AI-Enabled Windows 365 Cloud PCs – Full Automation with PowerShell (Graph REST API – Part 1)

askaresh

23 hours ago

Microsoft recently announced AI-enabled Windows 365 Cloud PCs as part of the Frontier Preview program. These Cloud PCs bring Copilot+ PC features like Improved Windows Search and Click to Do to virtualized environments, without requiring local NPU hardware.

In this blog post, I will demonstrate how to fully automate the deployment of AI-enabled Cloud PCs using PowerShell and Microsoft Graph REST APIs. This includes:

Creating a Provisioning Policy
Creating a Cloud PC Configuration with AI features enabled
Assigning policies to Entra ID groups
Configuring Windows Insider Beta Channel enrollment (GUI Based)

What are AI-Enabled Cloud PCs?

AI-enabled Cloud PCs deliver integrated Windows AI experiences to any device in any location. They combine the power of Windows 365 with AI acceleration, offering:

Improved Windows Search: Semantic search using natural language queries across local files and OneDrive
Click to Do: Instant actions on highlighted text or images (Windows+Q or Windows+Click)
Enterprise Security: All AI processing remains within the customer’s trusted cloud boundary

Cloud PC Requirements

Requirements	Value
vCPU	8 vCPU (minimum)
RAM	32 GB (minimum)
Storage	256 GB (minimum)
OS Version	Windows 11 Enterprise 24H2
Windows Insider	Beta Channel enrollment required
Supported Region	West US 2, West US 3, East US, East US 2, Central US, Central India, South East Asia, Australia East, UK South, West Europe, North Europe
PowerShell	Open PowerShell on the Cloud PC with admin privileges (Run as Administrator) Run the following command: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

The API Discovery

While the Provisioning Policy API is well documented, the Cloud PC Configuration settings (including AI enablement) use an endpoint. By analyzing the Intune admin center network traffic, I discovered the following API:

Endpoint: POST /beta/deviceManagement/virtualEndpoint/settingProfiles

The key setting definition ID for AI enablement is:

W365.CloudPCConfiguration.AI.IsEnabled

Prerequisites

App Registration in Entra ID with the following API permissions (admin consented):
CloudPC.ReadWrite.All
DeviceManagementConfiguration.ReadWrite.All
Group.Read.All
Windows 365 Enterprise licenses (8vCPU/32GB/256GB or higher)
Entra ID Security Group for target users
Users registered with the Windows Insider Program

PowerShell Script: Full Automation

The following PowerShell script automates the entire AI-enabled Cloud PC deployment. It creates:

A Cloud PC Configuration profile with AI features enabled
A Provisioning Policy with the correct image and region
Assignments to your specified Entra ID group

Configuration Section

Update the following variables with your tenant-specific values:

# ==========================

# CONFIGURATION - UPDATE THESE VALUES

# ==========================

$TenantId     = "<Your-Tenant-ID>"

$ClientId     = "<Your-App-Client-ID>"

$ClientSecret = "<Your-Client-Secret>"

$GroupId      = "<Your-Entra-Group-ID>"

$RegionName   = "australiaeast"  # Change to your preferred region

Note: The complete script is provided at the end of this post and is also available on GitHub.

Step-by-Step Breakdown

Step 1: Authentication

The script authenticates using OAuth 2.0 client credentials flow to obtain an access token for Microsoft Graph API.

$TokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

$tokenForm = @{

    client_id     = $ClientId

    client_secret = $ClientSecret

    scope         = "https://graph.microsoft.com/.default"

    grant_type    = "client_credentials"

}

Step 2: Create Cloud PC Configuration (AI-Enabled)

This is the key discovery – the Cloud PC Configuration uses the undocumented settingProfiles endpoint:

$configBody = @{

    displayName  = "AI-Enabled-CloudPC-Config"

    description  = "AI features enabled for Cloud PCs"

    profileType  = "template"

    templateId   = "W365.CloudPCConfiguration"

    settings     = @(

        @{

            "@odata.type"       = "#microsoft.graph.cloudPcBooleanSetting"

            dataType            = "boolean"

            settingDefinitionId = "W365.CloudPCConfiguration.AI.IsEnabled"

            platform            = "all"

            isEnabled           = $true

        }

    )

    assignments  = @(@{ groupId = $GroupId; assignType = "group" })

}

Step 3: Create Provisioning Policy

The provisioning policy defines the Cloud PC specifications. For AI features, you need the 8vCPU/32GB configuration:

$policyBody = @{

    "@odata.type"           = "#microsoft.graph.cloudPcProvisioningPolicy"

    displayName             = "AI-Enabled-ProvPolicy"

    description             = "Provisioning policy for AI-enabled Cloud PCs"

    provisioningType        = "dedicated"

    managedBy               = "windows365"

    imageId                 = "microsoftwindowsdesktop_windows-ent-cpc_win11-24h2-ent-cpc-m365"

    imageType               = "gallery"

    enableSingleSignOn      = $true

    domainJoinConfigurations = @(

        @{ type = "azureADJoin"; regionName = $RegionName }

    )

    windowsSettings         = @{ language = "en-US" }

}

Step 4: Assign Provisioning Policy to Group

After creating the provisioning policy, assign it to your Entra ID security group:

$assignBody = @{

    assignments = @(

    )

        @{

            target = @{

                "@odata.type" = "#microsoft.graph.cloudPcManagementGroupAssignmentTarget"

                groupId       = $GroupId

            }

        }

}

Windows Insider Beta Channel Enrollment

For AI features to activate, Cloud PCs must be enrolled in the Windows Insider Beta Channel. This can be done at scale using Intune Update Rings.

Manual Enrollment (Per Device)

Open Settings in the Cloud PC
Navigate to Windows Update > Windows Insider Program
Click Get started and sign in with Microsoft account or Entra ID
Select Beta Channel (Recommended)

Bulk Enrollment via Intune Update Ring

For enterprise deployments, use Intune Update Rings to enroll devices at scale:

Sign in to Microsoft Intune admin center
Navigate to Devices > Windows > Update rings for Windows 10 and later
Create or edit an update ring
Set Enable pre-release builds = Yes
Set Pre-release channel = Beta Channel
Assign to your Cloud PC security group

Complete PowerShell Script

Below is the complete, ready-to-use PowerShell script. Copy this into your PowerShell environment, update the configuration variables, and run.

GitHub Repository: avdwin365mem/aienabledcloudpc at main · askaresh/avdwin365mem

What’s next (Part 2)

We shall validate the AI features within the Cloud PC. Note: I need the higher 8 vCPU/16GB RAM version, and I am still awaiting access. Before the part 2 gets released if you cant wait dont forget to checkout the AI Cloud PC features that Dieter has blog post – Windows 365 blog by Dieter Kempeneers

I hope you find this helpful information for enabling the new AI features in Windows 365 Cloud PC using PowerShell. If I have missed any steps or details, I will be happy to update the post.

Thanks,
Aresh Sarkari