Microsoft Ignite Day 0 Live Blog: Pre-Day Session: Mastering Cloud Strategy: Deploy and Manage Windows 365

Hello from Microsoft Ignite in San Francisco. Today is Microsoft Ignite Day 0; pre-day sessions are being held today and I'm attending Mastering Cloud Strategy: Deploy and Manage Windows 365. I'll be live-blogging my notes and insights from this session here, so please excuse any typos or rough edges for now. I'll update this post later to clean things up and add pictures if needed.

  • Scott Manchester is on stage for the session opening keynote

  • Azure Virtual Desktop was released in 2019, Windows 365 in 2021, Windows 365 Link in 2024

  • Windows 365 Link can be provisioned in about two and a half minutes; you should be able to open the box and go very quickly. It arrives already Intune-enrolled with the highest security settings.

  • New capabilities in 2025: Windows 365 Cloud Apps, Windows 365 Reserve, Windows 365 for Agents.

  • Pricing for Windows 365 Reserve will be announced at Ignite

  • 6-12 minutes of daily time saved per user on average using Windows 365

  • Traditional VDI users are on multi-session hosts and also don't have a restart button to restart their VM.

  • Key product features / launches: Windows 365 cross-region disaster recovery and Windows 365 Disaster Recovery Plus. Backups can be restored from a different region.

  • Windows app enhancements: the Windows app is in every major store (PC, Android, etc.) and can be used to access your computer from anywhere on any device.

  • Nerdio is building a tool to migrate from AVD to a full Cloud PC with a single click.

  • Christine Gerth is on stage to give a Windows 365 Overview

  • Experiences & licensing types: Enterprise is for users who need access to a dedicated PC

  • Frontline Dedicated allows multiple users per license, but only one of them can use it at a time

  • Frontline Shared is a pool of temporary devices: when a user needs to log in they grab a device from the pool, do what they need to do, and log out, and another user comes in and grabs the device. These are shared, not dedicated, devices.

  • Cloud Apps (preview): apps running on a Cloud PC, delivered as app-only access rather than the full desktop.

  • Going to be a lot of screenshots in this section, I will upload later.

  • Dedicated mode would be for groups working in shifts.

  • Steve Thomas is on stage to talk about provisioning

  • Transforming VDI into a SaaS service

  • Need an Azure subscription, all associated Azure resources per Windows 365 region, and Microsoft Entra hybrid join configured; these are all optional, but may be something you need to do.

  • Windows 365 gives flexibility

  • Why do image management when you can have Microsoft do it for you?

  • Images are updated monthly. Windows 10 is end of life and is still offered with Windows 365 for extended service, but Windows 11 is highly recommended.

  • Don't need to use update rings; take advantage of Autopatch and let Microsoft do it for you.

  • Still have the capability to use Entra hybrid join with Group Policy, and ConfigMgr co-management.

  • Intune is the heart of Windows 365, together with the Intune Suite. Shouldn't need to use Configuration Manager or any other on-prem resource.

  • Users cannot span multiple provisioning policies; the first assigned policy will always be used to create devices for a user

  • Changes to any part of a provisioning policy does not trigger a reprovision
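
One check a practitioner would want for the "first assigned policy wins" rule above: find users who sit in groups assigned to more than one provisioning policy, since Windows 365 will silently pick one. The following is an added example written for this post, not code from the session or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the CloudPC.Read.All and GroupMember.Read.All permissions, and that the beta provisioning-policy endpoint and its assignment shape are as documented at the time of writing.

```powershell
# Added example: report users who are members of groups assigned to more than one
# Windows 365 provisioning policy. Windows 365 only honours the first matching policy,
# so any overlap means a silent winner. Assumes Microsoft.Graph SDK and the permissions
# named in the lead-in (verify permission names against current Graph docs).

Connect-MgGraph -Scopes 'CloudPC.Read.All', 'GroupMember.Read.All' -NoWelcome

function Get-GraphPages {
    # Follow @odata.nextLink until the collection is exhausted.
    param([string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    }
}

# Provisioning policies with their group assignments (beta endpoint at time of writing).
$policies = Get-GraphPages -Uri 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/provisioningPolicies?$expand=assignments'

# userId -> { Upn; Policies[] }, expanding each assigned group transitively so nested
# group membership is counted too.
$userPolicies = @{}
foreach ($policy in $policies) {
    foreach ($assignment in @($policy.assignments)) {
        $groupId = $assignment.target.groupId
        if (-not $groupId) { continue }
        $membersUri = "https://graph.microsoft.com/v1.0/groups/$groupId/transitiveMembers/microsoft.graph.user?`$select=id,userPrincipalName"
        foreach ($user in Get-GraphPages -Uri $membersUri) {
            if (-not $userPolicies.ContainsKey($user.id)) {
                $userPolicies[$user.id] = [pscustomobject]@{
                    Upn      = $user.userPrincipalName
                    Policies = [System.Collections.Generic.List[string]]::new()
                }
            }
            if (-not $userPolicies[$user.id].Policies.Contains($policy.displayName)) {
                $userPolicies[$user.id].Policies.Add($policy.displayName)
            }
        }
    }
}

# Only users affected by the "first policy wins" rule are interesting.
$overlaps = $userPolicies.Values | Where-Object { $_.Policies.Count -gt 1 }
if (-not $overlaps) {
    Write-Host 'No user is targeted by more than one provisioning policy.'
} else {
    $overlaps |
        Select-Object Upn, @{ Name = 'Policies'; Expression = { $_.Policies -join '; ' } } |
        Sort-Object Upn |
        Format-Table -AutoSize
}
```

The script does not tell you which of the overlapping policies wins for a given user; the point is to remove the overlap (or to scope the assignment groups deliberately) rather than to rely on the tie-break.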

  • Windows 365 Traditional is more VDI-like, but you can go Windows 365 full SaaS, where Microsoft pretty much handles everything besides user identity and application deployment, although those can of course be handled via Intune.

  • If you have on-prem resources that still need to be accessed you might think you have to be hybrid joined, but there are other ways to do this through zero trust gateways and other VPNs that can run on the Cloud PC as well. The only reason to do hybrid join is for legacy applications or if you are still taking advantage of GPO.

  • Consider the current device identity state, future goals, personas, geography, and applications when deploying W365

  • Applications are the big one; need to look at applications using legacy authentication.

  • Network considerations: are you going to use a Microsoft hosted network (MHN) or an Azure network connection (ANC)? Recommend using the Microsoft hosted network, a virtual network fully managed by Microsoft. Equivalent to deploying a device to a user's home.

  • An ANC is equivalent to extending the corporate network into Azure where the Cloud PCs sit; this is customer-owned, customer-operated virtual networking.

  • Consider before deploying: identity, on-prem, simplicity, cost, flexibility. If you need direct on-prem access you might consider ANC, but you can still use MHN. There is no additional cost with MHN, and MHN is also simpler. Take advantage of newer resiliency features using ANC.

  • Gallery image or custom image: Microsoft recommends the gallery image; it contains optimizations and M365 apps, is always updated, and carries no technical debt. Multiple version choices with the gallery image. A custom image has to be stored in Azure storage, so you're paying storage cost as well.

  • A lot of people say Intune or ConfigMgr takes too long to push out applications, so they are working on device preparation policies, similar to Autopilot: you can have your PC prepared with additional components during the provisioning process. So the PC is provisioned, Intune installs apps and applies scripts, and then it's ready. It's called Device Preparation Policy (DPP) and is currently in preview for W365 Frontline Shared.

  • Dependencies readiness: DNS, Entra Connect, Azure readiness.

  • Hybrid Entra joined is the most problematic enrollment method; this is where Microsoft gets the most support cases.

  • Highest customer support volume happens in steps 5 and 6: Microsoft Entra join and domain join

  • Entra joined by itself with ANC is a bit simpler and some of the most problematic steps are removed

  • Windows 365 Link endpoint: power on the device, sign in when prompted, get connected, use your Cloud PC.

  • Not an endpoint, an enhanced peripheral. We are peripheral managers now lol

  • Break time 1:55PM PST

  • We are back and Linda Zhu is going to talk about End User Experience

  • The Windows app got its name because it's used to access Windows in the cloud

  • One client across multiple services: Windows 365, Azure Virtual Desktop, Remote Desktop, RD Services, Microsoft Dev Box

  • An overview of the Windows app and environment in Windows

  • Navigate to any app store and download the Windows app; as an IT admin you can deploy / push it out, there is a standalone MSI installer, and the same for Mac.

  • Identity switcher, the person who is logged in is auto logged into the app, but you can switch users / sign in with another account.

  • You can see all devices and favorite them to bring them to the top.

  • Right click on the PC to get multiple options, including restarting the device, renaming the Cloud PC, and viewing details

  • Can launch the feedback hub directly from the app and provide feedback to Microsoft directly.

  • Windows app can also deliver enhanced Teams experiences

  • Now taking a look at the Windows app experience across other platforms.

  • Windows 365 Boot: you can have Windows 11 devices boot directly into the Cloud PC, taking the user straight to the Cloud PC instead of the local Windows operating system.

  • Windows 365 Switch allows you to switch between the local desktop and the Cloud PC.

  • W365 Link is only built to access the Cloud PC. Has essential components for Entra ID authentication etc.

  • Link doesn't support certain types of plugins or peripherals, so may not be optimal for all use cases. Doesn't support them YET; will support many more in the future? Unsure.

  • Windows in the cloud strategy for Linux is to offer third-party OEMs an SDK so they can build those clients on their own.

  • Going back to the Windows app, showcasing some troubleshooting tools for users and IT admins.

  • Click the three dots on the PC; you can inspect the connection and perform troubleshooting steps to confirm the connection is good.

  • The ability to reset a Cloud PC is not available unless IT gives users the ability. Resetting is a nuclear option as it re-provisions the entire PC; you probably don't want to give users this option except in certain use cases.

  • Once connected to a PC, you have some more options for troubleshooting. On the top bar you can look at connection information. Users can send the diagnostics directly to an admin, and they can be seen within Intune. Similar options on Windows App for Web.

  • Can look at health checks on the health checks tab; they run when you open the Windows app and when there are changes to the network connection, and can also be run manually by clicking "check again". Will check first for network connection, then Windows version, then service reachability.

  • Angelo, senior product manager, is now on stage to talk connectivity

  • MHN vs ANC (see screenshot later for comparisons)

  • If you have users that require ANC, you can use it for those users and use MHN everywhere else, so it's very flexible.

  • Port 3389 is not used for W365; it uses an outbound TCP 443 connection instead (reverse connect), TLS 1.3 encrypted. This is the case for both MHN and ANC.

  • In the last 2 years tremendous progress has been made to speed up connection time.

  • Demo shows the speed of connection in an ideal network scenario. The 2023 connection on the left takes about 23 seconds to connect; today it takes 7 seconds.

  • Working to make UDP more available when RDP Shortpath is not available, using global TURN relay expansion. Allows UDP instead of TCP for RDP connections. Expanded TURN relays to over 40 regions globally (see screenshot)

  • TURN relays dedicated to only W365 and AVD traffic.

  • If you have a user in India, they will connect to the nearest TURN relay; Microsoft controls that traffic from that data center, through their backbone, back to the TURN relay, and to the client's host machine. Better connections and less lag for users; they will experience fewer dropped connections and more reliable sessions.

  • Implemented dedicated IP ranges to be used only for W365 and AVD traffic. Allows Microsoft to isolate traffic for the relays. Also lets network admins know that traffic traversing those IP addresses is only W365 and AVD traffic.

  • Once connected, they want to keep the session connected at all costs; the user should only be disconnected when they choose to disconnect. RDP multipath with UDP evaluates multiple paths at the same time and switches to an active path behind the scenes, which avoids single points of failure. Requires no changes from IT admins or end users; it's automatic, built into the service, and already available to all users with updated Windows app versions.

  • Now showing another demo to see RDP multipath in action.

  • Without RDP multipath, when the network goes down it takes about 30 seconds to get reconnected, with RDP multipath there is no downtime, it switches to another route instantly as long as there is another route to follow.

  • Optimizing RDP traffic: bypass proxies for RDP sessions to have a better experience. Proxies are not optimized for real-time traffic. For example, a proxy does TLS inspection, but this isn't needed for RDP because W365 traffic is already TLS 1.3 encrypted.

  • TCP-based RDP reduced from 380 IPs to a single dedicated IP subnet

  • UDP-based (TURN) moved to a single dedicated IP subnet
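
The transport points above (outbound TCP 443 only, no inbound 3389, keep RDP off TLS-inspecting proxies) are easy to verify from an endpoint. The script below is an added example for this post, not code from the session or from Microsoft. It assumes the *.wvd.microsoft.com names are the public Azure Virtual Desktop / Windows 365 service FQDNs at the time of writing (verify against Microsoft's current required-URL list), and that the proxy bypass pattern you care about is that domain.

```powershell
# Added example: check the RDP transport posture from an endpoint. Reports whether outbound
# TCP 443 reaches the service and whether a configured proxy would carry RDP traffic instead
# of bypassing it. Run on the physical client (Windows app side) or inside a Cloud PC.
# Assumption: the *.wvd.microsoft.com names below are the public AVD / Windows 365 service
# FQDNs at time of writing; verify against Microsoft's current required-URL list.

function Test-RdpTransportPosture {
    param(
        [string[]]$ServiceHosts = @(
            'rdweb.wvd.microsoft.com',      # feed / web client
            'rdbroker.wvd.microsoft.com',   # connection broker
            'rdgateway.wvd.microsoft.com'   # RD gateway, the reverse-connect target
        ),
        [string]$BypassPattern = 'wvd.microsoft.com'
    )

    # 1. Outbound TCP 443: the only port the service needs (no inbound 3389).
    $egress = foreach ($h in $ServiceHosts) {
        $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Tcp443 = $t.TcpTestSucceeded; RemoteIp = "$($t.RemoteAddress)" }
    }

    # 2. Machine-level (WinHTTP) proxy, which services such as the RD agent use.
    $winhttp = (netsh winhttp show proxy) -join "`n"
    $winhttpDirect = $winhttp -match 'Direct access \(no proxy server\)'
    $winhttpBypass = if ($winhttp -match 'Bypass List\s*:\s*(.+)') { $Matches[1].Trim() } else { '' }

    # 3. User-level (WinINET) proxy used by the Windows app; ProxyOverride is its bypass list.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inetEnabled = ($inet.ProxyEnable -eq 1)
    $inetBypass = if ($inet.ProxyOverride) { $inet.ProxyOverride } else { '' }

    $findings = @()
    foreach ($e in $egress) { if (-not $e.Tcp443) { $findings += "TCP 443 to $($e.Host) failed" } }
    if (-not $winhttpDirect -and $winhttpBypass -notmatch [regex]::Escape($BypassPattern)) {
        $findings += "WinHTTP proxy set and '$BypassPattern' not in its bypass list: RDP will traverse the proxy"
    }
    if ($inetEnabled -and $inetBypass -notmatch [regex]::Escape($BypassPattern)) {
        $findings += "User proxy '$($inet.ProxyServer)' set and '$BypassPattern' not in ProxyOverride"
    }

    [pscustomobject]@{
        Egress        = $egress
        WinHttpDirect = $winhttpDirect
        WinHttpBypass = $winhttpBypass
        UserProxy     = if ($inetEnabled) { $inet.ProxyServer } else { $null }
        UserBypass    = $inetBypass
        Findings      = $findings
    }
}

$result = Test-RdpTransportPosture
$result.Egress | Format-Table -AutoSize
if ($result.Findings.Count -eq 0) { 'RDP transport posture looks good.' } else { $result.Findings }
```

Test-NetConnection only proves TCP reachability; it cannot tell you whether an inline device is terminating TLS. If a finding says RDP will traverse a proxy, the fix is a bypass entry for the service domain (and the dedicated IP subnets mentioned above) on the proxy or SWG, not a change on the Cloud PC.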

  • Started partnering with SWG/VPN partners to integrate VPN optimizations.

  • Covering the same connection insights that were covered earlier in the troubleshooting section.

  • ANC health checks (see screenshot of health checks that can be used from Intune admin center)

  • If you have a health check status as failed, it will block provisioning.

  • Jon Callahan is now on stage to talk about Intune Suite and Security Copilot

  • Endpoints managed by Intune tend to be more secure than endpoints that are not managed.

  • Microsoft Intune is a foundation for a Zero Trust strategy: do not trust devices, apps, or data by default.

  • Assume breach: assume that you are going to be attacked and breached

  • Intune suite solutions

  • Copilot in Intune

  • Microsoft does not use your data to train; a core tenet of Security Copilot.

  • The way Copilot works: it takes prompts and uses plugins and tools Microsoft has created so Copilot knows how to process the question. Data then goes to a private instance of Azure OpenAI for Security Copilot.

  • Copilot does not give you additional access to things because it uses RBAC

  • Talking about licensing and security compute units that are needed to use security copilot.

  • Can be accessed via a standalone experience, but also embedded, like within Intune on a sidebar, to pull reports on policies, etc.

  • Endpoint Privilege Management

  • This guy is moving really fast so I’m going to miss a few things

  • Talking about EPM and how it works for installing programs, etc

  • Approved in Intune portal by admin

  • Enterprise App Management (EAM): talking about EAM and how it works.

  • Something just added to EAM is the ability to put a PowerShell script within the packager.

  • Now talking about remote help, which is just remote sessions. This is integrated within the Intune console.

  • Working on unattended support which can be used without the user there, not working yet but it is coming.

  • Shows alerts about the device, saying it’s not compliant during the remote session, assuming this goes off of compliance policies.

  • There are options to do admin rights / UAC prompts.

  • Now talking about advanced analytics - Takes all the data from endpoints and gives you tools / reports on that data.

  • Can see a timeline for a specific device, a timeline of events, a device was rebooted, an app crashed, windows update installed, etc.

  • Now talking about copilot assisted device query.

  • Hardware inventory has been updated a lot over the past year to get more information.

  • You can ask Copilot a question such as "What are the top 10 processes using the most memory on this device?" It will then create the KQL query, and when run it will give you the information on the device; data is near real time. You get back essentially what Task Manager looks like as if you were on that device.

  • This is also available via multi-device query. I'm also assuming that to use Copilot here you need Security Copilot.

  • Multi-device query uses cached data, which is done every 24 hrs on a device, so it may not be exact real-time data.

  • Recently released was a chat interface

  • Can access Copilot anywhere; you just press the button and it pops up.

  • You ask a question about the environment, it looks at the data and gives you a readout for it.

  • Explorer gives a view into all tenant data; can look across data across the entire tenant and see things about apps, devices, compliance, you name it, it's probably there. This also uses KQL, but you can use Copilot to assist with prompts.

  • Will be hearing a lot about agents this week; Intune has a vulnerability and remediation agent. It looks at data and finds vulnerabilities in your environment, tells you about the vulns and links to CVEs so you can remediate. It's in the Intune console, not in the Defender console.

  • Break time

  • Steve Thomas is back to talk about security best practices

  • Security in Windows Cloud: 3 areas, secure identity, secured access, secured data

  • Secured by default:

  • Trusted Launch VMs enabled by default

  • Port 3389 is disabled by default in W365

  • Credential Guard and HVCI (memory integrity) for new and reprovisioned Cloud PCs

  • Drive, clipboard, low-level USB & printer redirections are disabled by default.
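
Defaults are only useful if nothing has drifted from them, so here is a check for the secured-by-default list above, run from inside a Cloud PC. It is an added example for this post, not code from the session or from Microsoft. The mapping of the listed redirections to the standard Terminal Services policy registry values is an assumption of the example, and Trusted Launch is checked indirectly through what it exposes to the guest (Secure Boot and a virtual TPM).

```powershell
# Added example: verify the "secured by default" settings from inside a Cloud PC. Run in an
# elevated PowerShell on the Cloud PC. The registry value names are the standard Terminal
# Services policy values for the listed redirections; that mapping is an assumption of this
# example, not something the session stated.

function Get-CloudPcSecurityPosture {
    # Virtualization-based security status. SecurityServicesRunning contains
    # 1 for Credential Guard and 2 for HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)

    # Trusted Launch is visible in the guest as Secure Boot plus a (virtual) TPM.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    $tpm = Get-Tpm

    # Inbound RDP. Reverse connect means the Remote Desktop firewall group can stay disabled.
    $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
    $rdpInboundOpen = @($rdpRules | Where-Object { "$($_.Enabled)" -eq 'True' }).Count -gt 0

    # Redirection policy values under the Terminal Services policy key (1 = disabled).
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $redirValues = [ordered]@{
        Drive     = 'fDisableCdm'
        Clipboard = 'fDisableClip'
        Printer   = 'fDisableCpm'
        PnpUsb    = 'fDisablePNPRedir'
    }
    $redir = [ordered]@{}
    foreach ($name in $redirValues.Keys) {
        $v = (Get-ItemProperty -Path $tsPolicy -Name $redirValues[$name] -ErrorAction SilentlyContinue).($redirValues[$name])
        $redir[$name] = if ($v -eq 1) { 'Disabled' } elseif ($null -eq $v) { 'NotConfigured' } else { 'Enabled' }
    }

    [pscustomobject]@{
        CredentialGuardRunning = ($running -contains 1)
        HvciRunning            = ($running -contains 2)
        SecureBoot             = $secureBoot
        TpmPresentAndReady     = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        RdpInboundFirewallOpen = $rdpInboundOpen
        DriveRedirection       = $redir.Drive
        ClipboardRedirection   = $redir.Clipboard
        PrinterRedirection     = $redir.Printer
        PnpUsbRedirection      = $redir.PnpUsb
    }
}

$posture = Get-CloudPcSecurityPosture
$posture | Format-List

# Anything listed here is a deviation from the defaults described in the session.
$findings = @()
if (-not $posture.CredentialGuardRunning) { $findings += 'Credential Guard is not running' }
if (-not $posture.HvciRunning)            { $findings += 'HVCI (memory integrity) is not running' }
if (-not $posture.SecureBoot)             { $findings += 'Secure Boot is off (Trusted Launch?)' }
if (-not $posture.TpmPresentAndReady)     { $findings += 'vTPM not present or not ready' }
if ($posture.RdpInboundFirewallOpen)      { $findings += 'Inbound Remote Desktop firewall rules are enabled' }
foreach ($p in 'Drive', 'Clipboard', 'Printer', 'PnpUsb') {
    if ($posture."${p}Redirection" -ne 'Disabled') { $findings += "$p redirection is $($posture."${p}Redirection")" }
}
if ($findings.Count -eq 0) { 'Cloud PC matches the secured-by-default baseline.' } else { $findings }
```

A NotConfigured result for a redirection means no value is present in that policy key; treat it as a prompt to find where the setting is actually being enforced (for example an Intune configuration profile) rather than as proof that redirection is allowed.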

  • Passwordless authentication is the way to go, using things like trusted signals, biometrics, and YubiKeys. Stops 99.9% of identity attacks. Makes MFA phishing-resistant.

  • If you implement passwordless you should also do SSPR just in case.

  • Now showing a demo of passwordless auth. Creating a provisioning policy for W365; make sure that single sign-on is enabled as part of that process.

  • Go to RDP properties and set the Microsoft single sign-on policy. Then the user can select the credentials to log in; in this case they are using a YubiKey that also requires a PIN.

  • Take advantage of user re-authentication policies when using Conditional Access, specifically after a certain amount of time has passed. Can do this based on certain scenarios. (See screenshot of scenarios later)
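
The two identity points above (phishing-resistant MFA for the Cloud PC sign-in, and re-authentication after a set time) map to a single Conditional Access policy. The script below creates one in report-only mode; it is an added example for this post, not code from the session or from Microsoft. It assumes the Microsoft Graph PowerShell SDK and the scopes it requests, that the cloud apps show up under the display names "Windows 365" and "Azure Virtual Desktop" in your tenant, that the built-in authentication strength is named "Phishing-resistant MFA", and that a break-glass exclusion group exists (the group name here is a placeholder). The 8-hour interval is illustrative, not a value from the session.

```powershell
# Added example: a report-only Conditional Access policy that requires phishing-resistant
# MFA for Cloud PC sign-in and re-prompts for authentication on a fixed interval (the
# re-authentication control mentioned above). Assumes the Microsoft.Graph SDK and the scopes
# below; the app, authentication-strength and group display names are assumptions and must
# match what the tenant shows. The 8-hour interval is illustrative.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All', 'Group.Read.All' -NoWelcome

# Resolve the first-party apps by display name rather than hard-coding app IDs.
$appNames = @('Windows 365', 'Azure Virtual Desktop')   # assumed display names; verify in Entra
$appIds = foreach ($n in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$n'" | Select-Object -First 1
    if ($sp) { $sp.AppId } else { Write-Warning "Service principal '$n' not found; skipping" }
}
if (-not $appIds) { throw 'No target cloud apps resolved' }

# Built-in authentication strength covering FIDO2, certificate-based auth and Windows Hello for Business.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' } | Select-Object -First 1
if (-not $strength) { throw "Authentication strength 'Phishing-resistant MFA' not found" }

# Break-glass accounts must be excluded; the group name is a placeholder for this example.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'" | Select-Object -First 1
if (-not $breakGlass) { Write-Warning 'No break-glass exclusion group found; do not enforce this policy without one' }

$body = @{
    DisplayName = 'W365 - phishing-resistant MFA + periodic re-auth (report-only)'
    State       = 'enabledForReportingButNotEnforced'   # validate impact before enforcing
    Conditions  = @{
        Users = @{
            IncludeUsers  = @('All')
            ExcludeGroups = @( if ($breakGlass) { $breakGlass.Id } )
        }
        Applications   = @{ IncludeApplications = @($appIds) }
        ClientAppTypes = @('all')
    }
    GrantControls = @{
        Operator               = 'OR'
        AuthenticationStrength = @{ Id = $strength.Id }
    }
    SessionControls = @{
        SignInFrequency = @{
            IsEnabled          = $true
            FrequencyInterval  = 'timeBased'
            Type               = 'hours'
            Value              = 8
            AuthenticationType = 'primaryAndSecondaryAuthentication'   # re-prompt for MFA too, not only the first factor
        }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
$policy | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs show the expected population and no unexpected blocks; what the user actually experiences at the re-authentication interval also depends on whether single sign-on is enabled in the provisioning policy, as in the demo above.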
