Create provisioning policies
Cloud PCs are created and assigned to users based on provisioning policies. These policies hold key provisioning rules and settings that let the Windows 365 service set up and configure the right Cloud PCs for your users. After provisioning policies are created and assigned to the Azure AD user security groups or Microsoft 365 Groups, the Windows 365 service checks for appropriate licensing for each user and configures the Cloud PCs accordingly.
A few things to keep in mind:
- If a user in an assigned group doesn’t have a Cloud PC license assigned, Windows 365 won’t provision their Cloud PC.
- For each Cloud PC license assigned to a user, only one provisioning policy is used to set up and configure the Cloud PC. If a user is targeted by more than one policy, the Windows 365 service uses the first assigned policy to provision the Cloud PC; the others are ignored.
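Both rules above are easy to violate silently when groups overlap or licenses lapse, so the following audit script, added here as an example and not part of the Windows 365 documentation, lists users in assigned groups who have no Windows 365 license and users who are targeted by more than one provisioning policy. It assumes the Microsoft.Graph PowerShell SDK, that the Graph beta resource deviceManagement/virtualEndpoint/provisioningPolicies supports $expand=assignments with a target.groupId on each assignment, and that Windows 365 license SKUs have a skuPartNumber beginning with CPC_; verify all three against the current Graph reference before relying on the output.

```powershell
# Added example: audit Windows 365 provisioning-policy assignments against
# the two rules above. Not from the Windows 365 docs. Assumptions: Microsoft.Graph
# SDK installed; beta provisioningPolicies supports $expand=assignments;
# Windows 365 SKUs have skuPartNumber like CPC_*.
Connect-MgGraph -Scopes 'CloudPC.Read.All','Group.Read.All','User.Read.All','Organization.Read.All' | Out-Null

function Get-GraphCollection {
    # Follow @odata.nextLink so large groups are fully enumerated.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# 1. Which subscribed SKUs are Windows 365 (Cloud PC) licenses? Assumed CPC_* naming.
$cpcSkuIds = @(Get-GraphCollection 'https://graph.microsoft.com/v1.0/subscribedSkus' |
    Where-Object { $_.skuPartNumber -like 'CPC_*' } | ForEach-Object { $_.skuId })

# 2. Walk every policy's assigned groups and record which policies target each user.
$policies     = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/provisioningPolicies?$expand=assignments'
$userPolicies = @{}   # userId -> policy display names
$users        = @{}   # userId -> user object (id, UPN, assignedLicenses)
foreach ($policy in $policies) {
    foreach ($assignment in $policy.assignments) {
        $groupId = $assignment.target.groupId
        if (-not $groupId) { continue }
        # Transitive membership: nested groups count for assignment too.
        $members = Get-GraphCollection "https://graph.microsoft.com/v1.0/groups/$groupId/transitiveMembers/microsoft.graph.user?`$select=id,userPrincipalName,assignedLicenses"
        foreach ($u in $members) {
            $users[$u.id] = $u
            if (-not $userPolicies.ContainsKey($u.id)) { $userPolicies[$u.id] = @() }
            $userPolicies[$u.id] += $policy.displayName
        }
    }
}

# 3. Report the two conditions called out above.
foreach ($id in $userPolicies.Keys) {
    $u = $users[$id]
    $hasCpcLicense = @($u.assignedLicenses | Where-Object { $cpcSkuIds -contains $_.skuId }).Count -gt 0
    if (-not $hasCpcLicense) {
        Write-Warning "$($u.userPrincipalName): in an assigned group but holds no Windows 365 license; no Cloud PC will be provisioned."
    }
    $distinct = @($userPolicies[$id] | Select-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "$($u.userPrincipalName): targeted by $($distinct.Count) policies ($($distinct -join ', ')); only one is used per license."
    }
}
```

Run it from an account with the listed read scopes; it changes nothing in the tenant. The overlap warning cannot tell you which policy the service will pick, since the page only says "the first assigned policy", so treat any overlap as something to remove rather than to reason about.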
Create a provisioning policy
- Sign in to the Microsoft Endpoint Manager admin center, select Devices > Windows 365 (under Provisioning) > Provisioning policies > Create policy.
- On the General page, enter a Name and Description (optional) for the new policy.
  Tip: Your provisioning policy name cannot contain the following characters: < > & | " ^
- For On-premises network connection, select the connection to use for this policy > Next.
- On the Image page, for Image type, select one of the following options:
  - Gallery image: Choose Select > select an image from the gallery > Select. Gallery images are default images provided for your use.
  - Custom image: Choose Select > select an image from the list > Select. This shows the list of images that you uploaded using the Add device images workflow.
- Select Next.
- On the Assignments page, choose Select groups > choose the groups you want this policy assigned to > Select > Next.
- On the Review + create page, select Create. It can take up to 60 minutes for the policy creation process to complete, depending on when the Azure AD Connect sync last happened.
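The same procedure can be scripted through Microsoft Graph, which is useful when policies are created repeatedly or from a pipeline. The function below is an added example, not code from the Windows 365 documentation. It assumes the Microsoft.Graph PowerShell SDK and that the beta cloudPcProvisioningPolicy resource accepts displayName, description, onPremisesConnectionId, imageType and imageId, with a separate /assign action whose targets are cloudPcManagementGroupAssignmentTarget objects; the connection, image and group identifiers in the usage comment are placeholders. Check the request shapes against the current Graph reference before use.

```powershell
# Added example: create and assign a provisioning policy via Graph (not from the
# Windows 365 docs). Assumptions: Microsoft.Graph SDK; beta cloudPcProvisioningPolicy
# property names and the /assign action as written here; placeholder identifiers.
Connect-MgGraph -Scopes 'CloudPC.ReadWrite.All','Group.Read.All' | Out-Null
$base = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint'

function Test-ProvisioningPolicyName {
    # Enforces the character rule from the Tip above: < > & | " ^ are not allowed.
    param([Parameter(Mandatory)][string]$Name)
    return ($Name -notmatch '[<>&|"^]')
}

function New-CloudPcProvisioningPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = '',
        [Parameter(Mandatory)][string]$OnPremisesConnectionId,                    # existing on-premises network connection id
        [Parameter(Mandatory)][ValidateSet('gallery','custom')][string]$ImageType,
        [Parameter(Mandatory)][string]$ImageId,                                   # gallery image id or uploaded device image id
        [Parameter(Mandatory)][string[]]$GroupIds                                 # Azure AD security / Microsoft 365 group object ids
    )
    if (-not (Test-ProvisioningPolicyName $Name)) {
        throw "Policy name '$Name' contains one of the forbidden characters < > & | `" ^"
    }

    # General, On-premises network connection and Image pages of the walkthrough.
    $body = @{
        displayName            = $Name
        description            = $Description
        onPremisesConnectionId = $OnPremisesConnectionId
        imageType              = $ImageType
        imageId                = $ImageId
    }
    $policy = Invoke-MgGraphRequest -Method POST -Uri "$base/provisioningPolicies" -Body $body -ContentType 'application/json'

    # Assignments page: one group assignment target per group.
    $assign = @{
        assignments = @($GroupIds | ForEach-Object {
            @{ target = @{ '@odata.type' = '#microsoft.graph.cloudPcManagementGroupAssignmentTarget'; groupId = $_ } }
        })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$base/provisioningPolicies/$($policy.id)/assign" -Body $assign -ContentType 'application/json' | Out-Null
    return $policy
}

# Usage (placeholder ids; list real ones with GET $base/onPremisesConnections,
# GET $base/galleryImages or GET $base/deviceImages, and Get-MgGroup):
# New-CloudPcProvisioningPolicy -Name 'Finance Cloud PCs' -Description 'Hybrid joined, gallery Windows 11' `
#     -OnPremisesConnectionId '<onPremisesConnectionId>' -ImageType gallery `
#     -ImageId '<galleryImageId>' -GroupIds '<groupObjectId>'
```

As in the portal, assignment is a separate call after the policy exists, so a failure between the two leaves an unassigned policy behind; check the returned policy id and retry the assignment rather than creating a second policy, which would otherwise risk the duplicate-policy situation described under the rules above.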
Provisioning process
As an admin, you create provisioning policies and on-premises network connections to set up Windows 365 to provision Cloud PCs. Using this information, Windows 365 provisions Cloud PCs for your licensed users. This article explains all of the steps that Windows 365 completes automatically in the provisioning process.
There are three stages that Windows 365 automatically completes for Cloud PC provisioning:
- Core provisioning: Core provisioning performs every task required to stand up a VM and get it to the point of successful user sign-in.
- Post-provisioning configuration: Configuration changes are made to optimize the Cloud PC end-user experience.
- Assignment: The user is assigned to the Cloud PC and the user can now sign in.
Core provisioning
Core provisioning is optimized to only perform absolutely necessary steps to make sure a Cloud PC is provisioned successfully.
- Allocate Azure capacity: When provisioning first begins, Windows 365 allocates Azure capacity in the customer's chosen supported region. Customers don't need to manage capacity and allocation manually.
- Create VM: A virtual machine is created based on the Windows 365 license assigned to the user. Each Windows 365 license includes hardware capacity information, and the VM is created with those specs.
- Perform vNIC injection: When the VM is created, a virtual NIC is created and injected into the customer-provided vNet. This lets the Cloud PC connect to the customer's on-premises network.
- Active Directory domain join: After the VM is running, an Active Directory domain join operation joins the machine to the customer's domain.
- Hybrid Azure AD Join: To enable the cloud management scenarios, a Hybrid Azure AD Join must occur. At this stage, the Cloud PC is domain joined and should be a member of an OU that Azure AD Connect syncs. In this step, the service waits for the computer object to appear in Azure AD.
- Intune MDM enroll: After the Azure AD object is available, the Cloud PC is enrolled in Intune. This is performed as a device enrollment, and no user credentials need to be provided.
- Primary user assignment: The Cloud PC user is set as the Intune primary user to make sure self-service and reporting scenarios work seamlessly.
Post-provisioning configuration
After core provisioning is complete, Windows 365 optimizes the configuration to ensure the best end-user Cloud PC experience.
- Hide Start menu power icons: hide the shutdown button in the Start menu (HKLM:\Software\Microsoft\PolicyManager\default\Start\HideShutDown\value) and hide the shutdown button on the logon screen (HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon).
- Disable the Windows reset action: `reagentc.exe /disable`
- Assign the user as a local administrator (when applicable):
  ```powershell
  $Member = 'user@contoso.com'   # use the OnPremisesUserPrincipalName
  Add-LocalGroupMember -Group "Administrators" -Member $Member
  ```
- Set Teams for VDI mode: hosted desktop optimization (HKLM:\SOFTWARE\Microsoft\Teams\IsWVDEnvironment).
- Enable time zone redirection: enable the setting HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services\fEnableTimeZoneRedirection.
- Resize the OS disk partition to match the license: extend the OS partition to the full size of the Azure managed disk.
  ```powershell
  $DriveLetter = 'C'   # OS drive letter; C is assumed here
  $MaxSize = (Get-PartitionSupportedSize -DriveLetter $DriveLetter -ErrorAction Stop).SizeMax
  if ((Get-Partition -DriveLetter $DriveLetter).Size -lt $MaxSize) {
      Resize-Partition -DriveLetter $DriveLetter -Size $MaxSize
  }
  ```
Unlike core provisioning, if one or more of these optimizations fail, provisioning still succeeds. The Cloud PC is marked as Success with warnings and the process moves on to the assignment stage.
If that happens, you can manually trigger a reprovision if you want the post-provisioning configuration to be applied in full.
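Because "Success with warnings" does not say which optimization was skipped, the script below, added here as an example and not part of the Windows 365 documentation, checks each of the settings listed above on the Cloud PC itself and reports the ones that did not land. The registry paths are the ones from the list; the expected values (1 for the two hide-shutdown settings' "enabled" form is not given on the page, so 1/0 here are my reading of those policies), the "Windows RE status: Disabled" line from reagentc /info, and the optional primary-user parameter are assumptions. Run it in an elevated PowerShell session on the Cloud PC.

```powershell
# Added example: verify the post-provisioning optimizations on a Cloud PC.
# Not from the Windows 365 docs. Expected values, the reagentc output format
# and the -PrimaryUser parameter are assumptions; registry paths are from the list above.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { return $null }
}

function Test-CloudPcPostProvisioning {
    param(
        [string]$DriveLetter = 'C',   # OS drive; C assumed
        [string]$PrimaryUser          # optional, e.g. 'CONTOSO\user', checks local Administrators membership
    )

    $checks = @(
        @{ Name = 'HideShutDown (Start menu)';           Expected = 1
           Actual = Get-RegistryValueOrNull 'HKLM:\Software\Microsoft\PolicyManager\default\Start\HideShutDown' 'value' },
        @{ Name = 'ShutdownWithoutLogon (logon screen)'; Expected = 0
           Actual = Get-RegistryValueOrNull 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'ShutdownWithoutLogon' },
        @{ Name = 'Teams IsWVDEnvironment';              Expected = 1
           Actual = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Microsoft\Teams' 'IsWVDEnvironment' },
        @{ Name = 'fEnableTimeZoneRedirection';          Expected = 1
           Actual = Get-RegistryValueOrNull 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services' 'fEnableTimeZoneRedirection' }
    )

    # Windows RE: after "reagentc.exe /disable", "reagentc.exe /info" reports "Windows RE status: Disabled".
    $reInfo = (& reagentc.exe /info 2>&1) -join "`n"
    $reStatus = if ($reInfo -match 'Windows RE status:\s*(\w+)') { $Matches[1] } else { 'unknown' }
    $checks += @{ Name = 'Windows RE disabled'; Expected = 'Disabled'; Actual = $reStatus }

    # OS partition extended to the managed disk: allow a small alignment slack below SizeMax.
    $part = Get-Partition -DriveLetter $DriveLetter
    $max  = (Get-PartitionSupportedSize -DriveLetter $DriveLetter).SizeMax
    $checks += @{ Name = "OS partition $DriveLetter`: at max size"; Expected = $true; Actual = (($max - $part.Size) -lt 16MB) }

    if ($PrimaryUser) {
        $admins  = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
        $checks += @{ Name = "$PrimaryUser in Administrators"; Expected = $true; Actual = ($admins -contains $PrimaryUser) }
    }

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $c.Actual
            Status   = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK' } else { 'MISSING' }
        }
    }
}

Test-CloudPcPostProvisioning | Format-Table -AutoSize
```

A MISSING row points at the optimization to re-apply by hand or by reprovisioning; a row whose Actual is empty means the registry value was never written at all, which is the usual signature of a skipped step rather than a changed one.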
Assignment
After core provisioning and post provisioning configuration workflows are complete, the relevant user is assigned to the Cloud PC.
At this point, the user can sign in to windows365.microsoft.com and access their Cloud PC.