Quick Wins - Custom Images for Windows 365

Hi folks - Mike Hildebrand here.  Welcome to spring in the US - and another daylight-savings clock-change cycle for many of us (I find it odd that we just 'change time').  Lately, I've been having conversations with customers about 'custom image' support in Windows 365.  Like most aspects of IT, an image management system for standardized PC deployments can range from the simple ('Next > Next > Finish') up to the very complex (tiers, workflows and automations).

To be clear, we strongly recommend you use our Gallery Images for your Windows 365 Cloud PCs.  We'll happily take a lot of work off your plate, if you only let us!  However, we also provide customers with flexibility to integrate their custom image requirements into their Windows 365 deployments. 

• https://learn.microsoft.com/en-us/windows-365/enterprise/device-images#gallery-images 

For more details about Windows 365 images 'all-up,' check the docs:

• https://learn.microsoft.com/en-us/windows-365/enterprise/device-images 

For some very specific dos/don'ts, take 45 seconds and save yourself some grief:

• https://learn.microsoft.com/en-us/windows-365/enterprise/device-images#image-requirements 

That said, here's my walk-through of the 'dip a toe in the pool' method to try out the custom image capabilities of Windows 365.  I shared a version of this guidance with customers and colleagues, and it was suggested that I share it with the masses ... so here you go.

Step 1 - Create a VM in Azure

I keep it plain and simple; a ‘disposable’ VM

• • Start with a ‘Marketplace’ W365 Cloud PC image with the M365 Apps
    • These have optimizations to ensure the best remoting experiences

• • NOTE: I leave off monitoring agents, boot diagnostics, redundancy settings, etc.
  • TIP: Consider creating a ‘dedicated’ new Resource Group for a given image process
    • This makes cleaning up and reducing costs afterwards simple (which I'll cover at the end)

• • IMPORTANT NOTE: When making/using an initial VM as the source for the custom image, ensure “Standard” is chosen for ‘Security type’
    • “Trusted launch virtual machine” is the default - and won’t work for this process - AND it CANNOT be reverted on a deployed VM
    • Though subsequent Cloud PCs are always provisioned securely
      • https://learn.microsoft.com/en-us/windows-365/enterprise/security#security-features-enabled-by-default  

Step 2 - Customize it; prep it

Once the VM is created, login to it, customize it and then Sysprep it

• • Apps, patches, customizations, local policy, etc.
  • OOBE + ‘Generalize’ + ‘Shutdown’

• • • NOTE: Sysprep may error out - issues such as Bitlocker being enabled, or an issue w/ one or more Store apps can cause this. If it happens, check the log, as indicated on your VM 

• • • • For the apps issue, a PS command similar to this resolves it for me, but check the specific log on your VM for the details:

        • Get-AppxPackage *Microsoft.Ink.Handwriting.Main.* | Remove-AppxPackage

Step 3 - Capture it

Make sure the VM is stopped (it should be), then ‘Capture’ the image from the portal:

• The 'Subscription' you select (below) needs to be the same one as where your Windows 365 service lives
• Select ‘No, capture only a managed image.’

• TIP: In my lab, the image creation process takes around 15 minutes for a simple VM

Step 4 - Import it

Once the image is created, open the Intune portal and add it to Windows 365 via the 'Custom images' tab

• TIP: In my lab, the image import takes around 45 minutes
• NOTE: Up to 20 images can be stored here
• NOTE: the ‘Subscription’ you select (below) must match where you captured the image (above) or it won’t show up in the ‘Source image’ drop-down

Step 5 - Use it

After the image is imported into the Windows 365 service, it can be chosen from the Custom Image option in the Provisioning Policy wizard

• NOTE: If you attempt to delete a 'Custom image' that is configured in a Provisioning Policy, the deletion will fail
• NOTE: You can edit a Provisioning Policy and update/change the image, but that change will only affect new Cloud PCs provisioned from the Policy - it won't affect existing Cloud PCs spawned from that Policy. 

Cleanup

The VM, disk, IP, etc. and the 'Managed image' you created/captured above will incur costs in Azure - but not the 'Custom image' you uploaded to Intune/W365 (image storage there is included as part of the service).  

• • After you import the 'Custom image' to W365, you can/should consider deleting the Resource Group you created in Step 1 (which contains everything associated with your disposable VM – the VM itself, the disk, NIC, the image you captured, etc.).

!!!  HUGE warning - triple-dog-verify the Resource Group before you delete it  !!!

Cheers folks!

Hilde