The last few weeks were all about getting started with Windows 365 Enterprise Cloud PCs and Microsoft Dev Box. And especially for Windows 365 Enterprise also looking at the main different configuration options. As both are based on the same foundation, the result of both is a Cloud PC that is automatically enrolled and managed by Microsoft Intune. That automatic enrollment makes sure that it’s very easy to get started with managing Cloud PCs. By automatically enrolling into Microsoft Intune, all the standard Windows device management capabilities are also available for Cloud PCs. That means: device configurations, device compliance, application deployment, update management and reporting. This post provides a quick overview of the options that become available for easily managing Cloud PCs and that are actually different compared to other Windows devices.
Note: Device configurations and app deployments are fairly similar to other Windows devices and will not be discussed in this blog post. The only exception on the configuration side is the Windows 365 security baseline.
Device filters and dynamic groups for Cloud PCs
When looking at managing Cloud PCs, it’s important to make sure that a filter and a dynamic membership rule are available that cover all Cloud PCs. That filter and that dynamic rule can be used to easily apply configurations and deployments only to Cloud PCs, similar to the filter specifically for Windows 365 Enterprise Cloud PCs that was discussed earlier on this blog. Something similar applies to Dev Box: the resulting Cloud PCs have similar limitations and also need separate treatment in specific situations, like device compliance. A minor detail is that the filter and the dynamic rule might need some tweaking to catch all Cloud PCs, as the device model is different for Dev Box. Below is an example of a query that covers both types of Cloud PCs, first as a filter rule (Intune filter syntax, property device.model) and then as a dynamic membership rule (Azure AD dynamic group syntax, property device.deviceModel).
Filter rule:
(device.model -startsWith "Dev Box") or (device.model -startsWith "Cloud PC")
Dynamic membership rule:
(device.deviceModel -startsWith "Cloud PC") or (device.deviceModel -startsWith "Dev Box")
Note: The device model differs between the different forms of Cloud PC. Windows 365 Enterprise and Microsoft Dev Box each report their own model, and Windows 365 Business reports yet another one.
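To check what a rule like the two above will actually catch before assigning policies to it, the following added example (not code from the original post) evaluates the rule text against a small set of constructed device records. It is a small Python evaluator for the subset of the rule grammar used here (parentheses, -startsWith, -notStartsWith, -eq, -ne, -contains, and/or with or without the leading dash). The property alias table, the case-insensitive string comparison and the sample device models are assumptions made for the example; the only facts taken from the post are the two rule strings and that Windows 365 Enterprise models start with "Cloud PC" and Dev Box models with "Dev Box".

```python
import re

# Rules from the post: Intune filter form (device.model) and Azure AD dynamic
# membership form (device.deviceModel).
FILTER_RULE = '(device.model -startsWith "Dev Box") or (device.model -startsWith "Cloud PC")'
DYNAMIC_RULE = '(device.deviceModel -startsWith "Cloud PC") or (device.deviceModel -startsWith "Dev Box")'

# Assumption: both property spellings are mapped onto one record field so a
# single evaluator can check either rule form.
PROPERTY_ALIASES = {
    "device.model": "model",           # Intune filter property name
    "device.deviceModel": "model",     # Azure AD dynamic group property name
    "device.deviceName": "deviceName",
    "device.displayName": "deviceName",
}

# Constructed sample records (not real tenant data). The first two follow the
# prefixes named in the post; the last two are devices that must NOT match.
SAMPLE_DEVICES = [
    {"deviceName": "CPC-user1", "model": "Cloud PC Enterprise (constructed)"},
    {"deviceName": "DEVBOX-user2", "model": "Dev Box (constructed)"},
    {"deviceName": "LAPTOP-user3", "model": "Physical laptop (constructed)"},
    {"deviceName": "VM-user4", "model": "Generic Cloud PC-like VM (constructed)"},
]

# Token kinds: parentheses, quoted strings, -operators, dotted property names
# and the bare keywords and/or.
_TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|-\w+|\w+(?:\.\w+)*)')


def tokenize(rule):
    tokens, pos = [], 0
    rule = rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected text at {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(tokens):
    """Recursive descent: or_expr -> and_expr ('or' and_expr)*; atoms are
    '(' or_expr ')' or 'property -op "value"'."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok

    def is_keyword(tok, word):
        # Accept both the Intune style ("or") and the Azure AD style ("-or").
        return tok is not None and tok.lower().lstrip("-") == word

    def or_expr():
        node = and_expr()
        while is_keyword(peek(), "or"):
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():
        node = atom()
        while is_keyword(peek(), "and"):
            take()
            node = ("and", node, atom())
        return node

    def atom():
        if peek() == "(":
            take("(")
            node = or_expr()
            take(")")
            return node
        prop, op, value = take(), take(), take()
        if not (value.startswith('"') and value.endswith('"')):
            raise ValueError(f"expected quoted string, got {value!r}")
        return ("cmp", prop, op.lower(), value[1:-1])

    tree = or_expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return tree


def evaluate(node, device):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], device) or evaluate(node[2], device)
    if kind == "and":
        return evaluate(node[1], device) and evaluate(node[2], device)
    _, prop, op, value = node
    if prop not in PROPERTY_ALIASES:
        raise ValueError(f"unsupported property {prop!r}")
    # Assumption: comparisons are case-insensitive.
    actual = str(device.get(PROPERTY_ALIASES[prop], "")).lower()
    value = value.lower()
    if op == "-startswith":
        return actual.startswith(value)
    if op == "-notstartswith":
        return not actual.startswith(value)
    if op == "-eq":
        return actual == value
    if op == "-ne":
        return actual != value
    if op == "-contains":
        return value in actual
    raise ValueError(f"unsupported operator {op!r}")


def matching_devices(rule, devices):
    """Return the names of the devices the rule would include."""
    tree = parse(tokenize(rule))
    return [d["deviceName"] for d in devices if evaluate(tree, d)]


if __name__ == "__main__":
    for name, rule in (("filter", FILTER_RULE), ("dynamic group", DYNAMIC_RULE)):
        print(f"{name}: {matching_devices(rule, SAMPLE_DEVICES)}")
```

The fourth sample record shows why -startsWith rather than -contains is the right operator here: a model that merely contains "Cloud PC" somewhere in its name is left out, so only the two Cloud PC types the post targets end up in the filter or group.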
Device compliance for Cloud PCs
Device compliance has some important differences compared to other Windows devices. The most important one is disk encryption: the usage of BitLocker is currently not supported on Cloud PCs. That requires at least a device compliance policy for Cloud PCs that doesn’t require disk encryption. Without that, those devices won’t become compliant.
Note: For more details about device compliance for Windows 365 Enterprise Cloud PCs, refer to this previous post.
Security baseline for Cloud PCs
For Windows 365 Enterprise Cloud PCs a specific security baseline is available that combines security best practices with real world implementation experiences. In many areas that security baseline will be applicable to all Cloud PCs, which makes it an easy starting point for secure Cloud PCs. The baseline enables security configurations for Windows, Microsoft Edge and Microsoft Defender for Endpoint. The best part of using the security baseline is that it is versioned and comes with an easy process to update to the latest version of the baseline. An overview of the general properties of the latest security baseline is shown below in Figure 1.
Note: For more information about the Windows 365 security baseline and its implementation, refer to the docs.
Remote actions for Cloud PCs
Another part of managing Cloud PCs is the available remote actions. Just like for other Windows devices that are managed via Microsoft Intune, many actions are available to remotely perform on Cloud PCs. The tight integration of Windows 365 Enterprise with Microsoft Endpoint Manager makes it possible to perform extra remote actions on those Cloud PCs. Looking at the currently available remote actions, the following are available for Cloud PCs.
| Remote action | Windows 365 Enterprise | Microsoft Dev Box |
|---|---|---|
| Sync | Available and working | Available and working |
| Restart | Available and working | Available, but not working* |
| Restore | Available and working | Available, but not working* |
| Reprovision | Available and working | Not applicable* |
| Resize | Available and working | Not applicable* |
| Collect diagnostics | Available and working | Available and working |
| Quick scan | Available and working | Available and working |
| Full scan | Available and working | Available and working |
| Update Windows Defender security intelligence | Available and working | Available and working |
| New remote assistance session | Available and working | Available and working |
| Place Cloud PC under review | Available and working | Available and working |
Note: Keep in mind that in many areas, the Cloud PCs of Windows 365 Enterprise and Microsoft Dev Box are similar. A big difference, however, is the direct integration with Microsoft Endpoint Manager. That might explain the difference in available remote actions. Another explanation could simply be the preview status of the latter product.
Note: For more information about the device management capabilities for Cloud PCs, refer to the docs.
Update management for Cloud PCs
An important part of managing Cloud PCs is update management. Just like for other Windows devices that are managed via Microsoft Intune, there are different options available for managing the update process on Cloud PCs. The standard management capabilities via Windows Update for Business are available, in combination with update rings and feature update deployments. In addition to that, Windows Autopatch can be used to further simplify the process around keeping the Cloud PCs up-to-date. That is applicable to updates for Windows, Microsoft Edge, Microsoft Teams and Microsoft 365 Apps for enterprise. The best part is that Windows Autopatch is even directly integrated with the provisioning process of Windows 365 Enterprise. By using Windows Autopatch, the process around grouping devices and reporting on update deployments gets further simplified.
Note: For more information about Windows Autopatch and its implementation, refer to the docs.
Reporting and monitoring for Cloud PCs
For insights, Microsoft provides a few reports specifically for Cloud PCs, in this case specifically Windows 365 Enterprise Cloud PCs. For those Cloud PCs there are reports available about the resource performance and the remoting connections. The resource performance report provides the information to further optimize the vCPU and RAM resources on the Cloud PCs in the organization, and the remoting connection report provides the information to monitor key performance metrics for connecting to the Cloud PCs (as briefly shown below in Figure 2).
Besides the additional reports, there are also some additional monitoring options available for Cloud PCs (as shown below in Figure 3). For all Cloud PCs, monitoring overviews are available about user connections and restore points. The user connections overview provides insights into the connectivity errors experienced by users on the Cloud PC, and the restore points overview provides insights into the available restore points of the Cloud PC.
For more information about managing Cloud PCs, refer to the following docs.
- Remotely manage Windows 365 devices | Microsoft Docs
- Managing Cloud PCs with Microsoft Intune | Microsoft Docs
- What is Windows Autopatch? – Windows Deployment | Microsoft Docs
- Deploy security baselines for Windows 365 | Microsoft Docs
- Resource performance report for Windows 365 | Microsoft Docs
- Remoting connection report for Windows 365 | Microsoft Docs