Simple steps to enabling Windows 365 Boot
July 24, 2023
Contributors:
Juan José Guirola Sr. (Microsoft)
Much excitement has been introduced by the announcement and availability of Windows 365 Boot. Especially now that, as of time of this writing, Windows 365 Boot is in Public Preview. To assist you with the configuration and deployment, you may be following the articles below:
- What is Windows 365 Boot?
- Windows 365 Boot guided scenario
- Physical device requirements
- Restrict access to physical device
These are all great starting points to get you started with enabling Windows 365 Boot in your environment. This article is meant to compliment the above articles to offer additional guidance and help clarify some of the steps mentioned in the articles above and simplify the deployment of Windows 365 Boot.
Complimentary Steps:
- Start by following the steps as described in Windows 365 Boot guided Scenario:
- https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-guide
- Next follow the guidance as described in Restrict user access to Windows 365 Boot physical device:
- https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-restrict-user-access-physi...
- These particular steps can be accomplished in Intune by introducing a Configuration profile with admin templates. Recommend creating a specific Configuration profile for each policy that you want to enforce. The article has us creating profiles for the following:
- Prevent access to physical device’s Task Manager
- Prevent users from changing the physical device’s password
- Set default credential provider
- Remove Notifications and Action Center from the task bar
- Prevent physical device notifications
- Prevent automatic launch of apps during user sign-in
- Improve sign-in on touch screen devices
- Follow Appendix Section “Restrict access to Physical Device” found in this document for detailed steps for creating each of these policies in Intune.
- Next follow the guidance as described in Windows 365 Boot physical device setup and requirements:
- https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-physical-device-requiremen...
- NOTE: The instructions in the above link assumes that you are working with a physical device that has already been enrolled in Intune management. If you are working with a physical device that is currently not enrolled in Intune management, follow the steps in the link below to enroll the device into Intune. Once the device is enrolled in Intune, you can execute a device “Wipe” as instructed in the steps documented in the above link.https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device
- After initiating the wipe and you complete the Autopilot process and follow all prompts, you ultimately end up with login in directly into your Windows 365 Cloud PC.
Appendix
Restrict access to Physical device.
Policy #1 - Prevent Access to physical device’s Task Manager
Steps to create policy “Prevent Access to physical device’s Task Manager
- Go to Microsoft Intune admin center: https://endpoint.microsoft.com
- Select “Devices”. Then select “Configuration profiles” under Policy
- Ensure “Profiles” is selected, then click “Create profile”
- In “Create a profile Screen”, under Platform select “Windows 10 and later from drop down, and “Templates” from Profile type drop down. Select "Administrative templates” then Create
- Follow the prompts as presented in the profile creation – 5 total steps
- Basics
- Configuration settings
- Select "User Configuration" and in the search bar type Task Manager
- Select Remove Task Manager
- Select "Enabled" and then click on OK
- Scope tags
- You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
- Assignments
- Select group that you want to target and click Next.
- Review + create
- Review configuration and click on Create.
-
Policy #2 - Prevent users from changing the physical device’s password
Steps to create policy “Prevent users from changing the physical device’s password
- Follow steps 1 – 5 as described in creating Policy #1
- Then follow the prompts as presented in the profile creation – 5 total steps
- Basics
- Configuration settings
- Select "User Configuration" and in search bar type remove change password
- Select "Remove Change Password"
- Select Enabled and Click on OK
- Scope tags
- You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
- Assignments
- Select the group that you want to target and click Next.
- Review + create
- Review configuration and click on Create.
Policy #3 – Set default credential provider
Steps to create policy “Set default credential provider”
- Follow steps 1 – 5 as described in creating Policy #1
- Then follow the prompts as presented in the profile creation – 5 total steps
- Basics
- Configuration settings
- Select "Computer Configuration" and in search bar type Assign a default credential provider.
- Select "Assign a default credential provider".
- Select Enabled and enter the following CLSID to set username and password as the default: {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
- Click OKNote: The CLSID for credential providers can be located in following registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
- Scope tags
- You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
- Assignments
- Select the group that you want to target and click Next.
- Review + create
- Review configuration and click on Create.
Policy #4 – Remove Notifications and Action Center from the task bar
Steps to create policy “Remove Notifications and Action Center from the task bar”
- Follow steps 1 – 5 as described in creating Policy #1
- Then follow the prompts as presented in the profile creation – 5 total steps
- Basics
- Configuration settings
- Select "User Configuration" and in search bar type Remove Notifications and Action Center.
- Select "Remove Notifications and Action Center".
- Select Enabled and OK.
- Scope tags
- You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
- Assignments
- Select the group that you want to target and click Next.
- Review + create
- Review configuration and click on Create.
Policy #5 – Prevent physical device notifications
Steps to create policy “Prevent physical device notifications”
- Follow steps 1 – 5 as described in creating Policy #1
- Then follow the prompts as presented in the profile creation – 5 total steps
- Basics
- Configuration settings
- Select "User Configuration" and in search bar type Turn off toast notifications.
- Select "Turn off toast notifications".
- Select Enabled and OK.
- Scope tags
- You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
- Assignments
- Select the group that you want to target and click Next.
- Review + create
- Review configuration and click on Create.
Policy #6 – Prevent automatic launch of apps during user sign-in
Steps to create policy “Prevent automatic launch of apps during user sign-in”
- Follow steps 1 – 5 as described in creating Policy #1
- Then follow the prompts as presented in the profile creation – 5 total steps
- Basics
- Configuration settings
- Select "User Configuration" and in search bar type Do not process the legacy run lis.
- Select "Do not process the legacy run list".
- Select Enabled and OK.
- Scope tags
- You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
- Assignments
- Select the group that you want to target and click Next.
- Review + create
- Review configuration and click on Create.
Policy #7 – Improve sign-in on touch screen devices (OPTIONAL AND APPLICABLE ON DEVICES THAT REQUIRE THE USE OF TOUCH KEYBOARD)
Note: This is “enabled” by default on Windows devices.
[UPDATE] As of September 26, 2023, Windows 365 Boot is now Generally Available (GA). Here is the article for additional details: Windows 365 Boot is now generally available! - Windows IT Pro Blog (microsoft.com)
Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected.