Explore Windows 365 Boot


Note

The following information doesn't apply to Windows 365 Business edition.

The Windows 365 Boot feature lets admins configure Windows 11 physical devices so that users can sign in directly to their Windows 365 Cloud PC without first signing in to the physical device. This can be a good solution for workers who share physical devices, such as nurses, salespeople, and call center staff. Windows 365 Boot lets them bypass the lengthy startup process and boot directly into their secure Cloud PC to pick up right where they left off. When the user signs out of their Windows 365 Cloud PC, the device returns to the Windows 11 sign-in screen, ready for the next user to sign in.

Requirements for Windows 365 Boot:

  • Windows 11 Professional or Windows 11 Enterprise endpoints (version 22621.2361 or later).
  • Microsoft Intune Administrator rights.
  • Windows 365 Enterprise or Frontline Cloud PC license(s).

The following tasks are required to set up Windows 365 Boot:

  • Configure Windows 365 Boot settings in Intune.
  • Configure physical devices for Windows 365 Boot.

Configure Windows 365 Boot settings in Intune

Perform the steps in Guided scenario - deploy Windows 365 Boot to shared physical devices to configure Windows 365 Boot in Intune.

Important

Since there's no local Windows user interface available to the user, it's important that you carefully configure the Windows update settings in the Endpoint updates portion of the guided scenario to ensure that Windows remains secure.

Windows 365 Boot also supports Windows Autopatch to automate patch management for Windows 365 Boot physical devices, but it must be configured outside the guided scenario.

Review device configurations

Review the configuration policies in Intune that can be applied to your Windows 365 Boot devices to meet your organization’s security needs for preventing access to the physical device. Make sure they're appropriate for a device that only connects directly to a Windows 365 Cloud PC. Unassign unnecessary apps and configuration profiles so that the Windows 365 Boot connection is a seamless experience.

To restrict end users from accessing certain resources on the physical device, you must first set some Configuration Service Provider (CSP) policies in Intune. The following CSP policies are available, with others periodically being added to enhance Windows 365 Boot capabilities:

  • DisableTaskMgr Policy (Ctrl + Alt + Del screen won't show the option of Task Manager).
  • DisableChangePassword Policy (Ctrl + Alt + Del screen won't show the option of changing the password).
  • DefaultCredentialProvider Policy (set default credentials provider as password provider).
  • DisableNotificationCenter Policy (remove Notifications and Action Center from the task bar).
  • NoToastNotification Policy (prevent physical device notifications).
  • DisableExplorerRunLegacy_1 and DisableExplorerRunLegacy_2 Policy (disable automatic start-up apps, user list & machine list).
  • EnableTouchKeyboardAutoInvokeInDesktopMode Policy (improve sign-in on touch screen devices).

At the time of this writing, a description of the most recent CSP is available at the following location: CloudDesktop CSP.

Configure physical devices for Windows 365 Boot

The following steps are required to configure a physical device for Windows 365 Boot:

Note

Each physical device (and Cloud PC) must be running Windows 11 Enterprise or Professional, version 22621.2361 or later.

Enroll the physical device in Intune

To deploy Windows 365 Boot to a physical device, it must be enrolled in Intune. If the device you wish to set up for Windows 365 Boot isn't already enrolled in Intune management, perform the steps in Enroll Windows 10/11 devices in Intune to enroll the device.

Wipe the physical device

Use the Wipe device action in Intune to restore the physical device to its factory default settings. Don't select any of the options in the wipe confirmation box. For more information, see: Remove devices by using wipe, retire, or manually unenrolling the device.

Note

The Wipe action doesn't remove the Autopilot registration from the device.

After you complete the wipe, sign in to the physical device and install all the latest Windows updates from the Windows Update Settings page.
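Once the updates are installed, the edition and version requirement (Professional or Enterprise, version 22621.2361 or later) can be confirmed on the device itself. The following PowerShell check is an added example, not part of the original module: the function names Test-BuildAtLeast and Test-W365BootBaseline are hypothetical, and it assumes the standard CurrentBuildNumber, UBR, and EditionID values under the Windows NT\CurrentVersion registry key.

```powershell
# Added example: pre-flight check against the Windows 365 Boot endpoint requirements.
# Function names are hypothetical helpers, not Microsoft cmdlets.

function Test-BuildAtLeast {
    # Compare build first, then the update revision (UBR), so that a newer
    # build with a low revision (for example 22631.100) still passes.
    param([int]$Build, [int]$Revision, [int]$MinBuild, [int]$MinRevision)
    if ($Build -ne $MinBuild) { return ($Build -gt $MinBuild) }
    return ($Revision -ge $MinRevision)
}

function Test-W365BootBaseline {
    # Assumption: these registry values are present, as on a standard Windows 11 install.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [int]$cv.CurrentBuildNumber
    $revision = [int]$cv.UBR
    $edition  = [string]$cv.EditionID

    [pscustomobject]@{
        Edition   = $edition
        Version   = "$build.$revision"
        # Exact matches only; other edition IDs are flagged for manual review.
        EditionOk = $edition -in @('Professional', 'Enterprise')
        # Minimum taken from the requirements list: 22621.2361
        BuildOk   = Test-BuildAtLeast -Build $build -Revision $revision `
                        -MinBuild 22621 -MinRevision 2361
    }
}

$result = Test-W365BootBaseline
$result | Format-List

if (-not ($result.EditionOk -and $result.BuildOk)) {
    Write-Warning "Device does not meet the Windows 365 Boot baseline (found $($result.Edition) $($result.Version))."
}
```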

Register the physical device with Windows Autopilot

Note

If the device is already registered with Autopilot, skip this step.

To register the physical device with Windows Autopilot, execute the following PowerShell commands from a command prompt:

PowerShell.exe -ExecutionPolicy Bypass

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-Script -name Get-WindowsAutopilotInfo -Force

Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned

Get-WindowsAutopilotInfo -Online

When prompted, sign in with a user that has the Intune Administrator role. After sign-in, the device is automatically enrolled in Intune. Make a note of the serial number. It will be used in the next step, when you add the physical device to the Microsoft Entra group that you designated in the Windows 365 Boot guided scenario.

Add the physical device to the Microsoft Entra group

In the Microsoft Intune admin center, locate the Microsoft Entra group that you designated in the Windows 365 Boot guided scenario, and add the physical device as a member of the group, using its serial number. When devices are added to the group and have internet access, they automatically start receiving the resources and policies from the Windows 365 Boot guided scenario.

Now is a good time to confirm that the configuration policies in Intune that are applied to your Windows 365 Boot devices meet your organization’s needs.

Note

You can complete the guided scenario before there are any devices in the group. You can also add preregistered Windows Autopilot devices to the group. Add them to the group before you enroll or apply any policies.

Sign in to the physical device

Complete the Out-of-Box-Experience (OOBE) for the physical device and restart the device to complete the Windows 365 Boot configuration. When a licensed user signs in to the device, they're taken directly to their Windows 365 Cloud PC.

