In my 1st blog post related to Windows 365, I discussed how to get started with the product. This is post #2 of the series and in this, I want to discuss what to think when planning for your Windows 365 deployment and especially how to set up RBAC. Before jumping into the technical side of W365 it is important to understand why you need Cloud PCs in the first place. And once identified, triaging the tasks are essential and that’s where the RBAC comes in. As with other products, Windows 365 has a main admin role as well as built-in roles along with options for custom roles if needed. This is my take on those and how you can complete this step before configuring the devices. Hope this will be a good guide to add to your bookmarks 🙂
If you missed my 1st blog post, please check below.
What I Will be discussing? 👇🏽
- How to choose and What to Consider?
- CPC Lifecycle
- Supported CPC Authentication
- RBAC For The Win
- Prepare Your Azure AD Groups
- End User Communication
- Wrapping Up
How to choose and What to Consider?
Some major thinking points for you to determine hows your Windows 365 implementation should be.
- Do you need the CPC to have a line of site access to your DCs?
Some organizations require the devices to be joined to on-prem AD for various reasons and mainly as they treat the on-prem AD as the source of truth. Sometimes the file shares are still coming from local file servers and they need to be accessible.
- Are you using GPOs or Intune policies? or both?
If you are in the middle of moving your GPOs to the cloud by replacing them with Intune policies or if you are using both in mixed mode or if you are still using GPOs only, you might need the CPC to be Hybrid AAD Joined.
- Do users need LOB apps that are connected to your on-prem domain? or the app authentication managed via Azure AD?
Same as above, modern applications can be authenticated via Azure AD or if you have Azure AD App proxy setup for the apps that aren’t modern apps, you can consider provisioning CPCs that are Azure AD Joined. Then again you should not have any local AD relationship with the devices as AAD Joined only talks with the cloud but not the on-prem AD.
There are situations where you may have apps that authentication hasn’t been changed to Azure AD and still depend on LDAP or legacy authentication methods. This can be a deal breaker if you need to move the CPC authentication to Azure AD.
- Any Geographical requirements?
This comes into play when you have users across many regions. This can align with your Azure Network if you have one and especially it can be a compliance requirement to make sure the proper region retains your data at rest keeping it in the same region as the CPC user is in will enhance their performance as well.
- Require M365 Apps and Teams?
This is more for choosing the right CPC sizes for the users. There can be users who do processor-heavy work or standard front desk type work.
This link Cloud PC Chooser will help you to understand this better.
🔗Check this planning guide from Microsoft
CPC Lifecycle
As a standard “physical” workstation where you purchase – configure – protect – monitor – retire, CPCs also have a similar lifecycle.
My upcoming Windows 365 related blog posts will mainly go with the lifecycle theme as that will cover all ground.
Provision
Once you have the correct images, licenses, provisioning policies, and/or Azure Network setup, you can start provisioning the CPCs. Best to manage the provisioning via targetted groups so it will be easy to manage.
Configure
Identifying the join requirements (AADJ or HAADJ), setting up security baseline policies, compliance policies as well as other Intune configuration profiles that help you to streamline the CPCs. I would add this is where you set up your RBAC for the rest of the IT team as well.
Protect
Setting up Azure AD Conditional Access Policies, onboarding the CPC to Microsoft Defender for Endpoint, setting up Security Policies via Intune and other Information protection policies that prohibits copy/paste and saving files to unmanaged locations, etc,
Monitor
Endpoint Analytics, Intune reports, and Microsoft Productivity Score will help you to understand if the CPC environment is running without any performance issues. If you have any issues, then you can always resize the CPC – which I will be discussing in another post. Using Intune portal’s Proactive Remediations to improve CPC monitoring is another good way to understand the CPCs are running as expected.
Deprovision
Blocking access immediately, Revoking the user’s refresh token, and de-provisioning the CPC altogether can be done as that will securely remove access from the user which can be due to various reasons.
Supported CPC Authentication
As we briefly touch base in the previous section, Azure AD provides authentication for Azure AD Joined (AADJ) CPCs and Local AD provides authentication for Hybrid Azure AD Joined (HAADJ) CPCs.
- Windows desktop client
- Username and password
- Smartcard
- Windows Hello for Business certificate trust
- Windows Hello for Business key trust with certificates
Smartcard and Windows Hello authentication requires the Windows desktop client to be able to perform Kerberos authentication when used with Hybrid AADJ. This requires the physical client to have a line of sight to a domain controller.
- Windows store client
- Username and password
- Web client
- Username and password
- Android
- Username and password
- iOS
- Username and password
- macOS
- Username and password
RBAC For The Win
All in Access
- Windows 365 Administrator – Manages All Aspects of Windows 365
- Manage Windows 365 Cloud PCs in Microsoft Endpoint Manager
- Enroll and manage devices in Azure AD, including assigning users and policies
- Create and manage security groups, but not role-assignable groups
- View basic properties in the Microsoft 365 admin center
- Read usage reports in the Microsoft 365 admin center
- Create and manage support tickets in Azure AD and the Microsoft 365 admin center
You can go to Admin Center from admin.microsoft.com > Roles > and select the Windows 365 Administrator to add the members
Cloud PC Built-in Roles
- Cloud PC Administrator – Manages all aspects of Cloud PCs.
- OS image management
- Azure network connection configuration
- Provisioning
- Cloud PC Reader – Views Cloud PC data available in the Windows 365 node in Microsoft Endpoint Manager, but can’t make changes
You can go to Intune Admin Portal from endpoint.microsoft.com > Tenant Administration > Roles
Create Your Own Custom Role Using Built-in Roles
As you can see below in the same Roles section of the Intune portal, go to Create and select Windows 365 role
Provide the name for the role
Set the options as needed
Once created you can assign the Role to your admins.
And done.
Prepare your Azure AD Groups
Having groups created and ready to go can be handy as you are finalising the deployment strategy. The reason is you may have users that require different CPC sizes given the activities they perform. A good combination can be adding the proper licensing attached to the group along with the proper group name.
Example License = Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB
Some examples of the Azure AD Group name can be done as
W365CPC-ENT-2CPU-8MEM-128ST or
CPC-ENT-2CPU-8RAM-128SSD or
W365-ENT-2CPU-8RAM-128ST
End User Communication
Getting the comms right at the start will greatly help you in the rollout. For a standard workstation user, a Cloud PC can be a new word in their work vocabulary. Saturating them with proper announcements will help you and them for a good transition. Below are some talking points where you can provide information to your users.
- What is a Cloud PC?
- What can I do with a Cloud PC?
- How and what changes from what I do at the moment?
- Cloud PC Benefits?
- How to request a Cloud PC?
- How to access the Cloud PC?
- Whom to contact?
Wrapping Up
I hope this gave you a theatrical understanding of how to work with Cloud PCs and Windows 365 as a whole. This can be a large investment in your organization and having the right strategy in mind can help to achieve goals in the right way without facing any roadblocks,
EMS Route - Shehan Perera 
One thought on “How to Plan for a Windows 365 Cloud PC Deployment?”