Introduction and Initial Thoughts

The Windows 365 Link is a neat little purpose-built device, designed to enable easy deployment and simple, secure access to your Windows 365 Cloud PCs. 

The Link device is a ‘last mile’ endpoint device; there are pre-requisites that need to be in place in Intune, Entra and Windows 365 for both deployment of Link, as well as on-going use of Link to access Cloud PCs. 

In many cases, where Intune, Entra and Windows 365 are in ‘Production’ use in typical enterprise environments, many/most of the pre-reqs will already be met – but not always. 

Lastly, it is easy to forget that “Entra Join” and “Intune enrollment” are separate backend actions, occurring separately, in separate services and with different limits and controls

All that to say, your current tenant configurations might allow you to successfully deploy Link devices, right now.  If you’re feeling lucky, give it a try; otherwise, read on… 

Deployment Model – User-driven or Admin-driven

User-driven – a given end-user goes thru OOBE and moments later, device is Entra joined, and Intune enrolled.  The user is passed right into her CPC (or the ‘CPC chooser’ if she has more than one assigned).

IMPORTANT: If Link is enrolled this way, by a typical end user:

1. 1. It will be listed (and renamable and resettable) in that user’s Company Portal device list.
      • If the Link device is going to be shared, you might not want the enrolling user to be able to reset or rename it as that could impact others use of the Link device.
   2. Link devices start off as ‘personal’ Windows devices. You may need to adjust your Intune tenant’s Windows device platform enrollment restrictions to accommodate for this. 

• • Otherwise, you’ll probably encounter this failure during enrollment:

 

 

 

 

 

 

 

 

To address this, you can either:

• Upload a “Corporate device identifiers” CSV file into Intune with the Link device info (probably the simplest way to deal with this situation):

OR

• Set the default policy to “Allow” personally owned Windows devices to enroll (not common in enterprise environments)

OR

• If you’ve set the default policy to “Block” personally owned Windows devices from enrolling (common in enterprises):

• • You can create a subsequent “Device Platform Enrollment Restriction Policy” and set the Windows platform to “Allow” personally owned devices, then assign the Policy to ‘All Users’ (or a group of users) and use an Intune filter (discussed further below) to Include the Link devices

Admin-driven - a DEM ID is used to go through OOBE and moments later, device is Entra joined and Intune enrolled and then the device is ready for users to access their CPCs

DEM IDs are ‘normal’ Entra IDs that are marked specially in Intune and are:

o   Limited to the Entra join settings defined in the Entra portal

o   Limited to enroll up to 1000 devices into Intune - but not bound by the Intune device enrollment limit settings defined in the Intune portal

o   Exempt from Intune “Device Platform Enrollment Restrictions”

Because of these conditions and depending on your tenant settings, you might need to create more than one DEM ID if you need to deploy 100s or 1000s of Link devices (maybe create “one DEM ID per location” or “one DEM ID for each “batch” of Link deployments or something similar). 

Also, consider your DEM ID naming standards (i.e. DEM-LNK-01) and be sure to have processes in place to exempt the DEM IDs from being cleaned up/purged; deleting DEM IDs used to deploy active devices is a no-no:

 

 

 

 

 

 

NOTE: Since DEM IDs generally don’t have a CPC provisioned/licensed, there is an error after the OOBE/Entra join/Intune enrollment completes – just click ‘Sign out’ and the link will return to the Sign in screen:

 

 

 

 

 

 

 

 

Review Existing Tenant Configurations  

Entra settings 

Limits to Entra Join device counts- limits apply to all users (incl DEM IDs)

 

 

 

 

 

 

 

 

 

 

 

• NOTE: ‘Custom’ can be any value up to 100:

 

 

 

 

 

Authentication Methods – managed via Entra; apply to both enrollment of the Link, as well as day-to-day use to access Cloud PCs

• For enrollment, username + password is the default but you can use others by clicking ‘Sign-in options’ on the OOBE screen (i.e. a FIDO2 key):

 

 

 

 

 

 

 

 

 

 

• For day to day use you can use two options

(a)   Web sign in – by default, and out of the box, username ('Email) and password is available

(b)   FIDO2 key – you’ll need to enable the “Use Security Key For Signin” setting via Intune and target the Link devices before the security key icon/option will show up.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Intune settings

• Limits to Intune enrollments – limits for users (up to 15); DEM IDs ignore these limits (each DEM can enroll up to 1000 devices)

 

 

 

 

 

 

 

 

 

 

 

 

 

Additional Considerations and FAQs

• Link device names can’t be customized/edited during deployment, but the devices can be renamed via Company Portal or the Intune Portal, after deployment, if desired:
  • “CALL-CTR-01”
  • “ALEXW-LNK-01”

 

 

 

 

 

 

 

 

 

 

 

• “Do Link devices on-board to Microsoft Defender for Endpoint?”

  • If your existing Intune tenant is configured to on-board devices into MDE, then yes
  • However, the MDE agent, AV settings, etc. are NOT active within the OS – you’ll just see a device record in MDE with some device telemetry

• “Do I need to configure Link devices for Windows Update settings, rings, etc.?”

  • No, the Link OS has local Windows Updates settings defined to check for OS and firmware Updates, each night at 3:00 am local time.
  • If the device is in a ‘sleep’ state, the OS will wake itself and check for Updates, including firmware.
  • NOTE: this wakeup only checks for Updates – it doesn’t wake the MDM stack in the OS nor check-in to Intune if it’s in a ‘sleep’ state.
  • NOTE: a manual check for Updates can be done from the device

 

 

 

 

 

 

 

 

 

 

 

 

• “What are the most-common policy settings that aren't OS defaults?”

  • The following common power and privacy settings can be changed via Intune as shown:
  • Set the device’s 5-minute default screen time out (set to 1 hr/3600 seconds in the policy below)
  • Set the device’s location service to discover and auto-set the local-to-the-Link time zone 
  • Set the device’s Power Management settings to prevent it from going to ‘sleep’
    • IMPORTANT: As mentioned above, a Link that’s in a ‘sleep’ state isn't remotely admin-manageable from the Intune portal

• “How do I create an Assignment Filter for Link in Intune?”

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

• “Can I turn off physical capabilities on the device?”

  • Yes - take a look here for UEFI controls to manage ports and configurations at the firmware level
  • Manage firmware settings for Windows 365 Link devices. | Microsoft Learn

• “Does SSO work to get me signed into the Link and right into my Cloud PC?”

  • Indeed, it does!  Just make sure SSO is enabled and working for the CPCs
    • Realize this requires more than just the checkbox in the CPC Provisioning Policy; review additional SSO setup

 

 

 

 

Unbox and Connect

• In the box is the device, a power brick and a power cord
• Ports
  • Front
    • 1 - standard headphone jack
    • 1 – USB-A port
    • Power light
    • Power button
  • Back
    • 1 - USB-C port
    • 2 - USB-A ports
    • 1 - DisplayPort
    • 1 - HDMI port
    • 1 - RJ-45/LAN
    • 1 - Power jack

 

• Here's my desktop setup for this article:

 

 

 

 

 

 

 

 

 

 

 

En'Roll the Bones

• After plugging it all in, turn it on and at OOBE, click ‘Next’

NOTE: You’ll see the Wi-Fi connection UI if not using a physical network cable

 

 

 

 

 

 

 

 

 

 

 

• Enter ID and pwd or click ‘Sign-in options’ for different sign in method (i.e. FIDO2):

 

 

 

 

 

 

 

 

NOTE: Even though ‘Domain join instead’ is listed there as a Sign-in option, it doesn't work and isn’t supported

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

For those more inclined to 'Moving Pictures' ...

Full enrollment + Link Sign-in + CPC SSO + disconnect - NOTE: this first vid SEEMS 'long' but I'd argue it's actually amazingly fast (Entra Join + Intune Enrollment + CPC sign in + close Evernote + Disconnect) ... ~1 minute and 30 sec 😎

 

Link Sign-in + CPC SSO + Disconnect ~30 seconds

NOTE: Right-click the vid > 'Refresh' to watch again

A Few Other Resources

• Setup vid (first 6 min are overview; setup starts around 6 min mark)
  • https://www.youtube.com/watch?v=joec9L6EeqU&t=4s

• Docs - https://learn.microsoft.com/en-us/windows-365/link/

That's a Wrap!

If you can't tell, I think the Link is a great device that continues to expand the Windows 365 solution.  I hope these details help you as you try them out in your environment.  Drop a note into the comments and share how your Windows 365 journey is going.

Also, a couple of shout-outs - AJ for allowing me to 'borrow' the Link device (good luck getting it back); Dan Ram for validating scenarios and details; Mr. Shannon and Matt A. for their Link help and Brandon Wilson for helping (as always) w/ blog snafus.

Cheers!

Hilde