Getting started with Windows 365 – Part 2. Provisioning an Azure Ad Joined Cloud PC

Posted on August 28, 2022 by ncbrady

Introduction

This is Part 2 in a new series of guides about getting started with Windows 365. This series of guides will help you to learn all about Windows 365 in a clear and insightful way. This series is co-written by Niall & Paul, both of whom are Enterprise Mobility MVP’s with broad experience in the area of modern management. At the time of writing, Paul is a 6 times Enterprise Mobility MVP based in the UK and Niall is a 12 times Enterprise Mobility MVP based in Sweden. In this series we aim to cover everything we learn about Windows 365 and share it with you to help you to deploy it safely and securely within your own organization. In Part 1, we introduced you to what Windows 365 actually is, selecting the right edition with the level of management that you need, choosing the plan that suits your users needs at a cost you can afford, or modifying the configuration to make it more suited to your individual needs, purchasing licenses and saving money for your organization via the Windows Hybrid Benefit. In this part, we’ll learn how to provision an Azure Ad joined Cloud PC and take a look at the different network options available when provisioning an Azure Ad joined Cloud PC.

Below you can find all parts in this series:

In this part we’ll cover the following:

  • Azure AD join capabilities for Windows 365 Cloud PCs
  • Assigning licenses to users
  • Adding licensed users to an Azure AD group
  • Decide which network your Azure AD Joined Cloud PCs will use
  • Create or reuse resource group (optional)
  • Create or reuse a virtual network (optional)
  • Create azure network connection (optional)
  • Create provisioning policy

Azure ad join capabilities for Windows 365 Cloud PCs

When Windows 365 was originally released (July 2021), it initially supported the Hybrid Azure AD join scenario. Based on customer feedback, Microsoft announced support for Azure AD joined Cloud PCs in Windows 365 Enterprise November 2021 and that went through a private preview before it was initially released in February 14th, 2022, and Globally Available in May 2022.

Note: Azure AD Join doesn’t require connectivity to a Windows Server Active Directory (AD) domain unlike Hybrid Azure AD Join, which does require that connectivity.

azure ad join support released feb 2022.PNG

Azure ad joined Cloud PCs have the following benefits:

  • You can create Azure AD joined Cloud PCs without bringing any additional Azure infrastructure.
  • You can create Azure AD joined Cloud PCs on your own network, by using an on-premises network connection.
  • You can provide Cloud PCs for cloud-only users in your organization.
  • Gain more flexibility to sign in to your Cloud PC using Windows Hello for Business.

Assigning licenses to users

You need to assign a Windows 365 license to your user(s) in order for them to use the service, much as you would with any Microsoft 365 product. To do this, open the Microsoft 365 admin center and expand the Billing node, select Licenses, and choose the appropriate Windows 365 product from those you’ve purchased.

assigning licenses.png

Next click on + Assign licenses and select the user(s) you wish to apply the license to in the Assign licenses to users window. Finally click on Assign.

assigning the license to a user.png

You will get a confirmation of the action showing the type of Windows 365 license.

you assigned a license to.png

Adding licensed users to an Azure AD group

Next, you need to add the licensed user(s) to an Azure AD group, you can name the group whatever you want but it would be a good idea to match the name of your Azure AD group to the Provisioning policy that we will create later in this guide by using a naming convention. In this example, we have created an Azure AD group called W365 North Europe AAD W11 and we’ve added the licensed user(s) to that group. That way we can quickly determine that members of this group will get a Windows 365 Cloud PC configured for Northern Europe, using Azure AD Join and running Windows 11.

user added to aad group.PNG

Decide which network your Azure AD joined Cloud PCs will use

You need to decide which network type your Cloud PC’s will use for the Azure AD Join scenario. There are 2 choices listed below.

  •  A Microsoft-hosted network
  •  Your own network (using an Azure network connection)

Tip: If you want your Azure AD Joined Windows 365 Cloud PCs to be 100% Cloud Only then select the built-in Microsoft-hosted network. If you select that choice then you can skip the next three optional steps. If however you want to control the region where your network is located (in relation to your users) and which DNS settings your Cloud PC’s will use plus many other additional network settings, then you should configure the next three steps.

Create or reuse a Resource Group (optional)

Windows 365 uses Resource Groups in Azure to store certain resources, such as Virtual networking. When creating a provisioning policy for a Cloud PC you can select to use the Microsoft hosted network (cloud only) or use a previously created Azure network connection (ANC). If you choose the option to use your own network via an Azure network connection, that ANC needs to be in a Resource Group. To prepare for that, we’ll create a new Resource Group in Azure.

Note: If you want your Azure AD Join based Windows 365 Cloud PC’s to be cloud only you can skip this step.

Login to https://portal.azure.com and click on Create a resource, select Resource Groups, select Create and create a new resource group in an Azure region close to you. Click Review + create to complete the wizard.

create a resource group.png

Create or reuse a Virtual Network (optional)

Windows 365 in an Azure AD Join scenario can use a Microsoft Hosted Network to be completely cloud only, or can use Virtual Networks to allow your Cloud PC’s to use specific network settings that you define.

Note: If you want your Azure AD Join based Windows 365 Cloud PC’s to be cloud only you can skip this step.

To use your own network and provision Azure AD joined Cloud PCs, you must meet the following requirements:

  • Azure virtual network: You must have a virtual network (vNET) in your Azure subscription in the same region as where the Windows 365 desktops are created.
  • Network bandwidth: See Azure’s Network guidelines.
  • A subnet within the vNet and available IP address space.

In your newly created Resource Group, click on Create and select Virtual Network. Here you can define the ip addresses to use if that’s your preference.

create a virtual network.png

define the IP Addresses and additional network info for the virtual network, followed by Create.

 

Create Azure network connection (optional)

Windows 365 in an Azure AD Join scenario can use a Microsoft Hosted Network to be completely cloud only, or can use an Azure network connection to allow your Cloud PC’s to access your on-premises network resources.

Note: If you want your Azure AD Join based Windows 365 Cloud PC’s to be cloud only you can skip this step.

To create your own Azure Network connection, open the Microsoft Endpoint Manager console, select the Windows 365 node, and then select Azure network connection. Keep in mind that each tenant has a limit of 10 Azure network connections, if you need more than that you must contact Microsoft support.

create azure network connection.png

 

Next, click on + Create and select Azure AD Join from the two available options.

click on create and select Azure AD Join.png

Next give the Azure network connection (ANC) a suitable name, before selecting the Resource Group (that you created above) and the Virtual Network (that you also created above).

select Name Join type subscription resource group virtual network and subnet.png

Click on Next and then click on Review + Create.

The ANC status will initially be running checks

running checks.png

and if all goes well it’ll change status to Checks Successful after approximately 30 minutes.

checks successful.png

 

Create provisioning policy

Next you need to create a provisioning policy. In the Windows 365 node, click on the Provisioning policies tab.

create provisioning policy.png

 

Click on + Create policy and start filling in the details. In the General screen once you select Azure AD Join as Join type,that you’ll have the choice of selecting the Microsoft hosted network or to use an Azure network connection (ANC) that you created previously. If you want your Windows 365 Cloud PC’s to be cloud only select the Microsoft hosted network, otherwise select the ANC that is applicable to your region.

creating provisioning policy.png

 

On the Image screen, you can select the type of image from built-in images provided by Microsoft (Gallery image) to using one you make yourself (Custom image). If you select Gallery image you’ll need to click on Select to select from a list of created images. In this example we’ll go with the Windows 11 Enterprise + Microsoft 365 apps image

 

select an image.png

On the Configuration screen, select your desired Language + Region (preview) and whether or not you want to use the new Windows Autopatch feature.

Configuration screen.png

On the Assignments screen, select one or more groups that you want to target with this Provisioning Policy. We’ll use the previously created W365 North Europe AAD W11 Azure AD Group for this purpose.

assignments screen.png

when done click on Review + Create and your provisioning policy is complete.

policy is created.png

At this point all the hard work is done and you can select the All Cloud PCs tab. This will reveal the status of any Windows 365 licensed users targeted by the provisioning policy.

 

Cloud PC is provisioning.png

This process can take some time to deploy the actual Cloud PC, so you’ll have to refresh this view in order to see when everything is complete. While you are waiting, please up-vote the following Windows 365 feedback so that we can get an email notification once the provisioning process is completed.

Note that if the licensed user(s) opens the Windows 365 web page https://windows365.microsoft.com at this point, they’ll see something liked the following (after satisfying MFA). This is another reason why an email notification to both the Admin and the User would be great.

windows365 website as licensed user.png

Note: During this process we did not create any User settings to define Local administrator settings, or Point in time restore options. If you need to configure them, then do so in the User settings tab. You can always add those settings after provisioning a Cloud PC, just ensure that the Cloud PC restarts to get the new policy.

After some time, the Cloud PC will be provisioned and you can see that in the MEM console, in addition to details of its provisioning policy, the device name, PC Type, Azure network connection and image.

finally provisioned.png

At this point, the licensed user(s) can access their Cloud PC directly at the Windows 365 web page.

win365 pc is provisioned.png

After clicking on Open in browser, the user will be prompted for credentials, MFA prompt and they are in.

pc is provisioned and logged in via web browser.png

Job done !

That’s it for this part, please join us in Part 3 where we’ll learn how to provision a Hybrid Azure AD Join Cloud PC.

Recommended reading

 

This entry was posted in azure ad join, Windows 365. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.