Simplifying The Creation of Windows 365 Provisioning Policies (part II)

Before an organization can deploy Windows 365, it needs to conduct research to gather the information needed to develop an execution plan. You need to look at your current IT setup so you can determine where your greatest need is and how Windows 365 Cloud PCs will integrate into your IT operations. And after looking at all of that, you also need to carefully consider how to set up a Cloud PC environment that will serve you well.

As discussed in the previous blog, part of those considerations should focus on how to properly create provisioning policies. In this second blog, we’ll continue looking at how best to manage your provisioning policies so that you end up with Cloud PCs that function just as you envision.

The Provisioning Process

In the first blog, I went over the importance of provisioning policies and how they are responsible for creating, configuring, and deploying Windows 365 Cloud PCs. I talked about how you’ll first have to sign in to the Microsoft Intune admin center and provide some general information, including the experience and license type you want.

Subsequently, I provided information on the use of Azure Network Connections (ANCs) and how to go about selecting an image for a Cloud PC. Having understood these steps, let’s now take a look at configurations.

Determine Your Configurations

Start by going over to the Configurations page and selecting a Language & Region under the Windows Settings. The selected language will install on Cloud PCs provisioned with the policy that you’re creating.

This next step is not mandatory. It involves selecting Apply device name template to create a naming template that is used for all Cloud PCs provisioned with this policy. Admins should note that although the naming template will update the NETBIOS name, it won’t affect the display name of the Cloud PC. Additionally, there are certain rules to follow when creating the template:

  • Enterprise and Frontline dedicated mode:
    • Names should be between 5 and 15 characters.
    • Names can contain letters, numbers, and hyphens.
    • No blank spaces or underscores can appear in the names.
    • Use the %USERNAME:X% macro to add the first X letters of the username. (This is optional)
    • Use the %RAND:Y% macro to add a random string of characters, where Y equals the number of characters to add. Y must be 5 or more. Names must contain a randomized string. (This is a requirement)
  • Frontline shared mode:
    • Names must have exactly 15 characters.
    • Names can contain letters, numbers, and hyphens.
    • No blank spaces or underscores can appear in the names.
    • Prefix should contain 7 characters or less.
    • Use the %RAND:Y% macro to add a random string of characters, where Y equals the number of characters to add. Y must be 8 or more. Names must contain a randomized string. (This is a requirement)
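
The naming rules above can be checked before a template is typed into the portal. The following validator is an added example, not code from Microsoft or from this blog; the function name, the sample templates, and the three assumptions marked in the comments are mine.

```python
import re

MACRO = re.compile(r"%(USERNAME|RAND):(\d+)%")
# Rules from the list above: mode -> (min length, max length, min Y for %RAND:Y%)
RULES = {"dedicated": (5, 15, 5), "shared": (15, 15, 8)}


def check_template(template, mode="dedicated"):
    """Return the rule violations for a name template (empty list = valid)."""
    min_len, max_len, min_rand = RULES[mode]
    problems = []
    macros = MACRO.findall(template)      # e.g. [("USERNAME", "4"), ("RAND", "5")]
    literal = MACRO.sub("", template)     # what is left once macros are removed

    # Letters, numbers and hyphens only; a malformed macro also lands here.
    if re.search(r"[^A-Za-z0-9-]", literal):
        problems.append("invalid character or malformed macro")

    rand_widths = [int(n) for kind, n in macros if kind == "RAND"]
    if not rand_widths:
        problems.append("missing required %RAND:Y% macro")
    elif min(rand_widths) < min_rand:
        problems.append(f"%RAND:Y% needs Y >= {min_rand}")

    if mode == "shared":
        # Assumption: the prefix is the literal text before the first macro.
        if len(template.split("%", 1)[0]) > 7:
            problems.append("prefix longer than 7 characters")
        # Assumption: only %RAND% applies, as the shared-mode list has no %USERNAME%.
        if any(kind == "USERNAME" for kind, _ in macros):
            problems.append("%USERNAME:X% not listed for shared mode")

    # Assumption: every macro expands to its full width.
    length = len(literal) + sum(int(n) for _, n in macros)
    if not min_len <= length <= max_len:
        problems.append(f"rendered length {length} outside {min_len}-{max_len}")
    return problems


if __name__ == "__main__":
    # Constructed sample templates.
    for mode, tpl in [("dedicated", "CPC-%USERNAME:4%-%RAND:5%"),
                      ("dedicated", "CPC_%RAND:4%"),
                      ("shared", "FLS-%RAND:11%"),
                      ("shared", "FRONTLINE-%RAND:8%")]:
        print(mode, tpl, check_template(tpl, mode) or "OK")
```
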

ADDITIONAL SERVICES

This next step is also optional. Head over to Additional services and select a service to install on Cloud PCs provisioned with this policy:

  • Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. The service works on both physical and virtual devices. Admins should note that the Windows Autopatch option isn’t available for Frontline in shared mode.
    • Those who already have Windows Autopatch configured to manage their Cloud PCs need to know that this option replaces the existing policy. Consequently, they should be aware that the replacement could potentially disrupt any dynamic distribution that is already configured in Autopatch.
    • When you select Windows Autopatch, the system assigns devices to a new ring as the last ring of the Autopatch group.
    • You can manually enable dynamic distribution for your Cloud PCs by changing the Autopatch Groups dynamic distribution list to include the Entra ID group to which your Cloud PCs are being added.
  • None. Manage and update Cloud PCs manually.
  • Although Autopatch is not available for Frontline devices in shared mode, it still remains possible for these devices to enroll in Autopatch and receive Windows update policies.
  • Windows Autopilot is a collection of technologies to set up and pre-configure new devices, getting them ready for productive use. It helps ensure that Intune applications and scripts are installed during initial enrollment and setup. And with all the features it has, the main selling point for this service is how it simplifies the Windows device lifecycle. It does so for both IT and end users, from initial deployment to end of life.
  • User Experience Sync is a cloud-native solution that delivers a seamless and consistent experience for users across Cloud PC and Cloud App sessions. It is a feature that is available for Windows 365 Frontline Cloud PCs in shared mode. If you choose to enable it, Windows 365 will store user-specific Windows and app experience data in central cloud storage and reconnect it whenever the user signs in to the Cloud PC in this provisioning policy.

By preserving Windows personalization, users will benefit from a consistent, productive experience every time they sign in to their Cloud PC or Cloud App. User storage limits depend on the Frontline license type and are pooled across all assigned users.

When everything’s done, click Next.

Scope Tags

If you want, Windows 365 gives you the option to create scope tags for your provisioning policy. Scope tags are particularly important for ensuring that admins’ access and visibility are tied to what they are expected to manage. Limiting access in this manner serves to enhance overall security for your organization.

Only admins assigned the Microsoft Entra Intune Administrator role can create, update, or delete scope tags. This means that admins with scope tags in their role assignments can’t update or delete the scope tag from the master list of scope tags. To create a scope tag:

  • Go to the Microsoft Intune Admin center and select Tenant administration > Roles > Scope (Tags) > Create.
    • On the Basics page, provide a Name and Description (optional). Choose Next.
    • Now you go to the Assignments page and select the groups containing the devices that you want to assign this scope tag. Click Next.
    • On the Review + create page, choose Create.

Creating Assignments

  • Navigate to the Assignments page, choose Select groups > choose the groups you want this policy assigned to > Select. Nested groups aren’t currently supported.
  • A Cloud PC size for each group in the policy will need to be selected for Windows 365 Frontline in dedicated mode.
    • Choose Select one > select a size under Available sizes > Select.
  • This step is optional. You can create an assignment to reserve licenses for the group members by following the steps given below:
    • Navigate to Assignment and type in an Assignment name.
    • Under Number of licenses, type in the number of licenses that you would like to reserve for the group. You can also see the number of unassigned licenses.
  • When it comes to Windows 365 Frontline in shared mode, you will need to:
    • Choose Select one > select a size under Available sizes > Select.
    • Now you need to enter a Friendly name > select a Cloud PC number > Next. This Friendly name will be visible in the end user’s Windows app.
  • Click Next.

Review and Create

Once you have completed all the steps that I have gone over and you’ve checked that everything is as it should be, you can now head over to the Review + create page and select Create. Those who use Microsoft Entra hybrid join as the join type should be prepared to wait for up to an hour for the policy creation process to complete.

Ultimately, how much time it takes will depend on when the Microsoft Entra Connect sync last happened. And then, following the creation and assignment of the provisioning policy, Windows 365 will automatically begin the process of provisioning Cloud PCs.

Making Changes to Provisioning Policies

In some instances, you may find yourself needing to make changes to your provisioning policies so that you can change assignments or key attributes, like image and network connection. To do so, you’ll need to:

  • Navigate to the Microsoft Intune Admin center and sign in. Then, select Devices > Windows 365 (under Provisioning) > Provisioning policies > select a policy.
  • Next, on the policy page, you can make changes to the General information, Image, and Assignments by selecting Edit next to each header. Admins should note that no modifications take effect for previously provisioned Cloud PCs. This includes edits to the network, image, region, or single sign-on configuration in a provisioning policy.

The changes that you are making to the provisioning policy will apply to newly provisioned or reprovisioned Cloud PCs. Therefore, if you want to change the image of your previously provisioned Cloud PCs to match the new image, then you will have to reprovision these Cloud PCs. And if you want the network, region, or single sign-on of previously provisioned Cloud PCs to adopt the new changes, you’ll need to apply the current configuration.

Name changing

Changing the name of the provisioning policy in the General information will result in the following modifications:

  • Every Cloud PC in the All Cloud PCs node shows the new policy name in the Provisioning policy column.
  • All new Cloud PCs resulting from the provisioning policy will have the new name registered as the device’s enrollmentProfileName in Microsoft Entra ID and Microsoft Intune. Note that the enrollmentProfileName property for Cloud PCs applies only during initial enrollment. Admins must remember to edit any dynamic device group rules that use the enrollmentProfileName property if they decide to change the name of a provisioning policy. Doing so allows the rules to continue to include the correct Cloud PCs. The updated rule takes this form:
    • Property = enrollmentProfileName
    • Operator = Equals
    • Value = <New name for provisioning policy>
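
After a rename, it helps to find every dynamic device group whose rule still points at the old policy name. The following check is an added example, not part of the original post or of any Microsoft tooling; the group names, rules, and policy names are constructed sample data, and the rules are assumed to use the Equals form written as device.enrollmentProfileName -eq "value".

```python
import re

# Matches the Equals form of the rule: device.enrollmentProfileName -eq "value"
PROFILE_EQ = re.compile(r'(device\.enrollmentProfileName\s+-eq\s+)"([^"]*)"')


def stale_groups(group_rules, policy_names):
    """Map group name -> profile names in its rule that match no current policy."""
    stale = {}
    for group, rule in group_rules.items():
        missing = [m.group(2) for m in PROFILE_EQ.finditer(rule)
                   if m.group(2) not in policy_names]
        if missing:
            stale[group] = missing
    return stale


def rename_in_rule(rule, old_name, new_name):
    """Return the rule with old_name replaced by new_name in -eq comparisons only."""
    def swap(m):
        return f'{m.group(1)}"{new_name}"' if m.group(2) == old_name else m.group(0)
    return PROFILE_EQ.sub(swap, rule)


# Constructed sample data: group names, rules and policy names are made up.
GROUP_RULES = {
    "CPC-Finance": '(device.enrollmentProfileName -eq "W365-Finance")',
    "CPC-Dev": '(device.enrollmentProfileName -eq "W365-Dev") and (device.accountEnabled -eq true)',
    "All-Windows": '(device.deviceOSType -eq "Windows")',
}
# "W365-Finance" has just been renamed to "W365-Finance-EU".
CURRENT_POLICIES = {"W365-Finance-EU", "W365-Dev"}

if __name__ == "__main__":
    for group, names in stale_groups(GROUP_RULES, CURRENT_POLICIES).items():
        print(group, "references", names)
        print("  updated rule:", rename_in_rule(GROUP_RULES[group], names[0], "W365-Finance-EU"))
```

Any group this reports will stop picking up newly provisioned Cloud PCs until its rule is edited.
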

The provisioning process proceeds automatically when new users with valid Cloud PC licenses are assigned to the provisioning policy. On the other hand, if users are removed from the provisioning policy assignment:

  • The grace period triggers for Enterprise Cloud PCs.
  • Frontline Cloud PCs in dedicated mode are immediately deprovisioned, but those in shared mode remain unaffected.

Applying the Current Configuration for Enterprise and Frontline in Dedicated Mode

Applying a configuration change to existing Cloud PCs is easy. Just modify an existing provisioning policy and save the changes. After that, go to the policy page and select Apply this configuration. With that done, you can now proceed to choose the configuration change to apply to existing Cloud PCs from the list provided, which includes region and single sign-on. Click Apply.

Applying the Current Configuration for Frontline in Shared Mode

Apply a configuration change to existing Cloud PCs by modifying an existing provisioning policy and saving the changes. After that, go to the policy page and select Reprovision. Once you’ve done that, you’ll need to decide on the percentage of Cloud PCs that you want to keep available for user connections. Then, select Continue.

Getting Started

After successfully completing the creation of a provisioning policy, the new Windows 365 policy will be deployed. A bit of patience is required because, as mentioned above, completing the policy creation process can take up to 60 minutes. Admins can keep an eye on the status of the policy deployment via the Intune portal.

When the process is complete, admins can then check if the provisioned Cloud PC is accessible. The verification happens using the Windows App or any web browser. And if the authentication succeeds, then the newly provisioned Cloud PC will appear as ready for use. End users can access their Cloud PCs according to the information in the table below.

| Windows 365 Edition | Windows App | windows.cloud.microsoft web client | Microsoft Remote Desktop | LG Web OS |
|---|---|---|---|---|
| Windows 365 Business | X | X | X | X |
| Windows 365 Enterprise | X | X | X | X |
| Windows 365 Frontline | X | X | | |
| Windows 365 Government | X | X | | |

Note: Microsoft Remote Desktop support will end in March 2026. Furthermore, the Remote Desktop Connection client (mstsc.exe) is not a supported connection method for Windows 365 users. So, even though you may successfully use it for troubleshooting, you should not be reliant on it for daily access. Instead, use a supported client, such as the Windows App or the Microsoft Remote Desktop app.

Access Options

WINDOWS APP

Windows App connects remotely to your Windows devices and apps from Azure Virtual Desktop, Windows 365 Cloud PCs, Microsoft Dev Box, Remote Desktop Services, and PCs, securely connecting you to Windows devices and apps. It can be used on any device and is thus the recommended application to connect to Windows 365 Cloud PCs.

Users connecting using a web browser on a desktop or laptop will be able to do so without needing to download and install any software. Not only that, but Windows App is available for Windows, macOS, iOS/iPadOS, Android, Chrome OS, web browsers, as well as the Meta Quest VR headset.

Windows 365 web site

Alternatively, users can access their Cloud PCs using the Windows 365 web site (windows.cloud.microsoft). However, for one to access their Cloud PC from this web site, they will need a device that runs a supported operating system such as Windows, macOS, ChromeOS, or Linux. Additionally, a modern browser like Microsoft Edge, Google Chrome, Safari, Mozilla Firefox (v55.0 and later), or LG webOS 23 will also be a requirement.

Home Page

After getting access to their Windows 365 home pages, users can see the Cloud PCs they have access to in the Your Cloud PCs section. On this page, users find 2 options for connecting to their Cloud PCs:

  • Open in browser – enables you to open your Cloud PC in the web client. This option is not available to mobile devices.
  • Open in Remote Desktop app – enables you to open your Cloud PC in Remote Desktop.

Conclusion

Adding Windows 365 Cloud PCs to your operations does not need to be an overly complicated process. Microsoft has designed Windows 365 with a vision of making it a platform that is easy to deploy, use, and maintain. But, as with any endeavor, careful planning can make all the difference. Hence, the reason behind this two-part blog. By going over all the steps involved in creating a provisioning policy, admins will have a much easier time setting up their Cloud PC environments.
