Known issues: Windows 365 Enterprise

The following items are known issues for Windows 365 Enterprise.

Missing start menu and taskbar when using iPad and the Remote Desktop app to access a Cloud PC

When non-local admin users sign in to a Cloud PC by using an iPad and the Microsoft Remote Desktop app, the start menu and task bar might be missing from the Windows 11 user interface.

Troubleshooting steps: Make sure that you have the latest version of Remote Desktop Client as found here. In addition, you can also sign in to the Cloud PC by using

Restore and automatic rolling credentials

Many devices registered with Active Directory might have a machine account password that is automatically updated. By default, these passwords are updated every 30 days. This automation applies to hybrid joined PCs but not Azure Active Directory Native PCs.

The machine account password is maintained on the Cloud PC. If the Cloud PC is restored to a point that has a previous password stored, the Cloud PC won't be able to sign onto the domain.

For more information, see Machine Account Password Process.
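The check below is an added example, not Microsoft's code. It compares a candidate restore point with the last machine account password change recorded in Active Directory and reports the secure channel state. The function name and the `RestorePointTime` parameter are hypothetical, and it assumes a hybrid joined Cloud PC with line of sight to a domain controller.

```powershell
# Added example (not from the original page). Run elevated on the Cloud PC.
function Test-RestorePointPassword {
    param(
        # Hypothetical input: creation time of the restore point you plan to use.
        [Parameter(Mandatory)] [datetime] $RestorePointTime
    )

    # Netlogon settings that control automatic machine account password updates.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $np  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $maxAgeDays = if ($null -ne $np.MaximumPasswordAge) { $np.MaximumPasswordAge } else { 30 }

    # Look up when the directory last recorded a password change for this computer.
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $searcher = [adsisearcher]$filter
    $searcher.PropertiesToLoad.Add('pwdlastset') | Out-Null
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "Computer account for $env:COMPUTERNAME not found in AD." }
    $pwdLastSet = [datetime]::FromFileTimeUtc([int64]$entry.Properties['pwdlastset'][0])

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        MaximumPasswordAgeDays    = $maxAgeDays
        RotationDisabled          = ($np.DisablePasswordChange -eq 1)
        PasswordLastSetUtc        = $pwdLastSet
        RestorePointUtc           = $RestorePointTime.ToUniversalTime()
        # True means the restore point holds a password older than the one in AD,
        # which is the situation described above.
        RestorePointPredatesReset = ($RestorePointTime.ToUniversalTime() -lt $pwdLastSet)
        # Current state of the secure channel to the domain ($true = healthy).
        SecureChannelHealthy      = (Test-ComputerSecureChannel)
    }
}

# Constructed sample value: a restore point taken 45 days ago.
Test-RestorePointPassword -RestorePointTime (Get-Date).AddDays(-45)
```

Run it before choosing a restore point, and again after a restore to confirm that `SecureChannelHealthy` is still `True`.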

Cursor visible location offset from actual position

In a remote desktop session, when you select a position in a text file, the visible cursor in the Cloud PC is offset from the actual position.

Possible cause: In high DPI mode, both the server and Cloud PC browser scale the cursor. This conflict results in an offset between the visible cursor position and the actual cursor focus.

Troubleshooting steps: Turn off high DPI mode.

Outlook only downloads one month of mail

Outlook only downloads one month of previous mail and this can't be changed in Outlook settings.

Troubleshooting steps:

  1. Launch registry editor.
  2. Remove the syncwindowsetting regkey under the path \HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\cached mode.
  3. Add the syncwindowsetting regkey with the value 1 under the path HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Cached Mode.

After you complete these steps, the default will be one month. However, the download period can be changed in Outlook settings.
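The same steps as a script, as an added example that is not Microsoft's code. The page does not state the value type; `REG_DWORD` is assumed here. The output property names are illustrative.

```powershell
# Added example (not from the original page).
# Run in the affected user's session: HKEY_CURRENT_USER is per-user.
$name       = 'syncwindowsetting'
$policyPath = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\outlook\cached mode'
$userPath   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Cached Mode'

# Record the policy value before removing it so the change can be reviewed later.
$policyItem  = Get-ItemProperty -Path $policyPath -Name $name -ErrorAction SilentlyContinue
$priorPolicy = if ($policyItem) { $policyItem.$name } else { $null }

# Step 2: remove the value from the policy path, if present.
if ($policyItem) {
    Remove-ItemProperty -Path $policyPath -Name $name
}

# Step 3: create the user-preference key if needed and set the value to 1.
if (-not (Test-Path -Path $userPath)) {
    New-Item -Path $userPath -Force | Out-Null
}
# Assumption: the value is stored as REG_DWORD.
New-ItemProperty -Path $userPath -Name $name -Value 1 -PropertyType DWord -Force | Out-Null

# Verify the end state.
$stillInPolicy = [bool](Get-ItemProperty -Path $policyPath -Name $name -ErrorAction SilentlyContinue)
[pscustomobject]@{
    PriorPolicyValue = $priorPolicy
    PolicyValueGone  = -not $stillInPolicy
    UserValue        = (Get-ItemProperty -Path $userPath -Name $name).$name
}
```

Values under the `Policies` path are normally written by Group Policy, so if a GPO still configures this setting it will reappear at the next policy refresh; check `PolicyValueGone` again after a refresh.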

Windows doesn’t scan for software updates until the first time a user signs in

While a Windows PC (physical or Cloud PC) sits idle before the first user signs in, Windows Update doesn’t scan for or install monthly quality patches. Without such scans, the PC might miss important security updates. Without the latest security updates, the device is exposed to security vulnerabilities.

Troubleshooting steps: Make sure that a user signs in to new Cloud PCs as soon as possible.

In-place Windows upgrade may change computer name

Upgrading an existing Cloud PC between release versions of Windows 10 to Windows 11 may cause the computer name to be changed to a name with a prefix of "pps" while leaving the Intune device name unchanged.

Troubleshooting steps: Find and manage the Cloud PC in Microsoft Endpoint Manager by using the unchanged Intune device name, either through the Devices > All devices list or the Devices > Windows 365 > All Cloud PCs list.

Windows 365 provisioning fails

Windows 365 provisioning failures may occur because both:

  • the Desired State Configuration (DSC) extension isn't signed and
  • the PowerShell Execution policy is set to AllSigned in the Group Policy Object (GPO)

Troubleshooting steps:

  1. Did the Azure network connection (ANC) fail with the following error: "An internal error occurred. The virtual machine deployment timed out."?
  2. If yes, review the related GPO. Is PowerShell Execution set to AllSigned?
  3. If it is, either remove the GPO or reset the PowerShell Execution to Unrestricted.
  4. Retry the ANC health check. If the check succeeds, retry provisioning.
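For step 2, the added example below (not Microsoft's code) reports which scope decides the effective execution policy and whether that scope is controlled by Group Policy. It assumes you run it on an existing domain-joined machine that receives the same GPO as the Cloud PCs being provisioned; the function and property names are illustrative.

```powershell
# Added example (not from the original page).
function Get-ExecutionPolicySource {
    # Scopes that can only be set through Group Policy.
    $gpoScopes = 'MachinePolicy', 'UserPolicy'

    # Get-ExecutionPolicy -List returns scopes in precedence order;
    # the first scope that is not 'Undefined' is the effective one.
    $all = Get-ExecutionPolicy -List
    $effective = $all |
        Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' } |
        Select-Object -First 1

    # Registry location where the computer-level GPO setting is stored.
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $gpo    = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue

    $scope  = if ($effective) { "$($effective.Scope)" } else { 'None (platform default)' }
    $policy = "$(Get-ExecutionPolicy)"
    $byGpo  = $scope -in $gpoScopes

    [pscustomobject]@{
        EffectiveScope    = $scope
        EffectivePolicy   = $policy
        SetByGroupPolicy  = $byGpo
        GpoRegistryValue  = $gpo.ExecutionPolicy
        # The combination this known issue describes: AllSigned enforced by a GPO.
        MatchesKnownIssue = ($byGpo -and $policy -eq 'AllSigned')
    }
}

Get-ExecutionPolicySource | Format-List
```

If `MatchesKnownIssue` is `True`, the GPO to review is one that applies to the organizational unit where the Cloud PCs are joined.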

Cloud PC reports as not compliant for compliance policy

The following device compliance settings report as Not applicable when being evaluated for a Cloud PC:

  • Trusted Platform Module (TPM)
  • Require encryption of data storage on device.

The following device compliance settings may report as Not Compliant when being evaluated for a Cloud PC:

  • Require BitLocker
  • Require Secure Boot to be enabled on the device. Cloud PC support for Secure Boot functionality is now available to all customers.

Troubleshooting steps to enable Secure Boot on the Cloud PC:

  1. Reprovision the specific Cloud PC.

Troubleshooting steps to remove not compliant settings:

  1. Create a filter for all Cloud PCs.
  2. For any existing device compliance policies that both evaluate to a Cloud PC and contain either of the Not Compliant settings, use this new filter to exclude Cloud PCs from the policy assignment.
  3. Create a new device compliance policy without either of the Not Compliant settings and use this new filter to include Cloud PCs for the policy assignment.

Single sign-on users see a dialog to allow remote desktop connection during the connection attempt

When using single sign-on, you'll currently be prompted to authenticate to Azure AD and allow the Remote Desktop connection when launching a connection to a new Cloud PC. Azure AD remembers up to 15 devices for 30 days before prompting again. If you see this dialog, select Yes to connect.

Single sign-on user connections are being denied through Azure AD Conditional Access

Possible cause: To sign in through single sign-on, the remote desktop client requests an access token to the Microsoft Remote Desktop app in Azure AD. This token request may be the cause of the failed connection.

Troubleshooting: Follow the steps to troubleshoot sign-in problems.

Single sign-on users are immediately disconnected when the Cloud PC locks

When single sign-on is not used, users have the option to see the Cloud PC lock screen and enter credentials to unlock their Windows session. However, when single sign-on is used, the Cloud PC fully disconnects the session so that the user can re-launch the connection through the remote desktop client and perform the Azure AD-based single sign-on authentication flow.

Single sign-on users are not asked to re-authenticate to Azure AD when connecting from an unmanaged device

When using single sign-on, all authentication behavior (including supported credential types and sign-in frequency) is driven through Azure AD.

Troubleshooting: To enforce periodic re-authentication through Azure AD, create a Conditional Access policy using the sign-in frequency control.

Next steps

Troubleshoot Windows 365 Enterprise Cloud PC