Examine Cloud PC Management options

The remote management options that are available for Windows 365 Cloud PCs vary depending upon the edition. Let's review the remote management actions that are available for each Windows 365 edition.

Windows 365 Business

Note

Windows 365 Business troubleshooting information is available here.

You can remotely manage Windows 365 Business Cloud PCs by using the Microsoft 365 admin center or Windows 365 portal. Each supports several remote management actions. To use these remote actions, you must have the appropriate Microsoft Entra role-based access roles, described in the following table:

| Admin actions | Roles required for windows365.microsoft.com | Roles required for Microsoft 365 admin center |
| --- | --- | --- |
| Windows 365 Business remote management actions (like reset, restart, and so on) | Microsoft Entra Global Administrator, or Windows 365 Administrator | Microsoft Entra Global Administrator, or Windows 365 Administrator and Global Reader (this grants access to the admin center) |
| License administration (assignment and removal of licenses from a user) | Microsoft Entra Global Administrator, or Windows 365 Administrator and License Administrator | Microsoft Entra Global Administrator, or License Administrator |

Note

You can grant remote action permissions to another user by assigning the Windows 365 Administrator role to them through the Microsoft 365 admin center, Windows 365 portal, or Microsoft Entra ID.
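The role table above can be turned into a least-privilege check. The following is an added example, not code from the original page: it reports which scoped roles an admin is missing for a given action and portal, and which scoped roles could stand in for Global Administrator. The action labels, user names, and the choice to flag Global Administrator are assumptions made for illustration.

```python
# Added example; role names and alternatives are taken from the table above.
GA, W365 = "Global Administrator", "Windows 365 Administrator"
READER, LIC = "Global Reader", "License Administrator"
PORTAL, M365 = "windows365.microsoft.com", "Microsoft 365 admin center"

# (action, portal) -> alternatives; holding every role in any one set is enough.
REQUIRED = {
    ("remote actions", PORTAL): [{GA}, {W365}],
    ("remote actions", M365): [{GA}, {W365, READER}],
    ("license administration", PORTAL): [{GA}, {W365, LIC}],
    ("license administration", M365): [{GA}, {LIC}],
}

def missing_roles(held, action, portal):
    """Fewest extra roles needed for the action, never proposing Global Administrator."""
    held = set(held)
    options = REQUIRED[(action, portal)]
    if any(option <= held for option in options):
        return set()
    scoped = [option - held for option in options if GA not in option]
    return min(scoped, key=lambda roles: (len(roles), sorted(roles)))

def review(assignments, duties):
    """Return (user, finding, roles) tuples for gaps and for Global Administrator use."""
    findings = []
    for user in sorted(assignments):
        held = set(assignments[user])
        needed = set()
        for action, portal in duties.get(user, []):
            # Evaluate as if Global Administrator were removed.
            needed |= missing_roles(held - {GA}, action, portal)
        if GA in held:
            findings.append((user, "replace Global Administrator with", sorted(needed)))
        elif needed:
            findings.append((user, "add", sorted(needed)))
    return findings

# Constructed sample tenant: who holds what, and what each admin must do.
ASSIGNMENTS = {"alice@example.com": [GA], "bob@example.com": [W365],
               "carol@example.com": [LIC]}
DUTIES = {
    "alice@example.com": [("remote actions", PORTAL)],
    "bob@example.com": [("remote actions", M365)],
    "carol@example.com": [("license administration", M365)],
}

if __name__ == "__main__":
    for finding in review(ASSIGNMENTS, DUTIES):
        print(finding)
```

The second finding shows the case that is easy to miss in the table: Windows 365 Administrator alone is enough in the Windows 365 portal, but the Microsoft 365 admin center also needs Global Reader.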

Microsoft 365 admin center and Windows 365 portal

The following remote actions are available in the Microsoft 365 admin center and Windows 365 portal:

Change account type: Change the role of a user on their Cloud PC. Options include Standard User and Local Administrator. For the role change to take effect, the user must sign out of Windows on their Cloud PC and sign back in. Alternatively, the admin can remotely restart the Cloud PC, but the user might lose any unsaved data.

Rename: Change the Cloud PC name that users see on windows365.microsoft.com.

Reset: If a user is having trouble with their Cloud PC, admins can reset the Cloud PC for them. This action:

  • Reinstalls Windows (with the option to choose between Windows 11 and Windows 10).
  • Removes all apps and locally stored files.
  • Removes changes made to settings.

It’s not possible to upgrade Windows 365 Business Cloud PCs from Windows 10 to Windows 11 and retain the user's data and settings. To upgrade from Windows 10 to Windows 11, you must use the Reset remote action and choose Windows 11. Reset is a destructive action that removes all the user's data and settings from their Cloud PC.

Windows 365 portal only

The following management options are available only in the Windows 365 portal:

User, license, apps, and device management:

Select Your organization's Cloud PCs in the Windows 365 portal to display a list of users in your organization and their assigned licenses. Select individual users to access the management options available for the user, including password reset, license and apps management, and device management.

Note

While you can perform Windows 365 Business license management in the Windows 365 portal, use the Microsoft 365 admin center for full Microsoft 365 license management.

Change organizational default settings:

Select Your organization’s Cloud PCs > Update organization settings to view or change the following settings:

  • Account type: Standard User or Local Administrator (default = Standard User).
  • Operating system: Windows 11 or Windows 10 (default = Windows 11).
  • Language and region: Sets the display language, time/date formats, and automatically installs any Features on Demand like text-to-speech and speech recognition (default = English).
  • Enroll new Cloud PCs in Intune: Select this option to automatically enroll new Cloud PCs in Intune (default = Off).
    This option is only visible if you have the Global Administrator or Windows 365 Administrator role and also have:

Note

By default, each user is a Standard User on their Cloud PC. Standard users can restart, reset, rename, and troubleshoot their Cloud PCs at windows365.microsoft.com or in the Windows 365 app.

Intune

If the organization and users have the required licenses, Windows 365 Business Cloud PCs can be enrolled and managed in Intune the same as other Windows 10/11 machines. For more information, see: Enroll Windows 10/11 devices in Intune.

Note

Enrolling Windows 365 Business Cloud PCs into Intune won't grant access to the Cloud PC creation page in Intune. Nor will enrollment grant access to any Windows 365 Enterprise-specific features like connection reports in Endpoint Analytics, custom images, or provisioning policies.

Windows 365 Enterprise, Frontline, and Government

Note

Windows 365 Enterprise, Frontline, and Government troubleshooting information is available here.

You manage your Windows 365 Enterprise, Frontline, and Government Cloud PCs starting from the Overview tab in the Microsoft Intune admin center. For more information, see: Device management overview for Cloud PCs.

Note

Intune GCC High is used to manage Windows 365 Government GCC High in the Microsoft Azure Government Cloud.

Windows 365 Enterprise, Frontline, and Government Cloud PCs support the following remote management actions:

  • Restart
  • Power On
  • Power Off
  • Sync
  • Rename
  • Quick Scan
  • Full Scan
  • Update Windows Defender
  • Reprovisioning
  • Resize
  • Collect diagnostics
  • Place Cloud PC Under Review

Some of the remote actions can be performed in bulk on multiple Cloud PCs. You can access the bulk actions tab in the Intune portal by going to Devices > All devices > Bulk device actions.

Note

By default, each user is a Standard User on their Cloud PC. Standard users can restart, reset, rename, and troubleshoot their Cloud PCs at windows365.microsoft.com or in the Windows 365 app.

Reprovision a Cloud PC

The Reprovision remote action lets admins reprovision Cloud PCs, which is similar to resetting a physical device. This action can be useful when:

  • You're testing different Cloud PC configurations.
  • Your provisioned Cloud PC is having issues.
  • The user simply wants to start from a fresh Cloud PC.

To Reprovision a Cloud PC, it must have a status of Failed or Provisioned in the Windows 365 provisioning node.

When a Cloud PC is reprovisioned, the Cloud PC is deleted and recreated as a new Cloud PC. All user data, applications, customizations, etc. are deleted.

The Cloud PC is reprovisioned to the current configured settings in the provisioning policy that is targeting the user's Microsoft Entra group. If the image referenced by the policy has changed, or if any other changes to the policy have been made, the reprovisioned Cloud PC uses the new settings.

Resize a Cloud PC

The Resize remote action, which preserves user and disk data, lets you:

  • Upgrade the RAM, CPU, and storage size of a Cloud PC.
  • Downgrade the RAM and CPU of a Cloud PC. Resizing doesn't let you downsize disk space.

These operations don't require reprovisioning of the Cloud PC.

You might consider resizing a Cloud PC when a user needs:

  • Higher RAM and vCPU cores to run CPU-intensive applications.
  • More disk space for file storing.
  • Less RAM and vCPU cores to run their current workload applications.

Resizing supports:

  • Both direct and group-based licenses.
  • Bulk and single device operations.

Important

Resizing automatically disconnects the user from their session and any unsaved work might be lost.

For more information about the Resize remote action, see: Resize a Cloud PC.

Restore a Cloud PC

Point-in-time restore lets an administrator restore a Cloud PC to the exact state it was at an earlier point in time. You can configure restore points to be automatically created at regular intervals for groups of Cloud PCs. You can also create on-demand restore points for specific times. Admins can also give users permission to restore their own Cloud PCs.

There are three different types of restore points that can be applied to a single Cloud PC or groups of Cloud PCs (using bulk actions):

  • Short-term restore points - can be configured to save a restore point every 4, 8, 12, 16, or 24 hours; the last 10 restore points are saved.
  • Long-term restore points - saved every seven days, not configurable.
  • On-demand manual restore points - administrators can create a manual restore point for any time they choose, and each Cloud PC can have only one manual restore point at a time.

Note

For short- and long-term restore points, the oldest restore point is removed as time passes and a new restore point is added. Manual restore points expire in approximately 28 days if not overwritten sooner by a new manual restore point.

Point-in-time restore can be configured in a new or existing user setting in Intune. All users in groups assigned to the user setting have permission to use the point-in-time restore feature. For more information, see: Configure point-in-time restore settings and Create on-demand manual restore points for Cloud PCs.

Cloud PCs can be restored individually or in groups, using bulk actions. You can also grant end users permissions to restore their own Cloud PCs.
For more information, see: Restore a single Cloud PC to a previous state and Restore multiple Cloud PCs in bulk.

Cloud PC restore points can also be shared to a storage account both individually and in bulk.
For more information on sharing Cloud PC restore points, see: Share Cloud PC restore points to an Azure Storage Account.

You might want to share (move or copy) a Cloud PC and its contents to:

  • Create a geographically distributed copy of a Cloud PC.
  • Make a copy of a Cloud PC during the off-boarding process.
  • Get a historical view of a Cloud PC (vs current) for eDiscovery.
  • Create a VHD that can be mounted on a physical device.

Move a Cloud PC

You can move existing Cloud PCs from their current region or Azure network connection (ANC) to a new one by editing a provisioning policy. Cloud PCs are shut down during the move process, so you should notify your users before the move so they can save their work and sign out. New Cloud PCs created by the edited provisioning policy are assigned to the new region or ANC.

For the steps to move a Cloud PC, see: Move a Cloud PC.

Alerts

The Windows 365 Alerts system notifies you when specific events occur in your Cloud PC environment, like connection, provisioning, or image upload failures. By default, these alerts appear in the Microsoft Intune admin center as pop-up notifications (you can also turn on email notifications). You can customize the following built-in alert rules:

  • Set conditions and thresholds for triggering alerts.
  • Define the severity of alerts.
  • Turn each alert rule on or off.
  • Configure each alert to notify you in the console and/or by email.

For more information about Windows 365 alerts, see: Alerts in Windows 365.

Cloud PC Profiles and Policies

Device profiles in Microsoft Intune allow you to add and configure settings then push the settings to devices in your organization, including Cloud PCs. You can target groups of Cloud PCs using dynamic device groups or filters for the following categories:

  • All Cloud PCs: This category is useful for applying policies and configurations to all Cloud PCs in your organization.
  • All Cloud PCs from a specific provisioning policy: This category is useful for applying policies and configurations to Cloud PCs based on the same image and location.
  • All Cloud PCs with a specific configuration: This category is useful for applying policies and configurations to Cloud PCs based on computing power (vCPU and RAM) or internal storage.

After creating the dynamic device groups and/or filters based on the categories you specified, you can use Intune to configure and apply device configuration profiles to those Cloud PCs.

For the steps to create dynamic device groups for your Cloud PCs, see: Create a dynamic device group containing your Cloud PCs.

For the steps to create filters for your Cloud PCs, see: Create a filter for Cloud PCs.

For more information about using filters in Intune, see: List of platforms, policies, and app types supported by filters in Microsoft Intune.

For the steps to create device configuration profiles in Intune, see: Create a device profile in Microsoft Intune.

For an example of creating and applying a device configuration profile to Cloud PCs in a dynamic device group or a filter, see: Create device configuration profile.

For more information about configuration profiles in Intune, see: Apply features and settings on your devices using device profiles in Microsoft Intune.

For more information about the Windows 10/11 policy settings that are available in Intune, see: Use Windows 10/11 templates to configure group policy settings in Microsoft Intune.

Manage Cloud PC user settings

The Windows 365 User settings page in Microsoft Intune lets administrators manage the following settings for the user:

  • Enable local admin: If enabled, each user in the assigned groups is elevated to a local administrator of each of their own Cloud PCs. These permissions apply at the user level.
  • Enable users to reset their Cloud PCs: If enabled, a Reset option is shown in the Windows 365 app and portal for users in the assigned groups. Resetting wipes and reprovisions the Cloud PC, deleting all user data and apps.
  • Allow user to initiate restore service: If enabled, each user in the assigned groups can restore their own Cloud PCs to any available backup version.

When managing settings, keep the following points in mind:

  • The settings can be applied before or after a Cloud PC is assigned.
  • Changes to the settings take effect when the user logs on. If the user is currently logged on, they must sign out and then sign in again to see the change.

For the steps to add, edit, or delete User settings, see: User settings.

Manage RDP device redirections

Remote Desktop Protocol (RDP) can be used to create device redirections that let users connect to physical peripherals (like cameras, USB drives, and printers) from within a remote desktop environment, including a Cloud PC. These redirections are enabled by default for Cloud PCs but can be configured according to your needs and security requirements.

The following table shows the client features that are supported per endpoint device:

Diagram showing client device redirection support for Windows Desktop (MSRDC), Microsoft Store client (URDC), Android, iOS/iPadOS, macOS, and Web Portal.

The following redirections can be managed by using the appropriate setting:

| Redirection | Setting/Group policy |
| --- | --- |
| Audio input | Allow audio recording redirection |
| Audio output | Allow audio and video playback redirection |
| Cameras | Do not allow video capture redirection |
| Clipboard | Do not allow Clipboard redirection |
| COM ports | Do not allow COM port redirection |
| Drives | Do not allow drive redirection |
| Location | Do not allow location redirection |
| Printers | Do not allow client printer redirection |
| Smartcards | Do not allow smart card device redirection |
| USB drives | Do not allow supported Plug and Play device redirection |

There are two ways to manage these redirections:

  • Settings Catalog: Use a device configuration policy in Microsoft Intune. Supports both Microsoft Entra join and Microsoft Entra hybrid join Cloud PCs.
  • Group Policy Object (GPO): Use GPOs in Windows Server Active Directory. Supports Microsoft Entra hybrid join Cloud PCs only.

For the steps to manage RDP device redirection settings, see: Manage RDP device redirections for Cloud PCs.
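The settings in the table mix two polarities ("Allow ..." for audio, "Do not allow ..." for everything else), so the same Enabled or Disabled value means opposite things depending on the row. The following added example, which is not code from the original page, resolves a set of policy values to the effective redirection state and lists what a baseline still leaves open. The sample policy, the baseline, and the treatment of Not configured as redirected (taken from the statement that redirections are enabled by default for Cloud PCs) are assumptions.

```python
# Added example; setting names are from the table above, sample data is constructed.
# redirection -> (setting name, True when the setting is worded "Allow ...")
SETTINGS = {
    "Audio input":  ("Allow audio recording redirection", True),
    "Audio output": ("Allow audio and video playback redirection", True),
    "Cameras":      ("Do not allow video capture redirection", False),
    "Clipboard":    ("Do not allow Clipboard redirection", False),
    "COM ports":    ("Do not allow COM port redirection", False),
    "Drives":       ("Do not allow drive redirection", False),
    "Location":     ("Do not allow location redirection", False),
    "Printers":     ("Do not allow client printer redirection", False),
    "Smartcards":   ("Do not allow smart card device redirection", False),
    "USB drives":   ("Do not allow supported Plug and Play device redirection", False),
}

def effective_state(policy):
    """Return {redirection: True if redirected, False if blocked}.

    policy maps setting name -> "Enabled" or "Disabled". A missing key means
    Not configured and is treated as redirected (assumption, see lead-in).
    """
    unknown = set(policy) - {name for name, _ in SETTINGS.values()}
    if unknown:
        raise ValueError(f"unrecognized setting(s): {sorted(unknown)}")
    state = {}
    for redirection, (name, is_allow) in SETTINGS.items():
        value = policy.get(name)
        if value is None:
            state[redirection] = True
        elif value in ("Enabled", "Disabled"):
            # "Do not allow X" = Enabled blocks; "Allow X" = Enabled permits.
            state[redirection] = (value == "Enabled") == is_allow
        else:
            raise ValueError(f"{name}: unexpected value {value!r}")
    return state

def baseline_gaps(policy, must_block):
    """Redirections the baseline wants blocked that are still redirected."""
    state = effective_state(policy)
    return sorted(r for r in must_block if state[r])

# Constructed sample policy and baseline (not recommendations from the page).
SAMPLE_POLICY = {
    "Do not allow Clipboard redirection": "Enabled",
    "Do not allow drive redirection": "Disabled",  # reads restrictive, permits drives
    "Allow audio recording redirection": "Disabled",
}
SAMPLE_BASELINE = {"Clipboard", "Drives", "USB drives", "Audio input"}
```

Calling `baseline_gaps(SAMPLE_POLICY, SAMPLE_BASELINE)` reports drives, where a "Do not allow" setting was set to Disabled, and USB drives, which were never configured.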

Microsoft Graph

You can use the Microsoft Graph APIs to manage all editions of Windows 365 Cloud PCs. You can provision Cloud PCs, manage device images, create and run health checks on Azure network connections, create and assign provisioning policies, and more with the Microsoft Graph API. For more information, see Overview for Windows 365 Cloud PC on Microsoft Graph.