Management Design options for Windows 365 Cloud PC (Intune and Co-Management)

Published Mar 14 2022 09:55 PM 4,446 Views
Microsoft

Let’s explore device management options for Windows 365 Cloud PC (Intune and Co-Management)!

 

Remember to loop back to the main deck for Windows 365 Cloud PC Healthcare Series

 

Last few weeks we looked at Windows 365 Cloud PC Architecture Design Provisioning options to rollout Cloud PCs in your environment. We gained better insights on HOW/WHEN should position and build a better Windows 365 ecosystem. We understand device management recommendations (Intune and Co-Management) for Windows 365 Cloud PCs are tailored based on hosting provisioning scenarios.

 

The purpose of this document is to address Windows 365 Cloud PC device management design options (Intune & Co-Management) based on hosting provisioning scenarios, a high-level overview for each solution and deployment considerations giving our HLS customers a wider insight of information to make them successful on their journey building a Windows 365 foundation.

 

Let’s dive right in!

 

 

Management Design options for Windows 365 Cloud PC (Intune and Co-Management)

 

OPTION 1: (Windows 365 Azure AD Joined + hosted in Microsoft Network)

Cloud PCs are managed by Intune (Co-Management optional)

 

Based on OPTION 1 hosting scenario “recommended device management solution is Microsoft Intune, optional Co-Management

 

jsifuentes_1-1647315786560.png

 

Intune:

 

  • Cloud PCs are hosted in the cloud (Microsoft Hosted Network) and managed in the cloud (Microsoft Intune)
  • Cloud PCs are enrolled as Azure AD Joined and managed out-of-the-box by Microsoft Intune
  • This is the recommended device management solution for Cloud PCs in OPTION 1
  • Removes customer constraints (e.g., Microsoft Endpoint Configuration Manager, Cloud Management Gateway, etc...)
  • Cloud PCs have direct unified endpoint management integration from a single-pane-of-glass Microsoft Endpoint Manager admin portal
    • Windows 365 Cloud PC: your cloud pc solution
    • Microsoft Intune: your cloud pc management solution
    • Microsoft Defender for Endpoint: your cloud pc security solution
    • Azure AD Conditional Access: the brains of the operation for your cloud pc Zero Trust architecture
  • Simplicity for your Cloud PC management workloads
    • Application delivery
    • Endpoint security
    • Endpoint report analytics
    • Windows 365 Security baselines
    • Settings catalog and Administrative Templates
    • Device management profiles (e.g., Compliance, Device Configuration, Scripts, etc...)
    • Windows Updates (e.g., Ring policies, Feature update and Quality updates)
    • CSP policies
  • Elasticity for your Cloud PC remote management needs (e.g., reprovision, Restore Points, resize, remote assistance “Remote Help”, etc...)

 

Co-Management:

 

  • Optional you can bring your on-premises device management solution Microsoft Endpoint Configuration Manager (MECM) for OPTION 1
  • This option requires Microsoft Endpoint Configuration Manager + Cloud Management Gateway
  • This option fully relies on customer device management on-premises environment
  • There are a few considerations before you can manage the Cloud PCs:
    • An Azure subscription and on-premises infrastructure
    • Deploy and configure a Cloud Management Gateway (CMG)
    • A public SSL certificate for the CMG
    • Configure management distribution points and clients to use CMG
    • Enable Co-Management in Configuration Manager
    • Configure Intune to deploy the CM client for your Cloud PCs
      • Note: you should deploy the CM client AFTER the Cloud PC has provisioned
    • You can follow this document that covers the deployment and configuration of Co-Management for “internet-devices” by leveraging a Cloud Management Gateway and Microsoft Endpoint Configuration Manager:

Tutorial - Enable co-management for internet devices - Configuration Manager | Microsoft Docs

 

 

OPTION 2: (Windows 365 Azure AD Joined + hosted in Customer Network)

Cloud PCs are managed by Intune (Co-Management optional)

 

Based on OPTION 2 hosting scenario “the optimal experience device management solution is Microsoft Intune, optional Co-Management

 

jsifuentes_2-1647315846917.png

 

Intune:

 

  • Cloud PCs are hosted in the Customer Network and managed in the cloud (Microsoft Intune)
  • Cloud PCs are enrolled as Azure AD Joined and managed out-of-the-box by Microsoft Intune
  • This is the optimal experience device management solution for Cloud PCs in OPTION 2
  • Removes customer constraints (e.g., Microsoft Endpoint Configuration Manager, Cloud Management Gateway, etc...)
  • Cloud PCs have direct unified endpoint management integration from a single-pane-of-glass Microsoft Endpoint Manager admin portal
    • Windows 365 Cloud PC: your cloud pc solution
    • Microsoft Intune: your cloud pc management solution
    • Microsoft Defender for Endpoint: your cloud pc security solution
    • Azure AD Conditional Access: the brains of the operation for your cloud pc Zero Trust architecture
  • Simplicity for your Cloud PC management workloads
    • Application delivery
    • Endpoint security
    • Endpoint report analytics
    • Windows 365 Security baselines
    • Settings catalog and Administrative Templates
    • Device management profiles (e.g., Compliance, Device Configuration, Scripts, etc...)
    • Windows Updates (e.g., Ring policies, Feature update and Quality updates)
    • CSP policies
  • Elasticity for your Cloud PC remote management needs (e.g., reprovision, Restore Points, resize, remote assistance “Remote Help”, etc...)

 

Co-Management:

 

  • Optional you can bring your on-premises device management solution Microsoft Endpoint Configuration Manager (MECM) for OPTION 2
  • This option requires Microsoft Endpoint Configuration Manager (Optional: Cloud Management Gateway)
  • This option fully relies on customer device management on-premises environment
  • There are a few considerations before you can manage the Cloud PCs:
    • An on-premises infrastructure
    • Enable Co-Management in Configuration Manager
    • Configure Intune to deploy the CM client for your Cloud PCs
      • Note: you should deploy the CM client AFTER the Cloud PC has provisioned
    • You can follow this document that covers the deployment and configuration of Co-Management for “existing-devices” by leveraging a Microsoft Endpoint Configuration Manager:

Tutorial: Enable co-management for existing clients - Configuration Manager | Microsoft Docs

 

Available guidance!

          

If you’re looking for documentation for a How-to (CM client deploy for Azure AD Joined Cloud PCs from Intune?), we have created this blog as a technical guidance for our HLS customers with existing Microsoft Endpoint Configuration Manager (MECM) environments to help Deploy CM clients for Azure AD Joined Cloud PCs (without Cloud Management Gateway) from Intune with detailed technical information, enjoy!

 

 

OPTION 3: (Windows 365 Hybrid Azure AD Joined + hosted in Customer Network)

Cloud PCs are managed by Co-Management (Intune optional)

 

Based on OPTION 3 hosting scenario “HLS dark-to-cloud customers device management solution is Co-Management, optional Intune

 

jsifuentes_0-1647918031931.png

 

Co-Management:

 

  • Cloud PCs are hosted in the Customer Network and managed by the Customer (Co-Management)
  • Cloud PCs are enrolled as Hybrid Azure AD Joined and managed by Co-Management
  • Targeted for our HLS dark-to-cloud customers device management solution for Cloud PCs in OPTION 3
  • This option fully relies on customer device management on-premises environment
  • Customers can take advantage of existing MECM environments and bring into a hybrid state without moving to the cloud
  • Customers can scale up and transition Co-Management workloads to Intune
  • Cloud PCs have available unified endpoint management integrations from a single-pane-of-glass Microsoft Endpoint Manager admin portal
    • Windows 365 Cloud PC: your cloud pc solution
    • Microsoft Endpoint Configuration Manager: your on-premises pc management solution
    • Microsoft Defender for Endpoint: your cloud pc security solution
    • Azure AD Conditional Access: the brains of the operation for your cloud pc Zero Trust architecture
  • Scalability from existing well-developed MECM environment for your Cloud PC management workloads
    • Application delivery
    • Endpoint security
    • Desktop report analytics
    • Group Policy Objects (GPO)
    • Administrative Templates
    • Device management profiles (e.g., Compliance, Device Configuration, Scripts, etc...)
    • Windows Server Update Services (WSUS)
    • MDM policies
  • Elasticity for your Cloud PC remote management needs (e.g., reprovision, Restore Points, resize, remote assistance “Remote Help”, etc...)
  • This option requires Microsoft Endpoint Configuration Manager
  • There are a few considerations before you can manage the Cloud PCs:
    • An on-premises infrastructure
    • Enable Co-Management in Configuration Manager
    • Configure MECM to deploy the CM client for your Cloud PCs
      • Note on Client PUSH: If AD System Discovery and Client Push is enabled, the OU used for Windows 365 CPC’s must be excluded from discovery. You should deploy the CM client AFTER the Cloud PC has provisioned
    • You can follow this document that covers the deployment and configuration of Co-Management for “existing-devices” by leveraging a Microsoft Endpoint Configuration Manager:

Tutorial - Enable co-management for internet devices - Configuration Manager | Microsoft Docs

 

Intune:

 

  • Optional if you don’t have a MECM environment you could leverage Intune as your Cloud PC device management solution for OPTION 3
  • There are a few considerations for this design
    • Azure AD Connect must configured for Hybrid Domain Joined
    • Hybrid Azure AD Joined Cloud PCs are directly attached to on-premises Active Directory environment
    • Active Directory environment relies on Group Policy Objects for device management
  • You should consider reviewing available Windows 365 Cloud PC Design provisioning options to scale up and benefit from Unified Endpoint Management cloud integrations

 

Conclusion

 

We want our HLS customer to be fully in control of their Windows 365 ecosystem. By allowing multiple options to manage the Cloud PCs gives them freedom to test both management design solutions (Intune) and (Co-Management) with the ability to scale up and move workloads as needed, all underneath your single-pane-of-glass Microsoft Endpoint Manager for all your device management needs.

 

If you want to learn more about management options for Windows 365 Cloud with Microsoft Endpoint Manager, please visit our documentation.

Managing Cloud PCs with Microsoft Intune | Microsoft Docs

 

 

Bookmark this link for Windows 365 Cloud PC Series: https://aka.ms/HLSWindows365

 

Thanks for visiting – Juan Sifuentes LinkedIn

Co-Authors
Version history
Last update:
‎Mar 21 2022 08:01 PM
Updated by: