Windows 365 Deployment: Adoption Lifecycle and End User Experience

With your Cloud PCs provisioned and deployed to your users you can now kick your feet back and enjoy the simplistic cloud deployment, right? Unfortunately, not quite. While it is true that Windows 365, being a cloud deployment, will greatly reduce the necessary administration tasks compared to Azure Virtual Desktop or physical Windows PCs, it is not without its needs. It is still necessary to understand the lifecycle of a Cloud PC from start to finish as well as how users intend to access the solution. This lifecycle generally begins after you have completed the initial setup tasks.This lifecycle generally begins after you have completed the initial setup tasks described in the previous article. 

Microsoft defines five stages for a Cloud PC Administrative lifecycle: 

Provision Phase

Provisioning is the automated process of creating a Cloud PC for a user and fully configuring it to the point that it is ready for user access.  For Business users, this process happens automatically the moment a license is assigned. For Enterprise users, the process was described in the previous article, requiring Microsoft Endpoint Manager and Azure VNET configurations to assign the require policies and locations to provision a Cloud PC. 

As with any solution, errors and failures are bound to happen, especially with an automated provisioning process with minimal controls.  Microsoft has documented the most common provisioning errors to assist with any provisioning issues including join failures, networking issues, or other OS and user related errors.  If a provisioning failure occurs, the Windows 365 service attempts to automatically clean up any object created during the provisioning attempt including Intune\Microsoft Entra ID (formerly Azure AD) Objects and Azure vNICs.  A failed provisioning process retries two times, for a total of three tries, before a Cloud PC gets put into a Failed state. Administrators can always attempt to manually retry or re-provision the Cloud PC, which initiates a reset that deletes and recreates a new Cloud PC.

For Windows 365 Business only, an account called CloudPCBPRT is automatically created in your Azure Active Directory when a Windows 365 Business license is procured. Do not delete this account. This account is used during the provisioning of Business Cloud PCs and, if deleted, would cause the provisioning process to fail. 

Configure Phase

Once provisioned, Cloud PCs should be treated just like any other PC in your environment. They need to be equally configured and secured.  Enterprise Cloud PCs are automatically domain-joined, configured as Hybrid Microsoft Entra ID (formerly Azure AD), and enrolled into Intune. What this means is that they are instantly capable of having any Microsoft Endpoint manager configuration profiles and Applications (with protection policies) deployed the moment the Cloud PC has completed provisioning and at or before first logon. 

 

To help with Cloud PC configurations, Microsoft Entra ID (formerly Azure AD) Dynamic Device Groups can be used for Intune policy assignments. Attributes available for Windows 365 include: 

 

  • Property = “deviceModel” 
  • Value = “Cloud PC” 
  • Value = “2vCPU/4GB” (or other Cloud PC Size) 
  • Property = “enrollmentProfileName” 
  • Value = “ProvisioningProfileName” 

Just like any device within Intune, there are several remote actions that can be initiated on a Cloud PC.  Similar tasks include Restart, Sync, Rename, Quick\Full Scan, and Update Defender.  Two additional tasks also include Reprovision and Resize. Reprovision is a full wipe and reset. Resize lets you upgrade a Cloud PC size. You must have appropriate Cloud PC licenses available to resize.  Currently, Resizing is only supported to increase the Cloud PC specs, not reduce. If you require a smaller Cloud PC, the only available option is to reprovision.   

Protect Phase

Cloud PCs are as much as part of your Microsoft 365 environment as any other device.  As mentioned, they are enrolled into Intune. This allows for you to configure and apply corporate compliance policies. They are also Hybrid Microsoft Entra ID (formerly Azure AD) Joined. This provides two signals for application of conditional access policy scenarios that can include other conditions such as risk factor or enforce multi-factor authentication.  All to ensure the device is secured user is securely authenticated prior to accessing the Cloud PC.   

 

In addition, you can use Microsoft Endpoint Manager to onboard Cloud PCs to Microsoft Defender for Endpoint for endpoint detection and response capabilities. Intune can push applicable security baselines, Windows OS updates, anti-virus policies, and attack surface reduction measures. 

 

Intune can also be used to define additional local admins on all Cloud PCs. By default, users are not administrators of their Cloud PC. This can be done directly in the MEM Admin Center at Devices > Windows 365 > … > User Settings > Add. Select a security group and any member of that security group will be local administrators on all Cloud PCs. 

 

Finally, Cloud PCs support controls for RDP Device redirections via Group Policy. Not all types of redirections are supported, and it differs based on what client is used to access your Cloud PC. Microsoft has these documented here. 

Monitor Phase

Just as the configuration and protection phases, Cloud PCs should be monitoring just like any other PC in the organization. Yet there are a few additional features and reports provided that can maximize efficiencies within your Windows 365 deployments. These include integrations with Microsoft Productivity Score and Endpoint Analytics.   

Endpoint Analytics provides metrics on the CPU\Memory and network usage for each Cloud PC. These are provided across two reports, Resource Performance and Remote Connection. Cloud PCs need to be onboarded to Endpoint Analytics via an Intune data collection policy to take advantage of these reports. 

The Resource Performance report helps optimize resources for determinations such as the need to resize a Cloud PC to meet user demands. This report provides an overall performance rating as well as CPU/Memory spike metrics.

The Remote Connection report provides network connection metrics including Round Trip Time (RTT) and Sign in time.  Microsoft classifies good values to be under 100ms for RTT and under 30 seconds for Sign in time.

Microsoft Productivity Score provides insights to your entire Microsoft 365 environment.  It utilizes data from Endpoint Analytics as part of the overall score.  Both Endpoint Analytics Windows 365 reports contribute to Microsoft Productivity Score.  You can access the report from Microsoft 365 Admin home under Reports > Productivity Score. 

Deprovision Phase

The final phase involves managing the secure removal of a Cloud PC from a user.  This could be for various reasons such as termination, license upgrades, or simply the end of a project where the Cloud PC may no longer be required.  To initiate a Cloud PC deprovisioning process, simply remove the users license or targeted provisioning policy.  For deprovisioning Cloud PCs, Microsoft provides a seven (7) day grace period.  During this time, a user can be reassigned a license or provisioning policy and regain access to their Cloud PC.  After the grace period, Windows 365 completely removes the Cloud PC and its associated disks.  Administrators can manually choose to end the grace period early within the Intune portal. 

End User Experience

Once a Cloud PC is ready to go, each user has two means of accessing their Cloud PC, via web or client:  

 

Supported OS required (Windows, MacOS, ChromeOS, Linux) 

Supported Browser required (Edge, Chrome, Safari, Firefox) 

  • Microsoft Remote Desktop client (Download accessible via Windows 365 Home page) 

Business users are automatically local administrators.  Enterprise users must be assigned as a local admin via Intune if the organization desires it.  This is by design as Business Cloud PCs are not enrolled into Intune automatically, although they can be manually enrolled, whereas Enterprise Cloud PCs are automatically enrolled and are meant to be fully managed by Intune and the organization.   

 

Users have a few controls for their Cloud PCs.  Both Enterprise and Business users can Restart their Cloud PC from either the web page or Remote Desktop client.  They can Rename their Cloud PC.  This only changes the display name of the Cloud PC on the web page or Remote Desktop client.  It does not change the actual device name on the Cloud PC, or the name shown in Microsoft Entra ID (formerly Azure AD) or Microsoft Endpoint Manager.  Finally, each user can trigger a Troubleshoot command.  This is an automated check to assist if there are any issues connecting to your Cloud PC. 

 

Business users also have one additional action, Reset.  A reset will completely wipe the Cloud PC, including the OS, apps, and any local files and/or settings made.  A new, clean Cloud PC will then be reprovisioned.  Enterprise users do not have this option as this is controlled by the organization within Microsoft Endpoint Manager. 

Conclusion

Windows 365 is a fantastic offering by Microsoft to greatly reduce the complexity of a VDI environment.  However, it is not a one-size-fits-all solution, and it may not be a fit for every organization.  Also, while greatly reducing the necessary administrative tasks, this solution still requires some essential management and maintenance to ensure a smooth lifecycle and operations of your VDI environment. 

 eGroup | Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment.  Our team can provide a full end-to-end solution including planning and design, best practice deployment methods, end user training and adoption, and continued support throughout the life of the solution. Contact our team of Cloud Computing Consultants today!