Windows 365 provisioning is the automated process in the base of provisioning policies created in Endpoint Manager admin center Windows 365 blade. After users are assigned the Windows 365 licenses and provisioning policies are created and targeted to Azure AD user security groups or Microsoft 365 groups, the devices provisioning process will kick off automatically and the devices will be automatically assigned to the users in policy assignments group.
Provisioning policies can be created in the base of different Azure regions, different images, or other different customer requirements. But one user cannot be put in assignments groups of different provisioning policy because the Windows 365 service always uses the first assigned policy to provision the devices for that user.
Scenario 1, Provision Windows 365 in the base of azure region
If a customer has users in different physical branches like in Asia, Europe, US etc. The customer can provision Windows 365 for their users in the base of their physical locations for network connection benefits.
Sign into the Microsoft Endpoint Manager admin center, select Devices > Windows 365 > Provisioning policies > Create policy, below is an example of creating a provisioning policy and targeting it to West Europe users. All the users in the assignments group will get their devices from West Europe.
Users can confirm their Windows 365 location. Open https://windows365.microsoft.com, log in with Azure AD account, users will see the provisioned Windows 365 under their name. Click settings\System information, the
Scenario 2, Provision multiple Windows 365 with different settings for one user
Technically there is no blocker to target multiple provisioning policies to one user. However, only the earliest created policy will be working to provision Windows 365 for the same user. If the user requires multiple versions of Windows 365 devices with different Azure regions or OS images, we can update the same provisioning policy to provision more than one Windows 365 devices with different regions or OS versions for the same user. Below are the two circumstances:
- If the user has 2 Windows 365 devices with same OS and regions provisioned already, but the user needs one of the existing Windows 365 devices to be reprovisioned to a new OS image or a new Azure region, Windows 365 Admin can update the provisioning policy to use new OS image or new Azure region at first, then reprovision one of the existing Windows 365 to the new version. After the reprovisioning is finished, admin needs to change the provisioning policy back to its original region or OS image selection in order not to impact other users in the same assignments group reprovisioning. For example, A user has 2 4V16G Windows 365 devices with windows 10 in West US region already, if he\she wants to change one of the 4V16G windows 10 to Windows 11, or change to Europe region, we can use above way to reprovision one of the existing Windows 10 to Windows 11.
- If the user has existing Windows 365 devices already, he wants to add one more device with different region or OS image from his existing devices. Windows 365 admin can update the provisioning policy to use new OS image or Azure region at first, then assign the user with new Windows 365 license, the new Windows 365 device will be provisioned with the new OS or Azure region immediately. For example, A user has existing 4V16G Windows 10, then he\she wants to add a new Windows 11, Admin can modify the current provisioning policy to point to Windows 11 and the correct region, then go to AAD assign the new license to the user. The new Windows 365 with Windows 11 will be provisioned for this user right away.
Scenario 3, Replace provisioning policy assignments group without deprovisioning existing devices
When we remove the assignments group from the provisioning policy or remove the members from the assignments group, the users’ Windows 365 devices will be deprovisioned immediately.
If we accidently attached wrong assignments group to the provisioning policy, and all the devices have been provisioned already and the users actively used them daily, but this assignments group is being used by other purpose and we need to remove it from provisioning policy. Under such circumstances, we can use the steps below to avoid deprovisioning existing devices, subsequently avoid impacting users.
- Create a new Azure AD group, add all provisioned devices’ users into this group. Open the provisioning policy and edit the “Assignments”, then add this group to the provisioning policy assignments and save the policy change.
- Reopen the provisioning policy, click “Edit” the “Assignments” again, then remove the original group which is also for other purpose and only leave the new group there.