SMS_EXECUTIVE crashes on Hyper-V due to UserShadowStack

Introduction

In the realm of systems management, maintaining the stability and reliability of essential services is crucial for uninterrupted operations. A notable challenge that has emerged in this context involves the SMS_EXECUTIVE service, a vital component of the Configuration Manager, which is experiencing unexpected terminations shortly after startup. This issue not only hampers the functionality of the Configuration Manager but also poses significant concerns for system administrators who rely on this service for managing networked systems efficiently.

Overview of the Issue

The SMS_EXECUTIVE service, responsible for executing several critical tasks within the Configuration Manager infrastructure, including processing incoming data, executing administrative actions, and managing component threads, has been reported to crash moments after it is initiated. This abrupt termination of the service disrupts the normal workflow, leading to a series of operational challenges.

Scope of the Investigation

This post aims to delve into the potential causes of this issue, examining various aspects such as system logs, configuration settings, recent updates, and environmental factors that might contribute to the instability of the SMS_EXECUTIVE service. The primary objective is to isolate the root cause of the crash and provide a comprehensive analysis that can guide towards effective troubleshooting and resolution strategies.

Importance of Addressing the Issue

The stability of the SMS_EXECUTIVE service is paramount for the seamless operation of the Configuration Manager. Its failure not only impacts the efficiency of system management tasks but also poses risks related to security, compliance, and overall network health. Addressing this issue is thus critical for ensuring that the Configuration Manager continues to function as a robust and reliable tool for system administrators.

In the following sections, we will explore the technical details of the issue, outline the methodologies employed in the investigation, and discuss potential solutions to restore the functionality of the SMS_EXECUTIVE service effectively.

Identifying Potential Causes for the SMS_EXECUTIVE Service Crash


In order to effectively address the issue of the SMS_EXECUTIVE service crashing, it is essential to systematically identify and evaluate potential causes. This section outlines a structured approach for investigating various factors that could contribute to this problem.

1. System and Application Logs Analysis

  • Event Viewer Logs: A thorough examination of the Windows Event Viewer logs, specifically focusing on the Application and System logs around the time of the crash, can provide critical insights. Error messages or warnings preceding the crash are often indicative of underlying issues.
  • SMS_EXECUTIVE Logs: The Configuration Manager logs, particularly those related to SMS_EXECUTIVE, should be scrutinized for any unusual entries or error codes that could point towards the cause of the crash.

2. Configuration and Environment Review

  • Recent Changes: Any recent changes made to the system or the Configuration Manager settings could be a contributing factor. This includes updates, patches, or modifications in the configuration.
  • System Resources: Insufficient system resources, such as memory or CPU, can lead to service instability. Monitoring resource usage patterns around the time of the crash is crucial.
  • Network and Connectivity Issues: Network problems or connectivity interruptions can impact the functionality of the SMS_EXECUTIVE service, especially if it relies on remote components or databases.

3. Component Dependencies and Interactions

  • Dependent Services: Understanding the dependencies of the SMS_EXECUTIVE service, such as other Configuration Manager components or Windows services, is vital. If a dependent service is failing or unstable, it can cascade to the SMS_EXECUTIVE service.
  • Inter-Service Communication: Analyzing how SMS_EXECUTIVE interacts with other services and components within the Configuration Manager ecosystem can reveal potential points of failure.

4. Software Updates and Compatibility

  • Update History: Reviewing the history of updates applied to the Configuration Manager and the underlying operating system can help identify if a recent update might be causing compatibility issues.
  • Third-Party Software: The presence of third-party software or add-ons, particularly those that interface with the Configuration Manager, should be evaluated for compatibility and stability concerns.

5. Security and Access Control

  • Security Software Interference: Security solutions such as antivirus or firewall settings might be interfering with the operation of the SMS_EXECUTIVE service.
  • Permissions and Access Rights: Ensuring that the SMS_EXECUTIVE service has appropriate permissions to execute its tasks is crucial. Incorrect permissions can lead to service failures.

The specific issue identified from Event viewer:

Faulting application name: smsexec.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000409
Fault offset: 0x00007ffa5dc03d86
Faulting process id: 0x530
Faulting application start time: 0x01da4ae272f45384
Faulting application path: F:\Program Files\Microsoft Configuration Manager\bin\X64\smsexec.exe
Faulting module path: unknown
Report Id: 6463f350-fe42-4528-8849-c2489e6d558d
Faulting package full name:
Faulting package-relative application ID:

The issue is caused by UserShadowStack

UserShadowStack is a security feature introduced in Windows Server 2022, designed to enhance the protection against return-oriented programming (ROP) attacks, which are a common method used in exploiting software vulnerabilities.

Understanding UserShadowStack:

  1. Concept of Shadow Stack: At its core, UserShadowStack implements a ‘shadow stack’, which is a secondary, protected stack that keeps track of the intended return addresses for each function call in a program. When a function is called, its return address is stored both on the regular stack and the shadow stack. When the function returns, the return address from the regular stack is compared with the one in the shadow stack. If they match, the program continues as normal; if not, it indicates potential tampering, likely due to an attempted ROP attack, and the system can take appropriate action, such as terminating the process.
  2. Protection Mechanism: By ensuring the integrity of return addresses, UserShadowStack helps prevent attackers from hijacking the control flow of a program, which is a common technique in many sophisticated cyber attacks.

UserShadowStack in the Context of Hyper-V on Windows Server 2022:

Hyper-V is Microsoft’s hardware virtualization product, allowing users to create and run virtual machines. Each virtual machine runs its own operating system and is isolated from the host system. In this context, UserShadowStack can provide the following benefits:

  1. Enhanced Security for Virtual Machines: When running on Windows Server 2022 with Hyper-V, UserShadowStack can be used to protect the virtual machines from ROP attacks. This is particularly important as virtual machines often run critical or sensitive applications, and their security is paramount.
  2. Isolation and Containment: With Hyper-V, if an attack occurs within a virtual machine, it is typically contained within that VM, protecting the host system and other VMs. UserShadowStack adds an extra layer of defense within each VM, further reducing the risk of successful exploits.
  3. Compatibility and Performance: UserShadowStack is designed to work seamlessly with Hyper-V, ensuring that the additional security does not significantly impact the performance or compatibility of the virtual machines.

In summary, UserShadowStack in Windows Server 2022 provides a robust mechanism to thwart ROP attacks by validating return addresses. When integrated with Hyper-V, it ensures that both the host environment and the virtual machines benefit from enhanced security without compromising performance or compatibility.

Run the following command and start your service again: Set-ProcessMitigation -Name smsexec.exe -Disable UserShadowStack

Key Things To Know About Windows Safeguard Holds

Updating your computers and mobile devices is something that requires regular attention. Indeed this is rather important for a few reasons. For example, there are security updates to enhance your security posture and reduce the risk of breaches. Another important reason is to fix problems with applications. Additionally, updates can remedy issues with the operating system itself. This is where Windows safeguard holds come into play.

But, even though we perform updates expecting to improve the user experience, it doesn’t always work out that way. There are compatibility issues with particular devices sometimes. And in the worst of scenarios, you might lose connectivity, key functionality, or data. This is why Microsoft has systems in place to try and limit any problems to as few devices as possible.

What are Windows safeguard holds?

By leveraging data on compatibility and quality, Microsoft can identify issues that may cause a Windows client feature update to fail or rollback. In the instances where such issues arise, applying safeguard holds to update service helps.

Consequently, this action will prevent the affected devices from installing the update. It thereby protects them from any issues. Microsoft can also employ safeguard holds when clients, partners, or Microsoft internal validation find issues. It’s helpful for those issues that cause severe problems and there is no immediate solution available. Examples of possible events include loss of key functionality, rollback of update, and data loss.

With the use of safeguard holds, devices with known issues won’t be offered new versions of an operating system. However, once a fix has been found and verified, the update will become available.

Microsoft’s objective with safeguard holds is to enable clients to have a flawless experience when their devices are updating to new versions of Windows client. Those that use the Windows Update service for the deployment of new versions of Windows to their devices would already have benefited from the use of holds for known issues. These clients include all those using Windows Update for Business.

Looking at issues

When Microsoft describes how safeguard holds work, there is a lot of mention of the issues for which holds apply. But, what exactly are these issues? There are known issues. These are problems that can manifest after an upgrade is discovered by Microsoft or reported by clients or partners. Only after assessment and confirmation of an issue, for a specific set of devices, can it fall under known issues.

The next type are likely issues. As the name suggests, these issues are suspected, but not yet confirmed. What we have here are issues that have been picked up by the machine learning service across millions of unmanaged devices, corporate or personal. The service performs daily scans. And it searches for app or driver malfunctions, rollback during setup, connectivity issues, and more.

Subsequently, the machine learning service then looks for links among device hardware and software characteristics. This will then help to identify a larger set of devices yet to perform any updates to protect them. Basically what goes on in these instances is that there are issues that are yet to be confirmed. However, because they are likely it’s good practice to safeguard the at-risk devices.

How does it work?

Here are additional aspects to understand when recognizing how Windows safeguard holds work.

Identification of known issues

As one would expect, the process would naturally start by identifying the relevant issues. Microsoft has a setup that allows for the collection of feedback from various channels. This information is regarding known issues about a Windows update, now collected for your review.

Although there is an internal testing process, Microsoft also requires feedback from Windows Insiders, clients, and partners. And then, as issues are identified, device-specific criteria develop and for application to affected devices as a safeguard hold. These devices will no longer have access to updates until a fix is found and implemented.

Identification of likely issues

For the safeguarding of likely issues, Microsoft can use data obtained across millions of daily devices. Unmanaged by IT, these devices are installing the upgrade from the Windows Update.

All the diagnostic data that Microsoft has from the millions of client devices feeds into the machine learning system. From this, identity patterns associated with update-related disruptions can then be automatically identified. All data usage follows Microsoft’s privacy policy.

Safeguarding of devices

The actual safeguarding of devices can begin once the machine learning algorithm picks up a pattern. After this happens, a temporary safeguard hold for a likely issue is implemented. How long this hold remains in place can vary. But the priority will be device protection rather than progress.

This means the user experience can be preserved and IT staff can have fewer things to worry about. Because of the resultant delay, the few weeks you get can be used to decide how to proceed with the update in a way that keeps your devices protected and productive. The system intends to address the temporary hold for a likely issue in a matter of four to six weeks. This can be done in one of two ways:

  • Confirmation of the likely issue which consequently sees it transitioned to a known issue and thus sees the safeguard hold maintained.
  • In the second scenario, the issue is deemed to be a false positive and therefore the hold will be removed and devices can therefore begin updating.

Known and Unknown Issues

In the first option mentioned where the issue has been confirmed meaning the device is not in a position to update, the classification changes to a known issue. What this does is that it will continue to delay the upgrading of the device until a fix has been found and implemented.

When the system determines that the issue was actually a false positive, all unaffected devices will have the safeguard hold removed. In that case, any upgrades that are approved by the IT team may proceed as normal. According to information from Microsoft, two main criteria are used to determine whether to implement automatic safeguard holds for likely issues. These are:

  • In cases where deployment to consumer devices that are likely exposed to the issue has been paused.
  • The second criterion concerns situations where there are issues that are under active investigation by Microsoft engineers.

When it comes to Windows Update, Windows safeguard holds will be kept in place until the Microsoft investigation has been completed and a fix has been developed and verified. Only then will the solution be made available to the affected devices and update deployment restored.

So devices can only resume being offered updates after a fix has been delivered by Windows Update or a third party thereby lifting the safeguard hold. Under those circumstances, customers can be offered a seamless protection experience.

Taking advantage of Windows safeguard holds

Making use of the features that Microsoft has put in place can go a long way in improving the security posture of your organization. Leveraging safeguard holds will help you to get a better update deployment experience. These features will be available to you via the likes of Microsoft Intune, PowerShell SDK, Update Compliance, and Microsoft Graph.

You’ll find that deployment scheduling controls are consistently available. But, you need to, first of all, configure your devices to share diagnostic data with Microsoft and leverage available reporting tools. Without performing this action you won’t be able to benefit from the unique deployment protections tailored to devices under your management.

ยง  Pre-requisites

Before you can start benefiting from everything that safeguard holds have to offer, you need to meet a few requirements. These are:

Something that you do need to be aware of is that safeguards holds are applied to Windows Update for Business deployments by default. This is to ensure that your environment can benefit from optimal user experience and so opting out or doing manual updates is not recommended. However, in strict IT environments and for validation purposes you may still do that.

Keep track of safeguard holds reporting

One thing that you’ll want to do to stay up to date is to be meticulous about verifying safeguard hold records. When a safeguard hold is put in place, you can go to the M365 Admin Center or the Known Issues sections of the Windows release health dashboard online to get more information about the issue in question. The system also allows you to keep track of all the devices in your environment through up-to-date reporting.

For those that use Update Compliance, you can access information regarding which devices under your management are affected by which specific safeguard holds. To do this, you’ll have to check your safeguard hold report. For those who use Intune, on the other hand, safeguard holds are now visible in the Feature Update Failures Report.

How to opt-out

If you decide to opt-out, you can do so using the Local Group Policy Editor. This can be done by following the steps given below:

  • Navigate to the Open the Local Group Policy Editor (gpedit.msc).
  • In that section, look for the policy location in the left pane of the Local Group Policy Editor.
  • Next, head over to the right pane of Manage updates in the Windows Updates section of the Local Group Policy Editor. Proceed to tap on Disable safeguards for Feature Updates.

Microsoft recommendations

Until a solution has been developed and implemented and the safeguard hold has been released, Microsoft strongly cautions against performing manual updates. If you choose to opt-out of a safeguard hold, you should do so knowing that the concerned devices will be at risk of being affected by known performance issues.

So if you have made the decision that you still want to opt out despite the risk, you should make sure that you perform rigorous tests that will help you to verify the degree of the potential impact.

There is a way, however, for you to reduce your risk of being affected by issues and still opt-out. This can be possible as long as your IT admins check in regularly with Update Compliance and the Windows release health dashboard. If you’re in this position, you can have a greater degree of security when temporarily opting out so that you can enable an update to proceed.

As mentioned previously, this is still only recommended when in strict IT environments and for validation purposes. Furthermore, you should be aware that even if you do opt out, this will be temporary and only lasts the time it takes to complete the update. So as soon as that is done, the safeguard hold is automatically reapplied.

Wrap up about Windows safeguard holds

Compatibility issues are nothing new and we’ve all probably encountered them at one point or another. The frustration that this can cause as well as the cost in productivity terms can be immense. Loss of data or connectivity from an update that hasn’t worked out can mean downtime for the affected users.

That is why Microsoft has developed a service that is capable of monitoring quality and compatibility. Having this data means that issues can be swiftly identified and thus limit the number of devices that are affected.

In addition, the fact that this data is obtained from various sources including clients and Microsoft partners enables the creation of a very comprehensive compilation of information. Once issues are identified, safeguard holds are applied to allow for an investigation to take place, and a solution to be developed and applied. I think it’s pretty safe to say that safeguard holds can go a long way in giving users a streamlined experience and IT greater peace of mind.

Run Legacy Applications with Ease using Windows 365

Businesses tend not to want to implement too many changes to the way they do things when they are already doing very well. As such, this can pose a major stumbling block to the adoption of new products and services.

Migrating to the cloud is something that raises several concerns for businesses. So Windows 365 wants to offer a secure and reliable experience that can alleviate those concerns. It is an easy-to-use virtual desktop environment that also supports legacy applications ensuring that you won’t need to make changes that you are unwilling to make.

You can continue running your preferred applications without worrying about compatibility issues. With that in mind, let’s go over some of those legacy application support features.

Legacy Application Support Features of Windows 365

To allow businesses to use the legacy applications that have been most effective for them, Windows 365 provides users with several legacy application support features. Below are some of these key features:

Compatibility with Older Operating Systems

Newer and more advanced products and services can have significant benefits for most businesses. However, many are not always open to change for plenty of reasons. The potential cost of implementing new systems is one of the main reasons why companies may be hesitant.

But, Windows 365 is built to try and reduce IT expenditure by offering features such as compatibility with older operating systems. This means that your business can continue to use the software programs that you are comfortable with and that brings the most productivity.

Additionally, you don’t need to worry about the time that may be required to train your staff to use new applications. So, what Windows 365 can then offer you are all the benefits of running your desktops on the cloud. And you can do so without completely overhauling everything you currently use.

Another great thing about the compatibility feature is how it means that already overloaded IT departments will not have to deal with additional tasks. Once Cloud PCs have been set up, employees will have available to them the software programs they are familiar with so work can continue as normal.

Integration with Existing Infrastructure

As well as providing compatibility for applications that were running on older operating systems, Windows 365 also seamlessly integrates with existing infrastructure. The benefit of this is that you can continue with some of your legacy applications, without losing access to some of the more modern ones, as well.

As a result, you get the software programs you want and simultaneously benefit from the features of newer applications. Needless to say, the potential of such a setup is not only immense but very cost-effective.

Employees don’t need to have multiple devices running different operating systems to have all the applications they need. Even more importantly, however, this integration allows businesses that want to switch to newer applications to have sufficient time to make the transition.

Cloud PC users can use the software programs that they are familiar with while simultaneously learning about the newer versions. This will provide businesses with considerable flexibility to make gradual changes as they update their virtual desktop environment.

Compatibility with Older Hardware

Hardware limitations can be a massive factor that hinders businesses from migrating to the cloud. So, in some cases, if employees don’t have the latest, most powerful devices, they may not be able to use certain products and services. With Windows 365, this is not an issue because there is support for multiple devices and operating systems.

Consequently, Cloud PC users can stick with their current devices whenever they want to access their virtual desktops. They don’t necessarily need to worry about the specifications of their devices or the operating systems they are running.

As long as the device has either the Microsoft Remote Desktop app or an HTML5-capable browser to access the web, you can access your Cloud PC with no problems. Although Microsoft does clarify that Windows devices will provide the best experience, clients remain free to choose a platform of their choice.

Accordingly, businesses can immediately start preparing to set up their Windows 365 environment. And they can do so without the added concern about first furnishing employees with new devices. Undoubtedly this is something that has been designed to perfectly illustrate how easy using Windows 365 is meant to be.

Support for Multiple Environments

At this point, it’s becoming pretty clear that compatibility is a pretty big issue for Windows 365. Along with older operating systems and hardware, clients also get support for multiple environments. Naturally, you can expect a lot of businesses to have different setups that are tailored to their unique needs.

Therefore, it really should come as no surprise that Windows 365 supports various environments, including cloud, on-premises, and hybrid setups. This gives your business the flexibility to design a virtual desktop environment that can adequately meet the needs of your operations.

Something like a hybrid setup can be hugely beneficial to businesses that are not willing as yet to migrate their entire environment to the cloud. It gives you the time to assess whether or not full cloud migration is the right thing for you. In addition to these different environments, Windows 365 is also compatible with multiple operating systems. It works with Windows, macOS, iOS, and Android, among others.

It’s for this reason that most businesses can have access to the Windows 365 environment. Limitations are relatively few concerning the platforms that you may want to use. And there is great flexibility in how you operate.

Benefits of Windows 365’s Legacy Application Support

The features that we have discussed above have plenty of benefits that businesses can get concerning legacy application support. Some of these benefits are given below.

Cost Savings

Unquestionably, one of the biggest advantages that come with using Windows 365, is the potential to cut down on IT expenditure. From the get-go, Microsoft presents Windows 365 as a virtual desktop environment that you can set up on your own without additional IT personnel. This reduces the costs that you face when setting up your employees with Cloud PCs.

Also, maintaining the environment and handling any of the tasks will be easy enough for your in-house IT department. This means less time wasted waiting for IT support services, thus potentially increasing productivity.

Features like compatibility with older operating systems are also going to minimize your costs by eliminating the need to immediately change your OS. And the same thing will apply to the devices that Cloud PC users can utilize to access their virtual desktops.

As long as you have the appropriate application or browser, you can easily access your Cloud PC on your device of choice. Because employees can use any of the devices they already have, this can go a long way in reducing the cost of purchasing devices for new employees or refreshing devices now and again.

Improved Compatibility

Microsoft wants Windows 365 to be a solution that can assure clients they’re getting a product that fits seamlessly with their existing infrastructure. Businesses can leverage all the best that the Cloud PC has to offer without having to completely do away with the systems that have brought them this far.

It’s for this reason that Windows 365 provides compatibility on several different levels to address the concerns that you may currently have. And this helps provide employees with an easier transition to the new infrastructure.

So, whether you’re looking at hardware or software, Windows 365 gives you a level of compatibility that caters to your goals. You can get to have the Windows 365 experience with your Windows, Apple, or Android devices, among many others.

This is something that can be an excellent tool in enhancing how employees work and how IT departments increase efficiency. Additionally, businesses can expect to see fewer downtime issues from problems that may otherwise arise from compatibility challenges.

Greater Flexibility

In the same way that Windows legacy application support features can help you reduce IT expenditure, they will also improve flexibility. And this is vitally important considering how remote work and distributed workforces have become integral to the operations of a lot of businesses.

Many now want to have the flexible working conditions that they are now accustomed to as a permanent solution. Hence the need for platforms like Windows 365 that enable you to easily run legacy applications using your current devices.

Coupled with what employees stand to gain, the business as a whole has the flexibility to choose what devices or operating systems are best for improving efficiency. Windows 365 does not have stringent restrictions concerning which devices or operating systems you can use. So, you can choose the best devices on the market to suit the needs of your business. And you’ll be able to use them to access your virtual desktops without any problems.

Enhanced Productivity

Cloud computing presents businesses with a solution that aims to help improve productivity. With Windows 365, you are getting virtual desktops that are easily accessible from remote locations and facilitate collaboration among colleagues.

This means that employees can work from anywhere, making sure that projects are completed on time, even with people collaborating from different countries. Because of the support for multiple environments, operating in this manner becomes very easy to achieve. Not only that, but Windows 365 ensures that all communication and collaboration are extremely secure.

Something else that will help enhance productivity is the fact that Windows 365 can integrate with your existing infrastructure. Doing so enables you to adopt this solution without it costing you unacceptable amounts of downtime that could be used more productively. And we can say the same thing about the compatibility with older hardware.

Cloud PCs are easy to set up and deploy so that work continues seamlessly while simultaneously increasing efficiency. Furthermore, these features also help your business to swiftly adapt to any changes in the market. The regular updates that Windows 365 receives are perfect for ensuring that you always have the best features to potentially give you an edge over other businesses.

Increased Security

Most people will agree that plenty of businesses are reluctant to make the migration to the cloud because of a lack of trust in the security measures. There is a tendency to want to keep all data in-house so that it is kept secure.

And this is precisely why Windows 365 utilizes industry-leading security measures to keep clients’ data as secure as possible. Because of the support availed for multiple platforms, Windows 365 offers regular updates and security patches to maintain high levels of security.

And this, in turn, allows you to run your legacy applications easily with minimal concern about your data being compromised. Moreover, Windows 365 has several redundancies in the system. These ensure that regardless of what disaster you may encounter, your data should remain secure and accessible. Therefore, whether employees are in the office or working from remote locations, you can conduct business operations reliably and securely.

Conclusion

Arguably one of the biggest things that service providers would want to offer clients is a solution that can improve the ease of doing business. It’s these kinds of considerations that have brought about the legacy application support features that Windows 365 offers. They aim to improve accessibility and flexibility for businesses by enabling support for older software run on modern hardware without compatibility issues.

Because of this level of support as well as integration with existing infrastructure, businesses can boost productivity, improve security and efficiency, as well as minimize expenditure. All of these benefits should provide you with more than enough reason to think about making the migration to the cloud.

Microsoft Intune โ€“ A Comprehensive Design Guide

So much technological innovation is going on all around us that it can at times be overwhelming to keep up with everything. And mobile device management solutions are no different. Which of the solutions do you pick to ensure that your organization is using the best management solution? Difficult to say.

In fact, plenty of organizations opt for using multiple device management solutions at the same time. Although, there may be advantages to that, finding a single comprehensive solution to provide you with everything you need in a single package offers greater convenience. This is why Iโ€™ve decided to write this guide on Microsoft Intune, a solution that can optimize your IT operations to perform at unprecedented levels.

Before you begin

In the first blog of this Microsoft Intune series, I looked at the different stages of planning that youโ€™ll have to go through if you want to have a seamless adoption of Microsoft Intune in your organization. As one would expect, adopting any new technology will bring with it a few teething problems hence the need for a plan that covers as many potential scenarios as possible.

Getting started

Some of the key areas of consideration include:

  • Have your goals clearly itemized. This includes concerns about data security, device protection, access to organizational resources, and other objectives.
  • Creating a complete inventory of all the devices in your organization that will have access to company resources. So, this would include both organization-owned and personal devices as well as information about the platforms they are running.
  • Youโ€™ll also need to look at all potential costs and licensing. There will probably be some additional services and programs that youโ€™ll need so all these will need consideration.
  • You probably already have existing policies and infrastructure that your organization relies on. However, all these will require reviewing when thinking of moving to Intune. This is because you may need to develop some new policies.
  • With the above in place, you need to determine a rollout plan that has pre-defined objectives and can ensure that the rollout proceeds as smoothly as possible.
  • As you introduce Intune to your organization, you cannot ignore the value of communicating with your users. People in your organization need to understand what Intune is, what value it will bring to your organization, and what they should expect.
  • Lastly, itโ€™s crucial that you fully equip your IT support and helpdesk staff. You can do this by involving them in the adoption process from the early stages. Therefore, it enables them to learn more about Intune and gain invaluable experience. With the skills that they acquire, theyโ€™ll be able to play important roles in the full rollout of Microsoft Intune as well as help in the swift addressing of any potential issues that arise.

Design creation

After you go through your planning phase, you can start to look at creating a specific design for your organizationโ€™s Microsoft Intune setup. Coming up with a design will require you to review all the information already collected throughout the planning phase.

This is going to allow you to put together information on your existing environment. This includes the Intune deployment options, the identity requirements for external dependencies, the various device platform considerations, as well as the delivery requirements. One of the great things about Microsoft Intune is that you donโ€™t need to worry about significant on-premises requirements to use the service.

However, having a design plan is still a good idea because it allows you to have a clear outline of the objectives that you want to achieve so that you can be certain about choosing the management solution.

Assessing your current environment

A logical place for you to begin your planning is with your current environment. Having a record of this environment can help to further clarify where you currently are and what the ultimate vision is. This record can also serve you well during the implementation and testing phases. There you can make numerous changes to the design.

Recording the environment

There are several methods for recording your existing environment such as:

  • Identity in the cloud โ€“ you can note if your environment is federated. Additionally, you can determine MFA enabling. Also, which of Azure AD Connect or DirSync do you use?
  • Email environment โ€“ you need to record what email platform you currently use. Also consider if it is on-premises or on the cloud. And if youโ€™re using Exchange, for instance, are there any plans for migrating to the cloud?
  • Mobile device management solutions โ€“ youโ€™ll need to go over all the mobile device management solutions (MDM) currently in use. Also consider what platforms they support. Itโ€™s also important to note down which solutions youโ€™re using for corporate as well as BYOD use-case scenarios. Additionally, it’s useful to have a record of who in your organization is using these solutions, their groups, and even their use patterns.
  • Certificate solution โ€“ note whether or not you have implemented a certificate solution, including the certificate type.
  • Systems management โ€“ have a detailed record of how you manage your PC and server management. This, means you have to note what management platform you are using, whether itโ€™s Microsoft Endpoint Configuration Manager or some other third-party solution.
  • VPN solution โ€“ you should note what youโ€™re currently using as your VPN solution of choice. And if youโ€™re using it for both personal devices and organization-issued devices.

Note to consider

In addition to having a detailed record of your current environment, itโ€™s also important to not forget any other plans in the works. Or consider those on the docket for implementation. Especially if they could affect what you have already noted down in the record of your environment. For instance, your record could show that multi-factor authentication is off. Still, you could be planning to turn it on in the near future so youโ€™ll want to highlight this coming change.

Intune tenant location

The location where your tenant will reside is extremely important to decide before making the decision to subscribe to Microsoft Intune. And this is especially so for organizations that operate across different continents. The reason why itโ€™s so important to carefully think this through, is that youโ€™ll need to choose the country/region when you are signing up for Intune for the first time. After you have made your selection, you wonโ€™t have the option to change your decision later on. The regions that are currently available for selection include North America, Europe, the Middle East, Africa, as well as Asia and Pacific. ย 

External dependencies

When we talk about external dependencies, we are referring to products and services that are not part of the Intune package. But they may be part of the prerequisites to use Intune. In addition, they could also be elements that can integrate with Intune. Given how integral external dependencies may be to your use of Intune, youโ€™ll need to have a comprehensive list of any and all requirements. Make sure they’re for these products and services as well as the instructions for their configuration.

Below weโ€™ll look at some of the more common examples of external dependencies that you will encounter:

Identity

Simply put, identity gives us the element through which we can recognize all the various users that belong to your organization as well as those enrolling devices. If you want to use Intune then youโ€™ll need to be using Azure AD as your user identity provider. This comes with several advantages. One such benefit is enabling IT admins to enhance organizational security by controlling access to apps and app resources. Therefore, it’s easier to meet your access governance requirements. App developers will also benefit from the ability to leverage Azure AD APIs for creating personalized experiences using organizational data.

For those that are already using Azure AD, youโ€™ll get the added convenience of continuing with the current identity that you have in the cloud. Not only that, but you also get the added benefit of Azure AD Connect. This happens to be the ideal solution for synchronizing your on-prem user identities with Microsoft cloud services. For organizations that already have an Office 365 subscription, the best scenario would be to ensure that Intune also uses the same Azure AD environment.

User and device groups

These groups play an important role as they are responsible for defining who exactly the target of a deployment will be. This will also include profiles, apps, and policies. Itโ€™s therefore important to come up with the user and device groups that your organization will need. And the best way to go about this may be for you to start by creating these groups in the on-premises Active Directory. And then once you have done this you can proceed to synchronize to Azure AD.

Public key infrastructure (PKI)

The role of PKI is to provide users or devices with certificates that will enable secure authentication to various services. So, when considering adopting Microsoft Intune you should be aware that it supports a Microsoft PKI infrastructure. Mobile devices can provide device and user certificates, so you meet all certificate-based authentication requirements. However, before you proceed with the use of certificates, youโ€™ll need to verify a few things first:

  • Check whether or not you even need the certificates.
  • Check if certificate-based authentication provides support by the network infrastructure.
  • Lastly, you need to verify whether there are any certificates already in use in the existing environment. 

For some, they may need to use these certificates with VPN, Wi-Fi, or e-mail profiles with Intune. But to do that, you first need to check if you have a supported PKI infrastructure in place. It needs to be ready for the creation and deployment of certificate profiles. Furthermore, when it comes to the use of SCEP certificate profiles, you have to decide how to host the Network Device Enrollment Service feature. Not only that, but you also need to determine how to carry out any communication.

Pre-requisites for devices

As you proceed with your design plan for Microsoft Intune, youโ€™ll also need to turn your focus over to devices and the requirements. Expectedly, as with any management solution, there will be devices to consider. But there will also be platform considerations that will determine suitability for Intune management.

Device platforms and Microsoft Intune

One of the most important parts of the design plan is to consider the device platforms that will be supported by your chosen management solution. Therefore, before making the final decision about whether or not to go with Intune, you should create a complete inventory of the devices that will be in your environment. Then crosscheck whether or not they have proper support by Intune.

Understanding systems

The table below contains the supported configurations.

Operating systemsAndroid iOS/iPadOS Linux macOS Windows
Chrome OS  
Apple (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require iOS 14.x or later. The same requirement also applies to Intune app protection policies and app configuration.)Apple iOS 14.0 and later   Apple iPadOS 14.0 and later   macOS 11.0 and later  
Android (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require Android 8.x or later. However, for Microsoft Teams Android devices, support will continue so this requirement does not apply. And then for Intune app protection policies and app configuration delivered via Managed devices app configuration policies, the requirement is for Android 9.0 or higher.)Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: requirements)   Android enterprise: requirements   Android open source project devices (AOSP) supported devices RealWear devices (Firmware 11.2 or later)HTC Vive Focus 3  
Linux (Itโ€™s to be noted that Ubuntu Desktop already has a GNOME graphical desktop environment installed)Ubuntu Desktop 22.04.1 LTS with a GNOME graphical desktop environment.   Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment.  
Microsoft (Microsoft Endpoint Manager can still be used for the management of devices running Windows 11 the same as with Windows 10. Unless explicitly stated otherwise, assume that feature support that only mentions Windows 10 also extends to Windows 11. In addition, you should also note that configuring the available operating system features through MDM is not something that is supported by all Windows editions.)Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions) Windows 10/11 Cloud PCs on Windows 365 Windows 10 LTSC 2019/2021 (Enterprise and IoT Enterprise editions) Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode) Windows Holographic for Business Surface Hub Windows 10 Teams (Surface Hub)    
Microsoft Intune-supported web browsersMicrosoft Edge (latest version)   Safari (latest version, Mac only)   Chrome (latest version)   Firefox (latest version)  

Devices

By using Microsoft Intune, organizations can manage mobile devices more efficiently in a way that can enhance the security of organizational data. This means that the risk of malicious activity is reduced. And users can thus work from a greater number of locations. One of the greatest benefits of device management solutions such as these is that they can be both cost-efficient and convenient. This is because they support a wide variety of device types and platforms.

As a result of this, organizations are less likely to need to invest in new devices. And users can utilize the personal devices they already own in BYOD scenarios. With all this, however, itโ€™s even more important for you to come up with a comprehensive template detailing what device types, OS platforms, and versions you will allow to have access to your organizationโ€™s resources.

Device ownership

As already mentioned, Microsoft Intune offers support for a wide variety of devices. And these devices can either be personal or organization-owned. When devices are enrolled via a device enrollment manager or a device enrollment program, they fall under the category of organization-owned devices. So, for instance, all devices that you enroll using the Apple Device Enrollment Program will categorize as organizational devices. Subsequently they will add to the device group, which will receive organizational policies and applications.

Bulk enrollment

As an organization, when enrolling a large number of devices into Intune, the process is simplified by the availability of a bulk enrollment feature. This feature provides you with a quick and easy way of setting up a large number of devices for management. A few use case examples. These include setting up devices for large organizations, setting up school computers, and setting up industrial machinery, among others. Intune has different ways to process the bulk enrollment of devices so youโ€™ll need to determine which method fits best with your Intune design plan. ย 

Design requirements and Microsoft Intune

When making the design considerations, there are specific requirements youโ€™ll need to look at for the Intune environment that you want to establish. There may be instances that require you to make adjustments to the general advice that you get concerning Intune deployment.

It’s essential to ensure that certain capabilities will meet the requirements for the use cases needed for your organization. These features include configuration policies, compliance policies, conditional access, terms and conditions policies, resource profiles, and apps.

Microsoft Intune Configuration policies

You can use configuration policies for the management of the security settings on devices in Intune in addition to the features, as well. Itโ€™s important that you design configuration policies that follow the configuration requirements by Intune devices. And the necessary information to design your configuration policies in this manner are in the use case requirements section. This enables you to note the settings and their configurations. Not only that, but youโ€™ll need to make sure to verify to which users or device groups to apply certain configuration policies. The various device platforms that you use will need to have at least one configuration policy assigned to them or even several whenever the situation calls for it.

Compliance policies and Microsoft Intune

These types of policies are responsible for establishing whether devices are complying with the necessary requirements. Therefore, determining whether or not a device is compliant becomes a significantly easier matter for Intune. And this is very important because it allows for devices to categorize as either compliant or non-compliant. And that status can then determine which devices are given access to the organizationโ€™s network and which ones to restrict.

Furthermore, if you intend on using Conditional Access, then it will probably be in your best interests to create a device compliance policy. Before you can decide on your device compliance policies, you may again want to refer to the use cases and requirements section. This will provide you with the necessary information concerning the number of device compliance policies youโ€™ll require. It will also help you decide which user groups youโ€™ll be applying them. Lastly, you need to have clearly defined rules. These will detail how long devices are allowed to remain offline before they move to the non-compliant list.

Conditional Access for Microsoft Intune

Conditional access plays the role of enforcer for your organizationโ€™s policies on all devices. That means that if any device fails to comply with your requirements, conditional access measures can implement. They will prevent them from accessing organizational resources such as email. When it comes to Intune, youโ€™ll also benefit from its integration with Enterprise Mobility + Security. This will give your organization better protocols to control access to organizational resources. So, when it comes to your design plan you still need to look at Conditional Access. You’ll also decide whether or not you need it and what youโ€™d want to secure with it.ย 

Terms and conditions

Terms and conditions are essential for determining your organizationโ€™s requirements for any users that want access to the network. This is especially important in BYOD scenarios where some users may not be willing to meet those conditions. So, by establishing terms and conditions, your organization can give users an ultimatum if they want to access the organizationโ€™s resources. With Intune, you also get the option to add and deploy several terms and conditions to your user groups.

Profiles

Profiles play a key role by enabling the end user to connect to company data. To cater to the multiple scenarios that your organization may encounter, Intune provides several types of profiles. The information that you need, concerning the timeline for the configuration of the profiles, is obtainable by going through the section on use cases and requirements. Planning is easier because youโ€™ll find all the device profiles grouped according to platform type. Profile types that you need to know about include email profiles, certificate profiles, VPN profiles, and Wi-Fi profiles.

Email profile

Email profiles are responsible for several capabilities. These include reducing the workload of support staff and enabling end-users with access to company email on their personal devices. Email clients will automatically set up with connection information and email configuration. Moreover, all this can be done without users having to perform any setup tasks. So this will ultimately improve consistency. However, not all of these email profiles will have support, on all devices.

Certificate profiles

Certificate profiles are the elements that enable Microsoft Intune to provide certificates to users or devices. The certificates that Intune supports include Trusted Root Certificate, PFX certificate, and Simple Certificate Enrollment Protocol (SCEP). For SCEP, all users who will receive it are going to need a trusted root certificate. This is because the latter is a requirement for SCEP certificate profiles. So, before you proceed make sure to have a clear idea of the SCEP certificate templates that youโ€™d like to use. Your design plan should include a record of the user groups that require certificates. It should also include the number of certificate profiles needed, and to which user groups theyโ€™ll be targeted.

VPN profiles

Virtual private networks enable internet users to have secure access from almost any location across the globe. And using VPN profiles achieves the same thing for your organizationโ€™s users. They will be able to have secure access to the organizationโ€™s networks even from remote locations. Furthermore, Intune widens the options available to you by supporting VPN profiles from native mobile VPN connections and third-party vendors.

WiFi profiles

Wi-Fi profiles are important tools that enable your mobile devices to automatically connect to wireless networks. Using Intune, you can deploy Wi-Fi profiles to the various supported platforms. The device platforms that Wi-Fi profiles support include Android 5 and newer, Android Enterprise and kiosk, Android (AOSP), iOS 11.0 and newer, iPadOS 13.0 and newer, macOS X 10.12 and newer, Windows 11, Windows 10, and Windows Holographic for Business.

Microsoft Intune Apps

When using Intune, youโ€™ll have the option to deliver apps to users or devices using any number of different ways. The apps that you can deliver cover a wide range including apps from public app stores, managed iOS apps, software installer apps, as well as external links. Moreover, this capability extends beyond individual app deployments. Youโ€™ll also be able to manage and deploy volume-purchased apps that you may have obtained from volume-purchase programs for both Windows and iOS.

App type requirements

Your design plan needs to include clear details regarding the types of apps that you will allow Intune to manage. This is especially necessary when you consider how apps deploy to users and devices. Information that you should consider for your criteria includes whether or not these apps will require integration with cloud services as well as the deployment measures youโ€™d like to use.

You also need to decide if youโ€™ll be availing these apps to employees using their personal devices and if users will need to have internet access to use the apps. Additionally, you need to verify if your organizationโ€™s partners will require you to provide them with Software-As-A-Service (SaaS) app data. Lastly, you need to check the availability of these apps to see if they will be available publicly in app stores or if they will be uniquely custom line-of-business apps.   

App protection policies

These policies intend to safeguard your organizationโ€™s data by keeping it secure or contained in a managed app. Generally, these policies are rules that go into play when users try to access or move your organizationโ€™s data. These rules may also be enforced if users try to engage in actions that are prohibited or monitored when users are inside the app.

Therefore, you can reduce the risk of data loss because of how apps are set up to manage organizational data. Any app that can function with mobile app management will receive app protection policy support from Intune. It will be up to the organization and the team of admins to determine what restrictions youโ€™d like to place on your organizationโ€™s data within certain apps.

Setting up Microsoft Intune

When you have your design plan in place, then you can begin looking at setting up Microsoft Intune for your environment. To do that, there will be a few things that you need to consider.

Requirements for Microsoft Intune

The first thing you need to have is an Intune subscription and the license for this is offered as a stand-alone Azure service. It is a part of Enterprise Mobility + Security (EMS) and is included with Microsoft 365. From your design plan, youโ€™ll have a better idea of what the goals of your organization are and you may end up choosing Microsoft 365 because it comes with all of Microsoft Intune, EMS, and Office 365 apps.

Current status

If your organization doesnโ€™t have any MDM or MAM solutions that it is currently using then Intune is probably the best choice for you. Especially if a cloud solution is what you want and then youโ€™ll also benefit from features like Windows Update, configuration, compliance, and app features in Intune.

You can add Endpoint Manager admin center as well to the list of benefits that will be availed to you. Something that does need to be mentioned is that organizations that use more than one device management solution should consider using only a single one.

And if youโ€™ve been using MDM providers such as MobileIron, Workspace ONE, and MaaS360 youโ€™ll still have the option to move to Intune. This will come with a significant inconvenience, however, because before users can enroll their devices in Intune, they will have to unenroll their devices from the current management platform.

Before you make the move to Intune, youโ€™ll need to note in your design plan all the tasks youโ€™ve been running and the features you need so that you know how to proceed with setting up Intune. Unenrolling devices from your current MDM solution not only presents a challenge but makes devices temporarily vulnerable.

This is because while they are in that unenrolled state, they stop receiving all your policies thus security is compromised. By using conditional access, you can block unenrolled devices until they complete their enrollment in Intune.

You should plan to implement your deployment in phases that start with small pilot groups so that you can monitor the success of your approach. If all goes well you can then proceed with a full-scale deployment. Furthermore, those who currently use Configuration Manager and would like to move to Intune can use the options below:

Add tenant attach

This option offers you the simplest way to integrate Intune with your on-prem Configuration Manager setup. By leveraging this option, you can upload your Configuration Manager devices to your organization in Intune. And then once your devices are attached, youโ€™ll be able to use Microsoft Endpoint Manager admin center to run remote actions including user policy and sync machine.

Set up co-management

With this option, Intune will be used for some workloads and Configuration Manager for others. You need to first navigate to Configuration Manager and then set up co-management. And then you proceed to deploy Intune and that also includes setting the MDM Authority to Intune. Once all this is done, devices will now be ready to be enrolled and receive the necessary policies.

Moving to Microsoft Intune from Configuration Manager

This may not happen often because Configuration Manger users tend to want to stay on this platform. However, making the move is possible if you decide that a 100% cloud solution is what you are looking for. Youโ€™ll need to first register existing on-prem Active Directory Windows client devices as devices in Azure AD. Then, you proceed to move your existing on-prem Configuration Manager workloads to Intune. Using this method would be good for providing you with a more seamless experience for existing Windows client devices but the downside is that it will be more labor-intensive for your admins.

And if weโ€™re looking at new Windows client devices then you would be better off starting from scratch with Microsoft 365 and Intune:

  • Start by setting up hybrid Active Directory and Azure AD for the devices. Devices that are Hybrid Azure AD joined will be joined to your on-prem Active Directory as well as registered with your Azure AD. Having devices in Intune helps to safeguard your organization from malicious activity because these devices can receive your Intune-created policies and profiles.
  • Go to Configuration Manager and set up co-management.
  • Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
  • Youโ€™ll also need shift all workloads from Configuration Manager to Intune in the Configuration Manager section.
  • With all this done, you can go ahead and uninstall the Configuration Manager client on the concerned devices. This is something that can be done by creating an Intune app configuration policy that can perform the uninstallation once Intune has been set up.

Start from scratch with Microsoft 365 and Microsoft Intune

You can only use this approach for Windows client devices, so for those Windows Server OSs, Configuration Manager will be the option you have.

  • Deploy Microsoft 365, including creating users and groups.
  • Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
  • The Configuration Manager client will need to be uninstalled on all existing devices.

Microsoft Intune Deployment

The steps to follow for your Microsoft Intune deployment are given below:

  • Navigate to Endpoint Manager admin center and sign up for Intune.
  • Set Intune Standalone as the MDM authority.
  • Next, you need to add your domain account because if you donโ€™t your-domain.onmicrosoft.com is what will be used as the domain.
  • Add users and groups that will receive the policies you create in Intune.
  • Users will then need to be assigned licenses and once that is done, devices can enroll in Intune.
  • The default setting allows all device platforms to enroll in Intune so if there are platforms that youโ€™d like to block youโ€™ll need to create a restriction.
  • You need to customize the Company Portal app so that it has your company details.
  • Come up with your administrative team and assign roles as necessary. 

Windows 365 management and Microsoft Intune

Microsoft Intune not only manages your physical devices but will also play a key role in the management of your Windows 365 Cloud PCs. All you need to sign in is to head over to the Microsoft Intune admin center. This is where youโ€™ll find the landing page for managing your Cloud PCs which is known as the Overview tab. Once signed in, go to Devices > Windows 365 (under Provisioning). In this section, you get a quick overview of the state of your Cloud PCs including the Provisioning status which summarizes the state of Cloud PCs in your organization, and the Connection health which summarizes the health of the Azure network connection in your organization.

All Cloud PCs page

On this page, youโ€™re going to find a summary as well as a list view that will give you all the necessary information you need to know about the status of all the Cloud PCs in your organization. To make the task easier for you, the list view is refreshed every five minutes and allows you to search, filter, and sort. Additionally, there will be multiple Cloud PCs given to those users that have been assigned multiple Windows 365 SKUs. And what this means is that in the All Cloud PCs list view you will see multiple rows dedicated to a single user.

Column details

NameA combination of the assigned provisioning policy and the assigned userโ€™s name will provide the name of the Cloud PC.
Device nameWindows computer name.
ImageSame image used during provisioning.
PC typeThe userโ€™s assigned Windows 365 SKU.
StatusProvisioned: provisioning successful and user can sign in. Provisioning: still in progress. Provisioned with warning: warning is flagged in case of failure of a non-critical step in the provisioning process. Not provisioned: user has been assigned a Windows 365 license but not a provisioning policy. Deprovisioning: Cloud PC going through active deprovisioning. Failed: provisioning failed. In grace period: users with current Cloud PCs are placed in this state when a license/assignment change occurs for them. Pending: this happens when a provisioning request cannot be processed because of a lack of available licenses.
SUserUser assigned to the Cloud PC.
Date modifiedTime when last change of state of the Cloud PC occurred.
Third-party connectorWhen you have third-party connectors installed and currently in use on Cloud PCs, the connector provider is displayed as well as the connector status.

Remote management

Your organization can take advantage of the Microsoft 365 admin center to remotely manage your Windows 365 Business Cloud PCs. There will be several remote actions available to you but to access them you need Azure AD role-based access roles, either Global administrator or Windows 365 administrator. Once you have one of those two roles assigned, youโ€™ll have several methods you can use for Cloud PC management including:

  • Windows365.microsoft.com
  • Microsoft 365 admin center
  • Microsoft Intune (on condition that you have all the necessary licenses)
  • Microsoft Graph

Cloud PC management design options

When it comes to the design options for Cloud PC management, there will be three options that we are going to look at:

Option 1 (Windows 365 Azure AD Joined + hosted in Microsoft Network)

Microsoft Intune

  • Cloud PCs are hosted in the cloud (Microsoft Hosted Network) and managed in the cloud (Intune)
  • Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
  • Eliminates customer constraints
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably address Cloud PC remote management needs

Co-Management

  • This is optional and allows you to bring your on-premises device management solution MECM for Option 1
  • Requires MECM + Cloud Management Gateway
  • Depends on customer device management on-premises environment
  • Some considerations before managing Cloud PCs include: Azure subscription and on-premises infrastructure, deployment and configuration of a CMG as well as a public SSL certificate for this CMG, enable Co-Management in Configuration Manager, and more.ย 

Option 2 (Windows 365 Azure AD Joined + hosted in Customer Network)

Microsoft Intune:

  • Cloud PCs are hosted in the Customer Network and managed in the cloud
  • Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
  • Eliminates customer constraints
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably address Cloud PC remote management needs

Co-Management

  • This is optional and allows you to bring your on-premises device management solution MECM for Option 2
  • Requires MECM. Cloud Management Gateway is optional
  • Depends on customer device management on-premises environment
  • Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of Intune to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.ย ย 

Option 3 (Windows 365 Hybrid Azure AD Joined + hosted in Customer Network)

Co-management:

  • Cloud PCs are hosted in the Customer Network and managed by the customer (Co-Management)
  • Cloud PCs are enrolled as Hybrid Azure AD joined and managed by Co-Management
  • Requires MECM
  • Depends on customer device management on-premises environment
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably address Cloud PC remote management needs
  • Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of MECM to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.ย ย 

Microsoft Intune

  • This is optional and if you donโ€™t have a MECM environment you can use Intune as your Cloud PC device management solution for Option 3          
  • Some considerations for this option include: configuration of Azure AD Connect for Hybrid Domain Joined, Hybrid Azure AD Joined Cloud PCs need to be directly attached to an on-premises AD environment, for device management the Active Directory environment will depend on Group Policy Objects.

Wrap Up About Microsoft Intune

Device and application management can prove to be a very challenging task to get right for a lot of organizations. Finding the right solution that can streamline application use across your organizationโ€™s devices without breaking the bank would be a dream for any organization. You also want a platform that can increase the productivity levels of your IT staff by minimizing the complexity of device management and by extension reducing the time spent on device management.

With Microsoft Intune, you can get this and plenty more. This MDM and MAM solution will enhance the security of your organization by establishing strict access protocols for your organizationโ€™s resources. This means greater protection at a time when endpoints are increasingly a vulnerable point for malicious attacks. Intune can provide you with peace of mind while providing an effective management platform that can vastly improve the way your organization operates. 

Reduce Your Carbon Footprint with Windows 365

The state of the environment is a massive topic of discussion all across the globe. Whether it’s in meetings bringing together world leaders or at business summits, the issue of how to reduce our impact on the environment is regularly on the agenda. This responsibility doesn’t fall solely on the shoulders of politicians but on those of business leaders as well.

And when it comes to the IT industry, there is a great need to consider adopting more sustainable solutions. This is because of how this sector has contributed to carbon emissions from data centers, computing devices, and more. Hence the need for a solution like Windows 365.

With this service, customers get a cloud-based virtual desktop infrastructure solution designed to help reduce their carbon footprint. So, with that in mind, let’s take a look at how Windows 365 can help you to operate more sustainably.

Energy Efficiency Features of Windows 365

To help various businesses meet their sustainability goals and reduce their carbon footprint, Microsoft has created several features for Windows 365. In this section, we’ll discuss some of those key energy efficiency features.

Cloud-Based Infrastructure

Many businesses envision attaining net-zero sustainability for their operations. Although this is a very ambitious goal, it is not out of reach with solutions like Windows 365. You only have to go through the Microsoft report on the carbon benefits of cloud computing to see how this may be possible.

According to that report, the Microsoft cloud can be anywhere between 22% and 93% more efficient than traditional data centers depending on the comparison. And this would undoubtedly be something that can contribute massively to help reduce your carbon footprint.

The most obvious area where you will see these benefits is with reduced energy consumption. On-premises data centers require a lot of energy to not only power them but cool them as well. So, by leveraging shared cloud infrastructure, such as what Microsoft is offering, you can put yourself in a great position to attain your net-zero targets.

Windows 365’s cloud-based virtual desktops also encourage remote work, and this is something that can potentially reduce transport emissions. Cloud PC users can work from anywhere without being restricted by location.

Dynamic Provisioning

Running a business efficiently requires you to have the computing resources you need at all times to maximize productivity. This is something that Windows 365 values greatly to adequately meet all customers’ needs. With the availability of dynamic provisioning, businesses can easily provision and de-provision virtual desktops as needed.

As you can imagine, this will help you to run your business more efficiently because you do not need to retain any resources that are in excess of requirements. However, if the need for more computing resources arises, you can add more Cloud PCs quite easily.

When running your own data center, you won’t necessarily have the same flexibility to increase or decrease your computing resources with the same ease. And this can be very costly not only financially but in terms of carbon emissions as well. A business with a larger data center than it needs will find it a lot more difficult to meet its sustainability goals. And it may actually increase its carbon footprint.

Automatic Scaling

The business environment can change very suddenly, and organizations need to have solutions available that can help them swiftly adapt. Windows 365 offers businesses automatic scaling to help improve how efficiently they can run their IT operations.

When we talk about scaling, we are simply referring to the ability to increase or decrease computing resources as needed. Because businesses are trying to implement measures to reduce their carbon footprint, having an automatic scaling feature available goes a long way to simplifying that task.

Windows 365 can automatically adjust the computing resources that virtual desktops have access to depending on their various usage needs. By automating this process, Cloud PC users can be more productive. This is because they will have the resources they need when they need them. In addition, by not over-provisioning computing resources, businesses can minimize energy waste. And this moves you closer toward running sustainable operations.

Power Management

The unfortunate reality is that there are plenty of businesses that waste power and are not even aware of it. Consequently, this means that you are unnecessarily spending more as well as increasing your carbon footprint.

Around offices, it’s not uncommon to see devices that are always on, regardless of whether or not they are in use. Some people won’t or may not even know how to set their devices to switch off after a certain amount of idle time.

Fortunately, for Cloud PC users, this is something that you will get assistance with. Windows 365 has power management capabilities that are designed to help businesses minimize the wastage of resources.

By enabling you to automatically power off virtual desktops that are not currently in use, you can easily reduce your energy consumption. This feature gives you an essential management solution. And it can be key to how you monitor energy use within your business.

Benefits of Windows 365’s Energy Efficiency Features

The energy efficiency features discussed in the previous section have several benefits that can be of great importance to your business. These include:

Reduced Energy Consumption

Every business wants to improve how it runs its operations and ultimately improve productivity. And one of the best things about putting in place measures to reduce your carbon footprint is that it allows you to pinpoint inefficiencies in your organization. Addressing issues such as wastage of energy will help create savings that can be invested in other areas.

Other features, such as automatically powering off idle devices, allow you to better assess energy use in your business. This may be an important determining factor if your business is considering scaling your computing resources.

Something else that businesses can benefit from operating more sustainably is increased brand equity. We find that in some studies, 55% of consumers have indicated a preference for products made by businesses that have implemented sustainable practices.

Therefore, reducing your carbon footprint will not only help you to meet your sustainable objectives, but it can boost business as well. And if that is not enough, then you also need to consider current and potential future legislation that may affect your business.

As mentioned earlier, climate change is a hot topic at all different levels. So a lot of regulations are changing, and you may risk finding yourself non-compliant.

Lower Operating Costs

Even if the climate change discussions aren’t something that you are particularly interested in, you cannot ignore solutions that may potentially lower your operating costs. With that in mind, the energy efficiency features of Windows 365 are certainly worth a look.

By providing you with a cloud-based virtual desktop environment, Windows 365 allows you to save costs on purchasing and refreshing devices for your employees. As long as an individual has a device with a modern browser, they can access their Cloud PC relatively easily from any location.

This increased flexibility will also boost operational efficiency and can potentially improve productivity. Additionally, with capabilities such as dynamic provisioning, your business constantly has the resources to operate optimally.

You don’t need to worry about paying for more than you need. This is because if your computing resources become inadequate, you can always scale up. Another recent update that will help reduce costs is the introduction of Windows 365 Frontline. This latest update allows users to share Cloud PCs, which is particularly beneficial for employees that work in shifts.

Improved Scalability

Scalability can prove to be a major challenge for businesses that operate their own data centers. Not only can this be a complex affair, but it’s often very costly. Windows 365 is built to simplify scalability for businesses, regardless of size.

You can easily provision or de-provision virtual desktops as and when they are needed. Having this capability means that scaling up or down your computing resources becomes a quick and easy solution without significant costs. It also means that whatever happens in your section of the market, you’ll be well-placed to swiftly adapt and gain an edge over other companies.

This can also help you grow your profits significantly, especially when compared to other businesses that may face huge costs when scaling. Furthermore, this improved scalability is great for smaller businesses that need to grow at a pace that does not compromise the quality of service.

Windows 365 has a subscription option targeted at smaller businesses that can be scaled up as operations expand. Taking advantage of a system like this is an excellent choice for the long-term because it is going to promote customer loyalty. Whenever you experience an increase in traffic, you can manage it efficiently while still delivering excellent service.

Increased Productivity

Using cloud-based virtual desktops allows more businesses access to technologies that were in the past only available to a few. The degree of accessibility and flexibility that Windows 365 provides enables businesses to run more efficient operations.

In addition to that, Cloud PC users can collaborate with greater ease from anywhere across the world on any number of projects. With the ease with which employees can do this, your business may experience higher levels of productivity.  No longer do you have to contend with the restrictions that often come with working from static locations.

Automation has been a game-changer for users of cloud-computing technologies. Businesses can stop being concerned about a lot of daily tasks that consume time that may be used more productively.

By automating tasks such as scaling, power management, and updates, among others, IT personnel have less to deal with. They can contribute more to core business activities. Moreover, the Windows 365 automation features are crucial in helping to minimize costly errors that compromise efficiency. Virtual desktop users also benefit from the improved data security and disaster recovery measures provided by cloud computing services. Because of this enhanced degree of protection, there is a huge boost in the ease of doing business.

Environmental Responsibility

Cloud computing services are meant to reduce your carbon footprint, minimize emissions, and promote the use of greener energy sources. When you look at large-scale data centers, such as what Microsoft offers, you’ll find that they mostly run on renewable energy sources.

Therefore, businesses that are intent on switching to more sustainable operations can leverage solutions like Windows 365. Using this service also means that your business can reduce what it spends on new devices because most employees will be able to access their Cloud PCs on the devices they currently own.

In the long term, this will create significantly less electronic waste and keep you on track to reaching net-zero sustainability. Similarly, the use of the Microsoft cloud and enhanced power management capabilities means that businesses can start to reduce energy consumption.

Even though many may not see it, utilizing these features can be instrumental to reducing your carbon footprint. Coupled with all this, the ability to work remotely can further reduce emissions by limiting how much commuting employees will need to do and also reducing the need for massive corporate offices.

Conclusion

Cloud computing services are playing a massive role in helping enterprises to operate more efficiently and introduce more sustainable solutions. Service providers like Microsoft run large-scale data centers far more efficiently than the average business. As a result of this, businesses using Windows 365 get a solution that allows them to reduce their carbon footprint overall and contribute to a greener planet.

Users of this service get several energy efficiency features such as cloud-based infrastructure, dynamic provisioning, automatic scaling, and power management. These are going to allow businesses to utilize more sustainable options, reduce operating costs, and become more environmentally responsible. Undoubtedly, if we are to have a better future and create a greener planet, everyone will need to play their part.

Your Windows 365 Questions Answered

A lot of progress has taken place in the domain of cloud computing over the last few decades. And it’s not surprising just how much the technology evolution is out there when you consider the way a lot of businesses operate in modern times. Leveraging the best technology on the market can be integral to the success of your business.

But, businesses like yours also need to be able to do so without breaking the bank. This is why the “as-a-service” sector is thriving. Organizations have access to all the resources they need for significantly less than what it would cost for an on-premises infrastructure.

Seeing the need to ensure clients can get even better service is why Microsoft brought us Windows 365. It’s design revolutionizes what you can get from a desktop-as-a-service platform. Today we’ll be going over the most frequently asked questions about Windows 365. So you can discover how it can benefit your business model.

What exactly is Windows 365?

The best place to start is with questions about definitions. A lot of people have heard about Windows 365. But not everyone understands its capabilities and purpose. Familiarity exists especially because Microsoft also announced Windows 11 in 2021.

Initially, there is some confusion about the two Windows solutions. However, these two are completely different products. Unlike Windows 11 which is an operating system that you install on your device, Windows 365 is a cloud-based service. The latter creates Windows virtual machines for your end users. It is these virtual machines that Microsoft calls Cloud PCs.

So the goal for Windows 365 is to enable business clients to access these Cloud PCs from anywhere. As mentioned above, Microsoft wants the Windows 365 Cloud PC to be the next step in the evolution of desktop-as-service.

Using Windows 365, clients can access their ‘desktops’ on devices running macOS, iOS, Linux, and Android. Ultimately, this means that Microsoft will no longer provide the operating system only. Now it will now be offering ersatz hardware with Windows virtual machines running on its Azure servers. Microsoft CEO Satya Nadella had this to say:

Just like applications were brought to the cloud with SaaS, we are now bringing the operating system to the cloud, providing organizations with greater flexibility and a secure way to empower their workforce to be more productive and connected, regardless of location.”

Each Cloud PC created will then be assigned to an individual user and thus becomes their dedicated Windows device. Clients will also be able to benefit from the productivity, security, and collaboration provided by Microsoft 365.

As for accessing your Cloud PC, it’s a simple matter of navigating to the Cloud PC website. From there, users sign in using any modern browser. Alternatively, you can also use Microsoft’s Remote Desktop app.

What’s different about Windows 365?

For businesses that already have experience with various VDI platforms, you may rightly be wondering how Windows 365 is different from all the other platforms out there. For starters, simplicity. That’s what Microsoft is aiming for with the Windows 365 service.

When you consider traditional VDI platforms, you’d be looking at setting up servers, installing the necessary applications, and then giving users access. Windows 365 just about eliminates all of the above.

By offering you a Cloud PC, this means that Microsoft alone will take care of the virtualization. Ultimately this will make the deployment of operating systems a lot faster. Moreover, you won’t have to deal with the hassle of hardware and software configurations.

The automation of the various processes also means that there is no need for additional VDI expertise or resources. Microsoft will ensure that you can scale the service as necessary to meet your organization’s needs. And as organizations start to reap the benefits of a highly productive remote workforce, the need for a solution like Windows 365 grows even more.

The ability to customize and provision a desktop based on the usersโ€™ needs is beneficial. It means that for the most part, it doesn’t really matter what device an individual is using. It also doesn’t matter whether it’s a corporate-owned device or a personal one. The security measures that come with Windows 365 ensure that end-users can securely access corporate resources on personal devices.

How much will it cost me?

Microsoft’s Windows 366 Cloud PC service provides clients with a range of different fee options. This ensures there is flexibility available for different enterprises. From the small company, only needing a handful of PCs, to the larger enterprises that may require unlimited options, there’s an affordable solution for everyone.

The pricing ranges starts at $20 per user per month for the lowest-end SKU. Fees can go up to $162 per user per month for the most expensive setup.

Clients will also notice that unlike with the consumption-based pricing model that you get with Azure Virtual Desktop, Windows 365 gives you fixed monthly subscriptions. And if you need to scale, then you have the option to choose a different subscription, as well.

For the Windows 365 Business edition, the $20 per user per month fee is going to get you a single virtual core, 2GB of RAM, and 64GB of storage. Although you will require Windows Hybrid Benefit, which is Microsoft’s Bring-Your-Own license model that helps clients apply existing (or new) licenses toward the cost of a product.

Otherwise, if you don’t have Windows Hybrid Benefit then the cost goes up to $24 per user per month. At the other end of the spectrum, clients will be able to purchase the Business SKU that offers eight virtual cores, 32GB of RAM, and 512GB of storage for $158. And similarly to the previous one, without Windows Hybrid Benefit the cost goes up, this time to $162.

Clients that need the Windows 365 Enterprise edition will also have a similar range of pricing. At the lower end, you’ll get a single virtual core along with 2GB of RAM and 64GB of storage for the same $20. However, if your computing needs are a lot greater, then you can choose the option that offers eight virtual cores, another 32GB of RAM, and 512GB of storage at a cost of $158 per user per month.

What about licensing?

Licensing for services similar to Windows 365 is typically where things start to get complicated, and expensive. Although Windows 365 will not attract everyone, Microsoft has tried to make their offering reasonably accessible.

Both Windows 365 Enterprise and Windows 365 Business are going to provide a complete cloud-based offering with multiple Cloud PC configurations depending on the needs of the various organizations.

Clients will be able to buy Windows 365 as a separate license per user for a fixed monthly fee to access and use each Cloud PC. However, in some cases, you may incur additional costs based on your network usage.

Windows 365 Enterprise

For this edition of Windows 365, clients can make their purchases directly from Windows365.com or from their account representative. After this, you can then proceed to provision and manage your Cloud PCs using the fully integrated Microsoft Endpoint Manager.

It’s also worth noting that before an individual can use Windows 365 Enterprise, they need licensing for the following: Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1. Even though these licenses can be available separately, you’ll also find them included in:

  • Microsoft 365 F3,
  • Microsoft 365 E3,
  • Microsoft 365 E5,
  • Microsoft 365 A3,
  • Microsoft 365 A5,
  • Microsoft 365 Business Premium,
  • Microsoft 365 Education Student Use Benefit subscriptions.

So for those who are interested in using Windows 365 Enterprise, but don’t meet the licensing requirements, head over to the Windows 11 Enterprise page or the Microsoft 365 page. There is more information there, along with the ability to purchase the ideal plan to meet your needs.

Windows 365 Business

Similar to the above, clients interested in purchasing Windows 365 Business can also do so directly from Windows365.com. Upon purchase, you can then set up your account without a domain. As for provisioning and management of the Cloud PCs, you can do that directly from the Windows 365 homepage on the web.

Moreover, clients should be happy to note that there are no additional licenses that will be required with only your credit card necessary to get you started. If you’re already a client of Microsoft 365, the purchase will complete through the Microsoft 365 admin center. All you simply need to do is get in touch with your global administrator. Alternatively, your billing administrator can assist in completing the purchase.

What are the device requirements?

One of the major benefits Microsoft intends to provide businesses is a reduction in IT costs, especially related to hardware. Because Windows 365 is essentially PC hardware that runs in the cloud, the importance of your actual physical device is significantly less. As long as you have an internet connection, you’ll be able to operate a reasonably powerful Windows PC. And you can do so using just about any device.

Accessing this Cloud PC is easy. You can use any modern browser or the Remote Desktop app. A setup like this is going to be extremely beneficial for organizations, too. More specifically, it’s a game-changer for those with a sizeable remote or seasonal workforce.

Additionally, your organization won’t need to make a massive investment in hardware for all those employees. Even better is the fact that they’ll be able to easily access these Cloud PCs anywhere, without losing any progress.

In short, all Windows 10 and Windows 11 devices are expectedly going to be compatible with Windows 365. The best part, however, is that clients will be able to easily stream a Windows 365 session to hardware running macOS, iPadOS, Linux, and Android.

However, for the best experience, Microsoft recommends devices that have a traditional keyboard and mouse. For the most part, as long as your device has an HTML5 browser and a DSL connection or a wireless internet connection capable of streaming a video, you will be just fine. The amount of bandwidth that you’ll need, however, will depend on your workload.

Which configuration is right for me?

Choosing the right configuration for your business is going to be key. If you want to get the most out of Windows 365, you’ll need to understand your needs. After all, you don’t want to select a configuration that eventually proves incapable of meeting your computing load.

But, you also don’t want to pay for access resources that you do not need. The best way choose is to get in touch with Microsoft Support. From there, you can get advice on how best to set up your environment.

However, there are some examples that we can look to get a good idea of what you may require:

  • 1vCPU/2GB/64GB – the first configuration is ideal for call centers, frontline workers, and education/training/CRM access.
  • 2vCPU/4GB/64GB – in this scenario, the offer is ideal for short-term and seasonal users, those working from home, customer services, mergers and acquisitions, and Bring-Your-Own-PC situations.
  • 2vCPU/4GB/128GB – suits the same scenarios as above.
  • 2vCPU/4GB/256GB – also suits the same scenarios as above.
  • 2vCPU/8GB/128GB – ideal for market researchers, working from home, Bring-Your-Own-PC scenarios, and government consultants.
  • 2vCPU/8GB/256GB – suits the same scenarios as the previous configuration.
  • 4vCPU/16GB/128B – ideal for Bring-Your-Own-PC scenarios, working from home, healthcare services, government consultants, and finance.
  • 4vCPU/16GB/256GB – same as previous configuration.
  • 4vCPU/16GB/512GB – same as previous configuration.
  • 8vCPU/32GB/128GB – ideal for content creators, engineers, software developers, and design and engineering workstations.
  • 8vCPU/32GB/256GB – same as previous configuration.
  • 8vCPU/32GB/512GB – same as previous configuration.

Is it the same as Azure Virtual Desktop?

Any business that has previously considered cloud-based solutions will be aware that Microsoft already has another service that it offers called Azure Virtual Desktop (AVD). There are probably plenty of businesses that already use AVD. So understandably they would want to know the advantages of switching. Or is Windows 365 the same as Azure Virtual Desktop?

The simple answer is no. These two products are quite different. Although they do have several similarities. For starters, both of them aim to give clients the latest in what cloud technology has to offer.

This means you’ll have high-end security features, a flexible work environment, and premium remote work experience. And you’ll get this at a relatively affordable price. There are some differences, however. AVD is a cloud VDI that customizes the infrastructure of clients and also manage the resources that support the virtualized infrastructure.

On the other hand, Windows 365 gives you a fully managed desktop-as-a-service solution. It offers you the great Windows experience that you have to come to expect. All without having to deal with the management of infrastructure.

Technical features

When it comes to the technical side of things, there are several differences that you need to know for you to decide which service is right for your business. Some of the differences are as follows:

  • Design – Windows 365 has been designed to be simple and easy to use whereas AVD has been designed more for flexibility.
  • Desktop – clients get personal desktops for Windows 365 and AVD (single session). For AVD (multisession) there are pooled desktops.
  • Pricing – the pricing structure for AVD follows a consumption-based model whereas Windows 365 offers a fixed per-user per-month pricing.
  • Subscription – subscriptions are customer-managed for AVD and fully Microsoft-managed for Windows 365 Business. Windows 365 Enterprise is also Microsoft-managed with the exception of networking.
  • VM SKUs – Windows 365 has various optimized options for multiple use cases. On the other hand, AVD offers any Azure VM including GPU-enabled SKUs.
  • Backup – AVD clients will get to use Azure backup services while Windows 365 users get local redundant storage for disaster recovery.

In summary

Looking at the different services helps us to know that AVD will get you the best price on Windows 10 with Windows 10 multisession, exclusive to AVD. Azure Virtual Desktop is fully customizable and runs on Azure. It would be ideal for you, if you already have experience with VDI solutions. It’s also a good fit if you require industry-leading technology that gives you the flexibility of a fully customized environment.

On the other hand, Windows 365 gives you a solution that is simple and easy to provision. It’s simple to deploy without requiring special IT skills and has predictable pricing. It also gives you the option to scale in either direction, according to the needs of your business.

Therefore, if you have no previous experience with Azure Virtual Desktop, as well as a hybrid or seasonal workforce that needs PC management, then Windows 365 is the choice for you.

How secure is Windows 365?

Arguably one of the biggest concerns for businesses regarding cloud-based solutions is cyber security. Cloud solutions enable businesses to have their employees working from home while using personal devices. This means the risk of compromise is very high if security is lacking.

There are plenty of areas in the network that could be potentially very vulnerable to security breaches. However, Microsoft is well aware of these concerns. And it offers several guidelines to help improve the security of your Cloud PCs. These are as follows.

Conditional Access

Using Conditional Access policies is highly recommended to maintain strict control over the devices and apps that can access company resources. Conditional Access also helps you to secure end-user access to Windows 365. Another way to further enhance that security would be to use Azure AD multi-factor authentication to verify users.

Microsoft Defender

Microsoft advises connecting Microsoft Defender for Endpoint to Cloud PCs devices to help you identify threats and set devices as non-compliant. In addition, you’ll be able to apply device compliance policies to Cloud PCs as well as use Conditional Access for threat identification.

Applicable Blocking

Devices with a high-risk level need to be blocked from accessing corporate resources until the issues are resolved. And you can easily do this by using Intune compliance policies with Conditional Access policies to identify the high-risk devices and users.

Up-To-Date OS

Keeping your OS up-to-date is a key aspect of maintaining high levels of cyber security. Updates bring you enhanced security measures and other new features that serve to improve the user experience while fortifying your corporate network. And when it comes to your Cloud PCs, IT admins can use Endpoint Manager to configure Intune Windows 10/11 updates and policies for Windows Update for Windows.

Admin Security

Another security measure that Microsoft has put in place is that Windows 365 Enterprise end-users will not be admins of their Cloud PCs. This particular feature comes as a default setting.

Integrations

Lastly, Microsoft has created an integration of Windows 365 with Microsoft Defender for Endpoint. What this does is give you a scenario that allows security and endpoint admins to work together managing the Cloud PC environment similar to how they would manage a physical endpoint. Consequently, subscribed Cloud PCs will:

  • Send data through to Microsoft 365 Secure Score.
  • Appear on the dashboards of both Microsoft Defender for Endpoint
  • Security Center and threat analysis when unhealthy.
  • Similar to how other managed devices function, Cloud PCs will also respond to the various remediation measures.

What features does Windows 365 Business have?

Windows 365 Business is the edition made for smaller organizations. More specifically, it is meant for businesses that need to deploy no more than 300 Cloud PCs. As far as technology prerequisites go, Microsoft has made it very simple for businesses.

All you’ll need to do is use the Windows 365 cloud portal to purchase, deploy, and manage Cloud PCs at any time.

Furthermore, because everything works with Azure natively, Windows 365 Business clients aren’t going to require an Azure subscription or domain controller. Your workload will be lighter, as all the components will be running inside the Microsoft cloud and managed by Microsoft.

Purchasing Windows 365 Business can be done directly from the Microsoft 365 admin center. Upon purchase, you can then set up your account without a domain. And you can provision and manage cloud PCs directly from the Windows 365 web portal.

Other Advantages

Another advantage that comes with Windows 365 Business is that no other licenses are needed. So getting started is very easy and may only require a credit card.

The self-service capabilities on offer enable end-users to perform maintenance on cloud PCs via the Windows 365 web portal. The actions supported include Restart, Rename, and Reset (which allows you to remove your personal files, apps, or changes that you may have made to settings).

It’s also important to note that you’ll need to backup all your important files to a cloud storage service or external storage before resetting. This is because the process will delete these files. Windows 365 Business also has native Azure AD support. This means clients aren’t going to require an existing Active Directory domain or Azure subscription.

In addition to Windows 365, Microsoft also announced the successor to Windows 10 in 2021. And given that Windows 11 is the ideal operating system to optimize hybrid work, it’s great to know that new Cloud PCs will come with this OS installed by default. So organizations will benefit from all the new improvements to Windows. They’ll additionally enjoy the enhanced security features that come with it.

What features does Windows 365 Enterprise have?

Windows 365 Enterprise is the ideal edition for larger organizations. Unlike with Windows 365 Business ,which tops out at 300 users, Enterprise clients won’t have any such limits.

If the objective for your business is to manage Cloud PCs with MEM and leverage the integrations with other Microsoft services, then you’d be smart to purchase Windows 365 Enterprise.

By doing so, you benefit from other services such as Azure Active Directory and Microsoft Defender for Endpoint. Although this edition may not have a license limit, users will still require a license for Windows 11 Enterprise, Windows 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1.

Purchasing and Setup

When it comes to purchasing channels and license assignments, the former will be done via Web Direct, Enterprise Agreements (EA), CSP. And the latter via the Microsoft 365 Admin Center. Clients using Enterprise will have networking through their Azure VNet, since it isn’t included in the license.

As for the administration side of things, the provisioning can be configured and customized to meet the specific needs of your organization. Your admins can set up the VNet, configure user permissions, and then assign the policy to an Azure AD group.

After that, the admins can proceed to provision the Cloud PCs with a choice of either standard gallery images or custom images. Clients using this version also get support for Group Policy Objects (GPO), Intune MDM, and application deployment.

End users can restart, rename, and troubleshoot their Cloud PCs on the Windows 365 homepage. In addition, users get assigned standard user roles on the Cloud PCs and this is by default.

However, when the need arises, admins can change this setting in the Microsoft Endpoint Manager admin center. And as with Windows 365 Business, users can access their Cloud PCs via the Remote Desktop app or on windows365.microsoft.com using any modern browser.

Furthermore, you enjoy great security measures with Conditional Access that can be implemented using the MEM admin center or Azure AD. In addition, there is support for per-user multi-factor authentication and integration with Microsoft Defender for Endpoint.

How do you deploy Windows 365?

Once you have purchased the Windows 365 licenses that your organization needs, the Windows 365 node in Microsoft Endpoint Manager becomes active for management. So now you can begin provisioning your Cloud PCs. Setting up your system to provision Cloud PCs will require you to follow the steps below.

Assign licenses

For a user to have access to a Cloud PC, they will need to have a Windows 365 license assigned to them. You can use the following methods to assign the licenses:

  • For individual users, you have the option of using the Microsoft 365 admin center.
  • For group license assignments, you have the option of using the Azure AD admin center.
  • Lastly, for the assigning of direct licenses to a list of individual users, navigate to Assign licenses for Windows 365 or alternatively go to Assign license.

Create an on-premises network connection

An on-premises network connection (OPNC) is the crucial element that allows you to provision Cloud PCs that are attached to a virtual network that is under your management. Microsoft allows you to have 10 OPNCs per tenant. Creating an OPNC requires you to meet a few criteria:

  • You need to be an Intune Admin in Azure AD.
  • You also should have Owner permissions on the Azure subscription that contains the VNet with connectivity to your on-prem domain controller and network. 
  • Finally, you should have a PowerShell execution policy that is set up to enable RemoteSigned scripts. And for those that use Group Policy to set execution policy, you’ll need to ensure that the GPO targeted at the Organizational Unit defined in the OPNC is configured to allow RemoteSigned scripts.

Provide users a localized Windows experience

A great way to improve end-user comfort and potentially productivity levels, is by presenting Windows with a language that the user is comfortable with using. Setting up a localized Windows experience can be configured as a provisioning policy or by creating a custom device image.

One of the announcements made by Microsoft in February 2022 regarding Windows 365 Enterprise, talked about an important update that will enhance the user experience for different users from across the globe. The objective is to enable you to configure a Language & Region pack that can be installed on the Cloud PCs during provisioning when you are creating your provisioning policy.

At present, there are 38 languages available. And Microsoft will allow you to change the configured language for existing provisioning policies and subsequently reprovision any desired Cloud PCs.

Add or delete custom device images

Microsoft enables you to use a custom device image by simply adding it into your Azure subscription. From there, you can use it for Cloud PC provisioning. The standard Azure Marketplace gallery is where you’d navigate. Or you could also create your own custom-managed image. For those with a Shared Image Gallery in Microsoft Azure, they can convert one of those images into a managed image.

Create a provisioning policy

The last step in this process will require you to create a Provisioning Policy so that you can provision the Cloud PC with an image of your choice and is based on Azure AD security groups. Provisioning policies hold key provisioning rules and settings, allowing the Windows 365 service to set up and configure the right Cloud PCs for your users. Once the provisioning policies have been created and assigned to the Azure AD user security groups or Microsoft 365 Groups, the Windows 365 service will then:

  • Check the appropriate license for each user.
  • Configure each Cloud PC as necessary.

Why should our organization be interested?

Remote work has been a major topic of discussion, especially over the last few years. Therefore, Windows 365 is available at the best time. The concept of the Cloud PC will help your organization by simplifying the process of having your staff working remotely.

By having a PC running in the cloud, your workforce can access their desktops from anywhere without difficulty. This kind of flexibility is something that can make your organization more attractive when it comes to attracting and retaining talent.

Not only is Windows 365 going to allow you to take advantage of hybrid work. But it’s also going to address what is probably your next concern – security. When using Windows 365, your data will store on the cloud where Zero Trust Principles are in effect.

Moreover, Microsoft Endpoint Manager solutions will help fortify the platform for greater cyber security. Thus, organizations can rest easy knowing that although their workers are not on the premises, they can still remain productive without compromising the security of your data. And if you need to scale, it’s equally simplified without hassle.

Other Benefits

Windows 365 enables you to configure the size, CPU, and RAM of your Cloud PCs according to your needs. This versatility means that if the need arises to increase or reduce the computing resources that you require, you’ll be able to do so.

Windows also aims to help your organization lower your expenses in the hardware department. Because users will have desktops running in the cloud, you won’t face any significant costs regarding purchasing high-end devices.

In addition, you potentially won’t have to refresh your organization’s hardware as frequently. The Cloud PC will be handling the heavy computing on the Azure servers. Your organization may also save costs during the setup process.

Since Microsoft designed Windows 365 for ease of use, setting it up is not going to require you to bring in specialist IT professionals onto your team. Your IT people will be able to deploy and manage the configuration of any PC, much like they have been doing all along.ย 

What kind of support is available?

Undoubtedly every organization that wants to sign up for Windows 365 would like to know about support. The last thing you need is to run into the kinds of problems that could prevent your organization’s staff from accessing their Cloud PCs. Microsoft has availed support for Windows 365 clients in various ways. Each level of support is available, depending on how your Windows 365 subscription was purchased.

If you made your purchase via the self-service feature, you can request support through the Microsoft 365 admin center. For those who would have made their subscription purchases through volume licensing, they will need to contact their Microsoft account managers for assistance.

And lastly, if your Windows 365 subscription was purchased through a Microsoft Cloud Solution Provider (CSP), the latter can submit support requests for you. These requests, which can be for non-technical issues such as enrollment, membership, billing, subscription, and user management, can be submitted in the Microsoft Partner Center.

Can I use my apps on Windows 365?

According to Microsoft, Windows 365 was designed with compatibility in mind. This falls in line with the goal of trying to make clients’ apps compatible with the latest versions of Microsoft software. So if you have apps that you were using on Windows 7, Windows 8.1, and Windows 10, then you’ll be glad to know that they will work on Windows 365, as well. And if you have any challenges with your apps, Microsoft can help you address them for free with an eligible subscription through the Fast Track App Assure program.

Wrap Up

Windows 365 is a service that has plenty to offer your organization. Although it may not be the first such product in the domain of virtualization technology, it intends to perform like no other before it.

One of the key goals is to avail cloud computing technology to as many as possible and make it easy to use. The recent global pandemic showed us what can happen to countless organizations if adequate solutions aren’t available.

Going forward, I believe that the remote workforce will continue to grow and businesses will need to find ways to take advantage of this. Sometimes the ideal person for a particular task may be on the other side of the globe. And by leveraging Windows 365 and its communication channels, collaborating with anyone anywhere can be safe and easy.

And if there’s anything else that you may need answers to, Microsoft will be hosting monthly Windows 365 Ask Microsoft Anything events, on the fourth Wednesday of each month. Now, there’s no denying that the Windows 365 Cloud PC may not be for everyone. But, it’s certainly a product that’s worth taking a good look at.

Reigniting The Passion for Science and Technology

It’s safe to say that science and technology have proven invaluable to humanity for thousands of years. When we look at examples of “innovation” just a few hundred years ago, it’s a much different dynamic than the innovation of today. Thinking about just a few short decades ago, let alone a thousand years ago, a lot of people may understandably not be impressed.

But everything we benefit from today has to start from somewhere. And similarly, centuries from now people will be looking at all our โ€˜fancyโ€™ science and technological innovations without the same โ€˜wowโ€™ factor we may have. In todayโ€™s article, we want to go over the great advancements of today. Explore work we are seeing from institutions such as the Pacific Science Center and Microsoft with Microsoft Ignite.

Why is all this important?

The simplest answer to this question is that science and technology just make our lives easier and more comfortable. I mean, just take the last few years as an example, at the height of the COVID-19 pandemic. Technology made it possible to endure restricted movement and still keep in touch with our loved ones through video calls, phone calls, texts, etc.

Furthermore, it wasnโ€™t just families and friends that benefited. A lot of businesses were able to maintain operations by having their employees working from home. These kinds of solutions helped maintain the sanity of countless millions. It simultaneously enabled businesses to keep the doors open.

The beauty of all this is that people all across the globe can benefit from great tech. Because of things like online courses, e-books, e-libraries, and more, people no longer need to travel great distances to acquire the knowledge.

It could be as simple as powering on a device with internet access. And you can meet people that you may previously never had the opportunity to learn from otherwise. Science and technology can help entire countries grow their economies. It’s innovation that improves healthcare, ensures food security, creates employment, and so much more.   

Pacific Science Center

When we talk about creativity and innovation in the field of science, it would be remiss to not mention the work being put in at the Pacific Science Center. This place provides an independent, not-for-profit institution that serves nearly 1 million people in the Pacific Northwest and beyond each year.

For over 60 years, it has been promoting innovation by trying to increase accessibility to science so that we can continue to build solutions to some of life’s greatest challenges. By attempting to get people interested in science from an early age, this institution can tap into the greatest minds out there. We can look forward to science and technology evolving at an even greater pace, making our lives significantly better.

WHAT TO EXPECT?

All one has to do is visit the center, and the warm hospitality that will greet you should be enough to arouse the natural curiosity that exists in us all. At the center, there are several exhibits to be explored and immersive STEM experiences that are uniquely designed to stimulate the imagination. These experiences include:

The Tropical Butterfly House

This place is home to hundreds of beautiful butterflies that have been placed in their tropical habitats. The countless eye-catching butterflies with their rich colors are a sight to behold. Visitors can take advantage of the butterfly and plant identification guides to test their scientific skills of observation.

The Willard Smith Planetarium

Here, the visitors will get an incredible opportunity to discover space in a way that they’ve probably never done before through live, immersive experiences. You can indulge your curiosity about space by going off to the furthest parts of the universe, or you can stay closer to home and go exploring the planets in our solar system. To give you the best possible experience, the shows will be live and the content can be tailored to the interest of the guests.

The hands-on Tinker Tank Makerspace

This wonderful experience allows you to get physically involved by attempting the various engineering and design challenges. Guests can also pick up new skills that can help them build something from nothing and then develop that creation into something even more impressive. By carrying out experiments and getting involved in the innovative process, guests will get a complete experience of not just observing but doing as well.

The Salt Water Tide Pool

Here, guests will be given the exhilarating experience of getting a closer look at the local marine life from the Puget Sound region. You’ll have the chance to explore the vast marine life that exists in tide pools found at the local beaches. Guests can get up close and personal with these marine animals, learn more about them, and see how they act in this Salt Water Tide Pool that has been designed to replicate the conditions in the Puget Sound region where these animals are from.

Clearly, one of the main objectives of having these experiences is to encourage people to ask questions, test theories, and reassess just about everything they have come to accept in their lives. This is how humanity has changed things for the better over thousands of years.

There is a constant need for people to question what many may consider irrefutable facts. It is in doing so that discoveries are made, and innovation is brought into existence.

This is something that the Pacific Science Center (PacSci) has been trying to ignite in children since its birth at the 1962 World’s Fair in Seattle. When it came into existence, it was the U S’ first science and technology center.

For over 60 years since then, PacSci has devoted a lot of effort to increasing the accessibility of science. It continues to ensure that the center can function as a vital resource for educators. The goal of this is to encourage discovery as well as experimentation while taking advantage of the available resources to essentially become one massive community laboratory.

Tech innovation

When it comes to technological innovation, there are few, if any, who can make a case for being better than the people working at Microsoft. For decades now, this tech giant has been one of the leaders in this space, bringing to market products and services that have introduced significant changes to not only how we operate our businesses but how we interact with technology in our homes.

And every year, Microsoft hosts an annual conference known as Microsoft Ignite for developers and IT professionals where we get introduced to the latest and most exciting tech innovations. Furthermore, for attendees, this presents an opportunity to engage with Microsoft leaders and experts, learn new things in hands-on labs, and get a first-hand experience of what the future may hold.

But it’s also worth noting that Microsoft Ignite does not only target the IT pro or developer. You’ll find content that will be helpful for individuals in all roles, including administrators, implementers, data architects, application engineers, cloud architects, senior advisors, security professionals, and decision-makers. So, there will be something for everyone to enjoy.

Additionally, you’ll get the benefit of networking with people from all across the globe who are experts in different areas of technology. The deep technical training, breakout sessions, keynotes, and immersive learning experiences will ensure that attendees get the best experience learning from the teams that are responsible for product-building.

Microsoft wants to help interested parties attend Microsoft Ignite so much that they even have a Convince your manager template to support you. This is specifically aimed at individuals who want to attend the event, but whose bosses may be reluctant to let them go.

Accommodation has also been arranged conveniently within the downtown Seattle area. So, Microsoft Ignite attendees remain within walking distance to Summit, Seattle Convention Center.

Microsoft Ignite 2023

The Microsoft Ignite conference typically runs over a few days and in 2023. The Microsoft Ignite event is in Seattle from November 14th to 17th. Unsurprisingly, the in-person attendance is already sold out. So, Microsoft Ignite is encouraging any other interested parties to attend virtually.

Attendees can expect to have sessions, discussions, and interactions. These sessions will increase their knowledge, build a greater network of connections, and enhance the vision they may have for a future. And it’s a future exploding with technological excellence. Experts will be available to help you understand how to leverage the latest technologies. You will also have guidance so that your business can strive towards achieving core objectives.

And with all the multidisciplinary experts in attendance, you are bound to gain more than you expect in such a short time.

Some of the key sessions to look forward to include:

  • Unlock Productivity with Microsoft Copilot – presented by Rajesh Jha, Executive Vice President, Experiences + Devices, and Jared Spataro, Corporate Vice President, Modern Work and Business Applications. This session will enable attendees to learn how to unlock productivity and transform business processes for everyone across functions and industries.
  • The future of security with AI – presented by Charlie Bell, Executive Vice President, Microsoft Security, and Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity & Privacy. In this session, there will be plenty to learn concerning how Microsoft is delivering AI for security with Security Copilot. Also discover how enabled organizations will secure and govern AI with new capabilities.
  • AI transformation for your organization with the Microsoft Cloud – presented by Scott Guthrie, Executive Vice President, Cloud + AI Group. For this session, attendees can expect to gain a deeper understanding of how the Microsoft Cloud helps customers transform. They do so by building AI solutions and unlocking insights using the same platform and services that power all of Microsoftโ€™s comprehensive solutions.
  • Inside Microsoft AI innovations – presented by Mark Russinovich, Chief Technology Officer and Technical Fellow for Microsoft Azure. In what should be another great session, attendees will be getting to see just what they will get with Microsoftโ€™s AI architecture. This includes the technology behind supercomputers and data centers and AI-aware resource management. Additionally included are advancements in confidential computing to safeguard data during processing.

Improving the quality of life

As with anything in life, it’s just about impossible for everyone to agree on something. Regardless of what the issue may be, there will always be loyalists and antagonists. And when it comes to technology, the same applies as people forge alliances with certain technologies and solutions over others.

Set aside whatever you may think about the benefits of certain technologies out there. Not everyone who simply can’t or won’t agree with that point of view. So, in this section, we’ll be highlighting some of the ways that technology enables us to improve the quality of many people’s lives.

SIMPLIFIED COMMUNICATION

We all know just how important communication is to humanity in all aspects of our lives. Whether it’s family, business, social, etc., communication is key to how we live our lives. And I think we can sometimes take for granted how easy communication is for us today. Unlike in centuries or decades ago, today, you can have “face-to-face” conversations with just about anyone on any continent at any time.

The importance of this cannot be overstated. It’s mission-critical, especially when we consider the migration of people across the globe. Families can easily stay in touch regardless of where one may be. Businesses can seamlessly work with customers from other parts of the world. And within seconds, anyone can share crucial analytic information.

IMPROVED HEALTHCARE DELIVERY

Most of us have probably experienced the frustration of endless hours spent in a waiting room to see a doctor. With the technologies at our disposal today, this no longer needs to be the case. Patients can set up their appointments according to what works for their schedules. They can easily check if their doctor’s office is open, as well.

Healthcare workers can also work more efficiently by leveraging the technologies available to them. Switching over to digital records means that patients’ files will be easily accessible and less likely to be misplaced. Physicians can easily consult in cases (or even surgeries) from other countries. And they’re brilliantly effective while sitting in the comfort of their homes or offices.

ACCESS TO INFORMATION

Technology has opened up access to information in a way that would have seemed fantastical a mere century ago. But today, anyone across the globe can access almost any information they need at the click of a button.

No longer do you need to spend hour after hour in a library to find answers. Say goodbye to scouring books, newspapers, research papers, etc., trying to find that elusive information. Provided internet access a strong, children in remote parts of the world can access most of the same educational resources as those from wealthy backgrounds attending expensive private schools.

CHANGING THE WORKING ENVIRONMENT

It’s not surprising that with all the advances we have witnessed in the field of technology, the work environment would also change accordingly. In recent years, there has been a lot of discussion about flexible working conditions with a particular emphasis on remote work.

There are now products and services on the market, such as the Windows 365 Cloud PC, that enable employees to work remotely. Virtualization services have allowed users to basically carry their desktops with them wherever they go. An added benefit is that it allows employees to work more flexibly. And this alone can help businesses boost efficiency and productivity.

IMPROVED FINANCIAL SECTOR

Working remotely is not only possible because of virtualization services but it’s also made possible because of financial technology (fintech). This solution is what has enabled businesses to hire and pay employees from other parts of the world.

By leveraging the ability to transact through the virtual financial system, the business sector is making improvements in economic equity. We’ve also witnessed rising problems in the global economy. Those issues inspired the creation of a conducive environment for the development of financial technology.

Wrap up

Change is a part of the human fabric, and we should always be willing to welcome developments that can make life better for all. Not only should we be focused on short-term benefits. But we should be looking for solutions that will benefit the generations to come as well. This is part of what has made the Pacific Science Center the success that it is.

Encourage people to immerse themselves in breathtaking experiences that can change how they perceive the world around them. Doing so can only further the cause of science and technology. Combine that with events like Microsoft Ignite, and you can have the ultimate immersion experience of science and technology. We never know where or from whom the next big idea or development may come from.

Windows Autopatch Groups

Every business is now very much aware of the very real threats of attacks that are lurking out there. And for any that aren’t aware, then those threats are even greater. Time and again, we hear of businesses under cyber attacks and critical data compromised. With this in mind, we all need to be looking at ways to enhance our data security.

Otherwise, your business could soon fall victim to hackers. Given the multitude of threats that businesses are constantly dealing with, Microsoft has introduced Windows Autopatch to help improve security. This solution intends to streamline the update process, thus enabling businesses to operate better. In this business solutions article, we will be exploring Windows Autopatch groups and how they function.

Windows Autopatch Recap

For the benefit of those who may not yet be familiar with the service, I’m going to start by going over what Windows Autopatch is. IT admins can attest to the challenges that they sometimes face when it comes to keeping the devices in their environments up to date. Although service providers may offer updates regularly, the process of implementing these updates can sometimes present plenty of challenges to IT staff.

With that in mind, what you get with Windows Autopatch is a cloud-based service that seeks to automate the updates for Windows, Microsoft 365 Apps for Enterprise, Microsoft Teams, and Microsoft Edge.

Due to the automation of these updates, your business can expect to improve security and productivity across the organization. Over the years, we have grown accustomed to getting regular updates. Despite that, the process of implementing them is not always a seamless one. And that’s in addition to the plethora of other tasks that IT admins are responsible for managing. The Windows Autopatch solution gives you a more reliable update method that improves efficiency.

Windows Autopatch Groups

Additionally, Windows Autopatch uses groups to better manage updates in a way that minimizes issues and improves the experience for your business. Autopatch groups, by definition, are logical containers or units that bring together several Azure AD groups and software update policies. These include:

BENEFITS OF AUTOPATCH GROUPS

Windows Autopatch aims to adapt to the needs of businesses that are using Microsoft Cloud-Managed services. It is going to meet you wherever you may be in your update management journey. The first benefit that you’ll be able to get from Autopatch groups is that they can replicate your organizational structure.

What this means is that you can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. Furthermore, the use of Autopatch groups allows you to choose which software update deployment cadence is most ideal for your business.

Another benefit is a flexible number of deployments. As a result of this flexibility, you get to have the ideal number of deployment rings that will work perfectly for your business. Depending on your needs, you can have as many as 15 deployment rings per Autopatch group.

The next benefit you’ll get is being able to decide which device or devices will belong to deployment rings. In addition to your existing device-based Azure AD groups, as well as choosing the number of deployment rings, your business also has the option to select which devices belong to deployment rings during the device registration process when setting up Autopatch groups.

AUTOPATCH GROUPS WORKFLOW

There are a few steps in this high-level workflow, including these below:

  • The first step requires the creation of an Autopatch group.
  • Next, the Windows Autopatch service is going to leverage Microsoft Graph to facilitate the creation of:
  • Azure AD groups.
  • Software update policy assignments with other Microsoft services, such as Azure AD, Intune, and Windows Update for Business (WUfB,) based on IT admin choices when you create or edit an Autopatch group.
  • Intune assigns software update policies. You’re going to find that Intune assigns the software update policies to these groups as soon as the Azure AD groups become available in the Azure AD service. In addition, Intune will also provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service.
  • Lastly, we’ll go over the Windows Update for Business responsibilities and these include:
  • Delivering update policies.
  • Retrieving update deployment statuses back from devices.
  • Sending back the status information to Microsoft Intune and then to the Windows Autopatch service

Things to know

Before you can proceed to use Windows Autopatch groups, there are a few key concepts that you’ll need to familiarize yourself with.

DEFAULT AUTOPATCH GROUP

If your organization can meet its business needs using the pre-configured five-deployment ring composition, then you are the ideal candidate for the Default Autopatch group. The group has the intention of serving businesses that want to enroll in the service as well as those that want to align to Autopatch’s default update management process without the need for additional customizations. Furthermore, this group uses Windows Autopatchโ€™s default update management process recommendation and contains:

  • A set of 5 deployment rings.
  • A default update deployment cadence for both Windows feature and quality updates.

You should also note that you cannot delete or rename the Autopatch group. But you do still get the option to customize its deployment ring composition to add and/or remove deployment rings. Additionally, you can customize the update deployment cadences for each deployment within it.

Default deployment ring composition

The software update-based deployment rings that will be used are determined by default. These deployment rings, represented by Azure AD assigned groups, are as follows:

Deployment ringUse
Windows Autopatch โ€“ TestCan only be used as Assigned device distributions.
Windows Autopatch โ€“ Ring1Can be used with either Assigned or Dynamic device distributions or have a combination of both device distribution types.
Windows Autopatch โ€“ Ring2Can be used with either Assigned or Dynamic device distributions or have a combination of both device distribution types.
Windows Autopatch โ€“ Ring3Can be used with either Assigned or Dynamic device distributions or have a combination of both device distribution types.
Windows Autopatch โ€“ LastCan only be used as Assigned device distributions.

An additional thing to note for instances where a group of specialized devices and/or VIP/Executive users coverage is provided by the Last deployment ring, the fifth deployment ring in the Default Autopatch group. Furthermore, to minimize any potential disruptions that your business may encounter, software updates for the aforementioned should be received after the organization’s general population.

Default update deployment cadences

Default update deployment cadences are going to be provided by the Default Autopatch group for deployment rings, with the exception of the Last (fifth) deployment ring.

Update rings policy for Windows 10 and later

Each of the default rings in the Default Autopatch group is going to get Update rings policy for Windows 10 and later set up by Windows Autopatch groups. Below is some data concerning the default policy values:

Policy nameAzure AD group assignmentQuality updates deferral in daysFeature updates deferral in daysFeature updates uninstall window in daysDeadline for quality updates in daysDeadline for feature updates in daysGrace periodAuto restart before deadline
Windows Autopatch Update Policy – default – TestWindows Autopatch – Test0030050Yes
Windows Autopatch Update Policy – default – Ring1Windows Autopatch – Ring11030252Yes
Windows Autopatch Update Policy – default – Ring2Windows Autopatch – Ring26030252Yes
Windows Autopatch Update Policy – default – Ring3Windows Autopatch – Ring39030552Yes
Windows Autopatch Update Policy – default – LastWindows Autopatch – Last11030352Yes

Feature update policy for Windows 10 and later

Each of the default rings in the Default Autopatch group is going to get feature updates for Windows 10 and later set up by Windows Autopatch groups. Below is some data concerning the default policy values:

Policy nameAzure AD group assignmentFeature update versionRollout optionsFirst deployment ring availabilityFinal deployment ring availabilityDay between deployment ringsSupport end date
Windows Autopatch – DSS Policy [Test]Windows Autopatch – TestWindows 10 21H2Make update available as soon as possibleN/AN/AN/AJune 11, 2024; 1:00AM
Windows Autopatch – DSS Policy [Ring1]Windows Autopatch – Ring1Windows 10 21H2Make update available as soon as possibleN/AN/AN/AJune 11, 2024; 1:00AM
Windows Autopatch – DSS Policy [Ring2]Windows Autopatch – Ring2Windows 10 21H2Make update available as soon as possibleDecember 14, 2022December 21, 20221June 11, 2024; 1:00AM
Windows Autopatch – DSS Policy [Ring3]Windows Autopatch – Ring3Windows 10 21H2Make update available as soon as possibleDecember 15, 2022December 29, 20221June 11, 2024; 1:00AM
Windows Autopatch – DSS Policy [Last]Windows Autopatch – LastWindows 10 21H2Make update available as soon as possibleDecember 15, 2022December 29, 20221June 11, 2024; 1:00AM

CUSTOM AUTOPATCH GROUPS

If your business needs a more precise representation of its structures as well as its own update cadence in the service, then the Custom Autopatch groups are ideal for you. You’ll also find that the Test and Last deployment rings are automatically present by default.

TEST AND LAST DEPLOYMENT RINGS

Both of these are default deployment rings, and they will be automatically present in both the Default Autopatch group and Custom Autopatch groups. These deployment rings are an essential component because they allow the recommended minimum number of deployment rings needed by each Autopatch group to be provided. In a couple of instances, youโ€™ll find that the Test deployment ring can serve as the pilot deployment ring, with the Last serving as the production deployment ring. This can happen:

  • If only the Test and Last deployment rings are within your Default Autopatch group.
  • If at the time you are creating a Custom Autopatch group, you donโ€™t add more deployment rings.

Something else that you need to know is that you cannot remove or even rename the Test and Last deployment rings from the Default or Custom Autopatch groups. Because these Autopatch groups require a minimum of 2 deployment rings for their gradual rollout, they wonโ€™t support using a single deployment ring as part of its deployment ring composition.

So, you will need to consider managing devices outside Windows Autopatch whenever you have a specific scenario that you want to implement using a single deployment ring and where the gradual rollout is not necessary.

Deployment rings

Autopatch groups intend to have software update deployments delivered sequentially in a gradual rollout within the. Autopatch group. Deployment rings are the tools that make this possible. Windows Autopatch can align with Azure AD and Intune terminology for device group management. As far as deployment ring group distribution in Autopatch groups is concerned, there are two types that you need to know about:

Deployment ring distributionDescription
DynamicFor this situation, one or more device-based Azure AD groups can be used. And these can be either dynamic query-based or assigned to use in your deployment ring composition. Moreover, you can use the Azure AD groups that are available with the Dynamic distribution type for the distribution of devices across several deployment rings according to the percentage values that can be customized.
AssignedFor this type of deployment ring distribution, a single device-based Azure AD group is best. And this can be either dynamic query-based or assigned to use in your deployment ring composition.
Combination of Dynamic and AssignedIn some cases, you’ll find yourself needing a greater level of flexibility when working on deployment ring compositions. And this option will prove to be the most ideal. It allows you to combine both device distribution types in Autopatch groups. You will, however, need to note that this particular combination of device distribution will not be supported for the Test and Last deployment ring in Autopatch groups.

Service-based versus software update-based deployment rings

Another thing you will discover is that Autopatch groups create 2 different layers. And each of those layers will have its own deployment ring set. By default, both of the deployment ring sets that we are looking at will assign to devices that have completed successful registration with Windows Autopatch.

SERVICE-BASED DEPLOYMENT RINGS

This deployment ring set is only going to be for keeping Windows Autopatch updated. It does so with service and device-level configuration policies, apps, and the APIs required for the core functions of the service. Below is the list of Azure AD-assigned groups representing the service-based deployment rings.

  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad

Please note that you should absolutely avoid making any modifications to the Azure AD group membership types (Assigned and Dynamic). If you make those changes, Windows Autopatch wonโ€™t be able to read the device group membership from these groups.

As a result, the Autopatch groups feature, along with other service-related operations, will not function correctly. Not only that, but you should also know that having Configuration Manager collections directly synced to any Azure AD group and created by Autopatch groups is an unsupported option.

SOFTWARE-BASED DEPLOYMENT RINGS

The second type of deployment ring set is only going to be compatible with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group. Below is the list of Azure AD-assigned groups representing the software updates-based deployment rings.

  • Windows Autopatch – Test
  • Windows Autopatch โ€“ Ring1
  • Windows Autopatch โ€“ Ring2
  • Windows Autopatch โ€“ Ring3
  • Windows Autopatch โ€“ Last

IT admins should note that any additional Azure AD assigned groups will be created and added to the list at the same time youโ€™ll be adding more deployment rings to the Default Autopatch group. Moreover, similar to the previous type of deployment ring set, you can’t make any modifications to the Azure AD group membership types (Assigned and Dynamic). If you make those changes, Windows Autopatch wonโ€™t be able to read the device group membership from these groups.

As a result, the Autopatch groups feature, along with other service-related operations, will not function correctly. Not only that, but you should also know that having Configuration Manager collections directly synced to any Azure AD group and created by Autopatch groups is an unsupported option.

How to use Autopatch groups

There are a few examples that we can look at that describe certain scenarios and how we use Autopatch groups for those cases.

EXAMPLE NUMBER 1

Imagine a scenario where you are an IT admin who is responsible for several Microsoft and non-Microsoft cloud services. In this example, you don’t have the time necessary to set up and manage multiple Autopatch groups. At present, your company relies on using five deployment rings to operate it’s update management. However, you do have the option for flexible deployment cadences if you were to communicate to your end-users.

The solution, in this case, will involve using the Default Autopatch group if you currently don’t have thousands of devices under your management. The Default Autopatch group is editable to include additional deployment rings and/or slightly modify some of its default deployment cadences.

Additionally, because this Default Autopatch group comes preconfigured and doesnโ€™t require extra configurations when registering devices with the Windows Autopatch service, it will offer greater convenience to IT admins.

EXAMPLE NUMBER 2

For the second example, you’re going to be an IT admin for a business that is looking to implement a gradual rollout of software updates within certain critical business units or departments to help mitigate the risk of end-user disruption.

What you can do in this case is to create a Custom Autopatch group for all your business units. This means that you can create a Custom Autopatch group for each department. And then, you can proceed to break down the deployment ring composition according to the various user personas. You could also perform the breakdown by categorizing how essential certain users may be for not only a particular department but for the business as a whole.

EXAMPLE NUMBER 3

In the final example, imagine being an IT admin working in the New York branch of a particular company. And in this scenario, you’re looking to implement a gradual rollout of software updates within certain departments in a way that does not disrupt operations in that New York branch.

Similar to the second example, you’re going to create a Custom Autopatch group. But this time, it will be for the New York branch. Then, you will proceed to break down the deployment ring composition according to the various departments within that branch location.

Wrap up

With the threat of cyber-attacks seemingly increasing each and every year, businesses need to be highly proactive about their security. They need to put in place measures that help to improve security and minimize vulnerabilities. Microsoft is looking to help businesses do that with the Windows Autopatch service. It is a highly efficient tool that streamlines the management of software updates and patches.

Autopatch leverages groups to enable businesses to get the maximum benefits from the service. This is also while taking into account the unique needs of the business. Therefore, what you ultimately get is a solution that can cut the security gap. And one that optimizes your IT resources in a way that improves productivity.

Windows Autopatch: Guide to Setup and Configuration

Most businesses have several technologies that they use to help their employees operate at the highest levels of efficiency. Without them, your ability to provide high-quality products and services would be severely hindered.

But, all these devices and the associated operating systems and applications need maintenance for them to work the way they were designed to. They need regular attention as well as updates and security patches. This is so businesses can fully benefit from their productivity tools.

Windows Autopatch gives you a great solution for your Microsoft products by automating the update process. Additionally, it simplifies the maintenance process for you. In this article, we’ll be going over how your business can set up this must-have solution.

What is Windows Autopatch?

Let’s start by explaining what exactly Windows Autopatch is and what it does. According to the Windows Autopatch page:

Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.”

One of the key reasons this solution is a much-needed tool is that the process of implementing updates is not entirely seamless for a lot of organizations. IT admins are responsible for ensuring your organization’s devices get all the necessary updates upon release. And they’re responsible for overseeing that everything is working as it should.

So, even though Microsoft provides regular updates for its products and services, the task can sometimes be challenging and very time-consuming. Therefore, with a solution like Autopatch, IT admins can save a lot of time on the update processes. They can additionally cut time in positioning the overall security posture of the business, leading to improvements.

I’m sure most would agree that this is an excellent feature to have, given the increasing sophistication of cyber attacks. Additionally, end users will be able to work more efficiently with fewer distractions. Moreover, your IT personnel will potentially have a lot more time on their hands for dedicating to more productive tasks.

The role of Autopatch services

From what we have seen over the last year, we know that Windows Autopatch can manage your updates for you. But, you still need to know what exactly Autopatch will be responsible for regarding those updates. This is why it’s not too surprising that a lot of IT admins are hesitant about using Autopatch. They have concerns about losing control over their devices.

To simplify the rollout of the different updates, Windows Autopatch will place devices into groups based on their software and hardware configurations. Doing it this way enables suitable test machines to receive updates first. And if all goes well, broader deployments can proceed as well. Not only is this a crucial step for evaluating updates, but it can help alleviate some of the concerns that IT admins have.

Below is a list of what Autopatch will be responsible for updating:

  • Windows 10 and Windows 11 quality
  • Windows 10 and 11 features
  • Windows 10 and 11 drivers
  • Windows 10 and 11 firmware
  • Microsoft 365 apps for enterprise updates

In addition to the above list, Windows Autopatch will also be responsible for patching drivers and firmware that are only published to Windows Update as automatic. Also, in terms of how Windows Autopatch operates, there are four deployment rings. The first one caters to a few of your company’s devices, and the second one is responsible for 1% of these devices. The third and fourth rings will contain 9% and then 90% of the organization’s devices respectively. 

Setting up Windows Autopatch

The process of setting up Windows Autopatch includes several steps that we will be discussing in this section.

PREREQUISITES

AreaRequirements
LicensingWindows 10/11 Enterprise E3 (or higher) in addition to Azure Active Directory Premium and Microsoft Intune.
ConnectivityAll Windows Autopatch devices require dedicated connectivity to multiple Microsoft service endpoints across the corporate network.
Azure Active DirectoryThe source of authority for all user accounts needs to be Azure AD. Or, the user accounts can be synchronized from on-premises Active Directory using the very latest supported version of Azure AD Connect to enable Hybrid Azure Active Directory to join.
Device managementAll devices must be registered with Microsoft Intune, be connected to the internet, have a Serial number, Model and Manufacturer, and must be corporate-owned. Furthermore, the target devices will need to have Intune set as the Mobile Device Management (MDM) authority or co-management must be turned on.

NETWORK CONFIGURATION

  • Proxy configuration – Windows Autopatch needs to reach certain endpoints for the various aspects of the Windows Autopatch service. Network optimization can be done by sending all trusted Microsoft 365 network requests directly through their firewall or proxy.
  • Proxy requirements – should support TLS 1.2, and if not, then you may need to disable protocol detection. 
  • Required URLs – mmdcustomer.microsoft.com

                         – mmdls.microsoft.com

                         – logcollection.mmd.microsoft.com

                         – support.mmd.microsoft.com

  • Delivery optimization – Microsoft recommends configuring and validating Delivery Optimization when you enroll into the Windows Autopatch service.

TENANT ENROLLMENT

The first step in this next stage will require you to verify that you’ve met all the requirements discussed at the beginning of this section.

With that done, you’ll now need to run the readiness tool. This checks the settings in both Intune and Azure AD and verifies that they work with Autopatch. To access this readiness assessment tool, head over to the Intune admin center and select Tenant administration in the left pane. Once there, go to Windows Autopatch > Tenant enrollment. When the check is done, you’ll get one of four possible results: Ready, Advisory, Not ready, or Error. And if this check is showing any issues with your tenant, then your next step will involve fixing the issues picked up by the readiness assessment tool.

If everything is in order and the readiness assessment tool has given you the “Ready” result, then you can proceed and enroll the tenant. You’ll find the “Enroll” button that you need to select within the readiness assessment tool. Once you select this option, it will start the process of enrolling your tenant into the Windows Autopatch service. You’ll see the following during the process:

  • Consent workflow to manage your tenant.
  • Provide Windows Autopatch with IT admin contacts.
  • Setup of the Windows Autopatch service on your tenant. This step is where the policies, groups, and accounts necessary to run the service will be created.

Your tenant will be successfully enrolled upon completion of these actions. And then, after all this is done, you can delete the collected data by the readiness assessment tool if you want. To do so:

  • Head over to the Microsoft Intune admin center.
  • Go to Windows Autopatch > Tenant enrollment.
  • Select Delete all data.

ADD AND VERIFY ADMIN CONTACTS

After you have finished the process of enrolling your tenant, you can move on to the addition and verification of admin contacts. Windows Autopatch has several ways of communicating with customers. And there’s a requirement to submit a set of admin contacts when onboarding. Each specific area of focus should have an admin contact. This provides that the Windows Autopatch Service Engineering Team has a contact for assistance with the support request. These areas of focus are given below.

Area of focusDescription
DevicesDevice registration Device health
UpdatesWindows quality updates Windows feature updates Microsoft 365 Apps for enterprise updates Microsoft Edge updates Microsoft Teams updates

To add the admin contacts, follow these steps:

  • Sign in to the Intune admin center.
  • Head over to the Windows Autopatch section, find Tenant administration, and then select Admin contacts.
  • Select Add.
  • Now, you need to provide all the necessary contact details. This includes name, an email, phone number, and language of choice.
  • Choose an area of focus and provide information about the contact’s knowledge and authority in this particular area.
  • Click Save and then repeat the steps for each area of focus.

DEVICE REGISTRATION

  • Windows Autopatch groups device registration

Autopatch groups will start the device registration process for devices that aren’t yet registered using your existing device-based Azure AD groups. This is instead of the Windows Autopatch Device Registration group. Windows Autopatch will support a couple of Azure AD nested group scenarios, namely Azure AD groups synced up from:

  • On-premises Active Directory groups (Windows Server AD)
  • Configuration Manager collections
  • Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant

For an Azure AD dual state to occur, a device needs to be initially connected to Azure AD as an Azure AD registered device. And then, when you enable Hybrid Azure AD join, the same device will be connected twice to Azure AD as a Hybrid Azure AD device.

So, what you’ll find in the dual state is a device with two Azure AD device records with different join types. However, the Azure AD registered device record is stale because the Hybrid Azure AD device record will take precedence.

About the Registered, Not ready, and Not registered tabs

Device blade tabPurposeExpected device readiness status
RegisteredShows successful registration of devices with Windows AutopatchActive
Not readyShows successfully registered devices that aren’t yet ready to have one or more software update workloads managed by the Windows Autopatch service.Readiness failed and/or Inactive
Not registeredShows devices that have not passed the prerequisite checks and thus require remediation.Prerequisites failed.

Device readiness statuses

Readiness statusDescriptionDevice blade tab
ActiveShows devices that: +have passed all prerequisite checks +registered with Windows Autopatch +have passed all post-device registration readiness checksRegistered
Readiness failedShows devices that: +haven’t passed one or more post-device registration readiness checks +aren’t ready to have one or more software update workloads managed by Windows AutopatchNot ready
InactiveShows devices that haven’t communicated with Microsoft Intune in the last 28 days.Not ready.
Prerequisites failedShows devices that: +haven’t passed one or more prerequisite checks +have failed to successfully register with Windows AutopatchNot registered

Built-in roles required for device registration

Roles are permissions granted to dedicated users. And there are a couple of built-in users in Autopatch that you can use to register devices:

  • Azure AD Global Administrator
  • Intune Service Administrator

Less privileged user accounts can be assigned to perform specific tasks in the Windows Autopatch portal. You can do this by adding these user accounts into one of the two Azure AD groups created during the tenant enrollment process:

Azure AD group nameDiscover devicesModify columnsRefresh device listExport to .CSV
Modern Workplace Roles – Service AdministratorYesYesYesYes
Modern Workplace Roles – Service ReaderNoYesYesYes

Details about the device registration process

The process of registering your devices with Windows Autopatch will accomplish a couple of things:

  • Creation of a record of devices in the service.
  • Device assignment to the two deployment ring sets and other groups required for software update management.

Windows Autopatch on Windows 365 Enterprise Workloads

As part of the Windows 365 provisioning policy creation, Windows 365 Enterprise admins will have the option to register devices with Windows Autopatch. This means that Cloud PC users will also benefit from the increased security and automated updates that Windows Autopatch provides. The process for registering new Cloud PC devices is as follows:

  • Head over to the Intune admin center and select Devices.
  • Next, go to Provisioning>Windows 365 and select Provisioning policies>Create policy.
  • Type in the policy name, select Join Type, and then select Next.
  • Pick your desired image and select Next.
  • Navigate to the Microsoft managed services section, select Windows Autopatch, and then select Next.
  • Assign the ideal policy, select Next, and then select Create.
  • Your newly provisioned Windows 365 Enterprise Cloud PCs will then be automatically enrolled and managed by Autopatch.

Windows Autopatch on Azure Virtual Desktop workloads

Azure Virtual Desktop (AVD) workloads can also benefit from the features that Windows Autopatch has to offer. Your admins can use the existing device registration process to provision their AVD workloads to be managed by Autopatch.

One of the most appealing features of Windows Autopatch is how it offers the same quality of service to virtual devices as it does to physical ones. This ensures that if your business is looking to migrate to virtual devices or is already using them, then you won’t miss out on what Windows Autopatch offers.

It is worth noting, however, that any Azure Virtual Desktop specific support is deferred to Azure support unless otherwise specified. In addition, the prerequisites for Windows Autopatch for AVD are pretty much the same as those for Windows Autopatch and AVD.

The service will support personal persistent virtual machines. But, there are some AVD features that are not supported such as multi-session hosts, pooled non-persistent virtual machines, and remote app streaming.

Deploy Autopatch on Azure Virtual Desktop

Another great feature that you’ll get with Autopatch is that you can register your Azure Virtual Desktop workloads using the same method as your physical devices. Microsoft recommends nesting a dynamic device group in your Autopatch device registration group to simplify the process for your admins. And this dynamic device group is going to target the Name prefix defined in your session host while also excluding any Multi-Session Session Hosts.

Client support

Windows Autopatch provides businesses with excellent support services to ensure that any issues are addressed. You can access the appropriate support services through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.

Device management lifecycle scenarios

Before you proceed and register your devices in Windows Autopatch, there are a few device management lifecycle scenarios that you may want to consider. These include the following:

  • Device refresh – devices that were previously registered in Autopatch and require reimaging will require you to run one of the device provisioning processes available in Microsoft Intune to reimage these devices. Subsequently, these devices will be rejoined to Azure AD (Hybrid or Azure AD only) and then re-enrolled into Intune. And because the Azure AD device ID record of that device will not be altered, neither you nor Windows Autopatch will need to perform any additional actions.
  • Device repair and hardware replacement – when devices require you to repair them by replacing certain hardware, then you’ll need to re-register these devices into Autopatch when you’re done. We are talking about the kind of repairs that include replacing parts such as the motherboard, non-removable network interface cards (NIC), or hard drives. And the reason why re-registration is necessary is that when you replace those parts, a new hardware ID will be generated, including:
  • SMBIOS UUID (motherboard)
  • MAC address (non-removable NICs)
  • OS hard drive’s serial, model, manufacturer information

So, even though you still practically have the same device, whenever you replace major hardware, Azure AD will create a new ID record for that device.

UPDATE MANAGEMENT

Software update workloads

Software update workloadDescription
Windows quality update – on the second Tuesday of every month, Autopatch deploys monthly security update releases. Autopatch also uses mobile device management (MDM) policies to gradually release updates to devices. These policies are deployed to each update deployment ring to control the rollout.Requires four deployment rings to manage these updates
Windows feature update – in this instance, you’ll be the one to inform Autopatch when you’re ready to upgrade to the new Windows OS version. The feature update release management process has been designed to make the task of keeping your Windows devices up to date much easier and more affordable. This also has the added benefit of lessening your burden, thus allowing you to dedicate more time to more productive tasks.Requires four deployment rings to manage these updates
Anti-virus definitionUpdated with each scan
Microsoft 365 Apps for EnterpriseFind information at Microsoft 365 Apps for Enterprise
Microsoft EdgeFind information at Microsoft Edge
Microsoft TeamsFind information at Microsoft Teams

Autopatch groups

Autopatch groups play an essential role in helping Microsoft Cloud-Managed services work with businesses according to their various needs. When it comes to update management, Windows Autopatch groups provide an excellent tool that allows for the combining of Azure AD groups and software update policies. These might include Windows Update rings and feature update policies.

Reports

If there are any Windows Autopatch managed devices in your environment that are not up to date, you can monitor and remediate them using Windows quality and feature update reports. Not only that, but you can also resolve any device alerts to bring Windows Autopatch-managed devices back into compliance.

Policy health and remediation

To enable the management of Windows quality and feature updates, Autopatch needs to deploy Intune policies. Windows Update policies must be healthy at all times should you plan to remain up to date and receive Windows updates. Microsoft ensures continuous monitoring to maintain the health of the policies, as well as raise alerts and provide remediation actions.

Wrap up

The threat of attacks against businesses is something that is always lurking. And as we have seen on far too many occasions in recent years, these attacks can be devastating. Business operations can be severely compromised. Additionally, the financial penalties can be massive. Therefore, there is a need to do everything within your power to fortify your system defenses. Windows Autopatch allows you to bolster your security by automating certain tasks.

Make sure that update and patch deployments occur in a timely fashion. It can significantly reduce the risk of attacks against your business. And this is precisely what Autopatch is ready to help you prevent.

It helps you by automating the update process and simplifying tasks that are sometimes difficult and time-consuming. As a result, you get an easier and less expensive way of equipping your business with all the latest security updates necessary. Ultimately, it allows you to enhance your operations.

Simplify Your Virtual Desktop Infrastructure with Windows 365

Businesses need to be constantly looking for different solutions to help them improve their operations. One area that can give businesses a significant advantage is their IT environment. Technology has evolved greatly, and businesses can now easily leverage cloud computing to boost productivity.

Solutions like Windows 365 enable businesses to provide employees with secure and reliable access to virtual desktops anytime and from anywhere. Although cloud computing has been available for a while, Microsoft is offering clients something that is meant to take the cloud computing experience to new heights.

The Windows 365 Cloud has plenty of features designed to help you better manage and simplify your virtual desktop infrastructure. And in this article, we’ll be exploring those features.

Management Features of Windows 365

Windows 365 is a service that is easy to deploy as well as easy to use. Microsoft has built-in several management features that can help your business manage your virtual desktop infrastructure quickly and efficiently. Let’s take a look at some of those features.

Centralized Management

IT admins can often encounter huge challenges with decentralized systems. One of the more common issues that you can face is vulnerability to security threats. When successful, these attacks will compromise the integrity of the entire network and can be quite costly to rectify.

Running a decentralized environment efficiently will probably require a well-staffed IT department to ensure that your business functions smoothly. Without this, ensuring that all desktops are fully up-to-date and secure can prove to be a challenging and time-consuming task.

To make running your virtual desktop environment simpler, Microsoft has developed Windows 365 to be easily manageable without the need for significant IT resources. With the availability of centralized management, your business can comfortably manage your Cloud PC environment from a single location.

What this does is make the task of managing and monitoring your virtual desktops far less complicated for IT admins. This capability will have the additional advantage of enhancing your security posture. This is because using a single console enables you to better secure your environment.

Self-Service Portal

Continuing with the theme of ease of use, Microsoft provides a self-service portal for Windows 365 Cloud PCs. We all know how far too much time can be lost with employees waiting around to get IT support. In some cases, it could be even worse when the help you need is external.

The potential downtime can be very costly in terms of productivity. This is why having a self-service portal makes so much sense. With a self-service portal, employees can manage certain things without having to wait for IT support. Cloud PC users can install applications, set up user accounts, and configure their security settings with relative ease.

Having a feature like this will not only help to boost productivity, but it will empower your employees as well. Furthermore, by allowing Cloud PC users to manage their virtual desktops, IT admins can dedicate more time to more productive work for the business.

IT admins can also use this feature to quickly and easily add or remove virtual desktops. This depends on the organization’s needs. And it can help to simplify the management of your virtual desktop environment without the need for external IT support.

Automated Patching

When it comes to the security of your virtual desktop environment, you cannot afford to neglect regular updates and patches. Malicious actors are getting worse with each passing year, meaning that businesses need to constantly reinforce their cyber security.

Fortunately, Microsoft offers its clients regular updates for its various products and services. This is to ensure that clients get the best and most secure experience. The challenge that can often arise, however, involves updating every single device in an environment. It can have its fair share of complications.

So, even though service providers may be regularly offering updates and security patches, if the task is not carried out, well your environment remains vulnerable. To try and minimize the issues that IT admins can face, Windows 365 has automated patching. And the biggest advantage of this is that it means your virtual desktops will always be up-to-date with the absolute latest security updates and software patches. Moreover, automated patching lightens the burden for IT admins and simplifies the management of your virtual desktop environment.

Customizable Management

Businesses need to know that when they are purchasing a product or service, they get something that is worth the investment. Part of the attraction of Windows 365 is that it offers great value for money in addition to being easy to use. Clients get the option to select a plan that suits the unique needs of their particular business. Microsoft offers businesses a choice between Windows 365 Business and Windows 365 Enterprise to cater to both small and large businesses. 

These options give businesses the flexibility to customize an ideal subscription plan which eliminates the risk of paying for more than you need or that fails to meet your requirements. And the pay-as-you-go subscription model also allows businesses to continually make changes to their virtual desktop environment as their needs change. This way, you don’t need to make any long-term commitments, but you get access to the computing resources you need at any given time.

Benefits of Windows 365’s Simplified Management

The features that we have gone over have several benefits that they can offer your business. Some of these benefits are the following:

Reduced IT Overhead

The costs that businesses will often have to dedicate to their IT needs can be massive. These include things such as setting up an on-premises infrastructure, issuing devices to employees, and having a well-staffed IT department. One of the goals of Windows 365 is to help businesses minimize these costs.

By getting access to virtual desktops that are easily accessible, you’ll no longer need to worry about the devices you use. Because the heavy computing is done on the cloud, employees can use any device, including smartphones and tablets. And this will immediately help you to spend less on purchasing new devices.

In the long term, you will also reduce your expenses by not having to maintain the same device refresh cycle. Windows 365 is simple enough to use and maintain that you can run it efficiently without needing to bring in additional IT support. Features such as the self-service portal are perfectly designed to make management of your virtual desktop environment easier for IT.

As a result, they will also have a lighter burden meaning they can devote more time to other productive tasks. Additional reductions in IT overhead can also come from not having to maintain on-premises infrastructure because not only is it expensive to set up, but it’s also costly to maintain.

Increased Productivity

Virtual desktops should, by nature, help boost productivity because of how easily accessible they are. Employees have the flexibility to access their Cloud PCs even when traveling using any device they will be carrying. More importantly, remote work can create a more positive work environment by enabling people to work where and how they want.

Over the last few years, the desire to have the option to work remotely has grown significantly. So, if businesses can find a way to offer this to their employees, it could potentially boost productivity. People who feel cared for are far more likely to perform better.

Furthermore, the simplified management features available will allow Cloud PC users to work more efficiently with fewer issues. Features such as automated patching and centralized management give you a virtual desktop environment that is simple to manage. All of these things can contribute to lightening the load for your IT personnel, which can free up time for more critical tasks.

In addition, the security of the Microsoft Cloud as well as the redundancies in place, mean that your Cloud PCs will always be available. You don’t need to worry about facing disasters that can cause significant downtime because your data is highly secured.

Improved Security

With all the remote access that Windows 365 offers users, security needs to be of the highest standard. Recently we have witnessed plenty of businesses suffering from various attacks, so businesses are very wary about cloud computing solutions.

This is why Windows 365 would be a great choice because it leverages the industry-leading security measures that Azure has used over the years. You also get automated patching to ensure that your virtual desktop environment is fully protected by the regular updates that Microsoft delivers. By doing it automatically, it eliminates common issues that you may face with updates.

Monitoring your environment without the features to simplify management can be a complicated task. And this serves to highlight the importance of centralized management for enabling you to run your environment more efficiently.

IT admins can easily monitor all devices under their management from a single console and ensure that they are following all organizational policies. Using features like this will not only enhance your security but improve operational efficiency as well by keeping your virtual desktop environment up-to-date with all the latest features.

Greater Flexibility

I’m sure it’s pretty clear by now that there is a lot of talk about flexibility and its benefits. Businesses that can improve the working atmosphere for their employees, as well as accessibility to virtual desktops, can reap huge benefits. Windows 365 offers features like customizable management to address these areas.

In so doing, Microsoft allows businesses to select subscription plans that can perfectly meet their requirements. As a result of this, you’ll have the flexibility to use Windows 365 to carry out your business operations without any hindrances.

But, this is not only advantageous to the business but to employees as well. Because of the support for multiple operating systems and devices, Cloud PC users can comfortably use whatever device they want. Add to that the fact that the self-service portal allows users to carry out certain tasks that would normally require IT support, and you empower users even more.

So, whether your preference is iOS or Android, Windows or macOS, you can access your Cloud PC and get all your work done. And this you can do for years to come without worrying about purchasing new, more powerful devices.

Cost Savings

Everything that we’ve discussed plays a key role in providing Windows 365 clients with a service that can help businesses cut costs. By providing customizable management, businesses get the option to take full advantage of what Windows 365 Cloud PCs can offer while staying within their budgets. It may actually reduce your IT expenditure because you won’t need to purchase as much hardware or require additional IT personnel to run your Cloud PC environment.

Furthermore, the security of the Microsoft Cloud assures you that you don’t have to worry about cyber-attacks that could result in downtime. Windows 365 is determined to ensure that your Cloud PCs remain available at all times. And if you compare this to other backup systems that may be available to you, you may see just how much you’ll be saving by using Windows 365. Ultimately, the reductions in IT expenditure will help you to invest in other areas of your business thus improving growth and productivity.

Conclusion

Most businesses will be aware of the benefits that can be gained by introducing cloud computing to their businesses. But, as with any new solutions, there will be significant concerns about how viable this would be. With Windows 365, Microsoft wants businesses to have a solution that can alleviate security concerns, reduce operating costs, and increase flexibility among others.

Features designed to simplify Cloud PC management, such as the self-service portal, centralized management, automated patching, and customizable management, will help you function more efficiently. All of these things are crucial for improving employee morale, boosting productivity, and potentially increasing revenues. When all is said and done, Windows 365 may just be the solution you need to get closer to your business goals.