The Concept of Windows 365 Boot

The Concept of Windows 365 Boot

In this blog post, I will explore the concept of Windows 365 Boot, a unique feature that complements Windows 365 Frontline well. Windows 365 Boot became generally available (GA) in September 2023 and is revolutionizing the way users can access their Cloud PCs.

The Concept of Windows 365 Boot.

Source: Microsoft Designer

So, buckle up for my next venture, and let’s look at what this relatively new feature is all about and which use cases it covers. Also, let me show you how to configure Windows 365 Boot and how we can restrict user access on the physical Windows 365 Boot device.

In this post, I’ll cover the following topics.

Prerequisites and Requirements

  • Windows 11-based devices (Pro & Enterprise).
  • The physical device (and Cloud PCs) must be running Windows 11 version (22621.2361 or later).
  • You must have a valid and working Microsoft Entra and Intune tenant.
  • You must have a Windows 365 Cloud PC license to access the Windows 365 Boot guided scenario.
  • You must use Microsoft Intune to manage your Windows 365 Boot devices and policies.
  • Microsoft Intune Administrator rights.

What is Windows 365 Boot?

Windows 365 Boot lets IT admins configure Windows 11 physical devices so that users can sign in directly to their Cloud PC from the physical device’s Windows 11 login screen, making it the primary Windows experience on the device with no additional steps. Signing out of the Cloud PC will return the physical device to the Windows 11 login screen – ready for the next user. This makes the Windows 365 Boot a great feature, especially when combined with Windows 365 Frontline, and for users who work shifts and share physical devices.

– So, we are basically turning the physical device into some sort of a thin client based on Windows 11.

What’s New for Windows 365 Boot

Microsoft announced these new features when Windows 365 Boot was made generally available:

Bluetooth
Multiple Cloud PCs
Windows 365 Frontline Cloud PCs
Max Connection Timeout Preferences
Security Baseline Profiles

Source: Windows 365 Boot is now generally available!

Upcoming Features and Improvements for Windows 365 Boot

The following improvements are beginning to roll out for Windows 365 Boot:

Dedicated mode for Windows 365 Boot
Customized company logo and name for Windows 365 Boot
Fail fast mechanism for Windows 365 Boot
Manage local PC settings through Windows 365 Boot

Source: Announcing Windows 11 Insider Preview Build 22635.2915 (Beta Channel)

The Use Cases of Windows 365 Boot

Who would benefit from the Windows 365 Boot feature? Well, I could definitely see this as an ideal solution for hospitals, retail stores, or call centers, especially when combined with Windows 365 Frontline.

Why, you ask? – It’s because Windows 365 Boot targets the same type of workers, such as nurses, salespeople, and other professionals who share company physical devices. Such kinds of workers might frequently switch between physical tasks and computer-based interactions. Windows 365 Boot lets them bypass the lengthy startup process and boot directly into their Cloud PC to continue their work right where they left off.

How to Configure Windows 365 Boot

Now that you know the concept behind Windows 365 Boot let me show you how to set this up using the guided scenario in Microsoft Intune. We start by creating a security group for our Windows 365 Boot devices. Next, we’ll create the resources required for Windows 365 Boot to work via the guided scenario and prepare each physical device for the transition.

Windows 365 Boot Guided Scenario

Go to https://intune.microsoft.com
In the left pane, select Groups.

Create a new Microsoft Entra ID security group for the Windows 365 Boot devices. – The group can be based on direct or dynamic membership.

Next, select Devices Windows 365 (under Provisioning) to start the Windows 365 Boot guided scenario.

Click Next to begin the guided scenario.

Fill in the required Device name and Resource prefix name field on the Basics page.
Click Next.

Keep the Windows update settings as is and click Next.

Select your preferred Language (Region) for the Windows Autopilot deployment profile.
Set the Max Connection Timeout to a value of your choice.
Click Next.

Next, we’ll assign my newly created Windows 365 Boot security group to these resources.
Click Next.

Review that everything is correct and click Save.

Once ready, we can move our attention to the preparation of the physical device.

The Windows 365 Boot Physical Device Setup

Let’s move on to preparing the physical devices, which requires adding them to our security group, a device wipe from Microsoft Intune, and Windows Autopilot registration.

Go to https://intune.microsoft.com
In the left pane, select Groups.

Select the newly created Windows 365 Boot security group.
Click + Add members, choose a device, and click Select.

Next, select Devices Windows (under By platform), choose the device you added to the Windows 365 Boot security group, and select Wipe. – Don’t select any of the boxes in the wipe confirmation box!
Click Wipe.

From the Out-of-Box-Experience (OOBE) stage, use Shift+F10 to open a command prompt.

Run the following commands:

PowerShell.exe
Set-ExecutionPolicy Bypass
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo.ps1 -Online
Restart-Computer

When prompted, sign in with a user that has the Intune Administrator role. After sign-in, the device is automatically enrolled in Microsoft Intune. – Wait a few minutes and then reboot the device.

Now, complete the Out-of-Box-Experience (OOBE) as you would with any user.

It runs through the Enrollment Status Page (ESP)

The Windows Autopilot provisioning is complete when you see the Windows 11 login screen.

Test and Verification

The user signs in with their Microsoft account on the Windows 11 login screen.

Once the credentials are validated, the user seamlessly connects to their Windows 365 Cloud PC.

I’m often asked if signing in locally to the physical device is possible, and the answer is NO! However, users are not completely restricted in accessing specific resources on the physical device. – In the next section, I will show you how to restrict access to specific resources with a few additional policies from Microsoft Intune.

Restrict User Access

The purpose of Windows 365 Boot physical devices is to let users interact directly with their Windows 365 Cloud PCs without the ability to access specific resources on the physical device. – However, IT admins must configure a few additional policies to achieve this goal.

Let’s remove the ability to access the Task Manager and Change a password.

Go to https://intune.microsoft.com
Select Devices Windows (under By platform) | Configuration profiles
Click + New Policy, choose Windows 10 and later, and the Settings catalog, and click Create.

Fill in the required Name field on the Basics page.

Click + Add settings on the Configuration settings page. In the Settings picker, search for Del Options.

Choose Administrative Templates\System\Ctrl+Alt+Del Options and select the following two settings:

  • Remove Change Password (User)
  • Remove Task Manager (User)

Close the Settings picker.

Enable both settings and click Next.

Select Scope tags if needed and click Next.

On the Assignments page, assign the Windows 365 Boot security group to this policy and click Next.

Review that everything is correct and click Create.

Verification

End users will no longer be able to access the Task Manager or Change a password on the physical device.

Summary

In this blog post, you learned about the concept of Windows 365 Boot and why it complements Windows 365 Frontline so well. I shared my view on use cases and took you through the guided scenario in Microsoft Intune.

In addition, you also learned that Windows 365 Boot doesn’t fully restrict end users from accessing specific resources on the physical device and what you can do to restrict access to those resources.

I hope you enjoyed this post and that you found it helpful. – To learn more about Windows 365, please visit our Windows 365 category.

That’s it, folks. Happy testing, and Merry Christmas!🎄🎅
If you have any questions regarding this topic, please feel free to reach out to us.

Table of Contents

Share this post
Search blog posts
Search
Authors
Modern Workplace consultant and a Microsoft MVP in Enterprise Mobility.
Modern Workplace consultant and a Microsoft MVP in Windows and Devices for IT.

Infrastructure architect with focus on Modern Workplace and Microsoft 365 security.

Cloud & security specialist with focus on Microsoft backend products and cloud technologies.

Cloud & Security Specialist, with a passion for all things Cybersecurity

Cloud and infrastructure security specialist with background in networking.

Infrastructure architect with focus on design, implementation, migration and consolidation.

Infrastructure consultant with focus on cloud solutions in Office365 and Azure.

follow us in feedly
Categories

Follow on SoMe