I wanted to put this article together as a living document to track any helpful tips for Windows 365. I have been doing some more extensive testing and wanted to share some of my experience. 

Business vs Enterprise

Windows 365 Business plans have a lightweight deployment where you only need to license users. Cloud PCs are provisioned in about 30 minutes and are then accessible to the user. This light deployment comes with a lack of control, such as the inability to deploy custom images. You also have fewer printing options because you do not control the network; technologies such as Universal Print are not supported in the Business plan at this time.

The Business plan also requires you to manually resize Cloud PCs if you want to move up in CPU, RAM, etc., whereas resizing is built into the interface natively with the Enterprise plans. A key piece to note is that resizing is supported up but not back down. All users are created as local admins on their Cloud PCs by default with the Business plan, which is rarely what you want from a least-privilege standpoint: a compromised user account then has full control of the Cloud PC and can disable or uninstall whatever you pushed to it. The Business plans also come with a hybrid discount of around 16% when the base device runs Windows 10 Pro, so devices like Chromebooks would not be eligible. Lastly for the Business plan, devices are natively joined to Azure AD and enrolled into Intune automatically. This allows you to push out applications, compliance policies, scripts and more as soon as the device is provisioned.

On the Enterprise side of the house, the setup is much more time-intensive and requires that you connect to a local Active Directory environment. Microsoft says they are working on native Azure AD join support like the Business plan, but it does not currently exist. For now, you still need an Azure subscription in addition to the licensing so that you can create a VNet that provides line of sight to your Active Directory environment. Azure AD Domain Services is also not supported at this time. The Enterprise plans do support custom images and have native resizing support within the Endpoint Manager admin center.

Plans and Pricing

Overall, the plans and pricing between Business and Enterprise are roughly the same. All pricing information can be found here.

If you compare the pricing of roughly $30 per user per month against the cost of a laptop with similar specs over a three-year period, you are not going to find much in the way of cost savings. For this reason, I think it's best to pitch the flexibility and security of this solution to customers. If you truly want cost savings, you should look at adopting AVD instead. Nerdio put together a great comparison showing a 58% reduction in cost vs Cloud PC if you pair reserved instances, pooled hosts and auto-scaling.

I think it's also good to note which plans have apps preinstalled. These automatically deploy upon provisioning of the Cloud PC and sign users in. This is a nice experience for Teams and OneDrive especially.

Setup Time

With the Business plans, all you need to do is assign the appropriate licensing to users and wait for the Cloud PC to provision. It took about 30 minutes for me before it was ready when I went to windows365.microsoft.com. While I was able to sign in at that time, it took about another 30 minutes for it to finish installing and signing into apps like Teams and OneDrive.

On the Enterprise side, there are multiple prerequisites that you may or may not have in place, which could greatly increase your onboarding time. Personally, I created a DC, established AD Connect with hybrid device sync, configured a VNet in Azure and established the connection in Endpoint Manager (so basically everything you would need to do from scratch). This took around 2 hours to complete and another 30 minutes to provision the Cloud PC after I was done. You might run into more complex networking configurations that make this harder to execute.

Patching

Automated OS updates are built into both plans. If you want to control the patch cycle for devices, you would need to do so in Endpoint Manager (for example with Windows Update rings) or via your RMM after deployment.

Intune Considerations

Since you do not have the ability to build custom images with the Business plans, I would highly recommend adopting Intune if you are not already. Otherwise you are going to have to figure out another way to get the device under management, with your RMM for instance. At the very minimum, you could use Intune to deploy your RMM agent to the Cloud PC when it is first provisioned. Since the device integrates natively out of the box, I think it's a great opportunity to push out compliance policies, configuration profiles, scripts, etc. directly from Endpoint Manager, where the devices are being provisioned. An additional benefit here would be leveraging Windows Information Protection (WIP) to keep corporate data from being stored or shared with non-trusted third parties, like a user's personal Google Drive for example.
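One of the first scripts worth pushing from Intune is one that undoes the Business-plan default mentioned under Business vs Enterprise, where every user lands in the local Administrators group of their Cloud PC. The script below is an added example, not code from the original article; it assumes it is assigned to the Cloud PC device group and runs as SYSTEM, and the allow-listed account names and SIDs are placeholders you would replace with your own.

```powershell
# Added example (not from the original article): Intune PowerShell script that strips
# unexpected members from the local Administrators group on a Windows 365 Business Cloud PC.
# Assign it to the Cloud PC device group and run it as SYSTEM. The allow-lists are placeholders.

$AllowedNames = @('Administrator', 'BreakGlassAdmin')   # local accounts to keep (hypothetical names)
$AllowedSids  = @()   # e.g. the S-1-12-1-... SID of an Azure AD admin group or role to keep (hypothetical)
$LogPath = Join-Path $env:ProgramData 'CloudPC\RemoveLocalAdmins.log'
New-Item -Path (Split-Path $LogPath) -ItemType Directory -Force | Out-Null

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append
}

# ADSI instead of Get-LocalGroupMember: the cmdlet throws when it meets Azure AD principals
# it cannot resolve, which is exactly what an Azure AD joined Cloud PC contains.
$Group = [ADSI]'WinNT://./Administrators,group'
foreach ($Member in @($Group.Invoke('Members'))) {
    $Type    = $Member.GetType()
    $AdsPath = $Type.InvokeMember('AdsPath',   'GetProperty', $null, $Member, $null)
    $Name    = $Type.InvokeMember('Name',      'GetProperty', $null, $Member, $null)
    $SidBin  = [byte[]]$Type.InvokeMember('objectSid', 'GetProperty', $null, $Member, $null)
    $Sid     = (New-Object System.Security.Principal.SecurityIdentifier($SidBin, 0)).Value

    # Keep the built-in Administrator (RID 500) and anything explicitly allow-listed.
    if ($Sid -like 'S-1-5-21-*-500' -or $AllowedNames -contains $Name -or $AllowedSids -contains $Sid) {
        Write-Log "KEEP   $AdsPath ($Sid)"
        continue
    }
    try {
        $Group.Remove($AdsPath)
        Write-Log "REMOVE $AdsPath ($Sid)"
    } catch {
        Write-Log "FAILED $AdsPath ($Sid): $($_.Exception.Message)"
    }
}
```

Two caveats before assigning this broadly: Azure AD joined devices also carry unresolved S-1-12-1-... entries for the Global Administrator and Azure AD Joined Device Local Administrator roles, so add those SIDs to the allow-list if you rely on them, and test on a single Cloud PC first. An Intune script runs once, so for ongoing enforcement the Endpoint security > Account protection "Local user group membership" policy is the declarative way to keep the group clean after the initial fix.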

Data Protection

Windows 365 natively gives users the ability to perform basic management functions against their Cloud PC. One of these is resetting the device. Doing so wipes any data on the device that is not syncing to OneDrive.

In addition, the Business plans do not have native resize capabilities, as mentioned earlier. This means that if you need to move up in size, it is possible that a brand-new Cloud PC will be provisioned and any data not syncing to OneDrive will be lost. I encourage adopting OneDrive Known Folder Move, which is part of the Administrative Templates (configuration profiles) in Endpoint Manager, so that users' Desktop, Documents and Pictures folders are redirected to OneDrive and backed up as well.
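Because both the user-initiated reset and a Business-plan resize can discard anything outside OneDrive, it is worth being able to confirm that Known Folder Move has actually taken effect on a Cloud PC, not just that the policy was assigned. The script below is an added example, not from the original article: Set-KfmPolicy writes the same registry values the OneDrive Administrative Template settings write (run as SYSTEM), and Test-KfmRedirection reads the user's shell-folder registrations to report whether each known folder now lives under OneDrive (run in the user's context). The tenant ID is a placeholder.

```powershell
# Added example (not from the original article): set the OneDrive Known Folder Move policies
# on a Cloud PC and verify that Desktop/Documents/Pictures are actually redirected.
# Replace the tenant ID placeholder with your Azure AD tenant ID (assumption).

$TenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Set-KfmPolicy {
    # Same values the OneDrive ADMX settings "Silently move Windows known folders to OneDrive",
    # "Prevent users from redirecting their Windows known folders to their PC" and
    # "Silently sign in users to the OneDrive sync app" write. Needs SYSTEM/admin (HKLM).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'KFMSilentOptIn'                 -Value $TenantId -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'KFMSilentOptInWithNotification' -Value 1         -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'KFMBlockOptOut'                 -Value 1         -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'SilentAccountConfig'            -Value 1         -PropertyType DWord  -Force | Out-Null
}

function Test-KfmRedirection {
    # Must run in the signed-in user's context: the shell-folder registrations live in HKCU.
    # Returns one object per known folder; InOneDrive = $true means a reset/resize will not lose it.
    $ShellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $Map = [ordered]@{ Desktop = 'Desktop'; Documents = 'Personal'; Pictures = 'My Pictures' }
    foreach ($Folder in $Map.Keys) {
        $ValueName = $Map[$Folder]
        $Raw  = (Get-ItemProperty -Path $ShellKey -Name $ValueName).$ValueName
        $Path = [Environment]::ExpandEnvironmentVariables($Raw)
        [pscustomobject]@{
            Folder     = $Folder
            Path       = $Path
            InOneDrive = [bool]($env:OneDrive -and $Path.StartsWith($env:OneDrive, 'OrdinalIgnoreCase'))
        }
    }
}

# Usage: run Set-KfmPolicy once as SYSTEM (e.g. an Intune script); later, as the user,
# run Test-KfmRedirection and treat any InOneDrive = False row as data at risk.
Test-KfmRedirection | Format-Table -AutoSize
```

If you deploy the check through Intune, tick "Run this script using the logged on credentials" for the Test-KfmRedirection half, otherwise it reads SYSTEM's profile and every row will come back False. The silent opt-in only moves the folders after the OneDrive client has signed in, which on a freshly provisioned Cloud PC can be some minutes after first logon, as noted in the Setup Time section.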

Troubleshooting/Errors

Checks Failed for On-Premise Network Connection in Endpoint Manager 

Checks can fail for a variety of reasons here, but at a high level I found the following top issues helpful when troubleshooting:

  1. Endpoint connectivity fails because you do not have proper line of sight to the Active Directory environment => Ensure there are no firewall rules blocking access and that the DNS servers on the Azure VNet are set to a custom IP (your domain controllers) rather than the Azure default.
  2. AD Connect is not configured for hybrid join, or it is not syncing at least every 60 minutes => Ensure you have configured hybrid Azure AD join in the AD Connect wizard and have no sync errors.
  3. The AD user you entered does not have permission to join computers to the domain => Ensure the AD account you enter for the connection has the necessary permissions on-premises to create computer objects in the target OU. The error thrown here might reference a bad username or password, but it is most likely permissions instead.

The example error below is most likely a configuration issue with your VNet, with no line of sight to the Active Directory environment.

This is the final warning you will get before your first Cloud PC is provisioned. It goes away after the device has successfully joined.

Microsoft Defender warning about Teams

In my Enterprise deployment, I was getting the following prompt as an end user:

 

Allowing access requires admin credentials. Here is a helpful article on avoiding that prompt in your deployments.

Helpful Resources
