
You're reading from  Mastering Microsoft Endpoint Manager

Product type: Book
Published in: Oct 2021
Publisher: Packt
ISBN-13: 9781801078993
Edition: 1st Edition
Authors (2):
Christiaan Brinkhoff

Christiaan Brinkhoff works as a Principal Program Manager and Community Director for Windows 365 and AVD at Microsoft. In this role, he works on features such as Windows 11, Windows 365 app, Switch and Boot. Christiaan is also an author (3 books) and inventor (3 patents). His mission is to drive innovation while bringing Windows 365, Windows, and Microsoft Intune closer together, and to drive community efforts around virtualization to empower Microsoft customers in leveraging new cloud virtualization scenarios. Christiaan joined Microsoft in 2018 as part of the FSLogix acquisition. He has also been awarded the Microsoft MVP, Citrix CTP, and VMware vExpert community achievements for his continued support of the EUC community.

Per Larsen

Per Larsen works as a Senior Program Manager for Microsoft Endpoint Manager - Customer Acceleration Team - Commercial Management Experiences (CMX) Engineering, where he takes learnings from Microsoft's largest and most strategic customers back into the rest of engineering to drive improvements for the service so that customers have a continuously improving product experience. He also helps deploy and adopt Microsoft Endpoint Manager - Microsoft Intune. Per mainly focuses on the management of Windows and special devices such as HoloLens 2, Surface Hub, and Microsoft Teams Room System. Per was also an MVP in Enterprise Mobility, from 1st July 2016 to when he joined Microsoft on 1st April 2018.

Chapter 4: Deploying Windows 365

In this chapter, you'll learn everything you need to know about how to deploy Windows 365, what the requirements are, and the tips and tricks you have to know.

After this chapter, you'll know everything you need to get started with this new Microsoft cloud service, which simplifies deployment as well as cloud PC maintenance with Microsoft Endpoint Manager.

This chapter is very comprehensive and covers the following topics:

  • Technical requirements for deploying Windows 365
  • Self-service capabilities – IT admin
  • Azure AD – MyApps unified (workspace) portal
  • Auto-subscribing users in the Remote Desktop client
  • Autopilot and cloud PCs – thin client (Kiosk)
  • Monitoring and analytics
  • Shadow users with Quick Assist
  • Windows 11
  • Microsoft Managed Desktop

Technical requirements for deploying Windows 365

To use Windows 365, you must meet the following requirements:

  • The following are the licenses you will need to use Cloud PC/Windows 365:
    • Users with Windows Pro endpoints: W10 E3 + EMS1 E3 or M365 F3/E3/E5/BP
    • Users with non-Windows Pro endpoints: Win VDA E3 + EMS1 E3 or M365 F3/E3/F5/BP
  • An Azure subscription:
    • Subscription owner (set up network connection)
  • Virtual Network (VNet) in an Azure subscription:
    • Azure VNet must route to a DNS server that can resolve Active Directory (AD) records either on-premises or on Azure.
  • This AD must be in sync with Azure AD to provide Hybrid Azure AD join (HAADJ). Azure AD join (AADJ) is currently being worked on.
  • Microsoft Intune supported licenses (for example, Microsoft 365 E3):
    • Intune Service Admin or a cloud PC administrator
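
The DNS requirement above can be checked before you create the network connection. The following PowerShell is an added example, not code from the book; it assumes you run it on a Windows VM attached to the VNet and subnet the cloud PCs will use, and the function name, domain name, and DNS server address are placeholders to replace with your own values.

```powershell
# Added example: check that the VNet's DNS server resolves the AD domain controller
# locator (SRV) records and that the returned domain controllers answer on LDAP.
# Test-AdDnsFromVNet is a hypothetical helper name; run it from a VM inside the VNet.
function Test-AdDnsFromVNet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $DomainFqdn,  # AD DNS domain name (placeholder below)
        [Parameter(Mandatory)] [string[]] $DnsServer    # DNS server IPs configured on the VNet
    )
    $query = "_ldap._tcp.dc._msdcs.$DomainFqdn"         # standard AD DS DC locator record
    foreach ($server in $DnsServer) {
        $detail = 'No SRV records returned'
        $srv = $null
        try {
            # -DnsOnly avoids LLMNR/NetBIOS fallback so only the named DNS server is tested.
            $srv = Resolve-DnsName -Name $query -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            $detail = $_.Exception.Message
        }
        if (-not $srv) {
            [pscustomobject]@{ DnsServer = $server; DomainController = $null; Port = $null
                               Resolved = $false; Reachable = $false; Detail = $detail }
            continue
        }
        foreach ($record in $srv) {
            # Uses the VM's own resolver for the DC name, which is the VNet DNS on an Azure VM.
            $reachable = Test-NetConnection -ComputerName $record.NameTarget -Port $record.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ DnsServer = $server; DomainController = $record.NameTarget
                               Port = $record.Port; Resolved = $true
                               Reachable = $reachable; Detail = 'OK' }
        }
    }
}

# Placeholder values: replace with your AD domain and the DNS server set on the VNet.
Test-AdDnsFromVNet -DomainFqdn 'corp.example.com' -DnsServer '10.0.0.4' |
    Format-Table -AutoSize
```

A row with Resolved set to False points at the VNet DNS configuration or routing; Resolved True with Reachable False points at network security rules or routing between the VNet and the domain controllers.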

We will cover some of the subscriptions that are required in more detail.

Azure subscription

Make sure that you have an Azure subscription to configure...

Self-service capabilities – IT admin

From within Microsoft Endpoint Manager's Devices menu, IT admins can reboot cloud PCs remotely. The Restart button sits next to the Sync button, which enforces MDM policy settings on the cloud PC, and could also be a useful option to provide.

Reprovisioning the cloud PC

You could also reprovision your cloud PC via the Reprovisioning button. Your machine will be reprovisioned, meaning that it will start from scratch in the same way as you started it initially, without any customization needing to be installed on the cloud PC.

You can find the Reprovision button under Devices | Overview | Reprovisioning:

Figure 4.18 – Reprovisioning – cleaning your cloud PC

Important Note

You need (at least) cloud PC administrator permissions to be able to do this.

IT admins will get the following notification prompt to confirm that reprovisioning works as an extra safety check:

...

Azure AD – MyApps unified (workspace) portal

You can also access your cloud PC environment via MyApps and consolidate all your other Software-as-a-Service (SaaS) applications in one unified portal experience.

You can open the https://myapps.microsoft.com/ portal on your computer or from the mobile version of the Edge browser on an iOS or Android mobile device.

You can find the end user experience of Azure AD MyApps in the following sections of Windows 365. When you click on the cloud PC app, you will be redirected to the IWP portal using single sign-on:

Figure 4.38 – MyApps portal

Multi-factor authentication and conditional access

We recommend going to Chapter 13, Identity and Security Management, later in this book, to learn more about conditional access.

Multi-factor authentication is enabled on your Azure AD tenant by default to ensure that hackers and other intruders stay out of your environment. Enabling this feature on Windows...

Auto-subscribing users in the Remote Desktop client

Note that the following setting only works on Windows 11 as an endpoint and will be backported to Windows 10 soon. There's a chance that when you read this book, the feature will already be available!

Once you have configured the ability to enroll the Remote Desktop client to your Windows 10 endpoints, you have performed the most fundamental step. However, if you stop here, the user who opens the app will be prompted to log in with their Azure AD credentials before they see their cloud PC(s) and can start the session.

This section explains how you can auto-subscribe users to the Remote Desktop (MSRDC/Store) application without the need to enter credentials!

The settings that make this way of logging on possible have to be implemented via Device | Configuration profiles, via the Settings Catalog feature. The steps are as follows:

  1. First, open the Devices menu and create a new profile (for Windows 10 and later):

    Figure...

Autopilot and cloud PCs – lightweight thin client (Kiosk)

The great thing about the combined capabilities of Microsoft Endpoint Manager, Autopilot, and Windows 365 is that you can configure both physical and virtual MEM-managed endpoints.

For example, within Autopilot, you can configure a multi-app Kiosk type of Surface Go, a thin client that only populates the Remote Desktop client. Full configuration and enrollment happens without user interaction and when the client is done, the end user only has to log in with their Azure AD credentials to get access to their cloud PC!

Within the Device configuration profile that you attached, for example, to your lightweight thin client, you can configure the auto-launching capability of the Remote Desktop Win32 or Store application to make the experience more awesome:

Figure 4.69 – Configuring Kiosk mode profiles

However, that's not all we can do.

When combining this setting with the settings...

Monitoring and analytics

Ensuring that the performance and quality level of your cloud PC environment is good is just as (or perhaps even more) important as the implementation. Users need to be happy about their cloud PC and it should not impair their productivity.

Windows 365/cloud PC seamlessly integrates with all the monitoring and analytics capabilities that you use today for your physical endpoints. This means that you can easily distinguish between whether the problem is active on the physical endpoint or within the cloud PC session.

You will learn more about monitoring in Chapter 14, Monitoring and Endpoint Analytics, where we will take a much deeper dive into the specific metrics of ensuring the performance and quality of your Windows 365/cloud PC environment both proactively and reactively!

Here's a quick preview list of the reports/dashboards that are available at the time of writing:

  • Startup performance
  • Proactive remediations
  • Recommended software...

Shadow users with Quick Assist

Quick Assist is a new tool (simpler than Remote Assistance – it doesn't require any pre-configuration) you can use to give control of your computer to people you trust over the internet. The other great thing about Quick Assist is that it's free to use as part of your Windows 10 license!

Quick Assist is part of your cloud PC and all other physical Windows 10 operating systems. So, you just have to search for it in your Start menu to get started. Pretty simple, right?

Once you've done this, you will have to log in with your Azure AD credentials. If you are the user, you need to enter a 6-digit code. If you are the helpdesk employee or the IT admin, you have to click on Assist another person:

Figure 4.72 – Quick assist login

Wait for the session to load.

During the loading process, the helpdesk user will be asked for the type of control they wish to implement:

Figure 4...

Windows 11

Windows 365 provided day 1 support for Windows 11 during its general availability (GA) on October 5, 2021. Customers can enable the Trusted Platform Module (TPM) as part of their cloud PC so that it meets the hardware requirements of Windows 11.

Here, you can see how Windows 11 runs as part of Windows 365 inside the browser. Of course, all the other endpoints, such as Windows and macOS, are supported too:

Figure 4.74 – Windows 11

Microsoft Managed Desktop

Microsoft Managed Desktop brings together Microsoft 365 Enterprise, cloud-based device management by Microsoft, and security monitoring, allowing your IT team to focus on core (IT-as-a-Service) business needs.

This service is different from cloud PC/Windows 365, but the service can be used to simplify the management layer of your physical endpoints while you, as a partner or customer, are responsible for your cloud endpoints.

If you are interested in using this service, please contact your Microsoft sales representative. The enablement process starts in the Microsoft Endpoint Manager console, under Tenant admin, followed by clicking Tenant enrollment:

Figure 4.75 – Managed Desktop

With that, we have come to the end of this chapter. Congratulations on completing it!

Summary

In this chapter, you've learned everything you need to know about the new Windows 365 service, from the fundamentals of it to deep-diving into the logistics of configuration. We covered all the steps required to deploy Windows 365 Enterprise, what the prerequisites are, and some other great tips to learn more about different optimizations for your deployment.

In the next chapter, we will take a deeper dive into the different aspects of managing your Windows 365 environment, as well as thinking about monitoring, application distributions for classic Windows applications (Win32) and MSIX, identity and security, and many more aspects.

Questions

  1. Can you use Windows 365 in multiple regions across the globe, from the US to Europe, and even to the Middle East, Asia, and New Zealand?
    1. Yes
    2. No
  2. What protocol is Windows 365 using as part of connecting to cloud PCs?
    1. Unified Desktop Protocol
    2. Blaster Disaster Protocol
    3. Remote Desktop Protocol

Answers

  1. (A)
  2. (C)

Further reading

If you want to learn more about Windows 365 after reading this chapter, please go to one of the following other sections in this book:
