Windows 365 Enterprise provides an easy method to automatically provision Cloud PCs, without the complex skillsets that are required for successful deployment in other virtualization environments. Windows 365 also offers flexibility, allowing organizations to manage Cloud PC users, deployment locations, and lifecycles.
This article reviews some common considerations you can make for initial user provisioning, when you might need multiple provisioning policies, and how to manage those provisioning policies going forward.
To expand on the last point, consider this environment’s user and network topology:
In this scenario, the OPNC is deployed to a virtual network (vNet) and domain controller in East U.S. Therefore, all Cloud PCs are provisioned in East U.S., even for users in North Europe. This can generate latency for the users in Europe as they connect across the globe to their Cloud PCs.
If the customer wants to deploy Cloud PCs locally to all users, then they need to create a vNet in North Europe, and either configure vNet peering back to the main site with the domain controller or deploy a domain controller in that site. Either way, they need to make sure that the new vNet has line of sight to a domain controller for domain join, and update the DNS settings on the new vNet.
Finally, create an OPNC for each vNet to make them available for multiple provisioning policies. This will allow you to create provision profiles for different user groups, and deploy each Cloud PC in the appropriate geographic location.
The final topology would look like this:
In this scenario, you need to apply different provisioning policies to different users based on their user personas. You may also want to personalize Cloud PCs for a specific user profile, and perhaps departmental apps that are user assigned aren’t suitable for other reasons. In this instance, you can combine multiple provisioning policies with dynamic groups and then assign the appropriate apps and configuration settings to that dynamic group. As an example, complete the following steps to create a policy for users with a “Finance” persona:
Now, when you add users to the group targeted by the Finance provisioning policy, the device will automatically provision, and the assigned Finance apps will start installing on the Cloud PC as soon as it’s finished initial provisioning.
Note: The user inside the Azure AD group targeted to the provisioning policy must be assigned a Windows 365 license to kick off the provisioning process. To simplify this process, you can target the same Azure AD group to the license and the Cloud PC provisioning process will kick off automatically!
You might want to give users multiple Cloud PCs, and Windows 365 supports this—but there are couple of caveats to be aware of:
As an example of these two scenarios, the following diagram shows a user who has two assigned licenses, and both Cloud PCs are provisioned from Provisioning Policy 1 (which was the first assigned policy):
In this last scenario, you want to update a provisioning policy or move users between them. This can be useful if you have custom images and want to manage image updates either through a test group of users or by updating the Cloud PC for all users.
When you update a provisioning policy, the Windows 365 service will not automatically update all the associated Cloud PCs with the new policy settings. This is by design to stop an automatic destructive action from immediately impacting users. If you want to force an update of a user’s Cloud PC, go to the device’s Overview page in the Endpoint Manager admin center and select Reprovision. This will start reprovisioning of that Cloud PC, but using the latest settings contained in the provisioning policy (OPNC or image change).
If you need to force reprovisioning across multiple Cloud PCs, it’s possible to automate a bulk action using the Graph API for Cloud PC.
Once a Cloud PC has been re-provisioned with the latest provisioning policy settings, it will be reflected in the All cloud PCs page, as shown in the following screenshot:
If a user moves department or geography permanently, then you might have a reason to reassign them a different provisioning policy. This is possible, but note that when a user is no longer in scope for their existing policy (removed from the assigned group) then the service will initially place the existing Cloud PC into a grace period of seven days. This prevents accidental data loss or loss of service for the user. Once this seven-day period has expired, and the user is already assigned a new provisioning policy, the service will automatically start provisioning a new Cloud PC right away.
On our roadmap we’re building the ability to override the seven-day grace period and remove the Cloud PC immediately, which will speed up your ability to move users between provisioning policies. You will see an option similar to the following image:
We’ve covered some common scenarios around Cloud PC provisioning policies to help you understand different options for your environment and the flexibility that Windows 365 provides. We hope this information helps you as you work to design the best implementation for your organization. For comprehensive information about Windows 365 Cloud PC provisioning, see Provisioning overview. If you have additional questions or feedback, please add a comment below.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.