Forum Discussion
BYOD devices can't launch Windows 365 PC because of device compliance check during CA policy check.
We have a device compliance policy for all cloud apps. We would like to allow personal (BYOD) devices to be able to connect to Windows 365 Cloud PC. In the sign-in logs we see the failures for application "Windows 365 Client", app id 4fb5cc57-dbbc-4cdc-9595-748adff5f414. We can't exclude that application in the conditional access policy as it's not available. We already added exclusions for Azure Virtual Desktop, Windows 365 and Windows Cloud Login.
How can we allow BYOD devices to connect to cloud PCs?
4 Replies
Hi wcaetano,
I would not try to solve this only by excluding individual Windows 365-related apps from the existing “require compliant device” policy.
Windows 365 sign-in and connection flows can involve multiple first-party services, and some of the apps shown in the sign-in logs are not always easy to target or exclude directly in Conditional Access.
For BYOD access, I would normally separate this into its own Conditional Access design:
Keep the strict “require compliant device” policy for corporate-managed devices and sensitive apps.
Then create a dedicated Windows 365 / Cloud PC access policy for the BYOD users or groups, using controls such as MFA, sign-in risk, location, session controls, or app protection where applicable, instead of requiring the physical BYOD device to be compliant.
The key point is that the Cloud PC itself can be managed and compliant, but the device used to connect to it may be personal and unmanaged. If your CA policy requires the connecting device to be compliant, BYOD devices will fail before the user can reach the Cloud PC.
Microsoft also has specific guidance for Conditional Access with Windows 365 here:
https://learn.microsoft.com/en-us/windows-365/enterprise/set-conditional-access-policies
So the practical fix is usually policy separation: do not apply a tenant-wide “require compliant device” control to the BYOD Windows 365 access path unless those personal devices are expected to be enrolled and compliant.
- JDBaggs, Copper Contributor
I would turn this around and ask why these personal devices are failing the compliance check. Check your compliance policies and see why they are not passing.
The conditional access policy probably requires the devices to be compliant.
- AladinH, Iron Contributor
Hi wcaetano,
We’ve seen similar behavior with Windows 365 and BYOD scenarios as well. In practice, separating Cloud PC access into its own Conditional Access policy usually works better than relying only on application exclusions.
For personal devices, we’ve had better results using MFA and stricter session controls instead of requiring full device compliance.
Yes, the exclusions you configured for Azure Virtual Desktop, Windows 365, and Windows Cloud Login are application-based. However, the Windows 365 sign-in flow uses multiple backend services, and the “Windows 365 Client” shown in the sign-in logs is not always directly targetable in Conditional Access. Because of this, app-based exclusions alone may not be enough in this scenario.
In this case, the better approach is to keep the global “Require compliant device” policy in place and manage Windows 365 access for BYOD users with a separate Conditional Access policy. For those users, you can use controls like MFA instead of requiring device compliance.
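As an added example that is not part of this thread, the policy split the replies describe (keep the tenant-wide "require compliant device" policy, add a dedicated Windows 365 policy for the BYOD group that requires MFA instead of device compliance) scripted with the Microsoft Graph PowerShell SDK. The group name, policy display names and break-glass account ID are placeholders, and the 12-hour sign-in frequency is an assumed choice.

```powershell
# Added example, not code from the thread. Placeholders must be replaced before use.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.Read.All"

# Resolve the BYOD group and the Windows 365 first-party apps by display name so no app IDs
# are typed by hand. The service principals exist in the tenant once the apps appear in sign-in logs.
$byodGroup  = Get-MgGroup -Filter "displayName eq 'W365-BYOD-Users'"   # placeholder group name
$w365Apps   = @("Azure Virtual Desktop", "Windows 365", "Windows Cloud Login") |
    ForEach-Object { (Get-MgServicePrincipal -Filter "displayName eq '$_'").AppId }
$breakGlass = "BREAK-GLASS-ACCOUNT-OBJECT-ID"                            # placeholder

# 1. Dedicated BYOD Cloud PC policy: MFA plus a sign-in frequency instead of a compliant device.
#    Created in report-only mode so the sign-in logs can be checked before it is enforced.
$byodPolicy = @{
    displayName = "W365 - BYOD access (MFA, no device compliance)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = $w365Apps }
        users          = @{ includeGroups = @($byodGroup.Id); excludeUsers = @($breakGlass) }
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa") }
    sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = "hours"; value = 12 } }  # assumed value
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $byodPolicy

# 2. Exclude the BYOD group from the tenant-wide compliant-device policy so personal devices
#    no longer fail that check on the Windows 365 sign-in path. Note the exclusion applies to
#    every app in that policy for those users, so the group should hold only the BYOD population.
$compliantPolicy = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq "All apps - Require compliant device" }   # placeholder name
$conditions = $compliantPolicy.Conditions
$conditions.Users.ExcludeGroups = @(@($conditions.Users.ExcludeGroups | Where-Object { $_ }) + $byodGroup.Id |
    Select-Object -Unique)
# The whole retrieved conditions object is sent back (assumption: this keeps the nested
# application and user settings intact rather than replacing them with a partial object).
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $compliantPolicy.Id -Conditions $conditions
```

Check the sign-in logs for the "Windows 365 Client" entries again after the change; once they show the report-only policy as satisfied, switch its state to "enabled".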