Core Infrastructure and Security Blog

Deprovisioning Cloud PCs in Windows 365

JakeStoker
Microsoft
Jul 14, 2022

I am based in the UK as a Senior Program Manager / Modern Work Architect Specialist (MWAS) within the Endpoint Management space. Today I am going to cover a hot topic, Windows 365, and more specifically the deprovisioning part of the Cloud PC lifecycle.

Bringing Cloud PCs into the world is different from a typical VM or physical device, and taking them out of the world is different too. Typically, you would “Wipe” a physical Windows device from the MEM console to reset it. With Windows 365 Cloud PCs, you must take a different route to achieve this.

How to Deprovision a Cloud PC

There are a couple of ways to deprovision a Cloud PC. One is to remove the Windows 365 license from the user whose Cloud PC you want to deprovision. This places the Cloud PC into a “Grace Period” state for 7 days. The Grace Period exists to prevent accidental deletion: for example, if an admin accidentally removes a load of licenses from users, you wouldn’t want all those Cloud PCs to start deleting immediately. If you re-assign the license within the Grace Period, the device will not be deprovisioned.

 

Note: If you move the license to another user, this will not take the Cloud PC out of the grace period. You cannot move a Cloud PC from one user to another without provisioning a fresh Cloud PC.

Another method to deprovision a Cloud PC is to remove the user from the group targeted by the provisioning policy that was used to provision the Cloud PC, or to remove the group from the provisioning policy assignment. Again, this will place the Cloud PC into the Grace Period state. As before, if you add the user back to the group or re-assign the group to the provisioning policy before the Grace Period ends, the Cloud PC will remain provisioned.

 

In this demo environment, my group “CPC” only contains one user, so I can remove the group from the provisioning policy assignment.

How to End the Grace Period

At this stage you are probably wondering “what if I don’t want to wait 7 days for the grace period? I know this was not a mistake and I want to delete the Cloud PC now.”

 

In this case, you can end the grace period for a particular Cloud PC by clicking on the “In Grace Period” state and choosing End Grace Period. This changes the Cloud PC to the “Deprovisioning” state whilst the Cloud PC is being deleted.

Ending the grace period is not one of the available bulk actions in the MEM console today, so in the UI you can only end the grace period one Cloud PC at a time. You may encounter a scenario where you want to deprovision many Cloud PCs at once, and doing this one by one would be time consuming. I have uploaded a PowerShell script to GitHub which will deprovision all Cloud PCs which are in a Grace Period. Special thanks to Donna Ryan from the Windows 365 CAT team for providing a fantastic base script to build upon.
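
As an added illustration of the bulk operation described above (this is not the script published on GitHub, nor code from Microsoft), the sketch below ends the grace period for every Cloud PC that is in one. It assumes the Microsoft.Graph.Authentication module, the Microsoft Graph beta `cloudPCs` endpoint with its `endGracePeriod` action, and the `CloudPC.ReadWrite.All` permission; the audit file name is made up for the example.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: bulk "End Grace Period" with an audit record and a confirmation gate.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    # Assumption: Graph beta endpoint for Windows 365.
    [string]$GraphBase = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint',
    # Hypothetical output path for the change record.
    [string]$AuditPath = '.\cloudpc-grace-period-audit.csv'
)

Connect-MgGraph -Scopes 'CloudPC.ReadWrite.All'

# Read every Cloud PC, following @odata.nextLink until the last page.
$cloudPCs = @()
$uri = "$GraphBase/cloudPCs"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $cloudPCs += $page.value
    $uri = $page.'@odata.nextLink'
}

# Filter client-side so the script does not depend on server-side $filter support.
$inGrace = @($cloudPCs | Where-Object { $_.status -eq 'inGracePeriod' })
if ($inGrace.Count -eq 0) {
    Write-Host 'No Cloud PCs are in a grace period.'
    return
}

# Write down what is about to be deleted before touching anything.
$inGrace | ForEach-Object {
    [pscustomobject]@{
        Id             = $_.id
        Name           = $_.managedDeviceName
        User           = $_.userPrincipalName
        GracePeriodEnd = $_.gracePeriodEndDateTime
    }
} | Export-Csv -Path $AuditPath -NoTypeInformation

foreach ($pc in $inGrace) {
    $label = '{0} ({1})' -f $pc.managedDeviceName, $pc.userPrincipalName
    # ShouldProcess gives -WhatIf for a dry run and a prompt per Cloud PC otherwise.
    if ($PSCmdlet.ShouldProcess($label, 'End grace period (Cloud PC will be deleted)')) {
        try {
            Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/cloudPCs/$($pc.id)/endGracePeriod"
            Write-Host "Grace period ended: $label"
        } catch {
            Write-Warning "Failed for ${label}: $($_.Exception.Message)"
        }
    }
}
```

Run it with `-WhatIf` first to list the Cloud PCs that would be deleted; ending the grace period cannot be undone by re-assigning the license.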

 

Post Deprovisioning Clean-up

 

Once the grace period has ended and the Cloud PC is deleted, the Windows 365 service also takes care of cleaning up the following objects:

  • Intune Object
  • Azure AD Object
  • Azure vNIC

Note: If the device was provisioned as Hybrid Azure AD Joined, the on-premises Active Directory object will be disabled but it will not be deleted. Deleting the object is the responsibility of the Active Directory administrator as part of ongoing maintenance.

 

Resources

 

Provisioning in Windows 365 | Microsoft Docs

Cloud PC lifecycle in Windows 365 | Microsoft Docs

 

Thanks for reading this post. Add your experiences with Windows 365 in the comments section.

 

Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

Updated Jul 12, 2022
Version 1.0
  • urijah1
    Copper Contributor

    Thanks JakeStoker  for this article. We recently adopted Windows 365 as a quick way to scale up our distributed workforce. 

     

    What we have encountered is that if an Azure AD user has two Cloud PCs with two different license types and one of the licenses is removed, BOTH Cloud PCs are deprovisioned.  After the grace period ends, the Cloud PC for the license that was removed is deleted (which is expected) and the license that stayed intact was then provisioned a brand new Cloud PC (not expected).  You can see how this upset the user whose Cloud PC that they needed to keep was abruptly deleted. The Cloud PCs were in different provisioning policies and groups so it makes no sense why both of them would get deleted when only one license was removed. 

     

    I'm able to reproduce this scenario.  It appears that you have to catch the Cloud PC you want to keep when it's in the grace period and remove the user from provisioning group then re-add the group membership for the license to re-apply.  I've opened a Microsoft Support case and have yet to hear back on a reason why this is the case.  Maybe you might want to test this out and add this to your post to help others that are using multiple Cloud PCs for one user and when it's time to deprovision just one of them. 

  • urijah1
    Copper Contributor

    JakeStoker Thanks Jake. I did some more testing today with deprovisioning Cloud PCs when a user has multiple licenses and it now appears to work as expected with only one Cloud PC being put in the grace period.  I'm not sure if there was an update to the provisioning process for Cloud PCs or this was some bug that was fixed.  Anyways, all looks well right now.  

  • DevrajMukherjee
    Copper Contributor

    I need some understanding here, how Windows 365 is able to delete the Azure AD object, as I understand Windows 365 Service only gets access to subscription, vnet and resource group and not on Entra ID. For Entra I suppose Windows 365 requires separate access.

     

    Our issue at this moment is when we re-provision/de-provision a device the Intune object and Azure vNic get removed as Windows 365 service has access on them. But there is no Delete Device action by Windows 365 on Entra ID. What exactly is required on Entra ID so that delete device action is executed by Windows 365 Service?