In the Aug 28, 2023 release for Windows 365 Enterprise, the reports for Connected Frontline Cloud PCs were announced. In today’s post, I will showcase how to access and make sure of the new report available within Microsoft Intune.
What does the report offer?
The primary aim of the Connected Frontline Cloud PCs report is to provide clarity on concurrent connections based on each frontline Cloud PC. This is crucial for businesses and IT Admins to understand their usage patterns and ensure they have the correct number of licenses. By analyzing the maximum concurrent connections, we can determine if there’s a need to acquire more licenses. This ensures that end users have uninterrupted access to their Frontline Cloud PCs. You can read more about Frontline Cloud PC provisioning in my previous blog post – PowerShell – Frontline Workers – Create Windows 365 Cloud PC Provisioning Policy | AskAresh
Accessing the report – Connected Frontline Cloud PCs
To view the report in Microsoft Intune portal, you can follow these steps:
If you don’t have the necessary permissions to manage Windows 365. You will also need these two roles to view the report (SharedUseLicenseUsageReport and SharedUseServicePlans)
Go to Devices > Overview > Cloud PC performance (preview) > You will find the report name Connected Frontline Cloud PCs. > Select View report
I have two licenses for Windows 365 Frontline Cloud PCs in my lab. I have four provisioned Cloud PCs. However, the maximum Cloud PCs that can be connected and worked upon simultaneously are two.
Scenario 1 – One Frontline Cloud PC connected out of my total two licenses
There is no warning here when one frontline Cloud PC is connected.
Scenario 2 – Two Frontline Cloud PC connected out of my total two licenses
You can see a warning stating you have reached the concurrency limit. The third session of frontline cloud PC will not be allowed.
Concurrent Frontline Cloud PC Connections
This is how the overall report looks when you click on the Cloud PC Size. The report aggregates data for the last 28 days and showcases:
The current number of connected Frontline Cloud PCs.
The maximum number of connected Frontline Cloud PCs for each day within the selected range (either 7 or 28 days).
The maximum concurrency limit.
Warnings when nearing or reaching the maximum concurrency limit.
It’s worth noting that this report is tailored for Windows 365 Frontline. If a business hasn’t purchased any Windows 365 Frontline licenses, the report will remain empty.
I hope you will find this helpful information for estimating and tracking the frontline worker concurrent usage via this report. Please let me know if I have missed any steps or details, and I will be happy to update the post.
I have a blog post about creating a Windows 365 Cloud PC Provisioning Policy using PowerShell. In this post blog, I will demonstrate how to create the provisioning policy using PowerShell and MS Graph API with beta modules for Windows 365 Cloud PC – Frontline Workers.
Example – Each Windows 365 Frontline license can be shared with up to three employees. This means that if you have 30 employees, you only need to purchase 10 licenses to provision the CloudPC for all 30 employees with access over the day. However, note you are buying the frontline license based on the active sessions. You must purchase the license accordingly if you have more than 10 active workers in a shift.
What happens when license are exhausted?
In my demo tenant, I have two licenses for Frontline workers. When I try to log in to the third one (Note I have already logged into 2 active sessions and running them.) Get the following message.
Connect to MS Graph API
Step 1 – Install the MS Graph Powershell Module
#Install Microsoft Graph Beta Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph.Beta
Step 2 – Connect to scopes and specify which API you wish to authenticate to. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”
#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All" -NoWelcome
Welcome To Microsoft Graph!
OR
#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All" -NoWelcome
Welcome To Microsoft Graph!
Permissions for MS Graph API
Step 3 – Check the User account by running the following beta command.
If you are doing on-premise network integration (Azure Network Connection) , then the following additional property and value is required. In my lab, I am leveraging the Microsoft Managed Network, so this is not required.
I hope you will find this helpful information for creating a frontline worker provisioning policy using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Alternate ANCs (Azure Network Connections) are secondary or backup connections to the Microsoft Azure network used to provide redundancy and high availability for Windows 365 Cloud PC provisioning of new desktops. Alternate ANCs can be used when a primary connection fails or experiences connectivity issues, ensuring access to Windows 365 Cloud Provisioning continues for the desktops uninterrupted using the backup ANC.
Introduction
Alternate ANCs can be used when a primary region availability fails, ensuring access to Windows 365 Cloud Provisioning continues for the new desktops uninterrupted using the backup ANC. As long as the first ANC in the list is Healthy, it will always be used for provisioning Cloud PCs using this policy. If the first ANC is not healthy, the policy will use the next ANC in the list that is healthy.
My Scenario
I have an Azure VNET in the region (Australia East) and a dedicated subnet for the Windows 365 Cloud PC desktops in my environment. Now imagine a scenario if the Azure region Australia East had issues. It will directly impact the provisioning of the new Cloud PC desktops.
How will we increase HA/DR capability during Cloud PC Provisioning Issues
Create a backup VNET in different region (Asia Pacific East Asia – HK)
Go to you Azure Portal and create a new VNET in a different region of you choice (Azure Portal — Virtual Networks – Create Network)
Create a dedicated subnet for Windows 365 Cloud PC
Go into the newly created VNET – W365-Bckup-VNET01 and select Subnet and click + Subnet and create a dedicated subnet for the Windows 365 Cloud PC.
Add the additional Azure Network Connection in Intune Portal
Type – There are two types we are selecting Azure AD join – azureADJoin
Resource Group ID – The resource group within Azure – W365-AVD-RG01
Virtual Network ID – The VNET within Azure – W365-Bckup-VNET01
Subnet ID – The subnet for W365 within VNET – Win365-ASE-Bac-Sub01
Cloud Provisioning Policy
Go into your Cloud PC Provisioning Policy and select Edit. Under the Azure Network Connection you will be able to see the newly added ANC – Win365-Bckup-ANC01 make sure you choose that. It will automatically assign the priority as 2 and will come into effect during network outages in the region.
In the above scenario, at all times, it will use the ANC-W365-Sub01 (Priority 1) network for provisioning all Cloud PC. If there is a contention or issues with the primary ANC, then the backup Win365-Bckup-ANC01 (Priority 2) network will kick in and continue provisioning the new desktops in that region/network.
Note
At the time of writting this blogpost, when i tried to create the backup VNET in Australia SouthEast and Australia Cental it said unsupported region when adding the Azure Network Connection. This was the reason i selected the Asiapacifc East (Honkong) region as the second best choice. I am sure at somepoint in time it will be fixed and I would be able to create a backup ANC within the country.
I hope you will find this helpful information for creating an Alternate Azure Network Connection for increasing the HA and DR on the cloud pc provisioning of new desktops. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Search Highlight is a feature in Windows 11 (Enterprise\Multi-session) that highlights search results in the Start menu and taskbar search box. While this feature can be helpful for some users, others may find it distracting or unnecessary. Fortunately, it is possible to disable the Search Highlight feature in Windows 11 using Microsoft Intune. Plenty of information is available on disabling the Windows 11 Search Highlight using Group policy, Registry and UI. However, we will leverage Custom OMA-URI settings from Microsoft Intune in this blog post.
Search – CSP Details
The Search – Policy configuration service provider enables the enterprise to configure policies on Windows 11. Following are the details on the one we are using for disabling the search highlights:
How to disable Search Highlights in Microsoft Endpoint Manager
To disable the Search Highlight feature in Windows 11 (Enterprise/Multi-session) using Microsoft Intune, follow these steps:
For Profile type, select Templates > Custom and select Create.
Enter a Name – DisableSearchHighlight and description and choose Next
Under the OMA-URI Settings, clicks on Add
Enter the Name, Description, and OMA-URI fetched in the references from the MS CSP link below. The value is an integer based on the documentation, and as we disable the setting, the value is 0.
Remember the MS documentation called out this setting only applies to Devices. In the case of Assignments, we will target Windows 365 Device Group and Azure Virtual Desktop Session Host Pools.
Click on Review and Save
Validate the Policy is applying
After 10-15 mins of waiting, go into the newly configured configuration profiles policy, and you will start seeing it getting applied to the targeted devices (MEM Portal > Devices > Configuration Profiles > DisableSearchHighlights)
Cloud PC – Within Windows 11
Login to the Windows 365 Cloud PC, and now when you click on Search, the advertisements and search highlights are gone.
I hope you will find this helpful information towards disabling the annoying Search Highlights on Windows 365, AVD environment and physical endpoints using Microsoft Endpoint Manager. Please let me know if I have missed any steps or details, and I will be happy to update the post.
In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t see my previous blog post on – Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop check that first.
Usecase
Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:
Business Security: Blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.
Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.
Pre-requisites
To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:
I hope you will find this helpful information towards web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.
If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.
Prerequisites
Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
Make sure the license is available and listed Microsoft admin center
Enable MDE in Microsoft 365 Security Portal/Intune
To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:
Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Click on On for Microsoft Intune Connection & Device Discovery
Scroll to the bottom and select Save Preferences
We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.
Create the Endpoint detection and response policy (onboarding)
Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.
Sign in to the Microsoft Endpoint Manager admin center.
On the onboarded device, go and run the following command to verify the status
Get-MpComputerStatus
Device Compliance Policy (Update)
I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.
Create Antivirus Policy in Intune
The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.
Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.
Sign in to the Microsoft Endpoint Manager admin center.
For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Microsoft Defender Antivirus, and then select Create.
Enter a Name – W365-AVD-AV-P01 and description and choose Next
Under the Configuration Settings
Configuration Settings
Status (Value)
Allow Archive Scanning (Scanning through zip and cab files)
Allowed
Allow Behaviour Monitoring
Allowed
Allow Cloud Protection (Joining Microsoft MAPS Community)
Allowed
Allow Email Scanning (Very useful if you are using Microsoft 365)
Allowed
Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives)
Allowed
Allow Intrusion Prevention System
Allowed
Allow scanning of all downloaded files and attachments
Allowed
Allow Realtime Monitoring
Allowed
Cloud Block Level
High
Allow Users UI Access (Defender Client)
Allowed
Enable Network Protection
Enabled (Audit mode)
Avg CPU Load Factor
Enabled (30%)
Schedule Quick Scan Time
Enable (120)
Signature Update Interval
Enable (8 hours)
Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
Review and Create the policy and it will go ahead and enable AV across the fleet.
After sometime all your devices will show whether they are onboarded or not.
Create Attack surface reduction (ASR) Policy in Intune
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.
Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).
Sign in to the Microsoft Endpoint Manager admin center.
Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Numerous scripts and vendor optimizers (VMware, Citrix and Microsoft) remove the default pre-installed Windows applications that come within the operating system, aka bloatware. You can get rid of all unnecessary applications using the Microsoft Store app (new) within Microsoft Intune.
I attended the Microsoft 365 Modern Management Meetup, and our very own Steven Hosking demonstrated the uninstall of default applications via Intune. I got inspired and thought about blogging and socializing this trick with everyone.
For my Windows 365 Cloud PC endpoint, I use the Azure image Gallery – Windows 11 22H2 + Cloud PC Optimized image, and for this example, we will uninstall Xbox pre-installed application.
Fetch the Application ID (MS Store)
In specific scenarios, when you try to search the application with the repository, it will not show, and the alternate method is to search via the ID.
Navigate to App — Windows – Click on Add and select App type as – Microsoft Store app (new) and hit select
Under Application Information, click on Select App and in my case, I will enter the Application ID I copied in the previous step.
Make sure all the application details that it has fetched (auto-populated) look good, and select Next
The critical step on the Assignments as we are going to Uninstall it from the environment, we will select Un-install and specify the device group, in this case, Windows 365 Cloud (AAD – Dynamic Device Group)
It is adviced you also leverage Filtering for targeting specifc device types within the environment.
Last step review and Create the Uninstall of the default Application
Rinse & Repeat for other applications
Using the above method, you can add other applications of your choice. Note the effort is one-time, so put it in and reap the benefits for all future versions of Windows.
Advantages of using Intune for Default App Removal
Lets take a look at the advantages of using this method:
There is no need of using 3rd party scripts posted by unknown sources.
You will still have to use the vendor optimizers for other things but you can setup these once within the Intune Portal and it will works for the current and future version of Windows.
The Intune method is not very socialized on removing bloatware from the default operating system.
I hope you will find this helpful information for removal of default applications from the Intune Portal. Please let me know if I have missed any steps or details, and I will be happy to update the post.
With the slightest effort, do you want to perform a disk cleanup operation? In this blogpost, we are setting up the Storage Sense to cleanup Temporary Files & Empty recycle bin on Windows 365 Cloud PC & AVD Multi-session host. Note by no means is Storage Sense a replacement for the detailed cleanmgr.exe tool, which can perform disk cleanup options in a much more granular manner. The below method is a quick method to get you started and later on improvise on your disk cleanup strategy.
What is Storage Sense?
Storage Sense is a feature in Microsoft Windows 11 that helps users free up space on their device by automatically deleting unnecessary files. It can delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time. It also helps users to see what is taking up space on their device and gives them the option to delete specific files or move files to an external storage device.
What features are available within Storage Sense?
Storage Sense in Microsoft Windows 11 has the following features:
Automatic cleanup: Storage Sense can automatically delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time.
Storage usage: It helps users to see what is taking up space on their device, and gives them the option to delete specific files or move files to an external storage device.
Storage sense can move files to external storage device
Storage sense can compress files to save space
Storage sense can move files to the cloud
Storage sense can delete files that are no longer needed
Storage sense can free up space by uninstalling apps
Storage sense can show you the storage usage of each app
Storage sense can help you to free up storage by cleaning up your downloads folder
What Configurations are available within Intune (MEM Portal)?
There are many ways to setup Storage Sense. However, the method we are going to opt is inline with the modern workplace management solution using Microsoft Intune (Microsoft Endpoint Manager admin center)
Setting Name
Details
Allow Disk Health Model Updates
Allows disk health model updates to predict disk hardware failure.
Allow Storage Sense Global
Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the
Allow Storage Sense Temporary Files Cleanup
When Storage Sense runs, it can delete the user’s temporary files that are not in use. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use.
Config Storage Sense Cloud Content Dehydration Threshold
When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content
Config Storage Sense Downloads Cleanup Threshold
When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder
Config Storage Sense Recycle Bin Cleanup Threshold
When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365
Removable Disk Deny Write Access
If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting “Deny write access to drives not protected by BitLocker,” which is located in “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.”
What policies are we applying?
In this scenario, we only focus on the deletion of temporary files, Recycle Bin, Moving the files to the OneDrive Known Folder (if configured) and checking the disk hardware.
What is the target of this policy?
We aim to kill two birds with one stone, and this policy configuration is not only applicable for Windows 10/11 based Windows 365 Cloud PC, it also works well for Windows 10/11 Multi-session host for Azure Virtual Desktop. This filter is critical to identifying whether the configuration setting will apply to your device type.
Assignments
We are assiging the policy to the Windows 365 AAD device group and add the Azure Virtual Desktop AAD device group here.
I hope you will find this helpful information for performing disk clean-up on Temporary & Recycle for Windows 365 Cloud PC & AVD. Please let me know if I have missed any steps or details, and I will be happy to update the post.
I have written various individual blog posts on PowerShell creation of all configurational task for Windows 365 Cloud PC under Microsoft Endpoint Portal (MEM).
Based on public demand, I want to create a consolidated post for all the scripts and configuration items that can get you started with Windows 365 Cloud PC using PowerShell: (Of course all the below features can also be configured using the UI, however below is the guidance strictly using PowerShell)
PowerShell links to my blog post
Following are the links to my blog post for each and individual task:
I promise you once you have done the hard work, you can get up and running in a few hours using all the above PowerShell scripts with Windows 365 Cloud PC.
GitHub Link
Here is the repo with all the scripts and more – askaresh/avdwin365mem (github.com). A big thanks to Andrew Taylor for collabrating and updating the Provisioning policy script with the SSO details that was release in late Nov 2022.
I hope you will find this helpful information for all things PowerShell w.r.t Windows 365 Cloud PC. I will update the post if I publish or update more information.
If you want to establish a network connection that allows communication between the Windows 365 Cloud PC and the existing Azure Virtual Network (ANC), then keep following this post. Today, I will demonstrate the Powershell method of creating the Azure Network Connection (ANC). Note that we need information from the Azure Portal to make sure you have all the necessary information handy or/or involve the necessary teams who can provide you with the information on Azure Networking.
Overview
Create the ANC first before creating the Win365 – Cloud Provisioning Policy (CPP)
If the ANC precreated then during the cloud provisioning of the Cloud PC desktops it will create them on the Azure VNET on your desired subnet
Make sure you have a working DNS configured on the VNET which can communicate with your on-premise network using express route or other Azure VNETs
Open necessary firewall ports based on your requirements on the NSG or Azure Firewall for the communication to your on-premise network using express route or other Azure VNETs
Permissions
Intune Administrator in Azure AD
Cloud PC Administrator
Global Administrator
If you decide to alter or change the ANC, you will have to reprovision the Cloud PC, and it’s a destructive activity. Make sure you architect it properly
You can delete your ANC however, you will have to update your cloud provisioning policy with the new ANC first, and then you can delete the existing ANC.
Connect to MS Graph API
Step 1 – Install the MS Graph Powershell Module
#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph.Beta
Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the ANC, so we need to change the scope to “CloudPC.ReadWrite.All”
#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All" -NoWelcome
Welcome To Microsoft Graph!
OR
#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All" -NoWelcome
Welcome To Microsoft Graph!
Step 3 – Check the User account by running the following beta command.
#Beta User
PS C:WINDOWSsystem32> Get-MgBetaUser -UserId admin@wdomain.com
Connect to Azure & Grab Details (Variable Region)
We are logging into Azure to grab all the details regarding to Resource Group, Subscription ID/Name, VNET and Subnets
Connect to the Azure Portal using the necessary credentials
Select the Azure Subscription that holds all the networking information
A display name of the Azure Network Connection – ANC – (ANC-W365-Sub01)
What is the join type of the ANC of the golden image virtual machine (azureADJoin)
Resource Group ID of the existing resource group. You will have to enter the resource group name (W365-AVD-RG01), and it will get us the ID we need.
Name of the existing subnet within the vNET (W365Workload-Sub01), and it will get us the ID we need.
Name of the existing VNET used for the connection. You will have to enter the VNET name (W365-AVD-VNET01), and it will get us the ID we need.
Connection to the MS Graph API and ensure you have the necessary write permissions.
We are using the beta API for Cloud PC
# Connect to the Azure Subcription
Connect-AzAccount
# Get existing context
$currentAzContext = Get-AzContext
# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id
# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name
# ANC Display Name
$ancdname = "ANC-W365-Sub01"
# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"
# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId
# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id
# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"
# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id
# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
We shall pass the above variable into the final ANC creation.
Create the Azure Network Connection
We are creating a Azure Network Connection that includes the following:
Display Name of the network – $ancdname
Azure Subscription ID – $subscriptionID
Azure Subscription Name – $subscriptionName
Type – There are two types we are selecting Azure AD join – azureADJoin
Resource Group ID – The resource group within Azure – $win365RGID
Virtual Network ID – The VNET within Azure – $win365VNETID
Subnet ID – The subnet for W365 within VNET – $win365SubID
# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
displayName = "$ancdname"
subscriptionId = "$subscriptionID"
type = "$ancjointype"
subscriptionName = "$subscriptionName"
resourceGroupId = "$win365RGID"
virtualNetworkId = "$win365VNETID"
subnetId = "$win365SubID"
}
New-MgBetaDeviceManagementVirtualEndpointOnPremiseConnection -BodyParameter $params -Debug
}
catch
{
Write-Host $_.Exception.Message -ForegroundColor Yellow
}
# Import module Az and MS Graph
Import-Module Az.Accounts
Install-Module Microsoft.Graph
# Connect to the Azure Subcription
Connect-AzAccount
# Get existing context
$currentAzContext = Get-AzContext
# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id
# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name
# ANC Display Name
$ancdname = "ANC-W365-Sub01"
# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"
# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId
# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id
# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"
# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id
# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
displayName = "$ancdname"
subscriptionId = "$subscriptionID"
type = "$ancjointype"
subscriptionName = "$subscriptionName"
resourceGroupId = "$win365RGID"
virtualNetworkId = "$win365VNETID"
subnetId = "$win365SubID"
}
New-MgBetaDeviceManagementVirtualEndpointOnPremiseConnection -BodyParameter $params -Debug
}
catch
{
Write-Host $_.Exception.Message -ForegroundColor Yellow
}
I hope you will find this helpful information for creating Azure Network Connection using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Recent Comments