Windows 365 – How To Build An Excellent and Secure User Experience


The same day Windows 365 was released I bought myself a Windows 365 Enterprise 2 vCPU / 4GB / 64GB Cloud PC for $31 per month. I started out with Windows 10 and later reprovisioned the Cloud PC with Windows 11. In my honest opinion the price is a steal compared to an Azure Bastion host costing close to $130 per month which doesn’t even come with MFA out of the box.

The reason why I compared it to Azure Bastion host is the fact that Windows 365 Cloud PC is the PERFECT instant replacement for any RDP solution open to the internet. Yeah I had to scream that out loud, because I was hacked myself in less than 3 hours covered in this blog post.

Windows 365 Enterprise supports Intune, but you need a separate license for that. Luckily as an Action Pack subscriber I get 5 licenses for MEM.

I’m using my Cloud PC daily running PowerShell scripts, testing Win32App apps, mRemoteNG for RDP access to my VMs and randomly checking mail and Teams notifications. Windows 365 Enterprise Basic supports Teams chat and audio calls only, so if you want video you need to go for Standard which is $41 per month.

I have to say that I’m REALLY surprised by the performance of this low spec VM, not to mention the performance of running 720k videos on YouTube. This coming from a guy working daily on customer provided VM with 8 vCPU and 16GB as default spec.

Since I’m testing tons of Win32Apps I normally reprovision my Cloud PC when I leave my office on Friday evening. It’s way faster than uninstalling all the apps, and that’s the topic of this blog post.

Out Of The Box Experience

To learn Intune the right way, I’ve got all Group Policies blocked on the Organization Unit containing my Cloud PCs. This is leading practices which everyone building a greenfield solution should follow. I have 3 profiles configured for Edge, OneDrive and Outlook.

At first time logon a request is sent to my Microsoft Authenticator app to verify 2FA. The Autopilot enrollment process takes around 5 minutes.

This is where an Intune Managed Cloud PC shines compared to whatever other solution. You have Single Sign On (SSO) out of the box, and no pops for providing username and password for OneDrive and Outlook like you have Onprem or when your user profile is deleted.

I find it amazing how the Start Menu remembers all the recently opened applications and documents. As for Edge I would really like it to just bypass the wizard (maybe there’s a setting for that) but it’s cool how my LastPass plugin follows my Edge profile.

From my last blog post I showed you how easy it is to automatically create Win32App applications and the user experience is awesome as I have CMtrace and others applications automatically installed (required assignment).

When provisioning a Cloud PC it’s using the Microsoft provided Image Gallery you defined in your Provisioning Policy, mine is Windows 11 Enterprise + Microsoft 365 Apps 21H2. The image is mostly up to date, but to secure the deployment even more I have a PowerShell script that automatically patches the OS. You can find the script here on my Github repo, and I’m using this at all my customers.

The file type extension has already been registered to CMtrace.

And from the PSWindowsUpdate.log file you can see that the Cloud PC has been fully patched during deployment.

Uninstall Teams for Home

This one is VERY important, because based upon Teams only, the users will rather love or hate their new Windows 365 solution. Imaging logging in, but then being unable to sign into Teams because it’s the Home version?

Luckily the fix is pretty straight forward, download the MSIX and add it as a required uninstall for all devices as covered by my colleague MVP Adam Gross here. I’m using the same method to uninstall most Windows Store Apps.

Resize Experience

As I said I started out with Basic, but I wanted to test the resize experience. First you’ll need to purchase a new payment plan for the size you want to use in Admin Center. After that head over Azure Active Directory in the Azure Portal and assign the new license to the user and unassign the old one. Then head back to Admin Center and cancel the old license plan. Now with the new license in place you should be able to Resize (Preview). That didn’t work for me, but I did notice that a new Cloud PC was provisioned to me.


Automation Framework Community Edition

The fastest way to build your lab environment.

Virtual Expo

Friday 30th of September 2022

4 thoughts on “Windows 365 – How To Build An Excellent and Secure User Experience”

  1. You don’t need to assign the new Windows 365 license manually – you just need to ensure you have a spare license available to resize, you then do the resize on the endpoint in MEM and it will auto resize the VM and re-allocate the licenses correctly.

  2. Hello Eirik:

    I am just starting with Windows 365 and found your blog – really appreciate your content. Keep up the good work!

    I wonder if you would be willing to share your script to install CMTrace? I found solutions from other bloggers but they seem to have either have typos or still prompt to make CMTrace the default log viewer. I have spent an embarrassing amount of time on this and for now settling on copying the exe to a known location and advising our admins who actually use it that it is there for them.



Leave a Comment