windows compliance
From the frontlines: Empowering call center agents with Windows 365 Frontline
By: Tania Lima – Sr Product Manager | Windows 365

Call centers are dynamic environments where agents often work in shifts, handling customer inquiries around the clock. Providing these frontline employees with secure, consistent, and accessible computing environments is critical to maintaining productivity and excellent service. However, traditional desktop deployments, whether physical PCs or complex virtual desktop infrastructure (VDI), are often challenging to manage and scale for a shift-based workforce. Microsoft Windows 365 Frontline addresses this challenge by delivering Cloud PCs optimized for shift and part-time workers. With Windows 365 Frontline, organizations give call center agents full Windows desktop experiences from the cloud, while optimizing costs through a flexible licensing model that enables multiple employees to share Cloud PC resources during their respective shifts.

This article explores the two modes of Windows 365 Frontline – dedicated and shared – and offers guidance on choosing the right approach for call centers, along with best practices for Microsoft Intune configuration and provisioning in these scenarios.

Windows 365 Frontline overview

Windows 365 is Microsoft's Cloud PC service that streams a full Windows desktop to any device. Windows 365 Frontline is a specialized offering within Windows 365 designed for organizations with frontline or shift-based workers – employees who don't need a Cloud PC 24/7, but rather only during working hours or on an intermittent basis. Instead of assigning a traditional one-to-one Cloud PC license per user, Frontline licenses are shared at the tenant level, allowing multiple users to utilize the same Cloud PC resources at different times. This model can significantly reduce costs for call centers and similar environments by ensuring you only pay for the maximum number of concurrent Cloud PC sessions needed, not for every employee in the directory.
Windows 365 Frontline offers two modes of operation to accommodate different use cases: dedicated mode and shared mode. Both modes provide the same secure, high-performance Windows experience via the cloud, integrated with Microsoft Intune for management and Microsoft Entra ID for identity and security. The difference lies in how Cloud PCs are provisioned and used by multiple users.

Dedicated mode: Personalized Cloud PCs for shift workers

With Frontline Cloud PC in dedicated mode, each licensed user is provisioned their own personal Cloud PC, the same as a standard Windows 365 Enterprise scenario – with one crucial twist: a single Frontline license entitles up to three Cloud PCs, assigned to three different users, so long as only one Cloud PC is in use at any given time. In other words, one license is equivalent to 3 users (one active session at a time). This non-concurrent licensing is ideal for shift work. For example, if you have three call center agents covering morning, afternoon, and night shifts, you can assign each their own Cloud PC while consuming only one Frontline license. Each agent gets a dedicated, persistent Windows desktop with their apps, settings, and data, which remains available every time they log in.

Because Frontline Cloud PC in dedicated mode is personal to each user, the user experience is consistent and tailored. Agents can customize their desktop, set up applications (or have them deployed via Intune), and retain files or settings from session to session. We recommend this mode for scenarios where employees require a prolonged and consistent desktop experience – for instance, full-time or regular part-time call center employees who work scheduled shifts on a daily basis. It ensures that each agent always returns to their own workspace in the cloud.
To streamline shift handovers, Windows 365 Frontline Cloud PC in dedicated mode includes a built-in concurrency buffer that allows a temporary overlap of active sessions beyond the license limit. This is designed for those situations where one agent hasn't signed off yet and the next shift agent needs to sign in a few minutes early. The concurrency buffer permits exceeding the max concurrent user limit for short periods (up to 1 hour, a few times per day) to avoid blocking users during shift handovers. This means if one agent's session slightly overlaps with another's, both can be connected briefly without needing an extra license, and without being forced to log off. Once the time limit expires, users will be unable to log in until a Cloud PC is available.

Shared mode: Ephemeral Cloud PCs for occasional use

With Frontline Cloud PC in shared mode, a Cloud PC is not tied to any single user. Instead, you set up a collection of one or more Frontline Cloud PCs in shared mode that a group of users can access one at a time. When a user in the group connects to a shared Cloud PC, they get a temporary session: a fresh user profile is generated at login, and when they sign out, the session data is wiped. The next user to sign in starts with a clean environment. This mode enables the sequential sharing of a single Cloud PC by multiple users. For each Frontline license, you may provision a single Cloud PC within the collection. While multiple users can access this Cloud PC, only one user may be active on it at any given time.

Shared mode is well-suited for scenarios where users need only occasional or brief access to a Windows environment rather than a daily dedicated workspace. For example, consider a training workstation in a call center or a kiosk-style PC for supervisors to quickly check reports. Another use case is for temporary staff or contractors who log in infrequently.
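As an added example that is not part of the original post, the PowerShell function below turns a shift roster into a license estimate using the rules just described: in dedicated mode a license covers up to three Cloud PCs with one active session at a time, and the concurrency buffer absorbs handover overlaps of up to an hour; in shared mode a license is one pooled Cloud PC with one active user. It generalizes the three-agent illustration to any roster, including shifts that cross midnight. The function and parameter names and the sample roster are my own constructions, and the script assumes the shared-mode pool gets no overlap buffer, since the article describes the buffer for dedicated mode only.

```powershell
# Added example (not from the original post): estimate Windows 365 Frontline licenses from a roster.
# Dedicated mode: up to 3 Cloud PCs and 1 active session per license, brief overlaps (<= 1 hour)
# absorbed by the concurrency buffer. Shared mode: 1 Cloud PC and 1 active user per license.
# Function names, parameters and the roster below are constructed for illustration.

function Get-LongestRunAbove {
    # Longest contiguous stretch (in minutes) during which concurrency exceeds $Limit.
    param([object[]]$Segments, [int]$Limit)
    $longest = 0.0; $current = 0.0
    foreach ($seg in $Segments) {
        if ($seg.Level -gt $Limit) {
            $current += $seg.Minutes
            if ($current -gt $longest) { $longest = $current }
        } else {
            $current = 0.0
        }
    }
    return $longest
}

function Get-FrontlineLicenseEstimate {
    [CmdletBinding()]
    param(
        # Objects with User, Start ([datetime]) and End ([datetime]); End may fall on the next day.
        [Parameter(Mandatory)] [object[]] $Shifts,
        [ValidateSet('Dedicated', 'Shared')] [string] $Mode = 'Dedicated',
        # Handover overlap the dedicated-mode concurrency buffer tolerates (article: up to 1 hour).
        [int] $BufferMinutes = 60
    )
    $users = @($Shifts | Select-Object -ExpandProperty User -Unique).Count

    # Sweep line: +1 at each shift start, -1 at each end. Ends sort before starts at equal
    # times, so a back-to-back handover with no overlap is not counted as concurrency.
    $events = foreach ($s in $Shifts) {
        [pscustomobject]@{ Time = [datetime]$s.Start; Delta = 1 }
        [pscustomobject]@{ Time = [datetime]$s.End;   Delta = -1 }
    }
    $events = @($events | Sort-Object Time, Delta)

    # Collapse the timeline into segments of constant concurrency.
    $segments = [System.Collections.Generic.List[object]]::new()
    $level = 0
    for ($i = 0; $i -lt $events.Count; $i++) {
        $level += $events[$i].Delta
        if ($i + 1 -lt $events.Count) {
            $minutes = ($events[$i + 1].Time - $events[$i].Time).TotalMinutes
            if ($minutes -gt 0) {
                $segments.Add([pscustomobject]@{ Level = $level; Minutes = $minutes })
            }
        }
    }
    $peak = 0
    if ($segments.Count -gt 0) { $peak = ($segments | Measure-Object -Property Level -Maximum).Maximum }

    # Lower bound from the Cloud PC count: 3 per license (dedicated) or 1 per license (shared).
    $floor = 1
    if ($Mode -eq 'Dedicated') { $floor = [int][math]::Ceiling($users / 3) }
    # Assumption: the overlap buffer applies to dedicated mode only.
    $buffer = 0
    if ($Mode -eq 'Dedicated') { $buffer = $BufferMinutes }

    # Smallest license count whose excursions above the limit all fit inside the buffer.
    $licenses = [math]::Max($floor, $peak)
    $longest  = 0.0
    for ($limit = $floor; $limit -le $peak; $limit++) {
        $longest = Get-LongestRunAbove -Segments $segments -Limit $limit
        if ($longest -le $buffer) { $licenses = $limit; break }
    }
    $cloudPCs = [int]$licenses
    if ($Mode -eq 'Dedicated') { $cloudPCs = $users }

    [pscustomobject]@{
        Mode                        = $Mode
        Users                       = $users
        PeakConcurrentSessions      = [int]$peak
        LicensesRequired            = [int]$licenses
        CloudPCsProvisioned         = $cloudPCs
        LongestOverlapAboveLimitMin = [int]$longest
    }
}

# Constructed roster: two agents per shift, 15-minute handover overlaps, night shift crossing midnight.
$day = [datetime]'2025-03-03'
$sampleShifts = @(
    [pscustomobject]@{ User = 'agent01'; Start = $day.AddHours(6);  End = $day.AddHours(14).AddMinutes(15) }
    [pscustomobject]@{ User = 'agent02'; Start = $day.AddHours(6);  End = $day.AddHours(14).AddMinutes(15) }
    [pscustomobject]@{ User = 'agent03'; Start = $day.AddHours(14); End = $day.AddHours(22).AddMinutes(15) }
    [pscustomobject]@{ User = 'agent04'; Start = $day.AddHours(14); End = $day.AddHours(22).AddMinutes(15) }
    [pscustomobject]@{ User = 'agent05'; Start = $day.AddHours(22); End = $day.AddDays(1).AddHours(6).AddMinutes(15) }
    [pscustomobject]@{ User = 'agent06'; Start = $day.AddHours(22); End = $day.AddDays(1).AddHours(6).AddMinutes(15) }
)

Get-FrontlineLicenseEstimate -Shifts $sampleShifts -Mode Dedicated | Format-List
Get-FrontlineLicenseEstimate -Shifts $sampleShifts -Mode Shared    | Format-List
```

For this roster the dedicated estimate is two licenses for six Cloud PCs, because each 15-minute handover briefly puts four sessions on the tenant but stays well inside the buffer, while the same roster in shared mode needs a pool of four Cloud PCs, since every handover has four users active on the pool at once. The reported longest overlap is worth tracking: a roster whose overlaps approach an hour, or that relies on the buffer more than a few times a day, is one where agents will start being blocked at sign-in.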
In a call center context, shared mode could be used for a “floater” Cloud PC that any agent can use when extra capacity is needed, or for machines set aside for specific short tasks such as quality assurance checks by various team members. We don’t recommend shared mode for standard call center agents who have regular shifts, because those users benefit more from a persistent environment and dedicated mode can still provide cost savings in those cases. Instead, shared mode shines for truly ad-hoc access scenarios, where personalization isn't required.

With Frontline Cloud PC in shared mode, since no user profile persists, it's important to ensure apps and configurations needed for the common tasks are pre-installed or available on demand. Users rely on cloud storage (OneDrive, SharePoint, web applications) for any data they need to save, because once they log off a shared Cloud PC, nothing is retained locally. The upside is that IT maintains a singular baseline configuration for all shared sessions and there's zero risk of one user’s data bleeding into the next session – the wipe on logoff provides a clean slate and extra security.

Dedicated vs. shared mode comparison

Cloud PCs per license
  Frontline Cloud PC in dedicated mode: Up to 3 Cloud PCs per license (user-specific). Only 1 Cloud PC can be active at once (per license).
  Frontline Cloud PC in shared mode: 1 Cloud PC per license (pooled). Only 1 user session active at once (per Cloud PC).

User experience
  Frontline Cloud PC in dedicated mode: Personalized persistent desktop for each user; data and settings saved between sessions.
  Frontline Cloud PC in shared mode: Non-persistent, generic desktop; user profile and data are reset on sign-out.

Suitable use cases
  Frontline Cloud PC in dedicated mode: Shift workers who need their own space and apps (ex., daily call center agents with dedicated logins).
  Frontline Cloud PC in shared mode: Intermittent or short task usage (ex., shared training PC, occasional contractors or roaming supervisors).

Provisioning method
  Frontline Cloud PC in dedicated mode: Cloud PCs are provisioned per user via Microsoft Entra ID group assignment. Each user gets their own Cloud PC instance.
  Frontline Cloud PC in shared mode: Cloud PCs are provisioned as a static pool (set number of identical Cloud PCs) and assigned to a group of users to share.

Intune management
  Frontline Cloud PC in dedicated mode: Managed like any other individually assigned device. Supports user-targeted configurations.
  Frontline Cloud PC in shared mode: Managed as shared devices. Use device-targeted configs for apps/scripts (via device groups or Autopilot device prep) since users do not retain installs.

Data storage
  Frontline Cloud PC in dedicated mode: Files and data persist on the Cloud PC (roam with user). Still recommended to use OneDrive/SharePoint for backup and mobility.
  Frontline Cloud PC in shared mode: Files and data do NOT persist locally. Must use OneDrive, SharePoint, or other cloud services for any data that needs to be retained.

Intune configuration and recommendations for call centers

Successfully deploying Windows 365 Frontline in a call center scenario requires optimal configuration of Microsoft Intune and adherence to best practices that maximize security and efficiency. Below are key recommendations.

Provisioning policies

Set up separate Windows 365 provisioning policies for your call center users depending on mode. In the Intune admin center, under Devices > Windows 365 > Provisioning policies, choose License type: Frontline, then specify the mode as dedicated or shared. For dedicated mode, assign the policy to a Microsoft Entra ID group containing your call center agents – Intune will automatically provision a Cloud PC for each user in the group (up to your license concurrency limits). For shared mode, assign the policy to a group of users and define the number of Cloud PC instances to create for that group. Name the shared Cloud PC pool descriptively (ex. "Call Center Training PC") so users recognize it. Use the Microsoft-hosted network unless integration with on-premises networks is needed and select a region close to your users for optimal performance.

Image and applications

Choose a base Cloud PC image that includes your core call center applications to speed up deployment.
Microsoft provides gallery images (including options with Microsoft 365 Apps pre-installed). For Frontline Cloud PC in dedicated mode, each user gets this baseline image and can receive additional apps via Intune app deployment or Company Portal. For Frontline Cloud PC in shared mode, it's crucial to preload critical apps since users won't persist installs. Leverage the Windows Autopilot deployment preparation (preview) feature for shared mode provisioning policies. This feature lets you specify device-targeted apps and scripts that Intune should install on each Cloud PC during provisioning, ensuring that even the first user to sign in has all the required software ready. It helps avoid managing custom images while still delivering necessary apps on a clean shared PC each time.

Microsoft Entra ID groups for access

Manage which users can access Cloud PCs by controlling Microsoft Entra ID group membership. Since Frontline licenses are not assigned to individuals but pooled, any user in the provisioning policy’s assignment group will get access. For dedicated mode, ensure the group size aligns with available licenses (3 users per license). If the group has more users than license capacity, some users may not get a Cloud PC provisioned until additional licenses are added. Use the Connected Frontline Cloud PCs report in the Intune admin center to monitor how many Cloud PCs are active and if you’re hitting your license concurrency limit. Adjust group membership or purchase more licenses as needed to meet peak demand.

Session time limits

Configure automatic session timeouts to prevent a user from inadvertently locking a Cloud PC and blocking others. Use Intune to enforce idle session time limits and disconnected session sign-off for Windows 365 Frontline.
For example, for a Frontline Cloud PC in shared mode that is idle for 15 minutes, disconnect the session, and for a session that has been disconnected for more than 5 or 10 minutes, sign the user out (ending the session). This ensures a Frontline Cloud PC in shared mode isn’t held by an inactive session, making it available to the next agent. For Frontline Cloud PC in dedicated mode, an idle timeout (e.g., 30 minutes) can free up the license concurrency slot without immediately logging the user off. You configure these settings in the Intune admin center using the settings catalog: Remote Desktop Session Host > Session Time Limits settings. Tuning these values helps balance user convenience with resource availability.

OneDrive and user data

Encourage or enforce the use of OneDrive Known Folder Move for Desktop, Documents, and Pictures so that user files are redirected to cloud storage. In dedicated mode, this ensures that if a user moves to a new Cloud PC or device, their files roam with them. In shared mode, this step is even more critical: when the user logs off, anything saved only on the local profile is erased. With Known Folder Move and cloud-based productivity apps, even a non-persistent session feels seamless as users access their files from OneDrive or SharePoint. Similarly, if users use Outlook, enable cached Exchange mode with cloud mailboxes so that email data isn't lost between sessions. Alternatively, direct users to access the new Outlook or Outlook on the web to avoid local data use.

Security controls

Treat Cloud PCs as you would any corporate device: apply Microsoft Defender for Endpoint monitoring and security baselines via Intune. One big advantage of Windows 365 for call centers is enhanced security – by default, Cloud PCs keep data off the local machine that the user is connecting from.
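As an added example that is not part of the original post, the PowerShell script below audits a Cloud PC against the session time limits recommended under Session time limits (idle sessions disconnected within 15 minutes, disconnected sessions signed out within 10 minutes) and, optionally, against the clipboard and drive redirection restrictions that belong with the security controls. It reads the registry values that the ADMX-backed Remote Desktop Session Host policies write, so it can run from an Intune platform or remediation script and report drift from the intended configuration. The function and parameter names are my own, the two sample value sets are constructed, and the registry path and value names are assumed to be the same ones these policies use on any Windows host.

```powershell
# Added example (not from the original post): audit a Cloud PC's Remote Desktop session time
# limits and clipboard/drive redirection settings against the article's recommendations.
# Assumption: the settings catalog entries under "Remote Desktop Session Host" are ADMX-backed
# and land in the Terminal Services policy key below, as they do for Group Policy.
# Function and parameter names are constructed; the sample value sets are constructed.

$TsPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-TsPolicyValues {
    # Read the relevant policy values from the registry; a missing value is returned as $null.
    param([string]$Path = $TsPolicyPath)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $values = @{}
    foreach ($name in 'MaxIdleTime', 'MaxDisconnectionTime', 'fDisableClip', 'fDisableCdm') {
        $values[$name] = $null
        if ($null -ne $item -and $null -ne $item.$name) { $values[$name] = [int64]$item.$name }
    }
    return $values
}

function Test-FrontlineSessionPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Values,
        [int] $MaxIdleMinutes = 15,           # idle sessions should be disconnected by this point
        [int] $MaxDisconnectedMinutes = 10,   # disconnected sessions should be signed out by this point
        [switch] $RequireRedirectionLockdown  # also require clipboard and drive redirection disabled
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # Time limits are stored in milliseconds. 0 or absent means "never", which lets an
    # inactive session hold the Cloud PC and block the next agent.
    $timeChecks = @(
        @{ Name = 'MaxIdleTime';          Label = 'Idle session limit';         Max = $MaxIdleMinutes },
        @{ Name = 'MaxDisconnectionTime'; Label = 'Disconnected session limit'; Max = $MaxDisconnectedMinutes }
    )
    foreach ($check in $timeChecks) {
        $ms = $Values[$check.Name]
        $minutes = $null
        if ($null -ne $ms -and $ms -gt 0) { $minutes = [math]::Round($ms / 60000, 1) }
        $pass = ($null -ne $minutes) -and ($minutes -le $check.Max)
        $actual = 'not set (never)'
        if ($null -ne $minutes) { $actual = "$minutes min" }
        $findings.Add([pscustomobject]@{
            Setting  = $check.Label
            Expected = "1-$($check.Max) min"
            Actual   = $actual
            Pass     = $pass
        })
    }

    if ($RequireRedirectionLockdown) {
        $redirectionChecks = @(
            @{ Name = 'fDisableClip'; Label = 'Clipboard redirection disabled' },
            @{ Name = 'fDisableCdm';  Label = 'Drive redirection disabled' }
        )
        foreach ($check in $redirectionChecks) {
            $v = $Values[$check.Name]
            $actual = 'not set'
            if ($null -ne $v) { $actual = "$v" }
            $findings.Add([pscustomobject]@{
                Setting  = $check.Label
                Expected = '1'
                Actual   = $actual
                Pass     = ($v -eq 1)
            })
        }
    }

    $failed = @($findings | Where-Object { -not $_.Pass }).Count
    [pscustomobject]@{ Compliant = ($failed -eq 0); Findings = $findings }
}

# Constructed value sets: one matching the recommendation, one with the disconnect limit
# left at "never" and drive redirection still enabled.
$goodPolicy = @{ MaxIdleTime = 900000;  MaxDisconnectionTime = 600000; fDisableClip = 1; fDisableCdm = 1 }
$weakPolicy = @{ MaxIdleTime = 1800000; MaxDisconnectionTime = 0;      fDisableClip = 1; fDisableCdm = 0 }

foreach ($policy in @($goodPolicy, $weakPolicy)) {
    $result = Test-FrontlineSessionPolicy -Values $policy -RequireRedirectionLockdown
    "Compliant: $($result.Compliant)"
    $result.Findings | Format-Table -AutoSize
}

# On a Cloud PC (for example from an Intune remediation detection script), read the live values:
# Test-FrontlineSessionPolicy -Values (Get-TsPolicyValues) -RequireRedirectionLockdown
```

The first sample set reports compliant; the second fails on all three counts it gets wrong: a 30-minute idle limit, no disconnected-session limit at all, and drive redirection left enabled. Treat a missing or zero time limit as the finding that matters most for shared mode, because that is the state in which one forgotten session keeps a pooled Cloud PC out of reach for the whole next shift.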
Use Intune policies or Windows 365 settings to disable clipboard and drive redirection, prevent screenshots, and add watermarking if agents handle highly sensitive information (so data on the Cloud PC can't be easily copied out). Additionally, enforce multi-factor authentication (MFA) for Cloud PC access through Microsoft Entra ID Conditional Access, and limit Cloud PC access to only trusted networks or compliant endpoint devices for an extra layer of protection.

Monitoring and scaling

Continuously monitor usage patterns. Windows 365 usage reports help identify if your call center is reaching the concurrent connection limit. If agents frequently find Cloud PCs unavailable (shared mode) or get blocked due to concurrency (dedicated mode), you likely need more Frontline licenses or an adjusted strategy. Aim to have enough Cloud PCs to cover peak usage. Thankfully, adding capacity is straightforward – purchase additional Frontline licenses and update your provisioning policies. For shared mode, increase the Cloud PC count in the pool; for dedicated, new users in the group automatically get Cloud PCs if licenses are available. Likewise, if usage is consistently below capacity, consider reducing the number of provisioned Cloud PCs to optimize costs. Windows 365 provides the flexibility to scale up or down easily as your call center staffing changes, enabling organizations to efficiently adapt to operational fluctuations and changing demands.

Endpoint devices

When call center agents operate on-site with shared physical PCs or thin clients to connect to their Cloud PCs, configure these physical endpoints appropriately for shared usage. Windows PCs can be set up in Microsoft Entra ID Shared Device Mode or as kiosk devices that only allow launching the Windows App or a web browser for Cloud PC access. This ensures the local device doesn't store data between users and is locked down to its purpose.
Intune can manage these shared endpoints with policies to clear temp files on logout, enforce idle sign-out, and automatically launch the Windows App at login. By managing both the Cloud PC and the access device in Intune, IT creates a cohesive, secure experience for rotating call center shifts.

Windows 365 Link devices in call centers

Windows 365 Link devices offer a transformative solution for call centers by simplifying endpoint management and enhancing remote operability. These devices enable seamless access to Cloud PCs with high-fidelity Microsoft Teams support and multimedia redirection, which is critical for voice and video-heavy workflows. Windows 365 Link allows secure connections even to Cloud PCs that have never been signed into before, reducing onboarding friction for third-party agents. This is especially valuable for remote call centers, where maintaining client machines is challenging. Windows 365 Link can be shipped pre-configured, minimizing setup complexity and support overhead. Using Link devices supports scalable, secure, and efficient operations without compromising user experience or enterprise security policies.

Windows 365 Link devices are intended to be managed in a manner consistent with other Windows endpoints within Intune; however, they operate on a streamlined Windows Cloud PC OS. This design reduces the range of management actions available, particularly with respect to enrollment and ongoing management actions. For more information visit Windows 365 Link documentation.

Microsoft Teams

If Microsoft Teams is part of the daily workflow for call center agents, we strongly recommend deploying the Microsoft Teams-optimized Windows App to access their Cloud PCs from Windows-based clients, in place of using the standard web client. This approach ensures better performance, enhanced audio and video quality, and full support for Teams-specific optimizations such as offloading media traffic and reducing latency.
Simple connection requirements for partners

Many large organizations will work with third party call center partners to provide agents to support their customers, either as business as usual, or to provide out of hours and coverage for high call volume events. Ensuring these partner organizations can connect to your infrastructure, and connect to your applications, can be challenging and any changes can take time for your partners to roll out. By using Windows 365, you can deliver a defined list of software and network requirements (Windows App, with access to the Windows Cloud endpoints / Teams / Call Centre software), and minimize the number of changes required as your business evolves. Providing access to a new application, service, or resource is handled within the Cloud PCs that you control with no technical changes needed by the vendor or partner.

Remote call center and BYOD scenarios

Windows 365 empowers organizations to support remote call center agents through secure, scalable Cloud PC deployments that work seamlessly across bring your own device (BYOD) environments. Whether agents use personal laptops, tablets, or mobile phones, Windows 365 ensures secure access to corporate resources via the Windows app or browser-based clients, minimizing infrastructure overhead and simplifying endpoint management. This flexibility is especially valuable for outsourced or third-party call center partners, where device diversity and network variability are common. By centralizing application access within the Cloud PC, organizations enforce consistent security policies, reduce onboarding friction, and deliver reliable user experience, regardless of the agent’s physical location or device type. This model not only enhances operational agility but also strengthens data protection by isolating corporate workloads from unmanaged endpoints.
Conclusion

Windows 365 Frontline represents a transformative approach for call centers seeking to empower their agents with secure, flexible, and cost-effective computing environments. By offering both dedicated and shared modes, organizations can tailor Cloud PC deployments to match the unique needs of shift-based and occasional workers, optimizing resource utilization and reducing operational complexity. With robust integration into Microsoft Intune and Microsoft Entra ID, IT teams can streamline provisioning, enforce security best practices, and ensure seamless user experiences, whether agents are on-site, remote, or using their own devices. Ultimately, Windows 365 Frontline enables call centers to scale efficiently, enhance data protection, and deliver consistent service quality in today’s dynamic work landscape.

This blog is part of the “From the Frontlines” series, where we explore different scenarios of how workers in the field use devices and how IT admins can enable them. Check the other blog posts for more inspiration! As always, if you have any questions let us know in the comments or reach out to us on X @IntuneSuppTeam or @MSIntune!

Microsoft Intune Advanced Analytics in action: Real-world scenarios for IT teams
By: Janusz Gal – Sr Product Manager | Microsoft Intune

Microsoft Intune Advanced Analytics empowers IT admins and enterprise users to gain deep insights into device health, user experience, and organizational trends. Building on the foundation of Microsoft Endpoint analytics, Advanced Analytics offers enhanced device timeline reporting, flexible query options, anomaly detection, battery health monitoring, and resource performance tracking. IT admins can use Advanced Analytics to proactively manage their user devices, by turning raw telemetry into actionable insights, and optimizing IT support processes with near real-time device information. In this blog post, we’ll review the capabilities provided by Advanced Analytics with example scenarios for how they can be used.

Getting started

Getting started with Advanced Analytics is easy! Once your license is in place and Endpoint analytics is enabled, Advanced Analytics features will become available in your tenant. For more details on the licensing requirements, review the following: What is Microsoft Intune Advanced Analytics. For those who haven’t enabled Endpoint analytics, now is the time. In the Intune admin center, navigate to Reports > Endpoint analytics. Select All cloud-managed devices in the dropdown (or a subset) and select Start to enable Endpoint analytics for your tenant.

Figure 1. Endpoint analytics introduction pane in the Microsoft Intune admin center (Reports > Endpoint analytics).

Some capabilities may take up to 48 hours for data to populate for Advanced Analytics analysis, such as anomaly detection, battery health monitoring, and inventory data shown in Device Query for multiple devices. Review Planning Advanced Analytics for a full list of prerequisites, a planning checklist, FAQ and more. Let’s take a look at the new capabilities available when you enable Advanced Analytics in Microsoft Intune.
Custom device scopes

Think of a subset of the organization you’d like to better understand and compare to the rest of the tenant. Possible examples include executive devices, maybe a specific country or region with a different budget, or even Microsoft Entra hybrid joined and cloud-native devices. With custom device scopes you can recalculate the whole set of Endpoint analytics reports based on scope tags and get the comparisons you need to make informed decisions.

Let’s consider a scenario where a subset of the organization has Microsoft Entra hybrid joined Windows devices with decades of group policy being applied and you want to make the business case to invest the time in reviewing and building new policy in Intune. You can create a scope tag, for this example we’ll name it “Hybrid joined devices”, that you apply to hybrid joined devices, and then add that to the device scopes capability within Endpoint analytics. The manage device scopes setting can be accessed by selecting the device scope selector on any filterable Endpoint analytics pane:

Figure 2. Endpoint analytics device scope selection (Reports > Endpoint analytics > Overview).

Figure 3. Manage device scopes pane for selecting and creating new device scopes (Reports > Endpoint analytics > Overview > Device scope > Manage device scopes).

Under Endpoint analytics reports, navigate to the Startup performance report which showcases Core boot time and Core sign-in time. By default, this report is scoped to All Devices but is filterable using any tag including the one you just created: “Hybrid joined devices”.

Figure 4. Startup performance report (Reports > Endpoint analytics > Startup performance).

While results will differ for each organization, in the tenant shown here when you set the scope to “Hybrid joined devices”, you’ll see that Group Policy contributes 8 seconds to your Core sign-in time, and overall devices report 9 seconds slower boot times and 30 second slower sign-ins:

Figure 5. Startup performance report, recalculated with Device scope.

Just like that, you know that users are losing time on each reboot. Depending on how large the fleet is for your organization, that could be a significant amount and worth what it would take to modernize and plan to implement new policies. Of course, you can also use a custom device scope across the rest of the Endpoint analytics reports such as application reliability and work from anywhere. And with Advanced Analytics you also get two additional reports that can be sliced with device scopes – Resource performance and Battery health.

Resource performance

The resource performance report provides an analysis and score of CPU, memory, and storage metrics over time to identify underperforming devices. Let’s take the same scenario from before – reviewing the hybrid joined devices in your organization. If you have existing hybrid joined devices that are expecting a future device refresh, would it make sense to schedule that sooner because of their performance? When you review the resource performance score, you see how All devices are performing based on their CPU and RAM spike time scores – effectively, how often they are hitting their resource limits.

Figure 6. Endpoint analytics resource performance report (Reports > Endpoint analytics > Resource performance).

In Endpoint analytics, higher scores indicate that devices are providing better user experiences. For example, in the Resource performance report, a higher score indicates that devices are seeing fewer CPU spikes.

Figure 7. CPU spike time score details pane (Reports > Endpoint analytics > Resource performance > CPU spike time score).

You can view performance by specific models or devices using the navigation tabs at the top of the report. Periodically reviewing these results is helpful to ensure your devices are performing well within their ownership or refresh cycles.
Better yet, you can use Baselines, which capture a snapshot of the scores for your tenant and allow you to track progress over time:

Figure 8. Baselines selection (Reports > Endpoint Analytics > Overview > Baseline).

You could, for example, directly see how the overall baseline scores improve a few months after a hardware refresh by checking a previous baseline against the current scores. This can help further justify hardware spending by showing quantifiable improvements to the user experience. For this example, since you know the hybrid joined devices are older than your cloud-native ones, you can reuse your custom device scope here to filter the resource performance report and compare the scores:

Figure 9. Resource performance report recalculated via Device scope (Reports > Endpoint Analytics > Resource performance > Device scope set).

Now you can also easily identify that your hybrid joined devices are performing worse than average, as they have a significantly lower resource performance score than All devices.

Battery health monitoring

Advanced Analytics also gives us access to the Battery health report which details capacity and runtime scores across the organization.

Figure 10. Battery health report (Reports > Endpoint Analytics > Battery health).

The top level report shows a battery capacity score and a battery runtime score, both of which provide a flyout with granular details on how devices are performing:

Figure 11. Battery capacity score detail (Reports > Endpoint Analytics > Battery health > Battery capacity score).

Figure 12. Battery runtime score detail (Reports > Endpoint Analytics > Battery health > Battery runtime score).

Using these reports, you can easily identify devices that need a battery replacement, such as older devices or laptops that have been plugged in for years.
These are great candidates to replace sooner – as ever-changing home or office work locations shift, you can improve user confidence in their devices by ensuring a fully charged battery lasts for hours. On the flipside – you can use the Battery health report to assess whether existing devices can have their lifespan extended. Maybe they are five years old but the batteries are still reporting more than 5 hours of runtime on a charge and greater than 80% health. For example, in the hybrid joined device scenario, you were looking for budget to refresh those devices sooner – if you can find existing devices with healthy batteries, you could also check their resource performance results and decide to keep them an extra few years if they are performing well.

Device query for multiple devices

Suppose you have used the previous capabilities – custom device scopes, resource performance reporting, and battery health reporting – to determine a group of devices within your organization that you want to perform some action on. As mentioned before, this could be extending their lifespan, planning a refresh, or investing in a tooling migration. If you need additional details from devices before making that decision you can use Device query for multiple devices.

Device query for multiple devices provides insights about the entire fleet of devices using previously collected inventory data. And since it leverages the flexible and powerful Kusto Query Language (KQL), you can mix and match inventory attributes to get the list of devices that meet your requirements. For Windows devices, before you can use Device query for multiple devices you’ll need to create a Properties Catalog policy. Add the properties you would like to collect and assign the profile to the intended devices. All available properties are automatically collected for Android Enterprise, iOS, iPadOS, and macOS devices, so no extra configuration is needed.

Figure 13. Configure and deploy a Properties Catalog profile.
You can view collected inventory information for a single device under the Device inventory pane. After a device syncs with Intune, it can take up to 24 hours for initial harvesting of inventory data. Once you have the inventory information collected across the fleet, navigate to Devices > Device query to start querying.

Figure 14. Device query for multiple devices (Devices > Device query).

Expanding on the scenarios from before, consider a requirement to replace devices with high battery cycle counts. With Device query for multiple devices, you could join battery and CPU data, and better target planned replacements:

Figure 15. Running a query (Devices > Device Query).

Of course, you can use any of the inventory categories to find applicable devices including storage space, TPM details, enrollment information, and so on. For organizations with Security Copilot licensed and enabled, you can leverage Query with Copilot to generate the KQL queries for you using natural language:

Figure 16. Copilot query generation (Devices > Device query > Query with Copilot).

Once you have the results, you can export to a .csv to use elsewhere like sharing to the team handling procurement and hardware lifecycle management.

Figure 17. Export device query results (Devices > Device Query > Run query > Export).

Now that you have your list of devices, what if you need even more detailed information?

Granular details from enhanced device timeline and Device query

With the results from Figure 15, you were able to find a device with high battery cycles and a relatively old processor. At first glance this is a great candidate for replacement. With Advanced Analytics, you can explore further by navigating to Devices > Windows, selecting a device, and leveraging the enhanced device timeline and Device query capabilities.
The enhanced device timeline shows a 30-day history of events that occurred on a specific device including details on app crashes, unresponsive apps, device boots, device logons, and anomaly detected events:

Figure 18. Device timeline pane showing multiple app crashes over the past two days (Devices > Windows > select device > User experience > Device timeline).

From here, you have a much better and direct understanding of how a user’s device is performing. If a user frequently sees unresponsive apps, you are now reasonably confident that you’ve found a device worthy of further troubleshooting or replacement. Device query for a single device, on the other hand, lets you investigate even further and query the device for real-time data such as Windows Event Log events, registry configuration, or BIOS details. For the full list of properties refer to Intune data platform schema.

Figure 19. Device query for a single device, returning process details (Devices > Windows > select device > Device query).

With Device query and the enhanced device timeline, you can get all of the granular information needed to make informed decisions about a device.

Find additional scenarios with anomaly detection

Don’t have a specific goal or unsure of what needs to be resolved? Want to proactively address issues before users start reporting them? Use the Anomalies tab to identify deviations from normal behavior across your environment, such as a spike in application crashes.

Figure 20. Anomalies tab showing multiple high severity detections (Reports > Endpoint Analytics > Overview > Anomalies).

With the other capabilities provided by Advanced Analytics, you can investigate anomalies in several ways. To start, each anomaly provides a list of affected devices. By clicking through each of these devices, you can use Device query or the enhanced device timeline to get detailed information needed to troubleshoot properly.

Figure 21. Anomaly detection report detailing affected devices (Reports > Endpoint Analytics > Overview > Anomalies > select affected devices).

Medium and high severity anomalies include device correlation groups based on one or more shared attributes such as app version, driver update, OS version, and device model.

Figure 22. Anomaly detection report detailing behavior and impact (Reports > Endpoint Analytics > Overview > Anomalies > select anomaly title).

To investigate further, you could create a new custom device scope to recalculate the Endpoint analytics reports for affected devices, use the Resource performance report, or even the Battery health report if that is seemingly causing issues. While a common approach for organizations is an internal initiative that drives an investigation into analytics reports, anomaly detection is certainly a great starting point as well for improving user experience.

What’s next

Advanced Analytics is continuing to evolve with new capabilities to give you the insights you need on the user device experience. Stay tuned for further blog posts around additional Advanced Analytics and Intune reporting capabilities. If you have any questions or want to share how you’re using Advanced Analytics in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune!

Blocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
By: Michael Dineen - Sr. Product Manager | Microsoft Intune

This blog was written to provide guidance to Microsoft Intune admins who need to block or remove apps on their managed endpoints. This includes blocking the DeepSeek – AI Assistant app in accordance with government and company guidelines across the world (e.g. the Australian Government's Department of Home Affairs Protective Security Policy Framework (PSPF) Direction 001-2025, Italy, South Korea). The guidance in this blog uses the DeepSeek – AI Assistant app and its associated website as an example, but you can apply it to other apps and websites as well.

The information in this guidance is supplemental to previously provided guidance, which is more exhaustive in the steps administrators need to take to identify, report on, and block prohibited apps across their managed and unmanaged mobile devices: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

iOS/iPadOS devices

For ease of reference, the following information is required to block the DeepSeek – AI Assistant app:

App name: DeepSeek – AI Assistant
Bundle ID: com.deepseek.chat
Link to Apple App Store page: DeepSeek – AI Assistant
Publisher: 杭州深度求索人工智能基础技术研究有限公司

Corporate devices (Supervised)

Hide and prevent the launch of the DeepSeek – AI Assistant app

The most effective way to block an app on supervised iOS/iPadOS devices is to prevent the app from being shown or launched.

1. Create a new device configuration profile and select Settings Catalog for the profile type (Devices > iOS/iPadOS > Configuration profiles).
2. On the Configuration settings tab, select Add settings and search for Blocked App Bundle IDs.
3. Select the Restrictions category and then select the checkbox next to the Blocked App Bundle IDs setting.
(Screenshot: Devices > Configuration profile settings picker with 'Blocked App Bundle IDs' selected.)
4. Enter the Bundle ID: com.deepseek.chat
5. Assign the policy to either a device or user group.
Note: The ability to hide and prevent the launch of specific apps is only available on supervised iOS/iPadOS devices. Unsupervised devices, including personal devices, can't use this option.

Uninstall the DeepSeek – AI Assistant app

If a user has already installed the app from the Apple App Store, it will persist on the device even though it can't be launched once the policy above is applied. Use the steps below to automatically uninstall the app on devices that have it installed. This policy will also uninstall the app if it is installed again at any point in the future, as long as the policy remains assigned.

1. Navigate to Apps > iOS/iPadOS apps.
2. Select + Add and choose iOS store app from the list.
3. Search for DeepSeek – AI Assistant and click Select.
(Screenshot: Apps > iOS/iPadOS > Add App, searching for the 'DeepSeek - AI Assistant' app.)
4. Accept the default settings, then select Next.
5. Modify the Scope tags as required.
6. On the Assignments tab, under the Uninstall section, select + Add group, + Add all users, or + Add all devices, depending on your organization's needs.
7. Click Create on the Review + create tab to complete the setup.

Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed.

Personal devices – Bring your own device (BYOD)

Admins have fewer options to manage settings and apps on personal devices. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. Instead, admins have the following options:

1. Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement).
2. Use a report to identify personal devices with specific apps installed.
3. Take over the app with the user's consent.
4. Uninstall the app.

This guide focuses on option 1.
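Option 1 does not have to be clicked through in the portal. The PowerShell below is an added example, not code from the original post or from Microsoft: it creates the same iOS/iPadOS compliance policy the next section walks through (restricted app com.deepseek.chat, Mark device noncompliant set to Immediately) through Microsoft Graph, assigns it to a group, and reads back the devices the policy reports as noncompliant. It assumes the Microsoft.Graph.Authentication module, an account holding DeviceManagementConfiguration.ReadWrite.All, and the Graph beta endpoint (where iosCompliancePolicy exposes restrictedApps); the group object ID is a placeholder.

```powershell
# Added example (not from the original post): iOS/iPadOS restricted-app compliance
# policy via Microsoft Graph. Assumes Microsoft.Graph.Authentication is installed and
# the signed-in account has DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$graph = 'https://graph.microsoft.com/beta'   # restrictedApps lives on the beta schema

function New-RestrictedAppCompliancePolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][string]$BundleId
    )
    $policy = @{
        '@odata.type'  = '#microsoft.graph.iosCompliancePolicy'
        displayName    = $DisplayName
        description    = "Marks devices noncompliant when $AppName ($BundleId) is installed"
        # Portal: Compliance settings > System Security > Restricted apps
        restrictedApps = @(
            @{ '@odata.type' = '#microsoft.graph.appListItem'; name = $AppName; appId = $BundleId }
        )
        # Portal: Actions for noncompliance > Mark device noncompliant > Immediately
        # (= block action with a 0-hour grace period). Intune requires scheduledActionsForRule
        # on creation and accepts 'PasswordRequired' as the rule name for every policy type.
        scheduledActionsForRule = @(
            @{
                ruleName = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
                )
            }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
        -ContentType 'application/json' -Body ($policy | ConvertTo-Json -Depth 8) -OutputType PSObject
}

function Set-CompliancePolicyGroupAssignment {
    param([Parameter(Mandatory)][string]$PolicyId, [Parameter(Mandatory)][string]$GroupId)
    $body = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$PolicyId/assign" `
        -ContentType 'application/json' -Body ($body | ConvertTo-Json -Depth 6)
}

function Get-NoncompliantDevices {
    param([Parameter(Mandatory)][string]$PolicyId)
    # Same data as Monitor > Device status in the portal; follows @odata.nextLink paging.
    $uri  = "$graph/deviceManagement/deviceCompliancePolicies/$PolicyId/deviceStatuses"
    $rows = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $rows += $page.value
        $uri   = $page.'@odata.nextLink'
    }
    $rows | Where-Object { $_.status -eq 'nonCompliant' } |
        Select-Object deviceDisplayName, userName, status, lastReportedDateTime
}

# Usage
$policy = New-RestrictedAppCompliancePolicy -DisplayName 'iOS - Block DeepSeek - AI Assistant' `
    -AppName 'DeepSeek - AI Assistant' -BundleId 'com.deepseek.chat'
Set-CompliancePolicyGroupAssignment -PolicyId $policy.id -GroupId '<entra-group-object-id>'   # placeholder
# Devices evaluate the policy on their next check-in, so run the report again later.
Get-NoncompliantDevices -PolicyId $policy.id | Format-Table
```

The compliance policy on its own only changes the device's compliance state; the block happens when a Conditional Access policy with the Require device to be marked as compliant grant control covers the resources in question, exactly as in the portal flow.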
For further guidance on the other options, refer to: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources

You can use compliance policies in Intune to mark a device as either "compliant" or "not compliant" based on several properties, such as whether a specific app is installed. Combined with Conditional Access, you can then prevent the user from accessing protected company resources from a noncompliant device.

1. Create an iOS/iPadOS compliance policy by navigating to Devices > iOS/iPadOS > Compliance policies > Create policy.
2. On the Compliance settings tab, under System Security > Restricted apps, enter the name and app Bundle ID and select Next.
   Name: DeepSeek – AI Assistant
   Bundle ID: com.deepseek.chat
3. Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next.
4. Assign any Scope tags as required and select Next.
5. Assign the policy to a user or device group and select Next.
6. Review the policy and select Create.

Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy. Navigate to the compliance policy and select Device status under Monitor > View report. Devices that have the restricted app installed are shown in the report and marked as "Not compliant". When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources from devices that have the specified app installed. The block applies only to the users and cloud apps in scope of that Conditional Access policy, so confirm its scope covers the resources you intend to protect.

Android devices

Android Enterprise corporate owned, fully managed devices

Admins can optionally choose to allow only designated apps to be installed on corporate-owned, fully managed devices by configuring Allow access to all apps in Google Play store in a device restrictions policy.
If this setting is configured as Block or Not configured (the default), no additional configuration is required, as users are only able to install apps allowed by the administrator.

Uninstall DeepSeek

To uninstall the app and prevent it from being installed via the Google Play Store, perform the following steps:

1. Add a Managed Google Play app in the Microsoft Intune admin center by navigating to Apps > Android > Add, then select Managed Google Play app from the drop-down menu.
2. Enter DeepSeek – AI Assistant in the search bar, select the app in the results, click Select and then Sync.
3. Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments.
4. Under the Uninstall section, add a user or device group, select Review + save and then Save.

After the next sync, Google Play uninstalls the app, and the user receives a notification on their managed device that the app was "deleted by your admin". The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, an error is displayed on the user's managed device.

Android Enterprise personally owned devices with work profile

For Android Enterprise personally owned devices with a work profile, use the same settings described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile.

Note: Apps installed outside of the work profile can't be managed, by design.

Windows devices

You can block users from accessing the DeepSeek website on Windows devices that are onboarded to Microsoft Defender for Endpoint. Blocking users' access to the website also prevents them from adding DeepSeek as a progressive web app (PWA). This guidance assumes that devices are already onboarded to Microsoft Defender for Endpoint.
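The Windows procedure that follows has two halves: a Custom Network Indicator in Defender for Endpoint, and Network Protection in block mode pushed by Intune. The PowerShell below is an added example, not code from the original post or from Microsoft. It does the first half through the Defender for Endpoint Indicators API (the same object the portal's Settings > Endpoints > Indicators > URLs/Domains form submits) and gives you a check for the second half to run on an onboarded endpoint. It assumes an Entra app registration holding the WindowsDefenderATP Ti.ReadWrite application permission; the tenant ID, client ID, secret and the DomainName/Url classification heuristic are mine, not the page's.

```powershell
# Added example (not from the original post). Assumptions: an Entra app registration
# with the WindowsDefenderATP "Ti.ReadWrite" application permission; all IDs are placeholders.

function Get-MdeToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client-credentials flow scoped to the Defender for Endpoint API resource.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret    # prefer a certificate or Key Vault outside a lab
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

function New-UrlBlockIndicator {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$Value,        # e.g. deepseek.com or https://deepseek.com
        [string]$Title = 'DeepSeek',
        [string]$Description = 'Block network access to DeepSeek',
        [bool]$GenerateAlert = $true
    )
    # Heuristic (mine): a bare host name is a DomainName indicator, anything else a Url.
    $type = if ($Value -match '^[A-Za-z0-9.-]+$') { 'DomainName' } else { 'Url' }
    $indicator = @{
        indicatorValue = $Value
        indicatorType  = $type
        action         = 'Block'            # portal label: "Block execution"
        title          = $Title
        description    = $Description
        severity       = 'Informational'
        generateAlert  = $GenerateAlert
        # no expirationTime  == portal "Expires on (UTC): Never"
    }
    Invoke-RestMethod -Method Post -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers @{ Authorization = "Bearer $Token" } -ContentType 'application/json' `
        -Body ($indicator | ConvertTo-Json)
}

function Get-UrlBlockIndicators {
    param([Parameter(Mandatory)][string]$Token)
    # Check: every domain/URL block indicator currently in the tenant.
    $uri = "https://api.securitycenter.microsoft.com/api/indicators?`$filter=action eq 'Block'"
    (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $Token" }).value |
        Where-Object { $_.indicatorType -in 'DomainName', 'Url' } |
        Select-Object id, indicatorValue, indicatorType, expirationTime, createdBy
}

function Test-NetworkProtection {
    # Run elevated on the Windows endpoint after the Intune policy has applied.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    # Defender CSP EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit
    $modes  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
    $onboarded = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -ErrorAction SilentlyContinue).OnboardingState -eq 1
    # Network Protection needs Defender AV active with real-time and cloud-delivered
    # protection. Its audit/block decisions are logged as event IDs 1125/1126.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1125, 1126 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MdeOnboarded       = $onboarded
        SenseService       = (Get-Service Sense -ErrorAction SilentlyContinue).Status
        NetworkProtection  = $modes[[int]$pref.EnableNetworkProtection]
        AMRunningMode      = $status.AMRunningMode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        CloudProtection    = $pref.MAPSReporting -ne 0
        RecentBlocks       = @($events | Where-Object Id -eq 1126).Count
        LastBlockMessage   = ($events | Where-Object Id -eq 1126 | Select-Object -First 1).Message
    }
}

# Usage on an admin workstation (placeholders):
# $t = Get-MdeToken -TenantId '<tenant-id>' -ClientId '<client-id>' -ClientSecret '<secret>'
# New-UrlBlockIndicator -Token $t -Value 'deepseek.com'
# Get-UrlBlockIndicators -Token $t
# Usage on the endpoint:
# Test-NetworkProtection
```

If Test-NetworkProtection reports Audit, the Intune policy has not applied or another source (Group Policy, a local Set-MpPreference) is overriding it; if it reports Block but RecentBlocks stays at zero after a test visit from a non-Microsoft browser, allow for the up-to-48-hour indicator propagation the page mentions before troubleshooting further.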
Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge

First, Custom Network Indicators need to be enabled.

Note: After this setting is configured, it can take up to 48 hours after an indicator is created for a URL or IP address to be blocked on a device.

1. Open the Microsoft Defender portal and navigate to Settings > Endpoints > Advanced features, then enable Custom Network Indicators by turning on the corresponding setting. Select Save preferences.

Next, create a Custom Network Indicator.

2. Navigate to Settings > Endpoints > Indicators, select URLs/Domains and click Add item.
3. Enter the following, and then click Next:
   URL/Domain: https://deepseek.com
   Title: DeepSeek
   Description: Block network access to DeepSeek
   Expires on (UTC): Never
4. Optionally, generate an alert when the website is blocked by network protection by configuring the following, and click Next:
   Generate alert: Ticked
   Severity: Informational
   Category: Unwanted software
   Note: Adjust these settings according to your organization's requirements.
5. Select Block execution as the Action and click Next, review the Organizational scope and click Next.
6. Review the summary and click Submit.

Once the Custom Network Indicator becomes active (allow up to 48 hours), the user sees a block page when attempting to access the DeepSeek website in Microsoft Edge. In Edge the indicator is enforced through Microsoft Defender SmartScreen, so SmartScreen must not be turned off by policy.

Using Defender for Endpoint to block websites in other browsers

After completing the steps above to block access to DeepSeek in Microsoft Edge, admins can use Network Protection to block access to DeepSeek in other browsers.

1. Create a new Settings Catalog policy by navigating to Devices > Windows > Configuration > + Create > New Policy, select the following and click Create:
   Platform: Windows 10 and later
   Profile type: Settings Catalog
2. Enter a name and description and click Next.
3. Click + Add settings and in the search field, type Network Protection and click Search.
4. Select the Defender category and select the checkbox next to Enable Network Protection.
5. Close the settings picker, change the drop-down selection to Enabled (block mode) and click Next.
6. Assign Scope tags as required and click Next.
7. Assign the policy to a user or device group and click Next.
8. Review the policy and click Create.

When users attempt to access the website in other browsers, they see an error that the content is blocked by their admin.

macOS

macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser, as the same Custom Network Indicator works across both Windows and macOS. Ensure that you have configured the Custom Network Indicator as described earlier in this guidance.

Enable Network Protection

Enable Network Protection on macOS devices by performing the following in the Microsoft Intune admin center:

1. Create a new configuration profile by navigating to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create.
2. Enter an appropriate name and description and select Next.
3. Click + Add settings and in the search bar, enter Network Protection and select Search.
4. Select the Microsoft Defender Network protection category, select the checkbox next to Enforcement Level, and close the settings picker window.
5. In the drop-down menu next to Enforcement Level, select Block and select Next.
6. Add Scope tags as required and select Next.
7. Assign the policy to a user or device group and select Next.
8. Review the policy and select Create.

When attempting to access the website, the user sees a browser error such as: http://www.deepseek.com – This site can't be reached. On the device itself, the mdatp health command reports the network protection status, which is a quick way to confirm the profile applied.

Conclusion

This blog serves as a quick guide for admins who need to block and remove specific applications on their Intune managed endpoints in regulated organizations.
Additional guidance for other mobile device enrollment methods can be found here: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

Additional resources

For further control and management of user access to unapproved DeepSeek services, consider the following resources. This article provides insights into monitoring and gaining visibility into DeepSeek usage within your organization using Microsoft Defender XDR. Additionally, our Microsoft Purview guide offers information on managing AI services and ensuring compliance with organizational policies. These resources can help enhance your security posture and ensure that only approved applications are accessible to users.

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.