Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Provisioning in Windows 365 is the automated process that:
- Creates and sets up a Cloud PC virtual machine.
- Completes other tasks that prepare it to be used.
- Adds the user account to the Cloud PC so that the end user can connect.
Admins only need to provide a few configuration details to set up the provisioning process. Then, users who have a Windows 365 license and match the configuration details automatically have a Cloud PC provisioned for them.
Provisioning is a one-time per user and per-license process. Each user can have up to one Cloud PC of each Windows 365 Enterprise SKU, a single Windows 365 Reserve Cloud PC, and multiple Windows 365 Frontline Cloud PCs.
High-level process
At a high level, the full provisioning process looks like this:
- You create a provisioning policy to manage who gets access to Cloud PCs. The provisioning policies build, configure, and make Cloud PCs available to end users. Within a policy, you provide details for the network, the image used to create each Cloud PC, and a Microsoft Entra user group.
- The Windows 365 service checks for appropriate licensing and configures the Cloud PCs accordingly.
- After provisioning completes, the end user can then sign in to the Windows Cloud PC from anywhere.
For more information on what happens during provisioning, see the automated provisioning steps.
Provisioning policy objects
A Windows 365 provisioning policy is an object in the Microsoft Intune admin center that orchestrates the creation of a Cloud PC.
Creating a provisioning policy
As the admin, you provide the following required information when creating a provisioning policy:
- Network: A Microsoft-hosted network or an Azure network connection (ANC) dictates how the device joins Microsoft Entra ID and how its network is managed. Depending on the join type, an ANC may have information detailing:
- The Azure subscription that is associated with the Cloud PC.
- The domain and Organizational Unit (OU) to join.
- The Active Directory credentials to use.
- Image: A Windows image is used as the reference image for all Cloud PCs provisioned with this policy. You can choose either a gallery image or supply your own custom image.
- Configuration: You can optionally control more settings that are configured when the Cloud PC is provisioned.
- Assignment: The assignment identifies one or more Microsoft Entra user groups. Windows 365 automatically provisions Cloud PCs for licensed users in the policy’s Microsoft Entra user groups. If users are later added to the user groups, they also get assigned Cloud PCs.
Without this information, Windows 365 can’t provision the Cloud PCs.
After you create the provisioning policy, Windows 365 handles all of the provisioning process to automatically get licensed users Cloud PCs. After the Cloud PCs are provisioned, you can inform end users that their Cloud PCs are ready for sign-in.
Changing these configurations doesn’t impact any previously provisioned Cloud PCs. However, any newly provisioned (or reprovisioned) Cloud PCs reflect the updated settings.
Changing a provisioning policy
After the provisioning of a Cloud PC is complete, it doesn't reoccur unless you manually perform a reprovision.
Changes made to any part of a provisioning policy don't trigger a reprovision. Such changes aren't applied to previously provisioned Cloud PCs. Changes to a provisioning policy will only be applied to Cloud PCs that are provisioned or reprovisioned after the changes.
If a provisioning policy name is changed, it doesn't update the Cloud PC name under All Cloud PCs, and doesn't update the enrollmentProfileName in Microsoft Entra ID.
Some provisioning policy settings can't be changed after initial creation. These settings include the Experience type, License type, and Frontline type. For Frontline devices in shared mode, you can't change Experience, Entra ID Join type, Network, Geography, or Region settings. If you need to change those properties for Frontline devices in shared mode, then you can create a new policy and remove the old one.
Deleting a provisioning policy
A provisioning policy can only be deleted if it doesn't have an assignment.
Removing the provisioning policy assignment puts the provisioned Cloud PCs into a grace period. When the grace period expires, the Cloud PCs are deleted automatically. For Frontline Cloud PCs in shared mode and Reserve Cloud PCs, there's no grace period, and the Cloud PCs are deleted automatically.
Provisioning policy assignments
Policy assignment involves using groups to assign provisioning policies to your users. There are two ways to assign provisioning policies:
- Discrete (preferred): A dedicated group is created specifically for assigning a provisioning policy. This method is useful for scenarios where certain users or departments need unique configurations for Cloud PCs or access privileges.
- Hybrid: A provisioning policy is assigned directly to the group-based license group. This method can be helpful for smaller deployments, when managing multiple teams with similar requirements with little change expected.
Provisioning policy conflict resolution
Provisioning policies are assigned to user groups, so there’s the possibility of overlapping groups/users.
For Windows 365 Enterprise and Windows 365 Reserve, if a user is assigned to more than one provisioning policy, provisioning honors the first assigned provisioning policy and ignores all others. It’s best practice to avoid any policy targeting overlaps to ensure consistent provisioning.
For Windows 365 Frontline, users can be assigned to multiple provisioning policies, and provisioning honors all policy assignments.
Users with multiple Windows 365 Enterprise licenses
A user may have more than one Windows 365 Enterprise license, which allows them to have more than one Enterprise Cloud PC. If a user has more than one Enterprise license, a Cloud PC with the appropriate specifications is provisioned for each license.
Since provisioning only honors the first assigned provisioning policy, users with multiple Windows 365 Enterprise licenses must be provisioned multiple Cloud PCs using the same provisioning policy. It’s not possible to trigger different provisioning policies for a user with multiple Enterprise licenses.
Provisioning retry
When a Cloud PC provisioning fails, provisioning retries automatically two times. After it fails three times:
- The provisioning process is stopped.
- The Cloud PC is marked as Failed.
- An error message is displayed.
After you resolve the root cause of the error, you can manually trigger a retry of the provisioning process by pressing the Retry button in the error dialog.
Reprovisioning
The Reprovision remote action lets admins reprovision Cloud PCs. This action can be useful when:
- You're testing different Cloud PC configurations.
- Your provisioned Cloud PC is misbehaving.
- The user simply wants to start from a fresh Cloud PC.
The Reprovision action can also be used when a Cloud PC is in a Failed provisioning state in the Windows 365 provisioning node. You can think of reprovisioning as a similar process to resetting a physical device.
When a Cloud PC is reprovisioned, the Cloud PC is deleted and recreated as a new Cloud PC. All user data, applications, customizations, and the like are deleted.
The Cloud PC is reprovisioned to the current configured settings in the provisioning policy that's assigned to the user's Microsoft Entra group. If the image referenced by the policy changed, or if policy changed in any other way, the reprovisioned Cloud PC uses the new settings.
For Frontline Cloud PCs in shared mode, you can bulk reprovision all the Cloud PCs in a provisioning policy. Admins can also select the percentage of Cloud PCs that are available for users to connect without being affected by the reprovisioning process.
For more information, see Reprovision a Cloud PC.
Clean-up
When a Cloud PC provisioning failure occurs, or a Cloud PC is deleted post grace period, Windows 365 cleans up all objects created during the provisioning. The clean-up occurs approximately three hours after the failure.
The following objects are cleaned up:
- Intune objects
- Microsoft Entra device objects
- Azure vNics
Network security groups created for Cloud PCs aren't cleaned up, as there may be other objects relying on those groups.
Any on-premises Microsoft Entra computer accounts that were joined to the domain during provisioning aren't deleted. Windows 365 doesn't have sufficient permissions to delete on-premises computer objects, so instead the redundant computer objects are disabled. We encourage your organization to clean up these disabled computer objects during your regular maintenance process.
Next steps
- Learn more about optimal provisioning of Cloud PCs
- Create a provisioning policy
- Learn more about what happens during provisioning in Automated provisioning steps