How to Plan for a Windows 365 Cloud PC Deployment?

How to Get Started with Windows 365?

Windows 365/ Cloud PCs have become very popular very soon and have also come a long way in a very short period of time.

I have wanted to write a blog about Windows 365 and its capabilities for a while now, mainly because of how closely connected Microsoft Intune and Azure AD are. This is for anyone who is starting out with the product and/or needs to try it out. So let’s get started.

What is Windows 365, and What will this Answer?

A highly available VM in the cloud that is optimized to do more and personalized. Simply put, it’s Windows in the cloud. Windows as a Service or Cloud PC, in other words. There are 2 flavors at the moment.

Once you have the license and proper infrastructure, you can start provisioning them to your users according to the requirements.

Hybrid work has become a buzzword in organizations with the rise of the pandemic, and it is here to stay. I mean Hybrid work, not the pandemic 🙂

With this, the IT departments are making every effort to make their devices ready for Hybrid work. VPN, Remote Desktop Services, and other ways of connecting to the corporate infrastructure.

Enter Windows 365. This provides the users with the same experience from anywhere, any device that they launch the session from. IT departments can now provision the Cloud PCs (CPC) very easily, and it will not take a long time to get them up and running.

Power of the cloud, hey?

The best thing is it is still protected with the same security features you are using for your Identity Infrastructure (Eg: MFA)

What do you need to have to get started?

This is the high-level of the components, and I will be covering them in my upcoming blog posts.

• M365 Admin Portal
• Proper W365 License
• A W365 provisioning Policy
• Azure environment (vNet etc) to connect the device as a Hybrid
• Proper RBAC accounts

Sort out the Licensing Requirements

Windows 365 Enterprise

To take advantage of all things related to Enterprise benefits, users should be assigned with below

Each user that is assigned with a CPC should have Windows 10 Enterprise or Windows 11 Enterprise along with Microsoft Intune, Azure Active Directory Premium P1

Microsoft Intune, AAD Premium P1 and Windows 10/11 Enterprise is included in Microsoft 365 F3, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 A3, Microsoft 365 A5, Microsoft 365 Business Premium, and Microsoft 365 Education Student

Check M365 Maps by Aaron Dinnage, as he has made understanding licensing so easy (hats off!!!!)

Compare Windows 365 Enterprise and Business versions

Compare the features between Windows 365 Business and Enterprise versions from this link​​​​​​.

Right Size the CPC

If you are new to this, to get an understanding of the costs, you can go to this link to get an idea about how much you will be paying

As mentioned earlier, it is vital to understand the user requirements and what application they need to open in the CPC. Then, you can purchase the licenses appropriately.

Go to the Cloud PC Chooser link here, as that will guide you to go for the right sizing. Once you are done with the wizard you will get something similar to below.

while you can always check this with your CSP or the PS partner, you can go to M365 Admin Portal > Billing > Purchase Services

And search Windows 365.

Windows 365 Portal

This is where the fun begins! Sorry Anakin, I had to use your line because this is where the fun begins for real 🙂

Now that you have purchased the licenses go through the below steps to provision and configure the devices. The nitty-gritty of how to provision your first CPC will be published in the next Windows 365 blog post, as that will be easier for you to digest

• Go to the Intune Portal (endpoint.microsoft.com) > Devices > Windows 365.
  
• Overview of the page.
  

Windows 365 App

Before a dedicated app was released, the app to use was the Microsoft Remote Desktop app

But in the Ignite 2022, the Windows 365 App was announced, and at the moment, this is in Preview mode and can be downloaded from the Microsoft Store.

Because the CPC is not provisioned yet, when my user log in, they will be getting the below message.

I discussed how to get started with the product. Now I want to discuss what to think when planning for your Windows 365 deployment and especially how to set up RBAC. Before jumping into the technical side of W365, it is important to understand why you need Cloud PCs in the first place. Once identified, triaging the tasks is essential, and that’s where the RBAC comes in. As with other products, Windows 365 has a main admin role as well as built-in roles along with options for custom roles if needed. This is my take on those and how you can complete this step before configuring the devices. I hope this will be a good guide to add to your bookmarks 🙂

What Will I be discussing? 👇🏽

1. How to Choose and What to Consider?
2. CPC Lifecycle
3. Supported CPC Authentication
4. RBAC For The Win
5. All in Access
6. Cloud PC Built-in Roles
7. Create Your Own Custom Role Using Built-in Roles
8. Prepare Your Azure AD Groups
9. End User Communication
10. Wrapping Up

How to Choose and What to Consider?

Some major thinking points for you to determine how your Windows 365 implementation should be.

Do you need the CPC to have a line of site access to your DCs?

Some organizations require the devices to be joined to on-prem AD for various reasons, mainly as they treat the on-prem AD as the source of truth. Sometimes, the file shares are still coming from local file servers, and they need to be accessible.

Are you using GPOs or Intune policies? or both?

If you are in the middle of moving your GPOs to the cloud by replacing them with Intune policies, if you are using both in mixed mode or if you are still using GPOs only, you might need the CPC to be Hybrid AAD Joined.

Do users need LOB apps that are connected to your on-prem domain? or the app authentication managed via Azure AD?

Same as above, modern applications can be authenticated via Azure AD or if you have Azure AD App proxy setup for the apps that aren’t modern apps, you can consider provisioning CPCs that are Azure AD Joined. Then again, you should not have any local AD relationship with the devices as AAD Joined only talks with the cloud but not the on-prem AD.

There are situations where you may have apps whose authentication hasn’t been changed to Azure AD and still depend on LDAP or legacy authentication methods. This can be a deal breaker if you need to move the CPC authentication to Azure AD.

Any Geographical requirements?

This comes into play when you have users across many regions. This can align with your Azure Network if you have one, and it can be a compliance requirement to make sure the proper region retains your data at rest. Keeping it in the same region as the CPC user is in will enhance their performance as well.

Require M365 Apps and Teams?

This is more for choosing the right CPC sizes for the users. There can be users who do processor-heavy work or standard front desk-type work.

This link Cloud PC Chooser will help you to understand this better.

Check this planning guide from Microsoft

CPC Lifecycle

As a standard “physical” workstation where you purchase – configure – protect – monitor – and retire, CPCs also have a similar lifecycle.

My upcoming Windows 365-related blog posts will mainly go with the lifecycle theme as that will cover all ground.

Image from MS Learn

• Provision: Once you have the correct images, licenses, provisioning policies, and/or Azure Network setup, you can start provisioning the CPCs. Best to manage the provisioning via targetted groups so it will be easy to manage.
• Configure: Identifying the join requirements (AADJ or HAADJ), setting up security baseline policies, compliance policies as well as other Intune configuration profiles that help you to streamline the CPCs. I would add this is where you set up your RBAC for the rest of the IT team as well.
• Protect: Setting up Azure AD Conditional Access Policies, onboarding the CPC to Microsoft Defender for Endpoint, setting up Security Policies via Intune and other Information protection policies that prohibit copying/pasting and saving files to unmanaged locations, etc.
• Monitor: Endpoint Analytics, Intune reports, and Microsoft Productivity Score will help you to understand if the CPC environment is running without any performance issues. If you have any issues, then you can always resize the CPC – which I will be discussing in another post. Using Intune portal’s Proactive Remediations to improve CPC monitoring is another good way to understand if the CPCs are running as expected.
• Deprovision: Blocking access immediately, Revoking the user’s refresh token, and de-provisioning the CPC altogether can be done as that will securely remove access from the user, which can be due to various reasons.

Supported CPC Authentication

As we briefly touched base in the previous section, Azure AD provides authentication for Azure AD Joined (AADJ) CPCs, and Local AD provides authentication for Hybrid Azure AD Joined (HAADJ) CPCs.

• Windows desktop client
  • Username and password
  • Smartcard
  • Windows Hello for Business certificate trust
  • Windows Hello for Business key trust with certificates

Smartcard and Windows Hello authentication require the Windows desktop client to be able to perform Kerberos authentication when used with Hybrid AADJ. This requires the physical client to have a line of sight to a domain controller.

• Windows store client: Username and password
• Web client: Username and password
• Android: Username and password
• iOS: Username and password
• macOS: Username and password

RBAC For The Win

All in Access

• Windows 365 Administrator: Manages All Aspects of Windows 365
  • Manage Windows 365 Cloud PCs in Microsoft Endpoint Manager
  • Enroll and manage devices in Azure AD, including assigning users and policies
  • Create and manage security groups, but not role-assignable groups
  • View basic properties in the Microsoft 365 admin center
  • Read usage reports in the Microsoft 365 admin center
  • Create and manage support tickets in Azure AD and the Microsoft 365 admin center

You can go to Admin Center from admin.microsoft.com > Roles > and select the Windows 365 Administrator to add the members

Cloud PC Built-in Roles

• Cloud PC Administrator: Manages all aspects of Cloud PCs.
  • OS image management
  • Azure network connection configuration
  • Provisioning

• Cloud PC Reader: Views Cloud PC data available in the Windows 365 node in Microsoft Endpoint Manager but can’t make changes

You can go to Intune Admin Portal from endpoint.microsoft.com > Tenant Administration > Roles

Create Your Own Custom Role Using Built-in Roles

As you can see below, in the same Roles section of the Intune portal, go to Create and select Windows 365 role.

Provide the name of the role.

Set the options as needed.

Once created, you can assign the Role to your admins.

And done.

Prepare your Azure AD Groups

Having groups created and ready to go can be handy as you are finalizing the deployment strategy. The reason is you may have users that require different CPC sizes given the activities they perform. A good combination can be adding the proper licensing attached to the group along with the proper group name.

Example License = Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB

Some examples of the Azure AD Group name can be done as

• W365CPC-ENT-2CPU-8MEM-128ST or
• CPC-ENT-2CPU-8RAM-128SSD or
• W365-ENT-2CPU-8RAM-128ST

End User Communication

Getting the comms right at the start will greatly help you in the rollout. For a standard workstation user, a Cloud PC can be a new word in their work vocabulary. Saturating them with proper announcements will help you and them for a good transition. Below are some talking points where you can provide information to your users.

• What is a Cloud PC?
• What can I do with a Cloud PC?
• How and what changes from what I do at the moment?
• Cloud PC Benefits?
• How to request a Cloud PC?
• How to access the Cloud PC?
• Whom to contact?

Wrapping Up

I hope this gave you a theatrical understanding of how to work with Cloud PCs and Windows 365 as a whole. This can be a large investment in your organization, and having the right strategy in mind can help to achieve goals in the right way without facing any roadblocks,