Are you a Virtual Desktop Infrastructure (VDI) or virtualization administrator using different types of technologies and looking to unify management via modern management with Microsoft Intune? Stop the search, this article is for you. Learn about all the basics of implementing Microsoft Intune together with Windows 365 Enterprise.
In this post, we’ll cover:
Windows 365 delivers Cloud PCs—a complete and secure Windows experience hosted in the Microsoft Cloud and accessible on any device. Whether your employees are full-time or contractors, shift workers or seasonal staff, they can access their personalized Windows apps, settings, desktop, and data on the device of their choice and from wherever they work. Windows 365 Cloud PCs help enable BYOPC (Bring your own PC) programs, onboard employees within minutes, reduce management and security headaches, and ensure your workforce is always up and running. With Microsoft Entra ID and Microsoft Intune, Cloud PCs are easy to configure, deploy, manage, and secure, so you can maximize existing technology resources to meet the needs of all your employees.
Windows 365 Frontline is an exciting new offer that gives customers with shift workers the flexibility to provision Cloud PCs for up to three users with the purchase of a single Windows 365 license; only one of those three Cloud PCs can be in use at a time, which is what makes it a fit for shift-based work. In terms of feature stack, we want to bring a high level of product parity across Windows 365 offerings. If you're coming from a multi-session or server operating system to Windows 365, this is the offering to investigate.
If you are looking for a cloud-based solution that meets the stringent compliance and security requirements of the U.S. government, Windows 365 Government is the right choice for you. Windows 365 Government enables you to stream personalized Windows apps, data, content, and settings from a regulated U.S. government cloud to any device at any time.
Windows 365 Government is designed for U.S. federal, state, and local government agencies, as well as contractors who hold or process data on behalf of those agencies. It is available for customers who qualify to use services hosted in Government Community Cloud (GCC) and GCC High environments, which adhere to specific regulatory and audit standards. With Windows 365 Government, you can benefit from the flexibility, scalability, and security of the cloud while maintaining compliance with your data sovereignty and residency requirements.
Already have Microsoft Entra ID activated in your tenant as a trial or subscription? If so, skip this step. If not, see Quickstart: Create a tenant (preview). You’ll also need to ensure you have the right licensing. If you have any of the licenses below, you are covered and good to continue:
Make sure one of the licenses is assigned to the IT admin account you are using right now! For more information, see Microsoft Intune licensing.
You can also use a Microsoft Intune Plan 1 Trial in the admin.microsoft.com portal to get started or follow these steps to set up Microsoft Intune.
Microsoft Intune is an integrated solution that simplifies management and lowers total cost of ownership (TCO) across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints, including Cloud PCs. It empowers organizations to provide data protection and endpoint compliance that supports a Zero Trust security model. This unified management tool brings together device visibility, endpoint security, and data-driven insights to increase IT efficiency and improve user experiences in any work environment.
Intune allows organizations to deliver the best possible endpoint experience through zero touch deployment, flexible, non-intrusive, mobile application management, and proactive recommendations powered by Microsoft Cloud data. Here are more benefits to modern management with Intune:
If you're using any virtualization solution right now with OneDrive, we recommend you enable the OneDrive Known Folder Move feature. This synchronizes the user's Desktop, Pictures, Videos, and Documents folders to OneDrive. Windows 365 supports Known Folder Move out of the box, so the first time the user signs in to a Cloud PC, the files are already there. Windows 365 uses local profiles only, which removes the complexity of profile management solutions such as FSLogix profile containers. Cloud PCs are persistent, personal, and dedicated to the user; the Cloud PC is replicated across multiple zones in an Azure region and protected by automated restore points, so high availability of the profile is part of the service.
Enterprise State Roaming is used to roam Windows settings. Enable it in your Microsoft Entra ID tenant settings so that Windows personalization settings also come across!
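Known Folder Move is easy to switch on and just as easy to leave half-applied (policy set, but a user's folders still on the local disk). The following detection script for an Intune remediation checks both sides; it is an added example, not code from the original post, and the tenant ID is a placeholder you replace with your own.

```powershell
# Added example (not part of the original post): Intune remediation *detection* script that
# verifies OneDrive Known Folder Move (KFM) is both enforced by policy and effective for the
# signed-in user. Deploy it with "Run this script using the logged-on credentials = Yes" so
# HKCU resolves to that user. Exit 0 = compliant, exit 1 = non-compliant.
# Placeholder: replace with your Entra tenant ID.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'

$problems = [System.Collections.Generic.List[string]]::new()

# 1. Policy side (HKLM, written by the OneDrive ADMX / Settings Catalog policy)
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -ErrorAction SilentlyContinue
if ($null -eq $policy -or $policy.KFMSilentOptIn -ne $ExpectedTenantId) {
    $problems.Add("KFMSilentOptIn is not set to tenant $ExpectedTenantId")
}
if ($null -eq $policy -or $policy.KFMBlockOptOut -ne 1) {
    $problems.Add('KFMBlockOptOut is not set (users could move folders back to the local disk)')
}

# 2. Effect side (HKCU): each known folder must resolve to a path under the OneDrive folder.
#    Registry value names differ from the folder names users see, hence the mapping.
$shellFolders = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$checks = @{ Desktop = 'Desktop'; Documents = 'Personal'; Pictures = 'My Pictures' }
foreach ($name in $checks.Keys) {
    $raw  = $shellFolders.($checks[$name])
    $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
    if ($path -notmatch '\\OneDrive') {
        $problems.Add("$name is still local: $path")
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'KFM enforced and all known folders are in OneDrive'
    exit 0
}
Write-Output ($problems -join '; ')
exit 1
```

Pair it with a remediation script only if you want Intune to re-apply the policy; in most tenants the value of this check is the report, which tells you which users will still lose data if their Cloud PC is reprovisioned.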
You can use custom images (also referred to as a golden image) if desired. To do so, you need to pre-load your images into Azure as a Managed Image or into a Shared Image Gallery (now called Azure Compute Gallery). To learn more about creating custom images with Windows 365, see Add or delete custom device images.
For the largest benefit of modern management, we strongly recommend using the Gallery Images included in Windows 365, and to use Intune to install applications. While in VDI, you may have updated your image on a weekly basis, using a Gallery Image eliminates the challenge of repeatedly updating your custom image whenever a single component changes.
We recommend that you keep your images updated with the latest monthly security updates for your version(s) of Windows. How nice would it be to have Microsoft take care of your Windows updates as part of another Microsoft cloud service? Enter Windows Autopatch. Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge, and Teams.
Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, allowing your IT admins to focus on other activities and tasks. Want to learn how to enable Windows Autopatch as tenant in Microsoft Intune? See Enroll your tenant.
Enabling Windows Autopatch for Cloud PCs is extremely easy. Simply enable it via the provisioning policy process and you’re all set.
Modern management of Windows devices is achieved through mobile device management (MDM) solutions, such as Microsoft Intune. MDM providers allow configuration of Windows settings in a very similar way to AD-based Group Policy Objects (GPO) that many admins are familiar with today. In Intune, configuration profiles allow an administrator to easily add settings related to security, systems configuration, device restrictions, and the user experience. Under the hood, these settings are delivered through Windows Configuration Service Providers (CSPs).
Want to migrate your existing AD-based Group Policies into Microsoft Intune? This can be done with Group Policy analytics. Import your on-premises Group Policy Objects (GPOs), and create an Intune policy using your imported settings that can then be deployed to users and devices managed by your organization.
Based on the import and current usage, Group Policy analytics can find the equivalent setting in the Settings Catalog. To read more about the process, see Create a Settings Catalog policy using your imported GPOs in Microsoft Intune (public preview).
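Once a Settings Catalog or custom profile is assigned, the question admins actually ask is "did the CSP setting land on the Cloud PC?" The script below answers that by reading the MDM PolicyManager registry store where Windows records applied policies. It is an added example, not from the original post; the three expected values are illustrative and should be replaced with settings from your own profiles.

```powershell
# Added example (not from the original post): list the CSP policies Intune actually delivered
# to this device and compare them with a short expected list. Run locally or as an Intune script.
$Base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Keys are "<CSP area>\<policy>", mirroring ./Device/Vendor/MSFT/Policy/Config/<Area>/<Policy>.
# Illustrative values only; adjust to what your profiles set.
$Expected = @{
    'Defender\AllowRealtimeMonitoring'   = 1    # real-time protection on
    'Update\AllowAutoUpdate'             = 2    # auto-install, notify to restart
    'DeviceLock\MinDevicePasswordLength' = 14
}

function Get-AppliedMdmPolicies {
    # Emits one object per area/policy pair, skipping the provider bookkeeping values
    # (*_ProviderSet, *_WinningProvider) and the PS* note properties PowerShell adds.
    foreach ($area in Get-ChildItem -Path $Base -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $area.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*' -or $p.Name -like '*_ProviderSet' -or $p.Name -like '*_WinningProvider') { continue }
            [pscustomobject]@{ Area = $area.PSChildName; Policy = $p.Name; Value = $p.Value }
        }
    }
}

function Test-ExpectedPolicies {
    $applied = @{}
    foreach ($row in Get-AppliedMdmPolicies) { $applied["$($row.Area)\$($row.Policy)"] = $row.Value }
    foreach ($key in $Expected.Keys) {
        if (-not $applied.ContainsKey($key))            { $status = 'MISSING' }
        elseif ($applied[$key] -eq $Expected[$key])     { $status = 'OK' }
        else                                            { $status = 'MISMATCH' }
        [pscustomobject]@{ Policy = $key; Expected = $Expected[$key]; Actual = $applied[$key]; Status = $status }
    }
}

# Full inventory of what MDM applied, then the comparison against expectations
Get-AppliedMdmPolicies | Sort-Object Area, Policy | Format-Table -AutoSize
Test-ExpectedPolicies  | Format-Table -AutoSize
```

A MISSING row after a sync usually means the setting is scoped to the user node (check `...\PolicyManager\current\<SID>` instead) or the profile is assigned to a group the device is not in; a MISMATCH usually means a second profile or a Group Policy is winning, which the `*_WinningProvider` value next to the setting will tell you.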
Security policies, or security baselines as they are commonly referred to, are pre-configured Windows settings that help you apply a known group of settings and default values that are recommended by Microsoft. When you create a security baseline, you’re creating a template that consists of hundreds of individual configuration policies.
Compliance policies are used to evaluate a device’s compliance against a pre-defined baseline, such as the requirement for a device to be encrypted or to be within a defined minimum OS version.
There are two parts to compliance policies in Intune:
Include actions that apply to devices that are noncompliant. Actions for noncompliance can alert users to the conditions of noncompliance and safeguard data on noncompliant devices. These can be combined with Conditional Access, which can block users and devices that don't meet the rules.
Security baselines are configuration options available in Intune for configuring profiles to help you secure and protect your devices and users. These new baselines feature an improved user interface and reporting experience, consistency and accuracy improvements, and the new ability to support assignment filters for profiles. It can save you a ton of time if you select the Windows 365 security baseline and attach it to the Microsoft Entra ID group that includes either your users or Cloud PCs to make them more secure. You can find the settings we enable in this baseline at the List of the settings in the Windows 365 Cloud PC security baseline in Intune. And, for more information, refer to Use security baselines to configure Windows devices in Intune.
It’s essential to secure access to Cloud PC devices in your Windows 365 environment. One way to achieve this is by using Conditional Access (CA), which allows you to secure your environment based on specific conditions. We strongly recommend implementing multi-factor authentication (MFA) for your Windows 365 environment, especially when accessing from unknown locations. Additionally, you may want to consider using security keys based on Fast Identity Online (FIDO) for authentication.
Including the cloud apps for Windows 365 and Azure Virtual Desktop in our CA policy secures all the different ways users are able to connect to their Cloud PCs. (Note that it might be called Windows Virtual Desktop instead of Azure Virtual Desktop in some Microsoft Entra ID tenants.)
Managing CA policies can be done in Microsoft Entra ID or in Microsoft Intune. The screenshot below shows Microsoft Intune, but the configuration is the same if you do it in Microsoft Entra ID.
After activating this policy for your Cloud PCs, Conditional Access settings will apply and enforce MFA inside the Windows 365 app.
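The same policy expressed in Microsoft Graph PowerShell, so it can be reviewed and version-controlled instead of clicked through. This is an added example, not from the original post. The two application IDs are the ones Microsoft documents for the Windows 365 and Azure Virtual Desktop first-party apps; verify them in your own tenant with the lookup shown, and replace the break-glass group ID placeholder with your emergency-access group.

```powershell
# Added example (not from the original post): report-only Conditional Access policy that
# requires MFA for the Windows 365 and Azure Virtual Desktop cloud apps.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# First-party app IDs as documented by Microsoft for Windows 365 Conditional Access.
$Windows365AppId = '0af06dc6-e4b5-4f28-818e-e78e62d137a5'
$AvdAppId        = '9cdead84-a844-4324-93f2-b2e6bb768d07'   # shows as "Windows Virtual Desktop" in some tenants

# Confirm both service principals exist in this tenant before referencing them in a policy
foreach ($id in $Windows365AppId, $AvdAppId) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$id'"
    if (-not $sp) { throw "Service principal for appId $id not found in this tenant" }
    "Found $($sp.DisplayName) ($id)"
}

# Placeholder: your emergency-access (break-glass) group. Always exclude it from MFA policies.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$params = @{
    displayName = 'W365: Require MFA for Cloud PC access'
    # Start in report-only; flip to 'enabled' after reviewing sign-in logs for a few days
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)
        }
        applications = @{
            includeApplications = @($Windows365AppId, $AvdAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Report-only first is not optional hygiene here: a Cloud PC policy that misfires locks people out of their whole desktop, not one app. If you have enabled single sign-on for Cloud PCs, Microsoft's Conditional Access guidance for Windows 365 also lists the Microsoft Remote Desktop and Windows Cloud Login apps; check the current document for the exact set before enforcing.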
Delivering applications to your end users, whether they’re working primarily on a physical PC or Cloud PC, is a very important factor for enterprises. We recommend that you read this article for great information on application deployment recommended practices.
Within Microsoft Intune, the process is easier as the back-end infrastructure is pre-built to start deploying apps almost immediately! So, what format of apps are supported as delivery types per operating system? Learn about all the supported app types in Intune more at Windows 10/11 app deployment by using Microsoft Intune.
The .intunewin format is how Intune pre-processes Windows classic (Win32) apps. The Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) converts application installation files into the .intunewin format. You can learn more about converting apps into this format at Prepare Win32 app content for upload.
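A repeatable packaging step looks like the script below: it pins the installer's hash (so the package content can be verified later, which matters when an installer is pulled from a vendor site), builds the .intunewin, and writes the custom detection script Intune will run to decide whether the app is already installed. This is an added example, not from the original post; the tool path, package folder, app name and version are placeholders.

```powershell
# Added example (not from the original post): package a Win32 installer with IntuneWinAppUtil.exe,
# record its SHA-256, and emit a matching Intune custom detection script.
# All paths, the display name and the version are placeholders.
param(
    [string]$ToolPath     = 'C:\Tools\IntuneWinAppUtil.exe',   # github.com/microsoft/Microsoft-Win32-Content-Prep-Tool
    [string]$SourceFolder = 'C:\Packages\ContosoAgent',
    [string]$SetupFile    = 'ContosoAgent.msi',
    [string]$OutputFolder = 'C:\Packages\out',
    [string]$DisplayName  = 'Contoso Agent',                   # as shown under Apps & features
    [version]$MinVersion  = '2.4.0'
)

$setup = Join-Path $SourceFolder $SetupFile
if (-not (Test-Path $setup)) { throw "Setup file not found: $setup" }
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

# 1. Pin the installer content next to the package so a reviewer can re-hash and compare later.
$hash = (Get-FileHash -Path $setup -Algorithm SHA256).Hash
"$hash  $SetupFile" | Set-Content -Path (Join-Path $OutputFolder "$SetupFile.sha256")

# 2. Build the .intunewin (-q = quiet). The tool packages the whole source folder, so keep
#    only what the installer needs in $SourceFolder.
& $ToolPath -c $SourceFolder -s $SetupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# 3. Detection script. Intune treats "exit 0 and something written to STDOUT" as detected;
#    anything else means not installed and triggers the install.
$detection = @"
`$min  = [version]'$MinVersion'
`$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
`$app  = Get-ItemProperty -Path `$keys -ErrorAction SilentlyContinue |
        Where-Object { `$_.DisplayName -eq '$DisplayName' } |
        Select-Object -First 1
if (`$app) {
    try   { `$installed = [version](`$app.DisplayVersion -replace '[^\d.]') }
    catch { `$installed = [version]'0.0' }
    if (`$installed -ge `$min) { Write-Output "Detected `$(`$app.DisplayName) `$installed"; exit 0 }
}
exit 1
"@
$detection | Set-Content -Path (Join-Path $OutputFolder "Detect-$($SetupFile -replace '\.[^.]+$').ps1") -Encoding UTF8
```

Upload the .intunewin, choose "Use a custom detection script" and point it at the generated file. Where the installer is an MSI, matching on the MSI product code is even more robust than the display name, but the version comparison above is what keeps Intune from reinstalling an app that a newer vendor build has already replaced.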
Most likely, your Cloud PCs will need to connect to back-end services that live either on-premises in a private datacenter or in Azure. Windows 365 Enterprise supports all Azure networking services to connect to your own networks via ExpressRoute, site-to-site VPN, or SD-WAN. You configure this through Azure networking, meaning it requires an Azure subscription, a virtual network (vNet), and a VPN connection. For a proof of concept (POC), you can easily configure a site-to-site VPN connection to ensure your Cloud PCs can talk to your intranet, databases, and application servers. Check out this tutorial to learn how to configure a site-to-site VPN.
Once you complete this step, navigate to the Intune admin center to configure an Azure Network Connection before creating the provisioning policy (covered later in the article). There are two kinds of Azure Network Connections (ANCs), based on join type: Microsoft Entra join and Microsoft Entra hybrid join. Both let you manage traffic and Cloud PC access to network-based resources, but they have different connectivity requirements.
See our documentation to learn more about how to configure an Azure network connection.
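For the POC described above, the Azure side of the site-to-site VPN can be stood up with Az PowerShell as follows. This is an added example, not from the original post or the linked tutorial; region, address ranges, the on-premises gateway address and the pre-shared key are placeholders, and the gateway deployment itself takes 30 to 45 minutes.

```powershell
# Added example (not from the original post): Azure side of a site-to-site VPN for a Windows 365 POC.
# Placeholders: region, address spaces, on-prem VPN device public IP. Requires the Az module.
Connect-AzAccount

$rg             = 'rg-w365-poc'
$location       = 'westeurope'
$onPremPublicIp = '203.0.113.10'        # RFC 5737 documentation address; replace with your VPN device
$onPremPrefixes = @('10.10.0.0/16')     # networks reachable behind that device
# Keep the PSK out of the script; prompt for it (or pull it from Key Vault) at run time
$sharedKey      = Read-Host -Prompt 'IPsec pre-shared key'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Two subnets: one for the Cloud PCs (this is what the ANC points at) and the mandatory
# GatewaySubnet. Never place Cloud PCs in GatewaySubnet.
$cpcSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-cloudpc'  -AddressPrefix '10.20.1.0/24'
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.20.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-w365' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.20.0.0/16' -Subnet $cpcSubnet, $gwSubnet

# Public IP and gateway
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
           -AllocationMethod Static -Sku Standard
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-w365' -ResourceGroupName $rg -Location $location `
          -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# On-prem side as seen from Azure, then the IPsec connection
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
           -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremPrefixes
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $sharedKey | Out-Null

# Configure the on-prem device with $pip.IpAddress and the same PSK, then check the tunnel
"Azure gateway public IP: $($pip.IpAddress)"
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg).ConnectionStatus
```

When the connection status reads Connected, create the ANC in Intune against `vnet-w365` / `snet-cloudpc`; the ANC health checks will then validate DNS and outbound reachability from that subnet, so any NSG you add to it must still allow the Windows 365 service endpoints.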
Co-management combines your existing on-premises Configuration Manager environment with the cloud using Intune and other Microsoft 365 cloud services. You choose whether Configuration Manager or Intune is the management authority for the different workload groups.
If you are interested in connecting your existing Configuration Manager infrastructure to Microsoft Intune for Co-management, please read How to enable co-management in Configuration Manager for more technical information.
Note: This section is enterprise focused. Windows 365 Business, which is designed for small and medium businesses with fewer than 300 users, can also be used, but we don't cover that process in this post.
First, ensure that you have Windows 365 Enterprise licenses. You can get them from the admin.microsoft.com portal or your Microsoft Sales representative. If you’re interested in Windows 365 Enterprise trial licenses, please contact us via this form.
For this post, we're going to focus on Entra ID joined Cloud PCs only. If you're relying on Kerberos, use Hybrid Entra ID Join. Entra ID Join combined with Microsoft hosted networking doesn't require you to bring your own Azure subscription or networking, so it's very easy to configure. I bet you can do it while watching Netflix. To learn more about Hybrid Entra ID Join, see AD Joined Hybrid Windows 365 management in Intune.
Once you have purchased the licenses, assign them either to an Entra ID group or directly to the user's account. The benefit of assigning the license to a group is that licenses and Cloud PCs are assigned automatically when a user becomes a member of that group.
Note: If you want to connect to your own on-premises network, or another public or private cloud datacenter, make sure to select the Azure network connection via the other option during the provisioning policy configuration.
Another option is to enable Windows Autopatch to have Microsoft take care of the Windows Updates of the Cloud PCs you’re provisioning.
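The group-based license assignment from the steps above, done with Microsoft Graph PowerShell so it can be scripted for onboarding. This is an added example, not from the original post. The group name is a placeholder, and the SKU is found by its part-number prefix rather than hard-coded because Windows 365 Enterprise sizes each have their own SKU.

```powershell
# Added example (not from the original post): assign a Windows 365 Enterprise license to a security
# group and flag members whose missing usageLocation would make group licensing fail for them.
# Requires: Install-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All', 'User.Read.All'

$GroupName = 'W365-Enterprise-2vCPU-8GB'   # placeholder; must be a security group

# Windows 365 Enterprise SKUs are named CPC_E_<vCPU>C_<RAM>_<disk>; pick the one you purchased
$sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -like 'CPC_E_*' } | Select-Object -First 1
if (-not $sku) { throw 'No Windows 365 Enterprise SKU found in this tenant' }
"Using $($sku.SkuPartNumber): $($sku.PrepaidUnits.Enabled) purchased, $($sku.ConsumedUnits) consumed"

$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id, DisplayName, SecurityEnabled
if (-not $group -or -not $group.SecurityEnabled) { throw "Security group '$GroupName' not found" }

# Group-based licensing silently skips users without a usageLocation; surface them up front.
$members = Get-MgGroupMember -GroupId $group.Id -All
$missing = foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, UsageLocation -ErrorAction SilentlyContinue
    if ($u -and [string]::IsNullOrEmpty($u.UsageLocation)) { $u.UserPrincipalName }
}
if ($missing) { Write-Warning "Members without usageLocation (set it first): $($missing -join ', ')" }

# Attach the license to the group; every current and future member gets a Cloud PC once a
# provisioning policy targets this group.
Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
```

Use one group per Cloud PC size, and target the provisioning policy at the same group: membership then drives both the license and the provisioning, and removing a user from the group is the single action that deprovisions them.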
To connect to your Cloud PCs, you can use various endpoint clients. The easiest way is to connect via the Windows 365 app. Full instructions for installing the Windows 365 app are here.
Want to deploy the app to more endpoints on a large scale? Use the new Microsoft Store integration to easily publish the Windows 365 app to all your Windows Endpoints. For full instructions, read the article, Using Intune, install the Windows 365 app on physical devices.
Windows 365 Boot lets admins configure Windows 11 physical devices so that users can:
When a user turns on their physical device and signs in, Windows 365 Boot signs them in directly to their Cloud PC, not their physical device. If single sign-on is turned on for their Cloud PC, they don't have to sign in again to their Cloud PC. This expedited sign-in process reduces the time it takes the user to access their Cloud PC.
As for supported hardware, Windows 365 Boot works on any device that supports Windows 11. This includes mini PC and thin client form factors, such as the Asus/Intel NUC devices.
We're working on adding a more personal sign-in experience with Windows Hello and extensive YubiKey support soon! To learn more about Windows 365 Boot, also check out the blog post, Windows 365 Boot is now generally available!
Windows 365 Switch enables a seamless experience from within Windows 11 via the Task view feature. The Windows 365 app is required on the endpoint, after which all relevant elements show up automatically inside Task view (see below).
This new round-tripping feature is extremely valuable for bring-your-own device (BYOD) scenarios when you connect from your own Windows device to a secure company owned Cloud PC. Especially in times when business wants to do more with less—this is a great experience.
Learn more about Windows 365 Switch, see Windows 365 Switch is now Generally Available!
Both Citrix and VMware provide solutions that leverage all the benefits of Windows 365 with the protocol and client benefits from these partner solutions. It’s extremely easy to enable both solutions via our partner connectors integration inside Microsoft Intune.
Citrix HDX Plus for Windows 365 lets you integrate Citrix Cloud with Windows 365. This integration gives you access to Citrix HDX technologies for enhanced Cloud PC security and manageability. You can find more information to configure Citrix and Windows 365 at Set up Citrix HDX Plus for Windows 365 Enterprise.
VMware Horizon is a cloud-based service that lets you deliver Windows 365 Enterprise desktops to your users from any device and location. With VMware Horizon, you can use the power and security of Windows 365 Enterprise while simplifying the management and deployment of your virtual desktop infrastructure (VDI).
VMware Horizon for Windows 365 Enterprise is in limited public preview. To submit a request to join this preview, see Tech Preview – VMware Horizon extending Microsoft Windows 365. You can find more information about VMware and Windows 365 at Set up VMware Horizon for Windows 365 Enterprise.
Here is a list of resources to dive deeper into Microsoft Intune and Windows 365.
Windows in the Cloud – video series:
Additional links:
Books:
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.