Since its launch in 2021, Windows 365 has benefited from countless new features and updates that have enhanced the Cloud PC experience. And 2024 has not been an exception. But, arguably the biggest Windows 365 announcement comes right as the year is coming to an end. Microsoft is introducing a purpose-built device that has been specifically designed to enable users to quickly and securely connect to their Windows 365 Cloud PCs. As the first Cloud PC device, Windows 365 Link is generating a lot of interest. And it’s looking to be the the high-fidelity experience Microsoft promises.
Unboxing
Once you receive your Windows 365 Link device, you can expect to find the following:
Hardware
Windows 365 Link device.Power adaptor.Quick start guide.
Ports
On the front panel, you’ll find a USB-A port, a 3.5 mm audio jack, as well as a power button and LED indicator. On the back panel, you’ll find 2 USB-A ports, 1 USB-C port, 1 Display Port, 1 ethernet port, 1 HDMI port, and the power supply port.
Side Panel
The side panel has a Kensington lock to physically secure the device.
Monitor Support
Both the HDMI and Display Port support one monitor each, up to 4k in resolution.
Peripheral Support
Users will get USB and Bluetooth support for their keyboards, mice, headphones, and cameras.
Software
The device comes pre-installed with a small, Windows-based OS called Windows CPC. To add to the convenience, updates are downloaded in the background and then installed during off hours. However, to ensure these updates occur, verify that the device is plugged in and powered on (in standby or sleep mode).
Wireless Support
Here you get Wi-Fi 6E as well as Bluetooth 5.3.
Why would I need this?
Understandably, whenever a new device comes on the market, businesses want to know how purchasing the product can benefit them. After all, the Windows 365 Link device will set you back US$349.
According to Microsoft, this new device aims to resolve some of the problems that Cloud PC users encounter. These include, but are not limited to, latency issues, security challenges, and complicated sign in processes. From what we’ve heard so far, the biggest positives of using the Link device will be:
CLOUD-POWERED PERFORMANCE
Users can harness the full power of the cloud to increase their efficiency and enjoy a more seamless experience. With the ability to connect to their Windows 365 Cloud PCs in seconds, users can maximize productivity. This ensures that businesses get full value for their investment. Additionally, users will benefit from responsive, high-fidelity experiences with access to all their favorite Microsoft 365 productivity apps.
SECURE BY DESIGN
The Windows 365 Link devices comes with security measures that will address the concerns about endpoint vulnerability that IT professionals have raised. Because of these concerns, the Link device has a locked-down operating system with no local data or apps, and no local admin users. By designing it this way, Microsoft has significantly reduced the potential attack surface thus making the task of compromising devices much harder.
Furthermore, the availability of passwordless authentication using Microsoft Entra ID means that users can sign in with MFA using the Microsoft Authenticator app, a cross-device passkey using a QR code, or a FIDO USB security key. Consequently, the use of all these security measures will serve to improve overall device protection.
SIMPLIFY IT MANAGEMENT
Another key issue that Windows 365 Link wants to resolve is complex management. I’m sure that we’ve all at one point or another been frustrated about just not seeming to have enough time to complete all the tasks at hand.
Fortunately, Windows 365 Link gives us a possible solution by enabling admins to configure and manage devices using Intune. By allowing admins to leverage the knowledge and policies they already have, the Link device helps improve IT management efficiency.
ALIGNMENT WITH SUSTAINABILITY GOALS
Many organizations are looking for ways that can help them make a positive environmental impact while simultaneously enhancing business operations. With this in mind, Microsoft has built the Windows 365 Link device to be a sustainable product.
The device is built with 90% post-consumer recycled aluminum alloy in its top shield, 100% pre-consumer recycled aluminum alloy in its bottom plate, and its motherboard contains 100% recycled copper and 96% recycled tin solder.
In addition, when in operation, Windows 365 Link consumes less energy than your average desktop with external monitors and peripherals connecting to Windows 365. And as a device that has been designed to have a long life, the lack of moving parts means that frequent replacements will not be an issue with this gadget.
Get an early look
As mentioned before, Windows 365 will become generally available as of April 2025. In the interim, those who want to get an early look may be able to participate in the public preview.
Anyone interested in getting Windows 365 Link devices for their organization should get in touch with their Microsoft account team. Additionally, you could also join the Customer Connections Program and Office hours for the latest updates as part of your participation.
Wrap up
The new purpose-built device that Microsoft is introducing will make accessing Cloud PCs much simpler for users. With the ability to wake quickly and connect you to your Cloud PC in seconds, this device has the potential to be an excellent productivity tool. Announced at Microsoft’s Ignite 2024 tech conference in Chicago, Windows 365 Link will provide users with a high-fidelity experience with access to all the familiar Microsoft 365 apps.
The public preview period should provide us with a lot more information in the coming months. But, as something that Microsoft hopes will bring positive change to the future of virtualization, the lightweight Link device will have a lot riding on its petite frame.
Flow dynamics calibration is critical to achieving high-quality 3D prints, especially when using the Bambu Lab X1 Carbon (X1C). Proper calibration ensures precise material extrusion, improved surface quality, and optimal dimensional accuracy. In this detailed guide, we’ll dive into everything you need to know about flow dynamics calibration for the X1C, including why it’s important, when you should do it, how the printer handles calibration, and how to perform and save a manual calibration properly.
1. Understanding Flow Dynamics Calibration
Flow dynamics calibration is the process of tuning how the printer compensates for the behavior of melted filament as it moves through the nozzle and onto the print bed. Factors such as filament type, viscosity, print speed, and temperature all impact flow characteristics.
Flow dynamics calibration helps determine the optimal “pressure advance” (K value), which corrects for the lag between extrusion start/stop and nozzle pressure buildup/release.
Without proper calibration, you might experience issues like:
Over-extrusion at corners
Blobs and zits on surfaces
Inconsistent line widths
Dimensional inaccuracies
Thus, a good flow dynamics calibration is essential for high-fidelity prints.
2. How Bambu Lab X1C Handles Flow Dynamics Calibration
The X1C offers two primary ways to calibrate flow dynamics:
2.1 Automatic Flow Dynamics Calibration Before a Print
When you enable “Flow Dynamics Calibration” in the print settings before a print, the printer will perform a calibration sequence. However:
The result is used only for that specific print.
It is not saved to any filament profile or memory for future prints.
This method is quick and convenient but not optimal for consistent results across multiple prints.
2.2 Manual Calibration via Bambu Studio
Performing a manual calibration through Bambu Studio allows you to:
Calibrate flow dynamics accurately
Save the resulting K value directly into a filament profile
Apply this calibration automatically every time you use the filament
This ensures consistent quality without the need to recalibrate every print.
3. When Should You Perform Flow Dynamics Calibration?
Calibration isn’t necessary before every single print, but there are several situations where you should perform it manually:
Using a new brand or type of filament (e.g., switching from PLA to PETG)
Changing nozzle sizes (e.g., from 0.4mm to 0.6mm)
After significant nozzle wear
Changing maximum volumetric speeds
Noticing under- or over-extrusion artifacts
Filament moisture exposure
Remember: better calibration means fewer failed prints and higher part quality.
4. How to Manually Calibrate Flow Dynamics (and Save It)
Let’s walk through the manual calibration process in detail.
4.1 Preparation
Before you begin, make sure:
Your printer is clean and the nozzle is not partially clogged.
Tip: If you’re unsure about the nozzle size, you can find it in your printer’s configuration or by physical inspection.
Step 4: Start the Calibration Process
Click Start Calibration.
The printer will print a special pattern designed to measure pressure advance.
This process usually takes around 5-10 minutes.
Step 5: Analyze Results
Once the test print is complete:
Bambu Studio will automatically analyze the printed lines.
It will suggest an optimal K value.
Accept the suggested value if it looks good, or manually adjust based on visual inspection.
Step 6: Save the Calibration
After accepting the K value:
Save it directly into the filament profile.
The K value will now automatically apply every time you use this filament with this profile.
Congratulations! You’ve now successfully saved your flow dynamics calibration for ongoing use.
5. Important Tips for Successful Calibration
Calibrate at typical print temperatures: If you normally print PETG at 240°C, calibrate at that temperature.
Use default speed settings: Don’t alter speed drastically during calibration unless necessary.
Keep environmental factors constant: Big changes in ambient temperature (cold garage vs warm room) can affect extrusion behavior.
Dry your filament: Especially important for hygroscopic materials like nylon and PETG.
6. Troubleshooting Calibration Problems
Problem 1: Inconsistent calibration results
Check nozzle for partial clogging.
Make sure filament is dry.
Problem 2: K value seems too high or too low
Double-check filament diameter consistency.
Look for under/over-extrusion or strange surface artifacts.
Problem 3: Calibration pattern looks messy
Level your bed.
Ensure proper first layer adhesion before starting.
7. Expert Tips for Advanced Users
Tune Flow Rate Afterwards: After setting pressure advance, consider tuning “flow rate” or “extrusion multiplier” for perfect walls.
Multiple Calibrations: Some experts recommend doing calibration at both slow and fast speeds and averaging the K value.
Custom G-code Scripts: Advanced users can embed calibration K values into startup G-code scripts if they want different K values for different speeds automatically.
8. FAQs About Flow Dynamics Calibration on Bambu Lab X1CQ1: Can I use the same calibration across different filament colors?
Sometimes yes, but darker pigments (like black) and translucent filaments often behave slightly differently.
Q2: Do I need to recalibrate if I switch from PLA to PLA+?
It’s recommended, because even minor changes in formulation affect flow.
Q3: Will nozzle wear affect calibration?
Definitely. A worn-out nozzle has larger internal diameter, affecting pressure buildup and release.
Q4: What’s the default K value if I never calibrate?
Bambu Lab sets conservative defaults, but they’re not optimized for every filament.
Q5: Can I copy calibration profiles between filaments?
You can, but performance may degrade. It’s better to calibrate each filament.
9. Conclusion
Flow dynamics calibration is a cornerstone of achieving professional-level results with your Bambu Lab X1 Carbon. While the automatic on-the-fly calibration is convenient for quick prints, for serious or repeatable results, manual calibration is the way to go.
By taking the time to manually calibrate and save your pressure advance values into filament profiles, you’ll:
Save time on reprints
Improve surface finishes
Ensure accurate dimensions
Reduce mechanical stresses in parts
Remember, every filament is unique. Treat your printer and materials with care, and they will reward you with stunning prints every time.
When I think back to how my 3D printing journey started, it all began with a big box of parts and a manual that felt like it was translated by an AI still in beta. That was the Anet A8 Plus—my very first printer. It was as DIY as it gets. You didn’t just build the prints—you practically built the printer itself.
The A8 Plus was a fantastic learning tool. I learned what a stepper driver was, how to flash firmware, how to fix a failed thermistor, and that fire hazards were very real if you weren’t careful with your wiring.
Later, I upgraded to the Creality Ender-5 Pro, which felt like a huge step up. It was sturdier, more consistent, and less prone to spontaneous meltdowns. But even that required regular tinkering—manual bed leveling, frequent nozzle changes, and more “printer babysitting” than I liked to admit.
Then came the Bambu Lab X1 Carbon.
If the A8 Plus was the equivalent of building your own race car and the Ender-5 Pro was a dependable but clunky commuter, the X1C is a Tesla Model S of printers: sleek, fast, nearly autonomous, and kind of magical.
The Evolution of Setup: Screws, Springs, and… Silence?
The Anet A8 Plus was where I learned patience. Assembly took hours. Wiring felt like a bomb defusal mission. Firmware? Let’s just say I bricked it once and learned to never skip backups again.
The Ender-5 Pro was pre-assembled to an extent, but still required manual leveling and tuning. Every time I moved the printer, I had to redo everything. Good prints were possible—but they weren’t guaranteed.
Then the Bambu Lab X1C showed up.
Fully assembled. No Z-bracing hacks needed. No fiddling with springs and wheels. It booted up with a clean interface, and after a few taps on the touchscreen, that was easly mounted, it auto-calibrated everything from bed leveling to flow rate compensation.
It felt like jumping into a self-driving car after years of clutch-kicking old stick shifts.
Unboxing: From Cardboard Chaos to Premium Packaging
The Ender-5 Pro came in a box filled with foam blocks, mystery screws, and semi-labeled bags. Not quite chaos, but you definitely needed a good table and some spare time.
Unboxing the Bambu Lab X1 Carbon was a totally different experience. Think “Apple product”. Everything was labeled, secured, and neatly packed. The AMS (Automatic Material System) had its own box, clearly organized with guides and quick-start instructions.
In 20 minutes, I had it powered on and connected to Wi-Fi. No zip ties. No half-translated instructions. Just plug-and-play. And it felt luxurious.
First Print: A Benchmark Benchy, But Make it Beautiful
We all do it. The first print is always a Benchy. But with the X1C, it wasn’t just to test the printer—it was to witness what modern hardware could do with zero tinkering.
This Benchy came out faster, cleaner, and more detailed than any print I’d ever done on my Ender-5 Pro or Anet A8 Plus. The hull was smooth, the portholes were crisp, and the layers? Practically invisible.
No first layer anxiety. No extrusion hiccups. Just hit “print” and watch it go.
AMS: The Game-Changer I Didn’t Know I Needed
Back on the A8 and Ender, multi-color printing was a manual mess. Pause the print, swap the filament, purge, hope the printer doesn’t blob up the nozzle, and repeat.
With the AMS, that whole drama vanished. I loaded four filaments, selected colors in Bambu Studio, and let it run. The AMS handled filament switching, detection, and purging all on its own.
Watching it print a multicolor model—with seamless transitions—felt like magic.
Speed and Precision: CoreXY Muscle
On the Ender-5 Pro, I had to balance speed with quality. Push too fast, and the prints got sloppy. Stick to 50mm/s and you’d wait overnight.
The X1C prints at up to 500mm/s thanks to its CoreXY motion system. That’s not a typo. And somehow, it doesn’t shake, doesn’t wobble, and doesn’t lose accuracy.
A model that took 7 hours on the Ender now finishes in under 3. And with better quality.
Noise and Smell: Office Friendly at Last
Both the Anet and Ender were noisy. Stepper motor whine, fans, open-frame echoing… not something you want running next to your desk.
The X1C is enclosed and well-insulated. The AMS adds some clicking during filament changes, but overall it’s just a soft hum. No PLA smell. No ABS fumes. Finally, a printer that doesn’t dominate the room it’s in.
Slicer Experience: From Cura Tuning to Bambu Smoothness
Cura served me well, especially on the Ender. But getting prints dialed in took work—adjusting profiles, testing retraction, tuning speeds.
Bambu Studio is built for the X1C. It has presets that just work, but also allows deep customization. It connects directly to the printer, offers real-time monitoring, and even supports remote starts.
I send models from my laptop and start prints from my phone. No SD card shuffle. No hassle.
Downsides? A Few.
Cost: It’s a premium machine, and the AMS adds to the price. Not for budget tinkerers.
Filament Drying: AMS isn’t a dryer. You still need dry storage for hygroscopic filaments.
Ecosystem Lock-In: It works best with Bambu gear and software. You can go open-source, but it takes more effort.
Still, these are minor trade-offs compared to the value and time it saves.
What I Still Use the Ender For
Believe it or not, the Ender-5 Pro still gets some use. It’s great for rough prototypes, quick PETG brackets, or experimental filaments I don’t want to risk clogging the AMS.
The A8 Plus? It retired with honors. It taught me everything I needed to know about 3D printing—the hard way.
Final Thoughts: Worth the Hype
The Bambu Lab X1 Carbon changed how I think about 3D printing. It’s no longer a technical project—it’s a creative tool. It’s fast, reliable, versatile, and smart.
For anyone coming from the tinker-heavy days of Anet or Creality machines, the X1C feels like stepping into the future.
Would I recommend it? 100%. If you want to focus on printing instead of troubleshooting, the X1C is the printer you’ve been waiting for.
Windows Autopilot is a set of technologies that is built to simplify the process of deploying, setting up, and configuring new devices. By using this technology, users can avoid going through the traditional imaging process and save countless productive hours.
However, Autopilot is not without its faults. One of the more common instances of running into problems occurs when using Managed Installer policies with Win32 app deployment during the Autopilot device preparation phase. As an issue that can cause quite a headache, this blog will help you better understand this problem as well as provide you with solutions for addressing it.
Windows Autopilot Explained
Windows Autopilot gives organizations a solution that eliminates the challenges that come with building, maintaining, and generally applying custom images. IT admins can use this service to set up new desktops to join pre-existing configuration groups and apply profiles to the desktops. What this does is give users the opportunity to access fully functional desktops from their first login.
Importance of Managed Installer Policies
Managed Installer policies are useful for dictating which applications can be installed on your organization’s devices. Once enabled, Managed Installer uses a special rule collection in AppLocker to designate binaries. These are trusted by your organization as an authorized source for application installation.
The problem IT admins will run into is that currently Windows Autopilot device preparation doesn’t guarantee the delivery of the Managed Installer policy before trying to install Win32 apps. Because of this, you may end up with deployment failures during the App Installation phase of Autopilot.
INVESTIGATING THE PROBLEM
A regular deployment scenario follows a series of steps that begins with the launch of the Autopilot Device Preparation process. Following this, Win32 apps are then scheduled for installation as part of the device preparation policy.
At this point, the Managed Installer policy won’t yet have been installed. The reason why you may see the Win32 app installations failing is because the policy is set up to block apps from unverified sources.
WHAT TO EXPECT With Windows Autopilot
One of the things you can expect to see because of this issue is the Autopilot deployment process stopping at the app installation phase. You will also get error messages showing application deployment failures. Another thing to expect is that deployment reports will show failed Win32 app installations. Lastly, end-users may receive incomplete or improperly configured devices.
How has Microsoft addressed the issue?
Microsoft is fully aware of the issue at hand and has offered some recommendations that provide a temporary solution. IT admins can start by removing Win32 apps from all Autopilot device preparation policies.
Also, devices should be left to complete Autopilot and reach the desktop. Furthermore, Win32 apps and Managed Installer policies need to be applied after the user gets to the desktop.
In October 2024, Microsoft announced service release 2410 that introduced some new changes that will see Win32 and Microsoft Store apps being automatically skipped during device preparation and instead continuing to the desktop. To implement these solutions, you’ll need to follow the steps below:
AUDIT YOUR EXISTING Windows AUTOPILOT DEVICE PREPARATION POLICIES
For this process, organizations need to identify all device preparation policies configured in Intune. You’ll also need to verify any Win32 apps included in these policies. With all this done, make sure to document these apps as well as their purpose.
REMOVE WIN32 APPS FROM DEVICE PREPARATION POLICIES
Navigate to Microsoft Intune and edit your existing device preparation policies. Then, proceed to remove all Win32 apps from these policies. Once these tasks are complete, save and apply the updated policies.
MONITOR DEPLOYMENT STATUS
Use the updated policies to deploy your devices. You can track the progress of this process using the Autopilot Deployment Report. Make sure that you check that devices reach the desktop without app installation failures.
DEPLOY WIN32 APPS POST-ENROLLMENT
Once a device has reached the desktop, you can reassign your Win32 apps to deploy. You’ll need to use Required or Available for enrolled devices deployment settings in Intune. The success of app installation can be monitored using Intune’s reporting tools.
Alternative Options
In addition to the recommendations by Microsoft, there are other options that organizations can consider to address the above-mentioned issue. These include:
PRE-STAGE CRITICAL APPLICATIONS
One thing that organizations can consider doing is pre-staging key apps that are required to be on the device at deployment. This can be done using offline methods such as:
Injecting apps into the Windows image using tools like OSDCloud or Configuration Manager.
App deployment using PowerShell scripts post-Autopilot.
CONDITIONAL ACCESS AND APP PROTECTION POLICIES
If your organization is worried about security, then using Conditional Access policies will help block access to corporate resources until the necessary apps have been installed. An example of this would be enforcing Conditional Access policies to ensure that non-compliant devices are prevented from accessing the organization’s resources.
Optimize Enrollment Status Page (ESP) Configuration
The Enrollment Status Page plays a key role in controlling app deployment during Windows Autopilot. This is done by dividing the deployment into several stages, thus allowing you to prioritize the apps you consider more important.
USER VS DEVICE ASSIGNMENTS
With device-based deployments, there is a greater likelihood of encountering problems with Managed Installer policies. Because of this, it’s worth considering changing your app deployment from device-based to user-based assignments.
PILOT AND TEST NEW CONFIGURATIONS
Before rolling out new deployment configurations to the entire organization, it’s always wise to test them on a small pilot group. Doing it this way gives you the opportunity to identify problems and address them early.
Monitoring and Troubleshooting
The availability of Autopilot Deployment Reports in Microsoft will provide organizations with key information concerning the deployment process. This allows them to evaluate skipped apps, failed deployments, and device readiness status.
Additionally, organizations should also use Intune Diagnostics and Event Viewer to analyze deployment logs. By evaluating these logs, IT admins can pinpoint specific app failures and then determine whether they’re related to the Managed Installer policy.
If all else fails and your deployment issues are still yet to be resolved, you’ll have the option of reaching out to Microsoft Support for any help you need. Alternatively, engaging with the Intune community on X may yield assistance from those who have dealt with the issues you may be confronting.
Wrap Up
Windows Autopilot offers organizations a powerful tool to help simplify the process of deploying and setting up devices. Processes are made simpler and faster, thus helping businesses operate more efficiently. And although there may be issues with Wind32 app deployment during device preparation, there are ways to deal with it.
But, in addition to the workaround, we can look forward to Microsoft developing a more permanent solution to this challenge. Updates are sure to be forthcoming and we will be keeping an eye on what Autopilot will bring us next.
The evolution of powerful cloud computing has resulted in the development of platforms like Windows 365 and Azure Virtual Desktop (AVD). These services can offer numerous benefits to businesses including greater degrees of flexibility and efficiency.
Additionally, employees can get better computing performance by leveraging the resources that Windows 365 and AVD can offer. However, the key to getting the most from these solutions is implementing effective security and compliance strategies. Below, we’ll be looking at some of the strategies you can use to enhance organizational security and improve operations.
Introducing Windows 365 and Azure Virtual Desktop
WHAT IS WINDOWS 365?
Windows 365 is a cloud-based solution that offers users Windows virtual machines (Cloud PCs). Each of these Cloud PCs will be assigned to an individual user and this becomes their dedicated Windows device. Simply put, Windows 365 is your PC in the cloud accessible from anywhere.
WHAT IS AZURE VIRTUAL DESKTOP?
With Azure Virtual Desktop, Microsoft offers clients a desktop and app virtualization service that runs on Azure. By using this service, businesses get a virtual desktop infrastructure that provides multi-session Windows experiences. AVD is generally considered more technical than Windows 365 and this allows for more customization.
DIFFERENCES BETWEEN WINDOWS 365 AND Azure Virtual Desktop
Identity Management
Security Policies
Multi-session
Built-in Security
Windows 365
Azure AD
Intune and Endpoint security
Single user Cloud PC
Fully Microsoft managed
Azure Virtual Desktop
Hybrid Azure AD or AD DS integration
Group Policies, Intune, and NSGs
Offers multi-session Windows experiences
Can be customized but this would require hands-on security setup
Why is Security and Compliance So Important?
Every organization needs to put in place strong security measures to minimize the risks of any data breaches or loss. Without advanced security and compliance strategies, malicious actors can take advantage and attempt to compromise your network. This is why it’s vital for organizations that are adopting cloud-based computing solutions to enhance their cybersecurity so that remote access does become a vulnerability.
Moreover, most industries such as finance and healthcare will have certain strict regulations that businesses must adhere to. Such regulations have been put in place to not only safeguard businesses but to ensure that sensitive client data remains protected. Some of the risks to protect against include Identity theft, unsecured endpoints, and malware attacks among others.
Utilizing Zero Trust Security with Windows 365 and Azure Virtual Desktop
Zero Trust security employs a system that strictly verifies the identity of every individual and device attempting to access the resources of an organization’s network. This security model is essential for providing a high standard of protection for Windows 365 and Azure Virtual Desktop.
By using Zero Trust, no one is trusted by default whether in or outside the organization’s network. This means that everyone needs to be authenticated and authorized before being granted access.
In addition to the above, those verified will only be provided the minimum level of access necessary for whatever tasks they may need to carry out. But, even with such a strategy in place, breaches may still occasionally occur. Fortunately, the Zero Trust model was built with this in mind and is designed to minimize the impact of a network breach.
Effective Advanced Security Strategies
CONDITIONAL ACCESS AND MULTI-FACTOR AUTHENTICATION
Conditional Access enforces security policies that determine who gets access to which resources and under what conditions. As an integral element of Azure AD security, Conditional Access can help organizations control access to Cloud PCs. To get the best from Conditional Access, organizations need to force all external connections to perform multi-factor authentication (MFA).
But, even with this in place, access from high risk locations still needs to be blocked. Furthermore, as an organization, you need to have strict compliance regulations governing which devices will be considered compliant and thus granted access to corporate resources.
ENDPOINT SECURITY POLICIES
Endpoint Security policies aim to help you improve the security of your endpoints and mitigate the risk of malicious attacks. One of the main Endpoint Security policies is Antivirus Protection which is responsible for ensuring that Microsoft Defender is functioning properly and regularly updated.
Another key policy is Disk Encryption which implements BitLocker on all Windows 365 devices. Furthermore, organizations also benefit from Firewall Rules that establish firewall policies designed to reduce attack surfaces.
MICROSOFT DEFENDER FOR CLOUD AND ADVANCED THREAT PROTECTION
These solutions will ensure that your organization gets high level security for both Windows 365 and AVD environments. With the availability of Threat Detection capabilities, you can rest assured that all suspicious activity will be identified and dealt with accordingly.
Moreover, you also have Compliance Monitoring which assesses security configurations before making the appropriate recommendations. In addition, integration with Azure Sentinel means centralized incidence response and monitoring.
Compliance Strategies
As mentioned earlier, different industries, including government departments, have certain regulations that they need to adhere to. For instance, there is the well known General Data Protection Regulation (GDPR), HIPAA for the healthcare sector, and PCI-DSS for the finance sector, among others. To ensure that these compliance regulations are met, organizations need to:
Put in place Data Loss Protection policies that safeguard sensitive data
Leverage Azure Policy to enforce regulatory requirements at the infrastructure level.
Conduct regular reviews of security strategies and baselines enabling you to make the appropriate changes when necessary.
Monitoring, Auditing, and Incident Response
The monitoring tools available include Azure Monitor which gives you insights into resource health and performance. Another tool is Microsoft Defender for Endpoint responsible for detecting and acting on endpoint threats. Additionally, Azure Sentinel is available to offer centralized logging and threat detection for Windows 365 and AVD environments.
To get the best incidence response, you can start by configuring Automated Playbooks in Azure Sentinel for swift responses. Furthermore, you should regularly test security policies and run tabletop exercises.
Managing Security and Compliance with Windows 365 & Azure Virtual Desktop
To effectively manage security and compliance, you need a complete understanding of an organization’s compliance requirements. With that done you can implement a Zero Trust model so that all policies align with Zero Trust principles. Then, you should select a small group of users to pilot and test security policies before expanding.
Additionally, you should also enable automated security updates and use Intune and Microsoft Defender for updates and patches. Another good practice would be using Azure Sentinel and Microsoft Defender to help you continuously monitor your environments. And then arguably the most important tool available to an organization is ensuring that end users have a comprehensive understanding of security policies.
Wrap up
Virtual computing environments offer countless benefits to organizations. Increased flexibility, potentially lowering hardware costs, and excellent computing performance, among others immediately come to mind. However, to get the most from solutions like Windows 365 and Azure Virtual Desktop, effective advanced security and compliance strategies are necessary. Without such strategies, organizations leave themselves open to malicious attacks.
In today’s business environment, securely exchanging data with external partners is essential. Azure Blob Storage with native SFTP support offers a scalable, secure solution, while Microsoft Entra ID provides robust identity management. Together, these tools help organizations share data with external users while ensuring security and compliance.
This go-to guide will walk you through configuring Azure Blob Storage for SFTP, managing user access with Entra ID, and showcase three real-world use cases—payment reconciliation, logistics data sharing, and healthcare data exchange.
Why Use Azure Blob Storage with SFTP and Entra ID?
Azure Blob Storage with native SFTP support simplifies secure file transfers without the need for third-party SFTP servers. Integrating Microsoft Entra ID enhances security by enforcing multi-factor authentication (MFA), conditional access, and role-based access control (RBAC).
Benefits at a Glance
Scalable and Cost-Effective: Pay only for the storage you use.
Secure File Transfer: Use the SFTP protocol for encrypted data transfer.
Centralized Access Management: Use Entra ID to control and monitor external access.
Automation and Integration: Seamless integration with tools like Azure Logic Apps and Power Automate.
Step 1: Setting Up Azure Blob Storage with SFTP Support
Follow these steps to set up Azure Blob Storage for SFTP access.
Create a new Conditional Access Policy to enforce MFA and restrict access based on location.
3.2 Role-Based Access Control (RBAC)
Assign roles to external users to limit their access to only the relevant Azure Blob containers.
Step 4: Real-World Use Cases
Case 1: Payment Reconciliation – Mastercard Data Exchange
A retail company needs to securely exchange Mastercard transaction data with an external payment processor for daily reconciliation.
Workflow:
The payment processor uploads transaction data to the SFTP endpoint.
Azure Blob Storage receives and stores the files.
Business Central or an ERP system processes the data for reporting and reconciliation.
Security Measures:
Use MFA and Conditional Access for external user authentication.
Configure audit logging to monitor access and activity.
Case 2: Logistics Data Sharing – Real-Time Inventory Updates
A manufacturing company needs to share real-time inventory data with its logistics partner.
Workflow:
The logistics partner downloads inventory files and uploads shipping updates to the SFTP server.
An Azure Function processes these updates and integrates them into the company’s ERP.
Security Measures:
RBAC ensures the logistics partner only accesses relevant files.
Data encryption protects information in transit and at rest.
Case 3: Healthcare Data Exchange – Secure File Transfers with External ClinicsA hospital exchanges patient data with external clinics, ensuring compliance with GDPR and HIPAA regulations.
Workflow:
Clinics upload test results and patient data to the hospital’s SFTP endpoint.
An Azure Logic App validates and integrates the data into the hospital’s EMR system.
Doctors receive automatic notifications for new updates.
Security Measures:
Conditional Access restricts access by IP and enforces MFA.
Data masking during processing protects sensitive information.
Step 5: Automating Data Processing
Azure Logic Apps
Automate file processing with Logic Apps to trigger workflows when a file is uploaded.
Azure Functions
Run custom code to process files and integrate them with external systems.
Power Automate
Create simple automation workflows for notifications and approvals.
Step 6: Security Best Practices
Enforce Multi-Factor Authentication for all external users.
Use Conditional Access Policies to limit access by device and location.
Encrypt Data at Rest and in Transit.
Rotate SSH Keys Regularly.
Audit and Monitor Access Logs for unusual activity.
Conclusion
Azure Blob Storage with SFTP support and Microsoft Entra ID provides a powerful and secure platform for exchanging data with external partners. Whether you are exchanging financial data, inventory files, or healthcare records, this setup ensures security, compliance, and scalability.
By following this step-by-step guide and using the real-world use cases as inspiration, you can create a secure, reliable solution for your organization’s external data exchange needs.
The business environment today is constantly evolving and organizations that fail to adapt can quickly find themselves falling behind. And in this era of rapid technology changes, it can sometimes prove impossible to catch up. If we look back at just the last five years, for instance, we have witnessed significant change in hybrid work acceptance. Services such as Windows 365 have given organizations a secure, reliable platform that enables employees to remain productive anywhere.
With this kind of flexibility as well as the capability to access Cloud PCs from any device, business productivity can soar. By introducing Windows 365 Link, the advantages will be even greater.
Onboarding Windows 365 Link devices
Having gone over the process for setting up Windows 365 Link in a previous post, today we’ll be looking at how you can onboard Windows 365 Link devices to your organization’s environment. As you get started with this process, it’s important to remember that Windows 365 Link devices have been designed to be shared.
After unboxing and turning on your Link device, the first time it boots it will load the Out of Box Experience to guide you through a straightforward process. This process joins the device to Entra ID and enrolls into Intune management. With this complete, the device will display a sign-in screen from where any user can authenticate and connect to their own Cloud PC.
Any standard user can onboard Windows 365 Link devices using the OOBE process as long as they have the requisite permissions. However, organizations can also decide to have admins onboard Windows 365 Link devices and complete the onboarding before delivering the devices to users. Another option would be to split the tasks with admins onboarding some devices and users onboarding others. To help you decide, you can consider the following information:
Considerations
Admin-driven Onboarding
User-driven onboarding
Device will be availed to multiple, different users.
Yes.
Device will be availed to one specific user.
Yes.
Users will not be allowed to join or register devices.
Yes.
Users will get their devices shipped directly to them.
Yes.
Admin-driven Onboarding
An account with the designation of a Device Enrollment Manager (DEM) can onboard devices shared by multiple users. Although this account doesn’t require admin privileges in the tenant, it can still enroll up to 1000 devices in Intune. DEMs remain subject to the limit on the number of devices allowed to join to Entra ID. With this in mind, you may want to consider increasing the maximum number of devices per user to a value you expect a DEM to enroll.
By using this DEM account to onboard Link devices, this will:
Enroll the Windows 365 Link devices in a shared device mode.
Bypass any Intune enrollment restrictions for platforms as well as any device limits that may be in place.
Eliminate the need for any changes to allow personal Windows devices.
Not require designating a primary user of the device. And with no primary user of the device, Windows 365 Link will not appear in a user’s list of devices in Intune, Entra, Company Portal, or other places.
Setting up a DEM account to onboard Your Link devices.
This requires you to follow the steps below:
Create the account you’ll be using for Windows 365 Link device onboarding.
Verify that the user has the requisite permissions to join devices to Microsoft Entra ID.
The user will then need to be added to the list of Device Enrollment Managers.
Lastly, you need to provision a Cloud PC for this DEM account so that you can validate connectivity.
Onboarding Your Windows Link devices using the DEM account.
This requires you to follow the steps below:
Turn on the Windows 365 Link device.
Sign in with the DEM account. You can only join the device to Microsoft Entra and enroll in Intune by completing all the authentication steps.
After you’ve connected to the Cloud PC, you’ll need to then disconnect and restart Windows 365 so that any available updates can properly install.
Shut down Windows 365 Link.
Once the above steps have are complete, the Windows 365 Link device is now ready for use by anyone in the organization with a Cloud PC.
User-driven Onboarding
Organizations don’t need to have IT admins onboard each Windows Link and can instead have users complete the OOBE to join them to Microsoft Entra and enroll them in Intune. By using this method:
A user will need to be designated as the primary user of the device.
The Windows 365 Link will subsequently appear in their list of devices.
All users within the organization can then use the device to access their own Cloud PCs.
THINGS TO VERIFY
All users should have the necessary licenses.
All users need to have permissions to join devices to Microsoft Entra IP.
Users must not exceed the maximum number of devices that can be joined.
Users must not be blocked from Intune enrollment by any restrictions or device limits.
Each user should have a Cloud PC provisioned and consented to single sign-on.
Steps for Onboarding Windows 365 Link Link Devices
Provide users with the Windows 365 Link devices.
Turn the device on.
Sign in with the user’s account. You can only join the device to Microsoft Entra and enroll in Intune by completing all the authentication steps.
After you’ve connected to the Cloud PC, you’ll then disconnect and restart Windows 365 so that any available updates can install properly.
Shut down Windows 365 Link.
Once the above steps have been successfully completed, the Windows 365 Link device is now ready for use by anyone in the organization with a Cloud PC.
Wrap up
Windows 365 Link is designed to make accessing Cloud PCs a faster and more secure process. It does this by addressing latency issues and complicated sign in processes to name but two problems. Windows 365 is all about being easy to use so it’s not surprising that onboarding Link devices to your organization’s environment is a relatively straightforward process. Whether you give the task to admins or the users do it themselves, getting your Windows Link devices up and running should be quick and hassle-free.
Microsoft has recently announced a new product that is built to bring significant changes to how clients interact with Windows 365. The new Windows 365 Link device which is scheduled to be available from April 2025, will potentially show us which direction virtualization could take in the future.
With this thin client device, Microsoft is giving Windows 365 users a product that is purpose-built to connect to Windows 365. Once connected, users will get a seamless Cloud PC experience with easy access to all of the Microsoft 365 apps.
Windows 365 recap
A few years ago, Microsoft introduced a cloud-based service that automatically creates a new version or type of Windows virtual machine known as a Cloud PC. This service allows organizations to provide employees with the tools they need to be productive on any device regardless of where they physically are.
By subscribing to the Windows 365 service, end-users can get their desktops, with all files, apps, and settings included, streamed to whatever devices they are using.
Essentially, Microsoft has built a service that gives you your own personal PC in the cloud. Undoubtedly, one of the greatest advantages of Cloud PCs is getting access from anywhere.
This can fit in perfectly with the hybrid work approaches that many businesses are implementing. As long as there is an internet connection, employees can maintain their productivity levels from any location.
Introducing Windows 365 Link
As an increasing number of organizations are adopting Windows 365, Microsoft has chosen the opportune moment to introduce the first Cloud PC device. Now in public preview, this small device has a Windows-based OS that will connect you to Windows 365 in seconds.
After quickly signing in to your Cloud PC, you can securely connect to your familiar Windows desktop in the Microsoft cloud.
To simplify use, Microsoft has designed it such that admins can leverage Intune to manage Windows 365 Link devices alongside other devices. This means that IT will benefit from a more streamlined management experience.
Additionally, IT can continue using the knowledge and policies they already have to ensure maximum efficiency regarding device management. Before you can use Windows 365 Link, you need to meet the following requirements:
Purchase a Windows 365 Link device.
Ensure management by your organization using Microsoft Intune.
Have a Windows 365 license for your Cloud PC.
Optimizing cloud performance
Although there has been a big push for organizations to migrate to the cloud, the simple reality is that inefficiency can often slow down adoption. Some of the more concerning problems that Microsoft has noted include latency issues, difficult sign-in processes, and peripheral incompatibility. These are exactly the types of issues that the Windows 365 Link device has been designed to address, especially in shared workspace situations.
The small, compact design means that you won’t have space concerns while taking advantage of faster access processes. Users should be happy with the few seconds the device takes to boot as well as the dual 4K monitor support, 4 USB ports, an Ethernet port, Wi-Fi 6E, and Bluetooth 5.3, that the devices comes with. Furthermore, the local processing capabilities on the device provide high-performance video playback and conferencing that is ideal for enhanced productivity.
Device description
As already mentioned, the Windows 365 Link device is a small, compact product that will be easy to move around the workplace as needed. Because of its size and light weight, you can easily place it anywhere on your desk or maybe even attach it to the back of a monitor. The dimensions of the device are given in the table below:
Dimension
Units metric
Units imperial
Length
120mm
4.72 inches
Width
120mm
4.72 inches
Height
30mm
1.18 inches
Weight
418 grams
14.75 ounces
The device will run on a small, Windows-based operating system known as Windows CPC and there will be no local applications or local users. In addition, there will be a strict application control policy that you cannot disable. To add to the convenience already on offer, updates will automatically download seamlessly in the background and then install at night.
Inside the computer, there will be an Intel chip that comes with 8GB of RAM and 64GB of storage. Even though the device has no moving parts, it will have the following ports:
Three USB-A 3.2 ports.
One USB-C 3.2 port.
One HDMI port.
One DisplayPort.
3.5mm headphone jack.
Ethernet port.
Kensington lock slot.
A port for the power cord.
Enhanced security
One of the things that Microsoft has emphasized about Windows 365 Link is that not only will it provide quick access to Windows 365 but it will do so very securely. As one can imagine, this is a very important issue to address as secure access is arguably one of the biggest concerns that businesses have about virtual solutions. Fortunately, the Windows 365 Link device will come with multiple features that guarantee optimum security including:
Discrete Trusted Platform Model 2.0.
Secure boot.
Virtualization-based security.
Hypervisor-protected Code Integrity.
BitLocker drive encryption.
Strict Application Control policy.
No local user with administrative rights.
No local data storage.
No local apps.
Security baseline policies are enabled by default.
Microsoft Defender EDR Sensor.
Wrap up
One of the chief ideas that Microsoft has reiterated over the years is how Windows 365 should simplify the use of virtualization technology. The ultimate goal is to see organizations migrate to the cloud and have a service that is quick, easy to use, and secure.
Windows 365 Link offers an additional update to the innovative measures that Microsoft has introduced to enhance the Windows 365 Cloud PC experience even more. And with the devices being available in just a few month’s time, it’ll be interesting to see the client responses during this public preview period.
New features and updates are paramount to improving the functionality of the various devices and applications that businesses use. This is necessary, especially if companies expect high levels of performance. It’s also essential as the tasks that we deal with grow more complex.
Not only do companies want to maintain performance but they also need tech companies to address any existing issues. As a result, organizations like Microsoft will offer many new features. These updates are for services like Microsoft Intune and Windows 365.
Because of the updates, released in 2024, overall user experiences will greatly improve. Let’s discuss the recent additions and explore how they might help elevate, simplify, and improve your business operations.
Improvements to Microsoft Intune
2024 has been a year with a lot of innovation from Microsoft across its various products and services. Plenty of this effort prioritizes Microsoft Intune improvements, bringing us features such as:
New capabilities for Windows Autopilot
Windows Autopilot is a service that makes the device deployment process faster and less complex. Companies benefit immensely from Autopilot’s ability to do away with the labor-intensive process previously necessary to provision new devices. And, Microsoft has additional service improvements to share.
Earlier this year, an announcement introduced an exciting new release – device preparation. This brilliant new innovation will enable the accommodation of more devices and delivery of more efficient results. Moreover, it will allow for the provisioning of cloud instances such as Windows 365.
Still, Microsoft ensures customers that the original, existing Windows Autopilot architecture is still in place. Because of this, you still have access to all your favorite features. IT admins can now enjoy a faster and simpler addition of groups to devices. This is due to enrollment time grouping, which replaces dynamic grouping. This creates a process that assigns app policies and scripts to devices more efficiently.
NEW SECURITY BASELINE
A key reason for updating devices and applications is to strengthen security and address vulnerabilities. Companies want to make sure that their security measures can stay ahead of the methods being employed by cybercriminals.
Hence the introduction of an update to the Microsoft Defender for Endpoint security baseline. These one-click collections of policies can be applied to devices (and device groups) in Intune. They also provide you with a way to configure all your organization’s devices with the same security policies.
Setting up your security measures in this way makes it’s easier to maintain the same security levels across the entire enterprise. This particular update offers a much better way of implementing the configuration recommendations made by the Microsoft Defender for Endpoint team. Furthermore, because it’s based on the Windows unified settings platform, you also get:
Quicker turnaround for updates.
Improved reporting, including per-setting status reports.
Assignment filter support.
Improved UI.
Consistent names across Intune.
Platform single sign-on (SSO) has arrived for macOS device enrollment
Signing in to multiple applications and websites using different credentials can be a tedious task. It can also be difficult for many people to keep up with all their sign-in information and passwords. This is why Platform Single Sign On (SSO) is a wonderful solution for streamlining the authentication process.
Because of how local account credentials synchronize with an individual’s IdP, one will only need to log in once. Platform SSO can help your company improve its security posture and enhance productivity.
Owing to the integration of SSI with Apple’s Secure Enclave technology, your organization can enable phishing-resistant, hardware-bound, passwordless authentication on Mac through Intune. In addition to better security, end-users can enjoy a less complex and faster out-of-the-box experience. This is possible because all they’ll need to set up their devices are their Entra ID passwords.
End-users also get to work more efficiently. This SSO experience, unique to Intune, enables them to sign in to their Outlook, Teams, and other Microsoft 365 apps simultaneously.
Installation of macOS apps on demand via Intune
Microsoft has done plenty of work to develop systems that can provide more capable Mac management. Intune has made providing IT admins and end-users a better, more efficient platform one of its key objectives. And one of the main reasons they’ve been able to achieve that is by leveraging feedback from customers.
Of note among the latest developments, are options that admins can provide to users for downloading unmanaged applications. These specifically apply in PKG and DMG format via the Intune Company Portal app.
Furthermore, to reduce the reliance on line-of-business app workflow or third-party tools to deploy optional applications, Intune added the “available” assignment type to the well-known “required” type. As one of the most requested features by Mac device administrators, this should be a well-received development as it will help both end-users and admins save time.
Expanded support for Microsoft Managed Home Screen
Microsoft Managed Home Screen (MHS) is an enterprise launcher application that enables IT admins to customize their devices and restrict the capabilities that a user can access. If you configure in multi-kiosk mode in Intune, MHS launches automatically as the default home screen on the device. This customizable launcher serves as a key tool for IT admins to better manage devices. It also ensures that users are performing at the expected levels.
As organizations provide users with increasingly more powerful devices, they need to make sure that business operations improve accordingly. The availability of Managed Home Screen is expanding from just user-less kiosks or shared devices to corporate-owned, fully managed devices associated with a specific user as well. As a result, this means capabilities are will extend to a wider range of use cases and applications.
BitLocker RECOVERY KEY
Having access to a BitLocker recovery key allows you to unlock an Intune-enrolled PC if you have the misfortune of forgetting your sign-in password and getting locked out. The stored recovery key is accessible from the Intune Company Portal website. It’s also accessible in the Intune Company Portal app.
Without this key, users would typically need to contact the Help Desk for assistance. As one can imagine, it’s easy to see why this option is better. It offers greater support to users while lightening the load on IT professionals.
Going forward, this update will enable end-users to access their BitLocker recovery key directly from the Company Portal website. Because of this, your organization can expect to benefit from a more intuitive and streamlined path to recovery.
This should also help improve productivity because end-users won’t need to wait for the delays that sometimes occur while waiting for IT support to assist them. And with IT having this task taken care of for them, they will have more time to dedicate to more productive endeavors.
CORPORATE IDENTIFIERS
This feature aims to verify that corporate devices are labeled as corporate-owned as soon as they enroll. It does so by adding their corporate identifiers ahead of time in the Microsoft Intune admin center.
For businesses, corporate device management provides you with more capabilities than that for personal devices. This new change will help organizations restrict the application of the corporate-owned devices label only to authorized devices.
Adding corporate identifiers to Intune requires you to upload a file of corporate identifiers in the admin center or enter each identifier separately. Also important to note is the fact that you don’t need to add corporate identifiers for all deployments. During enrollment, Intune automatically assigns corporate-owned status to devices that join to Microsoft Entra via:
Device enrollment manager account (all platforms)
An Apple device enrollment program such as Apple School Manager, Apple Business Manager, or Apple Configurator (iOS/iPadOS only)
Windows Autopilot
Co-management with Microsoft Intune and group policy (GPO)
Azure Virtual Desktop
Automatic mobile device management (MDM) enrollment via provisioning package
Knox Mobile Enrollment
Android Enterprise management:
Corporate-owned devices with work profile.
Fully managed devices.
Dedicated devices.
Android Open Source Project (AOSP) management:
Corporate-owned user-associated devices
Corporate-owned userless devices
Google Zero Touch
Windows 365 Cloud PC security baseline updates
From the new, additional features and updates to Microsoft Intune, it’s clear to see that increasing efficiency matters. Strengthening security is also of utmost importance. And the same applies here.
Configuring security settings can often be a complex, time-consuming task that few will enjoy especially if you are still a novice. These deployed policy templates with Intune aim to establish Microsoft Security–recommended settings are central to the security strategies employed by Intune.
To ensure that you get the most from these measures, Intune has set it up such that these baselines can be tailored to your unique needs. Additionally, this particular update requires you to manually update your customizations, if any, from the previous baseline. This baseline, which comes highly recommended, will also give you:
Faster deployment of baseline version updates
Improved user interface and reporting experience (such as per-setting status reports)
More consistent naming across the Intune portal
Elimination of setting “tattooing”
Ability to use assignment filters for profiles
New updates and features for Windows 365
Similar to Microsoft Intune, Windows 365 has also introduced several updates to the Cloud PC service. Some of these include:
ADDITIONS TO DEVICE MANAGEMENT CAPABILITIES
Update
What it offers
Windows 11 Cloud PCs now support EN-NZ
As of September 2024, Windows 11 Cloud PCs now support EN-NZ.
Support for symmetric NAT with RDP Shortpath
The goal is to develop an RDP Short path in Windows 365 such that it can support setting up an indirect UDP connection using Traversal Using Relays around NAT (TURN) for symmetric NAT. Most are probably aware that TURN is a widely accepted standard for device-to-device networking for low latency, high-throughput data transmission.
Uni-directional clipboard support is now generally available
With service release 2407 in July 2024, came the release of uni-directional clipboard support into general availability.
Closing port 3389 by default for newly provisioned and reprovisioned Cloud PCs
Going forward, expect to find the inbound port 3389 closed by default. This update has come about as a means to further safeguard your Windows 365 environment.
Chroma subsampling default change to 4:2:0
This change has been made to help reduce monitor support issues. The Windows 365 service will now default to the chroma subsampling at 4:2:0. instead of the previous 4:4:4.
Windows 365 Boot and Windows 365 Switch now support battery status redirection
In a move that should be welcomed by users, Windows 365 Boot and Windows 365 Switch will now offer support for battery status redirection. Therefore, you can now view your local PCs battery status on a Cloud PC.
Upgrade Windows 365 licenses in Microsoft admin center
All clients with Modern Microsoft Cloud Agreements can now upgrade their existing Windows 365 licenses in the Microsoft Admin Center.
New Windows 365 Cloud PC images available in the gallery
As of May 2024, you can now access new Cloud PC gallery images for Windows 10 and Windows 11. These improved images have harmonized optimizations with Windows 365 apps images for better policy management: Win 10 Enterprise Cloud PC: 21H2, 22H2,Win 11 Enterprise Cloud PC: 21H2, 22H2, 23H2
Manage redirections for Cloud PCs on iOS/iPadOS devices
The Intune admin center can now be used to handle redirections for iOS/iPadOS users who access their Cloud PCs using Microsoft Remote Desktop and Windows App.
DEVICE SECURITY UPDATES
Update
What it offers
Session lock experience configuration for single sign-on
This new update offers clients the ability to configure the remote session lock experience when single sign-on (SSO) is enabled between the default disconnect behavior and showing the remote lock screen. Enabling SSO allows you to use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Cloud PC. This tool offers an SSO experience when authenticating to the Cloud PC and inside the session when accessing Microsoft Entra ID-based apps and websites.
Windows 365 support for Microsoft Purview Customer Key
Windows 365 clients are also being given a feature that supports the encryption of Cloud PCs by setting up Microsoft Purview Customer Key.
Customer Lockbox
With service release 2407 is new Windows 365 Government support for Microsoft Purview Customer Lockbox. The Customer Lockbox prevents Microsoft from accessing your content without explicit approval. This feature gets you integrated into the approval workflow process that Microsoft uses thereby restricting access to your content only to authorized requests.
Single sign-on Windows 365 clients authentication change
Single sign-on for Windows 365 is switching to the use of the Windows Cloud Login Entra ID cloud app for Windows authentication. This change will begin with the Windows and Web clients.
FQDNs removed from requirement list
Several of the required FQDNs have in the past been moved to the *.infra.windows365.microsoft.com wildcard FQDN. This move reduces the initial configuration requirements and the change rate of connectivity requirements. As of May 2024, the old FQDNs have been removed from the requirement list.
Microsoft Purview Data Loss Prevention
In March 2024 (service release 2403), it was announced that Microsoft Purview Data Loss Prevention (DLP) will now support Windows 365 Enterprise. Getting access to DLP means that you can now monitor the actions that are being taken on items you’ve determined to be sensitive. Moreover, this also helps you block unintentional sharing of these items. As soon as you onboard devices into the Microsoft Purview solutions, data concerning what users are doing with sensitive items becomes available in activity explorer.
Windows 365 Boot shared mode supports FIDO
This change can help your business strengthen the security of your Windows 365 environment. Because Windows 365 Boot shared mode now supports FIDO, enterprises can leverage hardened authentication measures that minimize the risk of successful attacks.
MONITOR AND TROUBLESHOOT
Update
What it offers
New Intune report and device action for Windows enrollment attestation (public preview)
The device status attestation report gives you information about devices that have either Completed, Failed,or Not started enrollment attestation. With the new device attestation status report in Microsoft Intune, you can find out if a device has attested and enrolled securely while being hardware-backed.
Cloud PC utilization report for Windows 365 Government
The Cloud PC utilization report offers you a useful tool for monitoring and optimizing Cloud PC usage in your organization. You can glean from it information such as how much time users are spending on their Cloud PCs or when they last connected. As of June 2024, support for this feature is now available to Windows 365 Government.
Cloud PC size recommendations report
This Cloud PC recommendations report is now out of preview and generally available. The report is an AI-powered feature that enables administrators to determine the correct size for Cloud PCs. By assessing data such as end-user Cloud PC usage patterns, platform level resource utilization data, and performance needs, you can work out the best Cloud PC configuration for your users.
Cloud PCs that aren’t available report
Generally available as of May 2024 (service release 2404). Simplifies the task for admins by helping them identify Cloud PCs that may be currently unavailable. The report will give you information concerning conditions up to 5 to 15 minutes ago. As a result, you could potentially find Cloud PCs in the report that have already recovered.
Improvements to Cloud PC connection quality report
Several upgrades to the Cloud PC connection quality report became generally available in March. The improvements that you can look forward to include: A more comprehensive view of the overall performance of your Cloud PCs.A more detailed view of devices when they are in a state of poor performance due to high round trip times.Tenant level visibility to most recent/current for:Round Trip Time.Bandwidth.Connection Time.UDP Utilization.Connection specific detail on client IP and associated CPC Gateway.Filters for all columns.
Alerts for Windows 365 Frontline maximum concurrent Cloud PCs
Windows 365 administrators will be getting even more information to help them better manage their Cloud PC environments. With this update, admins receive alerts notifying them when the maximum concurrent Cloud PCs are active for Windows 365 Frontline subscriptions.
Device action data kept for 90 days
You get to view actions performed within the last 90 days. To access this information, navigate to the Overview page for individual Cloud PCs.
UPDATES TO WINDOWS 365 BOOT
Update
What it offers
Shared and dedicated Windows 365 Boot device
Using Windows 365 Boot, admins can configure Windows 11 physical devices so that users can: Avoid signing in to their physical device.Sign in directly to their Windows 365 Cloud PC on their physical device. To add to the flexibility, Windows 365 Boot now supports both dedicated and shared PC scenarios.
Windows 365 Boot sign-in page customization
Another update for Windows 365 Boot is the availability of sign-in page customization. Previously in preview, this feature became generally available in February.
Windows 365 Boot fail fast notifications
Adding to the previous new updates is fail fast notifications. Beginning in February as well, Windows 365 Boot detection and notification of network or application setup issues transitioned to general availability.
Management of local PC settings
The last update for February allowed for changes regarding the management of local PC settings. Going forward, users will be able to manage local PC settings through their Windows 365 Boot Cloud PC.
Wrap up
Ensuring that your IT environment is operating at peak efficiency is a goal that every company should have. Optimizing the functions of applications and devices is integral to maintaining elevated productivity levels. This is why one cannot overstate the importance of the new features and updates. It’s why we regularly see them from Microsoft Intune and Windows 365.
Not only do they keep your business running smoothly. They constantly address any issues that may arise. As a business, your needs change as the operating environment evolves. Therefore, there is a need for services like Intune and the Cloud PC that can keep up with those changes.
Synology NAS (Network Attached Storage) devices are known for their versatility, offering a wide array of features for data storage, sharing, and management. One feature that significantly enhances performance is the Synology SSD cache. This guide explores Synology SSD cache, its benefits, how to set it up, the importance of upgrading DiskStation Manager (DSM) versions, and how to verify if you’re running the latest DSM version.
What is Synology SSD Cache?
An SSD cache uses Solid-State Drives (SSDs) to accelerate data access on traditional Hard Disk Drives (HDDs). SSDs are much faster than HDDs due to their lack of mechanical parts, providing lower latency and higher throughput. In Synology NAS, SSD caching improves the performance of your storage pools without requiring a full SSD-only setup.
Types of SSD Cache in Synology NAS
Read-Only Cache:
Speeds up frequently accessed data by storing it in SSDs.
Improves read performance but does not affect write operations.
Read-Write Cache:
Boosts both read and write performance.
Requires at least two SSDs in RAID 1 for redundancy.
Benefits of SSD Cache
Enhanced Performance: Faster data access and improved application performance.
Cost-Effective: Combines HDDs and SSDs for performance gains without the expense of SSD-only setups.
Scalable: Easily added or removed as needed.
Optimized Utilization: Ensures frequently accessed data is quickly available.
When to Use SSD Cache
High I/O Workloads: For example, virtualization, databases, or file servers.
Mixed Storage Systems: Combining HDDs and SSDs for balanced performance.
Repetitive Access Patterns: Ideal for applications with predictable workloads.
Install SSDs in the designated bays or via an adapter card like the Synology M2D17 in PCIe Slot 1.
Verify installation using Synology DSM.
Create SSD Cache:
Navigate to Storage Manager > SSD Cache.
Choose the storage pool and cache type (read-only or read-write).
Follow the on-screen instructions.
Monitor Performance:
Use Resource Monitor to track cache efficiency.
Optimize Cache:
Update DSM for the latest features.
Adjust settings as needed.
Why Upgrade DSM?
DiskStation Manager (DSM) is the operating system powering Synology NAS devices. Regular upgrades are essential for:
New Features: Improved functionality and usability.
Security: Patches to keep your system secure.
Performance: Enhanced efficiency with updated algorithms.
Compatibility: Support for new hardware and apps.
Bug Fixes: Resolves known issues.
DSM Upgrade Steps
Prepare for the Upgrade:
Backup data using Hyper Backup.
Verify compatibility and system health.
Upgrade DSM:
Use the Control Panel > Update & Restore for automatic updates.
Perform manual updates by downloading the update file from Synology’s website.
Post-Upgrade Verification:
Test applications and review logs for errors.
Reconfigure settings as needed.
How to Verify DSM Version
DSM Interface: Navigate to Control Panel > Update & Restore to check for updates.
Synology Assistant: Use this tool to display the DSM version.
Command-Line: Run cat /etc/VERSION via SSH.
Mobile App: Use Synology’s DS Finder to check the version.
My Setup and Observations
I am using a DS1817+ with eight Seagate ST8000AS0002-1NA17Z 8 TB Archive HDDs, running without issues. Currently, I’m upgrading to 16 TB Western Digital WDC WD161KFGX-68AFPN0 HDDs. My SSD cache consists of two Samsung SSD 850 EVO M.2 (500 GB) drives installed using a Synology M2D17 adapter in PCIe Slot 1.
Hardware Highlights
Seagate ST8000AS0002 HDD:
Energy-efficient archival storage.
Reliable for long-term use.
Western Digital WDC WD161KFGX HDD:
High-capacity Ultrastar DC HC500 series.
Optimized for data centers with vibration resistance.
Samsung SSD 850 EVO M.2:
Advanced 3D V-NAND technology.
TurboWrite for faster write speeds.
High endurance and energy efficiency.
Best Practices for SSD Cache
Regular Maintenance: Monitor and optimize cache performance.
Use Compatible Hardware: Follow Synology’s compatibility guidelines.
Backup Data: Regularly back up to avoid data loss.
Conclusion
Synology SSD cache is a game-changer for optimizing NAS performance. Coupled with regular DSM upgrades, it ensures a reliable and high-performing system. Follow these best practices to maximize your NAS potential, enhance data security, and enjoy seamless compatibility.
