In this part of the series I show you how to get Windows 365 Enterprise up and running fast. Part 1 was more blah blah and general stuff, part 2 was about Windows 365 Business.
This blog series contains the following articles (the links will be updated, once the articles are released).
- Is Windows 365 a gamechanger?
- Setup Windows 365 Business
- Setup Windows 365 Enterprise (this article)
- Using Windows 365
- Administrating Windows 365
- Windows 365 Security
- Real world examples for Windows 365
In this article I cover the following topics:
To be able to use Windows 365 Enterprise, make sure you meet these requirements. If not, go fulfil them first or it will be very unfunny.
- Your users need a qualified license, that means: Windows 10 Enterprise E3 + EMS E3 or Microsoft 365 F3/E3/E5/Business Premium
- If your users do NOT have one of these, they need Windows VDA E3 + EMS E3 or Microsoft 365 F3/E3/F5/Business Premium
- Active (paid or payable) Azure subscription. The guy who sets up all the Windows 365 stuff needs permissions of course -> Subscription owner. I recommend placing Windows 365 PCs in a separate subscription with separated permissions.
Having set up DNS, you need to make sure that there is a line of sight with your domain(s)! So make sure you enter correct IP addresses in the networking section.
You need to make sure that your external DNS serves the requirements from Network endpoints for Microsoft Intune | Microsoft Docs and Azure Virtual Desktop required URL list – Azure | Microsoft Docs.
- Virtual network inside the subscription with routable DNS to on-prem AD or AAD. This network will be your gateway to the internet.
- an on-prem AD must be in sync with AAD for hybrid identity.
- Intune permissions for setup, e.g. Intune Admin or Global Admin.
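One way to verify the line of sight mentioned above before creating the network connection (an added example, not part of the original article): run this from a test VM in the subnet the Cloud PCs will use. The domain name `corp.example.com` is a placeholder, and the port list is an assumption covering what a domain join commonly needs.

```powershell
# Added example: checks DNS and network line of sight to the AD domain.
# 'corp.example.com' is a placeholder for your AD DNS domain name.
param(
    [string]$DomainName = 'corp.example.com'
)

# Assumption: ports commonly needed toward a domain controller
# (Kerberos, RPC endpoint mapper, LDAP, SMB).
$ports = 88, 135, 389, 445

# 1. The DNS servers configured on the VNet must answer the DC locator query.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
}
catch {
    Write-Warning "Cannot resolve $srvName. Check the DNS servers set on the VNet."
    return
}
if (-not $srv) {
    Write-Warning "No SRV records returned for $srvName."
    return
}

# 2. Every domain controller returned must be reachable on the required ports.
$results = foreach ($dc in $srv) {
    foreach ($port in $ports) {
        $test = Test-NetConnection -ComputerName $dc.NameTarget -Port $port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.NameTarget
            Port             = $port
            Reachable        = $test.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# 3. Point out blocked paths so firewall or routing rules can be fixed first.
if ($results.Reachable -contains $false) {
    Write-Warning 'At least one domain controller port is not reachable from this subnet.'
}
```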
Prepare Azure environment
Of course you can use any existing subscription. If you have already decided to use Windows 365 in production, that may be a good idea. If you plan to test Windows 365, I highly recommend performing all tests in a new pay-as-you-go subscription.
I created a new subscription that is bound to my credit card, so I can shut down everything related to Windows 365 at any time and reduce the cost if it is not needed. Inside this subscription, there is a VNET. My environment uses the default setting of 10.0.0.0/16 and all other defaults. In your environment this may be different, e.g. because you are connected via VPN Gateway to your on-premises environment. So take care that this matches your requirements. If you want to test in an encapsulated environment, continue to configure everything like I describe in this article.
Make sure to set your DNS server settings to fit your needs as well. In my case I let Azure control the DNS settings because I don’t have an on-prem connection. If you have an on-prem DNS, you may need to enter a value like 10.0.5.167 or 192.168.0.1 here – or whatever the IP address of your DNS server is:
Purchase a license for Windows 365 Enterprise
Purchasing a license can be done in several ways. One of them is using the Windows 365 website. I bet nearly no one will do it that way; most customers will use the admin portal. The process is the same as purchasing a Windows 365 Business license. Head straight to Billing > Purchase Services after signing in with a Global Administrator or a Billing Administrator. Here you can easily find the Windows 365 Enterprise license (sorry for my bad skills with Paint 😉 ):
You may realize that there is a big difference between Windows 365 Business and Enterprise licenses. Enterprise is only available in 1 edition, Business in 2. The reason is that MS assumes that Enterprise PCs are already installed with the appropriate Windows license. Enterprises often make use of Windows features like Credential Guard and BitLocker, which require an appropriate Windows license. Small customers often or sometimes have “non-Pro” and “non-Ent” licenses, that’s why there is the split into 2 license types for Windows 365 Business and not for Enterprise.
So after choosing the right Windows 365 Enterprise license that fits for you (haha), you need to finalize the order. Microsoft needs to know which hardware you need inside your CloudPC. Have a close look at the available options and choose the size that fits your needs. Microsoft gives you some advice under Windows 365 size recommendations | Microsoft Docs. In general I can advise you to follow Microsoft's recommendation here and not buy the same size as you would buy in a new laptop or desktop PC. Windows 365 has a much better performance compared to a stationary PC. Because it runs on Azure you can also trust in the efficiency of the PC.
Compared to Business, there is more to do with Enterprise. With Business, after purchasing the license, you can assign it to a user and that’s it. With Enterprise you need to assign the license, too, of course. But Windows 365 Enterprise offers much more capabilities to fit into an enterprise architecture. I show you which ones.
Prepare your network
As so often, you need to make sure your firewall allows the traffic. Follow these links and adjust your firewall and network settings so that you have a working and supported environment:
- Network endpoints for Microsoft Intune | Microsoft Docs
- Azure Virtual Desktop required URL list – Azure | Microsoft Docs
To understand why you need to prepare anything, you need to understand that you will want to be able to manage your CloudPCs. So you need them in your on-prem AD (if applicable) and of course in Endpoint Manager. If you are lucky and already have a very modern cloud-only environment with all your applications migrated to AAD with better security and that stuff, you do not have to do so much of course. You can say to yourself “ha! I did everything right and now I have less work and can go home early”.
To be able to configure ANYTHING, make sure you have purchased a license and waited approximately 30 minutes (that’s how long it took for me). Now you can go to Endpoint Manager and start to configure your CloudPC(s):
The further configuration takes place within that wizard. Thank you, Microsoft, for not making us “Admincenter-hoppers” like it currently is with the Compliance-, Security- and Security&Compliance Center. Back to topic: You are ready to configure, you have your network and your subscription as well as your license. Now it is time to provision the CloudPC itself.
Select network connection & Azure image
In the Windows 365 Admin Center, create a network connection that points to the newly created Azure VNET:
Here you must create a new connection, give it a name, select your Resource Group, VNET and Subnet that you created inside Azure before:
In any case, the wizard wants to know about the AD Domain integration:
Finally review the settings and go back to adjust them (if necessary):
You see that the wizard will create a service account that will be granted permissions in the subscription and the network configuration. That is another good reason to put Windows 365 into a separate Azure subscription!
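To see what was actually granted once the network connection exists, you can list the role assignments held by service principals at each scope (an added example, not part of the original article or the wizard). The subscription ID, resource group and VNET names are placeholders; it requires the Az.Accounts and Az.Resources modules and a session signed in with Connect-AzAccount.

```powershell
# Added example: audit which service principals hold roles on the
# Windows 365 subscription, resource group and VNET.
# All three values below are placeholders for your own environment.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-w365'
$vnetName       = 'vnet-w365'

Set-AzContext -Subscription $subscriptionId | Out-Null

$subScope = "/subscriptions/$subscriptionId"
$rgScope  = "$subScope/resourceGroups/$resourceGroup"
$scopes = @(
    $subScope
    $rgScope
    "$rgScope/providers/Microsoft.Network/virtualNetworks/$vnetName"
)

$assignments = foreach ($scope in $scopes) {
    # Get-AzRoleAssignment also returns assignments inherited from parent
    # scopes; keep only those assigned directly at this scope.
    Get-AzRoleAssignment -Scope $scope |
        Where-Object { $_.Scope -eq $scope -and $_.ObjectType -eq 'ServicePrincipal' }
}

# One row per grant: who holds which role, and where.
$assignments |
    Sort-Object Scope, DisplayName |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize -Wrap

# Subscription-wide grants to service principals deserve a closer look,
# especially when the subscription also hosts other workloads.
$wide = $assignments | Where-Object { $_.Scope -eq $subScope }
if ($wide) {
    Write-Warning "$(@($wide).Count) service principal role assignment(s) at subscription scope."
}
```

In a dedicated Windows 365 subscription this list stays short, which makes an unexpected grant easy to spot.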
Well, that is the point from where I cannot continue showing "real" examples, because my Azure spending limit is reached and I don't have another on-premises test domain. The Enterprise setup requires an on-premises Active Directory. If you don't have one, you cannot continue. You must use the Windows 365 Business Edition.
The next thing you have to do is set up your provisioning policies. Microsoft explains this very well in this article: Create provisioning policies for Windows 365 | Microsoft Docs
Now head over to the menu Device images:
This is pretty straightforward – just upload the images you need to use. Some screenshots about that can be found here: Get started with Windows 365 Enterprise – Microsoft Tech Community
Setup Hybrid Azure AD Join
Additionally, you must configure your ADConnect for Hybrid Join. I recommend doing that even before the other setup tasks, maybe you already have it in place. Enabling the setting is a really easy task:
Windows 365 Enterprise looks really nice and there are many scenarios where it can play out its strong sides. On the other hand I am a little worried that an AD is a requirement. Okay it makes sense for management, but it increases the administrative overhead extremely. What if you do not have an Active Directory and need 300+ Windows 365 VMs? In this case you would need another tenant and I don’t want to start a discussion about what this means as additional overhead. Multi-tenant is the worst thing you can do to an administrator (besides certificate management).