The Concept of Windows 365 Boot
24-12-2023 11:47 AM
BEFORE YOU BEGIN
Disclaimer: All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should the mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.
In this blog post, I will explore the concept of Windows 365 Boot, a unique feature that complements Windows 365 Frontline well. Windows 365 Boot became generally available (GA) in September 2023 and is revolutionizing the way users can access their Cloud PCs.
So, buckle up for my next venture, and let's look at what this relatively new feature is all about and which use cases it covers. Also, let me show you how to configure Windows 365 Boot and how we can restrict user access on the physical Windows 365 Boot device.
In this post, I'll cover the following topics.
Prerequisites and Requirements
Windows 11-based devices (Pro & Enterprise).
The physical device (and Cloud PCs) must be running Windows 11 version (22621.2361 or later).
You must have a valid and working Microsoft Entra and Intune tenant.
You must have a Windows 365 Cloud PC license to access the Windows 365 Boot guided scenario.
You must use Microsoft Intune to manage your Windows 365 Boot devices and policies.
Microsoft Intune Administrator rights.
What is Windows 365 Boot?
Windows 365 Boot lets IT admins configure Windows 11 physical devices so that users can sign in directly to their Cloud PC from the physical device's Windows 11 login screen, making it the primary Windows experience on the device with no additional steps. Signing out of the Cloud PC will return the physical device to the Windows 11 login screen - ready for the next user. This makes the Windows 365 Boot a great feature, especially when combined with Windows 365 Frontline, and for users who work shifts and share physical devices.
- So, we are basically turning the physical device into some sort of a thin client based on Windows 11.
What's New for Windows 365 Boot
Microsoft announced these new features when Windows 365 Boot was made generally available:
Source: Windows 365 Boot is now generally available!
Upcoming Features and Improvements for Windows 365 Boot
The following improvements are beginning to roll out for Windows 365 Boot:
Source: Announcing Windows 11 Insider Preview Build 22635.2915 (Beta Channel)
The Use Cases of Windows 365 Boot
Who would benefit from the Windows 365 Boot feature? Well, I could definitely see this as an ideal solution for hospitals, retail stores, or call centers, especially when combined with Windows 365 Frontline.
Note: Want to learn more about Windows 365 Frontline? See The Concept of Windows 365 Frontline.
Why, you ask? – It’s because Windows 365 Boot targets the same type of workers, such as nurses, salespeople, and other professionals who share company physical devices. Such kinds of workers might frequently switch between physical tasks and computer-based interactions. Windows 365 Boot lets them bypass the lengthy startup process and boot directly into their Cloud PC to continue their work right where they left off.
How to Configure Windows 365 Boot
Now that you know the concept behind Windows 365 Boot let me show you how to set this up using the guided scenario in Microsoft Intune. We start by creating a security group for our Windows 365 Boot devices. Next, we’ll create the resources required for Windows 365 Boot to work via the guided scenario and prepare each physical device for the transition.
Windows 365 Boot Guided Scenario
Go to https://intune.microsoft.com In the left pane, select Groups.
Create a new Microsoft Entra ID security group for the Windows 365 Boot devices. – The group can be based on direct or dynamic membership.
Next, select Devices | Windows 365 (under Provisioning) to start the Windows 365 Boot guided scenario.
Click Next to begin the guided scenario.
Fill in the required Device name and Resource prefix name field on the Basics page. Click Next.
Tip: Although the Description field is optional, I recommend filling it out. Leaving some breadcrumbs is always a great idea, so others know precisely why someone created the configuration profile(s).
Keep the Windows update settings as is and click Next.
Select your preferred Language (Region) for the Windows Autopilot deployment profile. Set the Max Connection Timeout to a value of your choice. Click Next.
Note: Besides Language (Region) and Max Connection Timeout, you also have the option to select a VPN profile, a Wi-Fi profile, and a Security Baseline profile.
Next, we’ll assign my newly created Windows 365 Boot security group to these resources. Click Next.
Review that everything is correct and click Save.
Once ready, we can move our attention to the preparation of the physical device.
The Windows 365 Boot Physical Device Setup
Let’s move on to preparing the physical devices, which requires adding them to our security group, a device wipe from Microsoft Intune, and Windows Autopilot registration.
Go to https://intune.microsoft.com In the left pane, select Groups.
Select the newly created Windows 365 Boot security group. Click + Add members, choose a device, and click Select.
Next, select Devices | Windows (under By platform), choose the device you added to the Windows 365 Boot security group, and select Wipe. – Don’t select any of the boxes in the wipe confirmation box! Click Wipe.
Note: Skip this section if the device is already registered with Windows Autopilot.
From the Out-of-Box-Experience (OOBE) stage, use Shift+F10 to open a command prompt.
Run the following commands:
When prompted, sign in with a user that has the Intune Administrator role. After sign-in, the device is automatically enrolled in Microsoft Intune. – Wait a few minutes and then reboot the device.
Now, complete the Out-of-Box-Experience (OOBE) as you would with any user.
It runs through the Enrollment Status Page (ESP)
The Windows Autopilot provisioning is complete when you see the Windows 11 login screen.
Test and Verification
The user signs in with their Microsoft account on the Windows 11 login screen.
Once the credentials are validated, the user seamlessly connects to their Windows 365 Cloud PC.
I’m often asked if signing in locally to the physical device is possible, and the answer is NO! However, users are not completely restricted in accessing specific resources on the physical device. – In the next section, I will show you how to restrict access to specific resources with a few additional policies from Microsoft Intune.
Restrict User Access
The purpose of Windows 365 Boot physical devices is to let users interact directly with their Windows 365 Cloud PCs without the ability to access specific resources on the physical device. – However, IT admins must configure a few additional policies to achieve this goal.
Note: Windows 365 Boot doesn’t fully restrict end users from accessing specific resources on the physical device. You should review the configuration policies you can apply to your Windows 365 Boot devices to meet your organization’s security needs for preventing access to the physical device. For more information, see Restrict user access to Windows 365 Boot physical device.
Let’s remove the ability to access the Task Manager and Change a password.
Go to https://intune.microsoft.com Select Devices | Windows (under By platform) | Configuration profiles Click + New Policy, choose Windows 10 and later, and the Settings catalog, and click Create.
Fill in the required Name field on the Basics page.
Tip: Although the Description field is optional, I recommend filling it out. Leaving some breadcrumbs is always a great idea, so others know precisely why someone created the configuration profile(s).
Click + Add settings on the Configuration settings page. In the Settings picker, search for Del Options.
Choose Administrative Templates\System\Ctrl+Alt+Del Options and select the following two settings:
Remove Change Password (User)
Remove Task Manager (User)
Close the Settings picker.
Enable both settings and click Next.
Select Scope tags if needed and click Next.
On the Assignments page, assign the Windows 365 Boot security group to this policy and click Next.
Review that everything is correct and click Create.
Verification
End users will no longer be able to access the Task Manager or Change a password on the physical device.
Summary
In this blog post, you learned about the concept of Windows 365 Boot and why it complements Windows 365 Frontline so well. I shared my view on use cases and took you through the guided scenario in Microsoft Intune.
In addition, you also learned that Windows 365 Boot doesn’t fully restrict end users from accessing specific resources on the physical device and what you can do to restrict access to those resources.
That’s it, folks. Happy testing, and Merry Christmas!🎄🎅 If you have any questions regarding this topic, please feel free to reach out to me.
Last updated