Windows 365: Technical design
Introduction
This post is the second part of my Windows 365 series, where we look into all technical considerations and the technology to provide Cloud PCs.
Before you start a proof-of-concept, you should know:
- The business (use cases) and IT requirements
- The technology and design aspects (in this post)
- Make decisions on how to set up and configure Windows 365
Prerequisites
Before we start you should ensure that your environment meets the prerequisites of Windows 365.
- Licensing
- Windows E3, Intune, Microsoft Entra ID P1, and Windows 365
- Management
- You must have an Entra ID & Intune tenant
- Networking
- Ensure the required network endpoints are reachable from the physical client
- Don't put traffic interception technologies such as SSL/TLS inspection in the path; the Windows 365 and Azure Virtual Desktop endpoints do not support it and connections will fail
- Depending on network architecture you choose:
- Microsoft hosted network: none
- Azure Network Connection (ANC): an Azure subscription with the required resources (resource group, virtual network and subnet) - More information
- Ensure availability of the Microsoft Intune service, Azure Virtual Desktop and the Windows 365 service
- Read the bandwidth specifications to learn how inbound and outbound network traffic is treated. Simply put:
- Microsoft hosted network: inbound is free; an outbound data allowance per month is included and depends on the RAM size of the Cloud PC
- ANC: inbound is free; outbound is charged consumption-based on your Azure subscription
- Supported Azure regions for Cloud PC provisioning
- If you plan for Hybrid Entra Join, verify domain requirements
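A quick way to validate the networking prerequisites from a physical client is to test that the service endpoints are reachable on TCP 443 and that the TLS certificate they present is still issued by a public CA rather than re-signed by an inspection proxy. The script below is an added example and not part of the original post; the endpoint list is a subset of Microsoft's documented required URLs (assumption: compare it against the current list in Microsoft Learn), and the expected issuer pattern is an assumption you should adjust if the certificate chains change.

```powershell
# Added example (not from the original post): reachability and TLS-inspection check
# for a few Windows 365 / Azure Virtual Desktop endpoints from the physical client.
# Endpoint subset is an assumption; verify against Microsoft's current required-URL list.
$Endpoints = @(
    'windows365.microsoft.com',
    'login.microsoftonline.com',
    'rdweb.wvd.microsoft.com',
    'client.wvd.microsoft.com'
)

# Issuer names the leaf certificates of these services are expected to carry.
# Assumption: adjust if Microsoft changes CA vendors. A corporate root or a
# proxy vendor name here means the session is being intercepted.
$ExpectedIssuerPattern = 'Microsoft|DigiCert'

function Test-W365Endpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    $result = [ordered]@{ Host = $HostName; TcpOpen = $false; Issuer = $null; Inspected = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # TCP reachability with a timeout, so a silently dropping firewall does not hang the run.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        # Accept any certificate in the validation callback; we only want to read the
        # presented leaf certificate and judge its issuer ourselves.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Issuer    = $leaf.Issuer
        $result.Inspected = ($leaf.Issuer -notmatch $ExpectedIssuerPattern)
        $ssl.Dispose()
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$report = $Endpoints | ForEach-Object { Test-W365Endpoint -HostName $_ }
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.TcpOpen -or $_.Inspected }) {
    Write-Warning 'At least one endpoint is blocked or TLS-inspected; fix the client network before starting the PoC.'
}
```

The check looks only at the issuer of the leaf certificate, which is enough to spot a re-signing proxy; it does not replace the full endpoint and port list (including UDP for RDP Shortpath) that Microsoft documents for the client side.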
Provisioning
Provisioning is the first phase in the lifecycle of a Cloud PC. It covers the initial setup, preparation and foundational configuration. It requires a Provisioning Policy, which is created in the Intune portal and has 4 elements:
- General
- Image
- Configuration
- Assignments
General
License type
Choose from Windows 365 Enterprise or Frontline Learn more
Join type
The join type to Entra defines the identity trust and enables capabilities like single sign-on. Two join types exist:
- Entra joined
- Computer object only exists in Entra
- Sign in with Entra cloud account
- Works out of the box
- Hybrid Entra joined
- Computer object exists in local Active Directory and Entra
- Users sign in to the Windows 365 service with their Entra account and to Windows with the synced on-premises AD identity
- Requires
- Entra Connect Sync enabled
- An Azure Network Connection, so the Cloud PC can reach your domain controllers for the domain join
Network
Networking is an important topic, since Windows 365 runs as a service in Microsoft's network. Traffic between the service and the Cloud PC therefore stays on a high-performance backbone, but by default there is no connection to your on-premises network and resources. There are 2 network types to choose from in a provisioning policy:
- Microsoft hosted network
- Microsoft provisions, maintains and runs the network for your Cloud PCs
- The Cloud PC has outbound internet access through Microsoft's network; there is no inbound connectivity and no line of sight to your on-premises resources
- Set up a point-to-site VPN client on the Cloud PC if it needs to access on-premises resources
- Azure network connection (requires Azure resources)
- Bring your own network - the Cloud PC has connection to an Azure network, which you provision, maintain and run
- Route traffic over your network to apply your full set of controls, including granular security (firewall, proxy, NSGs)
- Connect the Azure network to on-premises with a site-to-site VPN or ExpressRoute, so the Cloud PC reaches your resources without any client-side VPN
Connection to on-premises network
There are 2 ways to establish connection to resources located in your on-premises network:
- Point-to-site VPN
- A VPN client is installed on the Cloud PC, and the user or device authenticates to the VPN gateway
- Site-to-site VPN
- The Cloud PC sits in an Azure network that has a permanent connection (site-to-site VPN or ExpressRoute) with your on-premises network. No client installation and no authentication on the machine.
Client connectivity
The connection from your access device to your Cloud PC needs sufficient bandwidth, low latency and stability. Orient yourself with this resource
To improve connectivity in complex networks, take a look at RDP Shortpath. It moves the session transport from TCP through the gateway to a direct UDP path, so outbound UDP must be allowed from the client; if UDP is blocked, the session silently falls back to TCP.
Geography and region
Geographical datacenter location where the Cloud PC is hosted
Entra single sign-on
Use a single prompt to authenticate users for Windows 365 and their Cloud PC. The authentication through Entra to the Windows 365 service also signs the user in to Windows, so Conditional Access policies on the Windows 365 service apply to the Windows sign-in as well.
Image
When it comes to the image, i.e. the operating system platform that is used to provision Cloud PCs, there are two options to choose from:
- Gallery image
- Microsoft provides the latest image for you
- Windows 10/11, optionally with Microsoft 365 Apps preinstalled or with OS optimizations
- Custom image
- Bring your own image, provided as a managed image in an Azure subscription
- Must be generalized, generation 2, and Windows 10/11 Enterprise
- The Windows 365 service principal must have Reader access on the subscription that holds the image (more information)
Configuration
Language & Region
Select the preferred language and the region or country for your Cloud PCs.
Cloud PC naming
Specify a naming template for the hostname and the display name in Intune. The template supports the macros %USERNAME:x% and %RAND:y% (x and y being the number of characters to take), for example CPC-%USERNAME:5%-%RAND:5%, and the resulting name must not exceed 15 characters.
Additional Services (Windows Autopatch)
Equip your Cloud PC with additional services. Windows Autopatch is a Microsoft service that handles Windows Updates automatically for your Intune-enrolled machines. Learn more
Assignments / Cloud PC onboarding for users
Once the prerequisites are in place, provisioning a Cloud PC for a user is simple. Verify the following:
- The user has a Windows 365 license assigned (either directly or through a group)
- A Windows 365 provisioning policy is set up and assigned to a group the user is a member of
- The Cloud PC then starts provisioning automatically (usually ~30 minutes). A Cloud PC can be in these states:
- Failed - provisioning did not finish and failed for some reason
- In grace period - the license was removed or the policy unassigned; the Cloud PC keeps working for 7 days and is then deprovisioned (this triggers an alert)
- Provisioned - ready to connect and use
- Provisioned with warning - ready to connect and use, but a step during provisioning did not complete cleanly
- Provisioning - the Cloud PC is currently being prepared and cannot be connected to yet; wait
- Not provisioned - the user has a license, but provisioning has not started
That's it! 🚀
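To see these states across the tenant instead of clicking through the Intune portal, the Cloud PCs can be read from Microsoft Graph and grouped by status. The script below is an added example, not part of the original post. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the CloudPC.Read.All permission, and that the virtualEndpoint API is still served from the beta endpoint (it was at the time of writing). The Azure Network Connection health is read as well, because a failing ANC health check is one of the usual reasons a hybrid-joined Cloud PC lands in the Failed state.

```powershell
# Added example (not from the original post): report Cloud PC provisioning states and
# ANC health via Microsoft Graph and list the objects that need attention.
# Assumptions: Microsoft.Graph SDK installed, CloudPC.Read.All granted, beta endpoint.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'CloudPC.Read.All' -NoWelcome

function Get-GraphCollection {
    # Follow @odata.nextLink paging until the collection is exhausted.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

$base = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint'

$cloudPCs = Get-GraphCollection -Uri "$base/cloudPCs?`$select=id,displayName,userPrincipalName,status,provisioningPolicyName,lastModifiedDateTime"

# Status values as used by the API; everything outside provisioned/provisioning warrants a look.
$needsAttention = @('failed', 'provisionedWithWarnings', 'inGracePeriod', 'notProvisioned')

Write-Host "Cloud PCs by status:"
$cloudPCs | Group-Object status | Select-Object Name, Count | Format-Table -AutoSize

Write-Host "Cloud PCs needing attention:"
$cloudPCs |
    Where-Object { $_.status -in $needsAttention } |
    Select-Object displayName, userPrincipalName, status, provisioningPolicyName, lastModifiedDateTime |
    Sort-Object status, lastModifiedDateTime |
    Format-Table -AutoSize

# Azure Network Connections: healthCheckStatus is what the portal shows as "Checks successful".
Write-Host "Azure Network Connections:"
Get-GraphCollection -Uri "$base/onPremisesConnections" |
    Select-Object displayName, healthCheckStatus, subscriptionName, resourceGroupId, virtualNetworkId |
    Format-Table -AutoSize
```

Run it before and after assigning a provisioning policy: a growing count under "provisioning" confirms the licenses and group assignments are working, while anything under "failed" together with an ANC whose health check is not "passed" points at the network or domain-join prerequisites rather than at the policy itself.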
Alerts
If you deploy Windows 365 in your tenant, make sure to enable alert rules that inform you when a service issue in your environment has a high impact on the Cloud PC infrastructure (for example provisioning failures, failed ANC health checks, custom image upload failures or Cloud PCs entering the grace period).
Learn more about custom alerts for Windows 365:
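The alert rules live under the Intune monitoring API, so their state can be audited the same way as the Cloud PCs. The script below is an added example and not from the original post; it assumes the Microsoft.Graph SDK, the beta endpoint, and an account with a permission that can read deviceManagement monitoring data (assumption: DeviceManagementConfiguration.Read.All; check the API reference for the exact scope), and it lists the rules with the scenario templates they cover so you can see which of the Windows 365 scenarios have no enabled rule.

```powershell
# Added example (not from the original post): audit Windows 365 alert rules in Intune.
# Assumptions: Microsoft.Graph SDK installed, beta endpoint, permission to read
# deviceManagement monitoring data (DeviceManagementConfiguration.Read.All assumed).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

$uri   = 'https://graph.microsoft.com/beta/deviceManagement/monitoring/alertRules'
$rules = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# Windows 365 scenario templates as named by the API (assumption: compare with the
# alertRuleTemplate values returned by your tenant).
$w365Scenarios = @(
    'cloudPcProvisionScenario',
    'cloudPcImageUploadScenario',
    'cloudPcOnPremiseNetworkConnectionCheckScenario',
    'cloudPcInGracePeriodScenario'
)

Write-Host "Alert rules:"
$rules |
    Select-Object displayName, alertRuleTemplate, severity, enabled, isSystemRule |
    Sort-Object alertRuleTemplate |
    Format-Table -AutoSize

# A scenario counts as covered only if at least one rule for it is enabled.
$covered   = $rules | Where-Object { $_.enabled } | Select-Object -ExpandProperty alertRuleTemplate -Unique
$uncovered = $w365Scenarios | Where-Object { $_ -notin $covered }

if ($uncovered) {
    Write-Warning ("No enabled alert rule for: " + ($uncovered -join ', '))
} else {
    Write-Host "All Windows 365 scenarios have an enabled alert rule."
}
```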