Welcome to the Windows 365 Enterprise interactive demo
Select Start to continue.
Windows 365 securely streams your desktop, apps, settings and content from the Microsoft cloud to all of your devices to provide a personalized Windows experience anywhere. Windows 365 extends end-user computing from the client to the cloud for businesses of all sizes, simplifying the experience with a complete service to securely buy, manage, and scale, all in one place.
Windows 365 Enterprise leverages Microsoft Intune to enable customers to provision and manage Cloud PCs using the same skills they use to deploy physical PCs, fully integrated with Entra ID and built on Azure.
This interactive demo walks you through key aspects of the Windows 365 Enterprise experience including:
- Provisioning Windows 365 Enterprise Cloud PCs - Utilize Microsoft Intune to deploy, configure and manage Cloud PCs - and then review the employee experience when using their Cloud PCs.
- Business Continuity and Disaster Recovery – Configure and test point-in-time restore for Windows 365 or Windows 365 Disaster Recovery Plus.
- Secure Client Access – Configure Microsoft Entra ID single sign-on (SSO) for Windows 365 and Intune Mobile Application Management (MAM) for Windows App.
- Windows 365 Link – learn more about the simple, secure, purpose-built device for Windows 365.

You can use the interactive experience by following the prompts to click and fill out highlighted links and form fields, or you can simply sit back and watch.
To get started, choose one of the demos at left.
There are a number of Windows 365 Interactive Demos available.
Select one to open in a new tab or select Continue to begin this interactive demo.
This interactive demo will walk you through utilizing Microsoft Intune to deploy, configure and manage Cloud PCs - and then reviewing the employee experience when using their Cloud PCs (including a preview of the new GPU capabilities coming to Windows 365 Enterprise Cloud PCs).
To get started, choose an exercise at left.
This exercise assumes that you have already purchased the appropriate Windows 365 license(s) in the Microsoft 365 admin center (https://admin.microsoft.com) or via another channel. To learn more about the features and pricing for Windows 365 Enterprise, consult this Microsoft site (Windows 365 enterprise plans and pricing | Microsoft).
Beginning in the Microsoft 365 admin center, logged in as admin@contoso.com, select Users > Active users in the left navigation.
On the Active Users page, locate the user to whom you want to assign a Windows 365 - Cloud PC license.
In this case, select Adele Vance.
On Adele’s person card, select the Licenses and apps tab.
Windows 365 offers a wide range of Cloud PC sizes/configurations to suit your employees’ computing needs. Included in these offerings are GPU-enabled Cloud PCs (currently in public preview) that are suitable for graphics-intensive workloads that need to be performance optimized. These offerings can help with graphic design, image and video rendering, 3D modeling, data processing and visualization applications that require a GPU to perform.
In this exercise, Contoso’s admin has already purchased licenses for GPU-enabled Windows 365 Enterprise Cloud PCs and wants to assign one to Adele Vance to support their work on advanced 3D modeling.
Select the checkbox next to Windows 365 Enterprise GPU Super to assign that license to Adele.
Click the Save changes button to finalize the license assignment.
Once the changes have been saved, you can click anywhere on the screen to complete this exercise and continue on to provision Adele’s GPU-enabled Cloud PC in Microsoft Intune.
Select an exercise to continue.
Cloud PCs are created and assigned to users based on provisioning policies defined in Microsoft Intune. In this exercise, you will be using the Microsoft Intune admin center to create and assign a Cloud PC provisioning policy. Provisioning policies allow you to define key parameters including which network will host the Cloud PC and whether it will be joined to the enterprise Active Directory and synced to Microsoft Entra (Hybrid Microsoft Entra join) or joined directly to Microsoft Entra (Microsoft Entra join).
Once a provisioning policy is assigned to a user or group, the Windows 365 service will check for appropriate licensing for those users and then provision and configure Cloud PCs accordingly.
Note: The administrator account being used in this demo has the Intune Service Admin role assigned.
Picking up in the Microsoft Intune admin center, logged in as Contoso’s administrator, select Devices in the left navigation.
On the Devices | Overview page, select Windows 365.
On the Devices | Windows 365 page, select the Provisioning policies tab.
On the Provisioning policies tab, click the Create policy button.
On the Create a provisioning policy page, select the Name field and type or copy/paste Windows 365 GPU and press Enter.
Contoso will be taking advantage of the option to join Cloud PCs directly to Microsoft Entra and host those Cloud PCs on Microsoft’s network. This is a great way to enable the benefits of Cloud PCs for your organization without the need to create and manage a connection to on-premises infrastructure.
Verify that the Join type is set to Microsoft Entra join and then select Microsoft hosted network as the network.
If you select the combination of Microsoft Entra Join and Microsoft Hosted network, you will need to select a geography and region.
To ensure the best experience for Contoso’s employees, you will be creating a provisioning policy for each of the regions in which Contoso has branch offices and then assigning those policies to the users in those regions. For this exercise, you will be starting with the US West.
Click to expand the Geography menu, then scroll down and select US West.
Leave the Region set to the recommended default (automatic) and click the Next button at the bottom of the Create a provisioning policy page.
When creating a provisioning policy you have the option of using a custom device image or selecting from the built-in gallery of images. The customer is free to pick whatever solution fits best for their needs.
Select Change under Windows 11 Enterprise + Microsoft 365 Apps H2 to review the images available in the gallery.
Contoso will be using the default – the latest Windows 11 + Microsoft 365 Apps image from the gallery, so select the X to close the select an image panel and then click Next at the bottom of the Create a provisioning policy page.
Windows 365 allows you to specify the default language and region settings for Cloud PCs created with this policy. Contoso will be leaving this set to the default value of English (United States) for this particular provisioning policy. Windows 365 also supports Windows Autopatch, enabling you to shift the planning and operation of the Windows and Microsoft 365 update process from your organization to Microsoft.
Contoso isn’t yet taking advantage of this service – so leave Additional Services set to None and then click Next.
On the assignments tab, click the Add groups button.
On the select groups to include pane, click in the Search field, type or copy/paste Windows 365, and press Enter.
Select Windows 365 GPU Users from the search results and then click Select at the bottom of the pane.
Verify that the Windows 365 GPU Users group is listed under Groups on the Assignments tab and then click the Next button.
Review your settings and then click the Create button. After clicking Create, the new Cloud PCs will start to provision directly for the Microsoft Entra group members that you assigned to the provisioning policy.
Once you get confirmation that the provisioning policy has been created, select the All Cloud PCs tab.
On the All Cloud PCs tab, you can see that Adele Vance’s GPU-enabled Windows 365 Cloud PC is now being provisioned. Click anywhere on the screen to continue to the point when provisioning is complete.
Now that Adele’s new Cloud PC is provisioned, select CPC-adele-01DYT to open the detailed view for that Cloud PC and learn more about the management capabilities in Intune.
Microsoft Intune provides comprehensive management and security options for administrators overseeing Windows 365 Cloud PCs through the Microsoft Intune admin center. Reviewing the top toolbar, these options include:
- Sync: This option allows you to synchronize the Cloud PC with Intune to ensure that the latest configurations and policies are applied to the device.
- Restart: This option enables you to remotely restart the Cloud PC, which can be useful for applying updates or resolving issues that require a reboot.
- Restore: This feature allows you to restore the Cloud PC to a previous state, which can help in recovering from problematic configurations or software issues.
- Reprovision: This option allows you to reprovision the Cloud PC, essentially resetting it and reapplying all initial configurations and applications.
- Resize: This feature enables you to change the hardware configuration of the Cloud PC, such as increasing or decreasing the allocated resources like CPU, RAM, or storage.
- Collect diagnostics: This option allows you to collect diagnostic logs from the Cloud PC to help troubleshoot and diagnose issues.
- Quick scan: This initiates a quick security scan on the Cloud PC to check for any potential security threats or issues.
- Full scan: This performs a more thorough security scan compared to the quick scan, potentially taking longer but providing a more comprehensive check for security threats.
- Update Windows Defender security intelligence: This option updates the security intelligence data for Windows Defender on the Cloud PC, ensuring it has the latest definitions to detect and prevent threats.
- Rotate local admin password: This feature allows you to rotate the local administrator password on the Cloud PC, enhancing security by regularly changing the password.
When you are done reviewing the management capabilities, click anywhere on the screen to complete this exercise and continue with the interactive demo.
The Cloud PC recommendations report in the Intune admin center is an AI-powered feature that provides Windows 365 administrators with tailored recommendations to optimize the use and performance of Windows 365 Cloud PCs. Leveraging an evolving machine learning model, Windows 365 analyzes factors such as end user Cloud PC usage patterns, platform-level resource utilization data, and user/application performance needs to provide actionable recommendations as to whether Cloud PCs are:
- Rightsized: Cloud PCs used frequently and sized appropriately for the workload that end users are putting on them.
- Undersized: Cloud PCs underpowered for the workload they’re supporting. Users might be having a poor experience. To improve results, IT can increase the device’s resources by resizing to a larger SKU.
- Oversized: Cloud PCs overpowered for the workload they’re supporting. For these devices, the same quality of experience can be delivered to users with fewer resources, enabling IT to reduce costs by resizing the devices to a smaller SKU.
- Underutilized: Cloud PCs used rarely or not at all. Any Cloud PC with less than 40 hours of active connected time over a 28-day period falls into this category. These Cloud PCs might not be needed—providing an opportunity to reduce or optimize costs by removing or re-allocating Cloud PC licenses.
These AI-powered recommendations help you optimize total cost of ownership (TCO) while providing a productive employee experience — enabling you to ensure you have the appropriate number and allocation of licenses and that Cloud PCs are right-sized for employee needs. As employee usage evolves and changes over time, you can continue to utilize this intelligent resource to help make informed decisions that enhance the overall Windows 365 experience and optimize costs.
Starting in the Microsoft Intune admin center, signed in as admin@contoso.com, select Reports in the left navigation.
On the Reports page, under Device management in the left navigation, select Cloud PC overview.
On the Cloud PC overview reports page, you have at a glance access to information about connection quality, Cloud PC utilization and availability, Frontline Cloud PC usage (if applicable to your organization), cross-region disaster recovery status, and the new AI-based Cloud PC recommendations.
Select Cloud PC recommendations to explore the recommendations in more detail.
On the Cloud PC recommendations page, you can see that, while many of Contoso’s Cloud PCs have been determined to be rightsized for employee usage, there are also many that are undersized, oversized, or underutilized. Cloud PCs in these categories present opportunities to optimize total cost of ownership and improve the employee experience by right-sizing Cloud PCs and appropriately allocating licenses.
Before drilling down into those reports, let’s review the other pivots available when reviewing the overall data set. Select Insights by device to see that view.
On the Insights by device tab, you will be presented with a list of all Cloud PCs in the report which you can quickly search or column sort to get a picture of overall usage, whether specific clusters of users or Cloud PC sizes are currently underutilized, over/undersized, etc.
When you are ready, select Insights by model to review that alternative view.
The Insights by model tab provides an easily digested consolidated view of how the Cloud PC recommendations land across the various Cloud PC sizes in your organization. For example, in this case, you can quickly see that there is a small cluster of users on 4vCPU/16GB/128GB who would benefit from a higher-powered Cloud PC.
Let’s return to the overview page to drill down further. Select the Overview tab.
On the Cloud PC recommendations page, under Underutilized, select View report.
On the Underutilized Cloud PCs report, you will see all of the Cloud PCs that have been determined to have low or no usage. These Cloud PCs are potential candidates for license removal or re-allocation to optimize your organization’s costs. In addition to allowing you to sort on properties like total time connected or the Cloud PC size, you can export a report from this page to facilitate follow-up (for example, focusing first on Cloud PCs with no utilization as candidates for license removal or re-allocation).
From this view, you can also drill into specific Cloud PCs to glean additional insight into metrics such as CPU utilization over the time period.
Select Cloud PC recommendations in the Home > Reports | Cloud PC overview > Cloud PC recommendations breadcrumb at the top of the page to return to the overview page.
Next, we’ll review the Undersized Cloud PC report—select View report under that heading.
On the Undersized Cloud PC page, you will find a list of Cloud PCs that have been determined to be underpowered for the workload they are currently supporting. In addition to providing insight into CPU and RAM utilization (enabling you to quickly sort to find the most resource-constrained Cloud PCs), you will find recommendations on Cloud PC sizes that would provide a better experience for affected users/devices, making it easier to follow up by increasing the device’s resources by resizing to a more powerful SKU.
Let’s continue and review the Oversized Cloud PC recommendations. Select Cloud PC recommendations in the Home > Reports | Cloud PC overview > Cloud PC recommendations breadcrumb at the top of the page to return to the overview page.
Select View report under Oversized to navigate to that report.
On the Oversized Cloud PC page, you will find the Cloud PCs that have been deemed to be overpowered for the workload they are currently supporting. For these users/devices, a high-quality experience can be provided with fewer resources. These devices are good candidates to resize to a smaller/less expensive SKU—reducing cost while preserving the user experience.
You have now completed this exercise. Click anywhere on the screen to continue with the interactive demo.
Supported by all Windows 11 devices (as well as Windows, macOS, iOS and iPadOS, Android, and web browsers), Windows App provides a direct path to your Cloud PC from the taskbar or start menu. Windows App enables employees to enjoy the full Windows 11 experience while moving between your local and Cloud PCs. With the app, you can use your Cloud PC as a window or full screen.
Windows App is designed with a customizable home screen to cater to your unique workflow needs. You can access Windows across multiple different services and remote PCs from a single place, and pin the favorites you access most. The app delivers high-performing and reliable experiences for Microsoft Teams and your other Microsoft 365 apps as well as other features to enhance your remote experience, such as:
- Multiple monitor support.
- Custom display resolutions.
- Dynamic display resolutions and scaling.
- Device redirection, such as webcams, audio, storage devices, and printers.
- Regular and automatic app updates mean you’re always using the most up-to-date version of Windows 365.
In addition to Windows 365 Cloud PC, Windows App securely connects you to Windows devices and apps on a device of your choice from:
- Azure Virtual Desktop
- Microsoft Dev Box
- Remote Desktop Services
- Remote PC
Windows App is available on Windows, macOS, iOS and iPadOS, Android, and web browsers.
Windows App can also be downloaded and installed from the Microsoft Store.
Starting in the Windows App on Adele’s Windows 11 PC, select Sign in.
Sign in as Adele Vance using passwordless authentication:
- Username: select Adele’s account (adelev@contoso.com) to continue.
- Approve sign in request: Click anywhere on the screen to simulate approving the request using the Authenticator app on Adele’s phone.
Review and click through the introductory content.
Adele currently has 2 Windows 365 Cloud PCs, as you can see from the indicators on the device tiles. You can also see that the right tile corresponds to their new GPU Enabled Cloud PC.
Select the ‘…’ (three dots) management menu for Adele's Cloud PC to review the available capabilities. The Windows 365 App supports a number of management actions for Cloud PCs.
- Favorite – Add this Cloud PC to the Favorites view in the Windows App.
- Restart - Restarts the Cloud PC.
- Reset - Reset does the following:
  - Reinstalls Windows.
  - Removes your personal files (OneDrive data remains).
  - Removes any changes you made to settings.
  - Removes your apps.
- Restore – Using Windows 365 Point-in-time restore, you can restore your Cloud PC to the exact state it was in at a previous point in time.
- Rename - Changes the name of the Cloud PC shown to the user in the Windows App and on windows365.microsoft.com.
- Inspect Connection – Makes it easy to review your Cloud PC's connectivity and get steps for resolving any issues discovered.
- Pin to – pin this Cloud PC to the Windows Taskbar for quick access.
- View details – Provides basic information about the Cloud PC, user and license assigned.
- Add to Task view – Add this Cloud PC to Windows Task view for quick context switching between the local desktop and Cloud PC.
- Settings – Configure display and view settings.
Adele wants to add their GPU-enabled Cloud PC to the Windows App Favorites screen.
Select Favorite from the menu.
Once the Cloud PC has been marked as a favorite, select Go to Favorites in the notification.
Select Connect to connect to Adele’s GPU Enabled Cloud PC.
Adele’s GPU-enabled Cloud PC is now open in full screen mode. GPU-enabled Windows 365 Cloud PCs offer significant advantages over standard Enterprise Cloud PCs by providing enhanced graphical and computational performance for workloads requiring:
- Graphics-Intensive Applications: GPU-enabled Cloud PCs are designed to handle graphics-intensive applications such as CAD (Computer-Aided Design), 3D modeling, video editing, and rendering software. This ensures smooth performance and quick rendering times, which are critical for professionals in creative and engineering fields.
- Improved Compute Power: The inclusion of GPUs significantly boosts the computational capabilities of Cloud PCs, making them suitable for data-intensive tasks, machine learning, and AI workloads. This can accelerate complex computations and improve efficiency for data scientists and researchers.
These capabilities benefit many disciplines, including:
- Creative Professionals: Graphic designers, video editors, and animators who rely on software such as Adobe Creative Cloud, Autodesk Maya, and Blender benefit from the enhanced graphical capabilities and performance.
- Engineers and Architects: Professionals using CAD software like AutoCAD, SolidWorks, and Revit can perform complex modeling and simulations more efficiently.
- Data Scientists and Researchers: Those working with large datasets, machine learning models, and AI can utilize the GPU power for faster data processing and model training.
- Financial Analysts: Users involved in financial modeling and quantitative analysis can leverage GPU resources to run complex simulations and calculations.
Adele uses Blender for their work – let’s review how the GPU-enabled Cloud PC handles a complex 3D particle simulation benchmark for Blender.
Click on Windows Start to open the start menu, then select Blender from the list of pinned applications.
Once Blender has loaded – select File > Open and select basic_particle_simulation.blend to open that Blender benchmark simulation.
When the simulation has loaded, click Play to view the simulation in action.
After the simulation has completed – close the Blender window.
You have now completed this exercise.
Click anywhere on the screen to continue with the interactive demo.
Congratulations on completing the Windows 365 Enterprise Cloud PC Provisioning and Monitoring interactive demo.
You can choose any exercise to review or select the Home button to return to the beginning of the Windows 365 Interactive Demo.
In an era where remote work and cloud computing have become integral to business operations, ensuring the resilience and availability of virtual desktop environments is more critical than ever. Windows 365 Enterprise offers both built-in and optional business continuity and disaster recovery functionality for organizations. Point-in-time restore capability is supported for all Windows 365 Enterprise Cloud PCs without an additional license and provides the administrator with the capability to restore a Cloud PC to the exact state it was in at an earlier point in time. For organizations that need some or all of their devices protected beyond the standard point-in-time restore capability, there are optional services, Windows 365 Cross-region Disaster Recovery and Windows 365 Disaster Recovery Plus, that offer a robust, cost-effective way to safeguard your Cloud PCs against regional outages and ensure uninterrupted access for end users.
Point-in-time restore for Windows 365 lets an administrator restore a Cloud PC to the exact state it was in at an earlier point in time. You can create new settings or edit existing ones to automatically create restore points at regular intervals for groups of Cloud PCs. You can also create on-demand restore points for specific times. Admins can also give users permission to restore their own Cloud PCs.
Windows 365 Cross-region Disaster Recovery creates geographically distant temporary copies of Cloud PCs that can be accessed in the selected backup region during a disaster recovery event. When activated, it moves users to a new Cloud PC in a temporary region until the recovery is complete.
Windows 365 Disaster Recovery Plus also replicates Cloud PC disk snapshots in an alternate region, though it goes a step further than Cross-region Disaster Recovery by pre-allocating a backup Cloud PC in the selected backup region, allowing for quicker recovery in the event of an outage.
Key benefits of implementing optional business continuity and disaster recovery for Windows 365 Cloud PCs include:
- Enhanced Business Continuity: Minimize downtime by enabling failover capabilities across different Azure regions during regional disruptions.
- Data Resiliency: Protect critical workloads by replicating Cloud PC environments across multiple geographic locations.
- Regulation and Compliance: Allows the designation of a backup Cloud PC to be in a recovery region that is a sufficient distance from the primary Cloud PC location, while adhering to data residency / compliance requirements.
- Optimized End-User Experience: Ensure seamless access and productivity for end users, even in the face of regional outages.
Select either point-in-time restore for Windows 365 or Windows 365 Disaster Recovery Plus to launch the interactive demo for that capability.
Windows 365 empowers organizations with a secure, scalable Cloud PC environment designed to enhance productivity and resilience. Among its powerful features is point-in-time restore, which provides the ability to quickly recover systems to a previous state, minimizing downtime and protecting against data loss. This capability ensures business continuity by offering a straightforward and reliable way to reverse unintended changes or recover from disruptive incidents.
This interactive demo will guide you through configuring and executing point-in-time restore through the Microsoft Intune admin center. With Windows 365, recovering from setbacks becomes a streamlined process, ensuring your organization remains agile and resilient in the face of change.
When you are ready to begin – select exercise 1.
Exercise 1:
Point-in-time restore can be configured as a new or existing user setting in Microsoft Intune. All users in groups assigned to the user setting will have permission to use the point-in-time restore feature. Additionally, you can configure point-in-time restore to let your enterprise users start a restore on their Cloud PC.
This exercise will begin in the Microsoft Intune admin center, logged in as admin@contoso.com.
In the left navigation of the Microsoft Intune admin center, select Devices.
On the Devices | Overview page, select Windows 365 in the left navigation.
On the Devices | Windows 365 page, select the User settings tab.
On the User settings tab, select Create.
On the Add user setting page, select the Name field to type, then type or copy/paste Cloud PC Point-in-time Restore and press Enter.
Contoso wants to give employees permission to restore their own Cloud PCs - select the checkbox to Allow user to initiate restore service.
Next you will choose an interval for how often restore points will be created. You can choose to set short-term restore points every 4, 6, 12, 16, or 24 hours. Each Cloud PC in the assigned group(s) has 10 short-term restore points saved at the intervals that you define in the user setting. For example, if you choose 4 hour intervals, each assigned Cloud PC has 10 restore points spread out every four hours over the last 40 hours. As a consequence, a shorter frequency results in a shorter overall history of restore points. Contoso has chosen 4 hours as the appropriate setting for their requirements.
Click to expand the Frequency of restore-point service menu and select 4 hours.
Review your settings and then select Next.
On the Assignments tab, select Add groups.
Select the Cloud PC Users – US West group and click Select.
Verify that Cloud PC Users – US West is now listed under Groups and select Next.
Review the settings and select Create.
You have successfully created and assigned a new user setting. Users in the group assigned to this user setting will now be able to use the point-in-time restore feature as specified.
Click anywhere on the screen to continue with the interactive demo and review how the administrator can initiate point-in-time recovery in Microsoft Intune.
Congratulations on completing exercise 1.
Select exercise 2 to continue.
You can use the Microsoft Intune admin center to restore a Cloud PC to a previous state.
Starting in the Microsoft Intune admin center, logged in as admin@contoso.com, select Devices in the left navigation.
On the Devices | Overview page, select Windows 365.
On the Devices | Windows 365 page, select the All Cloud PCs tab.
Select Adele’s Cloud PC (CPC-adele-BL4XG) at the top of the list.
The Cloud PC management page within the Microsoft Intune admin center provides IT administrators with a centralized interface to oversee and manage all deployed Cloud PCs. This page offers a comprehensive view of each Cloud PC’s status, configuration, health, and activity. From here, administrators can initiate actions such as resizing, restarting, troubleshooting, and, crucially, restoring Cloud PCs to previous states.
Select Restore to proceed with initiating point-in-time restore for Adele’s Cloud PC.
Select the most recent restore point (4/7/2025, 10:10:19AM) and then click Select.
Note: because Contoso has configured a 4 hour frequency for point-in-time restore, there will be 10 short-term restore points available for Adele’s Cloud PC. In addition to the configurable short-term restore points, there are also four long-term restore points that aren't configurable. These long-term restore points are saved every seven days.
Review the text of the Restore this Cloud PC to the selected point dialog and click Restore.
Recall that all changes made to the Cloud PC between the saved restore point and when the restore is started will be lost. This lost information includes all data, documents, installed applications, configurations, downloads, and other changes stored locally on the Cloud PC. External data stored in cloud services, like OneDrive, won't be lost.
You have successfully initiated point-in-time restore for Adele’s Cloud PC. The Cloud PC will now show as restoring in Microsoft Intune (for administrators), as well as windows365.microsoft.com and the Windows App (for Adele) until it’s complete.
Click anywhere on the screen to complete the point-in-time restore for Windows 365 interactive demo.
Congratulations on completing exercise 2.
Select exercise 3 to continue.
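The restore-point frequency chosen in exercise 1 and the data-loss note in exercise 2 interact: a shorter interval gives finer-grained restore points but a shorter look-back window, which matters when an unwanted change is noticed late. The following sketch is an added example, not part of the original demo or any Microsoft tooling. It models the 10 short-term and 4 weekly long-term restore points described above and reports, for each frequency, the newest restore point taken before the unwanted change and how many hours of local changes a restore would discard. The function names, the even spacing of points counted back from "now", and the sample timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Values stated in the walkthrough above.
SHORT_TERM_FREQUENCIES_H = (4, 6, 12, 16, 24)
SHORT_TERM_POINTS = 10
LONG_TERM_POINTS = 4
LONG_TERM_INTERVAL = timedelta(days=7)


def restore_points(now, freq_hours):
    """Return (kind, taken_at) tuples, newest first.

    Assumption: points are evenly spaced counting back from `now`,
    matching the page's "10 points over the last 40 hours" example.
    """
    if freq_hours not in SHORT_TERM_FREQUENCIES_H:
        raise ValueError(f"unsupported frequency: {freq_hours} hours")
    step = timedelta(hours=freq_hours)
    points = [("short-term", now - step * k)
              for k in range(1, SHORT_TERM_POINTS + 1)]
    points += [("long-term", now - LONG_TERM_INTERVAL * k)
               for k in range(1, LONG_TERM_POINTS + 1)]
    return sorted(points, key=lambda p: p[1], reverse=True)


def newest_clean_point(now, bad_change_at, freq_hours):
    """Newest restore point taken strictly before the unwanted change.

    hours_lost is the span between that point and the restore itself;
    per the page, every local change made in that span is discarded.
    Returns None when no retained point predates the change.
    """
    for kind, taken_at in restore_points(now, freq_hours):
        if taken_at < bad_change_at:
            return {
                "kind": kind,
                "taken_at": taken_at,
                "hours_lost": (now - taken_at) / timedelta(hours=1),
            }
    return None


def compare_frequencies(now, bad_change_at):
    """Run newest_clean_point for every selectable frequency."""
    return {f: newest_clean_point(now, bad_change_at, f)
            for f in SHORT_TERM_FREQUENCIES_H}


if __name__ == "__main__":
    now = datetime(2025, 4, 8, 12, 0)  # constructed sample time
    # Constructed scenarios: change noticed 30 h, 50 h and 30 days later.
    for label, age in (("30 h ago", timedelta(hours=30)),
                       ("50 h ago", timedelta(hours=50)),
                       ("30 days ago", timedelta(days=30))):
        print(f"Unwanted change {label}:")
        for freq, hit in compare_frequencies(now, now - age).items():
            if hit is None:
                print(f"  every {freq:>2} h: no clean restore point retained")
            else:
                print(f"  every {freq:>2} h: {hit['kind']} point, "
                      f"{hit['hours_lost']:.0f} h of local changes lost")
```

With the 4-hour setting, a change noticed 50 hours later already falls outside the 40-hour short-term window, so the newest clean point is the weekly one taken 168 hours earlier.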
Supported by all Windows 11 devices (as well as Windows, macOS, iOS and iPadOS, Android, and web browsers), Windows App provides a direct path to your Cloud PC from the taskbar or start menu. Windows App enables employees to enjoy the full Windows 11 experience while moving between your local and Cloud PCs. With the app, you can use your Cloud PC as a window or full screen. The app delivers high-performing and reliable experiences for Microsoft Teams and your other Microsoft 365 apps as well.
In addition to Windows 365 Cloud PCs, Windows App securely connects you to Windows devices and apps on a device of your choice from:
- Azure Virtual Desktop
- Microsoft Dev Box
- Remote Desktop Services
- Remote PC
In this exercise, you will review the employee experience when using Windows App to restore their Cloud PC to a previous restore point. Recall that when creating and assigning the user setting to enable point-in-time restore, you also selected the checkbox to Allow user to initiate restore service. As a consequence, users will be able to initiate point-in-time restore directly within their Windows App and windows365.microsoft.com experience.
Starting in the Windows App on Adele’s Windows 11 PC, select Sign in.
Sign in as Adele Vance using passwordless authentication:
- Username: select Adele’s account (adelev@contoso.com) to continue.
- Approve sign in request: Click anywhere on the screen to simulate approving the request using the Authenticator app on Adele’s phone.
Adele currently has 1 Windows 365 Cloud PC as you can see from the indicator on the device tile. You can also see that the tile corresponds to their new GPU Enabled Cloud PC. Select the ‘…’ (three dots) management menu for Adele’s GPU Enabled Cloud PC to review the available capabilities.
Windows App supports a number of management actions for Cloud PCs.
- Favorite – Add this Cloud PC to the Favorites view in the Windows App.
- Restart - Restarts the Cloud PC.
- Restore – Using Windows 365 Point-in-time restore, you can restore your Cloud PC to the exact state it was in at a previous point in time.
- Rename - Changes the name of the Cloud PC shown to the user in the Windows App and on windows365.microsoft.com.
- Inspect Connection – Makes it easy to review your Cloud PCs connectivity and get steps for resolving any issues discovered.
- Pin to – pin this Cloud PC to the Windows Taskbar for quick access.
- View details – Provides basic information about the Cloud PC, user and license assigned.
- Add to Task view – Add this Cloud PC to Windows Task view for quick context switching between the local desktop and Cloud PC.
- Settings – Configure display and view settings.
Adele is having issues with their Cloud PC after a recent app install and wants to restore the Cloud PC to a previous healthy state. Select
Review the dialog text explaining the implications of restoring your Cloud PC, then select the checkbox indicating Yes, I want to restore this Cloud PC.
Select the restore point (4/8/2025, 10:10:06AM) and then click Restore.
Note: because Contoso has configured a 4 hour frequency for point-in-time restore, there will be 10 short-term restore points available for Adele’s Cloud PC. In addition to the configurable short-term restore points, there are also four long-term restore points that aren't configurable. These long-term restore points are saved every seven days.
Adele’s Cloud PC is now being restored. In a short period of time it will be ready for her to connect.
You have completed this exercise – click anywhere on the screen to continue.
Congratulations on completing exercise 3.
You can select any exercise to review or select Home on the toolbar to return to the beginning of the interactive demo.
Windows 365 Disaster Recovery Plus will be generally available in spring 2025. It is currently available in preview as a licensed add-on for Windows 365 Enterprise edition only. Windows 365 Disaster Recovery Plus is specifically designed for users whose Cloud PC use demands high disaster recovery performance in case of an outage. These needs include faster recovery time, lower risk of data loss, and pre-allocated capacity that helps ensure recovery in case of an infrastructure outage.
As with Windows 365 Cross-region Disaster Recovery, Windows 365 Disaster Recovery Plus replicates Cloud PC disk snapshots in an alternate region. When it’s activated, users will be pointed to a temporary Cloud PC. During an outage, the user will have access to their temporary Cloud PC with all installed applications and settings based on the latest restore point. However, it’s important to note that no work is saved. Any work done should be saved to another option in the Microsoft Cloud, such as Microsoft OneDrive or Microsoft SharePoint. After the temporary Cloud PC is deactivated, no applications, data, or other information will be preserved from the temporary Cloud PC, and the user will be returned to their primary Cloud PC as it was prior to the disaster recovery event.
This demo will guide you through the steps to configure, validate, and test optional business continuity and disaster recovery for Windows 365 Cloud PCs using Windows 365 Disaster Recovery Plus, enhancing your organization's business continuity strategy.
When you are ready, select an exercise to continue.
In this demo, we assume that Contoso has already purchased and assigned the appropriate Windows 365 Enterprise licenses, as well as the appropriate add-on licenses for Windows 365 Disaster Recovery Plus. With the appropriate licenses assigned, configuration of Windows 365 Disaster Recovery Plus is intuitive and can be completed in a small number of steps using the Microsoft Intune admin center.
Starting in the Microsoft Intune admin center, logged in as admin@contoso.com, select Devices in the left navigation.
On the Devices | Overview page, under Device onboarding in the navigation, select Windows 365.
On the Devices | Windows 365 page, select the User settings tab.
On the User settings tab, select +Add.
On the Add user setting page, select the Name field to type, then type or copy/paste Disaster Recovery Plus - West US and press Enter.
Select the check box to Enable users to reset their Cloud PCs.
Set the values under Point-in-time restore service per Contoso’s requirements. These values also apply to cross region disaster recovery:
- Select the check box to Allow users to initiate restore service.
- Click to expand the dropdown menu and select 4 hours as the Frequency of restore point service.
Click to expand Optional Business Continuity and Disaster Recovery Settings.
Next to Enable Additional DR For This User Setting – click to expand the dropdown menu and select Disaster Recovery Plus (Preview).
Note that for any particular user setting, you can specify Disaster Recovery Plus, Cross-Region Disaster Recovery, or choose to stick with the built-in point-in-time restore service. By specifying different user settings and assigning to distinct devices/groups, you can create the optimal configuration for your organization’s needs.
Contoso’s Cloud PCs run on Microsoft’s hosted network, so leave the Network type as is. With Windows 365 Cross-region Disaster Recovery and Windows 365 Disaster Recovery Plus, full copies of your Cloud PCs disks are kept in the backup location, including all data stored on the Cloud PC disk. When configuring a backup location, it is important to consider things like data sovereignty and geographic distance between the user and the Cloud PC backup location. In this case, you are configuring Windows 365 Disaster Recovery Plus for Contoso’s Western US region and want to ensure sufficient distance between locations to provide resilience without introducing too much latency (greater distance between your backup Cloud PC and your user’s connect location increases network latency and impacts performance).
Click to expand the Geography menu and select US East.
Leave the region set to Automatic (default) and select the check box to Allow user to initiate disaster recovery and then select Next.
On the Assignments page, you can add the groups to which you want this user setting applied. All Cloud PCs associated with a user share the same cross region disaster recovery settings.
Select Add groups.
On the Select groups to include panel, choose Cloud PC Users - US West (note: Adele Vance and Bianca Pisoni are members of this group) and then click Select.
Verify Cloud PC Users – US West is now listed under Groups and select Next.
Review your settings and then select Create.
You have now successfully configured Windows 365 Disaster Recovery Plus for members of the Cloud PC Users – US West group. To see the current state of Cloud PC and health, licensing, and disaster recovery readiness, you can check the Cloud PC optional business continuity and disaster recovery status report in Microsoft Intune.
Click anywhere on the screen to learn how to access that report.
Congratulations on completing exercise 1.
Select exercise 2 to continue.
The ‘Cloud PC optional business continuity and disaster recovery status’ report shows you pertinent information about the health and readiness of your Cloud PCs. In this exercise we will first assess health, licensing and disaster recovery readiness of Contoso’s Cloud PCs – then proceed to activate Windows 365 Disaster Recovery Plus.
Starting on the home page of the Microsoft Intune admin center, select Reports in the left navigation.
On the Reports page, select Cloud PC Overview in the left navigation.
On the Reports | Cloud PC Overview page, select Cloud PC optional business continuity and disaster recovery status.
The Cloud PC optional business continuity and disaster recovery status report will show you pertinent information for the Cloud PCs in your organization, including:
- Configuration alert - indicating whether the Cloud PC is in a healthy or unhealthy state.
- License type – indicates whether this Cloud PC is licensed for Disaster Recovery Plus (DR Plus), Cross Region Disaster Recovery (Cross region), or the built-in point-in-time restore service (None).
- Disaster recovery status: Active outage, Activation expiring, or Not active.
- Current restore point: indicates the date/time corresponding to the backup copy stored in the recovery location.
- Backup CPC status: if the user is licensed for DR Plus, this field indicates if the allocated backup Cloud PC is ready for failover in the event of an outage. If the user is licensed for Cross-region Disaster Recovery (Cross region), this field will not be populated unless an active outage is underway and recovery has been initiated.
The Cloud PCs are appropriately licensed and enabled for disaster recovery plus and cross-region disaster recovery, and the backup copies are active – you are now ready to test disaster recovery plus.
Select Devices in the left navigation to continue.
Using bulk actions in Microsoft Intune, you can activate/deactivate disaster recovery plus (or cross-region disaster recovery) for individual devices or devices for all users in a group.
Activating Windows 365 Disaster Recovery Plus will move users to a pre-allocated backup Cloud PC in a temporary region (previously configured to be US East for Contoso’s US West Cloud PC users). Users can’t access their Cloud PCs until the move is complete.
During the outage, the user will have access to their temporary Cloud PC with all installed applications and settings based on the latest restore point. However, it is important to know that no work will be saved. Any work done should be saved to another option in the Microsoft Cloud, such as Microsoft OneDrive or Microsoft SharePoint. After the temporary Cloud PC is deactivated, no applications, data, or other information will be preserved from the temporary Cloud PC, and the user will be returned to their primary Cloud PC as it was prior to the disaster recovery event.
On the Devices | Overview page, select All devices in the left navigation.
On the Devices | All devices page, select Bulk device actions.
On the basics tab, click to expand the OS menu and then select Windows.
Click to expand the Device type menu and select Cloud PCs.
Expand the Device action menu and select Optional disaster recovery.
Expand the Optional disaster recovery menu and select Activate disaster recovery plus.
Note that you use this same model to activate or deactivate both Windows 365 Disaster Recovery Plus and Windows 365 Cross-region Disaster Recovery.
Verify your configuration and select Next.
On the devices tab, you will select the devices to which this action applies.
Click to expand the Selection type menu and then choose Apply this action to devices registered to its group members.
Under No group selected, click Select a group.
On the Select groups to include panel, choose the Cloud PC Users - US West group and then click Select.
Confirm that you now see 2 Cloud PCs (1 assigned to Adele and 1 assigned to Bianca) – then select Next.
Select Create to initiate the bulk action.
Once this action is executed, Contoso’s ‘Cloud PC Users - US West’ users will be temporarily moved to their backup Cloud PCs in US East. When you deactivate Windows 365 Disaster Recovery Plus (using the same bulk action approach) or the activation expires, users will be transitioned back to their primary Cloud PC in US West.
Click anywhere on the screen to continue and briefly review the employee experience when using their temporary Cloud PC.
Congratulations on completing exercise 2.
Select exercise 3 to continue.
In the previous exercise, you activated Windows 365 Disaster Recovery Plus for members of the ‘Cloud PC Users – US West’ group: Adele Vance and Bianca Pisoni. In this exercise, you will briefly review how to verify the current state of their Cloud PCs using the Cloud PC optional business continuity and disaster recovery report.
Starting on the home page of the Microsoft Intune admin center, select Reports in the left navigation.
On the Reports page, select Cloud PC Overview in the left navigation.
On the Reports | Cloud PC Overview page, select Cloud PC optional business continuity and disaster recovery status.
Note that Adele and Bianca's Cloud PCs are now in the Active Outage stage, reflecting that Disaster Recovery Plus has been successfully activated and failover to the Backup Cloud PC has taken place.
You have now successfully configured, validated, and tested (by activating through bulk actions) Windows 365 Disaster Recovery Plus.
Click anywhere on the screen to complete this exercise.
Congratulations on completing the interactive demo.
You can select any exercise to review, or select the Home button on the toolbar to return to the beginning of the Windows 365 Enterprise interactive demo.
This section of the interactive demo explores the step-by-step configuration of several key security features in Windows 365 Enterprise, enabling organizations to strengthen access control, safeguard sensitive data, and support compliance initiatives.
We focus on three high value scenarios:
- Configuring Microsoft Entra Single Sign-On (SSO) to streamline authentication across Cloud PCs and Microsoft 365 services, reducing password fatigue while improving identity security.
- Applying Microsoft Intune application management policies to the Windows App—including controls over USB peripheral access, keyboard input, and clipboard behavior—to enforce data protection across unmanaged devices.
- Placing a Cloud PC under review, leveraging Microsoft’s built-in legal hold capability to capture a point-in-time snapshot of a Cloud PC for investigation or compliance purposes.
Select an option at left to continue.
Microsoft Entra ID single sign-on (SSO) integration with Windows 365 simplifies identity management and enhances the user experience by providing seamless, secure access to Cloud PCs and integrated applications. This interactive demo walks through clear, step-by-step instructions for configuring Microsoft Entra ID SSO, empowering IT administrators to streamline user authentication and bolster organizational security.
Leveraging SSO with Windows 365 ensures users can securely authenticate once and effortlessly access their applications and resources, significantly reducing password fatigue and improving productivity. From an administrative perspective, integrating SSO centralizes identity management, strengthens security posture through conditional access policies, and significantly decreases IT overhead associated with managing multiple sets of credentials. By following the steps in this interactive demo, organizations can quickly realize these benefits, delivering both operational efficiency for IT teams and an intuitive, frictionless experience for end users.
Note: To configure your Microsoft Entra tenant, you must be assigned one of the following Microsoft Entra built-in roles or equivalent:
- Application Administrator
- Cloud Application Administrator
When you are ready – select an exercise to continue.
Prior to enabling Microsoft Entra ID SSO for Windows 365 or Azure Virtual Desktop, you must first allow Microsoft Entra authentication for Windows in your Microsoft Entra tenant. Doing so enables the issuance of RDP access tokens allowing users to sign in to your Windows 365 Cloud PC or Azure Virtual Desktop session hosts. In this exercise, you will use the Azure Cloud Shell to enable the required properties.
Starting in the Azure Portal, logged in as admin@contoso.com, select the Azure Cloud Shell icon (next to the notification in the portal header).
After connecting and authenticating – click to maximize the Azure Cloud Shell window.
We’ll begin by ensuring the Azure context is set to the subscription we want to use – in this case ‘Contoso Azure Subscription.’
Click anywhere on the screen to simulate typing the cmdlet:
Set-AzContext -Subscription "Contoso Azure Subscription"
Next, import the Authentication and Applications Microsoft Graph modules and connect to Microsoft Graph with the Application.Read.All and Application-RemoteDesktopConfig.ReadWrite.All scopes (in this demo you have previously installed the Microsoft Graph PowerShell SDK). Click anywhere on the screen to simulate running the following commands:
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"
You will need to consent on behalf of Contoso for the requested scopes.
Click anywhere on the screen to switch to https://microsoft.com/devicelogin in Microsoft Edge.
Select the Code field to type, then type or copy/paste FBSTVCXYR and press Enter or click Next.
Choose the admin@contoso.com account to sign in.
Review the permissions requested, then select the checkbox to Consent on behalf of your organization and select Accept.
After successfully signing in and consenting – click anywhere on the screen to close Microsoft Edge and return to the Azure Cloud Shell.
We need to set the isRemoteDesktopProtocolEnabled property to true on the service principal's remoteDesktopSecurityConfiguration object for the following Microsoft Entra applications:
- Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)
- Windows Cloud Login (270efc09-cd0d-444b-a71f-39af4910ec45)
To do so, we’ll get the object ID for each service principal and store them in variables. First, get the object for Microsoft Remote Desktop by clicking anywhere to run the following command:
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
Then get the object ID for Windows Cloud Login by clicking anywhere to run the following command:
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id
Now, set the property isRemoteDesktopProtocolEnabled to true for Microsoft Remote Desktop by clicking anywhere to run the following command. Note: there's no output from these commands.
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId).IsRemoteDesktopProtocolEnabled -ne $true) { Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled }
Then do the same for Windows Cloud Login by clicking anywhere to run the following command:
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId).IsRemoteDesktopProtocolEnabled -ne $true) { Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled }
Verify that the commands ran successfully for Microsoft Remote Desktop by clicking anywhere on the screen to simulate typing:
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
And verify that the output confirms IsRemoteDesktopProtocolEnabled was set to True.
Verify that the commands ran successfully for Windows Cloud Login by clicking anywhere on the screen to simulate typing:
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId
And verify that the output confirms IsRemoteDesktopProtocolEnabled was set to True.
You have successfully enabled Microsoft Entra authentication for Remote Desktop Protocol – click anywhere on this screen to complete this exercise.
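The enable-and-verify steps of this exercise as one idempotent script, added here as an example and not part of the demo. It assumes the Connect-MgGraph session from the earlier step; the helper name Get-RdpSsoState and the report columns are illustrative.

```powershell
# Added example (not part of the demo). Assumes the Graph session opened earlier:
#   Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

# Application IDs exactly as listed in this exercise.
$apps = [ordered]@{
    'Microsoft Remote Desktop' = 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'
    'Windows Cloud Login'      = '270efc09-cd0d-444b-a71f-39af4910ec45'
}

# Hypothetical helper: returns $true only when the property is explicitly true.
# A missing configuration object or a failed lookup counts as "not enabled".
function Get-RdpSsoState {
    param([Parameter(Mandatory)][string]$ServicePrincipalId)
    $cfg = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration `
        -ServicePrincipalId $ServicePrincipalId -ErrorAction SilentlyContinue
    return [bool]($cfg -and $cfg.IsRemoteDesktopProtocolEnabled -eq $true)
}

$report = foreach ($name in $apps.Keys) {
    $appId = $apps[$name]
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$appId'"

    if (-not $sp) {
        # Service principal is absent from the tenant: record it and move on.
        [pscustomobject]@{ App = $name; AppId = $appId; Before = $null; After = $null }
        continue
    }

    $before = Get-RdpSsoState -ServicePrincipalId $sp.Id
    if (-not $before) {
        # Only write when the property is not already set.
        Update-MgServicePrincipalRemoteDesktopSecurityConfiguration `
            -ServicePrincipalId $sp.Id -IsRemoteDesktopProtocolEnabled | Out-Null
    }

    [pscustomobject]@{
        App    = $name
        AppId  = $appId
        Before = $before
        After  = (Get-RdpSsoState -ServicePrincipalId $sp.Id)   # re-read to verify
    }
}

$report | Format-Table -AutoSize

# Fail loudly if either application still lacks the setting.
$notEnabled = @($report | Where-Object { $_.After -ne $true })
if ($notEnabled.Count -gt 0) {
    throw "RDP SSO is not enabled for: $($notEnabled.App -join ', ')"
}
```

The Before column shows whether a run changed anything, which makes the script safe to re-run as a drift check.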
Congratulations on completing exercise 1.
Select exercise 2 to continue.
When single sign-on is enabled, a new Microsoft Entra ID app is introduced to authenticate users to the session host. If you have conditional access policies that apply when accessing Windows 365 or Azure Virtual Desktop, review the recommendations on setting up multifactor authentication to ensure users have the desired experience. In Contoso’s case – you will be creating a new conditional access policy to require Multi-factor Authentication.
Beginning in the Microsoft Intune Admin Center, signed in as admin@contoso.com, select Endpoint security in the left navigation.
On the Endpoint security | Overview page, select Conditional access in the page navigation.
On the Conditional access | Overview page, select Create new policy.
Select the Name field to type, and then type or copy/paste Cloud PC Auth Policy and press Enter.
Under Users, select 0 users and groups selected.
Choose Select users and groups and then select Users and groups.
On the Select users and groups panel, click in the Search field to type and then type or copy/paste West US and press Enter.
Choose the Cloud PC Users – US West group and click Select.
Under Target resources, choose No target resources selected.
Under Include, choose Select resources and then under Select click None.
On the Select resources panel, click in the Search field to type. Type or copy/paste Windows 365 and press Enter – then select Windows 365 from the search results.
Next, click in the Search field to type again. Type or copy/paste Azure Virtual Desktop and press Enter – then select Azure Virtual Desktop from the search results.
Click in the Search field to type once again. Type or copy/paste Microsoft Remote Desktop and press Enter – then select Microsoft Remote Desktop from the search results.
Click in the Search field to type one final time. Type or copy/paste Windows Cloud Login and press Enter – then select Windows Cloud Login from the search results.
Verify that the apps are all listed under selected items and click Select.
Under Access controls > Grant, select 0 controls selected.
On the Grant panel, under Grant access, select Require Authentication Strength.
Verify that Multifactor authentication is specified as the required authentication strength and click Select.
Under Session, click 0 controls selected.
On the Session panel, select Sign in frequency.
Leave the default selection of periodic reauthentication, and select the field to type. Then type or copy/paste 7 and press Enter.
Click to expand the Select units menu and choose Days.
Verify that Periodic reauthentication is now set to 7 days and click Select.
Verify your policy settings and click Create.
You have successfully created and assigned a new conditional access policy requiring MFA for Windows 365 and Azure Virtual Desktop devices.
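A read-only check of the policy built in this exercise, added here as an example and not part of the demo: it confirms that all four resources are in scope and that the MFA and sign-in frequency settings match what was configured. It assumes a session from Connect-MgGraph with the Policy.Read.All and Application.Read.All scopes; the variable names and report shape are illustrative, and the two app IDs not listed in the demo are looked up by display name.

```powershell
# Added example (not part of the demo). Read-only: changes nothing in the tenant.
# Assumes: Connect-MgGraph -Scopes "Policy.Read.All","Application.Read.All"
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

$policyName = 'Cloud PC Auth Policy'   # name used in this exercise

# Two app IDs are listed in the demo; the other two resources are resolved
# by the display names the demo searches for.
$targets = [ordered]@{
    'Microsoft Remote Desktop' = @('a4a365df-50f1-4397-bc59-1a1564b8bb9c')
    'Windows Cloud Login'      = @('270efc09-cd0d-444b-a71f-39af4910ec45')
}
foreach ($name in 'Windows 365', 'Azure Virtual Desktop') {
    $targets[$name] = @(Get-MgServicePrincipal -Filter "displayName eq '$name'" |
        ForEach-Object { $_.AppId })
}

$policy = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName } |
    Select-Object -First 1
if (-not $policy) { throw "Conditional access policy '$policyName' not found." }

$include = @($policy.Conditions.Applications.IncludeApplications)
$exclude = @($policy.Conditions.Applications.ExcludeApplications)

# A resource is covered when it is included (directly or via 'All') and not excluded.
$coverage = foreach ($name in $targets.Keys) {
    $ids      = @($targets[$name])
    $included = ($include -contains 'All') -or
                [bool]($ids | Where-Object { $include -contains $_ })
    $excluded = [bool]($ids | Where-Object { $exclude -contains $_ })
    [pscustomobject]@{
        Resource = $name
        Resolved = ($ids.Count -gt 0)
        Covered  = ($included -and -not $excluded)
    }
}

# ID of the built-in "Multifactor authentication" authentication strength.
$mfaStrengthId = '00000000-0000-0000-0000-000000000002'
$grant = $policy.GrantControls
$requiresMfa = ($grant.AuthenticationStrength.Id -eq $mfaStrengthId) -or
               ($grant.BuiltInControls -contains 'mfa')

# The exercise sets periodic reauthentication to 7 days.
$sif = $policy.SessionControls.SignInFrequency
$frequencyOk = [bool]($sif.IsEnabled -and $sif.Value -eq 7 -and "$($sif.Type)" -eq 'days')

$coverage | Format-Table -AutoSize
[pscustomobject]@{
    Policy          = $policy.DisplayName
    State           = "$($policy.State)"   # enabled, disabled, or report-only
    RequiresMfa     = $requiresMfa
    SignInEvery7Day = $frequencyOk
} | Format-List

$gaps = @($coverage | Where-Object { -not $_.Covered })
if ($gaps.Count -gt 0) {
    Write-Warning "Not covered by '$policyName': $($gaps.Resource -join ', ')"
}
```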
Click anywhere on the screen to complete this exercise.
Congratulations on completing exercise 2.
Select exercise 3 to continue.
For Windows 365 Cloud PCs, SSO can be enabled on any provisioning policies. You can find the Use Microsoft Entra single sign-on option under the Join type on the General page. This can be done when creating a new provisioning policy or when editing an existing provisioning policy, with an option to apply SSO to existing Cloud PCs.
In this scenario, you will be updating an existing Cloud PC provisioning policy and applying the change immediately to applicable Cloud PCs.
Starting in the Microsoft Intune admin center, logged in as admin@contoso.com, select Devices in the left navigation.
On the Devices | Overview page, under Device onboarding, select Windows 365.
Select the Provisioning policies tab on the Devices | Windows 365 page.
Select the Contoso West US Branch provisioning policy.
Next to General, select Edit.
Select Use Microsoft Entra single sign-on and then click Next.
Review the settings and click Update.
After updating the provisioning policy, select Apply this configuration to apply the changes to existing Cloud PCs.
Review the dialog text, then select Microsoft Entra single sign-on for all devices and click Apply.
Note: When you apply single sign-on, Cloud PCs deployed before April 2023 are shut down during the application process. As this operation takes time, applying SSO to a large number of Cloud PCs can restart the VMs over a long period of time and won't complete immediately.
You have successfully updated and applied the provisioning policy for Cloud PCs in Contoso’s West US location. Those Cloud PCs are now being updated to enable Microsoft Entra SSO. Click anywhere on the screen to complete this exercise.
Congratulations on completing exercise 3.
Select exercise 4 to continue.
With Microsoft Entra SSO now enabled (and multi-factor auth required) for Cloud PCs - let’s take a look at the employee experience. In this case, we will be reviewing Adele Vance’s (a Contoso employee) experience when accessing their Windows 365 Cloud PC via Windows App on their Windows 11 Laptop.
Supported by all Windows 11 devices (as well as Windows, macOS, iOS and iPadOS, and web browsers), Windows App provides a direct path to your Cloud PC from the taskbar or start menu. Windows App enables employees to enjoy the full Windows 11 experience while moving between your local and Cloud PCs. With the app, you can use your Cloud PC as a window or full screen.
Microsoft Entra SSO has a number of benefits for employees, including:
- Seamless User Experience
- Users log in once and gain immediate access to their Cloud PC and all integrated apps without multiple authentications.
- Reduces friction and frustration due to fewer prompts for credentials.
- Increased Productivity
- Immediate access to productivity apps and resources streamlines workflow.
- Users spend less time managing passwords or performing repetitive sign-ins.
- Simplified Credential Management
- Users need to remember fewer credentials, significantly reducing password fatigue.
- Decreased likelihood of password-related issues like lockouts and resets.
- Consistent Experience Across Devices
- Provides a unified sign-in experience across multiple devices, whether accessing their Cloud PC via desktop, mobile, or web.
This demo starts after Adele launches the Windows App on their Windows 11 laptop.
On the Welcome to Windows App screen, select Sign in.
Sign in using Adele Vance’s credentials:
- Username: select the field to type and then type or copy/paste adelev@contoso.com and press Enter or click Next.
- Password: select the field to type and then type or copy/paste password and press Enter or click Sign in.
Click anywhere on the screen to simulate using the Microsoft Authenticator app to approve the authentication request.
Adele has now successfully authenticated using MFA and is ready to connect to their Cloud PC.
Select Connect on the device tile for their Cloud PC.
Adele is now connected to their Cloud PC in full screen mode. Because Microsoft Entra SSO is enabled, they will have immediate access to their Cloud PC and all integrated apps without multiple authentications. As an example, let’s take a common task like checking email using Outlook on the web.
Select the Microsoft Edge icon in the Windows Taskbar to launch Edge.
Select the address bar to type, and then type or copy/paste https://outlook.office365.com and press Enter.
Outlook on the web is now open and Adele has been automatically signed in using Microsoft Entra SSO. Adele’s experience will be similarly seamless with other Microsoft 365 web and native applications.
Click anywhere on the screen to complete this exercise.
Congratulations on completing the interactive demo.
You can select any exercise to review, or select the Home button on the toolbar to return to the beginning of the Windows 365 Enterprise interactive demo.
Select Start to continue.
Microsoft recently announced that Windows App - your secure gateway to Windows environments across Windows 365, Azure Virtual Desktop, Microsoft Dev Box, and more - is now supported by Microsoft Intune Mobile Application Management (MAM) on both iOS and Android devices.
Microsoft Intune MAM enables administrators to manage and protect corporate data at the application level on both managed and unmanaged devices. This means you can secure your organization's data within applications without requiring full device enrollment, making it ideal for Bring Your Own Device (BYOD) scenarios.
With this announcement, Windows App joins a comprehensive ecosystem of applications supported by Intune MAM. For a more complete picture, you can refer to the official list of Microsoft Intune protected apps.
In this interactive demo – you will learn how to configure Intune MAM for Windows App on unmanaged iOS and iPadOS devices at Contoso.
When you are ready, select an exercise to continue.
As a first step, you will define a filter for unmanaged iOS/iPadOS devices. Intune allows you to define filters for devices enrolled in Intune (managed devices) or apps managed by Intune (managed apps). Filters enable you to assign a policy based on rules you create – narrowing the assignment based on criteria such as manufacturer, OS version, whether the device is personal or organization-owned, etc.
Starting in Microsoft Intune admin center, logged in as admin@contoso.com, select Devices in the left navigation.
Click to scroll down in the left navigation of the Devices | Overview page and select Filters.
On the Devices | Filters page, click Create then select Managed apps.
On the Create Filter page, click in the Filter Name field to type, then type or copy/paste Unmanaged iOS devices and press Enter.
Click to expand the Platform menu and select iOS/iPadOS - then click Next.
Use the rule builder to define a rule for unmanaged devices:
- Click to expand the Property menu and select deviceManagementType.
- Expand the Operator menu and select Equals.
- Expand the Value menu and select Unmanaged.
- Click in the Rule syntax field to generate the expression and then click Next.
Review the settings and then select Create.
You have successfully created a filter for unmanaged iOS and iPadOS devices and are ready to define an App Protection Policy for Windows App on these devices – select Apps in the left navigation of the Intune admin center to continue.
Select an exercise to continue.
Intune app protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. These policies allow you to control how data is accessed and shared by apps on mobile devices. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.
On the Apps | Overview page navigation, under Policy, select App protection policies.
On the Apps | App protection policies page, click Create policy and then choose iOS/iPadOS.
On the Create Policy page, select the Name field to type and then type or copy/paste Unmanaged iOS / iPadOS App Protection Policy and press Enter.
Select the Description field to type and then type or copy/paste Requirements for unmanaged devices to access corporate resources and then press Enter.
Click Next to continue.
Select the app to target with this policy – click + Select public apps.
On the Select apps to target panel, click in the Search field to type, then type or copy/paste Windows and press Enter.
Choose Windows App and then click Select.
Verify that Windows App is now listed under Public apps and click Next.
This page provides settings for data loss prevention (DLP) controls, including cut/copy/paste, and save-as restrictions. These settings determine how users interact with data in the apps that this app protection policy applies to. Click anywhere on the screen to scroll down and then block clipboard and third-party keyboard access:
- Expand the Restrict cut, copy and paste between other apps menu and then choose Blocked.
- Choose Block to prevent the use of third-party keyboards to mitigate against third parties accessing sensitive company data.
Select Next to continue to the Access requirements page.
The Access requirements page provides settings to allow you to configure the PIN and credential requirements that users must meet to access apps in a work context. Contoso will be using the default settings for iOS/iPadOS managed apps – select Next to continue.
The Conditional launch page provides settings to set the sign-in security requirements for your app protection policy:
- Under Device conditions, expand the Setting menu and choose Min OS Version.
- Select the Value field to type and then type or copy/paste 17.4.1 and press Enter.
- Expand the Action menu and choose Block access.
Configure the Maximum allowed device threat level:
- Expand the Setting menu and choose Max allowed device threat level.
- Expand the Value menu and select Secured.
- Expand the Action menu and choose Block access.
Specify the MTD service:
- Expand the Setting menu and choose Primary MTD Service.
- Expand the Value menu and select Microsoft Defender for Endpoint.
Select Next to continue.
The assignments page enables you to assign the app protection policy to groups of users. Under included groups – click Add groups.
On the Select groups to include panel, choose Contoso Engineering and then click Select.
To associate a filter with this assignment, select Edit filter in the Contoso Engineering row.
On the Filters panel, select Include filtered devices in assignment, then choose Unmanaged iOS devices and click Select.
Verify the assignment settings and click Next.
Click anywhere on the screen to scroll down and review your App Protection Policy settings, then click Create.
Congratulations, you have successfully created an App Protection Policy for unmanaged iOS/iPadOS devices at Contoso and assigned it to the Contoso Engineering group. Select App configuration policies to continue.
Select an exercise to continue.
Intune app configuration policies enable administrators to remotely customize and manage the settings of Windows App on iOS/iPadOS and Android devices, ensuring a consistent and secure user experience when accessing Windows environments. By deploying these policies, IT teams can pre-configure essential settings within Windows App, such as device, camera and clipboard redirection, without requiring manual setup on individual devices. This streamlines the deployment process, reduces the potential for user error, and ensures compliance with organizational policies.
On the Apps | App configuration policies page, select +Add and then choose Managed apps.
On the Create app configuration policy page, select the Name field to type, then type or copy/paste Unmanaged iOS / iPadOS redirections and press Enter.
Select the Description field to type, then type or copy/paste No drive and clipboard redirection on an unmanaged device and press Enter.
Next, click +Select public apps.
On the Select apps to target panel, click in the Search field to type, then type or copy/paste Windows and press Enter.
Choose Windows App and then click Select.
Verify the basic settings and select Next.
We will not be configuring settings from the settings catalog – select Next.
On the Settings page, click to expand General configuration settings.
Under General configuration settings, you can specify configuration settings for Windows App using the existing AVD RDP properties. Start with the drive redirection settings:
- Select the Name field to type, then type or copy/paste drivestoredirect and press Enter.
- Select the Value field to type, then type or copy/paste 0 and press Enter. A value of 0 corresponds to ‘disabled’ and will prohibit access to the local drive on iPadOS.
Specify the redirectclipboard setting:
- Select the Name field to type, then type or copy/paste redirectclipboard and press Enter.
- Select the Value field to type, then type or copy/paste 0 and press Enter. A value of 0 corresponds to ‘disabled’ and will prevent local clipboard access.
Verify the settings, then click Next to continue to the Assignments page.
The assignments page enables you to assign the app configuration policy to groups of users. Under included groups – click Add groups.
On the Select groups to include panel, choose Contoso Engineering and then click Select.
To associate a filter with this assignment, select Edit filter in the Contoso Engineering row.
On the Filters panel, select Include filtered devices in assignment, then choose Unmanaged iOS devices and click Select.
Verify the assignment settings and click Next.
Verify the app configuration policy settings and select Create.
You have successfully created and assigned an App Configuration policy. Select Endpoint security in the left navigation of the Intune admin center to continue to create a Conditional Access policy.
Select an exercise to continue.
In the Endpoint security | Overview left navigation under Manage, select Conditional access.
On the Conditional Access | Overview page navigation, select Policies.
Select New policy.
On the new Conditional Access policy page, select the Name field to type, then type or copy/paste AVD and W365 MAM enabled clients only and press Enter.
Specify which users the policy applies to - Select 0 users and groups selected and then, under Include, select All users.
Now, specify the target resources to protect. Select No target resources selected and then under Include, choose Select resources, and then under Select click None.
Your policy should target both Azure Virtual Desktop and Windows 365 Apps:
- On the Select panel, click in the Search field to type, then type or copy/paste Azure Virtual Desktop and press Enter.
- Select Azure Virtual Desktop from the search results.
- Click in the Search field again to type, then type or copy/paste Windows 365 and press Enter.
- Select the Windows 365 app and then click Select.
Under Conditions, click 0 conditions selected.
Under Device platforms, select Not configured.
Select iOS and Android:
- Set the Configure toggle to Yes.
- Under Include, choose Select device platforms.
- Select Android, then select iOS.
- Click Done.
Under Client apps, select Not configured.
Select the client apps this policy will apply to:
- Set the Configure toggle to Yes.
- De-select Browser, Exchange ActiveSync, and Other clients.
- Click Done.
Specify MFA and App Protection Policies as requirements for access:
- Under Access controls > Grant, click 0 controls selected.
- On the Grant panel, select Require multifactor auth.
- Select Require app protection policy and then click Select.
Given that this is Contoso's initial test deployment - you'll be creating the policy in report-only mode.
Review your Conditional Access policy settings and then click Create.
Congratulations, you have completed the interactive demo. Click anywhere on the screen to continue.
Congratulations on completing the Intune Mobile Application Management (MAM) Support for Windows App on iOS and Android interactive demo.
You can choose any exercise to review or select the Home button to return to the beginning of the Windows 365 Interactive Demo.
In regulated industries or during internal investigations, organizations may need to preserve the state of a user’s Cloud PC without risk of alteration or data loss. Windows 365 Enterprise supports this requirement through the ability to place a Cloud PC under review - enabling IT administrators to capture a secure snapshot of a Cloud PC and store it in a designated Azure Storage account. Once under review, the Cloud PC is paused, isolated from user access, and stored in a forensically sound state, allowing for detailed examination or legal hold.
In this interactive demo, we will walk through creating a new Azure storage account that meets the requirements for placing a Cloud PC under review, assigning the appropriate Azure RBAC roles to the Windows 365 service principal (Storage Account Contributor and Storage Blob Data Contributor), and using the Microsoft Intune admin portal to place a Cloud PC under review.
Select an exercise to continue.
Before placing a Cloud PC under review, you must configure an Azure Storage account within the same tenant as the Cloud PC. For guidance on selecting the appropriate storage account type, refer to the Storage account overview. Microsoft recommends creating a dedicated storage account with tightly scoped access controls specifically for Cloud PC auditing purposes.
To create the account, you can use PowerShell, Azure CLI, Azure Resource Manager Template, or Azure portal. In this exercise, we will begin in the Azure portal.
Starting in the Azure portal, logged in as admin@contoso.com, select the menu button in the upper left to toggle the portal navigation menu, then select Storage accounts.
On the Storage accounts page, select Create.
You can use an existing resource group or create a new one. In this example we will be creating a new resource group – select Create new.
Select the Name field to type, then type or copy/paste contoso_azure_storage and press Enter or click OK.
Next, select the Storage account name field and type or copy/paste westuscloudpc and press Enter.
Leave the region set to West US (to optimize performance – it is recommended to choose the same region as the Cloud PCs you will be managing).
As the primary service – choose Azure Blob Storage or Azure Data Lake Storage Gen 2.
You may choose standard or premium (hot access) performance. Standard performance meets Contoso’s requirements so you can leave the default setting.
You may also choose the level of redundancy that meets your organization’s requirements. For this example, click to expand the Redundancy menu and choose Locally-redundant storage (LRS).
Verify your settings and click Next to continue.
Placing a Cloud PC under review requires the following security settings for your Azure storage account:
- Minimum TLS version: Version 1.2 (the default).
- Confirm Allow blob anonymous access is disabled (the default).
- Disable Enable storage account key access.
Beyond that, you have flexibility to choose the settings that meet your organization’s requirements.
Select the checkbox to de-select Enable storage account key access.
Click anywhere on the screen to scroll down and review the additional settings, then click Next.
Network access must be set to Enable public access from all networks (the default), so leave that setting and select Next.
Optionally, if you require the ability to copy your storage account to immutable storage, select the following under Tracking:
- Select Enable versioning for blobs.
- Click anywhere on the screen to scroll down and then select Enable version-level immutability support.
Verify your settings and then click Next.
Leave the default encryption settings and click Next.
In this example, you will not be specifying any tags – click Next.
Click anywhere on the screen to scroll down and review your settings, then select Create.
You have successfully created an Azure storage account that meets the requirements for placing a Windows 365 Enterprise Cloud PC under review.
Click anywhere on the screen to complete this exercise and continue with the interactive demo.
Congratulations on completing exercise 1. Select exercise 2 to continue.
The minimum permissions required for the Windows 365 service to place a Cloud PC under review are Storage Account Contributor and Storage Blob Data Contributor.
In this exercise you will be assigning those Azure RBAC roles to the Windows 365 service principal using the Azure portal.
Beginning in the Azure portal, signed in as admin@contoso.com, select Storage accounts under Azure services.
On the Storage accounts page, select your newly created account – westuscloudpc.
Select Access control (IAM) in the left navigation.
Under Grant access to this resource, click Add new role assignment.
Select the Search field and type or copy/paste storage account contributor and press Enter.
Select Storage Account Contributor in the results list and click Next.
On the Members tab, click + Select members.
Search for the Windows 365 service principal: select the Search field and then type or copy/paste Windows 365 and press Enter.
Select the Windows 365 application in the search results and click Select.
Verify that Windows 365 is now listed under members and click Next.
Select Review + assign.
You have successfully assigned the Storage Account Contributor Azure RBAC role – now click the X to clear the search field.
Type or copy/paste storage blob data contributor and press Enter.
Select Storage Blob Data Contributor in the results list and click Next.
On the Members tab, click + Select members.
Search for the Windows 365 service principal: select the Search field and then type or copy/paste Windows 365 and press Enter.
Select the Windows 365 application in the search results and click Select.
Verify that Windows 365 is now listed under members and click Next.
You will not be specifying any conditions - click Next to continue.
Select Review + assign.
You have successfully assigned the Storage Blob Data Contributor Azure RBAC role and are now ready to place a Windows 365 Enterprise Cloud PC under review – click anywhere on the screen to complete this exercise.
Congratulations on completing exercise 2. Select exercise 3 to continue.
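A scripted equivalent of exercises 1 and 2, added here as an example (it is not part of the original demo and is not Microsoft's own script). It uses Az PowerShell with the resource names from the demo, assumes `Connect-AzAccount` has already been run against the Contoso subscription, and assumes the service principal's display name is `Windows 365`, as it appears in the portal search. It finishes by auditing the account against the settings the demo lists as required.

```powershell
# Added example, not from the demo. Requires the Az.Resources and Az.Storage modules
# and an authenticated session (Connect-AzAccount) on the target subscription.
$rgName   = 'contoso_azure_storage'   # resource group name used in exercise 1
$saName   = 'westuscloudpc'           # storage account name used in exercise 1
$location = 'westus'                  # same region as the Cloud PCs

# Exercise 1: resource group and storage account with the required security settings.
if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rgName -Location $location | Out-Null
}
$sa = Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName -ErrorAction SilentlyContinue
if (-not $sa) {
    $sa = New-AzStorageAccount -ResourceGroupName $rgName -Name $saName -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 `
        -MinimumTlsVersion TLS1_2 `
        -AllowBlobPublicAccess $false `
        -AllowSharedKeyAccess $false
}

# Exercise 2: grant the two roles to the Windows 365 service principal,
# scoped to this storage account only.
# Assumption: the display name matches what the portal search shows.
$sp = @(Get-AzADServicePrincipal -DisplayName 'Windows 365')
if ($sp.Count -ne 1) {
    throw "Expected exactly one 'Windows 365' service principal, found $($sp.Count)."
}
$roles = 'Storage Account Contributor', 'Storage Blob Data Contributor'
foreach ($role in $roles) {
    $existing = Get-AzRoleAssignment -ObjectId $sp[0].Id -Scope $sa.Id -RoleDefinitionName $role
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $sp[0].Id -Scope $sa.Id -RoleDefinitionName $role | Out-Null
    }
}

# Audit: re-read the account and report anything that deviates from the demo's requirements.
$sa = Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName
$findings = @()
if ($sa.MinimumTlsVersion -ne 'TLS1_2') {
    $findings += "Minimum TLS version is '$($sa.MinimumTlsVersion)', expected TLS1_2."
}
if ($sa.AllowBlobPublicAccess -ne $false) {
    $findings += 'Blob anonymous access is not explicitly disabled.'
}
if ($sa.AllowSharedKeyAccess -ne $false) {
    $findings += 'Storage account key access is not explicitly disabled.'
}
if ($sa.NetworkRuleSet.DefaultAction -ne 'Allow') {
    $findings += 'Network access is not set to public access from all networks.'
}
foreach ($role in $roles) {
    if (-not (Get-AzRoleAssignment -ObjectId $sp[0].Id -Scope $sa.Id -RoleDefinitionName $role)) {
        $findings += "Role '$role' is not assigned to the Windows 365 service principal."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Storage account '$saName' meets the place-under-review requirements."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The audit half can be run on its own against an existing account; a setting that was never set explicitly (a null value) is reported as a finding rather than assumed safe.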
After setting up an Azure storage account with the required permissions as explained in the previous sections, you can now place a Windows 365 Cloud PC under review using the Microsoft Intune admin center.
Starting in the Microsoft Intune admin center, logged in as admin@contoso.com, select Devices in the left navigation.
On the Devices | Overview page – select Windows 365 in the navigation.
Select the All Cloud PCs tab.
You will be placing Adele Vance’s Cloud PC under review - select CPC-adele-JC0SJ.
The option to place a Cloud PC under review will be in the top toolbar. Depending on your screen resolution and browser zoom, this option may be hidden behind the ellipsis on the right side of the toolbar.
Select the ellipsis (…) to expand the available actions and choose Place Cloud PC under review.
Click to expand the Subscription menu and choose Contoso Azure Subscription (recall from exercise 1 this was the subscription used during creation of the storage account).
Expand the Storage account menu and select westuscloudpc.
Leave the default settings for Access tier and Access during review and select Place under review.
Note: when you choose Block Access, the Cloud PC will be immediately powered off so the user can't access the Cloud PC, and then the snapshot will be created. This option is useful in cases where you may want to contain a security threat by shutting down the Cloud PC, and then performing analysis of the snapshot later in an isolated environment. If you instead choose Allow Access, the Cloud PC user can continue to use the Cloud PC even as you create a snapshot in the storage account.
Review the dialog text and then click Place under review again.
You have successfully placed Adele’s Cloud PC under review. Based on the disk size of the Cloud PC and storage account destination region, it can range from minutes to a few hours for each snapshot to be saved to the storage account. You may choose to make the snapshot tamper-evident by creating a file hash of the snapshot after it's saved in the storage account. One way of creating the file hash is to use the Get-FileHash cmdlet.
Click anywhere on the screen to complete this exercise and continue with the interactive demo.
Congratulations on completing the interactive demo of how to place a Windows 365 Enterprise Cloud PC under review. You can select an exercise to review or select the home button in the toolbar to return to the beginning of the Windows 365 Enterprise interactive demo.
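One way to apply the Get-FileHash suggestion from exercise 3, as an added example that is not part of the original demo: record a SHA-256 hash of a snapshot copy in a small manifest, then re-check the file against that manifest later. The function names and manifest layout are hypothetical, and the snapshot is assumed to have been downloaded to a local path; the demo at the bottom uses a constructed stand-in file instead of a real snapshot.

```powershell
# Added example, not from the demo. Function names and manifest fields are hypothetical.
function New-SnapshotHashRecord {
    param(
        [Parameter(Mandatory)][string]$Path,          # local copy of the snapshot
        [Parameter(Mandatory)][string]$ManifestPath   # where to write the hash record
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $record = [ordered]@{
        FileName    = $file.Name
        Length      = $file.Length
        Algorithm   = $hash.Algorithm
        Hash        = $hash.Hash
        RecordedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
    $record | ConvertTo-Json | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
    [pscustomobject]$record
}

function Test-SnapshotHashRecord {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $record  = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    $file    = Get-Item -LiteralPath $Path -ErrorAction Stop
    $current = Get-FileHash -LiteralPath $file.FullName -Algorithm $record.Algorithm
    [pscustomobject]@{
        FileName     = $file.Name
        SizeMatches  = ($file.Length -eq $record.Length)
        HashMatches  = ($current.Hash -eq $record.Hash)
        RecordedHash = $record.Hash
        CurrentHash  = $current.Hash
    }
}

# Demo with a constructed stand-in file (not a real Cloud PC snapshot).
$sample   = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-snapshot-sample.vhd'
$manifest = "$sample.sha256.json"
[System.IO.File]::WriteAllBytes($sample, [byte[]](1..255))

New-SnapshotHashRecord -Path $sample -ManifestPath $manifest | Out-Null
$before = Test-SnapshotHashRecord -Path $sample -ManifestPath $manifest

# Simulate a modification after the hash was recorded.
Add-Content -LiteralPath $sample -Value 'x'
$after = Test-SnapshotHashRecord -Path $sample -ManifestPath $manifest

"Unmodified file matches manifest: $($before.HashMatches)"
"Modified file matches manifest:   $($after.HashMatches)"

Remove-Item -LiteralPath $sample, $manifest
```

Keep the manifest somewhere other than the storage account that holds the snapshot; a hash stored beside the file can be changed by anyone who can change the file.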
Select start to continue.
As more organizations adopt Desktop as a Service to enhance security and flexibility, Microsoft is expanding its Cloud PC solution by introducing the first Cloud PC device that connects securely to Windows 365 in seconds. Windows 365 Link – the simple, secure, purpose-built device for Windows 365 – is available now in preview, enabling users to work securely in a familiar Windows desktop with responsive, high-fidelity experiences.
Select continue for a closer look at this new Cloud PC device.
This compact, lightweight, fanless device is convenient to place on a desk or mount behind a monitor, and it is seamless to use with wired or wireless peripherals. It boasts dual 4K monitor support with one HDMI and one DisplayPort, 3 USB-A, 1 USB-C port, a 3.5mm audio port, an Ethernet Port, Wi-Fi 6E, and Bluetooth 5.3.
To learn more about this new Cloud PC device select Continue.
Ideal for organizations with desk-based workers who are using Windows 365 in shared workspaces, let’s take a closer look at how this new device can help:
- Make the most of productive time
- Reduce the attack surface
- Simplify IT management
Select an exercise to continue.
Turn on the device and you’ll land on this sign-in screen within seconds. Notice how you have the option to sign in securely using a security key or multifactor authentication.
Select the security key option to continue.
Enter your security key PIN.
Select the PIN field to type, then type or copy/paste 1234 and press Enter.
After entering your PIN you'll be prompted to touch your security key.
Click anywhere on the screen to simulate touching the security key.
Upon signing in successfully, notice how you are connected directly to your Windows 365 Cloud PC within seconds.
Your Cloud PC is exactly how you left it, for example, here you can see some apps are open from the last time you connected.
Click to join the ongoing meeting in Microsoft Teams.
Windows 365 Link is optimized out-of-the-box to provide high-fidelity video playback and conferencing experiences leveraging local processing.
You have completed this exercise.
Click anywhere on the screen to continue.
Select Exercise 2: Reduce the attack surface to continue.
Click the Power -> Lock button to lock the device.
Notice how it returns to the sign-in experience and no corporate data or account information is stored on the local device. The dataless nature of this device makes it great as a shared-use device for hot-desking, contact centers, and more.
Click anywhere on the screen to continue.
The device is secure by design, offering a locked-down experience with security baseline policies enabled by default and security features that cannot be turned off: Trusted Platform Module, Secure Boot, BitLocker drive encryption, Hypervisor Code Integrity, and Microsoft Defender EDR Sensor.
You have completed this exercise. Select Continue.
Select Exercise 3: Simplify IT Management to continue.
The device can be set up in a few simple steps when first turned on - it just needs to be connected to Wi-Fi or a wired Ethernet connection.
Select ContosoNetwork5 and then click Next to connect to a network.
Sign in as Elvia Atkins:
- Select the username field to type, then type or copy/paste Elvia.Atkins@contoso.com and press Enter.
- Contoso has configured passwordless authentication for Elvia – click anywhere on the screen to simulate using the Authenticator app to approve the sign-in request.
After signing in, Elvia's Cloud PC loads, with all of their context and apps just where they left off.
Upon the first sign-in, the device joins with Microsoft Entra and enrolls automatically into the Microsoft Intune environment. The device also automatically stays up to date.
Click anywhere on the screen to switch to the IT experience in Intune.
You are now on the Devices | Overview page in the Microsoft Intune admin center, logged in as Connie Wilson - an administrator for Contoso.
Under Platforms in the Devices page navigation, select Windows to view all of the Windows devices at Contoso.
Notice how Windows 365 Link devices (the highlighted ones with the WCPC prefix in their name) appear alongside other PCs as compliant devices. This is because they have a Windows-based OS, and the policies you had set for Windows 10 and later devices were automatically applied to them.
Select the Windows 365 Link device at the top of the list (WCPC-328PY43R3) to view more information and management options for that device.
As you can see from the device model, this is a Windows 365 Link device.
Notice how familiar actions are available to manage this device like any other PC e.g. Restart, Restore or Remote Wipe.
Select Wipe to view the experience when wiping the device.
Review the text of the dialog - note that by default, wipe will remove all personal and company data from the device, reset to default settings, and un-enroll from Intune.
When you are ready, click Wipe to execute the action.
The Windows 365 Link device has been successfully wiped.
Beyond the familiar management actions available in Intune - you can also create custom device configuration policies.
Click anywhere on the screen to continue.
Microsoft Intune enables you to create profiles for different devices and different platforms - including Android, iOS/iPadOS, macOS, and Windows.
This Create Profile page shows the final step in creating a new configuration profile for Windows 365 Link devices to prohibit the use of any removable storage devices.
Select Create to finalize the creation of the configuration profile.
Once the profile has been successfully created - external storage devices will no longer be allowed on Windows 365 Link devices at Contoso.
You have completed the interactive demo for Windows 365 Link.
Click anywhere on the screen to continue.
Thank you for completing the Windows 365 Link interactive demo.
You can review any of the demo exercises or select Home in the toolbar to start over.
Visit https://aka.ms/Windows365Link to learn more about this new device which is now available in preview in select markets.