, and you’re assigned a Cloud PC by your administrator. Users can also sign in with multiple accounts and switch between them when necessary. A personal Microsoft account can’t be used to sign in.
  •  Your device must be running Android 10 or later and Chrome 126 or later.

WEB BROWSER

You need to meet the requirements listed below before you can download Windows App and connect to your Cloud PC from a web browser:

  •  You must have an internet connection to connect to Windows 365. Most people should have no issues here but if you happen to be on a network that blocks internet access then you’ll have to allow access to the list at Required FQDNs and endpoints.
  •  Your user account for Windows 365, and you’re assigned a Cloud PC by your administrator.
  •  Additionally, you should ensure that your web browser is supported. Unfortunately, Windows App won’t support mobile web browsers. Supported browsers must also:
  • Be less than 12 months old on a rolling basis.
  • Support the AVC codec, which fortunately has support by default on most desktops and laptops.
  • Have WebGL enabled which you will also find enabled by default on most recent browser versions.
  •  The table below contains information about the web browsers that you can use.
Web BrowserSupported PlatformsNotes
Microsoft EdgeWindows, macOS, Linux, Chrome OSVersion 79 or later
Google ChromeWindows, macOS, Linux, Chrome OSVersion 57 or later
Apple SafarimacOSVersion 11 or later
Mozilla FirefoxWindows, macOS, LinuxVersion 55 or later

META QUEST

You need to meet the requirements listed below before you can download Windows App and connect to your Cloud PC from Meta Quest:

  •  A Meta Quest 3 or Quest 3S headset.
  •   Users must also have a Meta Quest for Business subscription installed on their headsets to connect to Windows 365.
  •   Users will need to have an internet connection to download Windows App from the Meta Store and connect to Windows 365. In most cases, end-users won’t run into problems, but for those using networks that block internet access, they will have to allow access to the list at Required FQDNs and endpoints.
  •   Your user account for Windows 365, and you’re assigned a Cloud PC by your administrator.

Connect To Your Cloud PC

  •  To connect to your Cloud PC on Windows, you should start by downloading and installing Windows App from the Microsoft Store. Once installation is complete, open Windows App. Windows App for Windows may also download as a standalone outside of the Microsoft Store as a .msix file. The download links can be found here.
  •  Next, you need to select Sign in and sign in with your user account for Windows 365. End-users will be signed in automatically if they’re already signed in to a local Windows device with a work or school account on a managed device.
  •  During the first time using Windows App, you can navigate through the tour to learn more about Windows App, then select Done. Alternatively, you can simply select Skip.
  •  Once signed in, select Devices to show your Cloud PC and any other services you have access to. If you don’t see a Cloud PC, contact your administrator.
  •  A search box and filters are available to help you find the Cloud PC that you want to connect to.
  •  Select Connect on a Cloud PC to connect. Once the connection to your Cloud PC is complete, you’re ready to start using it. End-users can benefit from quick access by adding their favorite Cloud PCs to Task view in Windows 11 or the Favorites tab of Windows App.
  •  The process for connecting to a Cloud PC on macOS, iOS/iPadOS, Android/Chrome OS, web browser, and Meta Quest are similar to this one. The specifics for each process are in this article.

End-users should expect to find a customizable home screen that should be perfectly adaptable to one’s workflow needs. As mentioned earlier, flexibility is one of the key aspects of Windows App and this will allow end-users Windows access across multiple different services and remote PCs from a single place.

Features

Not only that, but end-users can also pin the favorites they access most. And for those with multiple accounts, the account switching feature makes switching between accounts a simple, seamless process. End-users will get several other features to enhance the remote experience and these include:

  • Multiple monitor support – end-users get the option to use multiple monitors thereby enabling them to work more efficiently.
  • Custom display resolutions – the display resolution of a Cloud PC or remote app is customizable so that it fits the unique needs of the user.
  • Dynamic display resolutions and scaling – to perfectly match your device, Windows App will automatically adjust the display resolution and scaling of your Cloud PC or remote app.
  • Device redirection, such as webcams, audio, storage devices, and printers – devices can redirect to a Cloud PC or remote app.
  • Microsoft Teams optimizations – Windows App is optimized for Microsoft Teams thus ensuring a great user experience.
  • Sign in with multiple accounts and easily switch between them.

Wrap Up

Microsoft has made the transition from the Remote Desktop app to Windows App to provide businesses with a portal that delivers a better experience. End-users will benefit from unified access to multiple Windows services as well as customizable home screens, multimonitor support, and dynamic display resolutions. All of these are crucial to giving Windows 365 Cloud PC users a more seamless experience. And as Cloud PC users move away from windows365.microsoft.com, they will benefit from the enhanced workflows that the versatile Windows App will provide.

New Release: Full OneDrive Shortcut Support, Smarter Downloads, and Enhanced Reporting for Download-OD4BAccount.ps1

Posted on by
Reply

The Download-OD4BAccount.ps1 script just got another major update – and this one takes it to a whole new level.

Following the September refresh that added full pagination and improved reliability for large OneDrive libraries, this new release focuses on smarter downloads, better handling of OneDrive “shortcuts,” and a cleaner, dependency-free approach to working with the Microsoft Graph API.

And once again – a big thank-you to Gary Chamryk and others in the community for their real-world feedback, testing, and suggestions that made this update possible.

Why Another Update?

After the last version went live, several users (including Gary) noticed edge cases where certain file types or OneDrive “shortcut” folders didn’t export correctly.

Digging into the logs revealed that the Microsoft Graph PowerShell SDK’s @microsoft.graph.downloadUrl property can occasionally fail or behave inconsistently when handling shortcuts to remote drives or shared folders.

That’s where this new iteration comes in – with a cleaner, more reliable download engine built entirely on direct /content requests via the Graph API.
The script now uses:
Invoke-MgGraphRequest -OutputFilePath

to stream file content directly from Graph to disk – no longer relying on @microsoft.graph.downloadUrl.
This eliminates transient URL expiration issues and improves consistency across large multi-user exports.

Full OneDrive Shortcut (remoteItem) Support

OneDrive “shortcuts” (also known as remoteItems) are now fully supported.
The script automatically follows the referenced driveId and itemId, so both files and folders linked from other OneDrives or SharePoint document libraries are downloaded seamlessly.

Paths That Match the Real OneDrive View

Exported folder structures now reflect the actual visible OneDrive hierarchy, including shortcut names.
That means what you see in your OneDrive web UI is exactly what you’ll get on disk — no more confusing “shortcut_12345” placeholders.

Multi-Threaded Downloads, Inside Worker Runspaces

The existing multi-threaded model remains, but now imports the Microsoft Graph authentication module inside each worker runspace.
This ensures every parallel job runs independently with full Graph context, even in long-running sessions or constrained environments.

Original CSV Reports Intact

Reporting hasn’t changed – the familiar CSV export for file listings and results is preserved, ensuring backward compatibility for scripts or processes that rely on it.

Quick Start

The syntax remains simple and consistent:

.\Download-OD4BAccount.ps1 -Username [email protected] `
                           -Destination "D:\OD4B" `
                           -ThreadCount 3 -Verbose

he script still requires Microsoft Graph PowerShell and admin consent for:

  • Organization.Read.All
  • User.Read.All
  • Directory.Read.All
  • Files.Read.All

When to Use This Version

  • Offboarding or Archival – Export full OneDrive content (including shared shortcuts) for departing users.
  • Legal or Compliance Holds – Capture exact user views of OneDrive, including remote shared content.
  • Tenant-to-Tenant Migrations – Seamlessly move data structures between organizations without breaking links.

Community-Driven Evolution

This update wouldn’t exist without direct input from the field.
Gary Chamryk and others in the community helped identify the gaps, test fixes, and validate the new approach.

The best part of open tooling is that it keeps evolving with real-world usage — and this release is proof of that.

Get the Latest Version

🔗 Download the updated script: Download-OD4BAccount.ps1
(available on the same GitHub repository as before)

If you’re already using the script, I strongly recommend upgrading – especially if you’re exporting libraries that include OneDrive shortcuts or shared content.

As always, feedback and PRs are welcome. These scripts only get better because of the community behind them.

New and Improved: Download All OneDrive Files for a User with PowerShell – Updated Script

Posted on by
1


Back in early 2023 I published a post:
PowerShell script to download a user’s OneDrive content

That original script – Download-OD4BAccount.ps1 – quickly became one of my go-to tools for off-boarding and archiving user data. It let administrators export an entire OneDrive for Business library directly to on-premises storage without paying Microsoft to keep the data around.

Since then, the script has seen heavy real-world usage, and thanks to some great community feedback it just got a serious upgrade.

Why the Update

A reader recently reached out after running the script against a very large OneDrive.
They noticed that not every file was exported.

After some digging, we discovered the root cause:

  • The Microsoft Graph PowerShell cmdlets Get-MgUserDriveRootChild and Get-MgUserDriveItemChild now page their results by default.
  • Without explicit pagination, large folders could quietly drop files from the export.

This was a subtle but critical issue – your export might look fine at first glance, but some files would never make it to disk.

What’s New in the Updated Script

The refreshed script keeps the original simplicity and speed but addresses these limitations and more.

– Full Pagination Support

Both Get-MgUserDriveRootChild and Get-MgUserDriveItemChild now run with the -All switch, ensuring every item – even in massive libraries – is fetched.

– Reliable Folder Traversal

Recursive folder expansion now preserves the full path, so deep folder hierarchies are exported exactly as they appear in OneDrive.

– Broader Microsoft Graph Scopes

The connection now requests:

Files.Read.All, User.Read.All, Directory.Read.All

These scopes ensure cross-user OneDrive exports work reliably across tenants and admin scenarios.

– Cleaner Reports

Removed an undefined $Job field from the file report, preventing runtime errors.

– More Robust Downloads

The script now checks and creates destination directories before writing each file, so missing folder paths won’t break the download process.

– Improved Batching and Multi-Threading

Thread batching logic is more resilient when splitting large file lists, while keeping the same multi-threaded performance boost that made the original so fast.

Quick Start

The usage remains the same:

.\Download-OD4BAccount.ps1 -Username [email protected] `
                           -Destination "D:\OD4B" `
                           -ThreadCount 3 -Verbose

Prerequisites

  1. Microsoft Graph PowerShell Module (the script will auto-install if missing).
  2. Azure AD user with admin consent to approve:
    • Organization.Read.All
    • User.Read.All
    • Directory.Read.All
    • Files.Read.All (new requirement)

When to Use This Script

Off-boarding – export a departing employee’s OneDrive to a secure archive before disabling their account.

  • Legal hold or compliance – capture a one-to-one copy of a user’s OneDrive library for audit purposes.
  • Bulk migration scenarios – move large OneDrive libraries to on-prem or a different tenant without relying on paid retention.

Community-Driven Improvement

This update wouldn’t have happened without feedback from the community.
Real-world use exposed a change in the Microsoft Graph SDK behaviour, and the fix – adding -All – was simple but critical.

If you’ve used the original version, I highly recommend updating your copy with the new script to guarantee complete and reliable exports.

Download the updated script: Download-OD4BAccount.ps1

Feel free to share feedback or improvements. Real-world input keeps these tools evolving and useful for everyone.

Resize Windows 365 Frontline Cloud PCs On Demand

Posted on by
1

Organizations need to constantly re-evaluate their virtual environments to ensure that they are operating as productively as possible. Admins need to check that end-users have Cloud PCs capable of handling the workloads they need to deal with.

Simultaneously, they also need to verify that there are no under-utilized Cloud PCs that could be potentially repurposed. Dealing with issues like these is why Microsoft has consistently provided new features that will help admins better run their Cloud PC environments. With upgrades like the ‘Resize’ feature for the Frontline Cloud PCs, organizations will get a tool that enhances the operation of their virtual environments.

Introducing the Resize Feature

Since its introduction a few years ago, the Windows 365 Cloud PC has provided organizations with an exceptional service that delivers high-powered virtual PCs to employees anywhere. End-users can stream their desktops to their multiple devices and work remotely with ease.

Understandably, IT admins are constantly seeking for ways to run these virtual environments more efficiently. And with the addition of the Resize feature to the arsenal of management tools already available, organizations can now easily make resource adjustments across multiple Cloud PCs within a specific group or task assignment.

The adjustments can take place among resources such as CPU, storage, and RAM among others. A simple example of this could be a business with a group of Cloud PCs with allocated 4 GB of RAM and moderate computing power.

If a situation arises where end-users have more demanding workloads, admins can now quickly and easily perform a few steps that will deliver 8 GB of RAM. They can also increase processing power to every virtual device in that group. Having such a feature could potentially increase productivity with IT admins no longer having to dedicate significant time and effort to adjusting Cloud PCs individually.

Benefits

From the introduction, it’s not difficult to see why the Resize feature would be gladly welcomed by administrators. Organizations get to benefit from an upgrade that is perfectly in line with Windows 365’s goal of delivering streamlined operations that are highly efficient.

With the Resize feature, Microsoft is not simply looking to add another upgrade. Instead, it offers something that will also enhance the great features that Cloud PCs have become known for. Features such as flexibility, ease of working remotely, and scalability, among others, can be enhanced by the Resize feature. Organizations can look forward to:

STANDARDIZED RESOURCE ALLOCATION

One of the things that could previously hinder the effectiveness of a group was having varying Cloud PC configurations within a particular group. Unsurprisingly, without access to the same resources, the quality of work done is bound to suffer.

Fortunately, by using the new Resize feature, IT admins can ensure that all end-users within assignments or teams share a standard configuration for their Cloud PCs. This means that during the more demanding tasks, every user will have access to the same powerful resources. Because of this, every team member will have the capabilities to produce at the same level.

INCREASED EFFICIENCY

As one can imagine, manually adjusting every single Cloud PC that needs attention can be a difficult and time-consuming task. And that’s before we even mention the potential risk of administrative errors that can occur. IT admins will surely be thrilled with a tool that helps them make bulk adjustments swiftly and without hassle. All the time saved can then be dedicated toward more productive tasks.

FLEXIBLE SCALABILITY

Windows 365 is designed to deliver the resources that organizations need when they need them. This flexibility enables businesses to scale up or down as necessary. It also provides businesses another reason to choose the Cloud PC. Most businesses have periods during the year when they know that workloads will spike and greater resources will be required.

By leveraging the Resize feature, IT can quickly scale up resources. And they can do so without end-users facing downtime or the organization needing new virtual instances. This scaled up environment only requires maintenance for the duration of the workload spike. After which, admins can adjust resources back to normal status.

BETTER END-USER EXPERIENCE

To keep end-users happy and productive, having Cloud PCs that function as flawlessly as possible is a must. When teams are dealing with more demanding workloads, they need their computing resources adjusted quickly and accordingly. Busy frontline workers don’t want to be stuck with a sluggish device right when the pressure is on.

So, this gives end-users the resources they need exactly when they need them. It makes the Resize feature immensely valuable to more than just the individuals in the IT department.

How Does It Work?

The Resize feature operates by utilizing the Microsoft provisioning policies that you get in Windows 365. The process works as follows:

  •  Provisioning assignments – whenever businesses create provisioning policies for their Cloud PCs, this is what defines the specifications (RAM, CPU, Disk Space, or GPU) of those virtual devices.
  •  Group-Based Control – all the Cloud PCs that are linked to a particular assignment will be operating with the same configurations.
  •  Resizing on command – IT admins can leverage the Resize feature to select a new predefined Cloud PC size from a dropdown list within the Windows 365 Admin Center. After the new size has been set, all the Cloud PCs that share this particular provisioning policy will be immediately modified.
  •  Deployment with zero downtime – key to the success of this new feature is ensuring that end-users experience very little or ideally no disruption or downtime. This is possible by using Microsoft’s secure global Azure infrastructure which guarantees that the changes are carried out seamlessly and in real time.

Resizing Windows 365 Frontline Cloud PCs

Windows 365 Frontline as the name suggests, is a version of Microsoft’s Cloud PC solution. It’s also a game-changer for frontline workers. This particular service aims to be a cost-effective version that allows businesses to provision a single Cloud PC, sharable by multiple users with a single license.

Not surprisingly, Windows 365 Frontline provides a great solution for shift workers. They can easily sign in to Windows 365 from the web or via the Windows App. And at the end of their shift, all one has to do is sign out. From there, the Cloud PC becomes once again available for someone else.

To make the use of these virtual devices even more efficient, Microsoft now enables clients to use provisioning policies to resize Windows 365 Frontline Cloud PCs in dedicated mode. This means that for now, you cannot resize Windows 365 Frontline Cloud PCs in shared mode. The requirements for resizing are as follows:

ROLE REQUIREMENTS

IT admins need to have certain built-in Microsoft Entra roles before they can start resizing Cloud PCs.

  •  They must have at least one of the roles below for Cloud PCs provisioned with direct assigned license:
  • Intune Service Administrator
  • Intune Reader + Cloud PC admin roles
  • Intune Reader+ Windows 365 Administrator
  •  Similarly, IT admins must have at least one the roles below for Cloud PCs provisioned with a group-based license:
  • Intune Service Administrator
  • Intune Reader+ Windows 365 Administrator
  • Additionally, IT admins should have a role with Microsoft Entra group read/write membership and licensing permissions. This is much like the Windows 365 Admin role.

Note: Another option that clients have would be to assign a custom role that includes the permissions of these built-in roles.

IP ADDRESS REQUIREMENTS

In some situations, organizations may want to resize a Microsoft Entra hybrid join bring-your-own-network Cloud PC,. In these instances, it’s important to know that a second IP address is a must in the subnet for the Cloud PC to action a resize. This second IP address is required when transitioning to the new size during the resizing process.

The reason the requirement for a second IP has been created is to ensure that in the event that something goes wrong, the affected Cloud PC can be rolled back to the original. Setting it up this way also means that resize failures can occur if inadequate addresses are available. Organizations should therefore verify that:

  •  Adequate IP addresses are available in the vNET so that all Cloud PCs can be resized.
  •  Alternatively, organizations can stagger the resizing process thus ensuring that the address scope is maintained

ADDITIONAL REQUIREMENTS

Before using the Resize feature, IT admins should check that they have the appropriate licenses in the inventory for the resized Cloud PC configuration. Furthermore, any Cloud PC that you want to Resize must have a status of Provisioned in the Windows 365 provisioning node.

Resizing Cloud PCs in Dedicated Mode

The process of using a provisioning policy to resize Windows 365 Frontline Cloud PCs in dedicated mode is performed as follows:

  •   Sign in to the Microsoft Intune admin center, select Devices > Windows 365 > Provisioning policies.
  •   The provisioning policy you choose must include an assignment with the Windows 365 Frontline Cloud PCs in dedicated mode that you want to resize.
  •   Next, you’ll need to select Edit next to Assignments on the policy page.
  •   Navigate to the Cloud PC size column and on the Assignments tab, proceed to select the Cloud PC Frontline entry that you want to resize. Following this action, every Cloud PC in the assignment will be resized.
  •   Head over to Available sizes and then in the Select Cloud PC size pane, choose the new Cloud PC size > Next.
  •   Select Next on the Assignments page.
  •   The last step will require you to navigate to the Review + save tab. Selecting Update will initiate the resize

You can get all the information you need and track the progress of the resize on the All Cloud PCs page. You can also track from the Cloud PC actions Report.

Cloud PC Size Recommendations

Microsoft provides Windows 365 with tools that they can use to better determine the Cloud PC resources they will require for their organizations. In addition to that, businesses can also go over the recommendations below to get a better idea of what they may need.

Cloud PCExample SituationsRecommended Apps
2vCPU/4GB/256GB 2vCPU/4GB/128GB 2vCPU/4GB/64GBFirstline workers, call centers, education/training/CRM access, mergers and acquisition, short-term and seasonal, customer services.Microsoft 365 Apps, Microsoft Teams (Audio only), OneDrive, Adobe Reader, Microsoft Edge, line-of-business apps, Defender support.
2vCPU/8GB/256GB 2vCPU/8GB/128GBBYOD scenarios, employees working from home, market researchers, government, consultants.Microsoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, PowerPoint, OneDrive, Adobe Reader, Microsoft Edge, line-of-business apps, Defender support.
4vCPU/16GB/512GB 4vCPU/16GB/256GB 4vCPU/16GB/128GBBYOD scenarios, employees working from home, consultants, healthcare services, finance.Microsoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, PowerPoint, Power BI, Dynamics 365, OneDrive, Adobe Reader, Microsoft Edge, line-of-business app, Defender support.
8vCPU/32GB/512GB 8vCPU/32GB/256GB 8vCPU/32GB/128GBSoftware developers, engineers, content creators, design and engineering workstations.Microsoft 365 Apps, Microsoft Teams, Outlook, Access, OneDrive, Adobe Reader, Microsoft Edge, Power BI, Visual Studio Code, virtualization-based workloads: Hyper-V, Windows Subsystem for Linux (WSL), line-of-business apps, and Defender support.
GPU Standard 4vCPU/16GB/4GBvRAM/512GB GPU Super 8CPU/56GB/12GBvRAM/1TB GPU Max 16vCPU/110GB/16GBvRAM/1TBGraphic design, image and video rendering, 3D modeling, gaming, data processing, and visualizationMicrosoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, Adobe, Figma, Autodesk, Revit, Illustrator, Blender, Unity, ArcGIS, Microsoft Edge, Power BI, Visual Studio Code, line-of-business apps, Defender support.
16vCPU/64GB/512GB 16vCPU/64GB/1TBSoftware development, engineering, data analysis and visualization, financial services and wealth management.Microsoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, Adobe Reader, Microsoft Edge, Power BI, Tableau, Visual Studio Code, Blackrock Aladdin, Bloomberg, Eclipse, line-of-business apps, Defender support.

Wrap Up

The needs of an organization cannot be expected to remain the same at all times throughout the year. Sometimes employees will require greater computing resources and other times they will require less. To ensure that Windows 365 Frontline end-users always have the processing power they need when they need it, Microsoft has introduced the Resize feature. By leveraging this tool, IT admins can now ensure that Cloud PCs are constantly operating at optimum levels.

Windows 11 Security Boost – Credential Guard and HVCI Now Default

Posted on by
Reply

In as much as technology has evolved over the decades, there are still plenty of threats that can cause massive damage to organizations. Those with nefarious intentions have gotten increasingly sophisticated in their attack methods thus causing concern for tech companies. For Microsoft, however, providing regular security upgrades for all products and services is a sure way to minimize the risk that clients are exposed to. And by enabling Credential Guard and HVCI by default on Windows 11, this should go a long way in strengthening customers’ cybersecurity. These powerful tools have some excellent features that offer a formidable barrier against attacks.

What is Credential Guard?

Credential Guard is a security solution that aims to block credential theft attacks. It does so by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. This solution relies on Virtualization-based security to isolate secrets in a way that restricts access to privileged system software. Due to this isolation, there is a minimized risk of unauthorized access as this can often lead to credential theft attacks like pass the hash and pass the ticket.

How Does It Work?

With Credential Guard enabled, the Local Security Authority (LSA) process (lsass.exe) in the operating system will communicate with a component known as the isolated LSA process. It stores and protects the secrets, LSAIso.exe. All data stored by this isolated LSA process will be protected using VBS and the rest of the operating system will have no access to it. LSA utilizes remote procedure calls to talk to the isolated LSA process.

To keep security tight and minimize any issues, the isolated LSA process won’t host any device drivers. What it does, instead, is host a small subset of operating system binaries. These are required for security and nothing else. All the binaries must be signed with a certificate that is trusted by VBS. And the signatures require validation before launching the file in the protected environment.

Benefits of Credential Guard

Credential Guard has several benefits that can help improve the security status of Windows 11 users. Once Credential Guard is enabled, organizations can look forward to:

  • Hardware security – NTLM, Kerberos, and Credential Manager operate by leveraging platform security features such as Secure Boot and virtualization, to protect credentials.
  • Virtualization-based security – NTLM, Kerberos derived credentials, and other secrets run in a protected environment that is isolated from the running operating system.
  • Protection against advanced persistent threats – the use of VBS to protect credentials helps to significantly enhance organizations’ network security. This is because VBS has the capabilities to render ineffective many of the the credential theft attack techniques and tools used in a lot of targeted attacks. Owing to this, any secrets protected by VBS will be isolated from malware running in the operating system with administrative privileges.

Default Enablement

To ensure that Windows 11 clients get all the benefits discussed above, going forward Microsoft will be enabling VBS and Credential Guard by default in Windows 11, 22H2 and Windows Server 2025. This will only apply to devices that meet the requirements. However, IT admins will still have the flexibility to disable Credential Guard remotely if the need arises because the default enablement is without UEFI Lock. Once Credential Guard is enabled, VBS will be automatically enabled as well.

IT admins should also be aware that if they have Credential Guard explicitly disabled before updating a device to Windows 11 (version 22H2/ Windows Server 2025 or later), default enablement will not apply. Also, the existing settings will remain in place. As a result, even after updating to a version of Windows that has Credential Guard enabled by default, all such devices will continue to have Credential Guard disabled.

WINDOWS

All devices running Windows 11, 22H2 or later will have Credential Guard enabled by default if they meet the licensing, hardware, and software requirements. Additionally, these devices should not have Credential Guard explicitly disabled. Furthermore, all devices running Windows 11 Pro/Pro Edu 22H2 or later may have VBS and/or Credential Guard automatically enabled. This is if they meet the other requirements for default enablement, and have previously run Credential Guard. A good example would be if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.

WINDOWS SERVER

All devices running Windows Server 2025 or later will have Credential Guard enabled by default if they meet the licensing, hardware, and software requirements. Additionally, these devices should not have Credential Guard explicitly disabled, should be joined to a domain, and should not be a domain controller.

What If You Need To Disable Credential Guard?

IT admins may need to disable Credential Guard for any number of reasons and fortunately ‘enabled by default’ does not mean can’t be disabled. You’ll be happy to know that there are several different options available to disable Credential Guard. The best option for you will depend on how Credential Guard is configured:

  • When running in a virtual machine, the host can disable Credential Guard.
  • When enabled by UEFI lock, you can disable Credential Guard by following the steps in disable Credential Guard with UEFI lock.
  • If Credential Guard has been enabled without UEFI lock, or as part of the default enablement update, you can disable it using any one of Microsoft Intune/MDM, Group Policy, or Registry.

System Requirements

Credential Guard can only provide the protection it offers if the device meets certain hardware, firmware, and software requirements. It’s also important to note that all devices that exceed the minimum hardware and firmware requirements will benefit from additional protections. They will, as a result, offer better protection against certain threats.

HARDWARE AND SOFTWARE REQUIREMENTS

Credential Guard requires Virtualization-based security and Secure Boot. And although the following features are not required, they are highly recommended for the provision of additional protections:

  • Trusted Platform Module (TPM), as it provides binding to hardware. TPM versions 1.2 and 2.0 are supported, either discrete or firmware.
  • UEFI lock is crucial for blocking attackers from disabling Credential Guard with a registry key change.

CREDENTIAL GUARD IN VIRTUAL MACHINES

One of the biggest benefits of Credential Guard is that it is capable of protecting secrets in Hyper-V virtual machines. It does so the same way as it would on a physical machine. Enabling Credential Guard on a virtual machine means that all secrets will be protected from attacks inside the virtual machine.

However, Credential Guard won’t provide protection from privileged system attacks originating from the host. If you want to run Credential Guard in Hyper-V virtual machines, the Hyper-V host will need an IOMMU. Additionally, the Hyper-V virtual machine must be generation 2. This is because Credential Guard is only available on generation 2 VMs. Therefore, it won’t have support on Hyper-V or Azure generation 1 VMs.

Credential Guard Application Requirements

After Credential Guard is enabled, there are certain authentication capabilities that will be blocked. Consequently, any applications that need these capabilities will break. For this reason, these requirements are referred to as application requirements. IT admins need to ensure that they test applications before deployment to check compatibility with the reduced functionality.

Admins are also advised against enabling Credential Guard on domain controllers. This is because Credential Guard won’t offer any added security to domain controllers. Therefore, you can end up with application compatibility issues on domain controllers.

In like manner, Credential Guard offers no protections for the Active Directory database or the Security Accounts Manager (SAM). With Credential Guard enabled, all the credentials protected by Kerberos and NTLM are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).

You should expect applications to break if any of the following are needed:

  • Kerberos DES encryption support
  • Kerberos unconstrained delegation
  • Kerberos TGT extraction
  • NTLMv1

Applications will also ask and expose credentials if any of the following are needed:

  • Digest authentication
  • Credential delegation
  • MS-CHAPv2
  • CredSSP

IT admins should note that apps may cause performance issues when they attempt to hook the isolated Credential Guard process LSAIso.exe. However, any services or protocols that are reliant on Kerberos will still work and are not affected by Credential Guard. These include services or protocols such as remote desktop or file shares.

Hypervisor-Protected Code Integrity

Coupled with Credential Guard, Hypervisor-Protected Code Integrity (HVCI) is now also enabled by default in Windows 11, 22H2 and Windows Server 2025. HVCI is a virtualization-based security (VBS) feature that is also known as memory integrity and is available in Windows 10, Windows 11, and Windows Server 2016 and later. HVCI and VBS are key elements in the threat model of Windows. And they ensure that the defenses against malware trying to exploit the Windows kernel are greatly enhanced.

VBS leverages the Windows hypervisor to build an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is an integral element of the security system and is responsible for protecting and fortifying Windows. It achieves this by running kernel mode code integrity within the isolated virtual environment of VBS.

Memory integrity will further strengthen security by restricting kernel memory allocations that can be used to compromise the system. Imposing this restriction ensures that kernel memory pages can only become executable after passing code integrity checks inside the secure runtime environment. Additionally, this also guarantees that executable pages themselves will never become writable.

Functionality

IT admins should know that HVCI can work better with Intel Kabylake and higher processors with Mode-Based Execution Control, and AMD Zen 2 and higher processors with Guest Mode Execute Trap capabilities. The emulation of these features (Restricted User Mode) that older processors are dependant on will typically have a bigger impact on performance. Moreover, if you enable nested virtualization, you should expect to see memory integrity functioning better when the VM is version >= 9.3.

On the other hand, also consider that in scenarios where Secure Boot with DMA is selected, Azure VMs will not support HVCI. What you will see instead is that VBS will appear as enabled but not running. The main features of memory integrity are as follows:

  • Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
  • Protection of the kernel mode code integrity process ensuring that other trusted kernel processes have a valid certificate.

How Can You Disable HVCI?

As we discussed for Credential Guard, scenarios may sometimes arise where IT admins may need to disable HVCI. In such cases, what you can do is:

  • Navigate to the Core Isolation Settings – in the Windows search bar, search for Core Isolation. Then, select the Core Isolation settings page .
  • Find the Memory Integrity setting and turn it to the off position.
  • To apply the changes you’ve made, you’ll be prompted to restart your device.

In addition to the above option, if need be you may also disable VBS via Registry as follows:

  • Similar to the above option, head over to the Windows search bar and search for regedit. Proceed to open the Registry Editor.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.
  • Double-click on EnableVirtualizationBasedSecurity and change its value to 0. Click Ok.
  • After completing these steps, close the Registry Editor and then restart your computer to apply the changes.

Wrap Up

The enablement by default of Credential Guard and Hypervisor-Protected Code Integrity in Windows 11 is part of Microsoft’s ongoing effort to enhance security for its customers. For all devices that meet the requirements, this change will mean a more protected and fortified Windows 11 environment. It also allows organizations to improve their overall network security.

Persistent threat attacks continue to change in search of even the slightest of vulnerabilities. Upgrades like these offer a powerful mitigating solution. Coupled with the other security measures, this change will help keep malicious actors at bay.