The idea of hybrid work is something that has captivated the minds of people for years. And it’s not surprising when you consider the long list of advantages that individuals and businesses alike stand to gain. By using Cloud PCs, businesses can have their employees working from anywhere and using just about any device.
In this guide, I will be focusing on Windows 365 Cloud PC and giving you the step-by-step process for Cloud PC provisioning and deployment.
Introduced by Microsoft last year, Windows 365 gives you Windows running on the cloud. And from the overwhelming response to the service that we witnessed, it’s quite clear that there is a lot of interest in Cloud PC technology.
Recap on Windows 365
Windows 365 is essentially a service that will run your desktop on the cloud. In the words of Windows 365 General Manager Wangui McKelvey, “Windows 365 takes the operating system to the Microsoft Cloud, securely streaming the full Windows experience — including all your apps, data, and settings — to your personal or corporate devices. This approach creates a fully new personal computing category, specifically for the hybrid world: the Cloud PC.”
And as Microsoft has stated, you can stream apps, tools, data, and settings from the cloud across any device. This means that you can use Apple devices
(Mac, iPads, etc), Android devices, and Linux PCs among others to access your desktop on the cloud. This gives you the convenience of being able to pick up your work right where you left off because the Windows experience does not differ. Regardless of where you may be or the device that you are using.
Planning your deployment with Cloud PC
Deploying Windows 365 Cloud PC is a significant undertaking for any organization. As such, it needs meticulous planning to carry out.
There are several objectives that will need to be considered such as determining what end users will need to access on their Cloud PC. For instance, if your end users are going to use Windows 365 to access specialized software, then you’ll need to look into installing all lines of business apps.
Another objective would be considering the geographical locations of your end-users. Because Windows 365 can provide Cloud PCs in multiple Azure locations, it makes it possible to provide the Cloud PCs in a location with the lowest latency to your end users’ physical location.
Cloud PC management
The next objective to consider will be the management of Cloud PCs. In this instance, you’ll need to determine who will be managing the Cloud PCs as well as which management groups will have which permissions.
With the above done, you now need to look at how end users will connect to a Cloud PC. This means you need to know whether they’ll be using a browser or a Remote Desktop Client. And then, as far as licensing goes, you need to assess all use cases and evaluate workloads to determine the specific licenses that will be needed.
Cloud PC next steps
For the next step, you need to do a complete review of your endpoint management and infrastructure. This will enable you to determine whether you are going to keep your existing management plan for devices or if you need to come up with something different for the Cloud PC. So you need to look at Cloud PC management, application of policies (GPO or Intune), and the updating policy for all devices.
With all this considered, it becomes time to plan how and when users will receive their Cloud PCs. Here you can start by creating several different rollout phases based on your environment. Pilot and/or test groups are a great way to start with early stages involving willing participants who will provide feedback.
At the end of each phase, you can use the feedback provided to determine how to map the way forward for the rest of the organization. Also, it’s important to have clearly defined goals and success metrics if you want to stay on top of things and keep your rollout on track.
In the midst of all this planning, however, it’s key to have clear communication with all users. People need to understand what exactly the goals are and why the organization has chosen the Windows 365 Cloud PC.
Additional considerations with Cloud PC
Having a smooth rollout requires people to be fully informed of all the changes and potential disruptions that they will need to prepare for. You need to determine what information users need and this includes information about the Cloud PC and why the organization wants it.
During the pilot and subsequent onboarding phases, you should continue to provide additional information so that users understand the process and its importance. Just as important as the information is how you’ll communicate with users. You could have meetings or leverage platforms like Microsoft Teams or email.
Another key area to consider during the planning phase is your IT support and help desk staff. These individuals play a significant role in ensuring a smooth adoption of Cloud PC. They can help educate your end-users and show how to connect to and use the Cloud PC.
Because of this, IT support and help desk staff need adequate training to be able to provide the required support to end-users and resolve any issues that may arise. And they also need to know how and at which level of end-users they will be supporting. This training should touch on all the various scenarios that Windows 365 will be used for and should also consider training on all supported Windows 365 platforms.
Overview of provisioning
When we talk of provisioning, we are referring to the process that is going to create a Cloud PC virtual machine and then set it up for the user. It’s also responsible for the completion of other tasks that prepare it for use and the sending of access information to the user. The process starts with admins providing configuration details to set up the process.
After which, users with a Windows 365 license and matching the configuration details will automatically have a Cloud PC provisioned for them. Because provisioning works on a one-time per user and per-license basis, each user and license pair can only have one Cloud PC provisioned for them. The provisioning process is going to proceed as follows:
- Starts with the creation of a provisioning policy to manage access to the Cloud PCs. Provisioning policies are key to the entire process as they are responsible for building, configuring, and availing Cloud PCs to end-users. Each policy will require you to provide details regarding the on-premises network connection, the image used to create each Cloud PC, and an Azure AD user group.
- Assignment of a Windows 365 license to users in the Azure AD user will begin the provisioning process. And the provisioning of the Cloud PC will be carried out automatically by Windows 365 after which it will then send the necessary access information to the user. The automation is going to proceed in 3 phases that will be invisible to the administrator.
- The last part of the process involves the end-user receiving the necessary access information that will allow them to sign in to the Windows Cloud PC from anywhere.
Provisioning policy objects
Provisioning policies are essential objects in the MEM admin console that carry the required rules and settings that enable Windows 365 to set up and configure Cloud PCs for your users. Admins will have the responsibility of providing the required information when creating provisioning policies. This includes:
On-premises network connection – the OPNC provides the platform that enables the policy to connect to your on-premises resources. It’s responsible for identifying:
- The relevant Azure subscription for your Cloud PC.
- Which domain and Organizational Unit to join.
- The AD credentials that should be used.
Image – all Cloud PCs provisioned with a particular policy will carry a Windows image that is used as the reference image. This image can either be one that you select from the gallery or a custom image that you provide yourself.
Assignment – the role of the assignment is the identification of one or more Azure AD user groups. All licensed users in the policy’s Azure AD users group will then have Windows 365 automatically provision Cloud PCs for them. Also, users who may be added at a later date will get Cloud PCs as well.
The above information is absolutely integral to the provisioning process because without it the Cloud PCs cannot be provisioned. Once you’ve seen to the creation of the provisioning policies, Windows 365 takes over the provisioning process thus automatically providing users with Cloud PCs.
Modifying provisioning policies
Once provisioning of the Cloud PC is complete, there will be no possibility of a re-occur unless you perform a reprovision. Any alterations to the provisioning policy won’t trigger a reprovision and these alterations also won’t be applied to already provisioned Cloud PCs.
So any modifications that you make to a provisioning policy will only apply to subsequently provision Cloud PCs or those that are reprovisioned. Furthermore, changing the name of the provisioning policy will not update the Cloud PC name under All Cloud PCs. And it’s also not going to update the enrollmentProfileName in Azure AD
Deleting a provisioning policy
Only provisional policies that are not assigned to any Azure AD groups can be deleted. Removing the targeting of a provisioning policy that was used for successful Cloud PC provisioning will put the Cloud PCs into a grace period. And those Cloud PCs will face automatic deletion once this grace period has expired.
Provisioning policy conflict resolution
Since the assignment of provisioning policies is made to user groups the risk of overlapping groups/users does exist. In the instance where a user may have more than one provisioning policy assigned, the provisioning process will only consider the first assigned policy and ignore the rest. And in the event of reprovisioning, the policy used will be the one that has been modified most recently (if changes have been made to one of the provisioning policies).
If provisioning of a Cloud PC fails, the process automatically retries twice. And if it still fails, the process will stop and the affected Cloud PC is marked as Failed. There’ll also be an error message displayed. You’ll then need to figure out why the provisioning of the Cloud PC has failed. Once you get to the root cause, you can manually restart the provisioning process by clicking Retry.
Reprovisioning of Cloud PCs is something that admins can perform remotely. It comes in useful when:
- You need to test various Cloud PC configurations.
- There are problems with a provisioned Cloud PC.
- A user requires a new Cloud PC.
You can also leverage the reprovisioning action for Cloud PCs that are in a Failed provisioning state in the Windows 365 provisioning node. Basically, you can look at reprovisioning like resetting a physical device. Since this action deletes the Cloud PC and creates a new one, all data, apps, etc, will also be deleted. The reprovisioning will use the configurations of the provisioning policy used by that user’s Azure AD group.
Users with multiple Windows 365 licenses
Users with multiple Windows 365 licenses can have more than one Cloud PC. In this scenario, each license can have a Cloud PC with the appropriate specifications provisioned. However, it’s worth noting that you cannot have different provisioning policies for different user licenses. The Cloud PCs for these users will be provisioned using the same provisioning policy.
Clean up with Cloud PC
In the event of a provisioning failure or deletion of a Cloud PC after the grace period, Windows 365 will delete all objects that were created during provisioning. This will be done about 3 hours after the failure and will include Intune objects, Azure AD device objects, and Azure vNics.
Because other objects are relying on the network security groups the latter won’t be deleted. Neither will on-prem Azure AD computer accounts that were joined to the domain during provisioning. This is because Windows 365 does not have the necessary permissions and therefore can only disable the redundant computer objects.
Being a cloud-based service means that you need to have internet access to use Windows 365 services. As such, there are certain networking requirements that will support the necessary connections. These requirements are client-specific because they are based on your workload. Below are some of those requirements:
General network requirements
Azure virtual network – having a virtual network in your Azure subscription is a necessity. And it should be in the same region as where the Windows 365 desktops are created.
You’ll need to define your AD DS DNS servers as the DNS servers for the virtual network so that the virtual network can resolve DNS entries for your AD DS environment.
The Azure vNet needs access to an enterprise domain controller (on-premises or Azure).
There should also be a subnet within the vNet and IP address space must be available.
Network bandwidth is based on Azure’s network guidelines.
Allow network connectivity
Your Azure network configuration will need to allow traffic to the following service URLs and ports:
Organizations’ Cloud PCs should be able to join on-prem Active Directory because this is a Hybrid Azure AD Join requirement. Cloud PCs should be able to resolve DNS records for your on-prem AD environment. So you’re going to need to configure your Azure vNet where the Cloud PCs are provisioned as follows:
1) Verify that your Azure vNet has network connectivity to DNS servers that can resolve your Active Directory domain.
2) Navigate to Azure vNet’s Settings, select DNS Servers, and then choose Custom.
3) Type in the IP address of DNS servers that environment that can resolve your AD DS domain.
As you know by now, Windows 365 uses Azure network infrastructure. It follows therefore that you’ll need an Azure subscription to select a virtual network while deploying Windows 365 Enterprise. Costs incurred for using a Cloud PC are as follows:
- Network traffic into a Cloud PC is free.
- Any outbound traffic will incur charges against the Azure subscription for the virtual network.
- Office data such as email incurs egress charges if the Cloud PC and a user’s data reside in different regions.
- For RDP networking traffic you should always expect egress charges.
Choosing a Cloud PC option
After making the decision to sign up for the Cloud PC, you now need to choose what option is best suitable for your business. Microsoft offers clients two license types to cater to different business needs.
However, for both license types, the price will depend on the size of the Cloud PC. There are some significant differences between the business and enterprise licenses that are worth knowing before deciding. These include:
1) Business is designed for small to medium enterprises with a maximum of 300 users whereas Enterprise is for much larger businesses looking to deploy Cloud PCs throughout their entire organizations and with an unlimited number of users.
2) For Business, the desktop will be attached to a virtual network that Microsoft manages and has the added benefit of clients not being charged for network egress fees. When it comes to Enterprise, the desktops are attached to the customers existing Azure virtual network. And clients will also have to pay standard network egress fees.
3) Enterprise clients will get both standard and custom images but Business clients will get only standard images.
4) Business clients will have to go through a process of manual configuration and app installation. Enterprise clients will get automatic configuration and app installations because of the advantage of full integration with Microsoft Endpoint Manager/Microsoft Intune.
5) For the Enterprise license, users will also need licenses for Windows 10 Enterprise or Windows 11 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1. Business clients won’t require any additional licenses.
Having looked at the various differences, it’s clear to see that for smaller businesses looking to buy, deploy, and manage Cloud PCs, the Business license is the way to go. And it has the following options:
Basic – at a cost of $31/month and with support for up to 300 users, this option allows you to run light productivity tools and web browsers. Clients will get 2vCPU, 4GB RAM, and 128 GB Storage.
Standard – this option will cost $41/month and also supports up to 300 users. Clients will get 2vCPU, 8GB, and 128 GB of storage allowing you to run a full range of productivity tools and line-of-business apps.
Premium – the last option costs $66/month and gives you access to 4vCPU, 16 GB of RAM, and 128 GB of storage. With this, you get support for up to 300 users and can run high-performance workloads and heavier data processing.
For larger businesses looking to manage their Cloud PCs with Microsoft Endpoint Manager and take advantage of integrations with other Microsoft services, Windows 365 Enterprise is the choice for you. The options on offer are as follows:
Basic – at a cost of $31/month and with support for unlimited users, this option allows you to run light productivity tools and web browsers. Clients will get 2vCPU, 4GB RAM, and 128 GB Storage.
Standard – this option will cost $41/month and also supports an unlimited number of users. Clients will get 2vCPU, 8GB, and 128 GB of storage allowing you to run a full range of productivity tools and line-of-business apps.
Premium – the last option costs $66/month and gives you access to 4vCPU, 16 GB of RAM, and 128 GB of storage. With this, you get support for an unlimited number of users and can run high-performance workloads and heavier data processing.
Image source: Microsoft
Assigning licenses in Cloud PC
Before users can start using their Cloud PCs, you will need to first assign licenses to them. The necessary licenses are available for purchase from the Microsoft 365 store and you can get there by going through the Microsoft 365 Admin Center: https://admin.microsoft365.com.
Once you have purchased all the appropriate licenses, you can begin the task of assigning licenses to all your users. To do this you first need to login to the Azure Active Directory admin center.
And for license assignment to a single user, you use the Microsoft 365 Portal. Once in there go to Users > Active Users and select the user that you want to assign with a license. Then, go to the tab “Licenses and apps” and select your Cloud PC license. Apply the changes while clicking on Save changes below.
Assigning group-based licensing is slightly different. For this, you go to the Azure Portal and then head over to your Azure Active Directory. If you look to your left-hand side you’ll see Licenses. Go there and select All Products.
Next, you select the available Cloud PC license and then click Assign. So to enable group licensing, go to the left-hand side, and select Licensed Groups. Yet again you’ll need to click on Assign and select the group that you want to automatically license for the Windows 365 Cloud PC feature.
Creating an on-premises connection
Another requirement that organizations will have is the need to have an on-premises connection. An on-premises network connection (OPNC) is an object in the Microsoft Endpoint Manager admin center that provides Cloud PC provisioning profiles with the required information to connect to on-premises resources.
Before getting started with Cloud PC, you’ll need the following:
- AD DNS domain name
- Organizational unit
- Configure Azure AD Connect
- AD username UPN
- AD join password
So first you need to find your domain name which is simple enough with access to a domain controller. Once you know your domain name then you can proceed to validate the User Principal Name Suffix (UPN Suffix). Checking that your UPN Suffix is routable is extremely important to avoid problems later on.
With that done, you need to create an Organizational Unit that will allow you to properly manage your CloudPCs and dedicated GPOs. To perform this task, go to AD Users and Computers mmc and then head over to where you want to set your new Organizational Unit. Next, you can then either right-click an existing Organizational Unit or click where you want to create a new one.
Next, you need to ensure that Azure AD Connect is properly configured to get users synchronized with Azure AD. This you will do by opening Azure AD Connect and then selecting Configure device options.
Finally, you need to fill in the AD username UPN and the AD domain password. Then click Next. On the page, that then appears click Review+create. It should take no more than a few minutes to create the on-premises network connection. And if you have configured everything properly, you’ll see a “checks successful” status.
Creating a provisioning policy
The next step in this process requires you to create a Provisioning Policy so that you can provision the Cloud PC with an image of choice and is based on Azure AD security groups. Provisioning policies hold key provisioning rules and settings allowing the Windows 365 service to set up and configure the right Cloud PCs for your users. To create a provisioning policy, follow the steps below:
1. Sign in to the MEM admin center and select Devices > Windows 365 (under Provisioning) > Provisioning policies > Create policy.
2. On the General page, enter a Name and Description (optional) for the new policy.
3. For OPNC select the connection to use for this policy > Next.
4. On the image page, you need to select one of the following options for the image type:
- Gallery Image: Choose Select > select an image from the gallery > Select. Here you’ll get default images for your use.
- Custom image: Choose Select > select an image from the list > Select. This shows you the list of images that you uploaded using the Add device images workflow.55
5. Select Next.
6. On the Assignments page, choose Select groups > choose the groups you want this policy assigned to > Select > Next.
7. On the Review + create page, select Create. It can take up to 60 minutes for the policy creation process to complete, depending on when the Azure AD connect sync last happened.
With the information provided through the on-premises network connections and the creation of provisioning policies, Windows 365 can now provision Cloud PCs for licensed users. Performing the provisioning process will involve Windows 365 automatically completing the following stages:
- Core provisioning – this process does all the necessary tasks required to stand up a VM until a user can successfully sign in.
- Post-provisioning configuration – modifications can be made to the configuration for the purpose of optimizing the Cloud PC end-user experience.
- Assignment – a user is assigned to the Cloud PC and can now sign in.
After everything has been set up, users will then need to know how they can connect to the Cloud PC. We need to clarify what clients can be used as well as what options the end-users will have. Also, we need to know how administrative credentials can be provided to the end-user. Microsoft has provided two ways for users to connect to the Cloud PC:
I. Web browser – the first method that users have for accessing the Cloud PC is via a web browser. All you have to do is simply navigate to windows365.microsoft.com. Once there you can log in with the user credentials that have a desktop provisioned and the portal will show you an overview of the desktops available to you. However, to access the Cloud PC using this website, users devices need to meet the following requirements:
- Supported operating systems: Windows, macOS, ChromeOS, Linux.
- A modern browser like Microsoft Edge, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later).
When using windows365.microsoft.com, end users can carry out various tasks on their Cloud PCs by selecting the gear icon on a Cloud PC card.
- Rename: doing this will change the name of the Cloud PC that the user sees on the website. But, performing this action doesn’t change any name in Microsoft Endpoint Manager, Azure Active Directory, on the device, or in the Remote Desktop Apps.
- Restart: this will restart the Cloud PC.
- Troubleshoot: whenever a user is encountering challenges with connecting to the Cloud PC, this will help you to troubleshoot and try to resolve those challenges. A few checks will be run including verifying that all the files and agents necessary for connectivity have been properly installed. There will also be a check for the availability of Azure resources.
II. Remote desktop – the second method that Microsoft offers clients for connecting to the Cloud PC is by using the Microsoft Remote Desktop app.
This is designed to enable users to access and control a remote PC, including a Cloud PC. So for those who have been using Azure Virtual Desktop, this is an app they will already be familiar with. Setting up the Remote Desktop is a relatively simple process that requires you to follow a few steps:
- First, you’ll have to download the Remote Desktop app. You can find it on the Download App page on www.microsoft.com/windows-365?rtc=1.
- Next, you select Subscribe.
- The next step will require you to enter your Azure Active Directory credentials.
- You will then see the Cloud PC appear on a list. Simply double-click it to launch.
Managing Cloud PCs
Next, let’s discuss just how you’ll be managing your Cloud PCs. For the management of your Cloud PCs, you’ll be using Microsoft Intune. The latter is a 100% cloud-based mobile device management and mobile application management platform for your apps and devices. And this also includes your Cloud PCs. Signing in to Intune requires you to navigate to the Microsoft Endpoint Manager admin center.
To start, you’ll want to go over to the landing page for managing your Cloud PCs which is the Overview tab. To access it, you need to sign in to the Microsoft Endpoint Manager admin center > Devices > Windows 365 (under Provisioning).
This section is going to provide you with some information about how your Cloud PCs are performing. You’re going to see:
- Provisioning status: this summarizes your organization’s Cloud PC status.
- Connection health: this provides a summary of the health of your organization’s on-premises network connection.
All Cloud PCs page
On this page, you’re going to see a summary and list view with details regarding the status information for each of your organization’s Cloud PCs. The list view automatically refreshes every 5 minutes and by using it you can search filter, and sort. Users with multiple Windows 365 SKUs assigned to them will get multiple Cloud PCs and this means that in the All Cloud PCs list view there’ll be multiple rows for a single user.
Name – Name of the Cloud PC.
Device name – The Windows computer name.
Image – this is the image that was used during provisioning and so may not reflect the current Cloud PC version.
PC type – the Windows 365 SKU assigned to the user.
Status – this reflects the current provisioning status of the Cloud PC and possibilities include:
- Provisioned: shows when provisioning was successful.
- Provisioning: the provisioning is still in progress.
- Provisioned with warnings: shows when a non-critical step failed in the provisioning process but the user still has access.
- Not provisioned: this happens when a user has been assigned a Windows 365 license but doesn’t have a provisioning policy assigned to them.
- Deprovisioning: appears when the 7 day grace period has ended and the Cloud PC is undergoing deprovisioning.
- Failed: shows when the provisioning process has failed.
- In grace period: indicates when a license/assignment change occurs for a user with a current Cloud PC.
- Pending: it means that there are currently no available licenses in your tenant to process the provisioning request.
User – indicates the user to whom the Cloud PC is assigned.
Date modified – shows a timestamp reflecting the last status change of the Cloud PC.
Like any other managed device, the option exists to remotely manage Cloud PCs using Intune. You’ll find that there are several remote management actions that Cloud PCs will support and they include:
- Quick scan
- Full scan
- Update Windows Defender
*Reprovisioning and resizing are both remote actions that are unique to Cloud PC devices.
Conclusion About Cloud PC
Microsoft’s personalized desktop solution brings a lot of advantages to the way enterprises operate. As technology continues to evolve in leaps and bounds, so too are the devices at our disposal. This has brought us to a point where many people in their various organizations are using many different devices to perform work-related tasks.
And businesses realize that bring-your-own-device policies will be integral moving forward. This is why platforms like Windows 365’s Cloud PC are potential game-changers. Giving users access to their desktops from anywhere and using almost any device enables businesses to operate at a completely higher level.
Furthermore, the last couple of years have shown just how important the need is for workers to be able to work from anywhere. This has helped to keep a lot of companies operational. Not only that but leveraging cloud computing helps the organization to lower its overall hardware expenses.
The Cloud PC also allows organizations to stay within their budgets by selecting the options that are best suited to their business. And if the need to scale arises then that can easily be achieved. Windows 365 Cloud PC really does have the potential to do great things for any business. It’s certainly worth a try.
Pingback: Weekly Newsletter – 15th to 21st January 2022 - Windows 365 Community
Pingback: Weekly Newsletter – 22nd to 28th January 2022 - Windows 365 Community