Tag Archives: MSIntune

PowerShell – Report – Get Cloud PC Windows 365 with low utilization

24 Nov

In my previous post, I had demonstrated the new reports (in-preview) Windows 365 Cloud PC – New Reports – Connection quality & Low Utilization. Today, I will showcase how to generate the report of “Cloud PCs with low utilization” using PowerShell and MS Graph API with beta modules on Windows 365 Cloud PC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph

Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!

Step 3 – Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC, the API calls are BETA.

#Beta APIs
PS C:WINDOWSsystem32> Select-MgProfile -Name "beta"

OR

#Production APIs (Not Applicable)
PS C:WINDOWSsystem32> Select-MgProfile -Name "v1.0"

Generate the report – Low Utilization

We are generating a report that will showcase the low utilization of the Cloud PC within your environment. This can help you decide to decommission the Cloud PC or send a notification to the end-user etc. – https://github.com/askaresh/avdwin365mem/blob/main/report-lowutilz-cloudpc

  • Building the bodyparameters:
    • Top – How many records you want to return (In the current example its 25)
    • Skip – Number of records to skip ((In the current example its 0)
  • Filter
    • In my example, as its a demo tenant and to generate the report I am using the following – TotalUsageInHour le 40 (Usage less than 40 hours)
  • It will provide the details of the Cloud PC Name, UPN, Total time connected and Days since last sign-in.
$params = @{
	Top = 25
	Skip = 0
	Filter = "(TotalUsageInHour le 40)"
	Select = @(
		"CloudPcId"
		"ManagedDeviceName"
		"UserPrincipalName"
		"TotalUsageInHour"
		"DaysSinceLastSignIn"
	)
}

Get-MgDeviceManagementVirtualEndpointReportTotalAggregatedRemoteConnectionReport -BodyParameter $params

Note – You will have to enter the OutFile path where you want to save the report in my example C:\Temp\abc.csv

The actual report in the Intune Portal looks like the following – The same result is now available within the Value section of the CSV (Note – The formatting of the output is terrible, some excel work will be required to format the data properly)

I hope you will find this helpful information for generating low utilization report for Cloud PC using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Windows 365 Cloud PC – Microsoft Intune – Disable Chat Icon + PowerShell Uninstall MS Teams

23 Nov

When you deploy your Windows 365 Cloud PC, you can use a Microsoft Gallery Image or a Custom Image from Azure. The Microsoft Gallery image is a good starting point for most deployments, as it’s already optimized for Cloud PC. In my scenario, I have leveraged the Windows 11 Enterprise + OS Optimizations – 22H2 gallery image.

Note – These steps are only applicable in situations where-in you are not using Microsoft Teams.

Microsoft Teams is an excellent collaboration tool if the organization leverages it.

Post the Cloud PC Provisioning, the end-users see the Chat Icon for MS Team and the Microsoft Teams applications are installed within the Apps & Features. In this scenario, I am not using Microsoft Teams hence I have decided to Disable the Icon & Uninstall MS Team from the Cloud PC fleet.

Disable Chat Icon – Intune

Let’s see how to disable the Chat Icon gracefully for all end-users using Microsoft Intune

  • Login to the Microsoft Intune Portal – https://endpoint.microsoft.com/
  • Go to Devices and then scroll down to Configuration Profiles
  • Click on Create New Profile
    • Select Platform – Windows 10 and later
    • Profile type – Settings Catalog
    • Enter a Name – Disable Win11ChatIcon
    • Settings picker type – configure chat icon
    • Category select – Experience
    • Results select – Configure Chat Icon
  • Set the value as disable
  • Assign the policy to the AAD group – In my case, I have assigned to the “Win365-DeviceGroup”

Set the Configure Chat Icon – Disabled

After the sync-up, I noticed the Chat Icon from the taskbar disappeared on all Windows 365 Cloud PC devices.

Un-install MS Team – Scripts Intune

Within the Microsoft gallery image, you will notice the Microsoft Team is installed by default, and we want to uninstall the software using Powershell Scripts. A quick check within Apps & Features shows that Microsoft Teams is already installed.

  • Login to the Microsoft Intune Portal – https://endpoint.microsoft.com/
  • Go to Devices and then scroll down to Scripts
  • Click on Add
    • Select Platform – Windows 10 and later
    • Enter a Name – Uninstall-MSTeams
    • Upload the script – Snippet below
    • No to the rest of the settings
  • Assign to the policy to the AAD group – In my case I have assigned to the “Win365-DeviceGroup”
# Remove Teams Application

try {
    $fetchteamsapp = @(Get-AppxPackage -name '*teams' -ErrorAction stop)
}
catch {
    $ErrorMessage = $_.Exception.message
    write-error ('Error getting the teams app ' + $ErrorMessage)
    Exit
}
if ($fetchteamsapp -ne $null) {
    $uninstallteamsapp = @(remove-appxpackage -package "MicrosoftTeams_22287.702.1670.9453_x64__8wekyb3d8bbwe" -ErrorAction stop)
}
else { 
    write-host 'Successfully un-install the MS Teams.'
    exit
}

Note – Replace your MS Team version with whatever you have within your environment

I hope you will find this helpful information for disabling icon and uninstalling Microsoft teams using Intune + Powershell scripts. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Windows 365 Cloud PC – Policy Conflict – Security Baseline VS RDP Device Restrictions

1 Nov

In my previous post, I showcased the RDP device restrictions available for the Windows 365 Cloud PC – Microsoft Intune – Configuration Profiles – Settings Catalog – Windows 365 Cloud PC RDP Device Restrictions. After enabling the general settings such as “Block drive redirection” with my Configuration Profiles Policy, I started observing a conflict.

Upon further digging, the conflict is caused because of the out-of-the-box Windows 365 Security Baseline. which includes a similar policy under Remote Desktop Services.

Go to the Device (CPC-aresh-eo0fg) of concern and navigate into the Device configuration. We can see there is a conflict between the previously created RDP Device Redirection (config profiles) and the out-of-the-box Windows 365 Security Baseline (Preview)

Fix forward

I kept the Windows 365 Security Baseline untouched, changed the Configurations Profiles, edited the policy, and removed the duplicate setting on “Block drive redirection”. This resolved the conflict situation

I hope you will find this helpful information for troubleshooting a conflict of policies VS baselines. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh

Microsoft Intune – Configuration Profiles – Settings Catalog – Windows 365 Cloud PC RDP Device Restrictions

31 Oct

In this post, we will look into the Windows 365 Cloud PC RDP Device Restrictions. The reason we apply these settings is to control pheripherals like Camera, USB Drives Printers etc. We have a few settings which we can fine-tune to derive the best possible end-user and security outcome for the Cloud PC devices.

We have the following settings to enable/disable within using the RDP Device redirections settings. We can apply them using ADMX or Intune – Settings Catalog. In this post, we shall be looking into Intune – Settings Catalog.

RDP Device Redirection Settings – Win365 Cloud PC

Enable these Setting in Intune

Navigate to Microsoft Itune Portal — Devices — Configuration profiles

Select Create a Profile

  • Platform – Windows 10 and later
  • Profile type – Settings catalog
  • Name – CloudPCDeviceRedirection
  • Optional – Description

Click on — Add Settings

I want to emphasize using Filters for the Settings you are implementing as few can be for Multi-user, Devices or Users and knowing which one we are targeting is significant

Choosing the Scope Device within your filter as the RDP Redirection policies are device-based

Now using the search function, we will search for – Printer Redirection (We have 4 settings for devices)

Next using the search function, we will search for – Device and Resource Redirection (We have 12 settings for devices)

Overall the following settings can be tweaked for Device & Remote Desktop Redirection

Depending on your requirements, you can enable and disable all the above settings, such as Clipboard, USB, and TimeZone redirection. Assign the policy to the User or groups of your choice within assignments.

I hope you will find this helpful information for the RDP device restrictions of the CloudPC using Configuration profiles. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh

Windows 365 Cloud PC – New Reports – Connection quality & Low Utilization

13 Oct

With the recent Windows 365 Cloud PC announcements in MS Ignite 2022, a couple of new reports that were introduced and in this post we shall take a sneak peek into them..

Cloud PC Performance Reports

The overall view of the Performance (Utilization & Connection) for the entire Cloud PC deployed is available in MEM Portal -> Devices -> Overview -> Cloud PC performance

Cloud PC with connection quality issues

Overall, devices within the environment will be listed along with the connection quality details of all the Cloud PC. The categories classified are Good, Average and High. Metric includes RTT – Round Trip latency (lower values provide a better end-user experience), Remote Sign-in (time taken for an end-user to complete the sign-in to the Cloud PC) and Available Bandwidth (Internet bandwidth during the end-users connection attempt to the Cloud PC).

Cloud PC utilization

Overall, devices are listed within the environment to gauge the end-users utilization into High, Average and low categories. Depending upon the outcome, a business decision can be made on whether to resize the Cloud PC or decommission it. (Cost Savings!)

Session Performance

This report is essentially showing you the sign-in and sign-out time of the Cloud PC, along with the overall session length. This will show you how much time the end-user is spending on their Cloud PC.

Connection quality

On a specific device level, you can further deep dive into the metric. The breakdown of the RTT/Bandwidth and Sign-in time on a daily basis for the last 7 days.

Aggregated daily trends – The median average of the daily trends for a specific Cloud PC device

Reference Links

I hope you will find this helpful information for the fetch reports from your Windows 365 Cloud PC deployments and providing an excellent end-user experience. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari