
The importance of virtual machines to businesses continues to grow as the technology itself has constantly improved. Services like Windows 365 can become integral to an organization’s IT operations by providing highly secure, efficient, and scalable Cloud PCs.
As hybrid work environments grow even more popular among remote-capable employees, businesses need to take advantage of tested solutions such as Windows 365. Once you have made your decision, it’s also vital to provision your Cloud PCs correctly so your IT environment operates seamlessly.
Why Choose Windows 365?
A simple web search will probably show you several options that your business has when trying to pick a virtual machine solution. So, here are a few reasons why the Windows 365 Cloud PC may be the ideal solution for your organization:
- Flexibility – one of the best features of Windows 365 is that it is accessible from anywhere using any device. This gives remote employees a great degree of convenience: in addition to accessing their desktops from anywhere, they can do so on any device they have on hand.
- Scalability – unsurprisingly, this one is very popular with a lot of businesses. As a service that caters to both small and large enterprises, Windows 365 offers a range of solutions to meet each client’s specific needs. By providing flexible configurations, each organization receives a service plan that adequately meets its performance requirements while remaining cost-efficient. As the business evolves, computing resources can scale to meet usage needs.
- Security – security concerns are often the primary reason organizations turn away from cloud-based services. Fortunately, Windows 365 addresses those concerns with security features such as Microsoft Defender and Zero Trust principles, among others. Such features play a major role in keeping your organization’s data extremely secure at all times.
Significance of Provisioning Policies
Provisioning policies are the elements necessary for creating and assigning Cloud PCs to their users. They will determine which operating system version to use, as well as join type, language, and region.
By using critical provisioning rules and settings, these policies facilitate the building and configuring of Cloud PCs before they are made available to end users. Once you create a provisioning policy and assign it to Microsoft Entra user security groups or Microsoft 365 Groups, the Windows 365 service will verify licensing and configure the Cloud PC.
KEY INFORMATION
Before proceeding with the creation of provisioning policies, IT professionals should take note of the following information:
- Windows 365 Enterprise – Windows 365 does not provision Cloud PCs for users in an assigned group who don’t have Cloud PC licenses assigned. Furthermore, each Cloud PC license assigned to a user will use only one provisioning policy to set up and configure the Cloud PC. A Cloud PC will always provision using the first assigned policy.
- Windows 365 Frontline in dedicated mode – you should prepare for some users to not get their Cloud PCs. This occurs if there are more users in your Microsoft Entra user group than the number of Cloud PCs available for the selected size. And if any users are removed from the Microsoft Entra user group, the respective Cloud PCs automatically move into a grace period.
- Windows 365 Frontline in shared mode – in this instance, users removed from your Microsoft Entra user group will lose access to their Cloud PCs. And if the Microsoft Entra user group is removed from the assignment, the Cloud PCs are automatically deprovisioned with no grace period.
- Windows 365 Reserve – Cloud PCs will not automatically provision when creating the provisioning policy. Instead, provisioning will require the “Provision” device action. Additionally, some users might not receive their license assignment. For example, you may have more users in your Microsoft Entra user group than the number of licenses available in the tenant. Each Cloud PC license assigned to a user will have only one provisioning policy used to set up and configure the Cloud PC. And as before, Cloud PC provisioning always uses the first assigned policy.
Creating a Provisioning Policy
To create a provisioning policy, you will need to first provide some general information:
- Start by navigating to the Microsoft Intune Admin center and signing in. With that done, select Devices > Windows 365 (under Device onboarding) > Provisioning policies > Create policy.
- Next, you’ll need to provide a Name for the new policy on the General page. You can also provide a description (optional).
- There are 2 experience types you can choose from. The first option gives you access to a full Cloud PC desktop and is available for all Windows 365 license types. This means that end users can connect to a full Windows desktop experience. The second option is only available for Windows 365 Frontline in shared mode and allows end users to only access apps that run on a Cloud PC.
- At this juncture, you’ll need to choose a license type, which can be Enterprise, Frontline, or Reserve. However, those who select Frontline will require Windows 365 Frontline licenses to create a provisioning policy for Frontline Cloud PCs. Additionally, if you choose Frontline, you need to choose between Dedicated and Shared.
Deciding on a Join Type
If you choose to go with either Enterprise or Frontline, then you will need to pick a Join Type.
MICROSOFT ENTRA JOIN
Opting for Microsoft Entra Join has several advantages, such as streamlined device management and configuration, which helps to simplify IT operations. Combined with the excellent security measures and reduced delays in provisioning, there are plenty of reasons to make this option very attractive. To set up Entra Joined Windows 365 Cloud PCs, here are some of the requirements to consider:
- You need an Intune and a Microsoft Entra tenant.
- You also need to have Intune default device type enrollment restrictions set to Allow Windows (MDM) platform for corporate enrollment.
- With Intune as the primary device management, an Intune license will be necessary.
- Enterprise users need licenses for Windows E3, Intune, Microsoft Entra ID P1, and Windows 365 to use their Cloud PC. On the other hand, Frontline users need licenses for Windows E3, Intune, and Microsoft Entra ID P1. They will be added to the Microsoft Entra security group in the provisioning policy to use their Cloud PC.
- You need to have an administrator role. This can be either an Intune Administrator in Microsoft Entra ID or a Windows 365 Administrator if you want to provision Cloud PCs.
Entra Join comes with three options for network:
- Microsoft hosted network – you start by choosing the Geography where you want your Cloud PCs provisioned. With that done, you can pick a Region from the following:
  - [Recommended] All default regions within the geography (not supported for Frontline in shared mode) – enables you to maximize resiliency and provisioning success. This is the recommended option because it allows Cloud PCs to distribute across the maximum number of regions with a similar latency experience.
  - A single region group – for those who want all their Cloud PCs to be in one specific country or region group, it will be ideal to choose only that region group. By doing so, Cloud PCs will then distribute across its regions. This delivers maximum resiliency at the region-group level.
  - A specific region – this is your best option if you want to ensure that all your Cloud PC provisioning occurs in the specific region that you chose. Additionally, you can also choose regions across multiple region groups.
  - Auto opt-in – there is also an auto opt-in checkbox available that, if you enable, will automatically include any future regions or region groups as they become available. This gives you the convenience of benefiting from the latest Azure expansion without the need for manual updates.
- Azure network connection – for this policy, you need to select an Azure network connection (ANC).
HYBRID MICROSOFT ENTRA JOIN
Hybrid Microsoft Entra Join also has its advantages, especially for businesses that want to tap into the benefits of cloud-based solutions while still using on-premises applications and servers. This works well because these types of devices enable a seamless operation for both systems. However, you need to be aware that you cannot use this policy without selecting an ANC.
Choosing an Azure Network Connection
An ANC is required for your provisioning policy if you have chosen either of the options below:
- Join type – Hybrid Microsoft Entra Join
- Join type – Microsoft Entra Join and Network – Azure network connection
The steps below will guide you through the selection of an ANC:
- Pick one or more ANCs on the General page for Azure Network Connection.
- Those who select more than a single ANC can set the priority order for those ANCs. To do so, hover over an ANC, then select and drag on the three dots to move the ANC to a different position in the list.
If the first ANC in the list has no issues, it will always be used to provision Cloud PCs under this policy. However, in the event that something is wrong, then the policy will use the ANC that is next on the list, provided that it’s healthy.
Using Alternate ANCs
Alternate Azure Network Connections help minimize delays during provisioning. Without alternate ANCs, the Cloud PC provisioning process for policies that use an unhealthy ANC is blocked. As one can imagine, this would be extremely frustrating.
It’s this kind of scenario that gave rise to the alternate ANC, a great feature enabling you to define more than one ANC within a provisioning policy. Admins can add several alternate ANCs listed according to priority.
As mentioned earlier, if the highest-priority ANC fails, the next one on the list will be used. If the primary ANC recovers, it will automatically be used for new Cloud PCs being provisioned.
USE CONSIDERATIONS
Below are some of the considerations that businesses should look at before adding additional ANCs.
- Alternate ANC use is optional. A provisioning policy only requires a single ANC, and adding alternate ANCs is not mandatory. This simply means that those with a single ANC and who see no reason to change will not be required to modify their existing configurations.
- Alternate ANC selection is automatic. The choice of which ANC to use is automatic and follows the priority order list. Therefore, admins don’t need to manually make changes if the primary ANC becomes unhealthy. If a failure occurs, the next healthy ANC on the list will be the default. Admins should also be aware that they should not add an alternate ANC if they don’t want to provision into an alternate region.
- Alternate ANCs should use the same domain. If you are using a Hybrid Microsoft Entra Join ANC, the alternate ANCs that you add to your provisioning policy should match the domain of your primary ANC. If you don’t ensure this match, you can easily end up with some Cloud PCs joined to the primary ANC domain and others joined to the alternate ANC domain.
- Alternate ANCs should be geographically appropriate. Because the alternate ANCs will be substitutes if the primary ANC becomes faulty, you need to carefully consider the Azure regions in which these ANCs are created. Avoid regions that are geographically far apart, because Cloud PCs in those regions are not suitable for the users you intend to provision.
- Monitor your ANC health. Admins should be meticulous about regularly checking the health of primary ANCs. Otherwise, you could find yourself constantly dealing with a primary ANC that is frequently unhealthy. This results in more alternate ANC usage than you anticipated. You can avoid this by ensuring your primary ANC is always healthy, thereby reducing the need for the alternate ANC. An alternate ANC should be a fallback. And you should not add one unless you fully comprehend the consequences that come with provisioning Cloud PCs in a different ANC.
- You can have Alternate ANCs in the same region. They don’t necessarily need to be located in a different region. There may be situations where alternate ANCs in the same region provide value.
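The priority-and-health fallback and the domain and region considerations above, modelled as an added example (not code from the original post or from Microsoft). The `Anc` record, the `select_anc` and `review_policy` functions, and the sample ANC names, regions and domains are constructed for illustration and do not call any Windows 365 API.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Anc:
    name: str
    region: str
    healthy: bool
    domain: Optional[str] = None  # AD domain, only for Hybrid Microsoft Entra Join ANCs

def select_anc(ancs: List[Anc]) -> Optional[Anc]:
    """First healthy ANC in priority order; None means provisioning is blocked."""
    return next((a for a in ancs if a.healthy), None)

def review_policy(ancs: List[Anc], join_type: str) -> List[str]:
    """Findings for an ordered ANC list (index 0 is the primary ANC)."""
    if not ancs:
        return ["no ANC configured"]
    primary, findings = ancs[0], []
    for alt in ancs[1:]:
        # Hybrid join: a mismatched alternate splits Cloud PCs across AD domains.
        if join_type == "hybrid" and (alt.domain or "").lower() != (primary.domain or "").lower():
            findings.append(f"{alt.name}: domain {alt.domain} differs from primary {primary.domain}")
        # Failover is automatic, so an alternate in another region means
        # Cloud PCs can land there without any admin action.
        if alt.region != primary.region:
            findings.append(f"{alt.name}: failover provisions into {alt.region}, not {primary.region}")
    chosen = select_anc(ancs)
    if chosen is None:
        findings.append("all ANCs unhealthy: provisioning blocked")
    elif chosen is not primary:
        findings.append(f"primary {primary.name} unhealthy: new Cloud PCs use {chosen.name}")
    return findings

# Constructed sample policy: names, regions and domains are made up.
SAMPLE = [
    Anc("anc-weu-primary", "westeurope", False, "corp.example.com"),
    Anc("anc-weu-alt", "westeurope", True, "corp.example.com"),
    Anc("anc-eus-alt", "eastus", True, "lab.example.com"),
]

if __name__ == "__main__":
    for finding in review_policy(SAMPLE, "hybrid"):
        print(finding)
```

Running the review before saving a policy, and again whenever an ANC health state changes, shows which network and domain new Cloud PCs would actually land in.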
Image Selection
Windows 365 enables the use of both default and custom operating system images to automatically create Cloud PCs. Microsoft Intune provides users with a gallery containing default images. These can be used when creating provisioning policies for Cloud PCs.
In this gallery, users will find a more than adequate list of regularly updated images available for use. But, if you decide against this, you also get the option to upload your own custom images. However, regardless of whether you prefer default or custom, all images must meet the following requirements:
- Supported versions of Windows 10 or Windows 11 Enterprise.
- Generation 2 images.
- Generalized VM image.
- Single Session VM images.
- No recovery partition.
- The image must never have been Active Directory, Microsoft Entra ID joined, Intune-enrolled, or enrolled for co-management.
- In addition to the above, custom images should also exist in an Azure subscription. They should also be stored as a managed image in Azure.
To select an image, head over to the Image page and for Image type, pick one of the following options:
- Gallery image – Choose Select > select an image from the gallery > Select. (Note: For Reserve, the default gallery image is Automatic, where Windows 365 selects the latest image.)
- Custom image: Choose Select > select an image from the list > Select.
- Optional – If you chose Access only apps for Experience in the previous steps, then you can view applications discovered in the image. These applications will also be available to publish as Cloud Apps after creating the provisioning policy.
Once you’re done with your selection, click Next.
Wrap Up
Windows 365 Cloud PCs provide many benefits that can help businesses enhance their IT operations. End users get to access their desktops remotely and remain productive without having to worry about data security. Businesses can scale their resources up or down depending on their specific needs.
And just as importantly, Windows 365 is designed to be easy to set up by simplifying processes such as the creation of provisioning policies. As we’ve seen in part I of this blog, the process is not complicated, and we’ll be continuing our look into provisioning policies in the second part of this blog.