[This article is prerelease documentation and is subject to change.]
Cloud PC pools provide virtual machines for your Copilot Studio agents to perform computer-based tasks without a need to set up and manage physical machines. If you're building agents that need to interact with Windows applications (like opening files, using software, or navigating websites), a Cloud PC pool handles the infrastructure for you.
Powered by Windows 365 for Agents, Cloud PC pools offer scalable, secure compute resources. This article explains what Cloud PC pools are, how to set them up, licensing requirements, and answers to common questions.
Tip
Get started for free: You can create up to two Cloud PC pools in a tenant without requiring a Windows 365 for Agents billing plan in your Power Platform environment. Cloud PC pool usage isn't billable when triggered from embedded test chat, and each tenant is provided with 50 hours of free Cloud PC pool usage for published agents running autonomously.
Important
This article contains Microsoft Copilot Studio preview documentation and is subject to change.
Preview features aren't meant for production use and may have restricted functionality. These features are available before an official release so that you can get early access and provide feedback.
If you're building a production-ready agent, see Microsoft Copilot Studio Overview.
How to set up Cloud PC pools in Copilot Studio
Before you use Cloud PC pools for the first time, complete the following tasks:
- Understand what Cloud PC pools are and who should use them
- Create a Cloud PC pool
- Configure technical prerequisites
Understand Cloud PC pools
A Cloud PC pool is a scalable group of virtual machines (VMs) hosted in Microsoft's cloud that are Microsoft Entra joined and Intune enrolled. This setup enables your organization to fully manage the Cloud PC pool to ensure it meets your requirements and compliance policy.
Key features
Here are some of the key features of Cloud PC pool:
- Run the computer use tool as part of your agent in Copilot Studio without needing to bring your own machine.
- Automatically scale the number of Cloud PCs in your Cloud PC pool based on current workloads.
- Work or school account integration enables access to resources that are linked to your organization, such as Microsoft 365, SharePoint, and Azure.
- Because the Cloud PCs are Microsoft Entra joined and Intune enrolled, you have full governance of the Cloud PC pool and can keep it in compliance with your organization's policy.
Licensing requirements
Cloud PC pool uses a consumptive pay-as-you-go meter that bills your Azure subscription by using Azure meters. For more information, see Set up a pay-as-you-go plan.
Trials for evaluation
To evaluate the Cloud PC pool, you can create up to two Cloud PC pools in a tenant without requiring a Windows 365 for Agents billing plan in your Power Platform environment.
Cloud PC pool usage isn't billable when triggered from embedded test chat, and each tenant is provided with 50 hours of free Cloud PC pool usage for published agents running autonomously.
Create a Cloud PC pool
If you're new to Copilot Studio, review the following guidance to get started:
To create a Cloud PC pool for computer use in Copilot Studio:
Go to the Machines section in your computer use tool.
Select the machine drop-down. Under the Cloud PC pool section, select Add new.
Enter the Name and Description of your Cloud PC pool.
Choose whether to enable run-only access for all users in this environment.
Select Create.
Provisioning a Cloud PC pool can take up to 30 minutes. You can select the Refresh button in the Machines section to check on the status of your Cloud PC pool provisioning.
Note
As single sign-on (SSO) is enabled based on Windows sign-in, review the best practices for securing machines and configure access control when you add computer use to your agent.
Manage Cloud PC pools
You can view and manage your Cloud PC pools in the Power Automate portal by using one of the following methods:
Select See machine details when you select a Cloud PC pool in the Machines section of a computer use tool.
Sign in to the Power Automate portal. Then go to Monitor > Machines > Machine groups.
After you create your Cloud PC pool in an environment, you can view its details in the Power Automate portal.
Share a Cloud PC pool
You can share a Cloud PC pool with other users in your organization and give those users specific permissions to access it.
On the Cloud PC pool details page in the Power Automate portal, select Manage access.
Select Add people and enter the name of the person in your organization with whom you want to share the machine.
Select the person's name, and then choose the permissions they have on the machine.
Select Save.
When managing access to your machine, you can assign two levels of permissions:
Co-owner: This access level gives full permissions to that machine. Co-owners can run computer use on the machine, share it with others, edit its details, and delete it.
User: This access level only gives permission to run computer use on the machine. No edit, share, or delete permissions are possible with this access.
Delete a machine
You can delete a Cloud PC by selecting Delete machine on the Cloud PC pool details page in the Power Automate portal.
Monitor run queue
You can view the run queue and queue events by selecting the Run queue and Queue events tabs on the Cloud PC pool details page in the Power Automate portal. By using this feature, you can view all computer use sessions that are queued on the target Cloud PC pool.
Configure technical prerequisites (for IT administrators)
If you're an agent builder or developer without IT administrator privileges, share this section with your IT administrator to complete the setup.
Cloud PC pools require specific Microsoft Entra and Intune configurations to function properly. Your IT administrator might need to configure your tenant to enable Cloud PC pools. Complete these prerequisites before creating your first Cloud PC pool to avoid provisioning errors.
Prerequisites checklist for IT administrators
Before creating a Cloud PC pool, ensure the following prerequisites are met:
- ✅ A valid and working Intune and Microsoft Entra tenant
- ✅ Intune device type enrollment restrictions configured
- ✅ Microsoft Entra authentication for RDP enabled
- ✅ Consent prompt dialog hidden for target device groups
- ✅ Required service principals created (Windows 365 and Azure Virtual Desktop)
Microsoft Entra and Intune requirements
A valid and working Intune and Microsoft Entra tenant.
Ensure that Intune device type enrollment restrictions are set to Allow Windows (MDM) platform for corporate enrollment.
For more information about the Microsoft Entra and Intune requirements, see Windows 365 requirements.
Enable Microsoft Entra authentication for RDP and hide consent prompt dialog
Cloud PC pools run by creating a local remote desktop (RDP) session on the Cloud PC using a Microsoft Entra ID account. An admin must configure your tenant to allow Windows sign-in for Cloud PC pools.
Note
If enabling Microsoft Entra authentication for RDP isn't feasible, you can choose to disable Network Level Authentication (NLA) for Cloud PCs by using Intune policies. This approach is supported but isn't the preferred configuration. In this architecture, the security risk remains low since all RDP traffic is blocked on the Microsoft Hosted Network (MHN).
Steps to enable Microsoft Entra authentication for RDP
Set the isRemoteDesktopProtocolEnabled property to true on the service principal's remoteDesktopSecurityConfiguration object for the following Microsoft Entra application:
- Microsoft Remote Desktop:
a4a365df-50f1-4397-bc59-1a1564b8bb9c
To configure the service principal, use the Microsoft Graph PowerShell SDK to create a new remoteDesktopSecurityConfiguration object on the service principal and set the property isRemoteDesktopProtocolEnabled to true. You can also use the Microsoft Graph API with a tool such as Graph Explorer.
Configure the following prerequisites.
Open Azure Cloud Shell in the Azure portal with the PowerShell terminal type, or run PowerShell on your local device.
- If you're using Cloud Shell, make sure your Azure context is set to the subscription that you want to use.
- If you're using PowerShell locally, first sign in with Azure PowerShell, and then make sure your Azure context is set to the subscription that you want to use.
Make sure you installed the Microsoft Graph PowerShell SDK, then import the Authentication and Applications Microsoft Graph modules and connect to Microsoft Graph with the Application.Read.All and Application-RemoteDesktopConfig.ReadWrite.All scopes by running the following commands:

```powershell
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"
```

Get the object ID of the Microsoft Remote Desktop service principal by running the following command:

```powershell
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
```

Check if the remoteDesktopSecurityConfiguration object exists by running the following command.

```powershell
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId) -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
}
```

There's no output from this command.

Confirm the isRemoteDesktopProtocolEnabled property is set to true by running the following command:

```powershell
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
```

The output should be:

```
Id IsRemoteDesktopProtocolEnabled
-- ------------------------------
id True
```
Steps to hide the consent prompt dialog
1. Create a dynamic group in Microsoft Entra ID containing your Cloud PC pools:
   - Sign in to the Microsoft Entra admin center.
   - Go to Identity > Groups > All groups.
   - Select New group and configure the following settings:
     - Group type: Security
     - Group name: Enter a name for your group (for example, "Cloud PC Pools")
     - Membership type: Dynamic Device
   - Select Add dynamic query and enter the following rule syntax to include all Cloud PC pools:

     ```
     (device.enrollmentProfileName -startsWith "CPCPool_")
     ```

   - Select Save to create the group.
   - Make note of the Object ID of the group for the next step.

   Tip
   Use a dynamic group with membership rules for all your Cloud PC pools. The rule (device.enrollmentProfileName -startsWith "FlsGroup_") automatically includes all Cloud PC pool devices.

2. Create a targetDeviceGroup object by running the following commands. Replace <Group object ID> with the object ID of the group you created and <Group display name> with a display name for the group:

   ```powershell
   $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
   $tdg.Id = "<Group object ID>"
   $tdg.DisplayName = "<Group display name>"
   ```

3. Add the group to the targetDeviceGroup object by running the following command:

   ```powershell
   New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg
   ```

   The output should be similar to:

   ```
   Id                                   DisplayName
   --                                   -----------
   12345678-abcd-1234-abcd-1234567890ab Intune-Cloud-PC-Group
   ```

   To add more groups, repeat steps 2 and 3. You can add up to 10 groups.

4. (Optional) To later remove a device group from the targetDeviceGroup object, run the following command. Replace <Group object ID> with the object ID of the group you want to remove:

   ```powershell
   Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -TargetDeviceGroupId "<Group object ID>"
   ```
Note
Dynamic groups require a Microsoft Entra ID P1 license or Intune for Education license. The group membership normally updates within 5-10 minutes, but it can take up to 24 hours for large tenants.
The computer use run fails with an MSEntraRemoteDesktopAppConsentRequired error if consent isn't granted.
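The following read-only audit is an added example, not part of Microsoft's documentation: it reports whether Microsoft Entra authentication for RDP is enabled and checks that every group with the consent prompt hidden is a dynamic group scoped to a Cloud PC pool enrollment profile. The Microsoft.Graph.Groups module and the Group.Read.All scope are assumptions of this example; the prefixes are the two that appear in the rules above.

```powershell
# Added audit example, not Microsoft's code. Read-only: it changes nothing in the tenant.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups
# Group.Read.All is an extra scope (assumption of this example) for reading membership rules.
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All","Group.Read.All"

# Enrollment profile prefixes that appear in the membership rules on this page.
$expectedPrefixes = 'CPCPool_', 'FlsGroup_'
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id

$config = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
"Microsoft Entra authentication for RDP enabled: $($config.IsRemoteDesktopProtocolEnabled)"

$targets = @(Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId)
"Target device groups with the consent prompt hidden: $($targets.Count) (limit is 10)"

$report = foreach ($t in $targets) {
    $group = $null
    $findings = @()
    try {
        $group = Get-MgGroup -GroupId $t.Id -Property "id,displayName,groupTypes,membershipRule" -ErrorAction Stop
        $rule = [string]$group.MembershipRule
        $scoped = $expectedPrefixes | Where-Object { $rule -like "*device.enrollmentProfileName*$($_)*" }
        if ($group.GroupTypes -notcontains 'DynamicMembership') {
            # Assigned groups let anyone with group write access add an arbitrary device.
            $findings += 'assigned membership: devices can be added by hand'
        } elseif (-not $scoped) {
            $findings += 'rule is not limited to a Cloud PC pool enrollment profile'
        }
    } catch {
        $findings += 'group could not be read: possibly deleted, review this entry'
    }
    [pscustomobject]@{
        GroupId  = $t.Id
        Name     = $t.DisplayName
        Rule     = $group.MembershipRule
        Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Any row whose Findings column isn't "ok" is a group where the consent prompt is suppressed for devices beyond the Cloud PC pools; remove it with the Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup command shown in step 4 or tighten its membership rule.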
Windows 365 Cloud PC and Azure Virtual Desktop service principal
Note
The Windows 365 and Azure Virtual Desktop service principals are automatically created in your tenant. You can skip this step, unless you face an error with service principals not created in your tenant when you provision the hosted machine.
Check if the Windows 365 service principal exists:
Sign in to the Azure portal.
Go to Microsoft Entra > Enterprise applications > All applications.
Remove the filter Application type == Enterprise Applications.
Enter the Windows 365 application ID 0af06dc6-e4b5-4f28-818e-e78e62d137a5 in the filter Application ID starts with.
If the service principal exists in your Microsoft Entra, you don't need to perform any extra steps. If the application isn't listed, create the service principal.
Create the Windows 365 service principal.
You can create an Azure service principal by using the az ad sp create command from the Azure Command-Line Interface (CLI).

```bash
az ad sp create --id 0af06dc6-e4b5-4f28-818e-e78e62d137a5
```

Create other service principals related to Azure Virtual Desktop.
To create a hosted machine, you must create the following Azure Virtual Desktop services in your tenant.

| Application name | Application ID |
| --- | --- |
| Azure Virtual Desktop | 9cdead84-a844-4324-93f2-b2e6bb768d07 |
| Azure Virtual Desktop Client | a85cf173-4192-42f8-81fa-777a763e6e2c |
| Azure Virtual Desktop ARM Provider | 50e95039-b200-4007-bc97-8d5790743a63 |

Follow the same instructions as for creating the Windows 365 application to check and create the service principals.
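As an alternative to checking each application in the portal, this added example (not Microsoft's code) queries Microsoft Graph for the four application IDs listed in this section and prints the az ad sp create command for any that are missing. It is read-only and assumes the Microsoft Graph PowerShell SDK is installed.

```powershell
# Added example, not Microsoft's code. Read-only check of the service principals in this section.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"

# Application IDs exactly as given on this page.
$required = [ordered]@{
    'Windows 365'                        = '0af06dc6-e4b5-4f28-818e-e78e62d137a5'
    'Azure Virtual Desktop'              = '9cdead84-a844-4324-93f2-b2e6bb768d07'
    'Azure Virtual Desktop Client'       = 'a85cf173-4192-42f8-81fa-777a763e6e2c'
    'Azure Virtual Desktop ARM Provider' = '50e95039-b200-4007-bc97-8d5790743a63'
}

$status = foreach ($name in $required.Keys) {
    $appId = $required[$name]
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'" -Property "id,appId,displayName,accountEnabled"
    [pscustomobject]@{
        Application = $name
        AppId       = $appId
        Present     = [bool]$sp
        Enabled     = if ($sp) { $sp.AccountEnabled } else { $null }
        # Only missing principals get a suggested command; nothing is created here.
        Fix         = if ($sp) { '' } else { "az ad sp create --id $appId" }
    }
}
$status | Format-Table -AutoSize

$missing = @($status | Where-Object { -not $_.Present })
if ($missing.Count) {
    Write-Warning "$($missing.Count) required service principal(s) not found in this tenant."
}
```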
Administrative controls
Administrators can control the availability of the Cloud PC pool feature. To enable or disable the Cloud PC pool in an environment:
Go to the Power Platform admin center.
In the navigation pane, select Copilot, and then select Settings.
Select Computer Use. A list of environment groups and environments appears.
Select the environments to update and then select Add.
Check or uncheck Cloud PC, then select Save.
Limitations and known issues
The following limitations and known issues affect Cloud PC pools:
Only a Microsoft Entra user account can execute computer use. Additionally, the signed-in Microsoft Entra user must be the same account that owns the computer use connection.
When you attempt to create a Cloud PC pool, you might encounter the following error: "The creation of RPA Box on (us) is disabled outside the tenant location." To resolve this issue, enable cross-geo support for hosted machines in the Power Platform admin center:
Open the Power Platform admin center.
Select Manage > Environments, and select the environment.
Select Settings > Features.
Under Hosted RPA, select the toggle for Enable cross-geo support for hosted machines to enable this feature.
Frequently asked questions (FAQ)
What OS and network connectivity does the Cloud PC pool use?
Cloud PC pools run on the Windows 11 Enterprise 24H2 operating system with Microsoft Edge and use the Microsoft Hosted Network.
Where is the Cloud PC pool located?
Cloud PC pools are hosted in the same geography as your Power Platform environment.
What is the maximum number of VMs in a Cloud PC pool?
You can create up to five Cloud PC pools in an environment, and each Cloud PC pool can automatically scale up to 10 Cloud PCs.
Can I use Cloud PC pool for non-computer use runs?
No. Cloud PC pool is only for the computer use tool in a Copilot Studio agent.
How do I know if my trial is finished and how do I view consumptive reports for Cloud PC pool?
You can download the usage consumption report in the Power Platform admin center by following the instructions for view usage and billing for pay-as-you-go plan.
Is a Windows license required?
No. Cloud PC pool doesn't require a separate Windows license.
Is a Microsoft 365 Unattended license required?
No. Cloud PC pool usage for the computer use tool in a Copilot Studio agent doesn't require a Microsoft 365 Unattended license.