Share via

Create provisioning policies

Cloud PCs are created and assigned to users based on provisioning policies. These policies hold key provisioning rules and settings that let the Windows 365 service set up and configure the right Cloud PCs for your users. After provisioning policies are created and assigned to the Microsoft Entra user security groups or Microsoft 365 Groups, the Windows 365 service:

  1. Checks for appropriate licensing.
  2. Configures the Cloud PCs accordingly.

To learn more about Windows 365 provisioning concepts, see Provisioning.

A few things to keep in mind:

  • Windows 365 Enterprise

    • If a user in an assigned group doesn’t have a Cloud PC license assigned, Windows 365 won’t provision their Cloud PC.
    • For each Cloud PC license assigned to a user, only one provisioning policy is used to set up and configure the Cloud PC. The Windows 365 service always uses the first assigned policy to provision the Cloud PC.

  • Windows 365 Frontline in dedicated mode

    • If you have more users in your Microsoft Entra user group than the number of Cloud PCs available for the selected size, some users might not receive their Cloud PC.
    • If you remove users from your Microsoft Entra user group, their Cloud PC is automatically moved into a grace period.

  • Windows 365 Frontline in shared mode

    • If you remove users from your Microsoft Entra user group, the user loses access to the Cloud PC.
    • If you remove the Microsoft Entra user group from the assignment, the Cloud PCs are automatically deprovisioned without moving into grace period.

  • Windows 365 Reserve

    • Cloud PCs are provisioned through the "Provision" device action, not automatically when the provisioning policy is created.
    • If you have more users in your Microsoft Entra user group than the number of licenses available in the tenant, some users might not receive their license assignment.
    • For each Cloud PC license assigned to a user, only one provisioning policy is used to set up and configure the Cloud PC. The Windows 365 service always uses the first assigned policy to provision the Cloud PC.

Provide general information

  1. Sign in to the Microsoft Intune admin center, select Devices > Windows 365 (under Device onboarding) > Provisioning policies > Create policy.

  2. On the General page, enter a Name and Description (optional) for the new policy.

    Tip

    Your provisioning policy name can't contain the following characters: < > & | " ^

  3. Choose Experience type:

    • Access a full Cloud PC desktop: Users connect to a full Windows desktop experience. This option is available for all Windows 365 license types.

    • Access only apps which run on a Cloud PC: Users connect to Cloud Apps. This option is only available for Windows 365 Frontline in shared mode.

  4. Choose a License type:

    • Enterprise: Provision Cloud PCs for Windows 365 Enterprise.
    • Frontline: Provision Cloud PCs for Windows 365 Frontline. You must have Windows 365 Frontline licenses to create a provisioning policy for Frontline Cloud PCs. A warning is shown if you lack such licenses when you choose this option.
    • Reserve: Provision Cloud PCs for Windows 365 Reserve.

  5. If you choose Frontline, you must also select a Frontline type:

  6. If you choose Enterprise or Frontline, then you need to select a Join type.

    • Microsoft Entra Join: You have two options for Network:
      • Microsoft hosted network: Select a Geography where you want your Cloud PCs provisioned. Then, for Region, you can select:
        • Automatic (Recommended): The Windows 365 service automatically chooses a region within the selected geography at the time of provisioning. Microsoft strongly recommends using the Automatic option. This automation decreases the chance of provisioning failure.
          • Automatic region is not supported for Frontline in shared mode.
          • Automatic region is the only option for Reserve.
        • A specific region: This option makes sure that your Cloud PCs are only provisioned in the region that you choose.
      • Azure network connection: Select an Azure network connection (ANC) to use for this policy.
    • Hybrid Microsoft Entra join: You must select an ANC to use for this policy.

  7. Lastly, on the General page, you can check the box so that your users Use Microsoft Entra single sign-on.

Tip

For Frontline in shared mode, if you want to make sure that users aren't prompted each time they connect, then Hide consent prompt dialog.

Select an ANC

You must select an ANC for your provisioning policy if you selected either of these two options in the previous section:

  • Join type = Hybrid Microsoft Entra Join
  • Join type = Microsoft Entra join and Network = Azure network connection

To select an ANC, follow these steps:

  1. On the General page, for Azure network connection, select one or more ANCs. For more information about using multiple ANCs, see Alternate ANCs.

  2. If you select more than one ANC, you can set the priority order for those ANCs. To do so, hover over an ANC > select and drag on the three dots > drag the ANC to a different position in the list.

As long as the first ANC in the list is Healthy, it's always used for provisioning Cloud PCs using this policy. If the first ANC isn't healthy, the policy uses the next ANC in the list that is healthy.

Note

For Frontline in shared mode, the ANC must be in the same region.

Select an image

  1. On the Image page, for Image type, select one of the following options:

    • Gallery image: Choose Select > select an image from the gallery > Select. Gallery images are default images provided for your use.
      • For Reserve, the default gallery image is Automatic, where Windows 365 selects the latest image.
    • Custom image: Choose Select > select an image from the list > Select. The page displays the list of images that you uploaded using the Add device images workflow.
    • Optional. If you selected Access only apps for Experience in the previous step, then you can view applications that are discovered in the image and will be available to publish as Cloud Apps after the provisioning policy is created.

  2. Select Next.

Select configurations

  1. On the Configuration page, under Windows settings, choose a Language & Region. The selected language pack is installed on Cloud PCs provisioned with this policy.

  2. Optional. Select Apply device name template to create a Cloud PC naming template to use when naming all Cloud PCs that are provisioned with this policy. This naming template updates the NETBIOS name and doesn't affect the display name of the Cloud PC. When creating the template, follow these rules:

    • Enterprise and Frontline dedicated mode
      • Names must be between 5 and 15 characters.
      • Names can contain letters, numbers, and hyphens.
      • Names can't include blank spaces or underscores.
      • Optional. Use the %USERNAME:X% macro to add the first X letters of the username.
      • Required. Use the %RAND:Y% macro to add a random string of characters, where Y equals the number of characters to add. Y must be 5 or more. Names must contain a randomized string.
    • Frontline in shared mode
      • Names must be exactly 15 characters.
      • Names can contain letters, numbers, and hyphens.
      • Names can't include blank spaces or underscores.
      • Prefix must be 7 or less characters.
      • Required. Use the %RAND:Y% macro to add a random string of characters, where Y equals the number of characters to add. Y must be 8 or more. Names must contain a randomized string.

    Example of custom naming templates:

    • ABCDEF-%RAND:8%

  3. Optional. Under Additional services, choose a service to be installed on Cloud PCs provisioned with this policy:

    • Windows Autopatch is a cloud service that automates updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams on both physical and virtual devices. For more information, see What is Windows Autopatch? and the Windows Autopatch FAQ. The Windows Autopatch option isn't available for Frontline in shared mode.

      • If you already have Windows Autopatch configured to manage your Cloud PCs, this option replaces the existing policy. This replacement might disrupt any dynamic distribution that is already configured in Autopatch.
      • When Windows Autopatch is selected, the system assigns devices to a new ring as the last ring of the Autopatch group.
      • To manually enable dynamic distribution for your Cloud PCs, modify your Autopatch Groups dynamic distribution list to include the Entra ID group to which your Cloud PCs are being added.
      • None. Manage and update Cloud PCs manually.
      • The Autopatch option is not available for Frontline devices in shared mode, however it is possible for Frontline devices in shared mode to be enrolled in Autopatch and receive Windows update policies.

    • Windows Autopilot (Preview) is a cloud service that ensures Intune applications and scripts are installed during initial enrollment and setup. Choose a Device Preparation Profile from the list, or create a new one. Learn more about Autopilot Device Preparation for Cloud PCs.

    • User Experience Sync can be enabled for Windows 365 Frontline Cloud PCs in shared mode. If enabled, Windows 365 stores user-specific Windows and app experience data in central cloud storage and reconnects it whenever the user signs in to the cloud PCs in this provisioning policy. User storage limits are based on Frontline license type and are pooled across all users assigned. Learn more about User Experience Sync.

  4. Select Next.

Create scope tags

  1. Optional. You can create scope tags for your provisioning policy.
  2. Select Next.

Create assignments

  1. On the Assignments page, choose Select groups > choose the groups you want this policy assigned to > Select. Nested groups aren't currently supported.

    • For Windows 365 Frontline in dedicated mode, you must also select a Cloud PC size for each group in the policy. Choose Select one > select a size under Available sizes > Select.

      • Optional. You can create an assignment to reserve licenses for the group members by following these steps:
        1. Under Assignment, enter an Assignment name.
        2. For Number of licenses, enter the number of licenses that you want to reserve for the group. You can also see the number of unassigned licenses.

    • For Windows 365 Frontline in shared mode you must:

      1. Choose Select one > select a size under Available sizes > Select.
      2. Type in a Friendly name > select a Cloud PC number > Next. The Friendly name shows up in the end user's Windows app.

  2. Select Next.

Review and create

On the Review + create page, select Create. If you used Microsoft Entra hybrid join as the join type, it can take up to 60 minutes for the policy creation process to complete. The time depends on when the Microsoft Entra Connect sync last happened.

After the provisioning policy is created and assigned, Windows 365 automatically starts to provision Cloud PCs.

Next steps

  • Last updated on