This week is all about Windows 10 in cloud configuration (also known as cloud config). Cloud config is focused on standardizing and simplifying management for users with focused workflow needs and initially started as a documented set of recommended configuration settings. At that point in time, it was already known that eventually it would evolve to be more than just documentation. And it really did evolve. With the latest service updates to Microsoft Intune (2103), a new guided scenario is introduced that will walk the IT administrator through a few important variables and that will create all the earlier mentioned recommended configuration settings. This post will start with a quick introduction about cloud config, followed by the steps to walk through the guided scenario. This post will end by showing the results of the guided scenario, both in Microsoft Intune and on the device.
Introduction to cloud config
Let’s start with the fact that cloud config is not a new Windows 10 version, nor a new licensing plan. Cloud config is really just a recommended set of configuration settings for different areas of Windows 10. Those areas include Windows Autopilot, Windows 10 security baselines, Windows Update for Business, Microsoft 365 apps for enterprise, Microsoft Edge (including SmartScreen), OneDrive (including Known Folder Move), device compliance and more. Cloud config relies on Microsoft Intune for providing those configurations. That also enables Microsoft to further enhance the recommended configurations over time and allows organizations to easily distribute those enhancements.
The fact that cloud config is just a recommended set of configuration settings also means that using cloud config doesn’t require a reset of the device. The configuration settings can be assigned at any moment in time. Of course, resetting the device is still advised, as that will bring the device into a clean state, without potentially conflicting policies or settings. Cloud config can be used with Windows 10 Pro as well as Windows 10 Enterprise, and it relies on Microsoft 365 apps for enterprise (a minimum of OneDrive for Business and Microsoft Teams), Microsoft Intune and Azure AD. Those components need to be licensed, either separately or as part of a licensing suite, to fully utilize cloud config.
As cloud config is focused on providing an easy method for creating a secure and standardized work environment, it’s ideal for specific use cases. Those use cases include frontline workers, remote workers and other users with focused workflow needs, like productivity and browsing. Other use cases might need a different approach and customizations, which defeats the purpose of cloud config. However, as cloud config is just a set of recommended configurations, those configurations can always be the starting point for other use cases. The main idea of cloud config itself is to keep it simple and to keep the focus on the mentioned specific use cases.
Configuration of cloud config
With the latest service release of Microsoft Intune (2103), cloud config is now available as a guided scenario. That guided scenario will walk the IT administrator through the process that will eventually trigger the creation of the different resources (policies, apps, scripts, etc.) that technically represent cloud config. The following six steps walk through that guided scenario and the required input.
Important: This guided scenario assumes that the MDM authority is already set to Microsoft Intune and that automatic enrollment for Windows 10 devices is already configured.
- Open the Microsoft Endpoint Manager admin center portal, navigate to Troubleshooting + support > Guided scenarios > Deploy Windows 10 in cloud configuration and click Start to open the Deploy Windows in cloud configuration guided scenario wizard
- On the Introduction page, read through the information and click Next
- On the Basics page, provide the following information (as shown in Figure 1) and click Next
  - Autopilot device name template – The guided scenario will create a Windows Autopilot deployment profile and, similar to manually creating that deployment profile, that requires some input
    - Apply device name template: Choose Yes or No as value, to either confirm that the default naming template (often DESKTOP-) is sufficient or to require configuring a custom naming template
    - Enter a name: (Optional) When choosing to configure a custom naming template, provide the required naming template (this can include %SERIAL% and %RAND:x% as variables)
  - Resource name prefix – The guided scenario will create multiple resources within Microsoft Intune and providing a resource name prefix will enable the IT administrator to easily recognize those resources
    - Enter a resource prefix name: Provide a resource name prefix that will be used for all the resources and that is immediately shown in the overview below
- On the Apps page, provide the following information (as shown in Figure 2) and click Next
  - Cloud config defaults – The guided scenario will at least create the cloud config default apps – Microsoft Teams and Microsoft Edge – as those apps are essential to the cloud config experience
  - Select additional M365 apps (optional) – The guided scenario also enables the installation of the additional Microsoft 365 apps, as those apps can be beneficial to the user experience
- On the Assignments page, provide the following information (as shown in Figure 3) and click Next
  - Choose groups – The guided scenario will create an assignment for all the resources that are created
    - Choose Create new group or Choose an existing group as value, to either create a new group for the assignments or to use an existing group for the assignments
    - Group name: (Optional) When choosing to create a group, provide a name for the group
- On the Review + deploy page, verify the configuration and click Deploy
Overview of the created resources
Once the Deploy Windows 10 in cloud configuration guided scenario is completed, an overview of the successful deployment is shown. That overview, as shown in Figure 4, lists all the resources that are automatically created by this guided scenario. Let’s provide a quick summary of those resources and their main usage.
| Resource type | Actual resource | Main usage |
|---|---|---|
| AAD Security Group | Azure Active Directory security group | This resource is used for assigning all the other created resources |
| M365 App Suite | Microsoft 365 Apps (Windows 10) | This resource is used for deploying Microsoft Teams and the additionally selected Microsoft 365 apps, to make sure that the most important productivity apps are available |
| App | Microsoft Edge (Windows 10) | This resource is used for deploying the Microsoft Edge browser, to make sure that the latest version of the default browser is available |
| Windows 10 security baseline | MDM Security Baseline | This resource is used for applying the latest Windows 10 security baseline, to make sure that the device is secure |
| Autopilot profile | Windows Autopilot deployment profiles | This resource is used for customizing the out-of-the-box experience and automatically joining the device to Azure AD, to start the automatic enrollment in Microsoft Intune |
| Enrollment Status Page | Enrollment Status Page | This resource is used for providing users with an overview of the configuration progress of the different apps and profiles |
| Administrative template | Administrative Templates | This resource is used for configuring the different OneDrive settings for Known Folder Move, to provide the user with the best experience |
| Administrative template | Administrative Templates | This resource is used for configuring the different SmartScreen settings for the Microsoft Edge browser, to provide the user with secure browsing |
| Compliance policy | Windows 10 compliance policy | This resource is used for monitoring the compliance and health, to make sure that the device is compliant with the different security and update requirements |
| Script | PowerShell script | This resource is used for removing the built-in apps, to provide the user with a clean Start menu without the clutter of apps that are not needed |
| Windows 10 update ring | Windows 10 update ring | This resource is used for configuring the Windows 10 feature update behavior to keep the device up-to-date |
The last action that is left for the IT administrator is to add devices to the group that is used for the assignment of the different created resources.
Important: The devices that are added to the group must be pre-registered in Autopilot.
Result of cloud config
When looking at the results of cloud config, it’s especially interesting to have a look at the default configurations that create a secure and standardized work environment, this time not from the technical perspective, but from the device perspective. The most important items are summarized below.
- The device will be Azure AD joined and Microsoft Intune managed
- The user will be a standard user on the device
- The built-in apps are removed and the Start menu is simplified
- The latest version of the Microsoft Edge browser is installed with SmartScreen enabled
- The latest version of Microsoft Teams is installed
- (Optional) The latest versions of the Microsoft 365 apps are installed
- OneDrive is configured with Known Folder Move enabled
- The latest security features are enabled, including Antivirus, BitLocker, Credential Guard, Firewall, SmartScreen and Attack Surface Reduction (ASR)
The most important impact on the look-and-feel is shown below in Figure 5. That shows an overview of the configuration of OneDrive (including Known Folder Move) and a clean Start menu with only Microsoft Edge, (optional) some Microsoft 365 apps and the built-in Windows tools (and accessories).
Note: Keep in mind that the user is a standard user on the device and that those standard permissions might introduce challenges with enabling BitLocker on the device.
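The device-side results summarized above can be spot-checked on an enrolled test device. The following PowerShell function is an added example, not part of the original post or of cloud config itself; the function name and output property names are hypothetical, and it only reads state.

```powershell
# Added example: read-only spot check of the device-side results listed above.
# Run it in the signed-in user's own (non-elevated) session.
function Get-CloudConfigDeviceState {
    # Run one check; report 'Unknown' when it fails (for example access denied)
    function Invoke-Check([scriptblock]$Check) {
        try { & $Check } catch { 'Unknown' }
    }

    [pscustomobject]@{
        # dsregcmd prints "AzureAdJoined : YES" on an Azure AD joined device
        AzureAdJoined = Invoke-Check {
            [bool](dsregcmd.exe /status | Select-String 'AzureAdJoined\s*:\s*YES' -Quiet)
        }
        # S-1-5-32-544 is BUILTIN\Administrators; a standard user's token lacks it
        StandardUser = Invoke-Check {
            -not [bool](whoami.exe /groups | Select-String 'S-1-5-32-544' -Quiet)
        }
        # Microsoft Defender Antivirus real-time protection
        RealTimeProtection = Invoke-Check {
            (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled
        }
        # True only when the Domain, Private and Public profiles are all enabled
        FirewallAllProfiles = Invoke-Check {
            @(Get-NetFirewallProfile -ErrorAction Stop |
                Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        }
        # SecurityServicesRunning contains 1 when Credential Guard is running
        CredentialGuard = Invoke-Check {
            $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                -ClassName Win32_DeviceGuard -ErrorAction Stop
            $dg.SecurityServicesRunning -contains 1
        }
        # Get-BitLockerVolume needs elevation; a standard user gets 'Unknown'
        BitLockerOsVolume = Invoke-Check {
            (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus
        }
    }
}

Get-CloudConfigDeviceState | Format-List
```

The `StandardUser` check is only meaningful in the user's own session, while the BitLocker state can only be read from an elevated session, so a full picture takes one run of each.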
For more information about Windows 10 in cloud configuration, refer to the following docs.