Note – The best method of assigning the DNS Servers is through the DHCP server. If you are setting the IP using DHCP, always make sure you add/remove additional DNS Client Servers from there. In my situation, there was no DHCP server, hence the detailed blog post.
Prerequsites
We are going to implement this configuration via Microsoft Intune using the Scripts:
The necessary Microsoft Intune permissions to create, the PowerShell Scripts.
A device group available within Microsoft Entra with all the devices you want to target this change.
PowerShell Script for DNSClient (Additional DNS Servers)
Save the below script and place on the desktop and we shall be uploading it to Microsft Intune portal – “AddDNSClient.ps1″
Please enter the proper DNS Server Address within the script based on your environment and requirement. In the example below the existing two DNS servers are 8.8.8.8 and 8.8.8.4. We are adding additional two DNS Servers 9.9.9.9 and 9.9.9.4.
Select Devices > Scripts > Add > Windows 10 and later.
In Basics, enter the following properties, and select Next:
Name: AddDNSClientServers
Description: Additional DNS Server 3 & 4
In Script settings, enter the following properties, and select Next:
Script location: Browse to the PowerShell script. saved previously and upload it (AddDNSClient.ps1)
Run this script using the logged on credentials: Select No.
Enforce script signature check: Select No
Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell host on a 64-bit client architecture.
Select Assignments > Select groups to include. Add the AAD group “Win11-P-DG”
Wait for approx. 15-20 minutes and the policy will apply to the managed devices. (Machine Win11-Intune-15)
Managed Device
You can validate that the settings have been applied to the client by going to the path – C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and opening the file IntuneManagementExtension.txt. I copied the policy ID – cf09649b-78b7-4d98-8bcc-b122c29e5527 from the Intune portal hyperlink and searched within the log file. We can see the policy has been applied successfully.
I hope you will find this helpful information for applying additional DNS servers via Intune – Scripts and PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
I have a blog post about creating a Windows 365 Cloud PC Provisioning Policy using PowerShell. In this post blog, I will demonstrate how to create the provisioning policy using PowerShell and MS Graph API with beta modules for Windows 365 Cloud PC – Frontline Workers.
Example – Each Windows 365 Frontline license can be shared with up to three employees. This means that if you have 30 employees, you only need to purchase 10 licenses to provision the CloudPC for all 30 employees with access over the day. However, note you are buying the frontline license based on the active sessions. You must purchase the license accordingly if you have more than 10 active workers in a shift.
What happens when license are exhausted?
In my demo tenant, I have two licenses for Frontline workers. When I try to log in to the third one (Note I have already logged into 2 active sessions and running them.) Get the following message.
Connect to MS Graph API
Step 1 – Install the MS Graph Powershell Module
#Install Microsoft Graph Beta Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph.Beta
Step 2 – Connect to scopes and specify which API you wish to authenticate to. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”
#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All" -NoWelcome
Welcome To Microsoft Graph!
OR
#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All" -NoWelcome
Welcome To Microsoft Graph!
Permissions for MS Graph API
Step 3 – Check the User account by running the following beta command.
If you are doing on-premise network integration (Azure Network Connection) , then the following additional property and value is required. In my lab, I am leveraging the Microsoft Managed Network, so this is not required.
I hope you will find this helpful information for creating a frontline worker provisioning policy using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
If you’re managing Windows 365 Cloud PCs, keeping track of alerts can be a daunting task. Fortunately, Azure Logic Apps can help automate this process by sending alerts directly to your Microsoft Teams channel. In this blog post, we’ll explore how to set up this integration, so you can stay on top of your Windows 365 environment without constantly checking the portal or notifications within the Intune portal.
Note – Within the Microsoft Intune admin center portal you can already send notifications via email.
Set up your Microsoft Teams channel
To start, you’ll need to create a Microsoft Teams channel where you want to receive alerts. If you don’t have one already, create a new channel and name it something like “Windows365Alerts.”
Next, within the newly created channel, add the Connector – Incoming Webhook
Click on Configure of the Incoming Webhook connectors by entering the Name – Win365Alerts and custom image. Why not use the Windows 365 Cloud PC Logo and click on create.
Please copy the link and save it for all future reference purposes. We will be using this URL within the Azure Logic Apps.
Azure Active Directory Enterprise App (MS Graph API)
Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell
Connect to Azure Portal and go to Azure Active Directory
Click on App Registrations and select – New Registration
Give the App a Name – GraphAPI-App
You will get two important information created for later use within Powershell
Application ID
Tenant ID
Now let’s grant this App GraphAPI-App Permission. Click on Add a permission and select MS Graph and search for Cloud PC– CloudPC.ReadAll and select read permissions and Add Permissions
Select Grant admin consent for domain
We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
Give it a name (Deviceconfig_secret) and expiry date (12 months)
Copy the Secret Value
Azure Key Vault – (Store the Secret)
This is an optional step, and I highly recommend this step for all production environments as the secret is stored within the Azure Key Vault, and within the Azure Logic Apps, you will call this secret.
After creating the value, go to Secret and click on Generate/Import, and under manual, enter a name and paste the secret key we created in the above step.
Additionally, I will dedicate a service account(svc_kv_api) specifically for this secret retrieval for the Azure Logic Apps. Let’s add the service account with the necessary permissions under the Access Policies and give it Get and List permissions.
Create an Azure Logic App
Next, you’ll need to create an Azure Logic App. In the Azure portal, search for “Logic Apps” and click “Create.” Give your Logic App a name and select your desired subscription, resource group, and location. Then click “Review + Create” and “Create” to create your Logic App.
Configure your Logic App
Once your Logic App is created, click “Logic App Designer” and select blank logic app template and add the other operations shown below:
Step 1 – Recurrence (A schedule that will be triggered)
Depending upon your SLA agreements, put a trigger. In this example, I have selected every 3 min.
Step 2 – Fetch the Secret from the Azure Key Vault
In the earlier step, we created the Azure Key vault and stored the secret there. In this step, we will make the Azure Logic Apps Fetch the Secret
Tenant ID – Copy from the above steps
KeyVault Name – Copy from the above steps
Click on Sign and use the dedicated service account to fetch this Secret
Step 3 – HTTP Get the Alerts for Windows 365 Using MS Graph API
We shall create the HTTP request using the Windows 365 Alert API – List and authenticate the call using the secret. Enter all the information shown in the screenshot.
Step 4 – We shall Parse the JSON output from the above API GET request
Create the Parse JSON operation, and we will enter the below sample JSON output. Note I have run the GET and got the output from the API. Paste the below code into the schema example. It will auto-generate the below output for your use without values inside.
Step 5 – Post the Alert to Microsoft Teams using the HTTP operation
Create the HTTP Operation, select POST, enter the webhook URL from the above step on MS Teams, and paste it within the URL. With the Headers add Content-Type: application/json and paste the below body code.
{
"text": "**Alert name:** @{items('For_each')?['displayName']} \n\n **Status:** @{items('For_each')?['status']} \n\n **Severity:** @{items('For_each')?['severity']} \n\n **Detect Date:** @{items('For_each')?['detectedDateTime']} \n\n **Resolved Date:** @{items('For_each')?['resolvedDateTime']} \n\n **Alert Rule Template:** @{items('For_each')?['alertRuleTemplate']} \n\n **Alert Impact:** @{items('For_each')?['alertImpact']}",
"title": "Windows 365 Cloud PC Alerts with status and Severity "
}
Step 6 – Run the workflow
The above will now start running the Azure Logic Apps every 3 mins and keep sending the alerts to Microsoft teams
I need help filtering the alerts based on specific Status and Severity. If you manage to get to that, please message me, and I will happily include those bits in the blog post.
I hope you will find this helpful information for enabling Windows 365 Alerts within the MS Teams using the Azure Logic Apps. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Alternate ANCs (Azure Network Connections) are secondary or backup connections to the Microsoft Azure network used to provide redundancy and high availability for Windows 365 Cloud PC provisioning of new desktops. Alternate ANCs can be used when a primary connection fails or experiences connectivity issues, ensuring access to Windows 365 Cloud Provisioning continues for the desktops uninterrupted using the backup ANC.
Introduction
Alternate ANCs can be used when a primary region availability fails, ensuring access to Windows 365 Cloud Provisioning continues for the new desktops uninterrupted using the backup ANC. As long as the first ANC in the list is Healthy, it will always be used for provisioning Cloud PCs using this policy. If the first ANC is not healthy, the policy will use the next ANC in the list that is healthy.
My Scenario
I have an Azure VNET in the region (Australia East) and a dedicated subnet for the Windows 365 Cloud PC desktops in my environment. Now imagine a scenario if the Azure region Australia East had issues. It will directly impact the provisioning of the new Cloud PC desktops.
How will we increase HA/DR capability during Cloud PC Provisioning Issues
Create a backup VNET in different region (Asia Pacific East Asia – HK)
Go to you Azure Portal and create a new VNET in a different region of you choice (Azure Portal — Virtual Networks – Create Network)
Create a dedicated subnet for Windows 365 Cloud PC
Go into the newly created VNET – W365-Bckup-VNET01 and select Subnet and click + Subnet and create a dedicated subnet for the Windows 365 Cloud PC.
Add the additional Azure Network Connection in Intune Portal
Type – There are two types we are selecting Azure AD join – azureADJoin
Resource Group ID – The resource group within Azure – W365-AVD-RG01
Virtual Network ID – The VNET within Azure – W365-Bckup-VNET01
Subnet ID – The subnet for W365 within VNET – Win365-ASE-Bac-Sub01
Cloud Provisioning Policy
Go into your Cloud PC Provisioning Policy and select Edit. Under the Azure Network Connection you will be able to see the newly added ANC – Win365-Bckup-ANC01 make sure you choose that. It will automatically assign the priority as 2 and will come into effect during network outages in the region.
In the above scenario, at all times, it will use the ANC-W365-Sub01 (Priority 1) network for provisioning all Cloud PC. If there is a contention or issues with the primary ANC, then the backup Win365-Bckup-ANC01 (Priority 2) network will kick in and continue provisioning the new desktops in that region/network.
Note
At the time of writting this blogpost, when i tried to create the backup VNET in Australia SouthEast and Australia Cental it said unsupported region when adding the Azure Network Connection. This was the reason i selected the Asiapacifc East (Honkong) region as the second best choice. I am sure at somepoint in time it will be fixed and I would be able to create a backup ANC within the country.
I hope you will find this helpful information for creating an Alternate Azure Network Connection for increasing the HA and DR on the cloud pc provisioning of new desktops. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Remote Help in Microsoft Intune works by enabling IT administrators to remotely control a user’s mobile device, allowing them to view the device’s screen and interact with it in real-time. This enables administrators to quickly diagnose and fix issues on the device, without needing to be physically present with the user.
To use Remote Help in Microsoft Intune, IT administrators first need to enable the feature in the Intune console. Once enabled, administrators can initiate a remote session with a user’s device by sending an invitation link to the user via email or text message. The user then clicks on the link to join the remote session, allowing the administrator to remotely control the device.
In the blog post I will showcase how to enable this feature via PowerShell instead of the Microsoft Intune admin center portal.
Pre-requsites
An active Microsoft Intune subscription.
An Azure AD (Active Directory) subscription with administrative access.
The Azure AD application registration credentials, including client ID and secret.
Permissions to access and manage Microsoft Intune and Microsoft Graph API resources.
PowerShell and AzureAD PowerShell module installed on the local machine to run PowerShell scripts.
A valid Azure AD authentication token to authenticate and authorize Microsoft Graph API requests.
Create the Client Secret for MS Graph
Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell
Connect to Azure Portal and go to Azure Active Directory
Click on App Registrations and select – New Registration
Give the App a Name – MSGraph-DeviceMgmt-Secret
You will get two important information created for later use within Powershell
Application ID
Tenant ID
Now let’s grant this App MSGraph Permission. Click on Add a permission and select MS Graph and search for Device – DeviceManagementConfiguration and select read-write permissions and Add Permissions
Select Grant admin consent for domain
Note that RemoteSettings, aka Remote Help, falls under Device Management Configurations. We will use that for the permissions (read-write)
We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
Give it a name (Deviceconfig_secret) and expiry date (12 months)
Copy the Secret Value
Variable Region
Delcare all the variable within this section. Lets take a look at what we are declaring within the script:
GraphEndpoint and resource URL if you notice we are using the remoteAssistanceSettings
# Define the Graph API endpoint and resource URL
$graphEndpoint = "https://graph.microsoft.com"
$resourceUrl = "$graphEndpoint/beta/deviceManagement/remoteAssistanceSettings"
# Define the authentication parameters
$clientId = "XXXXXXXX-6f08-XXXXX-a6ff-XXXXXXXXXXXXX"
$clientSecret = "Q-D8Q~XXXXXXXXXXXXXXXXXXXXXXXXXXX"
$tenantId = "XXXXXXXXXX-d8f4-4c55-XXXXX-XXXXXXXXXXX"
$authority = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"
# Authenticate to the Graph API and obtain an access token
$tokenResponse = Invoke-RestMethod -Method Post -Uri $authority `
-Body @{
client_id = $clientId
client_secret = $clientSecret
scope = $scope
grant_type = "client_credentials"
} `
-Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
}
$accessToken = $tokenResponse.access_token
# Define the payload for the PATCH request
$payload = @{
"@odata.type" = "#microsoft.graph.remoteAssistanceSettings"
"remoteAssistanceState" = "enabled"
"allowSessionsToUnenrolledDevices" = $false
"blockChat" = $false
} | ConvertTo-Json
# Send a PATCH request to the remoteAssistanceSettings resource with the updated payload
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
"Content-length" = $payload.Length
}
Invoke-RestMethod -Method Patch -Uri $resourceUrl -Headers $headers -Body $payload
Validations
After running the powershell script now check the portat it will be enabled
Overall, Remote Help in Microsoft Intune is a powerful tool for IT administrators, enabling them to quickly diagnose and fix issues on mobile devices, improving productivity and reducing downtime. If you’re using Microsoft Intune, be sure to take advantage of this powerful feature to improve your device management capabilities.
I hope you will find this helpful information for enabling Remote Help using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Search Highlight is a feature in Windows 11 (Enterprise\Multi-session) that highlights search results in the Start menu and taskbar search box. While this feature can be helpful for some users, others may find it distracting or unnecessary. Fortunately, it is possible to disable the Search Highlight feature in Windows 11 using Microsoft Intune. Plenty of information is available on disabling the Windows 11 Search Highlight using Group policy, Registry and UI. However, we will leverage Custom OMA-URI settings from Microsoft Intune in this blog post.
Search – CSP Details
The Search – Policy configuration service provider enables the enterprise to configure policies on Windows 11. Following are the details on the one we are using for disabling the search highlights:
How to disable Search Highlights in Microsoft Endpoint Manager
To disable the Search Highlight feature in Windows 11 (Enterprise/Multi-session) using Microsoft Intune, follow these steps:
For Profile type, select Templates > Custom and select Create.
Enter a Name – DisableSearchHighlight and description and choose Next
Under the OMA-URI Settings, clicks on Add
Enter the Name, Description, and OMA-URI fetched in the references from the MS CSP link below. The value is an integer based on the documentation, and as we disable the setting, the value is 0.
Remember the MS documentation called out this setting only applies to Devices. In the case of Assignments, we will target Windows 365 Device Group and Azure Virtual Desktop Session Host Pools.
Click on Review and Save
Validate the Policy is applying
After 10-15 mins of waiting, go into the newly configured configuration profiles policy, and you will start seeing it getting applied to the targeted devices (MEM Portal > Devices > Configuration Profiles > DisableSearchHighlights)
Cloud PC – Within Windows 11
Login to the Windows 365 Cloud PC, and now when you click on Search, the advertisements and search highlights are gone.
I hope you will find this helpful information towards disabling the annoying Search Highlights on Windows 365, AVD environment and physical endpoints using Microsoft Endpoint Manager. Please let me know if I have missed any steps or details, and I will be happy to update the post.
In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t see my previous blog post on – Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop check that first.
Usecase
Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:
Business Security: Blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.
Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.
Pre-requisites
To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:
I hope you will find this helpful information towards web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.
If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.
Prerequisites
Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
Make sure the license is available and listed Microsoft admin center
Enable MDE in Microsoft 365 Security Portal/Intune
To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:
Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Click on On for Microsoft Intune Connection & Device Discovery
Scroll to the bottom and select Save Preferences
We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.
Create the Endpoint detection and response policy (onboarding)
Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.
Sign in to the Microsoft Endpoint Manager admin center.
On the onboarded device, go and run the following command to verify the status
Get-MpComputerStatus
Device Compliance Policy (Update)
I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.
Create Antivirus Policy in Intune
The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.
Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.
Sign in to the Microsoft Endpoint Manager admin center.
For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Microsoft Defender Antivirus, and then select Create.
Enter a Name – W365-AVD-AV-P01 and description and choose Next
Under the Configuration Settings
Configuration Settings
Status (Value)
Allow Archive Scanning (Scanning through zip and cab files)
Allowed
Allow Behaviour Monitoring
Allowed
Allow Cloud Protection (Joining Microsoft MAPS Community)
Allowed
Allow Email Scanning (Very useful if you are using Microsoft 365)
Allowed
Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives)
Allowed
Allow Intrusion Prevention System
Allowed
Allow scanning of all downloaded files and attachments
Allowed
Allow Realtime Monitoring
Allowed
Cloud Block Level
High
Allow Users UI Access (Defender Client)
Allowed
Enable Network Protection
Enabled (Audit mode)
Avg CPU Load Factor
Enabled (30%)
Schedule Quick Scan Time
Enable (120)
Signature Update Interval
Enable (8 hours)
Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
Review and Create the policy and it will go ahead and enable AV across the fleet.
After sometime all your devices will show whether they are onboarded or not.
Create Attack surface reduction (ASR) Policy in Intune
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.
Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).
Sign in to the Microsoft Endpoint Manager admin center.
Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Numerous scripts and vendor optimizers (VMware, Citrix and Microsoft) remove the default pre-installed Windows applications that come within the operating system, aka bloatware. You can get rid of all unnecessary applications using the Microsoft Store app (new) within Microsoft Intune.
I attended the Microsoft 365 Modern Management Meetup, and our very own Steven Hosking demonstrated the uninstall of default applications via Intune. I got inspired and thought about blogging and socializing this trick with everyone.
For my Windows 365 Cloud PC endpoint, I use the Azure image Gallery – Windows 11 22H2 + Cloud PC Optimized image, and for this example, we will uninstall Xbox pre-installed application.
Fetch the Application ID (MS Store)
In specific scenarios, when you try to search the application with the repository, it will not show, and the alternate method is to search via the ID.
Navigate to App — Windows – Click on Add and select App type as – Microsoft Store app (new) and hit select
Under Application Information, click on Select App and in my case, I will enter the Application ID I copied in the previous step.
Make sure all the application details that it has fetched (auto-populated) look good, and select Next
The critical step on the Assignments as we are going to Uninstall it from the environment, we will select Un-install and specify the device group, in this case, Windows 365 Cloud (AAD – Dynamic Device Group)
It is adviced you also leverage Filtering for targeting specifc device types within the environment.
Last step review and Create the Uninstall of the default Application
Rinse & Repeat for other applications
Using the above method, you can add other applications of your choice. Note the effort is one-time, so put it in and reap the benefits for all future versions of Windows.
Advantages of using Intune for Default App Removal
Lets take a look at the advantages of using this method:
There is no need of using 3rd party scripts posted by unknown sources.
You will still have to use the vendor optimizers for other things but you can setup these once within the Intune Portal and it will works for the current and future version of Windows.
The Intune method is not very socialized on removing bloatware from the default operating system.
I hope you will find this helpful information for removal of default applications from the Intune Portal. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Microsoft Intune Compliance Policy can be used to manage the security and compliance of Azure Virtual Desktop (AVD) Session Host virtual machines. The policy can enforce specific configuration settings such as password complexity, security updates, and device encryption to ensure that the virtual machines meet the organization’s security and compliance requirements.
To set up an Intune Compliance Policy for an AVD Session Host virtual machine, the virtual machine must be enrolled with Intune. Then, the policy can be created in the Intune portal and assigned to the virtual machine. The policy settings will be enforced on the virtual machine and monitored for compliance.
Note: The Intune Compliance Policy is just one of the ways to manage the security and compliance of AVD Session Host virtual machines. Other tools such as Azure Security Center and Azure Policy can also be used.
Why create the azure virtual desktop session host compliance policy?
There are several reasons why organizations create Azure Virtual Desktop (AVD) Session Host Compliance Policies:
Security: Compliance policies help ensure that the AVD Session Host virtual machines are configured with the necessary security measures to protect sensitive data and prevent unauthorized access. This includes enforcing encryption, password policies, and software updates.
Compliance: Compliance policies help organizations meet regulatory requirements, such as HIPAA, PCI, and SOC, by ensuring that the AVD Session Host virtual machines are configured in accordance with these regulations.
Consistency: Compliance policies help ensure that all AVD Session Host virtual machines are configured consistently and meet the same standards. This makes it easier for administrators to manage the environment and ensures that all users have a consistent and secure experience.
Monitoring: Compliance policies provide ongoing monitoring of the AVD Session Host virtual machines, so administrators can quickly identify and address any deviations from the desired configuration.
By creating an AVD Session Host Compliance Policy, organizations can ensure that their virtual machines are secure, compliant, consistent, and properly monitored, which can help reduce the risk of security breaches and regulatory violations.
What compliance policies are supported with Azure Virtual Desktop?
The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:
Minimum OS version
Maximum OS version
Valid operating system builds
Simple passwords
Password type
Minimum password length
Password Complexity
Password expiration (days)
Number of previous passwords to prevent reuse
Microsoft Defender Antimalware
Microsoft Defender Antimalware security intelligence up-to-date
Firewall
Antivirus
Antispyware
Real-time protection
Microsoft Defender Antimalware minimum version
Defender ATP Risk score
Note in my sceanrio I am not using all of the above only a few based on the configuration of my environment. You will need a Azure AD device group containing all the session host for AVD to apply this policy.
What am I configuring?
I am only configuring two things. However, I urge if you to leverage Microsoft Defender and make sure you use the Antivirus and Antimalware settings (Another blog post later day for Defender integrations):
Minimum OS version – 10.0.22621.963
Firewall – Require
The above is not an extensive list, but I am trying to give you an idea here.
Click on Create Policy and Select Platform Windows 10 and later
Give the policy a name and description
Configure the above two parameters
An assignment is the most critical aspect, here, you want an Azure AD Dynamic Device Group that will make sure all the AVD Session hosts are covered.
My current AAD Dynamic Group query is as follows, I am working towards getting a more refine query to make it understand Multi-session(I have raised a query internally within MS)
Device Compliance (AVD Session Host VMs)
After waiting for 15 mins you will start noticing all your AVD Session host VM’s will now begin to show as compliant.
I hope you will find this helpful information for creating a compliance policy for your AVD Session host VMs. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Recent Comments