Windows 365 – Technical Overview

Windows 365 is Microsoft’s new Cloud PC ‘as a service’ offering. It differs from the Azure Virtual Desktop service because:

  • W365 offers dedicated, one to one desktops only. AVD offers both dedicated and shared desktops, as well as remote application streaming.
  • W365 desktops are charged at a monthly flat-fee per-user. AVD is charged on a pay-as-you-use basis, but users must also have an M365 licence.
  • W365 is offered in Business (capped at 300 seats) and Enterprise licencing tiers, with varying feature sets. AVD has a standard feature set.
  • W365 Enterprise offers automatic point-in-time backup and restore capabilities as part of the cost. With AVD, this must be configured manually.
  • W365 Enterprise and AVD allow you to create and use custom images for your devices if required. W365 Business does not support this feature.

The key difference between the W365 Business and Enterprise tier is manageability. W365 Business is designed to provide a simple desktop experience, with devices provisioned using default configuration settings. Some limited remote management functionality is available if the user has a Microsoft Intune licence. W365 Enterprise desktops are designed to be managed using the Microsoft Endpoint Manager (MEM) cloud management service, this includes policy assignment, update management and troubleshooting.

Microsoft offers an excellent comparison of the feature sets at this link, which I have included extracts from below.

As you can see, W365 Business simplifies the deployment process by using a Microsoft-managed network. There is no support for Azure VNet joins, meaning no access to any legacy domains or services. This device is designed to be used with cloud or SaaS-based services, such as Office 365.

W365 Enterprise, however, supports Hybrid AAD and native AAD join operations with VNet support, which allows for access to existing domain services if required. It also allows administrators to manage the network for the device, including Azure Firewall and NSG configuration.

The Administrative Comparisons table really lets us drill into the limitations of the Business product. I have highlighted all the areas where services or functions are not supported; however, one that is not listed (and should be) is the apparent absence of the ability to back up your W365 Business desktop using the point-in-time restore service – details here.

For W365 Business, we can see that Policy Management, Monitoring, Troubleshooting and the cloud-based Universal Print service are all unsupported. Application Delivery, Windows Update and some elements of Device Management are supported, but only if your users are assigned an Intune licence. Crucially, W365 Business devices cannot be managed via the dedicated Windows 365 blade in the Microsoft Endpoint Manager console.

So it would seem that the W365 Business product offers a very limited management experience. However, it is important to remember that both the Enterprise and Business products require an Intune licence to allow for cloud-based management.

So if you are a sub-300-seat organisation that already uses Intune to manage your devices, and you are not concerned about backing these up or using the Intune W365 provisioning blade, it may be that W365 Business meets your requirements. All you are really losing compared to the Enterprise product is the W365 provisioning blade within Intune; Configuration Profiles, Compliance Policies and Managed Applications can still be assigned from Intune if you have the correct licences in place.

User Experience

Users can access their desktop from the W365 portal.

From here, they can access any desktops which have been provisioned for them via the web client, or download the full Remote Desktop client to provide a richer desktop experience.

In my case, all devices are configured to automatically enrol in Intune, so after login we are presented with the Enrolment Status Page (ESP), much like a user setting up an Autopilot device would be.

Conditional Access and MFA are supported for this sign-in, so you can mandate MFA for it if you wish. Intune enrolment can also be excluded from MFA policies to provide a simpler process for users.

That’s it. Post-enrolment, I have the Company Portal application deployed as a required application within Intune, so any optional apps can be installed by users from there.

If you do need to recover your W365 Enterprise device, this can be achieved from the W365 portal, as long as the correct policy is in place. The same menu exists for W365 Business devices; however, if you click the Restore button, you’ll be greeted with an error.

Although point-in-time backups are not supported for the W365 Business product, there’s nothing stopping you from using third-party data backup tools. The caveat here is that the device would need to be on and contactable to process a recovery action.

For my part, I tested out the OG Windows System Restore tool on a W365 Business desktop. Again, you aren’t going to be able to access this via WinPE if the system is not booting, but if you have broken an application or setting, it can be very useful.

And look at that, after a mandatory restart, it worked. I’ll add here that I doubt very much this is supported functionality!
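For anyone who wants to repeat the System Restore test above without clicking through the UI, here is an added PowerShell example (my own, not from the original post or from Microsoft) that enables System Restore on the system drive, creates a named restore point before a change, and lists what can be rolled back to. It assumes an elevated Windows PowerShell 5.1 session on the Cloud PC and that the system drive is C:.

```powershell
# Added example, not part of the original post.
# Assumes: elevated Windows PowerShell 5.1 on the W365 desktop, system drive is C:.

# Turn on System Restore for the system drive if it is not already enabled.
Enable-ComputerRestore -Drive "C:\"

# By default Windows only creates one restore point per 24 hours; Checkpoint-Computer
# silently does nothing if a point already exists in that window. The
# SystemRestorePointCreationFrequency value (minutes) controls this throttle; 0 disables it.
# Leave this out if you are happy with the default behaviour.
$srKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
Set-ItemProperty -Path $srKey -Name "SystemRestorePointCreationFrequency" -Value 0 -Type DWord

# Create a restore point ahead of an application or settings change.
$stamp = Get-Date -Format "yyyy-MM-dd HH:mm"
Checkpoint-Computer -Description "Before app change $stamp" -RestorePointType "MODIFY_SETTINGS"

# Confirm the checkpoint exists and note its SequenceNumber for a later rollback.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime

# To roll back to a point (this triggers the mandatory restart), supply its SequenceNumber:
# Restore-Computer -RestorePoint <SequenceNumber>
```

As in the post, this only helps while the Cloud PC still boots; it is a convenience for undoing a bad application or setting change, not a substitute for the point-in-time restore that the Enterprise tier provides.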

Feature-wise, W365 offers a compelling alternative to a physical device, one which can be kept ‘evergreen’ and supported through a simple monthly subscription cost.

This service allows organisations to avoid costly hardware update cycles, and end users could potentially access this service from their own devices or older corporate laptops.

Tools such as Nerdio Manager for Enterprise can also help to manage the cost by reclaiming unused licences, and even intelligently removing inactive users to avoid excess charges.