Windows 365 Cloud PC

Archive | Windows 365 Cloud PC RSS feed for this section

Windows 365 Cloud PC – Alert Monitoring – Get your alerts in a Microsoft Teams Channel using Azure Logic Apps

If you’re managing Windows 365 Cloud PCs, keeping track of alerts can be a daunting task. Fortunately, Azure Logic Apps can help automate this process by sending alerts directly to your Microsoft Teams channel. In this blog post, we’ll explore how to set up this integration, so you can stay on top of your Windows 365 environment without constantly checking the portal or notifications within the Intune portal.

Note – Within the Microsoft Intune admin center portal you can already send notifications via email.

Set up your Microsoft Teams channel

To start, you’ll need to create a Microsoft Teams channel where you want to receive alerts. If you don’t have one already, create a new channel and name it something like “Windows365Alerts.”

Next, within the newly created channel, add the Connector – Incoming Webhook

Click on Configure of the Incoming Webhook connectors by entering the Name – Win365Alerts and custom image. Why not use the Windows 365 Cloud PC Logo and click on create.

Please copy the link and save it for all future reference purposes. We will be using this URL within the Azure Logic Apps.

https://blahblahblahblah.webhook.office.com/webhookb2/9cd8bac0-XXXX-4e30-XXXX-00700XXXX0@XXXX-d8f4-4c55-XXXX-0eec698XXXXXX/IncomingWebhook/3aXXXXXXXXbed497fbc4d9857XXXXX/57cadd96-b493-4bf6-a665-b0e9XXXXXXX

Azure Active Directory Enterprise App (MS Graph API)

Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell

Connect to Azure Portal and go to Azure Active Directory
Click on App Registrations and select – New Registration
Give the App a Name – GraphAPI-App

You will get two important information created for later use within Powershell
- Application ID
- Tenant ID

Now let’s grant this App GraphAPI-App Permission. Click on Add a permission and select MS Graph and search for Cloud PC– CloudPC.ReadAll and select read permissions and Add Permissions
Select Grant admin consent for domain

We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
Give it a name (Deviceconfig_secret) and expiry date (12 months)
Copy the Secret Value

Azure Key Vault – (Store the Secret)

This is an optional step, and I highly recommend this step for all production environments as the secret is stored within the Azure Key Vault, and within the Azure Logic Apps, you will call this secret.

After creating the value, go to Secret and click on Generate/Import, and under manual, enter a name and paste the secret key we created in the above step.

Additionally, I will dedicate a service account(svc_kv_api) specifically for this secret retrieval for the Azure Logic Apps. Let’s add the service account with the necessary permissions under the Access Policies and give it Get and List permissions.

Create an Azure Logic App

Next, you’ll need to create an Azure Logic App. In the Azure portal, search for “Logic Apps” and click “Create.” Give your Logic App a name and select your desired subscription, resource group, and location. Then click “Review + Create” and “Create” to create your Logic App.

Configure your Logic App

Once your Logic App is created, click “Logic App Designer” and select blank logic app template and add the other operations shown below:

Step 1 – Recurrence (A schedule that will be triggered)

Depending upon your SLA agreements, put a trigger. In this example, I have selected every 3 min.

Step 2 – Fetch the Secret from the Azure Key Vault

In the earlier step, we created the Azure Key vault and stored the secret there. In this step, we will make the Azure Logic Apps Fetch the Secret

Tenant ID – Copy from the above steps
KeyVault Name – Copy from the above steps
Click on Sign and use the dedicated service account to fetch this Secret

Step 3 – HTTP Get the Alerts for Windows 365 Using MS Graph API

We shall create the HTTP request using the Windows 365 Alert API – List and authenticate the call using the secret. Enter all the information shown in the screenshot.

https://graph.microsoft.com/beta/deviceManagement/monitoring/alertRecords

Step 4 – We shall Parse the JSON output from the above API GET request

Create the Parse JSON operation, and we will enter the below sample JSON output. Note I have run the GET and got the output from the API. Paste the below code into the schema example. It will auto-generate the below output for your use without values inside.

{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "value": {
            "items": {
                "properties": {
                    "alertImpact": {
                        "properties": {
                            "aggregationType": {
                                "type": "string"
                            },
                            "value": {
                                "type": "integer"
                            }
                        },
                        "type": "object"
                    },
                    "alertRuleId": {
                        "type": "string"
                    },
                    "alertRuleTemplate": {
                        "type": "string"
                    },
                    "detectedDateTime": {
                        "type": "string"
                    },
                    "displayName": {
                        "type": "string"
                    },
                    "id": {
                        "type": "string"
                    },
                    "lastUpdatedDateTime": {
                        "type": "string"
                    },
                    "resolvedDateTime": {
                        "type": "string"
                    },
                    "severity": {
                        "type": "string"
                    },
                    "status": {
                        "type": "string"
                    }
                },
                "required": [
                    "id",
                    "displayName",
                    "status",
                    "severity",
                    "alertRuleId",
                    "alertRuleTemplate",
                    "detectedDateTime",
                    "resolvedDateTime",
                    "lastUpdatedDateTime",
                    "alertImpact"
                ],
                "type": "object"
            },
            "type": "array"
        }
    },
    "type": "object"
}

Step 5 – Post the Alert to Microsoft Teams using the HTTP operation

Create the HTTP Operation, select POST, enter the webhook URL from the above step on MS Teams, and paste it within the URL. With the Headers add Content-Type: application/json and paste the below body code.

{
  "text": "**Alert name:** @{items('For_each')?['displayName']} \n\n **Status:** @{items('For_each')?['status']} \n\n **Severity:** @{items('For_each')?['severity']} \n\n **Detect Date:** @{items('For_each')?['detectedDateTime']} \n\n **Resolved Date:** @{items('For_each')?['resolvedDateTime']} \n\n **Alert Rule Template:** @{items('For_each')?['alertRuleTemplate']} \n\n **Alert Impact:** @{items('For_each')?['alertImpact']}",
  "title": "Windows 365 Cloud PC Alerts  with status and Severity "
}

Step 6 – Run the workflow

The above will now start running the Azure Logic Apps every 3 mins and keep sending the alerts to Microsoft teams

I need help filtering the alerts based on specific Status and Severity. If you manage to get to that, please message me, and I will happily include those bits in the blog post.

I hope you will find this helpful information for enabling Windows 365 Alerts within the MS Teams using the Azure Logic Apps. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AAD, Azure, Azure Active Directory, Azure KeyVault, Azure Logic Apps, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Graph, Microsoft Intune, Microsoft Teams, MSIntune

Comments 2 Comments
Categories Azure, Azure Active Directory, Microsoft Graph, Microsoft Intune, Windows 365 Cloud PC

Alternate Azure Network Connection for Windows 365 Cloud PC

15 Mar

Alternate ANCs (Azure Network Connections) are secondary or backup connections to the Microsoft Azure network used to provide redundancy and high availability for Windows 365 Cloud PC provisioning of new desktops. Alternate ANCs can be used when a primary connection fails or experiences connectivity issues, ensuring access to Windows 365 Cloud Provisioning continues for the desktops uninterrupted using the backup ANC.

Introduction

Alternate ANCs can be used when a primary region availability fails, ensuring access to Windows 365 Cloud Provisioning continues for the new desktops uninterrupted using the backup ANC. As long as the first ANC in the list is Healthy, it will always be used for provisioning Cloud PCs using this policy. If the first ANC is not healthy, the policy will use the next ANC in the list that is healthy.

My Scenario

I have an Azure VNET in the region (Australia East) and a dedicated subnet for the Windows 365 Cloud PC desktops in my environment. Now imagine a scenario if the Azure region Australia East had issues. It will directly impact the provisioning of the new Cloud PC desktops.

How will we increase HA/DR capability during Cloud PC Provisioning Issues

Create a backup VNET in different region (Asia Pacific East Asia – HK)

Go to you Azure Portal and create a new VNET in a different region of you choice (Azure Portal — Virtual Networks – Create Network)

Create a dedicated subnet for Windows 365 Cloud PC

Go into the newly created VNET – W365-Bckup-VNET01 and select Subnet and click + Subnet and create a dedicated subnet for the Windows 365 Cloud PC.

Add the additional Azure Network Connection in Intune Portal

I have a previous blog post on creating the the PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC you can either use that or create one in the Microsoft Intune admin center. We are creating an Azure Network Connection that includes the following:

Display Name of the network – Win365-Bckup-ANC01
Azure Subscription Name – Azure subcription 1
Type – There are two types we are selecting Azure AD join – azureADJoin
Resource Group ID – The resource group within Azure – W365-AVD-RG01
Virtual Network ID – The VNET within Azure – W365-Bckup-VNET01
Subnet ID – The subnet for W365 within VNET – Win365-ASE-Bac-Sub01

Cloud Provisioning Policy

Go into your Cloud PC Provisioning Policy and select Edit. Under the Azure Network Connection you will be able to see the newly added ANC – Win365-Bckup-ANC01 make sure you choose that. It will automatically assign the priority as 2 and will come into effect during network outages in the region.

In the above scenario, at all times, it will use the ANC-W365-Sub01 (Priority 1) network for provisioning all Cloud PC. If there is a contention or issues with the primary ANC, then the backup Win365-Bckup-ANC01 (Priority 2) network will kick in and continue provisioning the new desktops in that region/network.

Note

At the time of writting this blogpost, when i tried to create the backup VNET in Australia SouthEast and Australia Cental it said unsupported region when adding the Azure Network Connection. This was the reason i selected the Asiapacifc East (Honkong) region as the second best choice. I am sure at somepoint in time it will be fixed and I would be able to create a backup ANC within the country.

I hope you will find this helpful information for creating an Alternate Azure Network Connection for increasing the HA and DR on the cloud pc provisioning of new desktops. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Azure, Azure Network Connection, Cloud PC, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, W365, Windows 365 Cloud PC

Comments 2 Comments
Categories Azure, Microsoft Intune, Windows 365 Cloud PC

Disable Search Highlights on Windows 365 Cloud PC and Azure Virtual Desktop using Microsoft Intune

24 Feb

Search Highlight is a feature in Windows 11 (Enterprise\Multi-session) that highlights search results in the Start menu and taskbar search box. While this feature can be helpful for some users, others may find it distracting or unnecessary. Fortunately, it is possible to disable the Search Highlight feature in Windows 11 using Microsoft Intune. Plenty of information is available on disabling the Windows 11 Search Highlight using Group policy, Registry and UI. However, we will leverage Custom OMA-URI settings from Microsoft Intune in this blog post.

Search – CSP Details

The Search – Policy configuration service provider enables the enterprise to configure policies on Windows 11. Following are the details on the one we are using for disabling the search highlights:

How to disable Search Highlights in Microsoft Endpoint Manager

To disable the Search Highlight feature in Windows 11 (Enterprise/Multi-session) using Microsoft Intune, follow these steps:

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Devices > Configuration Profiles > Create Profile.
For Platform, select Windows 10 and later.
For Profile type, select Templates > Custom and select Create.
Enter a Name – DisableSearchHighlight and description and choose Next
Under the OMA-URI Settings, clicks on Add

Enter the Name, Description, and OMA-URI fetched in the references from the MS CSP link below. The value is an integer based on the documentation, and as we disable the setting, the value is 0.

Remember the MS documentation called out this setting only applies to Devices. In the case of Assignments, we will target Windows 365 Device Group and Azure Virtual Desktop Session Host Pools.

Click on Review and Save

Validate the Policy is applying

After 10-15 mins of waiting, go into the newly configured configuration profiles policy, and you will start seeing it getting applied to the targeted devices (MEM Portal > Devices > Configuration Profiles > DisableSearchHighlights)

Cloud PC – Within Windows 11

References & Useful Links

Useful Links	Credits
Search – CSP Policy – https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search	Microsoft
5 Unique Ways to Disable Search Highlights on Windows 11	Prajwal Desai
Disable Enable Search Highlights in Windows 11	Jitesh Kumar

I hope you will find this helpful information towards disabling the annoying Search Highlights on Windows 365, AVD environment and physical endpoints using Microsoft Endpoint Manager. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AVD, Azure Virtual Desktop, Cloud PC, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, W365, Windows 11, Windows 11 Multi-session, Windows 365 Cloud PC

Comments 4 Comments
Categories Azure Virtual Desktop, Microsoft Intune, Windows 365 Cloud PC

Microsoft Defender for Endpoint – Web Content Filtering for Windows 365 Cloud PC and Azure Virtual Desktop

22 Feb

In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t see my previous blog post on – Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop check that first.

Usecase

Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:

Business Security: Blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.

Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.

Pre-requisites

To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:

Portal Access to Microsoft 365 Defender Portal
Windows Defender SmartScreen Enabled on all Browsers (Edge, Chrome etc.)
Network Protection must be enable on the endpoint devices
Microsoft Defender for Endpoint (MDE) Plan 1 or 2
MDE for Business
Windows 10/11 or Multi-session Operating System

Enable Web Content Filtering

To enable Web Content Filtering in Microsoft Defender for Endpoint (MDE), you need to follow these steps:

Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Click on Advance Features and enable Web Content Filtering

Create Device Group for Windows 365 & AVD in Microsoft 365 Defender Portal

To assign the policy to particular devices such as Windows 365 Cloud and Azure Virtual Desktop Session, we will create the Device Groups:

Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Under Permissions, click on Device Groups
Select Add device group and give it a name – Win365Devices
The Cloud PC start with CPC, I will be using that along with OS type – Windows 11
For the Azure Virtual Desktop – My Session host start with AVD-, I will use that as the device group along with OS Type – Windows 11

Enable Network Protection under Microsoft Endpoint Portal (Intune)

Under the Enpoint Secruity – Antivirus policy we will enable the configuration:

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Antivirus > Create Policy.
For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Microsoft Defender Antivirus, and then select Create.
Enter a Name – W365-AVD-AV-P01 and description and choose Next
Under the Configuration Settings
Enable Network Protection – Enable (Block Mode)

In my previous blog post on getting started, I enabled Network Protect and other configurations. Here I am trying to give you a quick config guidance.

Enable Smart Screen under Microsoft Edge Browser via Intune

I want to use the security baseline around Microsoft Edge for enabling global configuration across all the endpoints:

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Security Baseline > Microsoft Endge Baseline.
Click on Create a profile and give it a name – MSEdge-Sbaseline-01
Enable the SmartScreen config
I am applying this security baseline to All Devices

Note you can enable them via configuration profiles too. In this scenario, I prefer using the security baselines.

Enable Smart Screen for Google Chrome Browser via Intune

To enable Smart Screen on Google Chrome, follow these steps:

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Devices > Configuration profiles > Create profile
Under Platform – Windows 10 & Later
Profile Type – Templates and Select Administrative Templates
Give the policy a name – GoogleChrome-SmartScreen-CP01
Under Computer – Select Configure the list of force-installed apps and extensions
Click on Enable and enter the below URL for extension
Further assign the policy to the target devices
Click on Review and Save

bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx

Create policy for Web Content Filtering

To create a web content filtering policy in Microsoft Defender for Endpoint, follow these steps:

Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Under Rules > Web Content Filtering > Add Item
- Policy Name – Stop Social Media
- Block Categories > Leisure > Social Networking & Instant Messaging & Professional Networking
- Scope – Select the Windows 365 Device Group & AVD Device Group (Session Host VMs), as its a targeted policy
Wait for approx. 40 mins for the policy to implement for your endpoints

Validate the URLs within Windows 365 Cloud PC

Before going ahead and checking the URLs within the browser verify the following on the virtual desktop or endpoints:

SmartScreen

Open the browser and type edge://policy and make sure the Smart Screen is enabled

Network Protection

Open the Powershell and check if network protection is enable (Value 1) block mode

Microsoft Edge

Open Microsoft Edge and open https:\\www.facebook.com or https:\\www.snapchat.com

Google Chrome

Check reports in Defender Portal

Under the Microsoft Defender Portal go to Reports > Web Protection > Web content filtering categories details

References & Useful Links

Useful Links	Credits
Web content filtering – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide	Microsoft
How to configure Microsoft Defender SmartScreen via Microsoft Intune? – Endpoint Cave	Rene Laas
Enabling web filtering with Microsoft Defender for Endpoint – CIAOPS	Robert Crane

I hope you will find this helpful information towards web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Azure, Azure Virtual Desktop, Cloud PC, MDE, MEM, Microsoft, Microsoft Defender for Endpoint, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, W365, Web Content filtering, Windows 365 Cloud PC

Comments 4 Comments
Categories Azure Virtual Desktop, Microsoft Intune, Windows 365 Cloud PC

Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop

16 Feb

If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.

Prerequisites

Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
Make sure the license is available and listed Microsoft admin center

Enable MDE in Microsoft 365 Security Portal/Intune

To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:

Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Click on On for Microsoft Intune Connection & Device Discovery
Scroll to the bottom and select Save Preferences

We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.

Create the Endpoint detection and response policy (onboarding)

Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Endpoint detection and response > Create Policy.
For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Endpoint detection and response, and then select Create.
Enter a Name – W365-AVD-EDR-P01 and description and choose Next
Under the Configuration Settings
- MDE client configuration package type – Auto from connector (We are a 100% modern managed environment we can leverage this simple option)
- Sample Sharing – Not configured
- Telemetry Reporting Frequency – Expedite (We want reporting to be lightning-fast)

Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop

Review and Create the policy and it will go ahead and enable MDE on the fleet.
After sometime all your devices will show whether they are onboarded or not.

Many ways to carry out the onboarding. This is just one way and the most straightforward. Read more options here – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide

On the onboarded device, go and run the following command to verify the status

Get-MpComputerStatus

Device Compliance Policy (Update)

I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.

Create Antivirus Policy in Intune

The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Antivirus > Create Policy.

For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Microsoft Defender Antivirus, and then select Create.
Enter a Name – W365-AVD-AV-P01 and description and choose Next
Under the Configuration Settings

Configuration Settings	Status (Value)
Allow Archive Scanning (Scanning through zip and cab files)	Allowed
Allow Behaviour Monitoring	Allowed
Allow Cloud Protection (Joining Microsoft MAPS Community)	Allowed
Allow Email Scanning (Very useful if you are using Microsoft 365)	Allowed
Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives)	Allowed
Allow Intrusion Prevention System	Allowed
Allow scanning of all downloaded files and attachments	Allowed
Allow Realtime Monitoring	Allowed
Cloud Block Level	High
Allow Users UI Access (Defender Client)	Allowed
Enable Network Protection	Enabled (Audit mode)
Avg CPU Load Factor	Enabled (30%)
Schedule Quick Scan Time	Enable (120)
Signature Update Interval	Enable (8 hours)

Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop

Review and Create the policy and it will go ahead and enable AV across the fleet.
After sometime all your devices will show whether they are onboarded or not.

Create Attack surface reduction (ASR) Policy in Intune

The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Antivirus > Create Policy.

For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Attack Surface Reduction Rules, and then select Create.
Enter a Name – W365-AVD-ASR-P01 and description and choose Next
Under the Configuration Settings

Configuration Settings	Status (Value)
Block Adobe Reader from creating child processes	Audit
Block execution of potentially obfuscated scripts	Audit
Block Win32 API calls from office macros	Audit
Block credential stealing from the Windows local security authority subsystem	Audit
Block JavaScript or VBScript from launching downloaded executable content	Audit
Block process creatons originating from PSExec and WMI commands	Audit
Block untrusted and unsigned processes that run from USB	Audit
Block abuse of exploited vulnerable signed drivers (Devices)	Audit

Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop

Review and Create the policy and it will go ahead and enable ASR across the fleet.
After sometime all your devices will show whether they are onboarded or not.

References & Useful Links

Useful Links	Credits
Microsoft Defender for Endpoint series – Tips and tricks/ common mistakes – Part10 (jeffreyappel.nl) – The most mind blowing and detailed blog post series on MDE. I think I only scratch the surface here however, Jeffrey takes an indept approach.	Jeffrey Appel
Configure Microsoft Defender for Endpoint in Intune	Microsoft
Defend Cloud PCs against threats with Microsoft Defender for Endpoint \| Windows in the Cloud – YouTube	Christiaan Brinkhoff \| LinkedIn and Paul Huijbregts \| LinkedIn

Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Antivirus, Azure, Azure Virtual Desktop, Cloud PC, Endpoint Detection and Response, MDE, MEM, Microsoft, Microsoft Defender for Endpoint, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, W365, Windows 365 Cloud PC

Comments 4 Comments
Categories Azure Virtual Desktop, Microsoft Intune, Windows 365 Cloud PC

Remove built-in (default) Windows applications from the Windows 365 Cloud PC endpoints

8 Feb

Numerous scripts and vendor optimizers (VMware, Citrix and Microsoft) remove the default pre-installed Windows applications that come within the operating system, aka bloatware. You can get rid of all unnecessary applications using the Microsoft Store app (new) within Microsoft Intune.

I attended the Microsoft 365 Modern Management Meetup, and our very own Steven Hosking demonstrated the uninstall of default applications via Intune. I got inspired and thought about blogging and socializing this trick with everyone.

For my Windows 365 Cloud PC endpoint, I use the Azure image Gallery – Windows 11 22H2 + Cloud PC Optimized image, and for this example, we will uninstall Xbox pre-installed application.

Fetch the Application ID (MS Store)

In specific scenarios, when you try to search the application with the repository, it will not show, and the alternate method is to search via the ID.

Go to the link – https://apps.microsoft.com/
In the search box type the application name – Xbox
Copy the application id

Application Removal Steps (Intune Portal)

Here we will look at all the detailed steps involved in removing the applications from the operating system and Windows endpoints:

Login to the Intune Portal – Microsoft Endpoint Manager admin center
Navigate to App — Windows – Click on Add and select App type as – Microsoft Store app (new) and hit select

Under Application Information, click on Select App and in my case, I will enter the Application ID I copied in the previous step.

Make sure all the application details that it has fetched (auto-populated) look good, and select Next

The critical step on the Assignments as we are going to Uninstall it from the environment, we will select Un-install and specify the device group, in this case, Windows 365 Cloud (AAD – Dynamic Device Group)

It is adviced you also leverage Filtering for targeting specifc device types within the environment.

Last step review and Create the Uninstall of the default Application

Rinse & Repeat for other applications

Using the above method, you can add other applications of your choice. Note the effort is one-time, so put it in and reap the benefits for all future versions of Windows.

Advantages of using Intune for Default App Removal

Lets take a look at the advantages of using this method:

There is no need of using 3rd party scripts posted by unknown sources.
You will still have to use the vendor optimizers for other things but you can setup these once within the Intune Portal and it will works for the current and future version of Windows.
The Intune method is not very socialized on removing bloatware from the default operating system.

I hope you will find this helpful information for removal of default applications from the Intune Portal. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Cloud PC, MEM, Microsoft, Microsoft App Store, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, W365, Windows 365 Cloud PC

Comments 4 Comments
Categories Microsoft Intune, Windows, Windows 365 Cloud PC

Windows 365 Cloud PC & Azure Virtual Desktop – Disk Cleanup using Storage Sense – Intune Configuration Policies

23 Jan

With the slightest effort, do you want to perform a disk cleanup operation? In this blogpost, we are setting up the Storage Sense to cleanup Temporary Files & Empty recycle bin on Windows 365 Cloud PC & AVD Multi-session host. Note by no means is Storage Sense a replacement for the detailed cleanmgr.exe tool, which can perform disk cleanup options in a much more granular manner. The below method is a quick method to get you started and later on improvise on your disk cleanup strategy.

What is Storage Sense?

Storage Sense is a feature in Microsoft Windows 11 that helps users free up space on their device by automatically deleting unnecessary files. It can delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time. It also helps users to see what is taking up space on their device and gives them the option to delete specific files or move files to an external storage device.

What features are available within Storage Sense?

Storage Sense in Microsoft Windows 11 has the following features:

Automatic cleanup: Storage Sense can automatically delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time.
Storage usage: It helps users to see what is taking up space on their device, and gives them the option to delete specific files or move files to an external storage device.
Storage sense can move files to external storage device
Storage sense can compress files to save space
Storage sense can move files to the cloud
Storage sense can delete files that are no longer needed
Storage sense can free up space by uninstalling apps
Storage sense can show you the storage usage of each app
Storage sense can help you to free up storage by cleaning up your downloads folder

What Configurations are available within Intune (MEM Portal)?

There are many ways to setup Storage Sense. However, the method we are going to opt is inline with the modern workplace management solution using Microsoft Intune (Microsoft Endpoint Manager admin center)

Setting Name	Details
Allow Disk Health Model Updates	Allows disk health model updates to predict disk hardware failure.
Allow Storage Sense Global	Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the
Allow Storage Sense Temporary Files Cleanup	When Storage Sense runs, it can delete the user’s temporary files that are not in use. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use.
Config Storage Sense Cloud Content Dehydration Threshold	When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content
Config Storage Sense Downloads Cleanup Threshold	When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder
Config Storage Sense Recycle Bin Cleanup Threshold	When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365
Removable Disk Deny Write Access	If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting “Deny write access to drives not protected by BitLocker,” which is located in “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.”

What policies are we applying?

In this scenario, we only focus on the deletion of temporary files, Recycle Bin, Moving the files to the OneDrive Known Folder (if configured) and checking the disk hardware.

What is the target of this policy?

We aim to kill two birds with one stone, and this policy configuration is not only applicable for Windows 10/11 based Windows 365 Cloud PC, it also works well for Windows 10/11 Multi-session host for Azure Virtual Desktop. This filter is critical to identifying whether the configuration setting will apply to your device type.

Assignments

We are assiging the policy to the Windows 365 AAD device group and add the Azure Virtual Desktop AAD device group here.

Worth a mention, Jannik Reinhard has published a remediation method via cleanmgr.exe and PowerShell – Use Endpoint Analytics to clean up the disk – Modern Device Management (jannikreinhard.com) and is also a great resource if you decide to go into phase 2 strategy of disk clean-up.

I hope you will find this helpful information for performing disk clean-up on Temporary & Recycle for Windows 365 Cloud PC & AVD. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Azure, Azure Virtual Desktop, Cloud PC, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, Storage Sense, W365, Windows 365 Cloud PC

Comments 3 Comments
Categories Azure Virtual Desktop, Microsoft Intune, Windows, Windows 365 Cloud PC

Consolidated Scripts – All configurational task via PowerShell for Windows 365 Cloud PC under Microsoft Intune Portal (MEM)

18 Jan

I have written various individual blog posts on PowerShell creation of all configurational task for Windows 365 Cloud PC under Microsoft Endpoint Portal (MEM).

Based on public demand, I want to create a consolidated post for all the scripts and configuration items that can get you started with Windows 365 Cloud PC using PowerShell: (Of course all the below features can also be configured using the UI, however below is the guidance strictly using PowerShell)

PowerShell links to my blog post

Following are the links to my blog post for each and individual task:

PowerShell – Create Windows 365 Cloud PC Provisioning Policy https://askaresh.com/2022/10/11/powershell-create-windows-365-cloud-pc-provisioning-policy/

PowerShell – Assign a AAD group to the Windows 365 Cloud PC Provisioning Policy
https://askaresh.com/2022/10/12/powershell-assign-a-aad-group-to-the-windows-365-cloud-pc-provisioning-policy/

PowerShell – Unassign/Delete the Windows 365 Cloud PC Provisioning Policy
https://askaresh.com/2022/10/14/powershell-unassign-delete-the-windows-365-cloud-pc-provisioning-policy/

PowerShell – Create a custom Windows 11 Enterprise (22H2) + Microsoft 365 Apps golden image for Windows 365 Cloud PC using Marketplace Image
https://askaresh.com/2022/12/01/powershell-create-a-custom-windows-11-enterprise-22h2-microsoft-365-apps-golden-image-for-windows-365-cloud-pc-using-marketplace-image/

PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC
https://askaresh.com/2023/01/16/powershell-create-azure-network-connection-anc-for-windows-365-cloud-pc/

PowerShell – Create and Assign Windows 365 Cloud PC – User Settings
https://askaresh.com/2022/11/08/powershell-create-and-assign-windows-365-cloud-pc-user-settings/

PowerShell – Report – Get Cloud PC Windows 365 with low utilization
https://askaresh.com/2022/11/24/powershell-report-get-cloud-pc-windows-365-with-low-utilization/

I promise you once you have done the hard work, you can get up and running in a few hours using all the above PowerShell scripts with Windows 365 Cloud PC.

GitHub Link

Here is the repo with all the scripts and more – askaresh/avdwin365mem (github.com). A big thanks to Andrew Taylor for collabrating and updating the Provisioning policy script with the SSO details that was release in late Nov 2022.

I hope you will find this helpful information for all things PowerShell w.r.t Windows 365 Cloud PC. I will update the post if I publish or update more information.

Thanks,
Aresh Sarkari

Tags: API, Cloud PC, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Graph, Microsoft Intune, PowerShell, Scripts, W365, Windows 365 Cloud PC

Comments 4 Comments
Categories Azure, Microsoft Intune, PowerShell, Scripts-API, Windows 365 Cloud PC

PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC

16 Jan

If you want to establish a network connection that allows communication between the Windows 365 Cloud PC and the existing Azure Virtual Network (ANC), then keep following this post. Today, I will demonstrate the Powershell method of creating the Azure Network Connection (ANC). Note that we need information from the Azure Portal to make sure you have all the necessary information handy or/or involve the necessary teams who can provide you with the information on Azure Networking.

Overview

Create the ANC first before creating the Win365 – Cloud Provisioning Policy (CPP)
If the ANC precreated then during the cloud provisioning of the Cloud PC desktops it will create them on the Azure VNET on your desired subnet
Make sure you have a working DNS configured on the VNET which can communicate with your on-premise network using express route or other Azure VNETs
Open necessary firewall ports based on your requirements on the NSG or Azure Firewall for the communication to your on-premise network using express route or other Azure VNETs
Permissions
- Intune Administrator in Azure AD
- Cloud PC Administrator
- Global Administrator
If you decide to alter or change the ANC, you will have to reprovision the Cloud PC, and it’s a destructive activity. Make sure you architect it properly
You can delete your ANC however, you will have to update your cloud provisioning policy with the new ANC first, and then you can delete the existing ANC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph

Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the ANC, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!

Step 3 – Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC, the API calls are BETA.

#Beta APIs
PS C:WINDOWSsystem32> Select-MgProfile -Name "beta"

OR

#Production APIs (Not Applicable)
PS C:WINDOWSsystem32> Select-MgProfile -Name "v1.0"

Connect to Azure & Grab Details (Variable Region)

We are logging into Azure to grab all the details regarding to Resource Group, Subscription ID/Name, VNET and Subnets

Connect to the Azure Portal using the necessary credentials
Select the Azure Subscription that holds all the networking information
A display name of the Azure Network Connection – ANC – (ANC-W365-Sub01)
What is the join type of the ANC of the golden image virtual machine (azureADJoin)
Resource Group ID of the existing resource group. You will have to enter the resource group name (W365-AVD-RG01), and it will get us the ID we need.
Name of the existing subnet within the vNET (W365Workload-Sub01), and it will get us the ID we need.
Name of the existing VNET used for the connection. You will have to enter the VNET name (W365-AVD-VNET01), and it will get us the ID we need.
Connection to the MS Graph API and ensure you have the necessary write permissions.
We are using the beta API for Cloud PC

# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name

# ANC Display Name
$ancdname = "ANC-W365-Sub01"

# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"

# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId

# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id

# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"

# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id

# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"

# Select Beta Profile for Cloud PC APIs
Select-MgProfile -Name "beta"

We shall pass the above variable into the final ANC creation.

Create the Azure Network Connection

We are creating a Azure Network Connection that includes the following:

Display Name of the network – $ancdname
Azure Subscription ID – $subscriptionID
Azure Subscription Name – $subscriptionName
Type – There are two types we are selecting Azure AD join – azureADJoin
Resource Group ID – The resource group within Azure – $win365RGID
Virtual Network ID – The VNET within Azure – $win365VNETID
Subnet ID – The subnet for W365 within VNET – $win365SubID

# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
    displayName = "$ancdname"
    subscriptionId = "$subscriptionID"
    type = "$ancjointype"
    subscriptionName = "$subscriptionName"
    resourceGroupId = "$win365RGID"
    virtualNetworkId = "$win365VNETID"
    subnetId = "$win365SubID"
}

New-MgDeviceManagementVirtualEndpointOnPremisesConnection -BodyParameter $params -Debug
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Final Script

Here I will paste the entire script block for seamless execution in single run. Following is the link to my Github for this script – avdwin365mem/win365CreateANC at main · askaresh/avdwin365mem (github.com)

# Import module Az and MS Graph
Import-Module Az.Accounts
Install-Module Microsoft.Graph

# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name

# ANC Display Name
$ancdname = "ANC-W365-Sub01"

# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"

# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId

# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id

# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"

# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id

# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"

# Select Beta Profile for Cloud PC APIs
Select-MgProfile -Name "beta"

# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
    displayName = "$ancdname"
    subscriptionId = "$subscriptionID"
    type = "$ancjointype"
    subscriptionName = "$subscriptionName"
    resourceGroupId = "$win365RGID"
    virtualNetworkId = "$win365VNETID"
    subnetId = "$win365SubID"
}

New-MgDeviceManagementVirtualEndpointOnPremisesConnection -BodyParameter $params -Debug
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

I hope you will find this helpful information for creating Azure Network Connection using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: API, Cloud PC, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Graph, Microsoft Intune, PowerShell, W365, Windows 365 Cloud PC

Comments 3 Comments
Categories Azure, Microsoft Intune, PowerShell, Windows 365 Cloud PC

A comprehensive guide on placing a Windows 365 Cloud PC under review + Azure Storage Account details

19 Dec

In the current security landscape, it’s pretty standard you will have to put your Windows 365 Cloud PC for digital forensic investigations. The security team or 3rd party vendor would ask you (the PC Ownership team) for a backup or snapshot of the Cloud PC to run security tools or skim through the files. This blog post intends to get you 100% ready to help and collaborate with security teams on the Cloud PC forensic review.

Fingerprint search png sticker, technology

Pre-requsites

To put the Windows 365 Cloud PC for review you will need the following:

Azure Subscription with Storage Account Configured. Additionally, the Azure subscription is linked between Microsoft Intune (MEM Portal)
Permission Storage Account Contributor for the Windows 365 Application
A Windows 365 Cloud Enterprise license
The snapshot stored within the Containers in Azure Storage account – The AAD account, needs to have Storage Blob Data Reader or Storage Blob Data Contributor

Azure Storage Account for Windows 365

I already created the storage account within the Azure Subscription linked with my MEM portal. However, I encountered the below issue as I missed out on the RBAC permissions.

Issue

The storage account selection will be grey out when you try to put the Windows 365 Cloud PC in Review

Solution

Provide the Windows 365 Application Storage Account Contributor access. Once I added the permission, the storage account would be listed within the Cloud PC review blade.

The overall permissions within the storage account to store the snapshot and to see the snapshot you will need these two permissions:

Place a Cloud PC in review

Login to the Microsoft Endpoint Manager admin center portal and go to Devices – All Devices and select the device starting with CPC-***** and then click on the three dots and select “Place Cloud PC under review.”

Select the Azure subcription, the storage account and further depending upon the secruity incident you will choose allow or deny access to the Cloud PC

After approx 10 mins, you will see the following within the Device actions status

View Snapshot in Azure Storage Account

The Cloud PC snapshot will be listed under the Azure Storage Account – Containers

Snapshot details it’s a *.vhd disk, and the disk size matches the Cloud PC SKU size.

Provide the snapshots to the security teams for analysis. Optionally there is a download button if you wish to download the snapshot (*.vhd) and take it outside the Azure environment for analysis. Post the review, depending upon the outcome, the SOC team will guide you. Note as an admin you must attest that the digital evidence provided demonstrates a valid Chain of Custody (CoC). I am showing the next step of removing the Cloud PC from review.

Remove Cloud PC from Review

Login to the Microsoft Endpoint Manager admin center portal and go to Devices – All Devices and select the device starting with CPC-*****, which you previously kept under review and the notifications

After approx 3 mins, you will see the following within the Device actions status as completed

I hope you will find this helpful information for putting the Cloud PC under secruity review. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Azure, Azure Storage Account, Cloud PC, Forensic, MEM, Microsoft, Microsoft Endpoint Manager, MSIntune, VDI, W365, Windows 365 Cloud PC, Windows365

Comments 1 Comment
Categories Azure, Windows 365 Cloud PC

← Older Entries

	Weekly Newsletter –… on Windows 365 Cloud PC – A…
	Intune Newsletter -… on Windows 365 Cloud PC – A…
	Weekly Newsletter –… on Alternate Azure Network Connec…
	Intune Newsletter -… on Alternate Azure Network Connec…
	Enabling and Deployi… on PowerShell Enable Remote Help…

Search

AskAresh

Windows 365 Cloud PC – Alert Monitoring – Get your alerts in a Microsoft Teams Channel using Azure Logic Apps

Set up your Microsoft Teams channel

Azure Active Directory Enterprise App (MS Graph API)

Azure Key Vault – (Store the Secret)

Create an Azure Logic App

Configure your Logic App

Recent Posts

Follow me on Twitter

Categories

Archives

Recent Comments

Meta