Archive | January, 2023

Windows 365 Cloud PC & Azure Virtual Desktop – Disk Cleanup using Storage Sense – Intune Configuration Policies

23 Jan

With the slightest effort, do you want to perform a disk cleanup operation? In this blogpost, we are setting up the Storage Sense to cleanup Temporary Files & Empty recycle bin on Windows 365 Cloud PC & AVD Multi-session host. Note by no means is Storage Sense a replacement for the detailed cleanmgr.exe tool, which can perform disk cleanup options in a much more granular manner. The below method is a quick method to get you started and later on improvise on your disk cleanup strategy.

What is Storage Sense?

Storage Sense is a feature in Microsoft Windows 11 that helps users free up space on their device by automatically deleting unnecessary files. It can delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time. It also helps users to see what is taking up space on their device and gives them the option to delete specific files or move files to an external storage device.

What features are available within Storage Sense?

Storage Sense in Microsoft Windows 11 has the following features:

  • Automatic cleanup: Storage Sense can automatically delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time.
  • Storage usage: It helps users to see what is taking up space on their device, and gives them the option to delete specific files or move files to an external storage device.
  • Storage sense can move files to external storage device
  • Storage sense can compress files to save space
  • Storage sense can move files to the cloud
  • Storage sense can delete files that are no longer needed
  • Storage sense can free up space by uninstalling apps
  • Storage sense can show you the storage usage of each app
  • Storage sense can help you to free up storage by cleaning up your downloads folder

What Configurations are available within Intune (MEM Portal)?

There are many ways to setup Storage Sense. However, the method we are going to opt is inline with the modern workplace management solution using Microsoft Intune (Microsoft Endpoint Manager admin center)

Setting NameDetails
Allow Disk Health Model UpdatesAllows disk health model updates to predict disk hardware failure.
Allow Storage Sense GlobalStorage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the
Allow Storage Sense Temporary Files CleanupWhen Storage Sense runs, it can delete the user’s temporary files that are not in use. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use.
Config Storage Sense Cloud Content Dehydration ThresholdWhen Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content
Config Storage Sense Downloads Cleanup ThresholdWhen Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder
Config Storage Sense Recycle Bin Cleanup ThresholdWhen Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365
Removable Disk Deny Write AccessIf you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting “Deny write access to drives not protected by BitLocker,” which is located in “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.”

What policies are we applying?

In this scenario, we only focus on the deletion of temporary files, Recycle Bin, Moving the files to the OneDrive Known Folder (if configured) and checking the disk hardware.

What is the target of this policy?

We aim to kill two birds with one stone, and this policy configuration is not only applicable for Windows 10/11 based Windows 365 Cloud PC, it also works well for Windows 10/11 Multi-session host for Azure Virtual Desktop. This filter is critical to identifying whether the configuration setting will apply to your device type.

Assignments

We are assiging the policy to the Windows 365 AAD device group and add the Azure Virtual Desktop AAD device group here.

Worth a mention, Jannik Reinhard has published a remediation method via cleanmgr.exe and PowerShell – Use Endpoint Analytics to clean up the disk – Modern Device Management (jannikreinhard.com) and is also a great resource if you decide to go into phase 2 strategy of disk clean-up.

I hope you will find this helpful information for performing disk clean-up on Temporary & Recycle for Windows 365 Cloud PC & AVD. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Consolidated Scripts – All configurational task via PowerShell for Windows 365 Cloud PC under Microsoft Intune Portal (MEM)

18 Jan

I have written various individual blog posts on PowerShell creation of all configurational task for Windows 365 Cloud PC under Microsoft Endpoint Portal (MEM).

Based on public demand, I want to create a consolidated post for all the scripts and configuration items that can get you started with Windows 365 Cloud PC using PowerShell: (Of course all the below features can also be configured using the UI, however below is the guidance strictly using PowerShell)

PowerShell links to my blog post

Following are the links to my blog post for each and individual task:

PowerShell – Create Windows 365 Cloud PC Provisioning Policy https://askaresh.com/2022/10/11/powershell-create-windows-365-cloud-pc-provisioning-policy/

PowerShell – Assign a AAD group to the Windows 365 Cloud PC Provisioning Policy
https://askaresh.com/2022/10/12/powershell-assign-a-aad-group-to-the-windows-365-cloud-pc-provisioning-policy/

PowerShell – Unassign/Delete the Windows 365 Cloud PC Provisioning Policy
https://askaresh.com/2022/10/14/powershell-unassign-delete-the-windows-365-cloud-pc-provisioning-policy/

PowerShell – Create a custom Windows 11 Enterprise (22H2) + Microsoft 365 Apps golden image for Windows 365 Cloud PC using Marketplace Image
https://askaresh.com/2022/12/01/powershell-create-a-custom-windows-11-enterprise-22h2-microsoft-365-apps-golden-image-for-windows-365-cloud-pc-using-marketplace-image/

PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC
https://askaresh.com/2023/01/16/powershell-create-azure-network-connection-anc-for-windows-365-cloud-pc/

PowerShell – Create and Assign Windows 365 Cloud PC – User Settings
https://askaresh.com/2022/11/08/powershell-create-and-assign-windows-365-cloud-pc-user-settings/

PowerShell – Report – Get Cloud PC Windows 365 with low utilization
https://askaresh.com/2022/11/24/powershell-report-get-cloud-pc-windows-365-with-low-utilization/

I promise you once you have done the hard work, you can get up and running in a few hours using all the above PowerShell scripts with Windows 365 Cloud PC.

Here is the repo with all the scripts and more – askaresh/avdwin365mem (github.com). A big thanks to Andrew Taylor for collabrating and updating the Provisioning policy script with the SSO details that was release in late Nov 2022.

I hope you will find this helpful information for all things PowerShell w.r.t Windows 365 Cloud PC. I will update the post if I publish or update more information.

Thanks,
Aresh Sarkari

PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC

16 Jan

If you want to establish a network connection that allows communication between the Windows 365 Cloud PC and the existing Azure Virtual Network (ANC), then keep following this post. Today, I will demonstrate the Powershell method of creating the Azure Network Connection (ANC). Note that we need information from the Azure Portal to make sure you have all the necessary information handy or/or involve the necessary teams who can provide you with the information on Azure Networking.

Overview

  • Create the ANC first before creating the Win365 – Cloud Provisioning Policy (CPP)
  • If the ANC precreated then during the cloud provisioning of the Cloud PC desktops it will create them on the Azure VNET on your desired subnet
  • Make sure you have a working DNS configured on the VNET which can communicate with your on-premise network using express route or other Azure VNETs
  • Open necessary firewall ports based on your requirements on the NSG or Azure Firewall for the communication to your on-premise network using express route or other Azure VNETs
  • Permissions
    • Intune Administrator in Azure AD
    • Cloud PC Administrator
    • Global Administrator
  • If you decide to alter or change the ANC, you will have to reprovision the Cloud PC, and it’s a destructive activity. Make sure you architect it properly
  • You can delete your ANC however, you will have to update your cloud provisioning policy with the new ANC first, and then you can delete the existing ANC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph

Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the ANC, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!


Step 3 – Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC, the API calls are BETA.

#Beta APIs
PS C:WINDOWSsystem32> Select-MgProfile -Name "beta"

OR

#Production APIs (Not Applicable)
PS C:WINDOWSsystem32> Select-MgProfile -Name "v1.0"

Connect to Azure & Grab Details (Variable Region)

We are logging into Azure to grab all the details regarding to Resource Group, Subscription ID/Name, VNET and Subnets

  • Connect to the Azure Portal using the necessary credentials
  • Select the Azure Subscription that holds all the networking information
  • A display name of the Azure Network Connection – ANC – (ANC-W365-Sub01)
  • What is the join type of the ANC of the golden image virtual machine (azureADJoin)
  • Resource Group ID of the existing resource group. You will have to enter the resource group name (W365-AVD-RG01), and it will get us the ID we need.
  • Name of the existing subnet within the vNET (W365Workload-Sub01), and it will get us the ID we need.
  • Name of the existing VNET used for the connection. You will have to enter the VNET name (W365-AVD-VNET01), and it will get us the ID we need.
  • Connection to the MS Graph API and ensure you have the necessary write permissions.
  • We are using the beta API for Cloud PC
# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name

# ANC Display Name
$ancdname = "ANC-W365-Sub01"

# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"

# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId

# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id

# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"

# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id

# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"

# Select Beta Profile for Cloud PC APIs
Select-MgProfile -Name "beta"

We shall pass the above variable into the final ANC creation.

Create the Azure Network Connection

We are creating a Azure Network Connection that includes the following:

  • Display Name of the network – $ancdname
  • Azure Subscription ID – $subscriptionID
  • Azure Subscription Name – $subscriptionName
  • Type – There are two types we are selecting Azure AD join – azureADJoin
  • Resource Group ID – The resource group within Azure – $win365RGID
  • Virtual Network ID – The VNET within Azure – $win365VNETID
  • Subnet ID – The subnet for W365 within VNET – $win365SubID
# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
    displayName = "$ancdname"
    subscriptionId = "$subscriptionID"
    type = "$ancjointype"
    subscriptionName = "$subscriptionName"
    resourceGroupId = "$win365RGID"
    virtualNetworkId = "$win365VNETID"
    subnetId = "$win365SubID"
}

New-MgDeviceManagementVirtualEndpointOnPremisesConnection -BodyParameter $params -Debug
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Final Script

Here I will paste the entire script block for seamless execution in single run. Following is the link to my Github for this script – avdwin365mem/win365CreateANC at main · askaresh/avdwin365mem (github.com)

# Import module Az and MS Graph
Import-Module Az.Accounts
Install-Module Microsoft.Graph

# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name

# ANC Display Name
$ancdname = "ANC-W365-Sub01"

# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"

# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId

# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id

# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"

# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id

# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"

# Select Beta Profile for Cloud PC APIs
Select-MgProfile -Name "beta"

# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
    displayName = "$ancdname"
    subscriptionId = "$subscriptionID"
    type = "$ancjointype"
    subscriptionName = "$subscriptionName"
    resourceGroupId = "$win365RGID"
    virtualNetworkId = "$win365VNETID"
    subnetId = "$win365SubID"
}

New-MgDeviceManagementVirtualEndpointOnPremisesConnection -BodyParameter $params -Debug
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

I hope you will find this helpful information for creating Azure Network Connection using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari