Windows 365 Study Guide


“With Windows 365, we’re creating a new category: the Cloud PC. Just like applications were brought to the cloud with SaaS, we are now bringing the operating system to the cloud…”

- Satya Nadella, Chairman and CEO, Microsoft


Introduction to Windows 365

What is Windows 365?

Windows 365 is a cloud-based service that automatically creates a new type of Windows virtual machine (Cloud PCs) for your end users. Each Cloud PC is assigned to an individual user and is their dedicated Windows device. Windows 365 provides the productivity, security, and collaboration benefits of Microsoft 365.

Windows 365 is available in two editions:

What is a Cloud PC?

A Cloud PC is a highly available, optimized, and scalable virtual machine providing end users with a rich Windows desktop experience. It’s hosted in the Windows 365 service and is accessible from anywhere, on any device.

End users have a 1:1 relationship with their Cloud PC. It’s their own personal PC in the cloud.

How is Cloud PC Billed?

How to connect?

Cloud PCs are billed in a per-user per-month cost model. This model means your organization doesn’t have to manage the variability of compute and storage costs of a traditional hosted desktop model.

Access from a variety of devices and operating systems:

Form factor:

Desktop / Laptop / Tablet / Phone

Platform:

Windows / Mac, iOS / Android


Cloud PC Recommendations

This table shows examples of the different sizes available for a Cloud PC:

  • Available SKUs

    [2vCPU/4GB/256GB] [2vCPU/4GB/128GB] [2vCPU/4GB/64GB]

    Example scenarios:

    Firstline workers, call centers, education/training/CRM access, mergers and acquisition, short-term and seasonal, customer services.

    Recommended apps

    Microsoft 365 Apps, Microsoft Teams (Audio only), OneDrive, Adobe Reader, Microsoft Edge, line-of-business apps, Defender support.

  • Available SKUs

    [2vCPU/8GB/256GB] [2vCPU/8GB/128GB]

    Example scenarios:

    Bring-your-own-PC, work from home, market researchers, government, consultants.

    Recommended apps

    Microsoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, PowerPoint, OneDrive, Adobe Reader, Microsoft Edge, line-of-business apps, Defender support.

  • Available SKUs

    [4vCPU/16GB/512GB] [4vCPU/16GB/256GB] [4vCPU/16GB/128GB]

    Example scenarios:

    Finance, government, consultants, healthcare services, bring-your-own-PC, work from home.

    Recommended apps

    Microsoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, PowerPoint, Power BI, Dynamics 365, OneDrive, Adobe Reader, Microsoft Edge, line-of-business app, Defender support.

  • Available SKUs

    [8vCPU/32GB/512GB] [8vCPU/32GB/256GB] [8vCPU/32GB/128GB]

    Example scenarios:

    Software developers, engineers, content creators, design and engineering workstations.

    Recommended apps

    Microsoft 365 Apps, Microsoft Teams, Outlook, Access, OneDrive, Adobe Reader, Microsoft Edge, Power BI, Visual Studio Code, virtualization-based workloads: Hyper-V, Windows Subsystem for Linux (WSL), line-of-business apps, and Defender support.

Video: Simple Architecture Deployment Demo 👇

Test performance

To ensure experience expectations are met, you should test your deployment with simulation tools. You can track the user experience and resource consumption with services like Endpoint Analytics.

If extra resources are needed for the Cloud PC, an admin or end user can easily upgrade the size of their Cloud PC. For more information, see Resize a Cloud PC.

Windows 365 offers fixed-price licensing (through Microsoft 365) for different Cloud PC sizes. You should assess your business requirements to determine which sizes make sense for your users.


How to deploy Windows 365?!

Start with Simplest Deployment Model

Device Identity 👉 Azure AD Joined

Networking 👉 Microsoft Hosted Network

Management 👉 Microsoft Intune

OS Images 👉 Gallery Images

Client App 👉 Windows 365 App

Start here: Microsoft-hosted network

This option is simple, reliable, and scalable, offering Cloud PC connectivity where Microsoft provides the service in a true SaaS approach. With this option, Microsoft:

Do you need Custom Image?!

Creating a custom Image is an optional step. You could very well use Microsoft provided Gallery Images for provisioning Windows 365 Cloud PCs. Microsoft does provide both Windows 10 and Windows 11 Cloud PC optimized Images. The best approach is to do customization of your organisations operating system post deployment using Microsoft Intune.

If you still want to create a Custom Image for your Windows 365 for whatever reason, you can use these steps shown in the tutorial video (Episode 03)

Sysprep Command:

sysprep.exe /generalize /shutdown /oobe

Video: Custom Image Creation Demo 👇


Windows 365 “three” Architecture Options

Option #1: AADJ +Microsoft Hosted Network

Video: Technical Walkthrough 👇

Benefits

  • No Azure subscription is required

  • All you need is the required licenses

  • No additional costs for network infra

  • No Azure Networking expertise or managment

  • Low complexity and rapid deployment

  • Aligned to Zero Trust Model

  • Very high speed internet

  • Aligned to SaaS Model

Considerations

  • Not compatible with Hybrid Azure AD Join

  • No direct access to on-premises resources

  • A VPN or private access needed to access internal resources

  • No control of the VNet

  • Local network communication between Cloud PCs are blocked

  • Port 25 and Ping/ICMP is blocked

  • No way for admins to control the IP address ranges and/or address space.

  • No GPO management, only Intune.


Option #2: AADJ + BYO Azure Network

You have two options for network deployment of the Windows 365 service:

  • Use a Microsoft-hosted network

    • Recommended option.

    • Ideal for the Windows 365 Software-as-a-Service (SaaS) features of simplicity, reliability, and scalability.

    • Supports the Azure Active Directory join identity model.

    • No requirement for Azure subscription or expertise.

  • Use Azure Network Connections (ANC)

    • Supports both Azure AD join and hybrid Azure AD join identity models.

Video: Technical Walkthrough 👇

When using Azure AD join, you’re not required to create a connection from the VNet to your on-premises network. You must merely make sure that there is outbound internet connectivity to the required endpoints.

However, you might want to add an on-premises connection for accessing resources located in your on-premises file servers and applications. You can create the connection by using ExpressRoute or site-to-site VPN, but these options present extra cost and complexity.


Option #3: Hybrid AADJ + On-premises Network

Video: Technical Walkthrough 👇

With Hybrid Azure AD join, a connection to the on-premises network is required from the VNet. The only way to reach the DC infrastructure located there is to use the ANC deployment option. This connection is a critical component so care should be taken to ensure reliability and redundancy.

Benefits

  • Full control of the VNet.

  • Direct line-of-sight to on-premises infrastructure.

  • The vNet can be configured with a site-to-site VPN or ExpressRoute connection.

  • Cloud PC operated like it’s on an on-premises location.

  • Simple peering to other VNets.

Considerations

  • Azure subscription required.

  • Egress costs. Because the VNet is associated with your own Azure account, any egress costs are incurred to your Azure subscription.

  • Azure networking expertise or management required.

  • Higher complexity. You must manage and maintain your network.

  • Longer deployment. This extra time is caused by the high number of customer side elements that must be configured first.

  • Higher Risk. An ANC deployment is more complex than a Microsoft-hosted network deployment. This complexity increases the risk of connectivity issues.


Windows 365 “Boot“

What is Windows 365 Boot?

Windows 365 Boot is in public preview. During this preview, Windows 365 Boot is designed for shared PC scenarios.

Windows 365 Boot lets admins configure Windows 11 physical devices so that users can:

  • Avoid signing in to their physical device.

  • Sign in directly to their Windows 365 Cloud PC on their physical device.

Multiple users can use the same physical device to sign in to their own personal Cloud PCs. When each user signs in to the physical device, their unique identity takes them to their assigned and secure Cloud PC.

This flexibility makes Windows 365 Boot a good solution for workers such as nursing, salespeople, and call centers, who share company physical devices. Such workers might frequently switch between physical tasks and computer interaction. Windows 365 Boot lets them bypass the lengthy startup process and boot directly into their secure Cloud PC to pick up right where they left off.

Video: Boot to Cloud PC Setup and Demo 👇

Shift workers can:

  1. Sign out from their Cloud PC on the physical device.

  2. Pass the physical device over to the next employee during a shift change.

  3. The next shift worker can use the same physical device to sign in to their Cloud PC.


Windows 365 “Switch”

What is Windows 365 Switch?

Windows 365 Switch lets you sign in and connect to your Cloud PC using the Windows 11 Task view.

Just like switching between your local desktops, you can now switch between your Cloud PC and your physical device.

Requirements

To use Windows 365 Switch, you must meet the following requirements:

  • Your Physical Device:

    • Windows 11 Pro or Enterprise version 22621.2050 or later.

    • Enrolled in the Windows Insider Program, Beta Channel (preferred) or Dev Channel.

    • Windows 365 app version 1.3.179.0 or later.

  • Your Cloud PC:

    • Enrolled in the Windows Insider Program, Beta Channel (preferred) or Dev Channel.

Video: Windows 365 Switch Setup and Demo 👇

Note: 

Once you have established the connection to the Cloud PC. Switching to and from the Cloud PC will happen within less than a second!


Windows 365 “Frontline”

What is Windows 365 Frontline?

Windows 365 Frontline makes it easy and affordable to extend the power of Cloud PCs to shift workers, allowing them to securely access their personalized Windows experience on any device without the hassle of sharing physical PCs. Free up your frontline employees to work from anywhere, helping to boost their productivity and job satisfaction.

Windows 365 Frontline is a version of Windows 365 that helps organizations save costs by providing a single license to provision three Cloud PC virtual machines. Each license:

  • Lets you provision up to three Cloud PCs.

  • Provides one concurrent session.

How will licensing for Windows 365 Frontline work?

A single license can be shared with up to three employees.

Organizations should purchase licenses equivalent to the number of employees who will access Cloud PCs during the same shift, or same hours of the day. For example, an organization with 300 employees only needs to purchase 100 Windows 365 Frontline licenses to enable all 300 employees with Cloud PC access over the course of the day.

Video: Windows 365 Frontline Setup and Demo 👇

Note: 

Windows 365 licenses will show up in the Microsoft 365 admin center under the Products tab only, and do not need to be assigned to specific users.


Windows 365 VS “Microsoft Dev Box”

What is Microsoft Dev Box?

Microsoft Dev Box gives you self-service access to high-performance, preconfigured, and ready-to-code cloud-based workstations called dev boxes. You can set up dev boxes with tools, source code, and prebuilt binaries that are specific to a project, so developers can immediately start work. If you're a developer, you can use dev boxes in your day-to-day workflows.


The Dev Box service was designed with three organizational roles in mind: platform engineers, developer team leads, and developers. Microsoft Dev Box bridges the gap between development teams and IT, by bringing control of project resources closer to the development team.

Which licenses do I need to use Dev Box?

To use Dev Box, each user must be licensed for Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1. In addition to being available independently, these licenses are included in Microsoft 365 F3, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 A3, Microsoft 365 A5, Microsoft 365 Business Premium, and Microsoft 365 Education Student Use Benefit subscriptions.

Video: Microsoft Dev Box Setup and Demo 👇

Note: 

Microsoft Dev Box doesn't support the use of guest accounts or Microsoft accounts.


Windows 365 VS “Azure Virtual Desktop”

What is Azure Virtual Desktop?

Azure Virtual Desktop is a desktop and app virtualization service that runs on the cloud.

Here's what you can do when you run Azure Virtual Desktop on Azure:

  • Set up a multi-session Windows 11 or Windows 10 deployment that delivers a full Windows experience with scalability

  • Present Microsoft 365 Apps for enterprise and optimize it to run in multi-user virtual scenarios

  • Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer

  • Virtualize both desktops and apps

  • Manage desktops and apps from different Windows and Windows Server operating systems with a unified management experience

How do you pay for W365 and AVD?

  • W365 – is a fixed, per-user, per-month cost for the W365 licenses bought in the M365 portal.

  • AVD – is a monthly cost based on your Azure consumption including the size of VMs and how long they’re on for. This is billed as part of your Azure subscription.

Video: AVD Setup and Demo 👇

Note: 

With AVD, you pay for what you use. Azure VMs are deployed as session hosts for virtual desktop sessions and you pay for the Virtual Machines (VMs) through an Azure subscription. The monthly cost of the VMs is based on their size (CPU and memory), and you are billed for running time regardless of whether anyone is using them. Therefore, if your users only need their Virtual Desktops during business hours, then you can shut them down out of hours to reduce the monthly cost of your VMs.


How to secure your Windows 365 Cloud PC?

Enable MFA on Windows 365 Cloud PCs

Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.

It is essential to secure identities and environments from hackers in today’s world, and Windows 365 is no exception. Azure Multi-factor Authentication (MFA) In combination with conditional Access, makes securing your Windows 365 environment even easier and more manageable.

Available verification methods

  • The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

    • Microsoft Authenticator

    • Authenticator Lite (in Outlook)

    • Windows Hello for Business

    • FIDO2 security key

    • OATH hardware token (preview)

    • OATH software token

    • SMS

    • Voice call

Video: MFA to secure Cloud PC Setup and Demo 👇

Note: 

MFA prompt language is determined by browser locale settings. If you use custom greetings but don’t have one for the language identified in the browser locale, English is used by default. Network Policy Server (NPS) will always use English by default, regardless of custom greetings. English is also used by default if the browser locale can't be identified.


How to “Patch” Cloud PC using “Autopatch”?

Patching Cloud PCs using Windows Autopatch

Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.


What are the licensing requirements for Windows Autopatch?

  • Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see More about licenses.

  • Azure AD Premium (for Co-management)

  • Microsoft Intune (includes Configuration Manager 2010 or greater via co-management)

Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.

Video: Patch Cloud PC using “Autopatch” 👇

Note: 

Windows Autopatch requires Windows 10/11 Enterprise E3 or higher, to be assigned to the users. Without the availability of that license, or a license that includes that license, Windows Autopatch won’t be avialable.


“Secure” Cloud PC using “FIDO2 key”?

Prerequisites and Requirements

  • Azure Active Directory (Azure AD)

  • Azure AD Multi-Factor Authentication (MFA)

  • Azure AD Conditional Access (CA)

  • Enable Combined security information registration *

  • Microsoft Endpoint Manager (MEM)

  • Microsoft compatible FIDO2 security key

  • For Azure AD joined devices, the best experience is on Windows 10 version 1903 or higher.

  • Hybrid Azure AD joined devices must run Windows 10 version 2004 or higher.

  • WebAuthN requires Windows 10 version 1903 or higher **

  • To use Windows 365 Enterprise, each user needs a license for Windows 10 or 11 Enterprise, Microsoft Endpoint Manager (Intune), and Azure AD P1 (e.g., Microsoft 365 E3 + Windows 365 Enterprise 4 vCPU, 16 GB, 128 GB)

To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol. These include Microsoft Edge, Chrome, Firefox, and Safari

Video: Secure Cloud PC using “FEITIAN FIDO2 key” 👇

I used Mindcore.dk blog to create this video


Windows 365 Reporting

Prerequisites and Requirements

Video: Windows 365 Reporting Hands-on Lab 👇


Requirements for Windows 365

Licensing

  • You must have an Intune license to use Intune to manage the devices.

  • Users must have licenses for Windows E3, Intune, Azure AD P1, and Windows 365 to use their Cloud PC.

  • or Microsoft 365 E3

Intune

  • A valid and working Intune

  • Ensure that Intune device type enrollment restrictions are set to Allow Windows (MDM) platform for corporate enrollment.

Role and Identity

  • User identity: Cloud PC users must be configured with hybrid identities so that they can authenticate with resources both on-premises and in the cloud.

Management

  • You must use Microsoft Intune admin center to manage your Cloud PCs.

  • You must have a Windows 365 Enterprise license to manage Cloud PC configurations.

Azure

None, if you plan on provisioning Azure AD joined Cloud PCs on a Microsoft hosted network.

  • If you choose to provision Cloud PCs on your own network, an active Azure subscription with the following configurations is required:

    • Sufficient permissions to grant Windows 365:

      • A reader role on the subscription.

      • Network contributor permissions on the resource group.

      • A network contributor role on the vNet.

Domain

None, if you plan on provisioning Azure AD joined Cloud PCs on a Microsoft hosted network.

  • If you choose to provision Hybrid Azure AD joined Cloud PCs, then the following configurations on your domain are required:

    • If an organizational unit is specified, ensure it exists and is valid.

    • An Active Directory user account with sufficient permissions to join the computer into the specified organizational unit within the Active Directory domain. If you don't specify an organizational unit, the user account must have sufficient permissions to join the computer to the Active Directory domain.

    • User accounts that are assigned Cloud PCs must have a synced identity available in both Active Directory and Azure Active Directory.

Network

To use your own network and provision Azure Active Directory (Azure AD) joined Cloud PCs, you must meet the following requirements:

  • Azure virtual network: You must have a virtual network (vNET) in your Azure subscription in the same region as where the Windows 365 desktops are created.

  • Network bandwidth: See Azure’s Network guidelines.

  • A subnet within the vNet and available IP address space.

To use your own network and provision Hybrid Azure AD joined Cloud PCs, you must meet the above requirements, and the following requirements:

  • The Azure virtual network must be able to resolve DNS entries for your Active Directory Domain Services (AD DS) environment. To support this resolution, define your AD DS DNS servers as the DNS servers for the virtual network.

  • The Azure vNet must have network access to an enterprise domain controller, either in Azure or on-premises.

Azure Active Directory

  • Azure Active Directory Domain Services isn't supported because it doesn't support Hybrid Azure AD join.

  • Infrastructure configuration: If you plan on provisioning Hybrid Azure AD joined Cloud PCs, you must configure your infrastructure to automatically hybrid Azure AD join any devices that domain join to the on-premises Active Directory. This configuration lets them be recognized and managed in the cloud.


Quick Links

Configure your Cloud PC

W365 Business docs

W365 Roadmap

Help me choose Cloud PC

W365 Enterprise docs

W365 Frontline

Plans and pricing

Comparison

W365 Boot

Windows 365 FAQs

Join community

W365 Regions


Previous
Previous

Azure AI Study Guide

Next
Next

Teams Study Guide