Windows 365 From Zero to Hero Series – Part 2 : End User & Admin Controls

Introduction

Welcome back to Part 2 of our “Windows 365: From Zero to Hero” series! In Part 1, we covered the foundational aspects of Windows 365, including a deep dive into what Windows 365 is, how it works, and why it’s a game-changer for businesses. We explored its license options (Business, Enterprise, and Frontline) and walked through the steps to set up your first Cloud PC. We also explored the seamless user experience that Windows 365 provides, emphasizing how easy it is for users to access their Cloud PCs from virtually anywhere.

In addition, we touched on why Windows 365 is a smart choice over traditional VDI solutions, thanks to its ease of use, automatic updates, and lack of infrastructure management headaches. By the end of Part 1, you should have been able to set up your first Cloud PC and choose the appropriate licensing model that fits your organization’s needs.

Now in Part 2, we’re building on that foundation by diving into more advanced topics like admin controls, the Intune Admin Center, and end-user features. You’ll learn how to manage Cloud PCs more effectively, handle tasks such as reprovisioning or resizing, and even place a Cloud PC under review for legal or forensic purposes.

But it’s not just about admin controls. Windows 365’s self-service features empower end users to handle common tasks, like resetting or restoring their Cloud PCs, giving them greater control while lightening the load for IT teams. Here’s why that’s a game-changer:

  • Reduced IT Workload: Users can handle basic tasks, reducing the number of help desk tickets and freeing up IT for more complex issues.
  • Increased Productivity: Users can solve issues themselves, minimizing downtime and improving efficiency.
  • Better User Experience: Giving users more control over their Cloud PCs enhances satisfaction and reduces frustration.
  • Cost Savings: Fewer support requests lower operational costs, helping organizations streamline IT processes.

By the end of this post, you’ll understand how to manage Cloud PCs more effectively while empowering users to take on routine tasks. Let’s dive in!

Intune Windows 365 Admin Controls

Windows 365 Restore

Restoring a Cloud PC in Windows 365 is a straightforward process that enables administrators or users (if allowed) to revert the Cloud PC to a previous state using restore points. These restore points capture the system’s configuration, applications, and settings at a specific time, allowing for easy recovery in case of an issue. A typical restore takes approximately 15 minutes, ensuring minimal downtime for the user. Restore points can be created automatically or manually within the Intune Admin Center.

Steps to Restore Windows 365

Sign in to Microsoft Endpoint Manager:

Navigate to Cloud PCs:

  • Select Devices from the left-hand menu.
  • Choose Windows 365 > All Cloud PCs.

Select the Cloud PC:

  • Locate the Cloud PC you want to restore and click on it.

Access Restore Options:

  • Click on the Restore tab in the Cloud PC’s details.

Choose a Restore Point:

  • Review available restore points, which show specific dates and times.
  • Select the restore point closest to when the Cloud PC was functioning correctly.

Initiate the Restore:

  • Click Restore to start the process.
  • Confirm your action when prompted, noting that changes after the selected restore point will be lost.

Wait for the Restore Process:

  • The restoration process takes approximately 15 minutes to complete. During this time, the Cloud PC will be unavailable.

Verify the Restore:

  • Once the process finishes, have the user log in and confirm that the Cloud PC is working as expected.

Steps to create a manual restore point

Sign in to Microsoft Endpoint Manager:

Navigate to Cloud PCs:

  • Go to Devices > Windows 365 > All Cloud PCs.

Select the Cloud PC:

  • Click on the Cloud PC for which you want to create a manual restore point.

Create a Manual Restore Point:

  • In the Restore Points section of the Cloud PC details page, select Create Restore Point.

Verify Restore Point Creation:

  • Once created, the manual restore point will appear in the list of available restore points for that Cloud PC.
  • This process takes approximately 20 minutes.

Windows 365 Reprovision

Reprovisioning a Cloud PC in Windows 365 allows administrators to reset the device to its default state, erasing all data and configurations. This process is helpful when a Cloud PC encounters issues or needs a fresh start. The entire reprovisioning process typically takes about 20 to 30 minutes, during which the Cloud PC is deleted and recreated with its original settings, and the associated Intune device record will also be deleted.

Steps to Reprovision a Cloud PC

Make sure to back up important data before proceeding, as all existing user data will be lost during reprovisioning.

  • Sign in to Microsoft Endpoint Manager: Go to Microsoft Endpoint Manager.
  • Navigate to Cloud PCs: Click Devices > Windows 365 > All Cloud PCs.
  • Select the Cloud PC: Choose the Cloud PC you wish to reprovision.
  • Initiate Reprovisioning: Select Reprovision from the Cloud PC’s actions menu.
  • Confirm the Action: Confirm the reprovisioning, understanding that the Cloud PC and its Intune device record will be deleted and then recreated.
  • When reprovisioning a Cloud PC, you will notice that the associated Intune endpoint (device record) is automatically deleted. In the Windows 365 portal, the status of the Cloud PC will change to Reprovisioning, indicating that the process is underway. Once complete, the Cloud PC will be recreated with its default settings.
  • When the status of the Cloud PC is Provisioned, the user can log in again and start using their Cloud PC.

Windows 365 Resize

Resizing a Cloud PC in Windows 365 allows administrators to adjust the machine’s hardware configuration, such as CPU, RAM, or storage, to better meet user demands. This feature is particularly helpful when workloads increase or decrease, ensuring that users have the appropriate resources for their tasks. Resizing is a simple process within the Microsoft Endpoint Manager Admin Center, but while the Cloud PC is resizing, user access will be temporarily disrupted. The entire process typically takes around 20-30 minutes.

Supported scenarios for resizing include increasing or decreasing the performance of the Cloud PC. You can upgrade a user’s configuration to improve performance or downsize it to save costs when they no longer need higher specs.

Step-by-Step Guide: Resizing a Single Cloud PC

  • Sign in to Microsoft Endpoint Manager: Go to Microsoft Endpoint Manager Admin Center.
  • Navigate to Cloud PCs: Select Devices > Windows 365 > All Cloud PCs.
  • Select the Cloud PC: Find and select the Cloud PC you want to resize.
  • Click Resize: On the Cloud PC details page, click Resize.
  • Choose the New Size: Select the new configuration (e.g., more CPU, RAM, or storage).
  • Confirm Resize: Confirm the action. The Cloud PC status will change to Resizing, and the process typically takes 20-30 minutes.

During this time, user access will be interrupted, and the new resources will be applied once resizing is complete.

Windows 365 Under Review

Placing a Cloud PC under review in Windows 365 is a powerful feature designed for digital forensics and legal investigations. It captures a forensic snapshot of the entire Cloud PC, securely saving it as a VHD file in your Azure Storage account. This snapshot can be used to investigate data without altering the original system, making it ideal for legal audits, internal security checks, or third-party investigations.

Why This is Important:

  • Useful for internal or external audits, legal requests, or security breaches.
  • Investigators can access the disk snapshot via the Azure portal or Azure Storage Explorer for in-depth analysis.
  • You can choose whether to let the user continue using the Cloud PC during the review or block their access for full control.

This feature provides a seamless way to ensure data integrity while meeting compliance and legal requirements without disrupting business operations.

How to Place a Cloud PC Under Review and Set Up the Required Azure Storage Account

Step 1: Set Up a Premium Azure Storage Account

To place a Cloud PC under review, you first need a premium Azure Storage account configured to meet the requirements. Follow these steps:

Sign in to Azure Portal: Go to Azure Portal.

Create a New Storage Account:

  • Click Storage Accounts > Create.
  • Configure settings:
    • Region: Same region as the Cloud PC for optimal performance.
    • Performance: Choose Premium.
    • Account Type: Select Page blobs.
    • Minimum TLS version: Set to 1.2.
    • Network Access: Enable public access from all networks and ensure “Permit scope for copy operations” is set to null (the default value).

Assign Required Roles:

  • Access Control (IAM): In the storage account menu, select Access Control (IAM).
  • Click Add Role Assignment.

  • Assign the Storage Account Contributor role:
    • In the Role field, search for and select Storage Account Contributor.
    • Under Assign access to, choose User, group, or service principal.
    • Search for the Windows 365 service principal. This is necessary for the service to manage snapshots.
    • Click Save.

  • Assign the Storage Blob Data Contributor role:
    • Repeat the process to assign the Storage Blob Data Contributor role.
    • Again, search for the Windows 365 service principal and assign it.
    • Click Save.
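
One way to check the settings and role assignments from the steps above before moving on to Intune, as an added example that is not part of the original post. It uses the Az PowerShell module; the resource group, account name and region are placeholders, and it assumes the service principal's display name is Windows 365.

```powershell
# Added example, not from the original post. Requires the Az PowerShell modules
# (Az.Accounts, Az.Storage, Az.Resources) and an existing Connect-AzAccount session.
param(
    [string]$ResourceGroup  = 'rg-w365-review',   # placeholder
    [string]$StorageAccount = 'stw365review',     # placeholder
    [string]$CloudPcRegion  = 'westeurope',       # placeholder: region of the Cloud PC
    [string]$SpDisplayName  = 'Windows 365'       # assumed service principal display name
)

$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount -ErrorAction Stop

# Storage settings from the list above. Premium page blobs are a StorageV2 account
# with a Premium SKU; BlockBlobStorage or FileStorage kinds would be the wrong type.
$checks = [ordered]@{
    'Region matches the Cloud PC'       = ("$($sa.Location)" -eq $CloudPcRegion)
    'Performance is Premium'            = ("$($sa.Sku.Name)" -like 'Premium*')
    'Account type is page blobs'        = ("$($sa.Kind)" -eq 'StorageV2')
    'Minimum TLS version is 1.2'        = ("$($sa.MinimumTlsVersion)" -eq 'TLS1_2')
    'Public access from all networks'   = ("$($sa.NetworkRuleSet.DefaultAction)" -eq 'Allow' -and
                                           "$($sa.PublicNetworkAccess)" -ne 'Disabled')
    'Copy scope left at default (null)' = [string]::IsNullOrEmpty("$($sa.AllowedCopyScope)")
}

# Both roles must be held by the Windows 365 service principal on this account.
$sp = Get-AzADServicePrincipal -DisplayName $SpDisplayName | Select-Object -First 1
$assigned = @()
if ($sp) {
    $assigned = @((Get-AzRoleAssignment -ObjectId $sp.Id -Scope $sa.Id).RoleDefinitionName)
}
foreach ($role in 'Storage Account Contributor', 'Storage Blob Data Contributor') {
    $checks["Role assigned: $role"] = ($assigned -contains $role)
}

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize

# The review snapshot is stored in this account as a VHD, so also list every
# principal whose role assignment applies at this scope (inherited ones included).
Get-AzRoleAssignment -Scope $sa.Id |
    Sort-Object RoleDefinitionName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```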

Enabling Review on Device

  • Sign in to Microsoft Intune: Go to Microsoft Intune Admin Center.
  • Choose the Cloud PC:
    • Navigate to Devices > All Devices.
    • Select the Cloud PC you want to place under review.
  • Initiate Review:
    • Click the ellipsis (…) next to the device name.
    • Select Place Cloud PC under review.
  • If you made a mistake during the storage account setup, you might find that you’re unable to select the account when placing a Cloud PC under review. This typically happens if the necessary roles (Storage Account Contributor and Storage Blob Data Contributor) weren’t assigned properly or if the storage configuration doesn’t meet the required settings. Double-check your storage account setup, including role assignments and network access configurations, to ensure everything is correct before trying again.
  • Select the Azure Storage Account:
    • When prompted, choose the Azure subscription and Azure storage account that you set up with the necessary roles.
  • Choose User Access Options:
    • Block Access: The Cloud PC will be powered off immediately, and the user will be prevented from accessing the system during the review.
    • Allow Access: The Cloud PC user can continue using the PC while the snapshot is being created.
  • Start the Review:
    • Click Place under review to initiate the process.
    • Based on the size of the Cloud PC and its data, the process can take from minutes to several hours to complete. The snapshot will be saved as a VHD file in the designated Azure Storage account.

As you can see below, the VHD file created during the Cloud PC review process can be found in the Azure storage account we set up. You can access it via the Storage Browser in the Azure Portal. The disk is unencrypted, allowing you to attach it to a virtual machine for further analysis. If you’d like, I can document the full process of attaching and analyzing the VHD in a VM. Just let me know, and I’ll be happy to create that guide for you!


During my personal testing while placing a Cloud PC under review, I noticed a few inconsistencies. Although I allowed the end user to sign in during the review, I encountered a bug when trying to connect via the Windows app: the “Connect” button was unclickable. On the web version, all controls were blocked, which is expected. However, I could connect to Windows 365 through the web version and launch it via the Web version on the Windows app. Please let me know if you have experienced similar issues.

Windows 365 User Controls

Rename

The end user can “Rename” their Cloud PC, but it’s important to note that this only changes the display name visible to them. The actual device name in the Intune portal remains unchanged. This means the renaming action is purely cosmetic and does not impact how the device is listed or managed by administrators in Intune. The user will see their updated name in their portal, but admins will continue to reference the original device name in the backend.

Restart

The end user has the ability to reboot their Cloud PC both from the Windows app and from within their session. When initiated, the reboot process typically takes about 5 minutes to complete. This feature gives users more control over their Cloud PC’s state without needing to rely on administrators for routine tasks like rebooting.

Reset

The end user can also reset their Cloud PC to factory settings, but this can be blocked if necessary. We might not want to give this level of control to just anyone, if you know who we mean, and if you don’t, well, it might just be you! 😉 The reset process takes the same amount of time as an admin-initiated reset, roughly 20-30 minutes. This feature can be convenient, but restricting it helps avoid unnecessary resets by overly curious users.

Restore

The end user has the ability to restore their Cloud PC to a previous state by selecting from available restore points, which are based on specific times and dates. This feature allows users to roll back to a stable version if needed. However, similar to resetting, this option can also be restricted by administrators to prevent misuse. The restore process takes approximately 15-20 minutes, providing users a convenient way to recover their Cloud PC without needing admin intervention.

Inspect Connection

When using the Inspect Connection feature in the web app, the process takes around 2 minutes to complete, after which it provides feedback indicating that no issues were detected. However, in the Windows app, the feature seems to have a bug: it just keeps spinning in the notification tab without providing any feedback. This inconsistency suggests that the web version functions correctly, while the Windows app might need an update or fix to reflect the connection status properly.

Add to task view

The Add to Task View option simply adds the Cloud PC as a desktop page within your Task View in Windows. This allows you to easily switch between your Cloud PC and other desktops or apps you have open. Task View provides a convenient way to manage multiple desktops and helps users navigate between their Cloud PC and local environments seamlessly.

Settings

In the settings page of the Cloud PC, the only available option is to adjust the display settings. Specifically, you can choose to either allow the session to use all available screens (multiple monitors) or to have the session automatically fit the window you are using. No other settings can be modified from this page. This provides a simple way to control how your Cloud PC display behaves during your session.

Conclusion

That’s a wrap on Part 2 of our “Windows 365: From Zero to Hero” series! We’ve explored key management features, from reprovisioning and resizing to empowering users with self-service options. Now, you’re set to manage Cloud PCs more efficiently and lighten the IT load.

In Part 3, we’ll dive into more exciting features like reporting, screenshot and picture protection, maintenance windows, and how to assign Intune policies to dynamic Cloud PC groups. I know I promised dynamic groups earlier, but don’t worry, it’s coming next!

If you’ve got any questions or feedback, feel free to drop a comment or message me. Stay tuned for Part 3; it’s going to be full of tips and tricks to get the most out of Windows 365!
