Windows 365 is a great way to give users the freedom to manage their Cloud PCs, increasing productivity and security and improving collaboration
Patrick Köhler
@WVDLogix

Version 1.1: 02.08.2021
 
Hello and welcome to my full guide on Windows 365 which goes live on 02.08.2021!

With the announcement of Windows 365, Cloud PC is the new Desktop as a Service offering by Microsoft, and therefore I wanted to provide you with an end-to-end article describing everything you need to know about the service, and even more.

This article is a technical walkthrough; I will not cover any cost-related topics except the required step of license assignment.

Before we jump into the sections, let me explain how I built this article.

A Table of Contents can be found underneath the following list: 

  • Chapter 1 – Identity and On-Premises
    In this chapter, I will walk you through the prerequisites that come with Windows 365. I will explain to you in detail what you need to take care of when you want to get started. I will NOT walk you through the deployment of a domain controller, but I will explain how Windows 365 is integrated into your on-premises Active Directory.
  • Chapter 2 – Azure Infrastructure
    Windows 365 requires some Azure components to work, and you may also want your Azure services to be accessible to your end users from within their Cloud PC, so there are a few things to consider. Those will be covered and highlighted in this section.
  • Chapter 3 – Firewall Ports and Connectivity
    In this chapter, I will highlight the possibilities for image management in Windows 365. I will explain how you can use your custom image to provide it to your end users. This allows you to save time and lets your users start within a few minutes.
  • Chapter 4 – License management
    In this section I will show you how to assign a license to your users to make them eligible to use their personal Cloud PC.
  • Chapter 5 – Windows 365
    Now that we’ve learned how to prepare our environment, we will learn in this section how to enable Windows 365 to provision our Cloud PCs. Additionally, we will check whether the prerequisites are met and see how to deploy the desktops with our pre-defined image while creating a provisioning policy.
  • Chapter 6 – User Connectivity
    In this chapter you will learn how to connect to your recently published Cloud PC, how to identify issues when connecting to your Cloud PC using Microsoft Endpoint Manager, and how to gather the required logs. Additionally, I will show you what controls are available to the end users.
  • Chapter 7 – Image Management / Custom Images (Release date: 09.08.2021)
    In this chapter, I will highlight the possibilities for image management in Windows 365. I will explain how you can use your custom image to provide it to your end users. This allows you to save time and lets your users start within a few minutes.
  • Chapter 8 – Microsoft Endpoint Manager & Application Management (Release date: 16.08.2021)
    In the Endpoint Manager section, we will discover how to access the Windows 365 service and how to prepare Microsoft Endpoint Manager. This chapter additionally shows the controls of Microsoft Endpoint Manager (Intune).
  • Chapter 9 – Troubleshooting and Maintenance (Release date: 23.08.2021)
    Users are reporting problems? How do you tackle them? We will have a look at common tasks and things you must consider when issues arise!

Table of Contents

Chapter 1 - Identity and On-Premises

As many of you already know, Windows 365 Cloud PC still needs an “on-premises connection” in order to join the virtual machines to the local Active Directory domain. But what does “local” mean?

In my example I tested the following scenarios successfully:

As you can see, the main dependency is how you connect to your domain controller. In my demonstration example, I’m using a virtual machine hosted on Azure which acts as a Domain Controller. If you’re operating in a larger environment, I would suggest doing the same to avoid higher latencies to your on-premises VMs.

But what exactly do you need to prepare before getting started with Cloud PC?

Something I’ve identified during my testing is that non-routable domain names, such as *.local, are NOT supported with Windows 365 Cloud PC! Make sure you’ve changed the UPN suffix of your users accordingly so that you don’t run into provisioning problems!

To summarize, Windows 365 requires both Azure AD and an Active Directory Domain Controller, which can reside in Azure or on-premises. What Microsoft calls on-premises connectivity refers to wherever the actual Active Directory services reside.

Find out your domain name

The first prerequisite is to find out the domain name. This should be quite an easy task if you have access to a domain controller; you can find out the domain name easily with a PowerShell cmdlet:

    # Returns the forest (root domain) name of the domain this computer is joined to
    Get-ADDomain | Select-Object Forest

Validate User Principal Name Suffix (UPN Suffix)

Now that we know our domain name / forest name, we need to ensure that the UPN Suffix is routable. This is extremely important for your Cloud PCs to work, as non-routable domains (e.g. *.local) lead to issues in the deployment at a later stage. 

There are multiple methods available to remediate the issue if your users’ UPN suffix is non-routable. In short, select a user in the Active Directory Users and Computers mmc, right-click it and select “Properties”, navigate to the Account tab and ensure a routable domain is selected for the user:

You can also change the UPN suffix in bulk for all your users if required. First you need to add a routable domain name via the Active Directory Domains and Trusts mmc on your Domain Controller. Right-click Active Directory Domains and Trusts and select Properties.

Now you can insert the alternative UPN suffix, which represents your routable domain (in case this doesn’t match your already implemented environment), and click Add on the right side.

Finalize the configuration by clicking OK or Apply.

Now we just need to run a PowerShell cmdlet to change the UPN suffix for all users in the environment. Make sure to replace yourdomain.local with your non-routable domain name and routabledomain.com with the domain that you want to use for your Cloud PCs.


    # Collect every user whose UPN ends with the non-routable suffix
    # (the leading '@' avoids matching suffixes that merely end with the same text)
    $LocalUsers = Get-ADUser -Filter {UserPrincipalName -like '*@yourdomain.local'} -Properties UserPrincipalName -ResultSetSize $null

    # Rewrite the suffix for each of them and write the new UPN back to Active Directory
    $LocalUsers | ForEach-Object {
        $newUpn = $_.UserPrincipalName.Replace("@yourdomain.local", "@routabledomain.com")
        $_ | Set-ADUser -UserPrincipalName $newUpn
    }

If you want to identify which users in your environment might run into issues with Cloud PC because of a non-routable UPN suffix, you can also use the IdFix tool to identify and remediate the issue.

The tool may already be familiar to you from preparing your users for Microsoft 365 migrations (Azure AD Sync, Exchange Online, etc.).

More information and the tool itself can be downloaded from the official Microsoft repository. 

GitHub – microsoft/idfix: Microsoft IdFix

Screenshot of the tool running
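To complement the bulk rename above and the IdFix check, here is an added example (not from the original article) that reports every UPN suffix in use, flags the non-routable ones, and previews the rename with -WhatIf before anything is committed. It assumes the ActiveDirectory RSAT module; the suffix list and the two domain names are placeholders you replace with your own.

```powershell
# Added example, not part of the original article.
# Assumes the ActiveDirectory module; suffix names below are placeholders.
Import-Module ActiveDirectory

# Top-level labels that Azure AD cannot verify as a routable domain (placeholder list).
$NonRoutableSuffixes = @('local', 'corp', 'internal', 'lan', 'intranet')

function Get-UpnSuffixReport {
    # Group every enabled user by UPN suffix and flag the non-routable ones.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName -ResultSetSize $null |
        Where-Object { $_.UserPrincipalName -match '@' } |
        Group-Object { ($_.UserPrincipalName -split '@', 2)[1] } |
        ForEach-Object {
            $suffix = $_.Name
            $tld = ($suffix -split '\.')[-1]
            [pscustomobject]@{
                Suffix      = $suffix
                UserCount   = $_.Count
                NonRoutable = ($NonRoutableSuffixes -contains $tld)
            }
        }
}

function Set-RoutableUpn {
    # Rename only users carrying exactly the old suffix; -WhatIf previews the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OldSuffix,
        [Parameter(Mandatory)][string]$NewSuffix
    )
    $filter = "UserPrincipalName -like '*@$OldSuffix'"
    foreach ($u in Get-ADUser -Filter $filter -Properties UserPrincipalName -ResultSetSize $null) {
        $newUpn = ($u.UserPrincipalName -split '@', 2)[0] + "@$NewSuffix"
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
    }
}

# Usage: review the report first, then preview the rename before removing -WhatIf.
Get-UpnSuffixReport | Sort-Object UserCount -Descending | Format-Table -AutoSize
Set-RoutableUpn -OldSuffix 'yourdomain.local' -NewSuffix 'routabledomain.com' -WhatIf
```

Run the actual rename in a maintenance window: users sign in with the new UPN afterwards, and Azure AD Connect has to synchronize the change before the Cloud PC provisioning picks it up.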

Create an Organizational Unit for the Cloud PCs

The next thing to take care of is creating an Organizational Unit so that you can properly manage your Cloud PCs and their dedicated GPOs. To do so, open the Active Directory Users and Computers mmc and navigate to the place where you want to put your new Organizational Unit (hereafter described as OU).

Right-click an existing OU, or the place where you want to create your new OU, select New > Organizational Unit and give it a proper name.

In my case I will call the OU “CloudPC”. The naming convention is entirely up to you and your organizational recommendations.

Now you have successfully created an OU for your future Cloud PCs and have the option to link your GPOs at this level.

Configure Azure AD Connect (Synchronization of computer objects)

To get our users synchronized with our Azure Active Directory (Azure AD), we need to set up Azure AD Connect properly. In this blog, I assume that you already have Azure AD Connect in place; if not, I recommend watching the following tutorial to get started.

But even if you have Azure AD Connect in place, let’s validate that the required configuration settings are met. That means it’s important to validate that device synchronization is enabled and that a policy is in place to hybrid join your Cloud PCs to Azure AD.

The first step to validate this is to open Azure AD Connect on your preferred server.

Select Configure device options.

On the overview page, click Next.

Provide your Azure AD global administrator credentials and click Next.

Validate or configure Hybrid Azure AD join. Hit Next once your selection is made.

Select Windows 10 or later domain-joined devices and click Next.

On the next page, you need to configure a service connection point (hereafter described as SCP). It is used to discover Azure AD tenant information for the devices. 

Select the forest with the routable domain (e.g. wvdlogix.net) and click the green Add on the right-hand side.

Now you need to provide your on-premises Enterprise Admin credentials. Once this is done successfully, you will see the username represented in the console.

Once this is done, click Next.

Information – if you don’t have the Enterprise Admin credentials for that forest, you can download the script to configure the SCP offline, as stated above. 

Azure AD Connect will now perform a few checks, and if everything is ready to go, you can click Configure to perform the action, so that devices / virtual machines joined to your Active Directory domain will be hybrid joined to your Azure AD as well, which gives you further controls later on.

Once the task has completed successfully, you will see the final screen and can exit the wizard.

Before we set the policy to allow our virtual machines to be controlled via Intune, we need to ensure that the recently created OU is part of our synchronization scope (if the scope is limited).

For that reason, open Azure AD Connect again, but this time navigate to Customize synchronization options and click Next.

Now you need to provide your Azure AD credentials again. On the page with the forest to be synchronized, leave the option as is (if it is not configured, please refer to the tutorial mentioned above) and click Next.

On the next screen select the OU that you’ve created, so that the computer objects created later are synchronized with Azure AD. Hit Next once you’ve made your selection.

The following screen allows you to set optional synchronization features. We don’t need any of them here, so click Next. On the Single Sign On page, click Next as well and start the configuration once Azure AD Connect says it’s ready to configure.

Well done, this step is accomplished as well!
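Before moving on to the GPO, here is an added verification script (not from the original article) that checks two results of this chapter in one pass: that the CloudPC OU from the previous section exists, and that the “Configure device options” run above actually wrote the hybrid join service connection point into the forest. It assumes the ActiveDirectory RSAT module, the OU name “CloudPC” used above, and the well-known GUID under which Azure AD Connect stores the SCP.

```powershell
# Added example, not part of the original article.
# Assumes the ActiveDirectory module and the OU name "CloudPC" from the article.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # Azure AD Connect stores the SCP in the forest configuration partition
    # under a well-known GUID; its 'keywords' attribute names the tenant.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ae1-a302-d0b9e4af6d24," +
             "CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        return $null   # SCP missing: the device options step was not completed
    }
    $tenant = @{}
    foreach ($kw in $scp.keywords) {       # e.g. "azureADName:contoso.com"
        $name, $value = $kw -split ':', 2
        $tenant[$name] = $value
    }
    return [pscustomobject]$tenant
}

function Test-CloudPcOu {
    param([string]$OuName = 'CloudPC')
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
            -Properties ProtectedFromAccidentalDeletion | Select-Object -First 1
    if (-not $ou) { return $null }
    [pscustomobject]@{
        DistinguishedName = $ou.DistinguishedName
        Protected         = $ou.ProtectedFromAccidentalDeletion
        Computers         = @(Get-ADComputer -Filter * -SearchBase $ou.DistinguishedName).Count
    }
}

$scp = Get-HybridJoinScp
if ($scp) {
    'SCP found: tenant {0} ({1})' -f $scp.azureADName, $scp.azureADId
} else {
    'No hybrid join SCP found: re-run "Configure device options" in Azure AD Connect'
}

$ou = Test-CloudPcOu
if ($ou) { $ou } else { 'OU "CloudPC" not found: create it before provisioning' }
```

If the SCP reports a different tenant name than the one you sign in to, the devices will try to register with the wrong Azure AD and hybrid join will fail silently later.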

Last but not least, we need to create a GPO in the Group Policy Management console on your Domain Controller to allow our computers to be managed by Intune. For that reason, create a new GPO in the OU that we’ve created earlier and configure the following setting: