You're reading from Mastering Microsoft Intune - Second Edition

Product type: Book
Published in: Mar 2024
Publisher: Packt
ISBN-13: 9781835468517
Edition: 2nd Edition
Authors (2):

Christiaan Brinkhoff

Christiaan Brinkhoff works as a Principal Program Manager and Community Director for Windows 365 and AVD at Microsoft, where he works on features such as Windows 11, the Windows 365 app, Switch, and Boot. Christiaan is also an author (3 books) and inventor (3 patents). His mission is to drive innovation by bringing Windows 365, Windows, and Microsoft Intune closer together, and to drive community efforts around virtualization that empower Microsoft customers to leverage new cloud virtualization scenarios. Christiaan joined Microsoft in 2018 as part of the FSLogix acquisition. He has also been recognized with the Microsoft MVP, Citrix CTP, and VMware vExpert community awards for his continued support of the EUC community.

Per Larsen

Per Larsen works as a Senior Program Manager for Microsoft Endpoint Manager - Customer Acceleration Team - Commercial Management Experiences (CMX) Engineering, where he takes learnings from Microsoft's largest and most strategic customers back into the rest of engineering to drive improvements to the service, so that customers have a continuously improving product experience. He also helps customers deploy and adopt Microsoft Endpoint Manager - Microsoft Intune. Per mainly focuses on the management of Windows and special devices such as HoloLens 2, Surface Hub, and Microsoft Teams Rooms systems. Per was also an MVP in Enterprise Mobility from 1 July 2016 until he joined Microsoft on 1 April 2018.

Deploying Windows 365

In this chapter, you’ll learn everything you need to know about deploying Windows 365: what the requirements are, how to connect to Cloud PCs via the new Windows App, Windows 365 Boot and Switch, and other tips and tricks for configuring Cloud PCs as securely as possible.

After this chapter, you’ll know everything you need to get started with Windows 365, a cloud service that simplifies both deployment and ongoing Cloud PC maintenance through Microsoft Intune.

This chapter is very comprehensive and covers the following topics:

  • Technical requirements for deploying Windows 365
  • Required URLs
  • Remote Desktop Protocol (RDP) requirements
  • Connect to on-premises networks (optional)
  • Learn how to provision a Cloud PC
  • Custom image management
  • Moving Cloud PCs
  • Security baselines
  • Restore points
  • Connecting to your Cloud PC
  • Windows App
  • User Actions
  • Supported redirections...

Technical requirements for deploying Windows 365

To use Windows 365, you must meet the following requirements. For Microsoft Entra join, you do not need to bring an Azure subscription or Azure virtual network (VNet); those are only needed when you use an Azure network connection, which Hybrid Microsoft Entra join requires.


Figure 5.1: Technical requirements for deploying Windows 365

Required URLs

For the connection to be established, certain URLs must be allowed on the client network the user is connected to, and likewise the network the Cloud PC is connected to must allow specific outbound URLs. Be aware that the URLs differ between the Azure public cloud and Azure Government; see the following tables for the URL requirements of each.

Any Azure virtual network (VNet) you create for Windows 365 must allow outbound TCP access to the underlying services Windows 365 uses; these rules live in the firewall or network security group configuration in the customer’s Azure subscription.

The following tables give a snippet of the URLs and ports that must be open to communicate with the Windows 365...
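The check below is an added example and is not code from the book: it verifies, from whichever network you are testing (the user’s client network or the Cloud PC’s VNet), that the required endpoints resolve in DNS and accept a TCP connection on port 443. The two host names in the sample list are constructed for illustration; take the complete, current list for your cloud (public or US Government) from Microsoft’s published Windows 365 network requirements, and expand any wildcard entries to the concrete hosts you expect to reach. It only covers TCP; UDP-based paths such as RDP Shortpath need a separate test.

```powershell
# Added example (not from the book): reachability check for Windows 365 endpoints on TCP 443.
# The host list is a constructed sample; replace it with Microsoft's published list for your cloud.
$endpoints = @(
    'login.microsoftonline.com',   # Microsoft Entra ID sign-in
    'rdweb.wvd.microsoft.com'      # Windows 365 / AVD web feed
)

function Test-CloudPcEndpoint {
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [int] $Port = 443
    )
    foreach ($h in $HostName) {
        $dns = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
        $tcp = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            HostName = $h
            Resolves = [bool]$dns
            TcpOpen  = $tcp.TcpTestSucceeded
            RemoteIP = $tcp.RemoteAddress
        }
    }
}

$results = Test-CloudPcEndpoint -HostName $endpoints
$results | Format-Table -AutoSize

# Anything with TcpOpen = False is a firewall or proxy hole to open before you provision.
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) { Write-Warning ('Blocked on TCP 443: ' + ($blocked.HostName -join ', ')) }
```

Run it once from a client on the corporate network and once from inside a test Cloud PC; a host that resolves but fails the TCP test usually points at an explicit proxy or TLS-inspecting firewall that needs an exception rather than a DNS problem.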

Provision a Cloud PC

In this section, we will explain the steps to start provisioning one or thousands of Cloud PCs for your business. The steps are straightforward. Let’s go:

  1. Open the Microsoft Intune admin center via intune.microsoft.com.
  2. Go to Devices | Provisioning | Windows 365.
  3. Go to Provisioning Policies.

Figure 5.9: Windows 365

  4. Click on Create Policy.

Figure 5.10: Provisioning policies

  5. Enter the name of the Provisioning Policy in the Name box.

Figure 5.11: Create a provisioning policy

  6. Once done, configure your preferred Join type: either Microsoft Entra Join or Hybrid Microsoft Entra Join.
  7. Select the Geography and Region you want to deploy your Cloud PCs in. Windows 365 is Multi-Geo and is designed to meet your data residency requirements while retaining single-tenant administration and full-fidelity collaboration experiences between users...
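The same provisioning policy can be created and assigned through Microsoft Graph, which is how you would reproduce the steps above at scale or in a pipeline. The script below is an added example, not code from the book or from Microsoft: it uses the beta virtualEndpoint API, picks a gallery image by display name instead of hard-coding an image ID, creates a Microsoft Entra joined policy on the Microsoft-hosted network with single sign-on enabled, and then assigns it to a group. The property names, the region values, the image display-name filter and the placeholder group ID are assumptions to confirm against the cloudPcProvisioningPolicy beta reference and your own tenant before running it.

```powershell
# Added example (not from the book): create and assign a Windows 365 provisioning policy via Graph (beta).
# Assumptions to verify: property names and region values against the cloudPcProvisioningPolicy
# beta reference; the image filter and group ID against your tenant.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'CloudPC.ReadWrite.All', 'Group.Read.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint'

# Resolve a gallery image by display name rather than hard-coding its ID.
$images = (Invoke-MgGraphRequest -Method GET -Uri "$base/galleryImages").value
$image  = $images | Where-Object { $_.displayName -like 'Windows 11 Enterprise*Microsoft 365 Apps*' } |
          Sort-Object displayName -Descending | Select-Object -First 1
if (-not $image) { throw 'No matching gallery image; inspect $images and adjust the filter.' }

$groupId = '<objectId of the Entra group that should receive Cloud PCs>'   # placeholder, not a real ID

$policy = @{
    displayName              = 'CPC-Finance-W11-EntraJoin'
    description              = 'Entra join, Microsoft-hosted network, SSO enabled'
    enableSingleSignOn       = $true            # lets Windows Hello / FIDO2 sign-in carry into the session
    imageType                = 'gallery'
    imageId                  = $image.id
    imageDisplayName         = $image.displayName
    windowsSetting           = @{ locale = 'en-US' }
    domainJoinConfigurations = @(
        @{
            domainJoinType = 'azureADJoin'      # no Azure subscription or VNet required
            regionGroup    = 'europeUnion'      # geography for data residency (assumed enum value)
            regionName     = 'automatic'        # let the service pick the region within the geography
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/provisioningPolicies" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created provisioning policy $($created.id)"

# Nothing is provisioned until the policy is assigned to a group whose members also hold a Windows 365 license.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.cloudPcManagementGroupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/provisioningPolicies/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Assigned policy $($created.id) to group $groupId"
```

Treat the assignment step as the point of no return: as soon as a licensed user lands in the assigned group, a Cloud PC is provisioned for them, so create the policy first, review it in the admin center, and assign it to a pilot group before the production one.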

Zero Trust: Conditional Access management for Cloud PCs

It is essential to secure access to the Cloud PCs in your Windows 365 environment. One way to achieve this is with Conditional Access (CA), which grants or blocks access based on specific conditions such as user, device, location, and application. We strongly recommend requiring multi-factor authentication (MFA) for Cloud PC access, and certainly when users connect from unknown locations, so that a username and password alone are never enough off the corporate network. Additionally, consider security keys based on Fast Identity Online (FIDO2) for authentication: they provide phishing-resistant credentials and a frictionless sign-in, since the user only taps a USB or NFC-based key to sign directly in to the Cloud PC instead of typing credentials!

Including a cloud app for Windows 365 and Azure Virtual Desktop in your CA policy helps secure all the different ways users are able to connect to...
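The policy described in this section, written out with Microsoft Graph PowerShell, as an added example that is not the book’s own code: it targets the Windows 365 and Azure Virtual Desktop cloud apps (plus the Remote Desktop and Windows Cloud Login apps that the single sign-on path uses), requires the built-in “Phishing-resistant MFA” authentication strength rather than plain MFA, excludes an emergency-access group, and is created in report-only mode so you can review the sign-in log impact before enforcing it. The app display names, the built-in authentication strength ID and the two group IDs are assumptions: the apps are resolved by name so nothing is hard-coded, and the group IDs are placeholders to replace with your own.

```powershell
# Added example (not from the book): Conditional Access policy requiring phishing-resistant MFA
# for Windows 365 / AVD, created in report-only mode. Group IDs are placeholders; app names and the
# built-in authentication strength ID are assumptions to confirm in your tenant.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Resolve the first-party cloud apps by display name so no app ID is typed by hand.
$appNames = @('Windows 365', 'Azure Virtual Desktop', 'Microsoft Remote Desktop', 'Windows Cloud Login')
$appIds = foreach ($name in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Property appId, displayName
    if (-not $sp) { Write-Warning "Service principal '$name' not found in this tenant"; continue }
    $sp.appId
}
if (-not $appIds) { throw 'None of the Windows 365 / AVD service principals were found.' }

$cloudPcUsersGroup = '<objectId of the Cloud PC users group>'    # placeholder
$breakGlassGroup   = '<objectId of the emergency-access group>'  # placeholder: always exclude it

$policy = @{
    displayName = 'CA-W365-Require-Phishing-Resistant-MFA'
    state       = 'enabledForReportingButNotReviewed'   # report-only; change to 'enabled' after review
    conditions  = @{
        users = @{
            includeGroups = @($cloudPcUsersGroup)
            excludeGroups = @($breakGlassGroup)
        }
        applications   = @{ includeApplications = @($appIds) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator = 'OR'
        # Built-in "Phishing-resistant MFA" strength: FIDO2 keys, Windows Hello for Business, certificate-based auth.
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}

$result = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($result.Id) in state $($result.State)"
```

Leave the policy in report-only mode until the sign-in logs show that every Cloud PC user already has a FIDO2 key or Windows Hello for Business registered; enabling it earlier locks out users who can only satisfy classic MFA, and the excluded emergency-access group is what keeps an administrator able to roll it back.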

Deploy Windows App via Intune

If you want to deploy Windows App to Windows 10 or Windows 11 endpoints in bulk, we recommend the new Microsoft Store app deployment option in Microsoft Intune, which installs silently on end users’ devices in either device or user context.

Note: We will go deeper into Enterprise App Deployment later in the book.

  1. To add the app in Intune, go to Apps, add a new app, and select Microsoft Store app (new) as the app type.

Figure 5.41: Microsoft Store app (new)

  2. Search for Windows App.

Figure 5.42: Search Windows App

  3. Finish the app configuration as per your own needs.

Figure 5.43: App information – Windows App

  4. Assign the app to the Microsoft Entra group containing the users (installs for each user who signs in to the device) or devices (installs once per device) that should receive Windows App.

Figure 5.44: Assignment...

Bulk User Actions via Intune

From within the Devices menu in Microsoft Intune, IT admins can restart Cloud PCs remotely. The Restart action sits next to Sync, which forces the Cloud PC to check in and apply pending MDM policy settings; both are useful when a configuration change or troubleshooting step needs to take effect immediately.

Supported redirections per endpoint platform

You can access your Cloud PCs from Windows via the new Windows App. Clients are also available for mobile platforms and other operating systems such as macOS; Linux client support is provided via partners such as IGEL and 10Zig, and Linux users can use the Windows App web client today as well!

The following table explains the differences between the different endpoints that are supported for Windows 365 at the time of writing:

Figure 5.46: Windows App Connect to/from table

Windows effects configuration

The following table shows the differences per platform for display features.

Figure 5.47: Windows effects configuration...

Windows 365 Boot shared mode

Windows 365 Boot is one of the newest Windows integrations released as part of Windows 365 and Windows 11. It lets users sign in to their Windows 365 Cloud PC directly from the initial Windows login screen of a physical device, without first signing in to that device itself. This is useful for shared PC scenarios, where each user reaches their own personal and secure Cloud PC from a common device. To use Windows 365 Boot, IT administrators configure the physical devices and push the Windows 365 Boot settings to them with Intune. The pain of logging on to a local Windows PC first, opening Windows App, and clicking connect has completely vanished!

In this section, we will explain how to push the Windows 365 Boot components to your Windows 11 endpoints via Microsoft Intune using a simplified guided scenario built specifically for this feature...

Windows 365 Boot dedicated mode

You can now boot to your Windows 365 Cloud PC from your designated company-owned device, signing in seamlessly from the Windows 11 login screen with passwordless authentication methods such as Windows Hello for Business. Passwordless sign-in is more frictionless for the user and removes the password as a target, reducing the attack surface for credential stuffing, password cracking, and phishing.

In the previous section, you saw how to enable Dedicated User Mode via the new add-on option in the Windows 365 Boot guided scenario in Intune.

The new dedicated mode also comes with a fast account switcher to switch between profiles during sign-in, and with personalized experiences: your username, a display picture on the lock and login screens, remembering your username, and so on.

Figure 5.71: This is a Windows Cloud PC

What if you have multiple Cloud PCs?

End users can handpick their Cloud PC of choice via the Windows App client, making personalization straightforward. Soon, users will also be able to pick which Cloud PC to use directly from the first logon experience!

Figure 5.72: Integrated experiences

Battery status redirection

Windows 365 now also supports redirection of battery status information; for example, when using Windows 365 Boot dedicated mode on a Surface Laptop or another OEM device such as a Lenovo ThinkPad, you can see how much battery the physical device has left from inside the Cloud PC session.

Figure 5.73: Battery status

Windows 365 Switch

Windows 365 Switch lets you move between the Cloud PC and the local desktop with the familiar Alt + Tab keyboard shortcut, a mouse click, or a swipe gesture. Everything works from within Windows 11 via the Task view feature. Windows App is required on the endpoint; once it is installed, the Cloud PC shows up automatically inside Task view (see the following).

The hidden gem here is that users can do the same from inside their Cloud PC: open Task view and switch back to the local PC.

This round-tripping is especially valuable for bring-your-own-device (BYOD) scenarios, where you connect from your own Windows device to a secure, company-owned Cloud PC. It is a great experience for businesses that want to do more with less financial outlay.

Some of the most recent Windows 365 Switch improvements Microsoft has made are:

  • Improved disconnect experience for Windows 365 Switch: You can...

Bulk device actions

To manage your Windows 365 Cloud PC environment, you sometimes need to push configuration settings to multiple endpoints, that is, perform actions at scale against a group of devices or users.

Under Devices | Windows, you can find your endpoint objects and perform individual device actions, for example:

  • Sync settings
  • Restart the Cloud PC
  • Restore to a previous point in time
  • Reprovision the Cloud PC
  • Resize
  • Collect diagnostics
  • Microsoft Defender actions (scan, update agent, etc.)
  • Configure Remote Assistance
  • Place the Cloud PC under review

To run the same actions against many Cloud PCs at once:

  1. In Intune, go to Devices | All devices and click Bulk Device Actions.

Figure 5.78: Bulk Device Actions

  2. Select Windows as the OS.
  3. Select Cloud PCs as the Device type.
  4. Select your bulk device action. Several variations are available to make your life as an IT admin easier!

Figure 5.79: Bulk device action Cloud PCs
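The bulk restart above, scripted against the beta virtualEndpoint API so that it can be targeted at one provisioning policy, previewed before it runs, and logged. This is an added example, not code from the book or from Intune: the reboot action path, the property names used in the $select and the status value are assumptions to confirm against the cloudPC beta reference, and the policy name in the usage line is the hypothetical one from the earlier provisioning example.

```powershell
# Added example (not from the book): targeted bulk restart of Cloud PCs via Graph (beta),
# with a dry run by default. Action path, $select properties and status value are assumptions
# to confirm against the cloudPC beta reference.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'CloudPC.ReadWrite.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs'

function Get-AllCloudPc {
    # Follow @odata.nextLink so large tenants are not cut off after the first page.
    $uri = $base + '?$select=id,displayName,managedDeviceName,userPrincipalName,status,provisioningPolicyName'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

function Restart-CloudPcBulk {
    param(
        [Parameter(Mandatory)] [string] $ProvisioningPolicyName,
        [switch] $Execute    # without this switch the function only reports what it would do
    )
    $targets = Get-AllCloudPc | Where-Object {
        $_.provisioningPolicyName -eq $ProvisioningPolicyName -and $_.status -eq 'provisioned'
    }
    "{0} Cloud PC(s) match policy '{1}'" -f @($targets).Count, $ProvisioningPolicyName
    foreach ($pc in $targets) {
        if ($Execute) {
            # Same action as Restart in the admin center: the user's unsaved work is lost, so warn first.
            Invoke-MgGraphRequest -Method POST -Uri "$base/$($pc.id)/reboot"
            "{0:u} rebooted {1} ({2})" -f (Get-Date), $pc.managedDeviceName, $pc.userPrincipalName
        } else {
            "[dry run] would reboot {0} ({1})" -f $pc.managedDeviceName, $pc.userPrincipalName
        }
    }
}

Restart-CloudPcBulk -ProvisioningPolicyName 'CPC-Finance-W11-EntraJoin'             # preview only
# Restart-CloudPcBulk -ProvisioningPolicyName 'CPC-Finance-W11-EntraJoin' -Execute   # actually restart
```

Filtering on status keeps the script from firing actions at Cloud PCs that are still provisioning or in a grace period, and the dry run gives you the list of affected users to notify before the real run, which the portal’s bulk action does not.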

Monitoring and analytics

Ensuring that the performance and quality of your Cloud PC environment are good is just as important as (or perhaps even more so than) the implementation. Users need to be happy with their Cloud PC, and it should not impair their productivity.

Windows 365 Cloud PCs integrate with all the monitoring and analytics capabilities in Microsoft Intune that you already use for your physical endpoints, so you can easily distinguish whether a problem lies on the physical endpoint or within the Cloud PC session.

You will learn more about monitoring in Chapter 14, Monitoring and Endpoint Analytics, where we will take a much deeper dive into the specific metrics of ensuring the performance and quality of your Windows 365 environment both proactively and reactively!

Here’s a quick preview list of the reports/dashboards that are available at the time of writing:

  • Startup performance
  • Proactive remediations...

Want to dive deeper into Windows 365?

If you want to go even deeper into Windows 365, we recommend the book Mastering Windows 365, by Christiaan Brinkhoff, Sandeep Patnaik, and Morten Pedholt.

This level 500+ technical deep dive goes further into the details of the RDP protocol and other tips and tricks. It is a great companion to this book, and you can purchase it via Amazon, Packt, or directly via aka.ms/MasteringW365.

With that, we have come to the end of this chapter. Congratulations on completing it!

Figure 5.85: Mastering Windows 365

Summary

In this chapter, you’ve learned everything you need to know about the new Windows 365 service, from its fundamentals to the details of configuration. We covered the steps required to deploy Windows 365 Enterprise, what the prerequisites are, and some other tips for optimizing your deployment.

In the next chapter, we will take a deeper dive into managing your Windows 365 environment, including monitoring, application distribution for classic Windows (Win32) and MSIX applications, identity and security, and many other aspects.

Questions

  1. Can you move existing Cloud PCs to other regions without losing any user and application data?
    1. Yes
    2. No
  2. Which protocol does Windows 365 use to connect to Cloud PCs?
    1. Unified Desktop Protocol
    2. Blaster Disaster Protocol
    3. Remote Desktop Protocol

Answers

  1. a
  2. c

Further reading

If you want to learn more about Windows 365 after reading this chapter, please go to one of the following other sections in this book:

  • Chapter 12, Copilot/AI
  • Chapter 13, Identity and Security Management
  • Chapter 14, Monitoring and Endpoint Analytics
  • Chapter 16, Troubleshooting Microsoft Intune

Learn more on Discord

To join the Discord community for this book, where you can share feedback, ask the authors questions, and learn about new releases, use the following link:

https://packt.link/SecNet
