Healthcare and Life Sciences Blog

Management Design options for Windows 365 Cloud PC (Intune & Co-Management)

Juan_Sifuentes
Mar 15, 2022

Let’s explore device management options for Windows 365 Cloud PC (Intune & Co-Management)!

Remember to loop back to the main deck for the Windows 365 Cloud PC Healthcare Series.

Over the last few weeks we looked at Windows 365 Cloud PC architecture design and provisioning options for rolling out Cloud PCs in your environment. We gained better insight into how and when to position and build a Windows 365 ecosystem. Device management recommendations (Intune and Co-Management) for Windows 365 Cloud PCs are tailored to the hosting provisioning scenario.

The purpose of this document is to address Windows 365 Cloud PC device management design options (Intune and Co-Management) for each hosting provisioning scenario: a high-level overview of each solution and its deployment considerations, giving our HLS customers a wider view of the information they need to succeed in building a Windows 365 foundation.

Let’s dive right in!

Management Design options for Windows 365 Cloud PC (Intune & Co-Management)

OPTION 1: (Cloud PC Entra ID Joined + hosted in Microsoft Network)

Cloud PCs are managed by Intune (Co-Management optional)

For the OPTION 1 hosting scenario, the recommended device management solution is Microsoft Intune, with Co-Management optional.

Intune:

  • Cloud PCs are hosted in the cloud (Microsoft Hosted Network) and managed in the cloud (Microsoft Intune)
  • Cloud PCs are enrolled as Entra ID Joined and managed out-of-the-box by Microsoft Intune
  • This is the recommended device management solution for Cloud PCs in OPTION 1
  • Removes the customer’s on-premises dependencies (e.g., Microsoft Configuration Manager, Cloud Management Gateway)
  • Cloud PCs have direct unified endpoint management integration from a single-pane-of-glass Microsoft Intune admin portal
    • Windows 365 Cloud PC: your Cloud PC solution
    • Microsoft Intune: your Cloud PC management solution
    • Microsoft Defender for Endpoint: your Cloud PC security solution
    • Entra ID Conditional Access: the brains of the operation for your Cloud PC Zero Trust architecture
    • Microsoft Intune Suite: your Cloud PC Unified Endpoint Management solution
  • Simplicity for your Cloud PC management workloads
    • Application delivery
    • Endpoint security
    • Endpoint analytics reports
    • Windows 365 security baselines
    • Settings catalog and Administrative Templates
    • Device management profiles (e.g., Compliance, Device Configuration, Scripts)
    • Windows Updates (e.g., update ring policies, feature updates and quality updates)
    • Intune CSP policies
  • Elasticity for your Cloud PC remote management needs (e.g., reprovision, restore points, resize, remote assistance with “Remote Help”)

Co-Management:

  • Optionally, you can bring your on-premises device management solution, Microsoft Configuration Manager (MCM), to OPTION 1
  • This option requires Microsoft Configuration Manager plus a Cloud Management Gateway
  • This option relies fully on the customer’s on-premises device management environment
  • There are a few considerations before you can manage the Cloud PCs:
    • An Azure subscription and on-premises infrastructure
    • Deploy and configure a Cloud Management Gateway (CMG)
    • A public SSL certificate for the CMG
    • Configure the management and distribution points, and the clients, to use the CMG
    • Enable Co-Management in Configuration Manager
    • Configure Intune to deploy the CM client to your Cloud PCs
      • Note: deploy the CM client AFTER the Cloud PC has finished provisioning
    • You can follow this document, which covers the deployment and configuration of Co-Management for “internet devices” using a Cloud Management Gateway and Microsoft Configuration Manager:

Tutorial - Enable co-management for internet devices - Configuration Manager | Microsoft Docs

OPTION 2: (Cloud PC Entra ID Joined + hosted in Customer Azure Network)

Cloud PCs are managed by Intune (Co-Management optional)

For the OPTION 2 hosting scenario, the optimal device management experience is Microsoft Intune, with Co-Management optional.

Intune:

  • Cloud PCs are hosted in the Customer Network and managed in the cloud (Microsoft Intune)
  • Cloud PCs are enrolled as Entra ID Joined and managed out-of-the-box by Microsoft Intune
  • This is the optimal device management experience for Cloud PCs in OPTION 2
  • Removes the customer’s on-premises dependencies (e.g., Microsoft Configuration Manager, Cloud Management Gateway)
  • Cloud PCs have direct unified endpoint management integration from a single-pane-of-glass Microsoft Intune admin portal
    • Windows 365 Cloud PC: your Cloud PC solution
    • Microsoft Intune: your Cloud PC management solution
    • Microsoft Defender for Endpoint: your Cloud PC security solution
    • Entra ID Conditional Access: the brains of the operation for your Cloud PC Zero Trust architecture
    • Microsoft Intune Suite: your Cloud PC Unified Endpoint Management solution
  • Simplicity for your Cloud PC management workloads
    • Application delivery
    • Endpoint security
    • Endpoint analytics reports
    • Windows 365 security baselines
    • Settings catalog and Administrative Templates
    • Device management profiles (e.g., Compliance, Device Configuration, Scripts)
    • Windows Updates (e.g., update ring policies, feature updates and quality updates)
    • Intune CSP policies
  • Elasticity for your Cloud PC remote management needs (e.g., reprovision, restore points, resize, remote assistance with “Remote Help”)

Co-Management:

  • Optionally, you can bring your on-premises device management solution, Microsoft Configuration Manager (MCM), to OPTION 2
  • This option requires Microsoft Configuration Manager (a Cloud Management Gateway is optional)
  • This option relies fully on the customer’s on-premises device management environment
  • There are a few considerations before you can manage the Cloud PCs:
    • An on-premises infrastructure
    • Enable Co-Management in Configuration Manager
    • Configure Intune to deploy the CM client to your Cloud PCs
      • Note: deploy the CM client AFTER the Cloud PC has finished provisioning
    • You can follow this document, which covers the deployment and configuration of Co-Management for “existing devices” using Microsoft Configuration Manager:

Tutorial: Enable co-management for existing clients - Configuration Manager | Microsoft Docs

Available guidance!

If you’re looking for a how-to on deploying the SCCM client to Entra ID Joined Windows 365 Cloud PCs, we have created a blog as technical guidance for our HLS customers with existing Microsoft Configuration Manager (MCM) environments. It walks through deploying CM clients to Entra ID Joined Cloud PCs from Intune (without a Cloud Management Gateway) with detailed technical information. Enjoy!
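To make the "configure Intune to deploy the CM client" step of OPTION 1 and OPTION 2 concrete, here is an added example script, not code from this post, the linked how-to blog or Microsoft: a PowerShell bootstrapper you would package with ccmsetup.exe as an Intune Win32 app and assign to the Cloud PC device group. Because Intune only targets a device once it is enrolled, which happens as provisioning completes, the assignment itself enforces the "AFTER the Cloud PC has provisioned" rule. Everything in the variable block (site code, management point FQDN, CMG address, tenant and app registration IDs) is a placeholder to replace with your own values; the ccmsetup switches and properties used are the documented ones for Entra ID authenticated clients, and the Win32 packaging layout is an assumption.

```powershell
# Added example (not from the original post): Intune Win32 app install script that
# installs the Configuration Manager client on an Entra ID joined Cloud PC.
# OPTION 1: the Cloud PC reaches the site only through the Cloud Management Gateway.
# OPTION 2: the Cloud PC has line of sight to an on-premises HTTPS management point.
# Assumed packaging: ccmsetup.exe sits next to this script inside the .intunewin.
# Every value below is a placeholder; replace it with your site's values.

$SiteCode     = 'PS1'                                                  # placeholder: CM site code
$MpFqdn       = 'cm-mp01.contoso.local'                                # placeholder: HTTPS management point
$UseCmg       = $true                                                  # $true = OPTION 1 (CMG); $false = OPTION 2
$CmgHost      = 'contoso-cmg.cloudapp.net/CCM_Proxy_MutualAuth/<CMG-ID>'  # placeholder: from CMG properties
$TenantId     = '<entra-tenant-id>'                                    # placeholder: Entra ID tenant
$ClientAppId  = '<cm-client-app-registration-id>'                      # placeholder: Entra client app of the site
$ServerAppUri = 'https://ConfigMgrService'                             # placeholder: Entra server app identifier URI
$LogFile      = Join-Path $env:ProgramData 'W365-CcmBootstrap.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# 1. Gate on join state: both hosting options assume an Entra ID joined Cloud PC.
#    dsregcmd ships with Windows and prints "AzureAdJoined : YES" when joined.
$joinState = (dsregcmd /status | Out-String)
if ($joinState -notmatch 'AzureAdJoined\s*:\s*YES') {
    Write-Log 'Device is not Entra ID joined; not installing the CM client.'
    exit 1
}

# 2. Idempotency: if the CM client service already exists there is nothing to do.
#    The same service check doubles as the Win32 app detection rule.
if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) {
    Write-Log 'CcmExec service already present; skipping.'
    exit 0
}

# 3. Locate the bootstrapper that was packaged alongside this script.
$setupExe = Join-Path $PSScriptRoot 'ccmsetup.exe'
if (-not (Test-Path -Path $setupExe)) {
    Write-Log "ccmsetup.exe not found at $setupExe"
    exit 1
}

# 4. Build the command line. ccmsetup switches (/mp:) must precede the MSI-style
#    properties. The client registers with its Entra ID device token, so the
#    site's Entra integration values are required in both hosting options.
if ($UseCmg) {
    $mpUrl     = "https://$CmgHost"            # OPTION 1: talk to the site through the CMG
    $extraProp = @("CCMHOSTNAME=$CmgHost")
} else {
    $mpUrl     = "https://$MpFqdn"             # OPTION 2: talk to the on-premises MP directly
    $extraProp = @()
}
$ccmArgs = @("/mp:$mpUrl") + @(
    "SMSSITECODE=$SiteCode",
    "SMSMP=https://$MpFqdn",
    "AADTENANTID=$TenantId",
    "AADCLIENTAPPID=$ClientAppId",
    "AADRESOURCEURI=$ServerAppUri"
) + $extraProp

# 5. Run the bootstrapper and hand its exit code back to Intune. Exit code 0 means
#    ccmsetup accepted the job; the install itself continues in the background and
#    is recorded in %windir%\ccmsetup\Logs\ccmsetup.log.
Write-Log "Running: $setupExe $($ccmArgs -join ' ')"
$proc = Start-Process -FilePath $setupExe -ArgumentList $ccmArgs -Wait -PassThru -NoNewWindow
Write-Log "ccmsetup.exe returned $($proc.ExitCode)"
exit $proc.ExitCode
```

Wrap the script and ccmsetup.exe into a single .intunewin package, use `powershell.exe -ExecutionPolicy Bypass -File <scriptname>.ps1` as the install command, set the detection rule to the presence of the CcmExec service, and assign the app as required to the Cloud PC device group. Keeping the join-state gate and the service check in the script means a re-run on an already managed Cloud PC, or an accidental assignment to a device that is not Entra ID joined, exits cleanly instead of leaving a half-installed client behind.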

 

 

OPTION 3: (Cloud PC Hybrid Entra ID Joined + hosted in Customer On-premises Network)

Cloud PCs are managed by Co-Management (Intune optional)

For the OPTION 3 hosting scenario, the device management solution for HLS dark-to-cloud customers is Co-Management, with Intune optional.

Co-Management:

  • Cloud PCs are hosted in the Customer Network and managed by the customer (Co-Management)
  • Cloud PCs are enrolled as Hybrid Entra ID Joined and managed by Co-Management
  • This is the device management solution targeted at our HLS dark-to-cloud customers for Cloud PCs in OPTION 3
  • This option relies fully on the customer’s on-premises device management environment
  • Customers can take advantage of existing MCM environments and bring them into a hybrid state without moving fully to the cloud
  • Customers can scale up and transition Co-Management workloads to Intune
  • Cloud PCs have unified endpoint management integrations available from a single-pane-of-glass Microsoft Intune admin portal
    • Windows 365 Cloud PC: your Cloud PC solution
    • Microsoft Configuration Manager: your on-premises PC management solution
    • Microsoft Defender for Endpoint: your Cloud PC security solution
    • Entra ID Conditional Access: the brains of the operation for your Cloud PC Zero Trust architecture
    • Microsoft Intune Suite: your Cloud PC Unified Endpoint Management solution
  • Scalability from an existing, well-developed MCM environment for your Cloud PC management workloads
    • Application delivery
    • Endpoint security
    • Desktop Analytics reports
    • Group Policy Objects (GPO)
    • Administrative Templates
    • Device management profiles (e.g., Compliance, Device Configuration, Scripts)
    • Windows Server Update Services (WSUS)
    • MDM policies
  • Elasticity for your Cloud PC remote management needs (e.g., reprovision, restore points, resize, remote assistance with “Remote Help”)
  • This option requires Microsoft Configuration Manager
  • There are a few considerations before you can manage the Cloud PCs:
    • An on-premises infrastructure
    • Enable Co-Management in Configuration Manager
    • Configure MCM to deploy the CM client to your Cloud PCs
      • Note on Client Push: if AD System Discovery and Client Push are enabled, the OU used for Windows 365 Cloud PCs must be excluded from discovery. Deploy the CM client AFTER the Cloud PC has finished provisioning
    • You can follow this document, which covers the deployment and configuration of Co-Management for “existing devices” using Microsoft Configuration Manager:

Tutorial - Enable co-management for internet devices - Configuration Manager | Microsoft Docs

Intune:

  • Optionally, if you don’t have an MCM environment, you can use Intune as your Cloud PC device management solution for OPTION 3
  • There are a few considerations for this design:
    • Entra Connect must be configured for Hybrid Entra ID Join
    • Hybrid Entra ID Joined Cloud PCs are directly attached to the on-premises Active Directory environment
    • The Active Directory environment relies on Group Policy Objects for device management
  • You should consider reviewing the available Windows 365 Cloud PC design provisioning options to scale up and benefit from Unified Endpoint Management cloud integrations

Conclusion

We want our HLS customers to be fully in control of their Windows 365 ecosystem. Offering multiple ways to manage Cloud PCs gives them the freedom to test both management design solutions, Intune and Co-Management, with the ability to scale up and move workloads as needed, all under a single-pane-of-glass Microsoft Intune admin console for all device management needs.

If you want to learn more about management options for Windows 365 Cloud PCs with Microsoft Intune, please visit our documentation.

Managing Cloud PCs with Microsoft Intune | Microsoft Docs

Bookmark this link for the Windows 365 Cloud PC Series: https://aka.ms/HLSWindows365

Thank you for stopping by; Juan Sifuentes | CETS | Healthcare.

Updated Oct 29, 2024
Version 11.0