Tag Archives: Microsoft Graph

PowerShell – Report – Get Cloud PC Windows 365 with low utilization

24 Nov

In my previous post, I had demonstrated the new reports (in-preview) Windows 365 Cloud PC – New Reports – Connection quality & Low Utilization. Today, I will showcase how to generate the report of “Cloud PCs with low utilization” using PowerShell and MS Graph API with beta modules on Windows 365 Cloud PC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph

Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!

Step 3 – Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC, the API calls are BETA.

#Beta APIs
PS C:WINDOWSsystem32> Select-MgProfile -Name "beta"

OR

#Production APIs (Not Applicable)
PS C:WINDOWSsystem32> Select-MgProfile -Name "v1.0"

Generate the report – Low Utilization

We are generating a report that will showcase the low utilization of the Cloud PC within your environment. This can help you decide to decommission the Cloud PC or send a notification to the end-user etc. – https://github.com/askaresh/avdwin365mem/blob/main/report-lowutilz-cloudpc

  • Building the bodyparameters:
    • Top – How many records you want to return (In the current example its 25)
    • Skip – Number of records to skip ((In the current example its 0)
  • Filter
    • In my example, as its a demo tenant and to generate the report I am using the following – TotalUsageInHour le 40 (Usage less than 40 hours)
  • It will provide the details of the Cloud PC Name, UPN, Total time connected and Days since last sign-in.
$params = @{
	Top = 25
	Skip = 0
	Filter = "(TotalUsageInHour le 40)"
	Select = @(
		"CloudPcId"
		"ManagedDeviceName"
		"UserPrincipalName"
		"TotalUsageInHour"
		"DaysSinceLastSignIn"
	)
}

Get-MgDeviceManagementVirtualEndpointReportTotalAggregatedRemoteConnectionReport -BodyParameter $params

Note – You will have to enter the OutFile path where you want to save the report in my example C:\Temp\abc.csv

The actual report in the Intune Portal looks like the following – The same result is now available within the Value section of the CSV (Note – The formatting of the output is terrible, some excel work will be required to format the data properly)

I hope you will find this helpful information for generating low utilization report for Cloud PC using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

PowerShell – Create and Assign Windows 365 Cloud PC – User Settings

8 Nov

There are numerous posts that talk about creating the Windows 365 Cloud PC – User Settings. In this blog post, I will demonstrate how to create user settings using PowerShell and MS Graph API with beta modules on Windows 365 Cloud PC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph

Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!
Permissions for MS Graph API

Step 3 –  Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC, the API calls are BETA.

#Beta APIs
PS C:WINDOWSsystem32> Select-MgProfile -Name "beta"

OR

#Production APIs (Not Applicable)
PS C:WINDOWSsystem32> Select-MgProfile -Name "v1.0"

Create User Settings

We are creating a provisioning policy that involves the following: (avdwin365mem/win365CreateUsrSetting at main · askaresh/avdwin365mem (github.com))

  • Display Name of the setting – CPC-UserSettings01
  • Local Admin – No (#Highly recommend not to enable local admin on Cloud PCs)
  • Allow user to initiate restore service – Yes (#This will allow them to restore from Winodws365 App/Browser)
  • Frequency of backup – 6 hours (#Set whatever your requirements call out)
  • Note – Post creation of user settings, you need to add the assignment AAD group
$params = @{
	"@odata.type" = "#microsoft.graph.cloudPcUserSetting"
	DisplayName = "CPC-UserSettings02"
	SelfServiceEnabled = $false
	LocalAdminEnabled = $false
	RestorePointSetting = @{
		FrequencyInHours = 6
		UserRestoreEnabled = $true
	}
}

New-MgDeviceManagementVirtualEndpointUserSetting -BodyParameter $params

Powershell Output

Settings will show up in the MEM/Intune Portal

Assign User Settings

Now that we have the User Settings created, it’s time to assign it to an AAD group. We need to follow the following procedure

AAD Group (Copy – Object ID)

I have an existing AAD (Azure Active Directory) group called “Win365-Users” and I plan to use this group for assignment to this User Settings. The important step here is to make a note of the “Object ID” of the AAD group you are planning to assign. Please make sure you copy this ID.

User Settings (Copy ID)

Copy the ID of the previously created User Settings. We need to copy this ID for the assignment. Use the command – Get-MgDeviceManagementVirtualEndpointUserSetting | FT. Note if multiple CPC user settings, select the relevant ID.

Assign the AAD Group to the User Settings

We are assigning the provisioning policy that involves the following: (avdwin365mem/win365AssignUsrSetting at main · askaresh/avdwin365mem (github.com))

  • ID – The existing Cloud PC User Settings ID
  • GroupID – The Azure AD group which has the end-users/license to be assigned to the policy
  • Within the variable, enter the value of User Settings ID $cloudPcUserSettingId
$cloudPcUserSettingId = "ed7271e3-8844-XXXX-XXXX-9bc8bd70da4c"

$params = @{
	Assignments = @(
		@{
			Id = "ed7271e3-8844-XXXX-XXXX-9bc8bd70da4c"
			Target = @{
				"@odata.type" = "microsoft.graph.cloudPcManagementGroupAssignmentTarget"
				GroupId = "01eecc64-c3bb-XXXX-XXXX-bafb18feef12"
			}
		}
	)
}

Set-MgDeviceManagementVirtualEndpointUserSetting -CloudPcUserSettingId $cloudPcUserSettingId -BodyParameter $params

AAD group assigned within MEM Portal

I hope you will find this helpful information for creating/assigning the user settings using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

PowerShell – Unassign/Delete the Windows 365 Cloud PC Provisioning Policy

14 Oct

Please check out my earlier blog post on PowerShell – Create Windows 365 Cloud PC Provisioning Policy and PowerShell – Assign a AAD group to the Windows 365 Cloud PC Provisioning Policy. This is the last part in the series where we will delete the Windows 365 Cloud PC Provisioning Policy via PowerShell.

A safety feature within MEM Portal – Windows 365 Cloud PC – Provisioning Policies that within the UI when you try to delete the policy, it will be grey out. The only way to delete the policy is to remove the Assignment Group (AAD Group assigned to the policy) and then delete the provisioning policy within UI. The motive of this blog series is PowerShell actions, and we will perform the two actions using that method.

Provisioning Policy (Copy ID)

We need the Windows 365 Provisioning Policy – ID to perform the AAD (Azure Active Directory) group un-assignment and delete operation. We need to copy this ID. Simply use the commandlet – Get-MgDeviceManagementVirtualEndpointProvisioningPolicy. Note if multiple CPC policy, select the ID that is relevant for deletion.

Un-assign AAD Group from the Provisioning Policy

The only way to delete the CPC – Provisioning policy is to remove the AAD group assignment, and it involved the following: avdwin365mem/win365DeleteProvPolicy at main · askaresh/avdwin365mem (github.com)

  • ID – The existing Cloud PC Provisioning Policy ID
  • Load the $params variable first before running the Set-MgDeviceManagementVirtualEndpointProvisioningPolicy commandlet
  • Copy/Paste the Prov policy ID within -CloudPcProvisioningPolicyId
$params = @{
	"@odata.type" = "#microsoft.graph.cloudPcProvisioningPolicyAssignment"
	Assignments = @(
		@{
			Id = "6d54435b-74cd-XXXX-XXXX-7d9b5cc0a78d"
		}
	)
}
Set-MgDeviceManagementVirtualEndpointProvisioningPolicy -CloudPcProvisioningPolicyId "6d54435b-74cd-XXXX-XXXX-7d9b5cc0a78d" -BodyParameter $params

Delete the Provisioning Policy

Now that the AAD Group has been un-assigned it’s time to delete the Cloud PC Provisioning Policy.

Remove-MgDeviceManagementVirtualEndpointProvisioningPolicy -CloudPcProvisioningPolicyId "6d54435b-74cd-4722-9ab7-7d9b5cc0a78d"

I hope you will find this helpful information for the un-assignment & deletion of the CloudPC provisioning policy using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

PowerShell – Assign a AAD group to the Windows 365 Cloud PC Provisioning Policy

12 Oct

If you haven’t looked at my previous blog on PowerShell – Create Windows 365 Cloud PC Provisioning Policy, please check that out first. After creating the Cloud PC provisioning policy, the next step is to assign the Azure AD Group, which has the end-users and Windows 365 license assigned.

AAD Group (Copy – Object ID)

I have an AAD (Azure Active Directory) group called “Win365-Users” and assigned the Windows 365 Cloud PC Enterprise license. The important step here is to make a note of the “Object ID” of the AAD group you are planning to assign. Please make sure you copy this ID.

AAD Group

Provisioning Policy (Copy ID)

In the previous blog, when we created the Cloud PC provisioning policy, Azure will assign an ID. We need to copy this ID for the assignment. Simply use the commandlet – Get-MgDeviceManagementVirtualEndpointProvisioningPolicy. Note if multiple CPC policy, select the ID that is relevant.

PowerShell Output

Assign Provisioning Policy

We are assigning the provisioning policy that involves the following: (avdwin365mem/win365AssignProvPolicy at main · askaresh/avdwin365mem (github.com))

  • ID – The existing Cloud PC Provisioning Policy ID
  • GroupID – The Azure AD group which has the end-users/license to be assigned to the policy
  • Copy/Paste the Prov policy ID within -CloudPcProvisioningPolicyId
$params = @{
	"@odata.type" = "#microsoft.graph.cloudPcProvisioningPolicyAssignment"
	Assignments = @(
		@{
			Id = "6d54435b-74cd-XXXX-XXXX-7d9b5cc0a78d"
			Target = @{
				"@odata.type" = "microsoft.graph.cloudPcManagementGroupAssignmentTarget"
				GroupId = "01eecc64-c3bb-XXXX-XXXX-bafb18feef12"
			}
		}
	)
}

Set-MgDeviceManagementVirtualEndpointProvisioningPolicy -CloudPcProvisioningPolicyId "6d54435b-74cd-XXXX-XXXX-7d9b5cc0a78d" -BodyParameter $params

Assignment is created

I hope you will find this helpful information for the assignment of the AAD group to a CloudPC provisioning policy using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

PowerShell – Create Windows 365 Cloud PC Provisioning Policy

11 Oct

There are a significant amount of posts that talk about creating the Windows 365 Cloud PC Provisioning Policy. In this blog post, I will demonstrate how to create the provisioning policy using PowerShell and MS Graph API with beta modules on Windows 365 Cloud PC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:\WINDOWS\system32> Install-Module Microsoft.Graph

Step 2 – Connect to scopes and specify which API you wish to authenticate to. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:\WINDOWS\system32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:\WINDOWS\system32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!
Permissions for MS Graph API

Step 3 –  Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC the API calls are BETA.

#Beta APIs
PS C:\WINDOWS\system32> Select-MgProfile -Name "beta"

OR

#Production APIs (Not Applicable)
PS C:\WINDOWS\system32> Select-MgProfile -Name "v1.0"

Create Provisioning Policy

We are creating a provisioning policy that involves the following: (avdwin365mem/win365CreateProvPolicy at main · askaresh/avdwin365mem (github.com))

  • Azure AD Joined Cloud PC desktops
  • The region for deployment – Australia East
  • Image Name – Windows 11 Ent + Optimization (from the Gallery)
  • Language & Region – English (United States)
  • Note – Post provisioning, you need to add the assignment AAD group to this policy
$params = @{
	"@odata.type" = "#microsoft.graph.cloudPcProvisioningPolicy"
	Description = "Hi Test Powershell Prov Deployment"
	DisplayName = "CloudPC-ProvPshell01"
	DomainJoinConfiguration = @{
		DomainJoinType = "azureADJoin"
        regionName = "australiaeast"
	}
	ImageDisplayName = "Windows 11 Enterprise + OS Optimizations 22H2"
	ImageId = "MicrosoftWindowsDesktop_windows-ent-cpc_win11-22h2-ent-cpc-os"
	ImageType = "gallery"
	WindowsSettings = @{
		Language = "en-US"
	}
}

New-MgDeviceManagementVirtualEndpointProvisioningPolicy -BodyParameter $params

Powershell Output

Policy will show up in the MEM Portal

Optional Properties

If you are doing on-premise network integration (Azure Network Connection) , then the following additional property and value is required. In my lab, I am leveraging the Microsoft Managed Network, so this is not required.

OnPremisesConnectionId = "4e47d0f6-6f77-44f0-8893-c0fe1701ffff"

I hope you will find this helpful information for creating a provisioning policy using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari