The state of the environment is a massive topic of discussion all across the globe. Whether it’s in meetings bringing together world leaders or at business summits, the issue of how to reduce our impact on the environment is regularly on the agenda. This responsibility doesn’t fall solely on the shoulders of politicians but on those of business leaders as well.
And when it comes to the IT industry, there is a real need to adopt more sustainable solutions, because the sector contributes to carbon emissions through data centers, computing devices, and more. That is where a solution like Windows 365 comes in.
With this service, customers get a cloud-based virtual desktop infrastructure solution designed to help reduce their carbon footprint. So, with that in mind, let’s take a look at how Windows 365 can help you to operate more sustainably.
Energy Efficiency Features of Windows 365
To help various businesses meet their sustainability goals and reduce their carbon footprint, Microsoft has created several features for Windows 365. In this section, we’ll discuss some of those key energy efficiency features.
Cloud-Based Infrastructure
Many businesses envision attaining net-zero sustainability for their operations. Although this is a very ambitious goal, it is not out of reach with solutions like Windows 365. You only have to go through the Microsoft report on the carbon benefits of cloud computing to see how this may be possible.
According to that report, the Microsoft cloud can be anywhere between 22% and 93% more efficient than traditional data centers depending on the comparison. And this would undoubtedly be something that can contribute massively to help reduce your carbon footprint.
The most obvious area where you will see these benefits is with reduced energy consumption. On-premises data centers require a lot of energy to not only power them but cool them as well. So, by leveraging shared cloud infrastructure, such as what Microsoft is offering, you can put yourself in a great position to attain your net-zero targets.
Windows 365’s cloud-based virtual desktops also encourage remote work, and this is something that can potentially reduce transport emissions. Cloud PC users can work from anywhere without being restricted by location.
Dynamic Provisioning
Running a business efficiently requires having the computing resources you need at all times to maximize productivity. Windows 365 addresses this with dynamic provisioning: businesses can provision and de-provision virtual desktops as needed.
As you can imagine, this will help you to run your business more efficiently because you do not need to retain any resources that are in excess of requirements. However, if the need for more computing resources arises, you can add more Cloud PCs quite easily.
When running your own data center, you won’t necessarily have the same flexibility to increase or decrease your computing resources with the same ease. And this can be very costly not only financially but in terms of carbon emissions as well. A business with a larger data center than it needs will find it a lot more difficult to meet its sustainability goals. And it may actually increase its carbon footprint.
Automatic Scaling
The business environment can change very suddenly, and organizations need to have solutions available that can help them swiftly adapt. Windows 365 offers businesses automatic scaling to help improve how efficiently they can run their IT operations.
When we talk about scaling, we are simply referring to the ability to increase or decrease computing resources as needed. Because businesses are trying to implement measures to reduce their carbon footprint, having an automatic scaling feature available goes a long way to simplifying that task.
Windows 365 lets you adjust the computing resources a Cloud PC has access to as its usage needs change. Handling this centrally keeps Cloud PC users productive, because they have the resources they need when they need them. At the same time, not over-provisioning computing resources minimizes energy waste, which moves you closer to running sustainable operations.
Power Management
The unfortunate reality is that plenty of businesses waste power without being aware of it. As a result, they spend more than necessary and increase their carbon footprint.
Around offices, it’s not uncommon to see devices that are always on, regardless of whether or not they are in use. Some people won’t, or don’t know how to, set their devices to switch off after a certain amount of idle time.
Fortunately, for Cloud PC users, this is something that you will get assistance with. Windows 365 has power management capabilities that are designed to help businesses minimize the wastage of resources.
By letting you automatically power off virtual desktops that are not currently in use, it helps you reduce energy consumption. This gives you a management control that can also be central to how you monitor energy use within your business.
Benefits of Windows 365’s Energy Efficiency Features
The energy efficiency features discussed in the previous section have several benefits that can be of great importance to your business. These include:
Reduced Energy Consumption
Every business wants to improve how it runs its operations and ultimately improve productivity. And one of the best things about putting in place measures to reduce your carbon footprint is that it allows you to pinpoint inefficiencies in your organization. Addressing issues such as wastage of energy will help create savings that can be invested in other areas.
Other features, such as automatically powering off idle devices, allow you to better assess energy use in your business. This may be an important determining factor if your business is considering scaling your computing resources.
Operating more sustainably also brings increased brand equity. Some consumer surveys report that 55% of consumers prefer products made by businesses that have implemented sustainable practices.
Therefore, reducing your carbon footprint will not only help you to meet your sustainable objectives, but it can boost business as well. And if that is not enough, then you also need to consider current and potential future legislation that may affect your business.
As mentioned earlier, climate change is a hot topic at all different levels. So a lot of regulations are changing, and you may risk finding yourself non-compliant.
Lower Operating Costs
Even if the climate change discussions aren’t something that you are particularly interested in, you cannot ignore solutions that may potentially lower your operating costs. With that in mind, the energy efficiency features of Windows 365 are certainly worth a look.
By providing you with a cloud-based virtual desktop environment, Windows 365 allows you to save costs on purchasing and refreshing devices for your employees. As long as an individual has a device with a modern browser, they can access their Cloud PC relatively easily from any location.
This increased flexibility will also boost operational efficiency and can potentially improve productivity. Additionally, with capabilities such as dynamic provisioning, your business constantly has the resources to operate optimally.
You don’t need to worry about paying for more than you need, because if your computing resources become inadequate, you can always scale up. Another recent addition that helps reduce costs is Windows 365 Frontline. It lets an organization share a pool of Cloud PC licenses among employees who work in shifts, with one user connected per license at a time, so you no longer pay for a dedicated Cloud PC for each shift worker.
Improved Scalability
Scalability can prove to be a major challenge for businesses that operate their own data centers. Not only can this be a complex affair, but it’s often very costly. Windows 365 is built to simplify scalability for businesses, regardless of size.
You can easily provision or de-provision virtual desktops as and when they are needed. Having this capability means that scaling up or down your computing resources becomes a quick and easy solution without significant costs. It also means that whatever happens in your section of the market, you’ll be well-placed to swiftly adapt and gain an edge over other companies.
This can also help you grow your profits significantly, especially when compared to other businesses that may face huge costs when scaling. Furthermore, this improved scalability is great for smaller businesses that need to grow at a pace that does not compromise the quality of service.
Windows 365 has a subscription option targeted at smaller businesses that can be scaled up as operations expand. Taking advantage of a system like this is an excellent choice for the long-term because it is going to promote customer loyalty. Whenever you experience an increase in traffic, you can manage it efficiently while still delivering excellent service.
Increased Productivity
Using cloud-based virtual desktops allows more businesses access to technologies that were in the past only available to a few. The degree of accessibility and flexibility that Windows 365 provides enables businesses to run more efficient operations.
In addition to that, Cloud PC users can collaborate with greater ease from anywhere across the world on any number of projects. With the ease with which employees can do this, your business may experience higher levels of productivity. No longer do you have to contend with the restrictions that often come with working from static locations.
Automation has been a game-changer for users of cloud-computing technologies. Businesses can stop being concerned about a lot of daily tasks that consume time that may be used more productively.
By automating tasks such as scaling, power management, and updates, among others, IT personnel have less to deal with. They can contribute more to core business activities. Moreover, the Windows 365 automation features are crucial in helping to minimize costly errors that compromise efficiency. Virtual desktop users also benefit from the improved data security and disaster recovery measures provided by cloud computing services. Because of this enhanced degree of protection, there is a huge boost in the ease of doing business.
Environmental Responsibility
Cloud computing services are meant to reduce your carbon footprint, minimize emissions, and promote the use of greener energy sources. Large-scale data centers such as Microsoft’s increasingly run on renewable energy, and Microsoft has committed to matching 100% of its electricity consumption with renewable energy purchases by 2025.
Therefore, businesses that are intent on switching to more sustainable operations can leverage solutions like Windows 365. Using this service also means that your business can reduce what it spends on new devices because most employees will be able to access their Cloud PCs on the devices they currently own.
In the long term, this will create significantly less electronic waste and keep you on track to reaching net-zero sustainability. Similarly, the use of the Microsoft cloud and enhanced power management capabilities means that businesses can start to reduce energy consumption.
Even though many may not see it, utilizing these features can be instrumental to reducing your carbon footprint. Coupled with all this, the ability to work remotely can further reduce emissions by limiting how much commuting employees will need to do and also reducing the need for massive corporate offices.
Conclusion
Cloud computing services are playing a massive role in helping enterprises to operate more efficiently and introduce more sustainable solutions. Service providers like Microsoft run large-scale data centers far more efficiently than the average business. As a result of this, businesses using Windows 365 get a solution that allows them to reduce their carbon footprint overall and contribute to a greener planet.
Users of this service get several energy efficiency features such as cloud-based infrastructure, dynamic provisioning, automatic scaling, and power management. These are going to allow businesses to utilize more sustainable options, reduce operating costs, and become more environmentally responsible. Undoubtedly, if we are to have a better future and create a greener planet, everyone will need to play their part.
A lot of progress has taken place in the domain of cloud computing over the last few decades. That evolution is hardly surprising when you consider the way many businesses operate today. Leveraging the best technology on the market can be integral to the success of your business.
But, businesses like yours also need to be able to do so without breaking the bank. This is why the “as-a-service” sector is thriving. Organizations have access to all the resources they need for significantly less than what it would cost for an on-premises infrastructure.
Seeing the need to give clients even better service is why Microsoft brought us Windows 365. Its design changes what you can expect from a desktop-as-a-service platform. Today we’ll go over the most frequently asked questions about Windows 365 so you can discover how it can benefit your business model.
What exactly is Windows 365?
The best place to start is with definitions. A lot of people have heard about Windows 365, but not everyone understands its capabilities and purpose. Part of the confusion comes from Microsoft also announcing Windows 11 in 2021.
Initially, there was some confusion about the two Windows products. However, they are completely different. Unlike Windows 11, which is an operating system that you install on your device, Windows 365 is a cloud-based service. It creates Windows virtual machines for your end users, and it is these virtual machines that Microsoft calls Cloud PCs.
So the goal for Windows 365 is to enable business clients to access these Cloud PCs from anywhere. As mentioned above, Microsoft wants the Windows 365 Cloud PC to be the next step in the evolution of desktop-as-service.
Using Windows 365, clients can access their ‘desktops’ on devices running macOS, iOS, Linux, and Android. Ultimately, this means that Microsoft no longer provides only the operating system; it now also offers virtual hardware, with Windows virtual machines running on its Azure servers. Microsoft CEO Satya Nadella had this to say:
“Just like applications were brought to the cloud with SaaS, we are now bringing the operating system to the cloud, providing organizations with greater flexibility and a secure way to empower their workforce to be more productive and connected, regardless of location.”
Each Cloud PC created will then be assigned to an individual user and thus becomes their dedicated Windows device. Clients will also be able to benefit from the productivity, security, and collaboration provided by Microsoft 365.
As for accessing your Cloud PC, it’s a simple matter of navigating to the Cloud PC website. From there, users sign in using any modern browser. Alternatively, you can also use Microsoft’s Remote Desktop app.
What’s different about Windows 365?
For businesses that already have experience with various VDI platforms, you may rightly be wondering how Windows 365 is different from all the other platforms out there. For starters, simplicity. That’s what Microsoft is aiming for with the Windows 365 service.
When you consider traditional VDI platforms, you’d be looking at setting up servers, installing the necessary applications, and then giving users access. Windows 365 just about eliminates all of the above.
Because Microsoft provides the Cloud PC, Microsoft takes care of the virtualization. This makes operating system deployment a lot faster, and you won’t have to deal with the hassle of hardware and software configuration.
The automation of the various processes also means that there is no need for additional VDI expertise or resources. Microsoft will ensure that you can scale the service as necessary to meet your organization’s needs. And as organizations start to reap the benefits of a highly productive remote workforce, the need for a solution like Windows 365 grows even more.
The ability to customize and provision a desktop based on the users’ needs is beneficial. For the most part, it doesn’t matter what device an individual is using, or whether it is corporate-owned or personal. Because the session is streamed, corporate data stays on the Cloud PC rather than on the personal device, and the Conditional Access and compliance policies discussed later on this page still govern who can connect from it.
How much will it cost me?
Microsoft’s Windows 365 Cloud PC service provides clients with a range of fee options. This gives flexibility to different enterprises, from the small company that only needs a handful of PCs to the larger enterprise with much greater requirements.
Pricing starts at $20 per user per month for the lowest-end SKU and goes up to $162 per user per month for the most expensive configuration.
Clients will also notice that unlike with the consumption-based pricing model that you get with Azure Virtual Desktop, Windows 365 gives you fixed monthly subscriptions. And if you need to scale, then you have the option to choose a different subscription, as well.
For the Windows 365 Business edition, the $20 per user per month fee gets you a single virtual core, 2GB of RAM, and 64GB of storage. That price assumes the Windows Hybrid Benefit, Microsoft’s bring-your-own-license model that lets clients apply an existing (or new) Windows license toward the cost of the product.
Without the Windows Hybrid Benefit, the cost goes up to $24 per user per month. At the other end of the spectrum, the top Business SKU offers eight virtual cores, 32GB of RAM, and 512GB of storage for $158, rising to $162 without the Windows Hybrid Benefit.
Clients that need the Windows 365 Enterprise edition get a similar range of pricing. At the lower end, a single virtual core with 2GB of RAM and 64GB of storage costs the same $20. If your computing needs are much greater, the option with eight virtual cores, 32GB of RAM, and 512GB of storage costs $158 per user per month.
What about licensing?
Licensing for services similar to Windows 365 is typically where things start to get complicated, and expensive. Although Windows 365 will not attract everyone, Microsoft has tried to make their offering reasonably accessible.
Both Windows 365 Enterprise and Windows 365 Business are going to provide a complete cloud-based offering with multiple Cloud PC configurations depending on the needs of the various organizations.
Clients will be able to buy Windows 365 as a separate license per user for a fixed monthly fee to access and use each Cloud PC. However, in some cases, you may incur additional costs based on your network usage.
Windows 365 Enterprise
For this edition of Windows 365, clients can make their purchases directly from Windows365.com or from their account representative. After this, you can then proceed to provision and manage your Cloud PCs using the fully integrated Microsoft Endpoint Manager.
It’s also worth noting that before an individual can use Windows 365 Enterprise, they need licensing for the following: Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1. Although these licenses are available separately, they are also included in:
Microsoft 365 F3,
Microsoft 365 E3,
Microsoft 365 E5,
Microsoft 365 A3,
Microsoft 365 A5,
Microsoft 365 Business Premium,
Microsoft 365 Education Student Use Benefit subscriptions.
So for those who are interested in using Windows 365 Enterprise, but don’t meet the licensing requirements, head over to the Windows 11 Enterprise page or the Microsoft 365 page. There is more information there, along with the ability to purchase the ideal plan to meet your needs.
Windows 365 Business
Similar to the above, clients interested in purchasing Windows 365 Business can also do so directly from Windows365.com. Upon purchase, you can then set up your account without a domain. As for provisioning and management of the Cloud PCs, you can do that directly from the Windows 365 homepage on the web.
Moreover, clients should be happy to note that no additional licenses are required; a credit card is all you need to get started. If you’re already a Microsoft 365 customer, the purchase is completed through the Microsoft 365 admin center, so you simply need to get in touch with your global administrator. Alternatively, your billing administrator can complete the purchase.
What are the device requirements?
One of the major benefits Microsoft intends to provide businesses is a reduction in IT costs, especially related to hardware. Because Windows 365 is essentially PC hardware that runs in the cloud, the importance of your actual physical device is significantly less. As long as you have an internet connection, you’ll be able to operate a reasonably powerful Windows PC. And you can do so using just about any device.
Accessing this Cloud PC is easy. You can use any modern browser or the Remote Desktop app. A setup like this is going to be extremely beneficial for organizations, too. More specifically, it’s a game-changer for those with a sizeable remote or seasonal workforce.
Additionally, your organization won’t need to make a massive investment in hardware for all those employees. Even better is the fact that they’ll be able to easily access these Cloud PCs anywhere, without losing any progress.
In short, all Windows 10 and Windows 11 devices are expected to be compatible with Windows 365. The best part, however, is that clients can also stream a Windows 365 session to hardware running macOS, iPadOS, Linux, and Android.
However, for the best experience, Microsoft recommends devices that have a traditional keyboard and mouse. For the most part, as long as your device has an HTML5 browser and a DSL connection or a wireless internet connection capable of streaming a video, you will be just fine. The amount of bandwidth that you’ll need, however, will depend on your workload.
Which configuration is right for me?
Choosing the right configuration for your business is going to be key. If you want to get the most out of Windows 365, you’ll need to understand your needs. After all, you don’t want to select a configuration that eventually proves incapable of meeting your computing load.
But you also don’t want to pay for resources that you do not need. The best way to choose is to get in touch with Microsoft Support, who can advise on how best to set up your environment.
However, there are some examples we can look at to get a good idea of what you may require:
1vCPU/2GB/64GB – the first configuration is ideal for call centers, frontline workers, and education/training/CRM access.
2vCPU/4GB/64GB – in this scenario, the offer is ideal for short-term and seasonal users, those working from home, customer services, mergers and acquisitions, and Bring-Your-Own-PC situations.
2vCPU/4GB/128GB – suits the same scenarios as above.
2vCPU/4GB/256GB – also suits the same scenarios as above.
2vCPU/8GB/128GB – ideal for market researchers, working from home, Bring-Your-Own-PC scenarios, and government consultants.
2vCPU/8GB/256GB – suits the same scenarios as the previous configuration.
4vCPU/16GB/128GB – ideal for Bring-Your-Own-PC scenarios, working from home, healthcare services, government consultants, and finance.
4vCPU/16GB/256GB – same as previous configuration.
4vCPU/16GB/512GB – same as previous configuration.
8vCPU/32GB/128GB – ideal for content creators, engineers, software developers, and design and engineering workstations.
8vCPU/32GB/256GB – same as previous configuration.
8vCPU/32GB/512GB – same as previous configuration.
Is it the same as Azure Virtual Desktop?
Any business that has previously considered cloud-based solutions will be aware that Microsoft already has another service that it offers called Azure Virtual Desktop (AVD). There are probably plenty of businesses that already use AVD. So understandably they would want to know the advantages of switching. Or is Windows 365 the same as Azure Virtual Desktop?
The simple answer is no. The two products are quite different, although they do share several similarities. For starters, both aim to give clients the latest in what cloud technology has to offer.
This means you’ll get strong security features, a flexible work environment, and a premium remote work experience at a relatively affordable price. There are differences, however. AVD is a cloud VDI platform in which clients customize their own infrastructure and manage the resources that support it.
On the other hand, Windows 365 gives you a fully managed desktop-as-a-service solution. It offers you the great Windows experience that you have to come to expect. All without having to deal with the management of infrastructure.
Technical features
When it comes to the technical side of things, there are several differences that you need to know for you to decide which service is right for your business. Some of the differences are as follows:
Design – Windows 365 has been designed to be simple and easy to use whereas AVD has been designed more for flexibility.
Desktop – clients get personal desktops for Windows 365 and AVD (single session). For AVD (multisession) there are pooled desktops.
Pricing – the pricing structure for AVD follows a consumption-based model whereas Windows 365 offers a fixed per-user per-month pricing.
Subscription – subscriptions are customer-managed for AVD and fully Microsoft-managed for Windows 365 Business. Windows 365 Enterprise is also Microsoft-managed with the exception of networking.
VM SKUs – Windows 365 has various optimized options for multiple use cases. On the other hand, AVD offers any Azure VM including GPU-enabled SKUs.
Backup – AVD clients can use Azure backup services, while Windows 365 Cloud PCs use locally redundant storage for disaster recovery.
In summary
Comparing the two services shows that AVD gets you the best price per user through Windows 10 multisession, which is exclusive to AVD. Azure Virtual Desktop is fully customizable and runs on Azure. It is ideal if you already have experience with VDI solutions, or if you require the flexibility of a fully customized environment.
On the other hand, Windows 365 gives you a solution that is simple and easy to provision. It’s simple to deploy without requiring special IT skills and has predictable pricing. It also gives you the option to scale in either direction, according to the needs of your business.
Therefore, if you have no previous experience with Azure Virtual Desktop, as well as a hybrid or seasonal workforce that needs PC management, then Windows 365 is the choice for you.
How secure is Windows 365?
Arguably one of the biggest concerns for businesses regarding cloud-based solutions is cyber security. Cloud solutions enable businesses to have their employees working from home while using personal devices. This means the risk of compromise is very high if security is lacking.
Personal devices, home networks, and remote sign-ins all widen the attack surface. Microsoft is well aware of these concerns and offers several guidelines to help improve the security of your Cloud PCs. These are as follows.
Conditional Access
Using Conditional Access policies is highly recommended to maintain strict control over the devices and apps that can access company resources. Conditional Access also helps you to secure end-user access to Windows 365. Another way to further enhance that security would be to use Azure AD multi-factor authentication to verify users.
Microsoft Defender
Microsoft advises onboarding Cloud PCs to Microsoft Defender for Endpoint so that you can identify threats and mark affected devices as non-compliant. Intune device compliance policies can use the Defender machine risk score as a compliance signal, and Conditional Access can then act on the result.
Blocking High-Risk Devices
Devices with a high risk level need to be blocked from accessing corporate resources until the issues are resolved. You can do this by combining Intune compliance policies with Conditional Access policies: the compliance policy identifies the high-risk device, and the Conditional Access policy denies it access until it is compliant again.
Up-To-Date OS
Keeping your OS up to date is a key aspect of maintaining a strong security posture. Updates bring security fixes and new features that improve the user experience while hardening your corporate network. For Cloud PCs, IT admins can use Endpoint Manager to configure Intune Windows 10/11 update rings and Windows Update for Business policies.
Admin Security
Another security measure that Microsoft has put in place is that Windows 365 Enterprise end-users will not be admins of their Cloud PCs. This particular feature comes as a default setting.
Integrations
Lastly, Microsoft has integrated Windows 365 with Microsoft Defender for Endpoint. This lets security and endpoint admins work together to manage the Cloud PC environment in the same way they manage physical endpoints. Consequently, onboarded Cloud PCs will:
Send data to Microsoft 365 Secure Score.
Appear in the Microsoft Defender for Endpoint Security Center dashboards and in threat analytics when unhealthy.
Respond to remediation actions in the same way as other managed devices.
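The Conditional Access and high-risk-device guidance above can be turned into a single policy. The following is an added example written for this page, not code from Microsoft or the original article. It uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy that requires multi-factor authentication and a compliant device for sign-ins to the Windows 365 apps, so that a Cloud PC marked non-compliant by an Intune compliance policy (for example because of its Defender for Endpoint risk score) is denied access. The group name "Cloud PC Users" is a hypothetical placeholder; the app IDs are looked up by service principal display name rather than hard-coded, and the policy is created in report-only mode so you can review sign-in logs before enforcing it.

```powershell
# Added example (not Microsoft's or the original article's code).
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can
# consent to the scopes below. The group name is a hypothetical placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Resolve the group of Cloud PC users (hypothetical name; replace with your own).
$group = Get-MgGroup -Filter "displayName eq 'Cloud PC Users'"
if (-not $group) { throw "Target group 'Cloud PC Users' not found in this tenant" }

# Windows 365 sign-ins flow through these first-party apps. Resolving them by
# display name avoids hard-coding app IDs; an app that has never been used in the
# tenant may not have a service principal yet, so missing ones are skipped with a warning.
$appNames = @("Windows 365", "Azure Virtual Desktop", "Microsoft Remote Desktop")
$appIds = foreach ($name in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if ($sp) { $sp.AppId } else { Write-Warning "Service principal '$name' not found; skipping" }
}
if (-not $appIds) { throw "No Windows 365 service principals resolved; nothing to protect" }

$policy = @{
    displayName   = "Windows 365 - require MFA and compliant device"
    # Report-only first: check the Conditional Access sign-in log, then set to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @($appIds) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: both MFA and a compliant device are required, so a Cloud PC that
        # Intune marks non-compliant (e.g. high Defender risk score) is blocked.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Keep the policy in report-only mode until the sign-in log shows the expected users being evaluated, and exclude a break-glass account before enforcing it; a Conditional Access policy that locks out every admin is the classic self-inflicted outage.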
What features does Windows 365 Business have?
Windows 365 Business is the edition made for smaller organizations. More specifically, it is meant for businesses that need to deploy no more than 300 Cloud PCs. As far as technology prerequisites go, Microsoft has made it very simple for businesses.
All you’ll need to do is use the Windows 365 cloud portal to purchase, deploy, and manage Cloud PCs at any time.
Furthermore, because everything works with Azure natively, Windows 365 Business clients aren’t going to require an Azure subscription or domain controller. Your workload will be lighter, as all the components will be running inside the Microsoft cloud and managed by Microsoft.
Purchasing Windows 365 Business can be done directly from the Microsoft 365 admin center. Upon purchase, you can then set up your account without a domain. And you can provision and manage cloud PCs directly from the Windows 365 web portal.
Other Advantages
Another advantage that comes with Windows 365 Business is that no other licenses are needed. So getting started is very easy and may only require a credit card.
The self-service capabilities on offer enable end-users to perform maintenance on cloud PCs via the Windows 365 web portal. The actions supported include Restart, Rename, and Reset (which allows you to remove your personal files, apps, or changes that you may have made to settings).
It’s also important to back up your important files to a cloud storage service or external storage before resetting, because the reset deletes them. Windows 365 Business also has native Azure AD support, so clients don’t need an existing Active Directory domain or Azure subscription.
In addition to Windows 365, Microsoft also announced the successor to Windows 10 in 2021. And given that Windows 11 is the ideal operating system to optimize hybrid work, it’s great to know that new Cloud PCs will come with this OS installed by default. So organizations will benefit from all the new improvements to Windows. They’ll additionally enjoy the enhanced security features that come with it.
What features does Windows 365 Enterprise have?
Windows 365 Enterprise is the ideal edition for larger organizations. Unlike Windows 365 Business, which tops out at 300 users, Enterprise has no such limit.
If your objective is to manage Cloud PCs with Microsoft Endpoint Manager (MEM) and leverage the integrations with other Microsoft services, Windows 365 Enterprise is the edition to buy.
You then benefit from services such as Azure Active Directory and Microsoft Defender for Endpoint. Although this edition has no seat limit, each user still needs licenses for Windows 10 or Windows 11 Enterprise, Microsoft Endpoint Manager (Intune), and Azure Active Directory P1.
Purchasing and Setup
Purchasing is done via Web Direct, Enterprise Agreements (EA), or CSP, and license assignment via the Microsoft 365 admin center. Enterprise clients bring their own Azure VNet for networking, since networking isn't included in the license.
As for the administration side of things, the provisioning can be configured and customized to meet the specific needs of your organization. Your admins can set up the VNet, configure user permissions, and then assign the policy to an Azure AD group.
After that, the admins can proceed to provision the Cloud PCs with a choice of either standard gallery images or custom images. Clients using this version also get support for Group Policy Objects (GPO), Intune MDM, and application deployment.
End users can restart, rename, and troubleshoot their Cloud PCs from the Windows 365 homepage. By default, users are assigned the standard user role on their Cloud PCs; when needed, admins can change this in the Microsoft Endpoint Manager admin center. As with Windows 365 Business, users access their Cloud PCs via the Remote Desktop app or at windows365.microsoft.com in any modern browser.
Furthermore, you enjoy great security measures with Conditional Access that can be implemented using the MEM admin center or Azure AD. In addition, there is support for per-user multi-factor authentication and integration with Microsoft Defender for Endpoint.
How do you deploy Windows 365?
Once you have purchased the Windows 365 licenses that your organization needs, the Windows 365 node in Microsoft Endpoint Manager becomes active for management. So now you can begin provisioning your Cloud PCs. Setting up your system to provision Cloud PCs will require you to follow the steps below.
Assign licenses
For a user to have access to a Cloud PC, they will need to have a Windows 365 license assigned to them. You can use the following methods to assign the licenses:
For individual users, you have the option of using the Microsoft 365 admin center.
For group license assignments, you have the option of using the Azure AD admin center.
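The two assignment paths above, as an added example written for this page rather than taken from the original article or from Microsoft, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that your Windows 365 SKU part numbers start with `CPC_` (confirm with `Get-MgSubscribedSku`), and the user principal name and group name are placeholders. It also checks the two things that most often make an assignment silently fail: no free seats, and a user with no usage location.

```powershell
# Added example, not from the original article: assign a Windows 365 license to one
# user and to an Azure AD group, then verify. Placeholders: $userUpn, $groupName.
# Assumption: Windows 365 SKUs in this tenant have part numbers beginning with 'CPC_'.

Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Organization.Read.All'

$userUpn   = 'alice@contoso.com'       # placeholder
$groupName = 'W365-Enterprise-Users'   # placeholder

# 1. Locate the Windows 365 SKU and make sure a seat is actually available.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -like 'CPC_*' } | Select-Object -First 1
if (-not $sku) { throw 'No Windows 365 (CPC_*) SKU found in this tenant.' }
$freeSeats = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($freeSeats -le 0) { throw "SKU $($sku.SkuPartNumber) has no free seats." }

# 2. Individual assignment. Graph refuses to assign a license to a user with no usage location.
$user = Get-MgUser -UserId $userUpn -Property Id,UsageLocation,AssignedLicenses
if (-not $user.UsageLocation) {
    Update-MgUser -UserId $user.Id -UsageLocation 'US'   # use the user's real country code
}
if ($user.AssignedLicenses.SkuId -notcontains $sku.SkuId) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
}

# 3. Group-based assignment (needs Azure AD P1). Every current and future member of the
#    group gets a Cloud PC, so treat membership of this group as a privileged change.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if ($group) {
    Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
}

# 4. Verify: the CPC SKU should now appear, whether assigned directly or inherited from the group.
(Get-MgUserLicenseDetail -UserId $user.Id).SkuPartNumber
```

Because group-based assignment turns group membership into a license grant, restrict who can add members to that group (owners, dynamic membership rules, or access reviews) exactly as you would for any group that gates a paid or privileged resource.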
An on-premises network connection (OPNC, since renamed Azure network connection) is the crucial element that allows you to provision Cloud PCs attached to a virtual network under your management. Microsoft allows 10 OPNCs per tenant. Creating an OPNC requires you to meet a few criteria:
You need to hold the Intune Administrator role in Azure AD.
You also should have Owner permissions on the Azure subscription that contains the VNet with connectivity to your on-prem domain controller and network.
Finally, you should have a PowerShell execution policy that is set up to enable RemoteSigned scripts. And for those that use Group Policy to set execution policy, you’ll need to ensure that the GPO targeted at the Organizational Unit defined in the OPNC is configured to allow RemoteSigned scripts.
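A pre-flight script for the three prerequisites just listed, added here as an example and not taken from the original article or from Microsoft. It assumes the Az and Microsoft.Graph PowerShell modules are installed, and the subscription ID and admin UPN are placeholders. Two caveats a practitioner should know: `Get-MgDirectoryRole` only returns roles that have been activated in the tenant, and a role held only as a PIM-eligible assignment will not show up until it is activated.

```powershell
# Added example, not from the original article: check the OPNC prerequisites before
# creating the connection. Placeholders: $subscriptionId, $adminUpn.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$adminUpn       = 'admin@contoso.com'                       # placeholder
$problems = @()

# 1. Intune Administrator directory role. Only activated roles are listed, and
#    PIM-eligible (not yet activated) assignments are not visible here.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All'
$admin      = Get-MgUser -UserId $adminUpn -Property Id
$intuneRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Intune Administrator' }
$isIntuneAdmin = $intuneRole -and
    ((Get-MgDirectoryRoleMember -DirectoryRoleId $intuneRole.Id).Id -contains $admin.Id)
if (-not $isIntuneAdmin) { $problems += "$adminUpn does not hold the Intune Administrator role." }

# 2. Owner on the subscription that holds the VNet. -ExpandPrincipalGroups also
#    counts Owner assignments granted through group membership.
Connect-AzAccount -Subscription $subscriptionId | Out-Null
$owner = Get-AzRoleAssignment -SignInName $adminUpn -Scope "/subscriptions/$subscriptionId" -ExpandPrincipalGroups |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' }
if (-not $owner) { $problems += "$adminUpn is not Owner on subscription $subscriptionId." }

# 3. Effective execution policy must permit RemoteSigned scripts. Get-ExecutionPolicy
#    without -List returns the effective policy after Group Policy has been applied.
$effective = Get-ExecutionPolicy
if ($effective -in 'Restricted','AllSigned') {
    $problems += "Effective execution policy is '$effective'; RemoteSigned scripts will not run."
}
# Show each scope so you can see whether a GPO (MachinePolicy or UserPolicy) is overriding.
Get-ExecutionPolicy -List | Format-Table -AutoSize

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { 'All OPNC prerequisites satisfied.' }
```

If the MachinePolicy or UserPolicy scope shows Restricted or AllSigned, the fix is in the GPO targeted at the OU named in the OPNC, not on the local machine, because Group Policy scopes take precedence over the local and CurrentUser scopes.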
Provide users a localized Windows experience
A great way to improve end-user comfort, and potentially productivity, is to present Windows in a language the user is comfortable with. A localized Windows experience can be configured in a provisioning policy or by creating a custom device image.
One of the announcements made by Microsoft in February 2022 regarding Windows 365 Enterprise, talked about an important update that will enhance the user experience for different users from across the globe. The objective is to enable you to configure a Language & Region pack that can be installed on the Cloud PCs during provisioning when you are creating your provisioning policy.
At present, there are 38 languages available. And Microsoft will allow you to change the configured language for existing provisioning policies and subsequently reprovision any desired Cloud PCs.
Add or delete custom device images
Microsoft enables you to use a custom device image by simply adding it into your Azure subscription. From there, you can use it for Cloud PC provisioning. The standard Azure Marketplace gallery is where you’d navigate. Or you could also create your own custom-managed image. For those with a Shared Image Gallery in Microsoft Azure, they can convert one of those images into a managed image.
Create a provisioning policy
The last step is to create a provisioning policy, which provisions Cloud PCs with the image of your choice and targets Azure AD security groups. Provisioning policies hold the key provisioning rules and settings that allow the Windows 365 service to set up and configure the right Cloud PCs for your users. Once the provisioning policies have been created and assigned to Azure AD user security groups or Microsoft 365 Groups, the Windows 365 service will:
Check the appropriate license for each user.
Configure each Cloud PC as necessary.
Why should our organization be interested?
Remote work has been a major topic of discussion, especially over the last few years. Therefore, Windows 365 is available at the best time. The concept of the Cloud PC will help your organization by simplifying the process of having your staff working remotely.
By having a PC running in the cloud, your workforce can access their desktops from anywhere without difficulty. This kind of flexibility is something that can make your organization more attractive when it comes to attracting and retaining talent.
Windows 365 not only lets you take advantage of hybrid work; it also addresses what is probably your next concern, security. With Windows 365, your data is stored in the cloud, where Zero Trust principles apply.
Moreover, Microsoft Endpoint Manager helps fortify the platform. Organizations can rest easy knowing that their workers remain productive off-premises without compromising the security of the organization's data. And if you need to scale, that is equally straightforward.
Other Benefits
Windows 365 enables you to configure the size, CPU, and RAM of your Cloud PCs according to your needs. This versatility means that if the need arises to increase or reduce the computing resources that you require, you’ll be able to do so.
Windows 365 also aims to lower your hardware expenses. Because users' desktops run in the cloud, you won't face significant costs for high-end devices.
In addition, you potentially won’t have to refresh your organization’s hardware as frequently. The Cloud PC will be handling the heavy computing on the Azure servers. Your organization may also save costs during the setup process.
Since Microsoft designed Windows 365 for ease of use, setting it up is not going to require you to bring in specialist IT professionals onto your team. Your IT people will be able to deploy and manage the configuration of any PC, much like they have been doing all along.
What kind of support is available?
Undoubtedly every organization that wants to sign up for Windows 365 would like to know about support. The last thing you need is the kind of problem that prevents your staff from accessing their Cloud PCs. Microsoft offers support for Windows 365 clients in various ways, depending on how your Windows 365 subscription was purchased.
If you made your purchase via the self-service feature, you can request support through the Microsoft 365 admin center. For those who would have made their subscription purchases through volume licensing, they will need to contact their Microsoft account managers for assistance.
And lastly, if your Windows 365 subscription was purchased through a Microsoft Cloud Solution Provider (CSP), the latter can submit support requests for you. These requests, which can be for non-technical issues such as enrollment, membership, billing, subscription, and user management, can be submitted in the Microsoft Partner Center.
Can I use my apps on Windows 365?
According to Microsoft, Windows 365 was designed with compatibility in mind, in line with the goal of keeping clients' apps compatible with the latest versions of Microsoft software. So if you have apps that ran on Windows 7, Windows 8.1, or Windows 10, they should work on Windows 365 as well. And if you have any challenges with your apps, Microsoft can help you address them for free, with an eligible subscription, through the FastTrack App Assure program.
Wrap Up
Windows 365 is a service that has plenty to offer your organization. Although it may not be the first such product in the domain of virtualization technology, it intends to perform like no other before it.
One of the key goals is to make cloud computing technology available to as many people as possible and easy to use. The recent global pandemic showed what can happen to countless organizations when adequate solutions aren't available.
Going forward, I believe that the remote workforce will continue to grow and businesses will need to find ways to take advantage of this. Sometimes the ideal person for a particular task may be on the other side of the globe. And by leveraging Windows 365 and its communication channels, collaborating with anyone anywhere can be safe and easy.
And if there’s anything else that you may need answers to, Microsoft will be hosting monthly Windows 365 Ask Microsoft Anything events, on the fourth Wednesday of each month. Now, there’s no denying that the Windows 365 Cloud PC may not be for everyone. But, it’s certainly a product that’s worth taking a good look at.
It’s safe to say that science and technology have proven invaluable to humanity for thousands of years. When we look at examples of “innovation” just a few hundred years ago, it’s a much different dynamic than the innovation of today. Thinking about just a few short decades ago, let alone a thousand years ago, a lot of people may understandably not be impressed.
But everything we benefit from today had to start somewhere. And similarly, centuries from now people will look at all our 'fancy' science and technological innovations without the 'wow' factor we may feel. In today's article, we want to go over the great advancements of today and explore work we are seeing from institutions such as the Pacific Science Center and from Microsoft at Microsoft Ignite.
Why is all this important?
The simplest answer to this question is that science and technology just make our lives easier and more comfortable. I mean, just take the last few years as an example, at the height of the COVID-19 pandemic. Technology made it possible to endure restricted movement and still keep in touch with our loved ones through video calls, phone calls, texts, etc.
Furthermore, it wasn’t just families and friends that benefited. A lot of businesses were able to maintain operations by having their employees working from home. These kinds of solutions helped maintain the sanity of countless millions. It simultaneously enabled businesses to keep the doors open.
The beauty of all this is that people all across the globe can benefit from great tech. Because of things like online courses, e-books, e-libraries, and more, people no longer need to travel great distances to acquire the knowledge.
It could be as simple as powering on a device with internet access. And you can meet people that you may previously never had the opportunity to learn from otherwise. Science and technology can help entire countries grow their economies. It’s innovation that improves healthcare, ensures food security, creates employment, and so much more.
Pacific Science Center
When we talk about creativity and innovation in the field of science, it would be remiss not to mention the work being put in at the Pacific Science Center. It is an independent, not-for-profit institution that serves nearly 1 million people in the Pacific Northwest and beyond each year.
For over 60 years, it has been promoting innovation by trying to increase accessibility to science so that we can continue to build solutions to some of life’s greatest challenges. By attempting to get people interested in science from an early age, this institution can tap into the greatest minds out there. We can look forward to science and technology evolving at an even greater pace, making our lives significantly better.
WHAT TO EXPECT?
All one has to do is visit the center, and the warm hospitality that will greet you should be enough to arouse the natural curiosity that exists in us all. At the center, there are several exhibits to be explored and immersive STEM experiences that are uniquely designed to stimulate the imagination. These experiences include:
The Tropical Butterfly House
This place is home to hundreds of beautiful butterflies that have been placed in their tropical habitats. The countless eye-catching butterflies with their rich colors are a sight to behold. Visitors can take advantage of the butterfly and plant identification guides to test their scientific skills of observation.
The Willard Smith Planetarium
Here, the visitors will get an incredible opportunity to discover space in a way that they’ve probably never done before through live, immersive experiences. You can indulge your curiosity about space by going off to the furthest parts of the universe, or you can stay closer to home and go exploring the planets in our solar system. To give you the best possible experience, the shows will be live and the content can be tailored to the interest of the guests.
The hands-on Tinker Tank Makerspace
This wonderful experience allows you to get physically involved by attempting the various engineering and design challenges. Guests can also pick up new skills that can help them build something from nothing and then develop that creation into something even more impressive. By carrying out experiments and getting involved in the innovative process, guests will get a complete experience of not just observing but doing as well.
The Salt Water Tide Pool
Here, guests will be given the exhilarating experience of getting a closer look at the local marine life from the Puget Sound region. You’ll have the chance to explore the vast marine life that exists in tide pools found at the local beaches. Guests can get up close and personal with these marine animals, learn more about them, and see how they act in this Salt Water Tide Pool that has been designed to replicate the conditions in the Puget Sound region where these animals are from.
Clearly, one of the main objectives of having these experiences is to encourage people to ask questions, test theories, and reassess just about everything they have come to accept in their lives. This is how humanity has changed things for the better over thousands of years.
There is a constant need for people to question what many may consider irrefutable facts. It is in doing so that discoveries are made, and innovation is brought into existence.
This is something that the Pacific Science Center (PacSci) has been trying to ignite in children since its birth at the 1962 World's Fair in Seattle. When it opened, it was the first science and technology center in the U.S.
For over 60 years since then, PacSci has devoted a lot of effort to increasing the accessibility of science. It continues to ensure that the center can function as a vital resource for educators. The goal of this is to encourage discovery as well as experimentation while taking advantage of the available resources to essentially become one massive community laboratory.
Tech innovation
When it comes to technological innovation, there are few, if any, who can make a case for being better than the people working at Microsoft. For decades now, this tech giant has been one of the leaders in this space, bringing to market products and services that have introduced significant changes to not only how we operate our businesses but how we interact with technology in our homes.
And every year, Microsoft hosts an annual conference known as Microsoft Ignite for developers and IT professionals where we get introduced to the latest and most exciting tech innovations. Furthermore, for attendees, this presents an opportunity to engage with Microsoft leaders and experts, learn new things in hands-on labs, and get a first-hand experience of what the future may hold.
But it’s also worth noting that Microsoft Ignite does not only target the IT pro or developer. You’ll find content that will be helpful for individuals in all roles, including administrators, implementers, data architects, application engineers, cloud architects, senior advisors, security professionals, and decision-makers. So, there will be something for everyone to enjoy.
Additionally, you’ll get the benefit of networking with people from all across the globe who are experts in different areas of technology. The deep technical training, breakout sessions, keynotes, and immersive learning experiences will ensure that attendees get the best experience learning from the teams that are responsible for product-building.
Microsoft wants to help interested parties attend Microsoft Ignite so much that they even have a Convince your manager template to support you. This is specifically aimed at individuals who want to attend the event, but whose bosses may be reluctant to let them go.
Accommodation has also been arranged conveniently within downtown Seattle, so Microsoft Ignite attendees remain within walking distance of the Summit building of the Seattle Convention Center.
Microsoft Ignite 2023
The Microsoft Ignite conference typically runs over a few days. In 2023, the event is in Seattle from November 14th to 17th. Unsurprisingly, in-person attendance is already sold out, so Microsoft is encouraging other interested parties to attend virtually.
Attendees can expect to have sessions, discussions, and interactions. These sessions will increase their knowledge, build a greater network of connections, and enhance the vision they may have for a future. And it’s a future exploding with technological excellence. Experts will be available to help you understand how to leverage the latest technologies. You will also have guidance so that your business can strive towards achieving core objectives.
And with all the multidisciplinary experts in attendance, you are bound to gain more than you expect in such a short time.
Some of the key sessions to look forward to include:
Unlock Productivity with Microsoft Copilot – presented by Rajesh Jha, Executive Vice President, Experiences + Devices, and Jared Spataro, Corporate Vice President, Modern Work and Business Applications. This session will enable attendees to learn how to unlock productivity and transform business processes for everyone across functions and industries.
The future of security with AI – presented by Charlie Bell, Executive Vice President, Microsoft Security, and Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity & Privacy. In this session, there will be plenty to learn concerning how Microsoft is delivering AI for security with Security Copilot. Also discover how enabled organizations will secure and govern AI with new capabilities.
AI transformation for your organization with the Microsoft Cloud – presented by Scott Guthrie, Executive Vice President, Cloud + AI Group. For this session, attendees can expect to gain a deeper understanding of how the Microsoft Cloud helps customers transform. They do so by building AI solutions and unlocking insights using the same platform and services that power all of Microsoft’s comprehensive solutions.
Inside Microsoft AI innovations – presented by Mark Russinovich, Chief Technology Officer and Technical Fellow for Microsoft Azure. In what should be another great session, attendees will be getting to see just what they will get with Microsoft’s AI architecture. This includes the technology behind supercomputers and data centers and AI-aware resource management. Additionally included are advancements in confidential computing to safeguard data during processing.
Improving the quality of life
As with anything in life, it’s just about impossible for everyone to agree on something. Regardless of what the issue may be, there will always be loyalists and antagonists. And when it comes to technology, the same applies as people forge alliances with certain technologies and solutions over others.
Set aside whatever you may think about the benefits of particular technologies; not everyone can or will agree with that point of view. So, in this section, we'll highlight some of the ways technology improves the quality of many people's lives.
SIMPLIFIED COMMUNICATION
We all know just how important communication is to humanity in all aspects of our lives. Whether it’s family, business, social, etc., communication is key to how we live our lives. And I think we can sometimes take for granted how easy communication is for us today. Unlike in centuries or decades ago, today, you can have “face-to-face” conversations with just about anyone on any continent at any time.
The importance of this cannot be overstated. It’s mission-critical, especially when we consider the migration of people across the globe. Families can easily stay in touch regardless of where one may be. Businesses can seamlessly work with customers from other parts of the world. And within seconds, anyone can share crucial analytic information.
IMPROVED HEALTHCARE DELIVERY
Most of us have probably experienced the frustration of endless hours spent in a waiting room to see a doctor. With the technologies at our disposal today, this no longer needs to be the case. Patients can set up their appointments according to what works for their schedules. They can easily check if their doctor’s office is open, as well.
Healthcare workers can also work more efficiently by leveraging the technologies available to them. Switching over to digital records means that patients’ files will be easily accessible and less likely to be misplaced. Physicians can easily consult in cases (or even surgeries) from other countries. And they’re brilliantly effective while sitting in the comfort of their homes or offices.
ACCESS TO INFORMATION
Technology has opened up access to information in a way that would have seemed fantastical a mere century ago. But today, anyone across the globe can access almost any information they need at the click of a button.
No longer do you need to spend hour after hour in a library to find answers. Say goodbye to scouring books, newspapers, research papers, etc., trying to find that elusive information. Provided internet access is reliable, children in remote parts of the world can access most of the same educational resources as those from wealthy backgrounds attending expensive private schools.
CHANGING THE WORKING ENVIRONMENT
It’s not surprising that with all the advances we have witnessed in the field of technology, the work environment would also change accordingly. In recent years, there has been a lot of discussion about flexible working conditions with a particular emphasis on remote work.
There are now products and services on the market, such as the Windows 365 Cloud PC, that enable employees to work remotely. Virtualization services have allowed users to basically carry their desktops with them wherever they go. An added benefit is that it allows employees to work more flexibly. And this alone can help businesses boost efficiency and productivity.
IMPROVED FINANCIAL SECTOR
Working remotely is not only possible because of virtualization services but it’s also made possible because of financial technology (fintech). This solution is what has enabled businesses to hire and pay employees from other parts of the world.
By leveraging the ability to transact through the virtual financial system, the business sector is making improvements in economic equity. We’ve also witnessed rising problems in the global economy. Those issues inspired the creation of a conducive environment for the development of financial technology.
Wrap up
Change is a part of the human fabric, and we should always be willing to welcome developments that can make life better for all. Not only should we be focused on short-term benefits. But we should be looking for solutions that will benefit the generations to come as well. This is part of what has made the Pacific Science Center the success that it is.
Encourage people to immerse themselves in breathtaking experiences that can change how they perceive the world around them. Doing so can only further the cause of science and technology. Combine that with events like Microsoft Ignite, and you can have the ultimate immersion experience of science and technology. We never know where or from whom the next big idea or development may come from.
Every business is now very much aware of the very real threats of attacks that are lurking out there. And for any that aren’t aware, then those threats are even greater. Time and again, we hear of businesses under cyber attacks and critical data compromised. With this in mind, we all need to be looking at ways to enhance our data security.
Otherwise, your business could soon fall victim to hackers. Given the multitude of threats that businesses are constantly dealing with, Microsoft has introduced Windows Autopatch to help improve security. This solution intends to streamline the update process, thus enabling businesses to operate better. In this business solutions article, we will be exploring Windows Autopatch groups and how they function.
Windows Autopatch Recap
For the benefit of those who may not yet be familiar with the service, I’m going to start by going over what Windows Autopatch is. IT admins can attest to the challenges that they sometimes face when it comes to keeping the devices in their environments up to date. Although service providers may offer updates regularly, the process of implementing these updates can sometimes present plenty of challenges to IT staff.
With that in mind, what you get with Windows Autopatch is a cloud-based service that seeks to automate the updates for Windows, Microsoft 365 Apps for Enterprise, Microsoft Teams, and Microsoft Edge.
Due to the automation of these updates, your business can expect to improve security and productivity across the organization. Over the years, we have grown accustomed to getting regular updates. Despite that, the process of implementing them is not always a seamless one. And that’s in addition to the plethora of other tasks that IT admins are responsible for managing. The Windows Autopatch solution gives you a more reliable update method that improves efficiency.
Windows Autopatch Groups
Windows Autopatch also uses groups to manage updates in a way that minimizes issues and improves the experience for your business. Autopatch groups, by definition, are logical containers or units that bring together several Azure AD groups and software update policies.
Windows Autopatch aims to adapt to the needs of businesses that are using Microsoft Cloud-Managed services. It is going to meet you wherever you may be in your update management journey. The first benefit that you’ll be able to get from Autopatch groups is that they can replicate your organizational structure.
What this means is that you can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. Furthermore, the use of Autopatch groups allows you to choose which software update deployment cadence is most ideal for your business.
Another benefit is a flexible number of deployments. As a result of this flexibility, you get to have the ideal number of deployment rings that will work perfectly for your business. Depending on your needs, you can have as many as 15 deployment rings per Autopatch group.
The next benefit you’ll get is being able to decide which device or devices will belong to deployment rings. In addition to your existing device-based Azure AD groups, as well as choosing the number of deployment rings, your business also has the option to select which devices belong to deployment rings during the device registration process when setting up Autopatch groups.
AUTOPATCH GROUPS WORKFLOW
There are a few steps in this high-level workflow, including these below:
The first step requires the creation of an Autopatch group.
Next, the Windows Autopatch service is going to leverage Microsoft Graph to facilitate the creation of:
Azure AD groups.
Software update policy assignments with other Microsoft services, such as Azure AD, Intune, and Windows Update for Business (WUfB), based on the IT admin's choices when creating or editing an Autopatch group.
Intune assigns software update policies. You’re going to find that Intune assigns the software update policies to these groups as soon as the Azure AD groups become available in the Azure AD service. In addition, Intune will also provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service.
Lastly, we’ll go over the Windows Update for Business responsibilities and these include:
Delivering update policies.
Retrieving update deployment statuses back from devices.
Sending back the status information to Microsoft Intune and then to the Windows Autopatch service
Things to know
Before you can proceed to use Windows Autopatch groups, there are a few key concepts that you’ll need to familiarize yourself with.
DEFAULT AUTOPATCH GROUP
If your organization can meet its business needs using the pre-configured five-deployment ring composition, then you are the ideal candidate for the Default Autopatch group. The group has the intention of serving businesses that want to enroll in the service as well as those that want to align to Autopatch’s default update management process without the need for additional customizations. Furthermore, this group uses Windows Autopatch’s default update management process recommendation and contains:
A set of 5 deployment rings.
A default update deployment cadence for both Windows feature and quality updates.
You should also note that you cannot delete or rename the Default Autopatch group. But you can still customize its deployment ring composition to add and/or remove deployment rings, and you can customize the update deployment cadence for each deployment ring within it.
Default deployment ring composition
The default deployment rings, each represented by an Azure AD assigned group, are as follows:
Deployment ring | Use
Windows Autopatch – Test | Can only be used with Assigned device distributions.
Windows Autopatch – Ring1 | Can be used with Assigned or Dynamic device distributions, or a combination of both.
Windows Autopatch – Ring2 | Can be used with Assigned or Dynamic device distributions, or a combination of both.
Windows Autopatch – Ring3 | Can be used with Assigned or Dynamic device distributions, or a combination of both.
Windows Autopatch – Last | Can only be used with Assigned device distributions.
Note that the Last deployment ring, the fifth ring in the Default Autopatch group, is intended to cover specialized devices and/or VIP/executive users. To minimize potential disruption to the business, these devices should receive software updates after the organization’s general population.
Default update deployment cadences
The Default Autopatch group provides default update deployment cadences for its deployment rings, with the exception of the Last (fifth) deployment ring.
Update rings policy for Windows 10 and later
Windows Autopatch groups set up an Update rings policy for Windows 10 and later for each of the default rings in the Default Autopatch group. The default policy values are:
Policy name | Azure AD group assignment | Quality updates deferral (days) | Feature updates deferral (days) | Feature updates uninstall window (days) | Deadline for quality updates (days) | Deadline for feature updates (days) | Grace period (days) | Auto restart before deadline
--- | --- | --- | --- | --- | --- | --- | --- | ---
Windows Autopatch Update Policy – default – Test | Windows Autopatch – Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes
Windows Autopatch Update Policy – default – Ring1 | Windows Autopatch – Ring1 | 1 | 0 | 30 | 2 | 5 | 2 | Yes
Windows Autopatch Update Policy – default – Ring2 | Windows Autopatch – Ring2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes
Windows Autopatch Update Policy – default – Ring3 | Windows Autopatch – Ring3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes
Windows Autopatch Update Policy – default – Last | Windows Autopatch – Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes
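To see what those deferral, deadline and grace values mean in calendar terms, here is an added example (not part of the article, and not the Autopatch service's own logic) that turns the default Update rings values for quality updates into dates for one monthly release. It assumes the deadline is counted from the day the update is first offered to a ring (after that ring's deferral) and that the grace period runs from the deadline; the ring values are copied from the table above.

```powershell
# Added example: quality-update timeline per ring from the default policy values.
# Assumptions: deadline counts from the day the update is offered to the ring
# (i.e. after its deferral); grace period runs from the deadline.

# Default ring values from the table (days).
$DefaultRings = @(
    [pscustomobject]@{ Ring = 'Test';  Deferral = 0;  Deadline = 0; Grace = 0 }
    [pscustomobject]@{ Ring = 'Ring1'; Deferral = 1;  Deadline = 2; Grace = 2 }
    [pscustomobject]@{ Ring = 'Ring2'; Deferral = 6;  Deadline = 2; Grace = 2 }
    [pscustomobject]@{ Ring = 'Ring3'; Deferral = 9;  Deadline = 5; Grace = 2 }
    [pscustomobject]@{ Ring = 'Last';  Deferral = 11; Deadline = 3; Grace = 2 }
)

function Get-PatchTuesday {
    # Second Tuesday of the given month: the day the monthly security release ships.
    param([int]$Year, [int]$Month)
    $first  = [datetime]::new($Year, $Month, 1)
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-QualityUpdateSchedule {
    param(
        [Parameter(Mandatory)][datetime]$PatchTuesday,
        [object[]]$Rings = $DefaultRings
    )
    foreach ($r in $Rings) {
        $offered  = $PatchTuesday.AddDays($r.Deferral)   # first day the ring sees the update
        $deadline = $offered.AddDays($r.Deadline)        # install is enforced from here
        $graceEnd = $deadline.AddDays($r.Grace)          # latest point for the forced restart
        [pscustomobject]@{
            Ring             = $r.Ring
            Offered          = $offered.ToString('yyyy-MM-dd ddd')
            Deadline         = $deadline.ToString('yyyy-MM-dd ddd')
            ForcedRestartBy  = $graceEnd.ToString('yyyy-MM-dd ddd')
            DaysAfterRelease = ($graceEnd - $PatchTuesday).Days
        }
    }
}

# Usage: schedule for the June 2024 release (second Tuesday = 11 June 2024).
$pt = Get-PatchTuesday -Year 2024 -Month 6
Get-QualityUpdateSchedule -PatchTuesday $pt | Format-Table -AutoSize
```

Running it shows one thing the raw table hides: with the default values, Ring3 (9 + 5 + 2) and Last (11 + 3 + 2) both reach the end of their grace period 16 days after release, so the "Last" ring does not actually finish later than Ring3 unless you change its cadence.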
Feature update policy for Windows 10 and later
Windows Autopatch groups also set up a feature update policy for Windows 10 and later for each of the default rings in the Default Autopatch group. The default policy values are:
Policy name | Azure AD group assignment | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Days between deployment rings | Support end date
--- | --- | --- | --- | --- | --- | --- | ---
Windows Autopatch – DSS Policy [Test] | Windows Autopatch – Test | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00AM
Windows Autopatch – DSS Policy [Ring1] | Windows Autopatch – Ring1 | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00AM
Windows Autopatch – DSS Policy [Ring2] | Windows Autopatch – Ring2 | Windows 10 21H2 | Make update available as soon as possible | December 14, 2022 | December 21, 2022 | 1 | June 11, 2024; 1:00AM
Windows Autopatch – DSS Policy [Ring3] | Windows Autopatch – Ring3 | Windows 10 21H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | June 11, 2024; 1:00AM
Windows Autopatch – DSS Policy [Last] | Windows Autopatch – Last | Windows 10 21H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | June 11, 2024; 1:00AM
CUSTOM AUTOPATCH GROUPS
If your business needs a more precise representation of its organizational structure, and its own update cadence, in the service, then Custom Autopatch groups are the right choice. The Test and Last deployment rings are present in every Custom Autopatch group by default.
TEST AND LAST DEPLOYMENT RINGS
Both of these are default deployment rings, and they are automatically present in the Default Autopatch group and in every Custom Autopatch group. They are essential because they provide the recommended minimum number of deployment rings for each Autopatch group. In two situations the Test deployment ring serves as the pilot deployment ring and the Last ring serves as the production deployment ring:
If only the Test and Last deployment rings are within your Default Autopatch group.
If at the time you are creating a Custom Autopatch group, you don’t add more deployment rings.
You also cannot remove or rename the Test and Last deployment rings in the Default or Custom Autopatch groups. Because Autopatch groups require a minimum of two deployment rings for their gradual rollout, they do not support a single deployment ring in their deployment ring composition.
So, you will need to consider managing devices outside Windows Autopatch whenever you have a specific scenario that you want to implement using a single deployment ring and where the gradual rollout is not necessary.
Deployment rings
Autopatch groups deliver software update deployments sequentially, as a gradual rollout within the Autopatch group. Deployment rings are what make this possible. Windows Autopatch aligns with Azure AD and Intune terminology for device group management. There are two types of deployment ring group distribution in Autopatch groups, plus their combination:
Deployment ring distribution | Description
--- | ---
Dynamic | One or more device-based Azure AD groups can be used, and each can be either dynamic (query-based) or assigned. The Dynamic distribution type spreads the devices in these groups across several deployment rings according to percentage values that you can customize.
Assigned | A single device-based Azure AD group is used, and it can be either dynamic (query-based) or assigned.
Combination of Dynamic and Assigned | The most flexible option when composing deployment rings: both device distribution types can be combined in one Autopatch group. This combination is not supported for the Test and Last deployment rings.
Service-based versus software update-based deployment rings
Autopatch groups also create two different layers, each with its own deployment ring set. By default, both deployment ring sets are assigned to devices that have successfully registered with Windows Autopatch.
SERVICE-BASED DEPLOYMENT RINGS
This deployment ring set is used only to keep Windows Autopatch itself up to date: the service and device-level configuration policies, apps, and APIs required for the core functions of the service. The Azure AD-assigned groups representing the service-based deployment rings are:
Modern Workplace Devices-Windows Autopatch-Test
Modern Workplace Devices-Windows Autopatch-First
Modern Workplace Devices-Windows Autopatch-Fast
Modern Workplace Devices-Windows Autopatch-Broad
Do not modify the membership type (Assigned or Dynamic) of these Azure AD groups. If you do, Windows Autopatch can no longer read the device group membership from them.
As a result, the Autopatch groups feature, along with other service-related operations, will not function correctly. Syncing Configuration Manager collections directly to any Azure AD group created by Autopatch groups is also unsupported.
SOFTWARE-BASED DEPLOYMENT RINGS
The second deployment ring set is used only with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group. The Azure AD-assigned groups representing the software update-based deployment rings are:
Windows Autopatch – Test
Windows Autopatch – Ring1
Windows Autopatch – Ring2
Windows Autopatch – Ring3
Windows Autopatch – Last
Additional Azure AD assigned groups are created and added to this list whenever you add more deployment rings to the Default Autopatch group. As with the service-based set, do not modify the membership type (Assigned or Dynamic) of these Azure AD groups; if you do, Windows Autopatch can no longer read the device group membership from them.
As a result, the Autopatch groups feature, along with other service-related operations, will not function correctly. Syncing Configuration Manager collections directly to any Azure AD group created by Autopatch groups is also unsupported.
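Because changing the membership type of either ring set (the service-based groups listed under the service-based heading and the software update-based groups listed just above) silently breaks Autopatch, it is worth auditing those groups periodically. The following is an added example, not code from the article or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list every group whose display name starts with the two prefixes the article gives, and flags any that have become Dynamic. It assumes the SDK is installed and that the signed-in account has the Group.Read.All permission.

```powershell
# Added example: audit the Azure AD groups Windows Autopatch created.
# Assumes Microsoft.Graph PowerShell SDK and Group.Read.All on the signed-in account.
Connect-MgGraph -Scopes 'Group.Read.All' -NoWelcome

# Display-name prefixes of the two deployment ring sets named in the article.
$prefixes = @('Windows Autopatch', 'Modern Workplace Devices-Windows Autopatch')

$groups = foreach ($p in $prefixes) {
    Get-MgGroup -All -Filter "startswith(displayName,'$p')" `
        -Property 'id','displayName','groupTypes','membershipRule','membershipRuleProcessingState'
}

function Get-AutopatchGroupAudit {
    param([Parameter(Mandatory)][object[]]$Groups)
    foreach ($g in $Groups) {
        # A group is Dynamic when its groupTypes contains 'DynamicMembership';
        # Autopatch creates these groups as Assigned, so Dynamic here means drift.
        $isDynamic = $g.GroupTypes -contains 'DynamicMembership'
        # Enumerating members is slow for large rings but avoids any count-specific API.
        $members = @(Get-MgGroupMember -GroupId $g.Id -All)
        [pscustomobject]@{
            Group          = $g.DisplayName
            MembershipType = if ($isDynamic) { 'Dynamic' } else { 'Assigned' }
            RuleState      = $g.MembershipRuleProcessingState
            Members        = $members.Count
            Drift          = $isDynamic
        }
    }
}

$audit = Get-AutopatchGroupAudit -Groups $groups
$audit | Sort-Object Group | Format-Table -AutoSize

# Surface only the problems, e.g. for a scheduled job that alerts on non-empty output.
$audit | Where-Object Drift
```

Running this from a scheduled job and alerting on any row with Drift set to True gives you the early warning the article's caveat calls for, before the next update cycle fails to reach the affected ring.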
How to use Autopatch groups
There are a few examples that we can look at that describe certain scenarios and how we use Autopatch groups for those cases.
EXAMPLE NUMBER 1
Imagine a scenario where you are an IT admin who is responsible for several Microsoft and non-Microsoft cloud services. In this example, you don’t have the time to set up and manage multiple Autopatch groups. Your company currently relies on five deployment rings for its update management. You can, however, use flexible deployment cadences, provided you communicate them to your end users.
The solution in this case is to use the Default Autopatch group if you don’t currently have thousands of devices under management. You can edit the Default Autopatch group to add deployment rings and/or slightly adjust some of its default deployment cadences.
Additionally, because this Default Autopatch group comes preconfigured and doesn’t require extra configurations when registering devices with the Windows Autopatch service, it will offer greater convenience to IT admins.
EXAMPLE NUMBER 2
For the second example, you’re going to be an IT admin for a business that is looking to implement a gradual rollout of software updates within certain critical business units or departments to help mitigate the risk of end-user disruption.
What you can do in this case is to create a Custom Autopatch group for all your business units. This means that you can create a Custom Autopatch group for each department. And then, you can proceed to break down the deployment ring composition according to the various user personas. You could also perform the breakdown by categorizing how essential certain users may be for not only a particular department but for the business as a whole.
EXAMPLE NUMBER 3
In the final example, imagine being an IT admin working in the New York branch of a particular company. And in this scenario, you’re looking to implement a gradual rollout of software updates within certain departments in a way that does not disrupt operations in that New York branch.
Similar to the second example, you’re going to create a Custom Autopatch group. But this time, it will be for the New York branch. Then, you will proceed to break down the deployment ring composition according to the various departments within that branch location.
Wrap up
With the threat of cyber-attacks seemingly increasing each and every year, businesses need to be highly proactive about their security. They need to put in place measures that help to improve security and minimize vulnerabilities. Microsoft is looking to help businesses do that with the Windows Autopatch service. It is a highly efficient tool that streamlines the management of software updates and patches.
Autopatch leverages groups to enable businesses to get the maximum benefits from the service. This is also while taking into account the unique needs of the business. Therefore, what you ultimately get is a solution that can cut the security gap. And one that optimizes your IT resources in a way that improves productivity.
Most businesses have several technologies that they use to help their employees operate at the highest levels of efficiency. Without them, your ability to provide high-quality products and services would be severely hindered.
But, all these devices and the associated operating systems and applications need maintenance for them to work the way they were designed to. They need regular attention as well as updates and security patches. This is so businesses can fully benefit from their productivity tools.
Windows Autopatch gives you a great solution for your Microsoft products by automating the update process. Additionally, it simplifies the maintenance process for you. In this article, we’ll be going over how your business can set up this must-have solution.
What is Windows Autopatch?
Let’s start by explaining what exactly Windows Autopatch is and what it does. According to the Windows Autopatch page:
“Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.”
One of the key reasons this solution is a much-needed tool is that the process of implementing updates is not entirely seamless for a lot of organizations. IT admins are responsible for ensuring your organization’s devices get all the necessary updates upon release. And they’re responsible for overseeing that everything is working as it should.
So, even though Microsoft provides regular updates for its products and services, the task can be challenging and very time-consuming. With a solution like Autopatch, IT admins save a lot of time on the update process, and the business’s overall security posture improves with less effort.
I’m sure most would agree that this is an excellent feature to have, given the increasing sophistication of cyber attacks. Additionally, end users will be able to work more efficiently with fewer distractions. Moreover, your IT personnel will potentially have a lot more time on their hands for dedicating to more productive tasks.
The role of Autopatch services
From what we have seen over the last year, we know that Windows Autopatch can manage your updates for you. But, you still need to know what exactly Autopatch will be responsible for regarding those updates. This is why it’s not too surprising that a lot of IT admins are hesitant about using Autopatch. They have concerns about losing control over their devices.
To simplify the rollout of the different updates, Windows Autopatch will place devices into groups based on their software and hardware configurations. Doing it this way enables suitable test machines to receive updates first. And if all goes well, broader deployments can proceed as well. Not only is this a crucial step for evaluating updates, but it can help alleviate some of the concerns that IT admins have.
Below is a list of what Autopatch will be responsible for updating:
Windows 10 and Windows 11 quality updates
Windows 10 and 11 feature updates
Windows 10 and 11 driver updates
Windows 10 and 11 firmware updates
Microsoft 365 Apps for enterprise updates
In addition to the above list, Windows Autopatch will also be responsible for patching drivers and firmware that are only published to Windows Update as automatic. Also, in terms of how Windows Autopatch operates, there are four deployment rings. The first one caters to a few of your company’s devices, and the second one is responsible for 1% of these devices. The third and fourth rings will contain 9% and then 90% of the organization’s devices respectively.
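The percentage-based split described above (a handful of test devices, then 1%, 9% and 90%), and the customizable percentages of the Dynamic distribution type discussed earlier, both depend on each device landing in the same ring every time the groups are evaluated. Here is an added example, not the Autopatch service's own logic, of one way to do that: a stable hash of the device identifier chooses the ring, so adding or removing devices never reshuffles the others. The ring names follow the service-based ring set from the article; the synthetic device names, the explicit list of Test devices, and the hash-bucket approach are this example's assumptions.

```powershell
# Added example: stable percentage-based ring assignment (not Autopatch's own code).
# Test ring is filled from an explicit list; the rest are split 1% / 9% / 90%
# by hashing the device id, so assignments are deterministic across runs.
function Get-RingAssignment {
    param(
        [Parameter(Mandatory)][string[]]$DeviceIds,    # Azure AD device ids or names
        [string[]]$TestDevices = @(),                   # hand-picked pilot devices
        # Ordered so the cumulative percentages are walked in ring order.
        $Split = [ordered]@{ First = 1; Fast = 9; Broad = 90 }
    )
    $total = ($Split.Values | Measure-Object -Sum).Sum
    if ($total -ne 100) { throw "Split percentages must total 100, got $total" }

    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($id in $DeviceIds) {
            if ($TestDevices -contains $id) {
                [pscustomobject]@{ Device = $id; Ring = 'Test'; Bucket = $null }
                continue
            }
            # Hash the (case-folded) id, take the first 4 bytes as an unsigned int,
            # and map it into a bucket 0..99; bucket order is effectively random
            # but fixed for a given id.
            $hash   = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($id.ToLowerInvariant()))
            $bucket = [System.BitConverter]::ToUInt32($hash, 0) % 100
            $cum = 0; $ring = $null
            foreach ($name in $Split.Keys) {
                $cum += $Split[$name]
                if ($bucket -lt $cum) { $ring = $name; break }
            }
            [pscustomobject]@{ Device = $id; Ring = $ring; Bucket = $bucket }
        }
    } finally {
        $sha.Dispose()
    }
}

# Constructed sample input: 2,000 synthetic device names, two of them pilots.
$devices = 1..2000 | ForEach-Object { 'PC-{0:D5}' -f $_ }
Get-RingAssignment -DeviceIds $devices -TestDevices 'PC-00001', 'PC-00002' |
    Group-Object Ring | Select-Object Name, Count | Sort-Object Name
```

The counts will be close to, not exactly, 1/9/90 percent because the hash distributes devices uniformly only in expectation; that is the same trade-off any percentage-based dynamic distribution makes, and it is why the Test ring is better populated from an explicit list than from a percentage.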
Setting up Windows Autopatch
The process of setting up Windows Autopatch includes several steps that we will be discussing in this section.
PREREQUISITES
Area | Requirements
--- | ---
Licensing | Windows 10/11 Enterprise E3 (or higher), plus Azure Active Directory Premium and Microsoft Intune.
Connectivity | All Windows Autopatch devices require dedicated connectivity to multiple Microsoft service endpoints across the corporate network.
Azure Active Directory | Azure AD must be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure AD Connect to enable Hybrid Azure AD join.
Device management | All devices must be registered with Microsoft Intune, be connected to the internet, have a serial number, model and manufacturer, and be corporate-owned. Target devices must have Intune set as the Mobile Device Management (MDM) authority, or co-management must be turned on.
NETWORK CONFIGURATION
Proxy configuration – Windows Autopatch needs to reach certain endpoints for the various aspects of the Windows Autopatch service. Network optimization can be done by sending all trusted Microsoft 365 network requests directly through their firewall or proxy.
Proxy requirements – the proxy must support TLS 1.2; if it does not, you may need to disable protocol detection.
Required URLs – mmdcustomer.microsoft.com
– mmdls.microsoft.com
– logcollection.mmd.microsoft.com
– support.mmd.microsoft.com
Delivery optimization – Microsoft recommends configuring and validating Delivery Optimization when you enroll into the Windows Autopatch service.
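Before enrolling, it helps to confirm from a representative client that the four required URLs are actually reachable through the corporate proxy or firewall and that a TLS 1.2 handshake succeeds. The script below is an added example (not from the article or from Microsoft) that does both checks for the endpoints listed above: a TCP probe on port 443, then a handshake that allows only TLS 1.2, which is exactly what fails when a proxy doing protocol detection interferes. It assumes a Windows client with the NetTCPIP module (for Test-NetConnection); the TLS step opens its own socket, so it exercises a transparent proxy or firewall but not an explicit proxy that requires CONNECT.

```powershell
# Added example: reachability and TLS 1.2 check for the Windows Autopatch endpoints.
# Assumes Windows PowerShell / PowerShell 7 on Windows with the NetTCPIP module.
$AutopatchEndpoints = @(
    'mmdcustomer.microsoft.com',
    'mmdls.microsoft.com',
    'logcollection.mmd.microsoft.com',
    'support.mmd.microsoft.com'
)

function Test-AutopatchEndpoint {
    param([Parameter(Mandatory)][string]$HostName)

    $result = [ordered]@{ Endpoint = $HostName; TcpReachable = $false; Tls12 = $false; Detail = '' }

    # Step 1: plain TCP reachability on 443 (also fails if the name does not resolve).
    $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    $result.TcpReachable = [bool]$tcp.TcpTestSucceeded
    if (-not $result.TcpReachable) {
        $result.Detail = 'TCP 443 blocked or host unresolved'
        return [pscustomobject]$result
    }

    # Step 2: a handshake that permits only TLS 1.2. A middlebox that downgrades or
    # intercepts the protocol fails here even though the TCP probe succeeded.
    $client = $null; $ssl = $null
    try {
        $client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
        $ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient(
            $HostName,
            [System.Security.Cryptography.X509Certificates.X509CertificateCollection]::new(),
            [System.Security.Authentication.SslProtocols]::Tls12,
            $true)   # check certificate revocation
        $result.Tls12  = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
        $result.Detail = "negotiated $($ssl.SslProtocol); server cert subject: $($ssl.RemoteCertificate.Subject)"
    } catch {
        $result.Detail = "TLS 1.2 handshake failed: $($_.Exception.Message)"
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    return [pscustomobject]$result
}

$AutopatchEndpoints | ForEach-Object { Test-AutopatchEndpoint -HostName $_ } | Format-Table -AutoSize
```

A row with TcpReachable true but Tls12 false, together with a handshake error in Detail, is the signature of the protocol-detection problem the article mentions; a certificate subject that belongs to your proxy rather than to Microsoft indicates TLS inspection, which should be exempted for these hosts.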
TENANT ENROLLMENT
The first step in this next stage will require you to verify that you’ve met all the requirements discussed at the beginning of this section.
With that done, you’ll now need to run the readiness tool. This checks the settings in both Intune and Azure AD and verifies that they work with Autopatch. To access this readiness assessment tool, head over to the Intune admin center and select Tenant administration in the left pane. Once there, go to Windows Autopatch > Tenant enrollment. When the check is done, you’ll get one of four possible results: Ready, Advisory, Not ready, or Error. And if this check is showing any issues with your tenant, then your next step will involve fixing the issues picked up by the readiness assessment tool.
If everything is in order and the readiness assessment tool has given you the “Ready” result, then you can proceed and enroll the tenant. You’ll find the “Enroll” button that you need to select within the readiness assessment tool. Once you select this option, it will start the process of enrolling your tenant into the Windows Autopatch service. You’ll see the following during the process:
Consent workflow to manage your tenant.
Provide Windows Autopatch with IT admin contacts.
Setup of the Windows Autopatch service on your tenant. This step is where the policies, groups, and accounts necessary to run the service will be created.
Your tenant will be successfully enrolled upon completion of these actions. After that, you can delete the data collected by the readiness assessment tool if you want. To do so:
Head over to the Microsoft Intune admin center.
Go to Windows Autopatch > Tenant enrollment.
Select Delete all data.
ADD AND VERIFY ADMIN CONTACTS
After you have finished enrolling your tenant, you can move on to adding and verifying admin contacts. Windows Autopatch has several ways of communicating with customers, and you are required to submit a set of admin contacts when onboarding. Each area of focus should have an admin contact, so that the Windows Autopatch Service Engineering Team has someone to work with on a support request. The areas of focus are given below.
Area of focus | Description
--- | ---
Devices | Device registration; Device health
Updates | Windows quality updates; Windows feature updates; Microsoft 365 Apps for enterprise updates; Microsoft Edge updates; Microsoft Teams updates
To add the admin contacts, follow these steps:
Sign in to the Intune admin center.
Head over to the Windows Autopatch section, find Tenant administration, and then select Admin contacts.
Select Add.
Now, provide all the necessary contact details: name, email address, phone number, and preferred language.
Choose an area of focus and provide information about the contact’s knowledge and authority in this particular area.
Click Save and then repeat the steps for each area of focus.
DEVICE REGISTRATION
Windows Autopatch groups device registration
Autopatch groups start the device registration process for devices that aren’t yet registered, using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group. Windows Autopatch supports two Azure AD nested group scenarios, namely Azure AD groups synced from:
On-premises Active Directory groups (Windows Server AD)
Configuration Manager collections
Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
For an Azure AD dual state to occur, a device needs to be initially connected to Azure AD as an Azure AD registered device. And then, when you enable Hybrid Azure AD join, the same device will be connected twice to Azure AD as a Hybrid Azure AD device.
So, what you’ll find in the dual state is a device with two Azure AD device records with different join types. However, the Azure AD registered device record is stale because the Hybrid Azure AD device record will take precedence.
About the Registered, Not ready, and Not registered tabs
Device blade tab | Purpose | Expected device readiness status
--- | --- | ---
Registered | Shows devices that registered successfully with Windows Autopatch | Active
Not ready | Shows successfully registered devices that aren’t yet ready to have one or more software update workloads managed by the Windows Autopatch service | Readiness failed and/or Inactive
Not registered | Shows devices that have not passed the prerequisite checks and therefore require remediation | Prerequisites failed
Device readiness statuses
Readiness status | Description | Device blade tab
--- | --- | ---
Active | Devices that have passed all prerequisite checks, registered with Windows Autopatch, and passed all post-registration readiness checks | Registered
Readiness failed | Devices that haven’t passed one or more post-registration readiness checks and aren’t ready to have one or more software update workloads managed by Windows Autopatch | Not ready
Inactive | Devices that haven’t communicated with Microsoft Intune in the last 28 days | Not ready
Prerequisites failed | Devices that haven’t passed one or more prerequisite checks and have failed to register with Windows Autopatch | Not registered
Built-in roles required for device registration
Roles are sets of permissions granted to designated users. There are two built-in roles in Autopatch that you can use to register devices:
Azure AD Global Administrator
Intune Service Administrator
Less privileged user accounts can be assigned to perform specific tasks in the Windows Autopatch portal. You can do this by adding these user accounts into one of the two Azure AD groups created during the tenant enrollment process:
Azure AD group name | Discover devices | Modify columns | Refresh device list | Export to .CSV
--- | --- | --- | --- | ---
Modern Workplace Roles – Service Administrator | Yes | Yes | Yes | Yes
Modern Workplace Roles – Service Reader | No | Yes | Yes | Yes
Details about the device registration process
The process of registering your devices with Windows Autopatch will accomplish a couple of things:
Creation of a record of devices in the service.
Device assignment to the two deployment ring sets and other groups required for software update management.
Windows Autopatch on Windows 365 Enterprise Workloads
As part of the Windows 365 provisioning policy creation, Windows 365 Enterprise admins will have the option to register devices with Windows Autopatch. This means that Cloud PC users will also benefit from the increased security and automated updates that Windows Autopatch provides. The process for registering new Cloud PC devices is as follows:
Head over to the Intune admin center and select Devices.
Next, go to Provisioning > Windows 365 and select Provisioning policies > Create policy.
Type in the policy name, select Join Type, and then select Next.
Pick your desired image and select Next.
Navigate to the Microsoft managed services section, select Windows Autopatch, and then select Next.
Assign the ideal policy, select Next, and then select Create.
Your newly provisioned Windows 365 Enterprise Cloud PCs will then be automatically enrolled and managed by Autopatch.
Windows Autopatch on Azure Virtual Desktop workloads
Azure Virtual Desktop (AVD) workloads can also benefit from the features that Windows Autopatch has to offer. Your admins can use the existing device registration process to provision their AVD workloads to be managed by Autopatch.
One of the most appealing features of Windows Autopatch is how it offers the same quality of service to virtual devices as it does to physical ones. This ensures that if your business is looking to migrate to virtual devices or is already using them, then you won’t miss out on what Windows Autopatch offers.
It is worth noting, however, that any Azure Virtual Desktop specific support is deferred to Azure support unless otherwise specified. In addition, the prerequisites for Windows Autopatch for AVD are pretty much the same as those for Windows Autopatch and AVD.
The service will support personal persistent virtual machines. But, there are some AVD features that are not supported such as multi-session hosts, pooled non-persistent virtual machines, and remote app streaming.
Deploy Autopatch on Azure Virtual Desktop
Another great feature that you’ll get with Autopatch is that you can register your Azure Virtual Desktop workloads using the same method as your physical devices. Microsoft recommends nesting a dynamic device group in your Autopatch device registration group to simplify the process for your admins. And this dynamic device group is going to target the Name prefix defined in your session host while also excluding any Multi-Session Session Hosts.
Client support
Windows Autopatch provides businesses with excellent support services to ensure that any issues are addressed. You can access the appropriate support services through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.
Device management lifecycle scenarios
Before you proceed and register your devices in Windows Autopatch, there are a few device management lifecycle scenarios that you may want to consider. These include the following:
Device refresh – devices that were previously registered in Autopatch and require reimaging will require you to run one of the device provisioning processes available in Microsoft Intune to reimage these devices. Subsequently, these devices will be rejoined to Azure AD (Hybrid or Azure AD only) and then re-enrolled into Intune. And because the Azure AD device ID record of that device will not be altered, neither you nor Windows Autopatch will need to perform any additional actions.
Device repair and hardware replacement – when devices require you to repair them by replacing certain hardware, then you’ll need to re-register these devices into Autopatch when you’re done. We are talking about the kind of repairs that include replacing parts such as the motherboard, non-removable network interface cards (NIC), or hard drives. And the reason why re-registration is necessary is that when you replace those parts, a new hardware ID will be generated, including:
SMBIOS UUID (motherboard)
MAC address (non-removable NICs)
OS hard drive’s serial, model, manufacturer information
So, even though you still practically have the same device, whenever you replace major hardware, Azure AD will create a new ID record for that device.
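Since the decision to re-register hinges on whether those identifiers changed, a small before-and-after snapshot makes the repair workflow unambiguous. The following is an added example, not code from the article or from Microsoft: it reads the SMBIOS UUID, the MAC addresses of built-in (non-USB) network adapters, and the OS disk's serial, model and manufacturer, saves them as a baseline, and on a later run reports what changed. The baseline path, the "non-USB PnP ID means built-in" heuristic, and the comparison rules are this example's assumptions; Azure AD's own matching logic is not documented here.

```powershell
# Added example: snapshot and compare the hardware identifiers the article lists.
# Assumptions: built-in NIC = physical adapter not on the USB bus; baseline path below.
function Get-HardwareIdentitySnapshot {
    $uuid = (Get-CimInstance -ClassName Win32_ComputerSystemProduct).UUID

    # Physical adapters whose PnP ID is not USB, i.e. the non-removable NICs.
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -and $_.MACAddress -and $_.PNPDeviceID -notlike 'USB*' } |
        Select-Object -ExpandProperty MACAddress | Sort-Object -Unique

    # OS disk: system drive letter -> partition -> disk number -> Win32_DiskDrive.
    $osDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
    $disk   = Get-CimInstance -ClassName Win32_DiskDrive | Where-Object { $_.Index -eq $osDisk.Number }

    [pscustomobject]@{
        SmbiosUuid   = $uuid
        NicMacs      = @($nics)
        OsDiskSerial = "$($disk.SerialNumber)".Trim()
        OsDiskModel  = "$($disk.Model)".Trim()
        OsDiskMaker  = "$($disk.Manufacturer)".Trim()
        TakenAt      = (Get-Date).ToString('o')
    }
}

function Compare-HardwareIdentity {
    param([Parameter(Mandatory)]$Baseline, [Parameter(Mandatory)]$Current)
    $changes = @(foreach ($p in 'SmbiosUuid', 'OsDiskSerial', 'OsDiskModel', 'OsDiskMaker') {
        if ($Baseline.$p -ne $Current.$p) { "$p changed: '$($Baseline.$p)' -> '$($Current.$p)'" }
    })
    # MAC lists are sorted at capture time, so a joined string comparison is enough.
    if (($Baseline.NicMacs -join ',') -ne ($Current.NicMacs -join ',')) {
        $changes += "Built-in NIC MACs changed: '$($Baseline.NicMacs -join ',')' -> '$($Current.NicMacs -join ',')'"
    }
    [pscustomobject]@{
        ReRegisterLikely = [bool]$changes   # any change to these ids means a new Azure AD device record
        Changes          = $changes
    }
}

# Usage: first run (before the repair) writes the baseline; later runs compare against it.
$baselinePath = Join-Path $env:ProgramData 'hwid-baseline.json'   # assumed location; needs elevation to write
if (-not (Test-Path $baselinePath)) {
    Get-HardwareIdentitySnapshot | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath"
} else {
    $baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    Compare-HardwareIdentity -Baseline $baseline -Current (Get-HardwareIdentitySnapshot)
}
```

Keeping the baseline file in your asset inventory rather than only on the device is the practical choice, since a disk replacement is one of the cases it is meant to detect.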
UPDATE MANAGEMENT
Software update workloads
Software update workload | Description
--- | ---
Windows quality update | On the second Tuesday of every month, Autopatch deploys the monthly security update release. It uses mobile device management (MDM) policies, deployed to each update deployment ring, to release the updates gradually and control the rollout. Requires four deployment rings to manage these updates.
Windows feature update | You tell Autopatch when you are ready to upgrade to a new Windows OS version. The feature update release management process is designed to make keeping your Windows devices up to date easier and more affordable, which lightens your workload and frees time for more productive tasks. Requires four deployment rings to manage these updates.
Autopatch groups play an essential role in helping Microsoft Cloud-Managed services work with businesses according to their various needs. When it comes to update management, Windows Autopatch groups provide an excellent tool that allows for the combining of Azure AD groups and software update policies. These might include Windows Update rings and feature update policies.
Reports
If there are any Windows Autopatch managed devices in your environment that are not up to date, you can monitor and remediate them using Windows quality and feature update reports. Not only that, but you can also resolve any device alerts to bring Windows Autopatch-managed devices back into compliance.
Policy health and remediation
To enable the management of Windows quality and feature updates, Autopatch needs to deploy Intune policies. Windows Update policies must be healthy at all times should you plan to remain up to date and receive Windows updates. Microsoft ensures continuous monitoring to maintain the health of the policies, as well as raise alerts and provide remediation actions.
Wrap up
The threat of attacks against businesses is something that is always lurking. And as we have seen on far too many occasions in recent years, these attacks can be devastating. Business operations can be severely compromised. Additionally, the financial penalties can be massive. Therefore, there is a need to do everything within your power to fortify your system defenses. Windows Autopatch allows you to bolster your security by automating certain tasks.
Making sure that update and patch deployments occur in a timely fashion can significantly reduce the risk of attacks against your business, and that is precisely what Autopatch is designed to help with.
It helps you by automating the update process and simplifying tasks that are sometimes difficult and time-consuming. As a result, you get an easier and less expensive way of equipping your business with all the latest security updates necessary. Ultimately, it allows you to enhance your operations.
Businesses need to be constantly looking for different solutions to help them improve their operations. One area that can give businesses a significant advantage is their IT environment. Technology has evolved greatly, and businesses can now easily leverage cloud computing to boost productivity.
Solutions like Windows 365 enable businesses to provide employees with secure and reliable access to virtual desktops anytime and from anywhere. Although cloud computing has been available for a while, Microsoft is offering clients something that is meant to take the cloud computing experience to new heights.
The Windows 365 Cloud has plenty of features designed to help you better manage and simplify your virtual desktop infrastructure. And in this article, we’ll be exploring those features.
Management Features of Windows 365
Windows 365 is a service that is easy to deploy as well as easy to use. Microsoft has built-in several management features that can help your business manage your virtual desktop infrastructure quickly and efficiently. Let’s take a look at some of those features.
Centralized Management
IT admins can often encounter huge challenges with decentralized systems. One of the more common issues that you can face is vulnerability to security threats. When successful, these attacks will compromise the integrity of the entire network and can be quite costly to rectify.
Running a decentralized environment efficiently will probably require a well-staffed IT department to ensure that your business functions smoothly. Without this, ensuring that all desktops are fully up-to-date and secure can prove to be a challenging and time-consuming task.
To make running your virtual desktop environment simpler, Microsoft has developed Windows 365 to be easily manageable without the need for significant IT resources. With the availability of centralized management, your business can comfortably manage your Cloud PC environment from a single location.
What this does is make the task of managing and monitoring your virtual desktops far less complicated for IT admins. This capability will have the additional advantage of enhancing your security posture. This is because using a single console enables you to better secure your environment.
Self-Service Portal
Continuing with the theme of ease of use, Microsoft provides a self-service portal for Windows 365 Cloud PCs. We all know how far too much time can be lost with employees waiting around to get IT support. In some cases, it could be even worse when the help you need is external.
The potential downtime can be very costly in terms of productivity. This is why having a self-service portal makes so much sense. With a self-service portal, employees can manage certain things without having to wait for IT support. Cloud PC users can install applications, set up user accounts, and configure their security settings with relative ease.
Having a feature like this will not only help to boost productivity, but it will empower your employees as well. Furthermore, by allowing Cloud PC users to manage their virtual desktops, IT admins can dedicate more time to more productive work for the business.
IT admins can also use this feature to quickly and easily add or remove virtual desktops. This depends on the organization’s needs. And it can help to simplify the management of your virtual desktop environment without the need for external IT support.
Automated Patching
When it comes to the security of your virtual desktop environment, you cannot afford to neglect regular updates and patches. Malicious actors are getting worse with each passing year, meaning that businesses need to constantly reinforce their cyber security.
Fortunately, Microsoft offers its clients regular updates for its various products and services. This is to ensure that clients get the best and most secure experience. The challenge that can often arise, however, involves updating every single device in an environment. It can have its fair share of complications.
So, even though service providers may be regularly offering updates and security patches, if the task of applying them is not carried out, your environment remains vulnerable. To minimize the issues that IT admins can face, Windows 365 has automated patching. The biggest advantage of this is that your virtual desktops will always be up-to-date with the latest security updates and software patches. Moreover, automated patching lightens the burden for IT admins and simplifies the management of your virtual desktop environment.
Customizable Management
Businesses need to know that when they are purchasing a product or service, they get something that is worth the investment. Part of the attraction of Windows 365 is that it offers great value for money in addition to being easy to use. Clients get the option to select a plan that suits the unique needs of their particular business. Microsoft offers businesses a choice between Windows 365 Business and Windows 365 Enterprise to cater to both small and large businesses.
These options give businesses the flexibility to customize an ideal subscription plan which eliminates the risk of paying for more than you need or that fails to meet your requirements. And the pay-as-you-go subscription model also allows businesses to continually make changes to their virtual desktop environment as their needs change. This way, you don’t need to make any long-term commitments, but you get access to the computing resources you need at any given time.
Benefits of Windows 365’s Simplified Management
The features that we have gone over have several benefits that they can offer your business. Some of these benefits are the following:
Reduced IT Overhead
The costs that businesses will often have to dedicate to their IT needs can be massive. These include things such as setting up an on-premises infrastructure, issuing devices to employees, and having a well-staffed IT department. One of the goals of Windows 365 is to help businesses minimize these costs.
By getting access to virtual desktops that are easily accessible, you’ll no longer need to worry about the devices you use. Because the heavy computing is done on the cloud, employees can use any device, including smartphones and tablets. And this will immediately help you to spend less on purchasing new devices.
In the long term, you will also reduce your expenses by not having to maintain the same device refresh cycle. Windows 365 is simple enough to use and maintain that you can run it efficiently without needing to bring in additional IT support. Features such as the self-service portal are perfectly designed to make management of your virtual desktop environment easier for IT.
As a result, they will also have a lighter burden meaning they can devote more time to other productive tasks. Additional reductions in IT overhead can also come from not having to maintain on-premises infrastructure because not only is it expensive to set up, but it’s also costly to maintain.
Increased Productivity
Virtual desktops should, by nature, help boost productivity because of how easily accessible they are. Employees have the flexibility to access their Cloud PCs even when traveling using any device they will be carrying. More importantly, remote work can create a more positive work environment by enabling people to work where and how they want.
Over the last few years, the desire to have the option to work remotely has grown significantly. So, if businesses can find a way to offer this to their employees, it could potentially boost productivity. People who feel cared for are far more likely to perform better.
Furthermore, the simplified management features available will allow Cloud PC users to work more efficiently with fewer issues. Features such as automated patching and centralized management give you a virtual desktop environment that is simple to manage. All of these things can contribute to lightening the load for your IT personnel, which can free up time for more critical tasks.
In addition, the security of the Microsoft Cloud, as well as the redundancies in place, means that your Cloud PCs will always be available. You don’t need to worry about facing disasters that can cause significant downtime because your data is highly secured.
Improved Security
With all the remote access that Windows 365 offers users, security needs to be of the highest standard. Recently we have witnessed plenty of businesses suffering from various attacks, so businesses are very wary about cloud computing solutions.
This is why Windows 365 would be a great choice: it leverages the industry-leading security measures that Azure has used over the years. You also get automated patching to ensure that your virtual desktop environment is fully protected by the regular updates that Microsoft delivers. Because the updates are applied automatically, the common issues you may face with manual updates are eliminated.
Monitoring your environment without the features to simplify management can be a complicated task. And this serves to highlight the importance of centralized management for enabling you to run your environment more efficiently.
IT admins can easily monitor all devices under their management from a single console and ensure that they are following all organizational policies. Using features like this will not only enhance your security but improve operational efficiency as well by keeping your virtual desktop environment up-to-date with all the latest features.
Greater Flexibility
I’m sure it’s pretty clear by now that there is a lot of talk about flexibility and its benefits. Businesses that can improve the working atmosphere for their employees, as well as accessibility to virtual desktops, can reap huge benefits. Windows 365 offers features like customizable management to address these areas.
In so doing, Microsoft allows businesses to select subscription plans that can perfectly meet their requirements. As a result of this, you’ll have the flexibility to use Windows 365 to carry out your business operations without any hindrances.
But, this is not only advantageous to the business but to employees as well. Because of the support for multiple operating systems and devices, Cloud PC users can comfortably use whatever device they want. Add to that the fact that the self-service portal allows users to carry out certain tasks that would normally require IT support, and you empower users even more.
So, whether your preference is iOS or Android, Windows or macOS, you can access your Cloud PC and get all your work done. And this you can do for years to come without worrying about purchasing new, more powerful devices.
Cost Savings
Everything that we’ve discussed plays a key role in providing Windows 365 clients with a service that can help businesses cut costs. By providing customizable management, businesses get the option to take full advantage of what Windows 365 Cloud PCs can offer while staying within their budgets. It may actually reduce your IT expenditure because you won’t need to purchase as much hardware or require additional IT personnel to run your Cloud PC environment.
Furthermore, the security of the Microsoft Cloud assures you that you don’t have to worry about cyber-attacks that could result in downtime. Windows 365 is designed to keep your Cloud PCs available at all times. If you compare this to other backup systems that may be available to you, you may see just how much you’ll be saving by using Windows 365. Ultimately, the reductions in IT expenditure will help you to invest in other areas of your business, thus improving growth and productivity.
Conclusion
Most businesses will be aware of the benefits that can be gained by introducing cloud computing to their businesses. But, as with any new solutions, there will be significant concerns about how viable this would be. With Windows 365, Microsoft wants businesses to have a solution that can alleviate security concerns, reduce operating costs, and increase flexibility among others.
Features designed to simplify Cloud PC management, such as the self-service portal, centralized management, automated patching, and customizable management, will help you function more efficiently. All of these things are crucial for improving employee morale, boosting productivity, and potentially increasing revenues. When all is said and done, Windows 365 may just be the solution you need to get closer to your business goals.
Cloud computing has been evolving at a very impressive rate over the last few decades. It is now becoming an integral part of how a lot of businesses perform their operations. As you would expect, tech giant Microsoft has contributed a lot to the development that we have witnessed.
More recently, we have seen this with Windows 365, which is a virtual desktop service that Microsoft introduced a few years back. This solution gives businesses the ability to offer their employees desktops that run in the cloud and are always available. Having an option like this allows employees to remain productive wherever they may be.
And one of the best things about Windows 365 is that it offers flexible pricing terms that make it accessible to businesses both large and small. In this article, we’ll be discussing these flexible terms that Microsoft offers and how your business can benefit.
Flexible Pricing Features of Windows 365
To attract large numbers of businesses, Microsoft has had to ensure that Windows 365 has several flexible pricing features that you will find appealing. These features allow you to select the computing resources you need that will fit your unique business strategy. So, let’s take a look at some of these features.
Monthly Subscription
The flexibility that users get from their Windows 365 Cloud PCs does not only apply to how and where they can use their virtual desktops. It also applies to the subscription terms that are available to your organization. Clients that use Windows 365 get to pay for the service on a month-to-month basis.
As you can imagine, this gives you the advantage of not having to make a longer-term commitment that you may not be willing to make. You get to assess the benefits that Windows 365 gives your business every month and make adjustments to your strategies as you need.
Additionally, this also helps you to more efficiently manage your computing resources based on your changing needs. Therefore, if you need to increase or decrease the computing resources that you are using, Windows 365 allows you to do so without any problems. And all of this you can do quickly and seamlessly without having to commit to a long-term subscription that may not suit your business strategy.
Customizable Plans
Within your organization, employees working in different departments can have different computing resource needs. For example, individuals working in human resources departments are unlikely to need the same computing power as people working in an engineering department.
And fortunately for Windows 365 clients, Microsoft appreciates this and enables you to select a plan that can be uniquely tailored to precisely fit your specific computing requirements. That way, you don’t need to worry about getting more or less than your business needs.
Right at the beginning, there are two subscription options available depending on the size of your business. If you are a relatively small organization requiring fewer than 300 Cloud PCs, then you have Windows 365 Business.
Larger enterprises with employees that require a greater number of Cloud PCs have the option of Windows 365 Enterprise. The great thing about all this, however, is that these options all offer the same range of features. Therefore, small businesses get to have a similar Windows 365 experience to the larger businesses without having to break the bank.
Pay-As-You-Go
This next feature provides businesses with a lot of flexibility relevant to how they can manage their budgets. With a pay-as-you-go arrangement in place, plenty of businesses, especially the smaller ones, will find it a bit easier to take advantage of what Windows 365 can offer without compromising their budget structures.
As already mentioned before, for some businesses, long-term commitments may not currently be financially viable, so having a service that allows you to only pay for what you are using can be a great solution.
One of the most obvious differences between Windows 365 and Azure Virtual Desktop (AVD) is the payment structure. AVD offers its services on a consumption-based model, whereas Windows 365 uses a fixed per-month/per-user licensing arrangement.
The benefit that Windows 365 clients get from this is that it allows them to plan long-term, knowing exactly what their IT expenditure will be. And in the case of changing computing resource needs, they can easily scale up or down to meet demand without being worried about having to face massive costs to do so.
Self-Service Portal
Windows 365 prides itself on being a service that is easy to deploy and use for any business. By designing it this way, Microsoft has been able to offer clients a product that doesn’t require any additional financial investment to set up and use.
According to Microsoft, you should not need additional IT resources to help you set up your Windows 365 environment. And this is clearly something that is meant to help your business reduce expenditure. But, it’s not only setting up the Cloud PCs that is meant to be simple, but maintaining the environment should be as well.
Hence the availability of a self-service portal. This feature is perfect for helping your IT staff maintain your Windows 365 environment without needing to be dependent on support services. Moreover, if your business needs to add or remove virtual desktops, then your IT admins can leverage the self-service portal to do so easily and securely.
Ultimately, what Microsoft is giving you with this feature is a tool that enables you to adjust your computing resources as your business continues to evolve. Most importantly, you can do this in-house without needing to invest in additional IT resources.
Benefits of Windows 365’s Flexible Pricing
The various features that we have gone over above have several benefits that they can offer your business. In this section, we’ll be looking at some of those benefits.
Cost Control
Having effective cost control measures is essential for any business to minimize the progressive growth of expenses. Implementing such measures can help your business grow with minimal issues. One of the biggest things that a lot of businesses see as a great cost control measure is cloud computing.
Not only is this something that will help your employees remain productive from remote locations, but it can reduce IT expenses. If you consider setting up an on-premises infrastructure, you’ll quickly realize how costly an undertaking that would be. And that’s before considering the additional expenses for maintaining and potentially scaling the environment.
With Windows 365’s flexible pricing options, Microsoft wants businesses to have a virtual desktop service that can help to keep their IT expenses manageable. By signing up for only the computing resources that you need, you avoid having to overpay, especially for unnecessary resources.
This also gives you the advantage of planning an accurate budget well in advance. Moreover, you can also make allowances in your budget that will enable you to scale your computing resources if necessary.
Scalability
Windows 365 offers two subscription plans to businesses, Windows 365 Enterprise and Windows 365 Business. As mentioned already, this gives large and small businesses options that can meet their unique needs.
Within these two editions of Windows 365, you’ll also find several different options offering different levels of computing resources. This allows businesses to subscribe to options that will suit their needs without being concerned about potentially costly, long-term commitments.
In addition to this, as the needs of your business continually evolve, Windows 365 allows you to easily and quickly adapt to those changes. If your business is experiencing significant growth, you can scale your computing resources accordingly without incurring significant costs to do so.
The pay-as-you-go model that Windows 365 uses gives your IT staff the flexibility to adapt to the business environment when the need arises. Because of this, you can operate at optimal efficiency levels with exactly the computing resources you need at any given time.
Reduced Overhead
Another massive benefit that Windows 365 provides is the ease with which you can deploy, use, and maintain your virtual desktop environment. This gives businesses an excellent cloud computing service that doesn’t require you to bring in additional or specialized IT professionals.
The simplicity of Windows 365 is meant to enable your in-house IT staff to easily set up Cloud PCs for all employees that need them without necessarily bringing in external support. As you can imagine, the potential reduction in overhead can be massive.
By leveraging Windows 365, you already have plenty of benefits gained by providing employees with the flexibility to work from any remote location. And then, the reduced demands on IT admins will also free them up to dedicate more time to essential value creation for the organization. All of this, when put together, provides an excellent foundation for improving the efficiency of the business, increasing productivity, and ultimately keeping your expenses down.
Improved Productivity
Windows 365 can provide greater security for its clients’ virtual desktop environments because of the measures that are in place in the Microsoft Cloud to safeguard data. This has an additional positive impact on productivity because employees can do their work securely regardless of where they are. And unlike on-premises systems, where you may occasionally have hardware issues, the redundancies in place for Windows 365 Cloud PCs are designed to keep your data accessible at all times.
The flexible pricing terms that you get with Windows 365 are what make this a great productivity tool for a lot of businesses. It’s especially advantageous when you consider that plenty of businesses, particularly the smaller ones, may otherwise find it financially difficult to offer employees this level of flexibility in their work conditions with the security that Microsoft provides. In addition, your Cloud PC environment is regularly updated so that you always have the best features available without the need to increase your IT expenditure.
Customizable Plans
A small startup company is going to have significantly different needs from those of a massive Fortune 500 company, for example. However, that is not to say that Windows 365 can’t be equally beneficial to the business operations of both.
It’s this need to make virtual desktops available to all who need them that has led Microsoft to allow businesses to pay monthly subscriptions for only the computing resources that they’ll be using. So, businesses can choose between Windows 365 Enterprise and Windows 365 Business, depending on their computing resource needs.
And within these two editions, you get several customizable and flexible plans that can be tailored to your unique needs and pocket. Therefore, all you have to do is determine the number of Cloud PCs you want and the amount of storage you’ll need. This is all you have to pay for, no more, no less.
Furthermore, having a pay-as-you-go model in place also makes it a lot easier for your business to adapt to a changing business environment. Thus, if the need arises, you can scale up or down with little to no trouble, and this increased control over computing resources will help improve your efficiency.
Conclusion
Most people will probably agree that there has been a massive increase in the acceptance of cloud computing by all businesses, both large and small. It’s not surprising as we have come to realize all the benefits that our businesses stand to gain. Not to mention the work that Microsoft has put into services like Windows 365 to improve security and reliability.
Although not the first of its kind, Windows 365 has been a game-changer for businesses because of its ease of use and favorable payment terms. Having access to a cloud computing environment that can potentially lower your IT expenses while boosting productivity is a great solution for any enterprise. And with all the development efforts that Microsoft continues to pour in, the Windows 365 Cloud PC will only get better.
Over the last few years, we have witnessed an alarming increase in cybercrime across the globe. Attacks are becoming more sophisticated, and businesses are suffering massive losses. As we take all of this into consideration, it makes us realize the importance of maintaining a secure and always up-to-date environment. Microsoft’s latest cloud computing platform, named Windows 365, is a solution that is meant to provide businesses with a flexible computing environment that adheres to the strictest security measures available.
By providing clients with excellent always-up-to-date features, Microsoft can ensure that clients always have the latest security updates and software versions.
So, in this article, we want to go over the various always-up-to-date features that you get with Windows 365 and why this cloud computing service can give your business the necessary security and reliability.
What Is an Always-up-to-date Computing Environment?
Malicious actors out there are constantly coming up with new tricks. They’re always looking to perpetrate data breaches, hacks, cyber attacks, and identity theft. They are always looking to exploit any potential vulnerabilities that may exist in your network. So, to counter this threat, one of the best tools that services like Windows 365 can offer clients is an always-up-to-date computing environment. This is something that allows businesses to run Cloud PCs that are always up-to-date with not only the latest features but important security patches as well.
Most of us have already experienced the challenges that one can face when trying to maintain an up-to-date computing environment. Although various updates and security patches are regularly availed, it can still prove to be a challenging task.
Hence the need for a system that provides an always-up-to-date environment. It ensures that your business is running the software versions you need to maximize productivity. Additionally, this also enhances organizational security in a way that reduces the risk of successful attacks.
Windows 365 Always-up-to-date Features
To ensure that businesses will consistently have a computing environment that is running on the latest updates, Windows 365 takes advantage of several features. Combining these features helps to ensure that businesses will get an effective and comprehensive updating system. In this section, we’ll take a look at those various features.
Automated Updates
Chances are high that when most people encounter that “would you like to update now” prompt, they click “no.” No one wants the disruption to their workday, especially without knowing how long the update process could take. Even when aware of the security risks of ignoring updates, people regularly continue without installing them. Behavior like this is the reason automated updates are needed. Windows 365 can ensure that your devices are updated at a time that is convenient and doesn’t affect any ongoing work.
This gives you the scheduling flexibility to plan the installation of automated updates. Updates for both the operating system and the applications on your Cloud PCs can be scheduled for non-working hours. And since these updates are applied automatically, the workload for your IT staff is reduced by eliminating some of those sometimes daunting manual tasks. All of this while your business gets to use the latest features and maintain high security levels.
Patch Management
Patch management involves scanning for and detecting the security patches a device is missing before they are downloaded and installed. Using this tool helps IT admins keep the devices under their control constantly up-to-date with the latest security patches. Leveraging the patch management capabilities that Windows 365 provides eliminates the need for IT admins to manually check each virtual device to see whether it has the necessary patches applied.
Having feature updates and security patches applied automatically means that you reduce the risk of hackers getting sufficient time to exploit any known vulnerabilities and security threats. This helps your business significantly reduce attack surfaces and keep employee productivity levels unaffected by potential security breaches. Moreover, businesses will also get to reap the benefits from reduced expenses for device lifecycle management as well as repairs.
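The detection side of patch management described above, as an added example that is not code from Windows 365 or from the original article: compare each device's installed patches with a catalogue of released security patches, compute how long each missing patch has been available (the window during which a known vulnerability can be exploited), and flag devices that exceed a maximum-exposure policy per severity. The patch identifiers, release dates, device names and policy thresholds are all constructed for the example and are not real Microsoft identifiers.

```python
"""Patch-exposure report over a constructed device inventory (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    patch_id: str
    released: date
    severity: str  # "critical" | "important" | "moderate"


@dataclass(frozen=True)
class Finding:
    device: str
    patch_id: str
    severity: str
    days_exposed: int  # days the fix has been available but not installed
    overdue: bool      # True when days_exposed exceeds the policy for this severity


# Constructed catalogue of released security patches (not real identifiers).
CATALOGUE = [
    Patch("PATCH-2024-001", date(2024, 1, 9), "critical"),
    Patch("PATCH-2024-002", date(2024, 2, 13), "important"),
    Patch("PATCH-2024-003", date(2024, 3, 12), "critical"),
]

# Constructed inventory: device name -> set of installed patch IDs.
INVENTORY = {
    "cloudpc-hr-01": {"PATCH-2024-001", "PATCH-2024-002", "PATCH-2024-003"},
    "cloudpc-eng-07": {"PATCH-2024-001"},
    "cloudpc-fin-03": set(),
}

# Constructed policy: maximum days a patch of each severity may stay uninstalled.
MAX_EXPOSURE_DAYS = {"critical": 7, "important": 30, "moderate": 90}


def missing_patches(device: str, installed: set[str], catalogue: list[Patch],
                    today: date) -> list[Finding]:
    """List every catalogue patch the device lacks, with its exposure window.
    Patches released after `today` are ignored so a stale inventory snapshot
    does not produce false findings."""
    findings = []
    for p in catalogue:
        if p.patch_id in installed or p.released > today:
            continue
        days = (today - p.released).days
        limit = MAX_EXPOSURE_DAYS.get(p.severity, 0)  # unknown severity: always overdue
        findings.append(Finding(device, p.patch_id, p.severity, days, days > limit))
    return findings


def report(inventory: dict[str, set[str]], catalogue: list[Patch],
           today: date) -> dict[str, list[Finding]]:
    """Per-device findings for the whole fleet."""
    return {d: missing_patches(d, inst, catalogue, today) for d, inst in inventory.items()}


def noncompliant_devices(inventory: dict[str, set[str]], catalogue: list[Patch],
                         today: date) -> list[str]:
    """Devices with at least one overdue patch, the set a console should alert on."""
    return sorted(d for d, fs in report(inventory, catalogue, today).items()
                  if any(f.overdue for f in fs))


if __name__ == "__main__":
    snapshot = date(2024, 3, 20)  # constructed report date
    for device, findings in report(INVENTORY, CATALOGUE, snapshot).items():
        status = "OK" if not findings else "MISSING"
        print(f"{device}: {status}")
        for f in findings:
            flag = "OVERDUE" if f.overdue else "within policy"
            print(f"  {f.patch_id} ({f.severity}) exposed {f.days_exposed}d - {flag}")
    print("non-compliant:", noncompliant_devices(INVENTORY, CATALOGUE, snapshot))
```

Keying the threshold on severity rather than using a single deadline mirrors how critical fixes are usually expedited; the `released > today` guard keeps an old inventory snapshot from being judged against patches that did not yet exist when it was taken.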
Centralized Management
Centralized management can play a key role in simplifying your organization’s IT operations. It can help to make user access and data storage easier. It additionally contributes to saving IT admins plenty of time that could be used more productively.
As a result, your security posture can be expected to improve because of how admins can monitor the entire network from a single console. Doing this allows them to quickly detect any issues that may arise and implement the necessary solutions without delay.
This is particularly important in the area of updates and security patches. As already mentioned, manually updating devices can often be a nightmare of a task, so automated updates come as a welcome relief. Having an always-up-to-date environment gives IT admins the secure computing environment they want while freeing up some of their time. All in all, taking advantage of centralized management for your Cloud PCs gives you a more secure and stable environment from top to bottom.
Integration with Microsoft Azure
One of the things that Microsoft was keen to highlight when it first introduced Windows 365 was this new product’s foundation of existing Azure infrastructure. As such, it could benefit from the tools and features that Microsoft clients would already be familiar with. This means that Windows 365 clients have access to the excellent computing resources that Azure infrastructure can provide.
And we cannot talk about these resources without mentioning security. This includes the highly reliable security measures of the Azure cloud infrastructure. It also includes the identity management protocols that significantly reduce the chances of unauthorized access to devices and, by extension, to your organization’s network.
Industry-leading security is what makes Azure such a great and reliable product. This ensures the protection of all your virtual machines and sensitive data. Most importantly, by keeping the environment always up-to-date, businesses will have any of their security concerns alleviated.
Role-based Access Control
Role-based access control (RBAC) is a method that improves your organization’s security by restricting network access based on the roles and responsibilities of employees within your organization. It helps your business by ensuring that employees can access only what they need to perform their duties and no more. In addition, it doesn’t just regulate which resources an individual can access; it also determines what actions they can perform on those resources.
By providing Windows 365 users with RBAC, Microsoft enables IT admins to assign permissions to users based on the needs of their duties within the organization. Restricting access to critical software and data is important for protecting the integrity of your network. Moreover, IT admins can enforce compliance, especially concerning updates and security patches, which keeps the organization operating at optimal efficiency.
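The RBAC model described above, as an added example that is not code from Windows 365 or from the original article: a role grants a set of (resource, action) permissions, a user holds one or more roles, and every access decision is denied unless some role explicitly grants it. The role names, resource names and users are constructed for the example; they are not Microsoft's built-in roles.

```python
"""Minimal deny-by-default RBAC check with an audit line per decision (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource: str  # what is being accessed, e.g. "cloudpc:update-policy"
    action: str    # what is done with it, e.g. "read" or "write"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[Permission]


@dataclass(frozen=True)
class User:
    name: str
    roles: tuple[str, ...] = ()


# Constructed role catalogue: helpdesk staff may read the update policy and
# restart devices, only patch administrators may change the policy, and end
# users may act only on their own device.
ROLES: dict[str, Role] = {
    "patch-admin": Role("patch-admin", frozenset({
        Permission("cloudpc:update-policy", "read"),
        Permission("cloudpc:update-policy", "write"),
        Permission("cloudpc:device", "read"),
        Permission("cloudpc:device", "restart"),
    })),
    "helpdesk": Role("helpdesk", frozenset({
        Permission("cloudpc:update-policy", "read"),
        Permission("cloudpc:device", "read"),
        Permission("cloudpc:device", "restart"),
    })),
    "end-user": Role("end-user", frozenset({
        Permission("cloudpc:own-device", "read"),
        Permission("cloudpc:own-device", "restart"),
    })),
}


def is_allowed(user: User, resource: str, action: str,
               roles: dict[str, Role] = ROLES) -> bool:
    """True only if at least one of the user's roles grants (resource, action).
    A role name that is not in the catalogue contributes nothing, so a typo in
    an assignment fails closed instead of granting access."""
    wanted = Permission(resource, action)
    return any(wanted in roles[r].permissions for r in user.roles if r in roles)


def audit(user: User, resource: str, action: str) -> str:
    """One-line audit record for the decision, the trail a central console keeps."""
    decision = "ALLOW" if is_allowed(user, resource, action) else "DENY"
    roles = ",".join(user.roles) or "-"
    return f"{decision} user={user.name} roles={roles} resource={resource} action={action}"


if __name__ == "__main__":
    alice = User("alice", ("patch-admin",))
    bob = User("bob", ("helpdesk",))
    carol = User("carol", ("end-user",))
    dave = User("dave", ("patch-admn",))  # misspelled role: must be denied everything
    for u, res, act in [
        (alice, "cloudpc:update-policy", "write"),
        (bob, "cloudpc:update-policy", "write"),
        (bob, "cloudpc:update-policy", "read"),
        (carol, "cloudpc:device", "restart"),
        (dave, "cloudpc:device", "read"),
    ]:
        print(audit(u, res, act))
```

The permission is a (resource, action) pair rather than a resource alone, which is what lets the same role read the update policy without being able to change it; the deny-by-default lookup means a mistyped or retired role name never widens access.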
Benefits of Windows 365 Always-up-to-date Features
The features that we discussed above are integral to ensuring that your computing environment is kept up-to-date at all times. The benefits of this are several, and we’ll be exploring them below.
Enhanced Security
Cyber attacks have been a thorn in the side of a lot of businesses in recent years. Take eyewear giant Luxottica as an example, a business that suffered a data breach that exposed the information of over 70 million clients. This kind of attack is very damaging to any business, and some may not recover from the consequences. As we consider incidents like these, it becomes abundantly clear why businesses must try, by all means, to implement the best security measures available.
A big part of that is maintaining an always-up-to-date computing environment. The features that Windows 365 gives you to achieve this will provide you with security against known security threats. Malicious actors are constantly searching for vulnerabilities, so it’s important to apply the latest security patches and updates. Moreover, having these updates and security patches installed as soon as they become available is important. It will significantly reduce your risk of suffering at the hands of hackers.
Improved Productivity
Anyone who remembers using older devices or any device with older software will probably also notice that they are not as efficient as one would like. They will often run slower than is ideal, and applications may crash far too many times. Undoubtedly, this can be a very frustrating experience for anyone simply trying to get their work done.
As a business, this is something that will cause a noticeable drop in the efficiency of your employees. Individuals cannot be as productive as they want when they have to waste time dealing with software bugs.
The Windows 365 always-up-to-date features are designed to provide your virtual devices with the best available updates. With the improvements that you get from these updates, employees can work better and more efficiently. In some cases, applications will stop working entirely without the necessary updates. Furthermore, the application of security patches reduces your chances of downtime that may be caused by cyber-attacks.
Reduced IT Overhead
Microsoft has designed Windows 365 to be a service that is available to both big and small enterprises. As such, the cost of using the service is meant to be affordable enough to potentially lower your IT expenditure. To begin with, setting up and deploying Cloud PCs is simple enough for you not to require additional IT personnel. So you immediately have fewer costs to worry about. Because of the benefits of features like automated updates and centralized management, maintaining your IT environment is a lot less complex.
The tasks that your IT staff needs to perform become simpler. And they no longer have to spend as much time with manual updates and security patches. As a result, there is a lot more time available to dedicate to better value creation for your business.
Not only that, but with an always-up-to-date environment, IT admins will know that organizational security will significantly improve. This is something that will help them by also reducing the time that could potentially be spent dealing with software bugs or security breaches.
Scalability
Every business needs to ensure that they have the necessary tools to scale as and when necessary. If your business experiences a sudden surge in customer interest, you need to be well-placed to adequately deal with the traffic. Windows 365 has several tools available that enable businesses to scale up quickly and seamlessly without compromising service delivery. And one of the biggest advantages of this process is that the tools you use are the same ones you’re already familiar with. So the process is a relatively straightforward one.
Most importantly, however, is that this task can be carried out very securely, and your IT environment will remain well-protected. So, utilizing the always-up-to-date features means that your business will always have the best tools for your computing environment. Although we mostly talk about expanding a business, the same also applies to scaling down operations.
If the need arises to reduce the computing resources you are using, then you can scale down just as easily and securely, as well. Microsoft provides a service that can accommodate the needs of your business in a way that allows you to operate under ideal conditions.
Wrap-Up About Windows 365
The security of your computing environment is not something that you can afford to take lightly. As we have discussed in this article, several businesses have been breached. The result is the compromising of information of millions of clients. Windows 365 provides you with a cloud computing platform with the objective to adapt to your organization’s needs. And it simultaneously offers you industry-leading security measures.
With the always-up-to-date features that you get, your computing environment can perform with optimal efficiency. Not to mention the enhanced security posture you’ll benefit from because of the automated security patches available. So, if you’re looking for a cloud computing solution that is secure, won’t break the bank, and is relatively easy to maintain, then Windows 365 deserves consideration.
Most IT pros are fully aware of how challenging it can be to manage the update process for all the devices in their organization. It can be an incredibly complex and time-consuming task that takes away time from engaging your efforts in work that could be considered more productive for the business.
Fortunately, Microsoft knows about this challenge and offers you Windows Autopatch to help businesses with this process. With this service, your organization will get a product that can help you to “streamline updating operations and create new opportunities for IT pros.” By enabling organizations to automate tasks such as these, Windows Autopatch will help you to minimize the security and performance issues that can sometimes be encountered because of inefficient update processes.
What is Windows Autopatch?
In case you may not as yet be familiar with Windows Autopatch, let me start by going over a few things your teams should know. Released in 2022, Autopatch is a cloud-based service that is designed to automatically manage the updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.
As I’m sure you can imagine, a service like this can vastly improve the efficiency of your IT operations. Not only that but this will tighten your organization’s security, it will improve productivity, and it will enhance device management among other things.
Consequences of Poor Update Processes
Research done by Google has shown that 66% of users don’t automatically or immediately apply updates. And most of us can relate to the reasons given such as not wanting the unwelcome interruption, not seeing the need, worrying about the time it could take, and so on.
Unfortunately, though the consequences of not applying updates may not be immediate, they can eventually be very damaging. It’s important to know that updates are critical for device performance and security. Malicious actors are constantly searching for vulnerabilities in your network, and occasionally they find them. So, if security patches are made available and you ignore them, it will leave your business exposed to all manner of cyber attacks.
In addition to that, hackers can potentially access organizational data and infect your network with malware. Not so long ago in 2017, Equifax was the victim of a brutal cyber attack that exposed the personal information of close to 150 million people. This kind of attack would be very damaging to an organization and as we saw in this case it cost the company over half a billion dollars in settlement. Clearly, this kind of situation needs to be avoided whenever possible. Furthermore, security concerns are not the only thing to worry about with neglecting updates. It can also result in your organization using poorly performing devices and not having access to the best and latest features. Obviously, this can cost you significantly especially if other businesses are gaining an advantage over you.
Before You Get Started
Just like any other service you would want to use, Windows Autopatch has some requirements you would need to meet before you can get started. There are several areas that you will have to consider if you want to deploy Autopatch.
Licensing
The most obvious starting point is going to be the licensing requirements for Autopatch. You’re going to need to assign Windows 10/11 Enterprise E3 (or higher) to all the various users who will require the service. Fortunately, users that already have Windows 10/11 Enterprise E3 or higher (user-based only), get Windows Autopatch with their licenses. There are several service plan SKUs that are eligible for Autopatch and they are given in the table below:
| License | ID |
| --- | --- |
| Microsoft 365 E3 | SPE_E3 |
| Microsoft 365 E3 (500 seats minimum)_HUB | Microsoft_365_E3 |
| Microsoft 365 E3 – Unattended License | SPE_E3_RPA1 |
| Microsoft 365 E5 | SPE_E5 |
| Microsoft 365 E5 (500 seats minimum)_HUB | Microsoft_365_E5 |
| Microsoft 365 E5 with calling minutes | SPE_E5_CALLINGMINUTES |
| Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF |
| Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB | Microsoft_365_E5_without_Audio_Conferencing |
| TEST – Microsoft 365 E3 | SPE_E3_TEST |
| TEST – Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF_TEST |
| Windows 10/11 Enterprise E3 | WIN10_VDA_E3 |
| Windows 10/11 Enterprise E5 | WIN10_VDA_E5 |
| Windows 10/11 Enterprise VDA | E3_VDA_only |
You’ll also find that only a few Windows 10/11 editions and build versions are eligible for registration with Windows Autopatch. These are as follows:
Windows 10 (1809+)/11 Pro
Windows 10 (1809+)/11 Enterprise
Windows 10 (1809+)/11 Pro for Workstations
In addition to the licensing requirements given above, these users will also need to have Azure Active Directory Premium and Microsoft Intune.
Network configuration
The next area to review is the connectivity your corporate network needs to several Microsoft service endpoints. Because Autopatch is a cloud service, each of its elements depends on the device being able to reach a specific set of endpoints.
You can optimize the network path by configuring your firewalls or proxies to pass all trusted Microsoft 365 network requests straight through, bypassing proxy authentication and any additional packet-level inspection or processing.
As a result, you can expect to directly benefit from less latency and reduced perimeter capacity requirements. The required proxy or firewall will need to support TLS 1.2. If it doesn’t, you might need to disable protocol detection.
REQUIRED WINDOWS AUTOPATCH ENDPOINTS FOR PROXY AND FIREWALL RULES
The allowed list for your proxy and firewall needs to contain certain URLs if Autopatch devices are to be able to communicate with Microsoft services. The Windows Autopatch URLs are used by everything the service runs through its client APIs, so it’s important to verify that they remain consistently reachable from your corporate network. The URLs required on the allowed list are given below:
mdcustomer.microsoft.com
mmdls.microsoft.com
logcollection.mmd.microsoft.com
support.mmd.microsoft.com
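As an added check that is not part of the original post, the PowerShell below opens a TLS 1.2-only session to each of the four Autopatch endpoints listed above, so a proxy that blocks them, re-signs the certificate, or breaks protocol detection shows up before enrollment; it assumes outbound TCP 443 from the machine it runs on.

```powershell
# Added example (not from the page): probe each required Windows Autopatch endpoint
# on TCP 443 and force a TLS 1.2-only handshake, reporting what actually negotiated.
$AutopatchEndpoints = @(
    'mdcustomer.microsoft.com',
    'mmdls.microsoft.com',
    'logcollection.mmd.microsoft.com',
    'support.mmd.microsoft.com'
)

function Test-AutopatchEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [pscustomobject]@{
        HostName   = $HostName
        TcpOpen    = $false
        Tls12      = $false
        CertIssuer = $null
        Error      = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so a silently dropping firewall does not hang the run.
        $connect = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${HostName}:$Port timed out after $TimeoutMs ms"
        }
        $client.EndConnect($connect)
        $result.TcpOpen = $true

        # Default certificate validation stays on: an inspecting proxy that re-signs
        # traffic surfaces here as a chain validation error rather than silently passing.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient(
            $HostName,
            $null,
            [System.Security.Authentication.SslProtocols]::Tls12,
            $true)
        $result.Tls12      = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
        $result.CertIssuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }
    return $result
}

$report = $AutopatchEndpoints | ForEach-Object { Test-AutopatchEndpoint -HostName $_ }
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Tls12 }) {
    Write-Warning 'One or more Autopatch endpoints did not negotiate TLS 1.2; review proxy/firewall allow lists and protocol detection settings.'
}
```

Run it from a device on the corporate network (through the same proxy the Autopatch clients use), since a clean result from an unfiltered admin workstation proves nothing about the path the managed devices take.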
REQUIRED MICROSOFT PRODUCT ENDPOINTS
The allowed list will also need to contain certain URLs from several Microsoft products if Autopatch devices are to be able to communicate with these Microsoft services. The table below shows the Microsoft services as well as the corresponding URLs.
| Microsoft Service | URLs required on Allowlist |
| --- | --- |
| Windows 10/11 Enterprise including Windows Update for Business | Manage connection endpoints for Windows 10 Enterprise, version 1909; Manage connection endpoints for Windows 10 Enterprise, version 2004; Connection endpoints for Windows 10 Enterprise, version 20H2; Manage connection endpoints for Windows 10 Enterprise, version 21H1; Manage connection endpoints for Windows 10 Enterprise, version 21H2; Manage connection endpoints for Windows 11 Enterprise |
| Microsoft 365 | Microsoft 365 URL and IP address ranges; Hybrid identity required ports and protocols |
| Azure Active Directory | Active Directory and Active Directory Domain Services Port Requirements |
| Microsoft Intune | Intune network configuration requirements; Network endpoints for Microsoft Intune |
| Microsoft Edge | Allowlist for Microsoft Edge Endpoints |
| Microsoft Teams | Office 365 URLs and IP address ranges |
| Windows Update for Business (WUfB) | Windows Update for Business firewall and proxy requirements |
DELIVERY OPTIMIZATION
One of the recommendations made by Windows Autopatch during your enrollment into the Autopatch service is that you configure and validate Delivery Optimization. Doing so will provide access to a P2P distribution technology that is offered in Windows 10 and Windows 11.
And the key advantage of this is that you get a service that enables devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Another core benefit of using this technology is that it can also reduce network bandwidth since portions of the update will already be available to the device from another device sharing the same local network. So, there won’t be an additional need to perform a complete update download from Microsoft.
Azure Active Directory
When it comes down to identifying the source of authority for all user accounts then Azure Active Directory would arguably be the most ideal. If not, however, you will need to ensure that all user accounts are synchronized from on-premises Active Directory. And this will have to be done using the latest supported version of the Azure Active Directory Connect so that Hybrid Azure Active Directory join can be enabled.
Azure AD Connect is a Microsoft service that your organization will receive as part of your Azure subscription. This tool is something that will help you to manage the synchronization of identity data between your on-premises Active Directory environment and Azure AD. So, users will benefit from the convenience of being able to use the same credentials to access on-premises applications and cloud services.
Hybrid Azure AD join, in its simplest terms, means having a device that is available in both the on-premises Active Directory and the Azure AD environments. Therefore, this tool can simplify device management because of how a ‘hybrid-joined’ device is visible on both platforms.
Before registration with Windows Autopatch can proceed, all the concerned devices will need to be enrolled with Intune. Furthermore, Intune should be set as the Mobile Device Management authority. Alternatively, you’ll need to ensure that co-management is turned on and enabled on the target devices. In that case, you are required to set the Windows Update, Device configuration, and Office Click-to-Run workloads to Pilot Intune or Intune. And then don’t forget to verify that the devices you want to bring to Windows Autopatch are in the targeted device collection.
Device Management
The device management requirements for Windows Autopatch are given below:
All devices that you are going to use will need to be corporate-owned. This is because Windows bring-your-own-devices (BYOD) are not eligible and will therefore not pass the device registration prerequisite checks.
Devices should be under Configuration Manager or Intune co-management. So, any devices that are only under Configuration Manager management will not be eligible.
Registration with Windows Autopatch is only possible if a device has been in communication with Microsoft Intune in the last 28 days.
It goes without saying that internet connectivity is required for the devices.
Lastly, devices need to have a serial number, model, and manufacturer. Therefore, any device emulators that don’t provide this information will not pass the Intune or Cloud-attached prerequisite check.
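An added PowerShell example, not from the page, that scores Intune device records against the prerequisites listed above (corporate ownership, a check-in within the last 28 days, serial number/model/manufacturer present, and a build no older than the Windows 10 1809 minimum); the property names follow the Microsoft Graph managedDevice resource returned by Get-MgDeviceManagementManagedDevice, and the sample records are constructed so it runs offline.

```powershell
# Added example (not from the page): evaluate Intune device records against the
# Windows Autopatch registration prerequisites. Real records come from
# Get-MgDeviceManagementManagedDevice (Microsoft.Graph module, scope
# DeviceManagementManagedDevices.Read.All); the sample objects below are constructed.
function Test-AutopatchDevicePrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Device,
        [datetime]$Now = (Get-Date)
    )
    process {
        $failures = New-Object System.Collections.Generic.List[string]

        # BYOD devices are not eligible: Intune ownership must be 'company'.
        if ($Device.ManagedDeviceOwnerType -ne 'company') {
            $failures.Add("ownership is '$($Device.ManagedDeviceOwnerType)', not company")
        }

        # The device must have talked to Intune within the last 28 days.
        $age = $Now - [datetime]$Device.LastSyncDateTime
        if ($age.TotalDays -gt 28) {
            $failures.Add("last Intune sync $([int]$age.TotalDays) days ago (limit 28)")
        }

        # Emulators that report no serial/model/manufacturer fail the prerequisite check.
        foreach ($prop in 'SerialNumber', 'Model', 'Manufacturer') {
            if ([string]::IsNullOrWhiteSpace($Device.$prop)) { $failures.Add("$prop is empty") }
        }

        # Windows 10 1809 is build 17763; older builds are below the minimum OS.
        # Assumption: OSVersion is in the usual 10.0.<build>.<ubr> form.
        $build = 0
        if ($Device.OperatingSystem -eq 'Windows' -and $Device.OSVersion -match '^\d+\.\d+\.(\d+)') {
            $build = [int]$Matches[1]
        }
        if ($build -lt 17763) {
            $failures.Add("OS version '$($Device.OSVersion)' is below Windows 10 1809 (build 17763)")
        }

        [pscustomobject]@{
            DeviceName = $Device.DeviceName
            Eligible   = ($failures.Count -eq 0)
            Failures   = ($failures -join '; ')
        }
    }
}

# Constructed sample records mirroring the managedDevice properties used above.
$sampleDevices = @(
    [pscustomobject]@{ DeviceName = 'LT-001'; ManagedDeviceOwnerType = 'company';  LastSyncDateTime = '2024-05-01T08:00:00Z'; SerialNumber = 'SN0001'; Model = 'Latitude 5540';    Manufacturer = 'Dell Inc.'; OperatingSystem = 'Windows'; OSVersion = '10.0.22631.3593' }
    [pscustomobject]@{ DeviceName = 'LT-002'; ManagedDeviceOwnerType = 'personal'; LastSyncDateTime = '2024-05-01T08:00:00Z'; SerialNumber = 'SN0002'; Model = 'Surface Laptop 5'; Manufacturer = 'Microsoft'; OperatingSystem = 'Windows'; OSVersion = '10.0.19045.4291' }
    [pscustomobject]@{ DeviceName = 'VM-EMU'; ManagedDeviceOwnerType = 'company';  LastSyncDateTime = '2024-03-01T08:00:00Z'; SerialNumber = '';       Model = '';                 Manufacturer = '';          OperatingSystem = 'Windows'; OSVersion = '10.0.17134.1' }
)

# Offline run against the constructed records (fixed "now" so the 28-day check is deterministic):
$sampleDevices | Test-AutopatchDevicePrerequisites -Now ([datetime]'2024-05-10T00:00:00Z') | Format-Table -AutoSize

# Against a tenant, after Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All:
# Get-MgDeviceManagementManagedDevice -All | Test-AutopatchDevicePrerequisites | Where-Object { -not $_.Eligible }
```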
A few things to note
Based on the aforementioned requirements, there are a few other things that we should be aware of. One of these issues involves the registration of devices that don’t meet the minimum Windows OS required.
Although these devices can be registered with Windows Autopatch, after that process is complete they will be offered the minimum Windows OS version. You’ll need to make the necessary changes concerning the minimum Windows OS version. From there, you’ll receive monthly security updates that maintain the health and security of your devices.
Furthermore, Windows Autopatch allows you to register Windows 10 Long-Term Servicing Channel (LTSC) devices that are currently serviced by the Windows LTSC. However, for these devices the service can only manage the Windows quality updates workload.
So, any devices that are part of the LTSC are not eligible for Windows feature updates from both the Windows Autopatch and Windows Update for Business services. In the case of Windows devices that are part of the LTSC, you’ll need to use either the Configuration Manager Operating System Deployment capabilities or LTSC media to carry out an in-place upgrade.
Configuration Manager Co-management Requirements
We’ve already gone through some of the information concerning co-management and Windows Autopatch. Since co-management is fully supported, you need to know what the requirements are:
You need to use a current, supported version of Configuration Manager.
Configuration Manager should also be cloud-attached with Intune (co-management). And it will need to have the co-management workloads mentioned earlier (Windows Update, Device configuration, and Office Click-to-Run) enabled and set to either Pilot Intune or Intune.
Among the additional requirements for devices managed by Configuration Manager is the need to switch Configuration Manager workloads to Intune. This is something that can present a significant issue for a lot of people. Fortunately, however, you’ll still be able to switch workloads back to Configuration Manager if you later decide that’s what you want.
Different pilot collections can be configured for all of the co-management workloads. The benefit of using various pilot collections is the ability to leverage a more granular approach during the shifting of workloads. So, workloads can be switched at your convenience, meaning you can do so as soon as you enable co-management, or you can postpone it until a later time. At this point, if you haven’t yet enabled co-management, that’s what you’ll need to do first. And once done, you can proceed to modify the settings in the co-management properties.
Modify
Head over to the Configuration Manager console and go to the Administration workspace. Next, you need to expand Cloud Services and then select the Cloud Attach node. If the version is 2103 or earlier, then select the Co-management node.
Select the co-management object, and then choose Properties in the ribbon.
Next, you need to switch to the Workloads tab. Take note that all workloads are by default set to the Configuration Manager setting. So, to switch a workload you must move the slider control for that workload to the desired setting. If you keep the slider where it is, then Configuration Manager will continue to manage the workload. Move the slider to Pilot Intune only for the devices in the pilot collection. If you want to change the pilot collections, you can do so on the Staging tab of the co-management properties page. And then lastly, move the slider to Intune for all Windows devices enrolled in co-management.
If necessary, you can now go to the Staging tab and change the Pilot collection for any of the workloads you want.
NOTE: Before switching any workload, always verify that the corresponding workload has been configured and deployed in Intune. In addition, each workload should always be managed by exactly one of the available management tools for your devices. Furthermore, whenever you switch a co-management workload, the co-managed devices automatically synchronize the MDM policy from Intune.
Data and Privacy
The administration of enrolled devices requires Windows Autopatch to use data from various sources. These sources, which include Intune, Azure AD, and Windows 10/11, are going to provide a comprehensive view of the devices under Autopatch management. Below is a helpful table containing a list of the various data sources. Also outlined is the intended purpose of the information:
| Data Source | Purpose |
| --- | --- |
| Windows 10/11 Enterprise | Handles the management of device setup experience, connections to other services, and operational support for IT pros. |
| Windows Update for Business | Leverages diagnostic data collected from Windows 10/11 Enterprise to provide additional information on Windows 10/11 updates. |
| Microsoft Intune | Handles device management and plays a key role in maintaining device security. It makes use of two endpoint management data sources: Microsoft Azure Active Directory (authentication and identification of all user accounts) and Microsoft Intune (distributing device configurations, device management, and application management). |
| Windows Autopatch | Data provided by the customer or generated by the service during the running of the service. |
| Microsoft 365 Apps for Enterprise | Management of Microsoft 365 Apps. |
Effective Service
Also, to effectively provide service to enterprise clients, Autopatch needs data from multiple Microsoft products and services. This data must be processed and copied from these services to Autopatch. This allows enrolled devices to be maintained and protected. The processor duties undertaken by Autopatch include maintaining security, confidentiality, and resilience. All this is done to ensure that Autopatch can offer clients high-level security in the handling of all personally identifiable data.
The vast amounts of data that Autopatch handles will be stored in Azure data centers depending on data residency. It’s also important to recognize that the data that is being accumulated is necessary for Autopatch to keep the service operational. If you decide to remove a device from Windows Autopatch, the data will be kept for no more than 30 days.
WINDOWS 10/11 DIAGNOSTIC DATA
To keep Windows secure, up to date, address any issues, and continuously make improvements, Autopatch leverages Windows 10/11 Enhanced diagnostic data. Within the enhanced diagnostic data setting, you’re going to find more comprehensive information concerning devices enrolled in Autopatch. Not only that but you also get detailed information about the devices’ health, capabilities, and settings.
So, when you select enhanced diagnostic data, data will be collected including the required diagnostic data. Because of how Autopatch only wants to process strictly necessary data, we can expect to see changes in the diagnostic data terminology in the future. The objective is to change the diagnostic level to Optional with Autopatch looking to implement the limited diagnostic policies to fine-tune the diagnostic data collection required for the service.
Not all system-level data from Windows 10/11 optional diagnostic data will be processed and stored by Windows Autopatch. It only caters to data obtained from enrolled devices such as application and device reliability, and performance information. Therefore, clients should know that their personal data such as chat and browser history, voice, text, or speech data will not be processed or stored by Autopatch.
Wrap up
All of us can benefit immensely from a service that can help us manage the update process a lot more efficiently. It can save us valuable time, minimize errors, and enable our businesses to be more productive. Microsoft has developed Windows Autopatch with all this and more in mind. Using this service is meant to help your IT staff by removing some of their burdens while simultaneously reducing the time taken by patching cycles. So, if you want a service that can add a lot of value to your business, then Autopatch is one that’s worth considering.
One of the biggest challenges that organizations can face is how their employees handle security protocols. Many will admit that some of the greatest vulnerabilities can come from something as avoidable as simple reused passwords for multiple scenarios. By doing this, individuals will not only leave themselves exposed to attacks but will put the entire organization’s network at risk as well.
This type of challenge is precisely what Microsoft is trying to address with Windows Hello. It gives individuals a simpler but significantly more secure option to access various platforms. In this particular blog, I want us to take a look at how Windows Hello and Cloud Kerberos Trust can provide organizations with better security solutions.
Introducing Windows Hello
For the benefit of those who may not yet be familiar with this service, let’s start by going over what Windows Hello is. As already mentioned above, how users access various platforms is something that can create vulnerabilities in an organization’s network.
So, with Windows Hello, Microsoft is giving us a biometrics-based solution that gives Windows 10 or Windows 11 users the option to sign in to their devices, apps, and networks using a fingerprint, iris scan, or facial recognition. The great thing about this solution is that it gives users a more personal way to authenticate access and offers enterprise-grade security but eliminates the need to type in a password.
Expectedly, some users worry about access to their biometric data by third parties. Fortunately, Windows assures us that your data continues to be highly encrypted and secure. Also, it does not leave your device nor is it stored anywhere else. And as long as you have a compatible device with the necessary hardware, getting started is easy. This is because there is a wizard that will teach the device to recognize your biometric credentials.
You will, however, need to set up a PIN as a backup in case any of the biometric authentication measures happen to fail. Simply put, Windows Hello provides a simple but highly secure authentication service that can also ease concerns about typing in passwords or using sign-in gestures in public.
Windows Hello for Business
Now that we’ve gone over what Windows Hello is, let’s take a look at how it differs from Windows Hello for Business (WHfB). In the simplest of terms, WHfB has all the features of Windows Hello as well as other more advanced ones. Whereas Windows Hello is more suited to the home environment, WHfB, as the name suggests, intends to suit businesses.
For the configuration of WHfB, you can use either a GPO or MDM. Also, Windows Hello for Business uses a PIN backed by an asymmetric key pair or certificate-based authentication. Eliminating the use of password hashes, and thus the transmission of passwords, means that security is significantly better. And if you want to use the asymmetric key, you’ll require Azure AD or the implementation of a Windows Server 2016 domain controller.
What is Cloud Kerberos Trust?
With the development of Windows Hello for Business Cloud Kerberos Trust, Microsoft is aiming to provide Windows Hello for Business with a simple passwordless experience. The objective is to also avail the service to new or existing Windows Hello for Business deployments. One of the key things about Windows Hello for Business Cloud Kerberos Trust is that it leverages Azure AD Kerberos. Doing it this way means that you create a simpler deployment as compared to the key trust model:
In this scenario, the deployment of a public key infrastructure (PKI) or changing an existing PKI becomes unnecessary.
Additionally, synchronizing public keys between Azure AD and Active Directory for users to access on-premises resources also becomes unnecessary.
Lastly, the deployment of passwordless security key sign-in becomes something that you can do with very little extra setup.
Therefore, with all these potential benefits, Microsoft advises that Windows Hello for Business Cloud Kerberos Trust be the recommended deployment model when compared to the key trust model. And for clients that do not need to support certificate authentication scenarios, this is also the most recommended deployment model.
Azure AD Kerberos and Cloud Kerberos Trust authentication
When it comes to requesting Kerberos ticket-granting tickets (TGTs) for on-premises authentication, both the key trust and certificate trust models use certificate-based Kerberos authentication. Performing this type of authentication has two requirements:
PKI for DC certificates,
End-user certificates for certificate trust.
With Cloud Kerberos Trust, the use of Azure AD Kerberos removes the need for a PKI in order to request TGTs. Azure AD can issue these TGTs for one or more AD domains through Azure AD Kerberos. And as far as Windows is concerned, when authenticating with Windows Hello for Business it can request a TGT from Azure AD.
Once a TGT has been returned, Windows can then use it for sign-in or to access AD-based resources. However, it’s worth noting that Kerberos service tickets and authorization will still remain under the control of on-premises domain controllers.
With an enabled Active Directory domain, an Azure AD Kerberos server object will then be created in the domain and it will:
Not be associated with any physical server but will, however, still appear as a Read-Only Domain Controller (RODC) object.
Be solely used by Azure AD to create TGTs for the Active Directory domain. Furthermore, the Azure AD Kerberos Server object must adhere to the same rules and restrictions applied to RODCs.
It’s important to note, though, that there is something to consider before implementing the Cloud Kerberos Trust deployment model. You have to first verify that each of the Active Directory sites where users will be authenticating with Windows Hello for Business has enough read-write domain controllers.
Prerequisites
| Requirement | Notes |
| --- | --- |
| Multi-factor authentication | There are a few options that you can use to meet this requirement: Azure AD multi-factor authentication, or multi-factor authentication provided through AD FS or any other comparable solution. |
| Windows 10, version 21H2, or Windows 11 and later | Clients using Windows 10 21H2 need to check that they have KB5010415 installed; those using Windows 11 21H2 need KB5010414 installed. There is no difference in Windows version support between Azure AD-joined and Hybrid Azure AD-joined devices. |
| Windows Server 2016 or later Domain Controllers | Clients using Windows Server 2016 need to check that they have KB3534307 installed; those using Windows Server 2019 must have KB4534321 installed. |
| Azure AD Kerberos PowerShell module | This module is necessary for enabling and managing Azure AD Kerberos. You can find it in the PowerShell Gallery. |
| Device management | Windows Hello for Business Cloud Kerberos Trust can be managed using group policy or using mobile device management (MDM) policy. The feature is disabled by default, so you will need to enable it using policy. |
Authentication to on-premises resources
For authentication to on-premises resources to work properly, Cloud Kerberos Trust will need to be enabled for the user in question. Once it is, an attempt to access a domain resource begins with the device obtaining a name hint from metadata in the PRT. A DC locator then finds a valid DC, and the partial TGT from Azure AD Kerberos is sent to that DC in a TGS_REQ. The DC validates the partial TGT and returns a full TGT. However, the user will still need to be synchronized from Active Directory. This is an important step, because it is what allows the domain name associated with the user to be found when tickets are requested from the KDC.
Azure Active Directory
When it comes to Azure AD-joined devices, authentication to Active Directory will only begin when a particular user tries to access a resource that requires Kerberos authentication. At this point, the Kerberos security support provider will then leverage metadata from the WHfB key in order to get a hint of the user’s domain.
Once the hint is available, the provider can then use a DC locator to find a 2016 domain controller. A domain hint is absolutely necessary for the DC locator. And this will be obtained from the onpremisedomainname that you get with the PRT. Next, the client will get a Domain Controller returned for the continuation of normal service ticket issuance.
Once an active 2016 domain controller is found, the Kerberos provider forwards the partial TGT, obtained from Azure AD during a prior Azure AD authentication, to that domain controller. This partial TGT, signed by Azure AD Kerberos, contains only the user SID. It is the domain controller's role to check the validity of the partial TGT. If the check succeeds, the KDC sends a full TGT to the client, after which the client can request service tickets.
Deployment process
To complete the deployment of Windows Hello for Business Cloud Kerberos Trust, there are two steps to follow:
Set up Azure AD Kerberos.
Configure a Windows Hello for Business policy and deploy it to the devices.
Deploy Azure AD Kerberos
If you have already deployed on-premises SSO for passwordless security key sign-in, Azure AD Kerberos is already deployed in your hybrid environment, so there is no need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business. If you haven’t done so, you can find the instructions in the section “Enable passwordless security key sign-in to on-premises resources by using Azure AD”.
Configure Windows Hello for Business policy
Once you have the Azure AD Kerberos object set up, you’ll need to enable Windows Hello for Business Cloud Kerberos Trust on your Windows devices. To configure your devices using Microsoft Intune you can follow the instructions below.
Intune policies can configure Windows Hello for Business if the devices are already under Intune management. You have several options available to you if you want to enable and configure Windows Hello for Business in Intune:
Devices enrolled in Intune can have a tenant-wide policy applied to them. However, this policy can only be applied at enrolment time. So any changes that are later made to its configuration will not apply to already enrolled devices. This is precisely why, most of the time, you’ll find this policy disabled. And then WHfB can be enabled using a policy targeted to a security group.
A device configuration policy can be applied as soon as the device is enrolled in Intune. If you make any changes to the policy, these will only apply to the devices during regular policy refresh intervals. You get several policy types that you can choose from:
If you want to verify exactly which Windows Hello for Business policy was applied at enrollment you can follow the steps below:
Navigate to the Microsoft Intune admin center and sign in.
Select Devices > Windows > Windows Enrollment.
Select Windows Hello for Business.
Now you can check the status of Configure Windows Hello for Business as well as any other configurable settings.
Enable Windows Hello for Business
Windows Hello for Business is configurable using an account protection policy and to do so you can follow the steps below:
Navigate to the Microsoft Intune admin center and sign in.
Select Endpoint security > Account protection.
Select + Create Policy.
For Platform, select Windows 10 and later; for Profile, select Account protection.
Select Create.
Decide on a Name and then, optionally, a Description > Next.
Select Disabled under Block Windows Hello for Business; this reveals multiple additional policies.
It’s important to note that these policies are optional to configure, but the recommendation is to configure Enable to use a Trusted Platform Module (TPM) to Yes.
Under Enable to certificate for on-premises resources, select Not configured.
Select Next.
You’ll also have the option to add scope tags and select Next.
Assign the policy to a security group that contains as members the devices or users that you want to configure > Next.
Go over the policy configuration again and if satisfied select Create.
Configure the Cloud Kerberos Trust policy
If you want to configure the Cloud Kerberos Trust policy, you can do so using a custom template. Also, this configuration is done separately from enabling Windows Hello for Business. The configuration process should follow the steps below:
Navigate to the Microsoft Intune admin center and sign in.
Select Devices > Windows > Configuration Profiles > Create profile.
For Profile Type, select Templates and select the Custom Template.
Next, you need to provide a name for the profile. Ideally, this is something simple such as “Windows Hello for Business Cloud Kerberos Trust”.
Then, head over to Configuration Settings where you’ll need to add a new configuration with these settings:
- Name: Windows Hello for Business Cloud Kerberos Trust or something else similarly simple
- Description (optional): Enable Windows Hello for Business Cloud Kerberos Trust for sign-in and on-premises SSO
(This tenant ID will need to be replaced with the tenant ID for your Azure AD tenant)
- Data type: Boolean
- Value: True
The final step requires you to assign the policy to a security group whose members are the devices or users that you want to configure.
A very important point to be aware of is that you must first ensure that the Use certificate for on-premises authentication policy is not configured on any of the machines where you want to enable Cloud Kerberos Trust. If that policy is enabled, certificate trust takes precedence over Cloud Kerberos Trust.
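As an added example (not part of the original article), a PowerShell audit that reads a device's effective Windows Hello for Business policy and flags the precedence problem just described; the registry locations and value names it reads are assumptions stated in the comments.

```powershell
# Added example, not part of the original article: audit a device's effective
# Windows Hello for Business trust policy and flag the precedence problem above
# (certificate trust configured alongside Cloud Kerberos Trust).
# ASSUMPTIONS (verify on your build): Group Policy stores these settings under
# HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork, Intune/MDM under
# HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies,
# as DWORDs named Enabled, UseCloudTrustForOnPremAuth, UseCertificateForOnPremAuth.

function Get-PolicyValue {
    param([string] $Path, [string] $Name)
    # $null means "Not configured", which differs from an explicit 0 (Disabled).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$Name
}

function Get-WhfbTrustPolicy {
    # One record per policy location that exists on this device.
    $paths = @('HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork')
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    if (Test-Path $mdmRoot) {
        # One subkey per tenant ID, the same ID the custom Intune profile is keyed on.
        $paths += Get-ChildItem -Path $mdmRoot |
            ForEach-Object { "$mdmRoot\$($_.PSChildName)\Device\Policies" }
    }
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        [pscustomobject]@{
            Source                      = $p
            Enabled                     = Get-PolicyValue $p 'Enabled'
            UseCloudTrustForOnPremAuth  = Get-PolicyValue $p 'UseCloudTrustForOnPremAuth'
            UseCertificateForOnPremAuth = Get-PolicyValue $p 'UseCertificateForOnPremAuth'
        }
    }
}

function Test-CloudKerberosTrustPolicy {
    # $true only when WHfB is enabled, Cloud Kerberos Trust is on, and no policy
    # location enables certificate trust (which would win over Cloud Kerberos Trust).
    $entries = @(Get-WhfbTrustPolicy)
    if ($entries.Count -eq 0) {
        Write-Warning 'No Windows Hello for Business policy found; the feature is disabled by default.'
        return $false
    }
    $ok = $true
    foreach ($e in $entries) {
        Write-Host ('{0}: Enabled={1} CloudTrust={2} CertTrust={3}' -f $e.Source, $e.Enabled, $e.UseCloudTrustForOnPremAuth, $e.UseCertificateForOnPremAuth)
        if ($e.UseCertificateForOnPremAuth -eq 1) {
            Write-Warning "$($e.Source): certificate trust is enabled and takes precedence; set 'Use certificate for on-premises authentication' to Not configured."
            $ok = $false
        }
    }
    if (-not ($entries | Where-Object { $_.Enabled -eq 1 })) {
        Write-Warning 'Windows Hello for Business is not enabled in any policy location.'; $ok = $false
    }
    if (-not ($entries | Where-Object { $_.UseCloudTrustForOnPremAuth -eq 1 })) {
        Write-Warning 'UseCloudTrustForOnPremAuth is not set to 1 in any policy location.'; $ok = $false
    }
    return $ok
}

Test-CloudKerberosTrustPolicy
```

Run it from an elevated prompt on a device after the policy has refreshed; a $false result with the certificate-trust warning is exactly the condition the paragraph above warns about.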
Provision Windows Hello for Business
When it comes to the provisioning of Windows Hello for Business, the process will begin once a user has signed in. That is, of course, if they meet all the prerequisites. In cases where Cloud Kerberos Trust is enabled by policy on Hybrid Azure AD-joined devices, then Windows Hello for Business Cloud Kerberos Trust will also perform a prerequisite verification.
And if you want to view the status of the prerequisite check you can navigate to User Device Registration admin log under Applications and Services Logs > Microsoft > Windows. Alternatively, you can also view this information from a console by using the dsregcmd /status command.
During a Cloud Kerberos Trust prerequisite check, the system will be looking to pick up whether the user has a partial TGT before the provisioning process proceeds. And the importance of this check is to validate whether Azure AD Kerberos is set up for the user’s domain and tenant.
Upon completion of the check and verification of the Azure AD Kerberos setup, the user can then receive a partial TGT during sign-in with one of their other unlock methods. There are three possible states that you can encounter during the check: Yes, No, and Not Tested. You will see the Not Tested state in a couple of situations:
Cloud Kerberos Trust is not being enforced by policy
The device is Azure AD joined
However, please note that Azure AD-joined devices will not have the Cloud Kerberos Trust prerequisite check performed on them. Users can still sign in on Azure AD-joined devices even if Azure AD Kerberos is not provisioned. But, they won’t have SSO to on-premises resources secured by Active Directory.
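As an added example, not from the original article, a PowerShell check that parses dsregcmd /status output and reports whether the signed-in user holds the partial cloud TGT and the full on-premises TGT described in the authentication flow above; the field names OnPremTgt and CloudTgt are assumed from dsregcmd's SSO State section, and the sample output is constructed.

```powershell
# Added example, not part of the original article: parse `dsregcmd /status` after
# a user has signed in and report whether they hold the partial (cloud) TGT and the
# full on-premises TGT that Cloud Kerberos Trust sign-in depends on. ASSUMPTIONS:
# dsregcmd prints "Name : Value" lines and its SSO State section carries the fields
# AzureAdPrt, OnPremTgt and CloudTgt with YES/NO values; the sample below is
# constructed, not captured from a real device.

function ConvertFrom-DsregcmdStatus {
    # "   AzureAdPrt : YES" -> @{ AzureAdPrt = 'YES' }; box-drawing and section
    # header lines do not match the pattern and are skipped.
    param([string[]] $Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<k>[A-Za-z0-9]+)\s*:\s*(?<v>.*?)\s*$') {
            $status[$Matches.k] = $Matches.v
        }
    }
    return $status
}

function Test-CloudKerberosTrustSignIn {
    # Returns an object with one boolean per field plus a Problems list; Healthy is
    # $true only when the PRT and both TGTs are present.
    param([string[]] $DsregcmdOutput = (dsregcmd /status))
    $s = ConvertFrom-DsregcmdStatus -Lines $DsregcmdOutput
    $r = [ordered]@{
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($s['DomainJoined']  -eq 'YES')
        AzureAdPrt    = ($s['AzureAdPrt']    -eq 'YES')
        CloudTgt      = ($s['CloudTgt']      -eq 'YES')   # partial TGT from Azure AD Kerberos
        OnPremTgt     = ($s['OnPremTgt']     -eq 'YES')   # full TGT exchanged with an on-prem DC
        Problems      = [System.Collections.Generic.List[string]]::new()
    }
    if (-not $r.AzureAdPrt) { $r.Problems.Add('No Azure AD PRT: the user has not completed an Azure AD sign-in on this device.') }
    if (-not $r.CloudTgt)   { $r.Problems.Add('No cloud TGT: Azure AD Kerberos is not set up for this user''s domain and tenant, or the user is not synchronized from AD.') }
    if ($r.CloudTgt -and -not $r.OnPremTgt) { $r.Problems.Add('Cloud TGT present but no on-prem TGT: no line of sight to a Windows Server 2016 or later DC when the partial TGT was exchanged.') }
    if ($r.AzureAdJoined -and -not $r.DomainJoined) { $r.Problems.Add('Azure AD joined, not hybrid: the prerequisite check is skipped and on-prem SSO needs Azure AD Kerberos provisioned.') }
    $r['Healthy'] = ($r.AzureAdPrt -and $r.CloudTgt -and $r.OnPremTgt)
    return [pscustomobject]$r
}

# Constructed sample output (abridged) for an offline run; omit -DsregcmdOutput on a real device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-01-15 08:12:03.000 UTC
             EnterprisePrt : NO
                 OnPremTgt : NO
                  CloudTgt : YES
'@ -split "`r?`n"
Test-CloudKerberosTrustSignIn -DsregcmdOutput $sample
```

With the constructed sample the result is Healthy = False with the "Cloud TGT present but no on-prem TGT" problem, the state you see on a hybrid device that had no line of sight to a DC at first PIN sign-in.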
PIN setup
Once a user completes the sign-in process, the process for enrolling in Windows Hello for Business begins and happens as follows:
The user will see a full-screen page appear prompting them to use Windows Hello with the organization account. They can then proceed to select OK.
Next up in the process is the multi-factor authentication portion of the enrollment. The user receives a notification that the system is trying to contact them through their configured form of MFA, and the provisioning process cannot proceed until that authentication succeeds, fails, or times out. If the MFA fails or times out, the user sees an error and is asked to retry.
Once there is a successful MFA, the user will then be asked to create and validate a PIN. This PIN needs to adhere to the complexity policies that may be set on the device.
Sign-in
Signing in can be done as soon as the user has finished setting up a PIN with Cloud Kerberos Trust. For those using Hybrid Azure AD joined devices there will need to be a line of sight to a DC when the PIN is first used. However, after this initial sign-in or unlocking with the DC, the system will leverage cached sign-in for subsequent unlocks without line of sight or network connectivity.
Migrate from key trust deployment model to Cloud Kerberos Trust
Occasionally, there may be situations where someone may have deployed Windows Hello for Business using the key trust model, but is now looking to migrate to the Cloud Kerberos Trust model. To do so you only need to follow a few simple steps:
Start by setting up Azure AD Kerberos in your hybrid environment.
Then you’ll need to enable Cloud Kerberos Trust via Group Policy or Intune.
Also, you’ll need to first sign out and sign in to the device using Windows Hello for Business when it comes to hybrid Azure AD joined devices.
When signing in for the first time, users of hybrid Azure AD joined devices must sign in with new credentials while having line of sight to a DC.
Migrate from certificate trust deployment model to Cloud Kerberos Trust
An important thing to note is that when moving from certificate trust deployment to a Cloud Kerberos Trust deployment, you’re not going to find a direct migration path. So, if you want to migrate to Cloud Kerberos Trust the Windows Hello container will first need to be deleted. For users that are interested in using the Cloud Kerberos Trust model but had initially deployed Windows Hello for Business using the certificate trust model, they will need to redeploy Windows Hello for Business. The steps to do that are given below:
To begin the process, the certificate trust policy will need to be disabled.
With that done you must then leverage either Group Policy or Intune to enable Cloud Kerberos Trust.
The next step involves the removal of the certificate trust credential using the command certutil -deletehellocontainer from the user context.
Sign out and sign back in.
Lastly, you can now provision Windows Hello for Business using the method that is best for you.
And similar to the previous scenario, when signing in for the first time, users of hybrid Azure AD joined devices must sign in with new credentials while having line of sight to a DC.
How Azure AD Kerberos enables access to on-premises resources
Kerberos TGTs can be issued for one or more of your Active Directory domains by Azure AD. The benefit of this feature is that it enables users to sign in to Windows with modern credentials, such as FIDO2 security keys, and then access traditional Active Directory-based resources.
However, your on-premises Active Directory DCs will retain control over authorization as well as the Kerberos Service Tickets. It’s also going to be in your on-premises Active Directory instance where Azure AD Kerberos Server objects will be created and subsequently securely published to Azure AD. These objects have no links to any physical servers. They are only resources that can be used by Azure Active Directory to generate Kerberos TGTs for your Active Directory domain.
Users first sign in to a Windows 10 device with a FIDO2 security key and authenticate to Azure AD.
Next, Azure AD will go through the directory looking for a Kerberos Server key that matches the user’s on-premises Active Directory domain.
At this point, a Kerberos TGT will then be generated by Azure AD for the user’s on-premises Active Directory domain. There’s no authorization data on this TGT, only the user’s SID.
The client will now receive the TGT as well as the user’s Azure AD Primary Refresh Token (PRT).
Then, an on-premises Active Directory DC will be contacted by the client machine in order to trade the partial TGT for a fully formed TGT.
The client machine is now able to access both cloud and on-premises resources because of the Azure AD PRT and full Active Directory TGT that it has obtained.
Requirements
There are a few prerequisites that need to be met if you are to proceed. And these are:
All concerned devices need to have Windows 10 version 2004 or later.
All Windows Servers will need to have Windows Server 2016 or later and have patches installed for Windows Server 2016 and Windows Server 2019.
AES256_HMAC_SHA1 must be enabled when Network security: Configure encryption types allowed for Kerberos policy is configured on domain controllers.
You need to have the necessary credentials to carry out the steps in the scenario:
- an Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest, referred to as $domainCred.
- an Azure AD user who is a member of the Global Administrators role, referred to as $cloudCred.
Supported scenarios
In this section, the scenario that we’ll be going over supports SSO in the situations below:
Cloud resources such as Microsoft 365 and other Security Assertion Markup Language (SAML)-enabled applications.
On-premises resources, and Windows-integrated authentication to websites. The resources can include websites and SharePoint sites that require IIS authentication and/or resources that use NTLM authentication.
Unsupported scenarios
The scenarios given below will not be supported:
Windows Server Active Directory Domain Services (AD DS)-joined (on-premises only devices) deployment.
Remote Desktop Protocol (RDP), virtual desktop infrastructure (VDI), and Citrix scenarios by using a security key.
# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Something that you should be aware of is that the Azure AD Kerberos PowerShell module uses the AzureADPreview PowerShell module to provide advanced Azure AD management features. For those that already have the Azure AD PowerShell module installed on the local computer, there could be a conflict that would result in the failure of the installation.
So, if you want to avoid any such conflicts then you need to include the “-AllowClobber” option flag. The Azure AD Kerberos PowerShell module can be installed on any computer from which you can access your on-premises Active Directory DC. And this can happen without having to depend on the Azure AD Connect solution.
Furthermore, you’ll find that the Azure AD Kerberos PowerShell module is distributed through the PowerShell Gallery. What this Gallery will provide is a central repository for PowerShell content. If you are looking for useful PowerShell modules containing PowerShell commands and Desired State Configuration (DSC) resources then this is the place to find them.
Create a Kerberos Server object
Once the Azure AD Kerberos PowerShell module is installed, you can use it to create an Azure AD Kerberos Server object in your on-premises directory. You’ll need to perform the following for each domain and forest in your organization that contains Azure AD users:
To begin, you’re going to need to use the Run as administrator option to open a PowerShell prompt.
Next, there will be some PowerShell commands that are used for creating a new Azure AD Kerberos Server object both in your on-premises Active Directory domain and in your Azure Active Directory tenant that you will need to run. You can find examples of these prompts on this page.
View and verify the Azure AD Kerberos Server
At this point, you may want to check that everything that you’ve done has come out the way it’s supposed to. So, to check out the Azure AD Kerberos Server that you’ve been working on, you can use this command:
By using this command, you’ll be able to see the properties of the Azure AD Kerberos Server. Doing so allows you to verify these properties and determine if this was the result you were looking for.
Running against another domain by supplying the credential will connect over NTLM, and then it fails. The issue can be resolved for users in the Protected Users security group in Active Directory by following these steps:
Navigate to ADConnect and sign in as another domain user
Don’t supply “-domainCredential”
The user that’s already signed in is the one whose Kerberos ticket is going to be used. However, you need to verify whether the user has the required permissions in Active Directory to execute the previous command and you can do so by executing whoami /groups.
VERIFYING PERMISSIONS
The properties shown, and what each one describes:
ID: The unique ID of the AD DS DC object. You will occasionally see this ID referred to as the slot or branch ID.
DomainDnsName: The DNS domain name of the Active Directory domain.
ComputerAccount: The computer account object of the Azure AD Kerberos Server object (the DC).
UserAccount: The disabled user account object that holds the Azure AD Kerberos Server TGT encryption key. Its distinguished name is CN=krbtgt_AzureAD,CN=Users,<Domain-DN>.
KeyVersion: The key version of the Azure AD Kerberos Server TGT encryption key. The version is assigned when the key is created and is incremented each time the key is rotated. Increments are based on replication metadata and are likely greater than one. Always ensure that KeyVersion on the on-premises object and CloudKeyVersion on the cloud object are the same.
KeyUpdatedOn: The date and time at which the Azure AD Kerberos Server TGT encryption key was created or last updated.
KeyUpdatedFrom: The domain controller where the Azure AD Kerberos Server TGT encryption key was last updated.
CloudId: The ID from the Azure AD object. It should match ID above.
CloudDomainDnsName: The DomainDnsName from the Azure AD object. It should match DomainDnsName above.
CloudKeyVersion: The KeyVersion from the Azure AD object. It must match KeyVersion above.
CloudKeyUpdatedOn: The KeyUpdatedOn from the Azure AD object. It should match KeyUpdatedOn above.
Rotate the Azure AD Kerberos Server key
Users are advised to regularly rotate the Azure AD Kerberos Server encryption krbtgt keys. And as far as what schedule to follow, it’s recommended that you use the same rotation schedule applied to all the other Active Directory DC krbtgt keys.
Remove the Azure AD Kerberos Server
In some cases, you may need to revert the scenario and remove the Azure AD Kerberos Server from both the on-premises Active Directory and Azure Active Directory. To do so, you can follow the command below:
In Azure AD, the Azure AD Kerberos Server object is represented as a KerberosDomain object, and each on-premises Active Directory domain is represented as a single KerberosDomain object in Azure AD.
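The commands that the Create, View and verify, Rotate and Remove sections refer to, as an added example rather than the article's own: a PowerShell script around the AzureADHybridAuthenticationManagement cmdlets that creates the object, checks the property pairs from the table above, and optionally rotates or removes the key. It assumes that module is installed and that $domainCred and $cloudCred are the accounts named under Requirements.

```powershell
# Added example, not part of the original article or of the module's own docs:
# create the Azure AD Kerberos Server object, verify that the on-premises copy and
# the Azure AD copy agree (the property pairs listed under "View and verify"),
# rotate the key on demand and, only when rolling the scenario back, remove it.
# ASSUMPTIONS: the AzureADHybridAuthenticationManagement module is installed;
# $domainCred / $cloudCred are the accounts named under Requirements; run from an
# elevated prompt on a machine with line of sight to a DC.

Import-Module AzureADHybridAuthenticationManagement

$domain     = $env:USERDNSDOMAIN   # DNS name of the AD domain that holds the Azure AD users
$domainCred = Get-Credential -Message 'Domain Admins / Enterprise Admins account (UPN form)'
$cloudCred  = Get-Credential -Message 'Azure AD Global Administrator account'
$rotate     = $false               # set to $true on your krbtgt rotation schedule
$remove     = $false               # set to $true only to revert the scenario

function Test-AzureADKerberosServerConsistency {
    # $true only when every on-premises property matches its cloud counterpart;
    # a KeyVersion/CloudKeyVersion mismatch means the two sides are not using the
    # same key, so partial TGTs may fail validation at the DC.
    param([Parameter(Mandatory)] $Server)
    $pairs = @(
        @{ OnPrem = 'Id';            Cloud = 'CloudId' },
        @{ OnPrem = 'DomainDnsName'; Cloud = 'CloudDomainDnsName' },
        @{ OnPrem = 'KeyVersion';    Cloud = 'CloudKeyVersion' },
        @{ OnPrem = 'KeyUpdatedOn';  Cloud = 'CloudKeyUpdatedOn' }
    )
    $ok = $true
    foreach ($p in $pairs) {
        $a = $Server.($p.OnPrem); $b = $Server.($p.Cloud)
        if ("$a" -ne "$b") {
            Write-Warning ("{0}='{1}' but {2}='{3}'" -f $p.OnPrem, $a, $p.Cloud, $b)
            $ok = $false
        }
    }
    return $ok
}

$common = @{ Domain = $domain; DomainCredential = $domainCred; CloudCredential = $cloudCred }

# 1. Create the Kerberos Server object in AD DS and publish it to Azure AD.
Set-AzureADKerberosServer @common

# 2. Read it back and compare both copies.
$server = Get-AzureADKerberosServer @common
$server | Format-List
if (-not (Test-AzureADKerberosServerConsistency $server)) {
    throw 'On-premises and Azure AD copies disagree; re-run Set-AzureADKerberosServer and check AD replication.'
}

# 3. Rotate the krbtgt_AzureAD key: KeyVersion must move forward and the cloud copy must follow.
if ($rotate) {
    $before = $server.KeyVersion
    Set-AzureADKerberosServer @common -RotateServerKey
    $after = Get-AzureADKerberosServer @common
    if ($after.KeyVersion -le $before -or -not (Test-AzureADKerberosServerConsistency $after)) {
        throw "Rotation did not complete cleanly (KeyVersion $before -> $($after.KeyVersion))."
    }
}

# 4. Roll back: removes the object from both AD DS and Azure AD.
if ($remove) { Remove-AzureADKerberosServer @common }
```

If the account in $domainCred is in the Protected Users group, the NTLM fallback described earlier applies; sign in on the machine as that user and drop DomainCredential from $common so the existing Kerberos ticket is used instead.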
Wrap up
Something that should be as simple as a password can create plenty of problems for businesses. If a user forgets a password this will hinder productivity and will cost the business as IT has to come in and resolve the issue. This is just one example of how issues with passwords can be problematic for businesses. And these situations can create vulnerabilities in an organization’s network that can leave them exposed to malicious actors. As you go over these problems, it’s easy to see why Windows Hello for Business can be just the right tool to address these challenges. It’s a service that offers you a simple but secure way to authenticate identities and thus enhance your overall organizational security. With cyber-attacks becoming more prevalent and sophisticated, solutions like Windows Hello for Business look like the way to go for the future.