Organizations rely on countless products to keep their staff productive. These products come from different vendors, so it is extremely important to be able to verify the quality of each tool. When a lifecycle policy is available, as with the Windows 365 lifecycle, organizations can be confident that the products they are purchasing have been rigorously tested, are built securely, and will meet the necessary compliance and security regulations. With Windows 365, clients know that they are using a product that meets all of the above and can perform to very high standards.
Windows 365 Lifecycle Policies
Microsoft gives its customers products that come with industry-leading lifecycle policies. These ensure that when purchasing a product, you’ll be receiving something with consistent, transparent, and predictable guidelines for software support and servicing.
These policies are valid for all Microsoft customers regardless of where they are across the globe. However, it’s important to remember that how these policies are applied will depend on the regulatory requirements of each country. The application of these policies may also differ according to the industry sector.
The level of quality that customers get is a result of the development process. Microsoft puts high-quality methods into these Windows 365 lifecycle policies. In addition to the specialists at Microsoft, the process also involves customers, partners, and analysts to produce a policy that meets all expectations.
Because of this, customers can plan better and manage their support requirements effectively. Microsoft provides Fixed Lifecycle policies for products that have defined end-of-support dates at the time of release. Then, for products that will receive continuous support and servicing, there are Modern Lifecycle Policies.
Fixed Windows 365 Lifecycle Policy
This type of policy is aimed at most commercial and some consumer products. Customers can acquire these through retail purchase and/or volume licensing. It is a policy that offers:
- A defined support and servicing lifecycle timeline at the time of product launch.
- A minimum of five years of Mainstream Support which is the first phase of the product lifecycle.
- An additional period of Extended Support for some products.
Receiving this support may require you to deploy the latest Service Pack or update.
Modern Windows 365 Lifecycle Policy
This type of policy is designed for products that will be serviced and supported continuously. However, there are certain conditions that need to be met for products and services to remain in support. These requirements are as follows:
- It will be the customer’s responsibility to ensure that they stay current. This includes servicing and system requirements that are defined for a particular service or product.
- Customers also need to verify that they are licensed to use the service or product.
- Microsoft must currently offer support for that service or product.
Microsoft provides a modern lifecycle policy for Windows 365. This ensures Cloud PC users will have a great product that has continuous support.
The Cloud PC lifecycle
Microsoft has developed a setup whereby Windows 365 coordinates and manages the lifecycles of all Cloud PCs. Because Cloud PCs exist only in the cloud, managing their lifecycles is significantly easier than managing physical Windows devices. The lifecycle of a Cloud PC comprises five stages:
- Provision
- Configure
- Protect
- Monitor
- Deprovision
Provision
In keeping with the goal of making things simple, Windows 365 provides clients with an optimized experience for Cloud PC deployment. Microsoft has integrated the admin experience for setting up deployments into the MEM admin center.
The provisioning process will prove to be easier than one may imagine because it is an automated one. All you need to do is assign a Windows 365 license to a user. Then, add them to a group targeted with a provisioning policy, and the provisioning of the user’s Cloud PC will proceed automatically. The process will:
- create a Cloud PC virtual machine.
- set it up for the end-user.
- perform any other necessary tasks to ready the Cloud PC for use.
- send access information to the user.
A simplified admin experience
Microsoft has created a simplified admin experience that makes provisioning much more straightforward. Once you’ve provided a few configuration details, Cloud PCs will be automatically provisioned for all users who have a Windows 365 license and matching configuration details.
Because provisioning happens once per user and per license, a user and license pair can only have a single Cloud PC provisioned for them. The complete process follows the steps below:
- The process starts with the creation of a provisioning policy to manage access to the Cloud PCs. Provisioning policies are key to the entire process as they are responsible for building, configuring, and making Cloud PCs available to end users. Each policy requires you to provide details regarding the on-premises network connection, the image used to create each Cloud PC, and an Azure AD user group.
- Assignment of a Windows 365 license to users in the Azure AD user group begins the provisioning process. The provisioning of the Cloud PC is carried out automatically by Windows 365, which then sends the necessary access information to the user. The automation proceeds in 3 phases that are invisible to the administrator.
- The last part of the process involves the end-user receiving the necessary access information. This will allow them to sign in to the Windows Cloud PC from anywhere.
Configure
Cloud PCs need to be configured and secured in the same way as any other endpoint in your environment. Microsoft integrates configuration into the provisioning process, which makes it simpler. Every Windows 365 Cloud PC will be either:
- Azure AD joined or
- Hybrid Azure AD joined.
Azure AD joined devices can be deployed by any organization regardless of the size or sector of a business. Moreover, Azure AD join will work in hybrid environments. This gives you access to both cloud and on-premises apps and resources. These devices can be signed into using an organizational Azure AD account.
To enhance the security of corporate resources, access can be controlled depending on the Azure AD account as well as the Conditional Access policies that govern the device. You also get Mobile Device Management (MDM) tools, including Microsoft Intune and Microsoft Endpoint Configuration Manager, which admins can use to enhance security and establish greater control over Azure AD joined devices.
Great for hybrid organizations
Hybrid Azure AD joined devices are joined to your on-premises Active Directory and registered with Azure Active Directory. This scenario can be a good option for hybrid organizations that already have on-premises AD infrastructure. Hybrid Azure AD joined devices can be signed into with organizational accounts, using a password or Windows Hello for Business on Windows 10 and above. The key capabilities available include:
- Configuration Manager standalone or co-management with Microsoft Intune
- SSO to both cloud and on-premises resources
- Conditional Access through Domain join or through Intune if co-managed
- Self-service password reset and Windows Hello PIN reset on lock screen.
Once the Cloud PCs have been joined, they are enrolled into Microsoft Endpoint Manager. Because of this enrollment, every Cloud PC is instantly ready for Azure AD Conditional Access and for management through Microsoft Endpoint Manager, including co-management if necessary.
Microsoft Endpoint Manager also plays the vital role of applying compliance policies, which let you verify that your Cloud PCs are compliant. Understandably, when it comes to cloud computing, security is a major concern. Windows 365 addresses that through the optimized security baseline that is available for Cloud PCs. Leveraging this baseline is a good way to securely configure your Cloud PCs with minimal overhead.
However, in case you have concerns, the baseline is optional. Additionally, you’ll find that these baselines have been optimized to ensure that remote connectivity won’t be affected.
Protect
The integration between Windows 365 and the rest of Microsoft 365 is intended to ensure that you can secure your Cloud PCs to meet your standards. Just as physical devices are protected by Microsoft Defender for Endpoint, the Windows 365 environment gets the same security.
Because of Microsoft Endpoint Manager’s integration with Microsoft Defender for Endpoint, your Cloud PCs get protection as soon as provisioning occurs. As a result, Cloud PCs have security measures in place from the first-run experience.
Gallery images
It’s also worth noting that the provisioning of Cloud PCs uses a gallery image. To further strengthen your security, the image has the latest updates for Windows 10 through Windows Update for Business. The available features include the ability to use the endpoint detection and response capabilities of Microsoft Defender for Endpoint to determine device risk.
Similarly, you can also get protection for your Windows 365 environment through Azure AD Conditional Access. This protection comes with an option that would be of great interest to certain users whereby you can exclude Windows 365 itself from device compliance policies.
The advantage that this has is that it allows your end users access to their Cloud PCs from any supported device they choose. However, to ensure that those users are securely authenticated, Windows 365 offers multi-factor authentication, sign-in risk, and various other controls.
Updates are another key element in ensuring a highly secure Cloud PC environment. With that in mind, Windows 365 installs the latest quality updates using the Windows Update auto-scan capability.
It’s important to verify that your end users sign in to their newly provisioned Cloud PCs as soon as possible so that the necessary updates can install swiftly. Another thing you can do to strengthen security is to disable clipboard and drive redirection, which strengthens data loss prevention. By disabling these features, users won’t be able to:
- Copy or paste information from their Cloud PCs to other unmanaged locations.
- Save files to their personal devices from Cloud PCs.
Monitor
For Windows 365 to work effectively for its users, it’s extremely important to verify that the end user gets a virtual machine that can adequately meet their needs. To aid in this operation, Windows 365 integrates with the Endpoint analytics in Microsoft Productivity Score.
These analytics are important for providing you with insights that allow you to measure how your organization is working as well as the quality of the experience that you are delivering to your users.
Leveraging the data on offer can help you identify policies or hardware issues that are causing problems for end users such as long boot times or other disruptions. All of this generally stems from IT not having enough feedback or visibility into the end user experience.
So to resolve this, Endpoint analytics aim to improve user productivity while simultaneously reducing IT support costs thanks to the provision of insights into the user experience.
Additionally, Endpoint analytics gives you a measurement of the compute and memory load on your Cloud PCs. Following this, you can use Windows 365 to resize those Cloud PCs so that they can meet the needs of different users and their apps.
A seamless experience
Along with other device actions, the resize is available in Microsoft Endpoint Manager. And setting it up this way allows you to have a seamless experience between your Cloud PCs and other endpoints.
Another tool that you can use to enhance Cloud PC monitoring and remediation is Proactive Remediation. These remediations are script packages that can detect and fix common support issues on a user’s device before users even realize there’s a problem.
By using these remediations, you can vastly improve the end user experience as well as reduce the load on support staff. They are also very flexible so you can schedule them to run hourly, daily, etc. Not only that but you can create your own script packages to perfectly meet your requirements.
Alternatively, you can deploy one of the provided script packages, which should help you reduce support tickets. Ultimately, by using Proactive Remediation, you can extend the built-in Microsoft 365 optimizations that are provided by Windows 365. These optimizations include those for a heterogeneous IT environment.
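As an added example (not code from this article or from Microsoft), the script pair below ties the clipboard and drive redirection lockdown described under Protect to the detect-and-fix model of Proactive Remediation described here. It assumes the Cloud PC honours the standard Remote Desktop Services policy values fDisableClip and fDisableCdm under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, and that the package runs in the default system context. The two parts are uploaded to the Proactive Remediation package as separate detection and remediation scripts; they are shown together here only for readability.

```powershell
# ==== Detect.ps1 (Proactive Remediation detection script) ====
# Convention: exit 0 = compliant (nothing to do), exit 1 = non-compliant (run the remediation script).
# Assumption: the Cloud PC honours the standard RDS policy values below (added example, not vendor code).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Required  = @{
    fDisableClip = 1   # "Do not allow Clipboard redirection"
    fDisableCdm  = 1   # "Do not allow drive redirection"
}

$NonCompliant = @()
foreach ($name in $Required.Keys) {
    # A missing key or value reads as $null, which counts as non-compliant.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $Required[$name]) {
        $NonCompliant += "$name=$current"
    }
}

if ($NonCompliant.Count -gt 0) {
    # The output string is what shows up in the Proactive Remediation report for this device.
    Write-Output "Redirection not locked down: $($NonCompliant -join ', ')"
    exit 1
}
Write-Output 'Clipboard and drive redirection are disabled'
exit 0

# ==== Remediate.ps1 (Proactive Remediation remediation script) ====
# Runs only on devices where the detection script exited 1.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path -Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
foreach ($name in 'fDisableClip', 'fDisableCdm') {
    # DWord 1 = redirection disabled; -Force overwrites a wrong existing value.
    New-ItemProperty -Path $PolicyKey -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
}
Write-Output 'Clipboard and drive redirection disabled; applies to new remote sessions'
exit 0
```

The registry values take effect for new Remote Desktop sessions, not for sessions already connected. In practice the primary control should be an Intune settings catalog or security baseline policy that sets these values; the remediation package is then a drift detector that reports and repairs any Cloud PC where the policy has not applied or has been tampered with, and its report gives you the monitoring evidence the Monitor stage asks for.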
Deprovision
Now and again a situation may arise that may require you to revoke a user’s Cloud PC access. And Windows 365 provides you with a couple of remedies. You can use these to remove anyone’s access.
The first method involves removing the user’s license or their provisioning policy assignment, after which the Cloud PC transitions into a seven-day grace period. The benefit of this option is that it allows for errors and reinstatement in a way that does not affect the user.
Alternatively, if you need to block access immediately, you can disable the user account in the on-premises Active Directory. You can additionally revoke the user’s refresh tokens in Microsoft Azure Active Directory.
At the expiration of the seven-day grace period, Windows 365 deprovisions the Cloud PC and its storage completely. The encryption of Windows 365 Cloud PCs using server-side encryption in Azure Disk Storage (platform-managed keys) helps to ensure that the devices deprovision securely.
However, if you have determined that removing a user’s license was the right course of action and not a mistake, then you don’t need to wait out the seven days.
Windows 365 allows you to proceed by clicking on the In Grace Period state and then selecting End Grace Period. This transitions the Cloud PC to the Deprovisioning state while the Cloud PC is deleted.
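The immediate-block path described above, as an added example that is not part of the original article and not Microsoft’s own tooling: a function that disables the on-premises Active Directory account and revokes the user’s Azure AD refresh tokens, then returns the resulting state for logging. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, the Microsoft.Graph.Users.Actions module with a Connect-MgGraph session granted User.ReadWrite.All, and constructed identities in the usage comment.

```powershell
# Added example: immediate access block for a Cloud PC user (not code from the article or from Microsoft).
# Assumptions: ActiveDirectory module (RSAT) is available, and Connect-MgGraph has already been run
# with a scope that permits Revoke-MgUserSignInSession (User.ReadWrite.All).
function Block-CloudPcUserAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,     # on-premises AD identity
        [Parameter(Mandatory)][string]$UserPrincipalName   # Azure AD identity
    )

    # 1. Disable the on-premises account. Hybrid Azure AD joined Cloud PCs authenticate
    #    against on-premises AD, so this stops new sign-ins at the source.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable on-premises AD account')) {
        Disable-ADAccount -Identity $SamAccountName -ErrorAction Stop
    }

    # 2. Revoke refresh tokens so existing sessions cannot silently renew access tokens
    #    once the current access token expires.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke Azure AD refresh tokens')) {
        Revoke-MgUserSignInSession -UserId $UserPrincipalName -ErrorAction Stop | Out-Null
    }

    # 3. Read back the on-premises state and return a record the caller can log.
    $adUser = Get-ADUser -Identity $SamAccountName
    [pscustomobject]@{
        User            = $UserPrincipalName
        OnPremDisabled  = -not $adUser.Enabled
        TokensRevokedAt = (Get-Date).ToUniversalTime()
    }
}

# Usage with constructed identities (remove -WhatIf to apply the change):
# Import-Module ActiveDirectory
# Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Block-CloudPcUserAccess -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.example' -WhatIf
```

Two caveats a practitioner should keep in mind: revoking refresh tokens does not invalidate access tokens that have already been issued, so a connected session can persist until that token expires, and this function does not touch the license, so the seven-day grace period and eventual deprovisioning still depend on removing the license or provisioning policy assignment as described above.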
Cloud PC operating systems
As I’ve already gone over above, Windows 365 lifecycle policies govern operating systems’ servicing and support. And this also includes end of support. When we talk of lifecycle we are referring to the period during which Microsoft provides support for the operating system as well as releases regular security updates.
Also, we find that not all products share the same lifecycle timeline. The lifecycle timeline of each product will be determined by its respective lifecycle policy. And this will also be consistent by product family for new and future versions. With the older products, however, lifecycle timelines may differ so there will be a need to verify the necessary information.
Windows 365 Cloud PCs run on the Windows OS and are therefore governed by the Microsoft 365 Lifecycle Policy. When the operating system on a Cloud PC eventually reaches the end of support, it will no longer receive security updates, non-security updates, and assisted support.
Image status
Windows 365 keeps all necessary end-of-support information up to date in Microsoft Endpoint Manager. The information is located on the Provisioning policies page under Image status. Below is information you can use to verify whether the OS on the image within each provisioning policy is supported or not.
| Image status | Gallery image | Custom image |
|---|---|---|
| Supported | This lets you know that the Cloud PCs that have been created using this policy have a Windows operating system that is supported by Microsoft and can thus receive updates. | Same as gallery image. |
| Warning | In this scenario, the OS would have expired within the previous six months. So the Cloud PCs that were created using this policy have an OS that is no longer supported. Because of this, those Cloud PCs are extremely vulnerable and don’t benefit from security updates. | Same as gallery image. |
| Unsupported | The Cloud PCs created using this policy would be running a Windows operating system that hasn’t been supported for over six months. So this is a policy that can no longer be assigned to any users. Consequently, you will need to resolve the issue by updating the OS image in the provisioning policy to an image with a supported OS. All Cloud PCs that were created using this policy are vulnerable and no longer receive security updates. Furthermore, they cannot be provisioned or reprovisioned. If you were to attempt to provision a Cloud PC using this policy you would not be successful and face a Windows Image out of Support message. | Not applicable. |
You can also find the status values for custom images under the OS support status column on the Device images page. Once we get to the end of support date, you’ll no longer be able to select gallery images that use the expired OS for newly created provisioning policies. In addition, those images also won’t be available for use when editing existing provisioning policies.
Wrap Up on Windows 365 Lifecycle
As with all Microsoft products and services, Windows 365 is governed by a Lifecycle policy enabling the delivery of industry-leading service to clients. In a world of rapidly increasing cybercrime, organizations are looking for products and services that get excellent support and regular security updates.
And as more and more organizations are migrating to the cloud and adopting Windows 365, the modern lifecycle policy that governs Windows 365 takes on even greater importance. It gives you a clear picture of what to expect from the provisioning of your Cloud PCs all the way to the deprovisioning protocols.
Leveraging the support that Microsoft provides will help your organization run a more streamlined IT environment. Coupled with the ease with which you can deploy Cloud PCs to your users, this clearly highlights the principle of simplicity for which Windows 365 is best known. So, for any organization that is considering a cloud computing environment, Windows 365 is a great option to consider.