Windows 365 Boot – Booting Physical devices directly into Cloud PC


Windows 365 Boot:

Microsoft designed Windows 365 Boot so that a physical device boots directly into the user's Windows 365 Cloud PC; users are never required to sign in to the physical device itself.

The solution is intended for shared PC scenarios: multiple users can sign in on the same physical device, and each lands in their own Windows 365 Cloud PC.

Shift workers can hand the physical device to a colleague at the end of a shift, and the next employee signs straight into their own Cloud PC. This makes it a good fit for nursing, call centers, and sales teams.

How to Restrict User Access to the Windows 365 Boot Physical Device:

When a user works in a Cloud PC from a Windows 365 Boot device, additional configuration is needed to keep them from interacting with the physical device itself. Depending on the organization's requirements, the admin can review and implement the CSP policies below.

Prevent access to the physical device's Task Manager
With the DisableTaskMgr CSP policy, the admin can block Task Manager on the physical device for users and admins alike. The trade-off is that troubleshooting the physical device becomes harder, because admins lose Task Manager too.

Prevent users from changing the physical device’s password

With the DisableChangePassword CSP policy, changing the user's password can be disabled on Windows 365 Boot physical devices.

Set default credential provider:

Windows 365 Boot requires username and password authentication. Organizations that default to a different authentication method can use the DefaultCredentialProvider CSP policy to make username and password the default credential provider on the physical device.

Remove Notifications and Action Center from the taskbar
Users can interact with the physical device through its notifications. Use the DisableNotificationCenter CSP policy to remove Notifications and Action Center from the physical device's taskbar.

Prevent physical device notifications:
Use the NoToastNotification CSP policy to stop physical-device toast notifications from appearing over the Cloud PC session.

Prevent automatic launch of apps during user sign-in:
Some applications launch automatically at sign-in. Configure the DisableExplorerRunLegacy_1 CSP policy to prevent them from launching on the physical device.

Improve sign-in on touchscreen devices:
Windows 365 Boot touchscreen devices need the on-screen touch keyboard at sign-in; the “Enable Touch Keyboard Auto-Invoke In Desktop Mode” CSP policy improves the sign-in experience on such devices.

Deploy Windows 365 Boot to Physical devices:

Deploying Windows 365 Boot to physical devices lets users sign in directly to their Cloud PC without signing in to the physical device.

The physical devices must run Windows 11 Pro or Enterprise, and the admin needs the Intune Service Administrator role.

You need to define:

  • Autopilot device name templates and resource name profiles
  • Windows update settings
  • VPN profile, Wi-Fi profile and language settings
  • Group assignments to physical devices.

Use Intune to Deploy Windows 365 Boot

  • Sign in to the Microsoft Intune admin center, go to Devices -> Windows 365 (under Provisioning) -> Windows 365 Boot (Windows 365 guides), and click Next on the introduction page.
  • On the Basics page, the Autopilot device name template enrolls the devices into Windows Autopilot. Select Apply device name template and create a unique pattern for naming the devices. The names:

    • Must be 15 characters or less.
    • Can include letters (a-z, A-Z), numbers (0-9), and hyphens.
    • Cannot consist only of numbers and cannot include a blank space.
    • Can use the %SERIAL% macro to add a hardware-specific serial number.
    • Can use the %RAND:x% macro to add a random string of characters, where x is the number of characters to add.

  • Specify the resource name prefix; every resource the guide creates and deploys will be named with this prefix at the beginning.
  • Select Next: Endpoint Updates to proceed.
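A template that breaks these rules only shows up as a problem once devices start enrolling, so it is worth checking before the guide is saved. The PowerShell below is an added example (not code from the article, WME or Microsoft): it expands a template the way the two macros describe and checks the result against the rules above. The character set used for %RAND:x%, the sample serial number and the three templates are assumptions made for the example.

```powershell
# Added example, not from the original article or from Microsoft: expand an
# Autopilot device name template with the %SERIAL% and %RAND:x% macros and check
# the result against the naming rules listed above. The %RAND:x% character set
# and the sample template/serial are assumptions made for this example.
function Expand-DeviceNameTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$SerialNumber
    )
    $name = $Template.Replace('%SERIAL%', $SerialNumber)
    # Replace each %RAND:x% with x random characters (assumed charset: A-Z and 0-9)
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($match)
        $count = [int]$match.Groups[1].Value
        $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'.ToCharArray()
        -join (1..$count | ForEach-Object { Get-Random -InputObject $chars })
    }
    return [regex]::Replace($name, '%RAND:(\d+)%', $evaluator)
}

function Test-DeviceName {
    param([Parameter(Mandatory)][string]$Name)
    $problems = @()
    if ($Name.Length -gt 15)               { $problems += "is longer than 15 characters ($($Name.Length))" }
    if ($Name -match '\s')                 { $problems += 'contains a blank space' }
    if ($Name -notmatch '^[A-Za-z0-9-]+$') { $problems += 'contains characters other than letters, numbers and hyphens' }
    if ($Name -match '^[0-9]+$')           { $problems += 'consists only of numbers' }
    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed inputs: one template that fits in 15 characters, one that is too
# long once the serial and random suffix are expanded, one with a space.
$serial = 'PF3ABC12'    # assumed 8-character hardware serial number
foreach ($template in 'W365-%SERIAL%', 'NURSE-%SERIAL%-%RAND:4%', 'W365 %RAND:3%') {
    Test-DeviceName -Name (Expand-DeviceNameTemplate -Template $template -SerialNumber $serial)
}
```

Run it with your own serial-number length: the 15-character limit applies to the expanded name, so a long serial can push an otherwise valid template over the limit.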

Windows Updates Settings

On the Endpoint updates page, specify the Windows Update settings with which the physical devices receive updates automatically, without manual intervention.

Configure Update deferral settings with the number of days an update is deferred after Microsoft releases it. Under User experience settings, configure the active hours start and end time; the device will not restart to install an update during that window.

Configure Update deadline settings so that updates are installed automatically once the specified number of days has passed.

Configure Settings to Finally Deploy Windows 365 Boot

  • Click on Next: Settings.
  • On the Settings page, choose the VPN and Wi-Fi profiles used to connect to the corporate network, and choose a language if the physical devices should use a specific language instead of the default.
  • Click on Next: Assignments.
  • On the Assignments page, select the new or existing device group this policy should be deployed to. The device group must contain the physical devices.
  • On the Review + Create page, review the configured settings and click Create. If anything needs to change, go back to the previous tabs and modify the settings. Once the devices are connected to the network, the policy is applied and the Windows 365 Boot feature is activated.

Known Issues that May Arise During Windows 365 Boot

No support for app-based VPN clients:

Windows 365 Boot does not support application-based VPN clients, because the user cannot interact with a VPN client on such a device.

No support for Wireless Devices:

Only wired peripherals (such as headphones, keyboard, and mouse) are supported; wireless peripherals are not.

No support for Kiosk mode:

Windows 365 Boot is not supported in Kiosk mode on Windows.

Default PC Sign-ins

If a user is assigned multiple Cloud PCs, signing in automatically connects them to an available Cloud PC; they cannot choose which Cloud PC to sign in to.

Limited Sign-in Methods

Only username and password sign-in is supported, because a Windows 365 Boot PC is configured through the shared PC configuration service provider (CSP). Windows Hello for Business and PIN sign-in can be turned off using Microsoft Intune.

More Issues with Windows 365 Boot

  • Windows 365 Boot expects a clean-state Windows 11 device; if the device has pre-configured applications or settings, reset it to a clean state before deployment.
  • Users see a black screen when they disconnect from, sign out of, or lock the Cloud PC.
  • Camera access is denied in the Cloud PC by default; to use the Windows 365 Boot device's camera in Teams, grant camera permission to the Azure Virtual Desktop (HostApp) application on the physical device.
  • Users are disconnected from the Cloud PC if the session is idle for a long time.
  • If a user sees the error message “You need to be assigned a Cloud PC”, a Windows 365 Cloud PC must be provisioned for them.
  • If a user needs to reset their password, they must do it on a device that is not a Windows 365 Boot device; password reset is not possible on the Windows 365 Boot device itself.

Troubleshooting Windows 365 Boot Problems:

  • If the user cannot access the Cloud PC from the Windows 365 Boot physical device, try to access it from a browser at windows365.microsoft.com or from the Windows 365 app on a device that is not a Windows 365 Boot device. If the Cloud PC is reachable from the browser or app, the problem is with the Windows 365 Boot device.
  • Verify that the physical device is configured correctly and that the policy has been applied; if it has not, run a device sync from Intune so the policy is applied right away, then restart.

The following registry values relate to Windows 365 Boot; verify that they have been created as shown.

Registry key                                                          Registry value name    Registry value
HKLM\Software\Microsoft\PolicyManager\current\device\CloudDesktop     BootToCloudMode        1
HKLM\Software\Microsoft\PolicyManager\current\device\WindowsLogon     OverrideShellProgram   1
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedPC\NodeValues    18                     1
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedPC\NodeValues    1                      1
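Checking the four values by hand in regedit is error-prone on a device you can barely interact with, so the following PowerShell is an added example (not code from the article, WME or Microsoft) that reads each value from the table above and reports whether it is missing, wrong, or as expected. It assumes an elevated session on the physical device; the paths and data are exactly those in the table.

```powershell
# Added example, not from the original article: confirm that the Windows 365 Boot
# registry values from the table above exist with the expected data.
# Run in an elevated PowerShell session on the physical device.
$expected = @(
    @{ Path = 'HKLM:\Software\Microsoft\PolicyManager\current\device\CloudDesktop';    Name = 'BootToCloudMode';      Data = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\PolicyManager\current\device\WindowsLogon';    Name = 'OverrideShellProgram'; Data = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\NodeValues';   Name = '18';                   Data = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\NodeValues';   Name = '1';                    Data = 1 }
)

function Test-W365BootRegistry {
    param([array]$Checks = $expected)
    foreach ($c in $Checks) {
        $actual = $null
        $status = 'MISSING'
        if (Test-Path -Path $c.Path) {
            # Get-ItemProperty returns $null (no error) when the value name does not exist
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $actual = $item.($c.Name)
                $status = if ([int]$actual -eq $c.Data) { 'OK' } else { 'WRONG' }
            }
        }
        [pscustomobject]@{
            Status   = $status
            Key      = $c.Path
            Name     = $c.Name
            Expected = $c.Data
            Actual   = $actual
        }
    }
}

$results = Test-W365BootRegistry
$results | Format-Table -AutoSize
if ($results.Status -contains 'MISSING' -or $results.Status -contains 'WRONG') {
    Write-Warning 'Windows 365 Boot policy is not fully applied. Run a device sync from Intune and check again.'
}
```

Anything reported as MISSING or WRONG means the Intune policy has not landed on the device, which is the case the sync-and-restart step above is meant to fix.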

Try Removing the Device from the Windows 365 Boot Group and Adding It Again

  1. Sign in to the Microsoft Intune admin center, go to Groups -> All groups, open the Windows 365 Boot device group, go to Members, and remove the physical device.
  2. Run a device sync so the removal takes effect.
  3. Add the physical device back to the Windows 365 Boot group with Add members.
  4. The device will be set up for Windows 365 Boot again.

Collect the Following Logs to Analyze the Issue for Troubleshooting

  • C:\Users\{username}\AppData\Local\Temp\DiagOutputDir\Windows365\Logs
  • C:\Users\{username}\AppData\Local\Temp\DiagOutputDir\RdClientAutoTrace

Check the Windows 365 and Azure Virtual Desktop Application Versions

Windows 365 Boot requires specific versions of the Windows 365 app and the Azure Virtual Desktop (HostApp) application. Run the PowerShell command below to see which versions are installed.

Get-AppxPackage -AllUsers -Name *MicrosoftCorporationII*

The following minimum versions are required for Windows 365 Boot to work properly:

  • Windows 365 app version 1.1.162.0 or later.
  • Azure Virtual Desktop (HostApp) app version 1.2.4159 or later.
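Reading the version numbers out of the Get-AppxPackage listing and comparing them by eye is easy to get wrong (string comparison puts 1.2.999 after 1.2.4159). The PowerShell below is an added example (not code from the article, WME or Microsoft) that does the comparison with the [version] type against the minimums listed above. The wildcard package-name patterns are assumptions; adjust them if the package names on your devices differ.

```powershell
# Added example, not from the original article: compare the installed Windows 365
# and Azure Virtual Desktop (HostApp) package versions with the minimums stated
# above. The name patterns below are assumptions; -AllUsers needs an elevated session.
$minimums = @(
    @{ Label = 'Windows 365 app';                     Pattern = 'MicrosoftCorporationII.Windows365*'; Minimum = [version]'1.1.162.0' },
    @{ Label = 'Azure Virtual Desktop (HostApp) app'; Pattern = 'MicrosoftCorporationII.*HostApp*';    Minimum = [version]'1.2.4159' }
)

function Get-W365BootAppStatus {
    # Same query as the article's command, narrowed to the publisher prefix
    $packages = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII*'
    foreach ($m in $minimums) {
        # If several versions are staged for different users, judge by the newest one
        $pkg = $packages |
               Where-Object { $_.Name -like $m.Pattern } |
               Sort-Object { [version]$_.Version } -Descending |
               Select-Object -First 1
        $installed = if ($pkg) { [version]$pkg.Version } else { $null }
        $status = if (-not $pkg)                         { 'NOT INSTALLED' }
                  elseif ($installed -ge $m.Minimum)     { 'OK' }
                  else                                   { 'TOO OLD' }
        [pscustomobject]@{
            App       = $m.Label
            Package   = $pkg.Name
            Installed = $installed
            Minimum   = $m.Minimum
            Status    = $status
        }
    }
}

Get-W365BootAppStatus | Format-Table -AutoSize
```

Both rows must show OK; NOT INSTALLED or TOO OLD on either app explains a Windows 365 Boot device that never reaches the Cloud PC even though the registry values are present.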

Wrapping it Up:

Windows 365 Boot is a game-changing solution for secure and seamless remote work. With the ability to boot physical devices directly into the Windows 365 cloud PC, it offers enhanced flexibility and productivity for shared PC scenarios.

By leveraging Microsoft 365 Professional services from WME, your organization can fully optimize and deploy this innovative solution. Upgrade your remote work experience today with Windows 365 Boot and empower your workforce like never before.
