This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .
With Windows 365 Boot, you can log directly into your Windows 365 Cloud PC as the primary Windows experience on the device. When you power on your device, Windows 365 Boot will take you to your Windows 11 login experience. After login, you will be directly connected to your Windows 365 Cloud PC with no additional steps. This is a great solution for shared devices, where logging in with a unique user identity can take you to your own personal and secure Cloud PC.
Last week, we announced Microsoft Copilot, your everyday companion, including Copilot in Windows, and the coming general availability of Windows 365 Boot and Windows 365 Switch. Today, Windows 365 Boot is generally available, delivering new features with support for Bluetooth, multiple Cloud PCs, Windows 365 Frontline Cloud PCs, max timeout preferences, and security baseline profiles:
- Bluetooth support: Now, users can seamlessly fine-tune their Bluetooth settings straight from their Windows 11 device with Windows 365 Boot.
- Multiple Cloud PC support: End users have the power to handpick their Cloud PC of choice, making personalization a breeze.
- Support for Windows 365 Frontline: IT admins can configure Windows 365 Boot with their Windows 365 Frontline licenses.
- Support for max time-out preferences: IT admins can now set the max connection timeout between 5 and 20 minutes based on their needs.
- Support for security baseline profiles: IT admins can now configure their security baseline profile on the Boot device recommended by Microsoft as part of their Guided Scenario
How to deploy Windows 365 Boot to your endpoints
Deployment guidance no longer requires Windows Inspire Program as the public preview did. Let's take a look at how to deploy the Windows 365 Boot components to your Windows 11 endpoints with Microsoft Intune:
- Windows 11-based endpoints (Windows 11 Pro and Enterprise)
- Update your device to the latest Windows 11 version (22621.2361 or later)
- Microsoft Intune Administrator rights
- Windows 365 Cloud PC license (See Create provisioning policies for the Enterprise edition or Add a user and assign licenses in Windows 365 Business for guidance on how to create Cloud PCs.)
Pushing Windows 365 Boot settings to your endpoints with Intune
- Go to Devices > Provisioning > Windows 365 and open the “Windows 365 Boot guide.” This initiates Windows 365 Boot guided setup.
Note: To move forward, you need to have at least Group and Intune Administrator rights.
- Select Next: Basics to start the configuration. The following setting is optional, but it can be extremely useful to rename your endpoints to start with a prefix to identify endpoints remotely, as shown in the example below.
- Enter a Resource prefix name and Description. This will help you find resources after you've created them and when you want to modify them. Select Next: Endpoint updates. As shown in the screenshot below, the setup wizard will create the following resources:
- <prefix> Windows 365 App Boot
- <prefix> Azure Virtual Desktop (HostApp) Boot
- <prefix> Windows 365 Boot Enrollment Status Page Profile Boot
- <prefix> Windows 365 Boot Autopilot Profile Boot
- <prefix> Windows 365 Boot Device Configuration Policy Boot
- <prefix> Windows 365 Boot Windows Update Policy Boot
- <prefix> Windows 365 Boot Shared PC Device Configuration Policy Boot
- Next, specific preferred settings related to Windows updates:
As there is no local Windows UI/shell available to the user, and it could be a shared PC, it is important that you proactively take steps to ensure that Windows remains secure. These include:
- Update deferral settings. Designate (in days) how soon monthly security updates and Windows feature updates are applied after they are released.
- User experience settings. Customize active hours so that restarts occur only when it will not disturb the productivity of the end user.
- Update deadline settings. The last setting sets a time box for updates, so they are being installed and applied in a certain amount of time to ensure end users are always using Windows secure when connecting to their Cloud PC.
Note: Windows 365 Boot also supports Windows Autopatch so you can delegate patch management for your Windows 365 Cloud PCs.
- Once you have saved your Windows update preferences, you can pre-configure a VPN profile or Wi-Fi profile for your endpoints. These settings are optional.
- Use the optional Language setting if there is a local language you prefer to use on the endpoint and areas like the Windows login screen. All languages supported by Windows 11 are configurable.
- Use the optional Security Baseline Profile setting if there is a security baseline profile in your tenant that you would like to use for the Windows 365 Boot physical devices.
- Use the maximum connection timeout setting to configure a different timeout value for Windows 365 Boot. The operating system will wait for connection until the selected timeout value has been reached. The default value for this setting is 5 minutes.
For more information about connection timeout policy, see CloudDesktop Policy CSP.
- Finally, under Assignments, either create a new group or assign an existing Azure AD group to the set of resources.
Then, simply review all of your settings on the Review + create page and proceed.
We recommend assigning your settings to both Windows 11 endpoints that received a device wipe and new endpoints out of the box. If you deploy Windows 365 Boot to existing Windows 11 endpoints, we recommend you remotely wipe the endpoint after finishing this configuration.
Once ready, all your endpoints in the Azure AD group you attached or created will receive the resources assigned and Windows 365 Boot will be enabled in a couple of hours.
The Windows 365 Boot login experience
Once Windows 365 Boot is activated, the user's lock screen will be the Windows 11 screen.
The user logs in with their Microsoft account on the lock screen.
Once the credentials are validated, the user seamlessly connects straight to their Cloud PC!
When a user logs off from within the Cloud PC, the state of the Cloud PC will reflect the local Windows login screen, meaning they can directly login again or another person can use the same machine to connect to their own Cloud PC.
Users can connect to their Bluetooth devices from their Windows 365 Cloud PC by going to Quick Settings > Bluetooth tile. Clicking on this will launch the local PC Settings app where users can pair and connect to their preferred Bluetooth device.
If the user has no license assigned, the following error will be shown.
If your users need to connect to their Wi-Fi connection, they will be able to do this from the Windows lock screen.
Announcing Windows 365 Boot with updated CSP, now in public preview
As we announce Windows 365 Boot general availability, we have also taken into account the valuable feedback we received during the public preview period and have created a new configuration service provider (CSP) policy that incorporates these feedback and allows IT Admins to configure an endpoint into Windows 365 Boot mode with several optimization already built-in.
By following the steps below, you can convert the policies set up by Windows 365 Boot’s Guided Scenario to use the new Windows 365 Boot CSP with several enhanced optimizations tailored for the Windows 365 Boot experience.
Note: The steps below are temporary workaround steps to enable the new CSP. We expect to have the new CSP built into our Guided Scenario within the next few months.
Here are the optimizations in the new CSP:
- DisableTaskMgr Policy (Ctrl + Alt + Del screen will not show the option of Task Manager)
- DisableChangePassword Policy (Ctrl + Alt + Del screen will not show the option of changing the password)
- DefaultCredentialProvider Policy (set default credentials provider as password provider)
- DisableNotificationCenter Policy
- NoToastNotification Policy
- DisableExplorerRunLegacy_1 and DisableExplorerRunLegacy_2 Policy (Disable auto start-up apps, user list & machine list)
- EnableTouchKeyboardAutoInvokeInDesktopMode Policy
Prerequisites for Windows 365 Boot
- You have completed the Windows 365 Boot Guided Scenario and have created the necessary resources for Windows 365 Boot.
- We recommend that you execute the Guided Scenario again and use a new security group for device assignment. Once you apply the changes below to the newly created resources by the Guided Scenario, you can then use this security group to add new devices to use the updated Boot policy.
- Alternatively, you can remove all devices currently assigned to an existing security group used in the Windows 365 Boot Guided Scenario so the devices will exit the existing Boot mode and return to normal mode before applying the below changes to the Windows 365 Boot related resources. After applying the changes below, you can add the device again to the security group.
Tip: Identify existing policies
- Sign-in to the Microsoft Intune admin center as a user with the Intune Service Administrator or Global Administrator role.
- Select Devices > Configuration Profiles.
- Find the 2 Configuration Profile created by the Windows 365 Boot Guided Scenario. You should be able to find it using the prefix set in Guided Scenario or the suffix we attach to the resources. Here are the name suffixes it should have been created with:
Windows 365 Boot Device Configuration Policy
Windows 365 Boot Shared PC Device Configuration Policy
Tip: Modifying policies
Modify the Windows 365 Boot Device Configuration Policy
- Open the policy whose name contains: Windows 365 Boot Device Configuration Policy.
- Navigate to the “Configuration Settings” section and click on the “Edit” button.
- Remove the following configuration settings:
- Boot To Cloud Mode (Windows Insiders only)
- Override Shell Program (Windows Insiders only)
- Add configuration settings with the following names. You will find both the settings under the Cloud Desktop category:
- Enable Boot To Cloud Shared PC Mode
- Set Max Connection Timeout (Default is 5 minutes but you can set it to a value between 5 and 20 minutes).
- Save the policy. You should now see the content below in the “Configuration settings” section.
Remove Shared PC Device Configuration from the Policy Set
- Navigate - Home > Devices > Configuration Profiles and open the policy whose name contains: “Windows 365 Boot Shared PC Device Configuration Policy”. (the one that you just created in the Windows 365 Boot Guided Scenario)
- Navigate to the “Assignments” section and click on the “Edit” button.
- Remove the Windows 365 Boot security group from the list of included groups. This should be the security group created by or selected in the Windows 365 Boot Guided Scenario. This step is required because the new “Enable Boot To Cloud Shared PC Mode” policy also contains the shared pc policy. Hence, there is no need for a separate policy assignment.
- Save the policy.
- You should see the policy no longer has any included groups now.
Enroll or re-enroll devices into Windows 365 Boot
- Add your devices back to the security group used in the Windows 365 Boot Guided Scenario.
- Test your device, it should now have the new optimizations.
Policy configuration by checking Registry key
Boot to Cloud Configuration CSP:
Boot to Cloud Connect to CloudPC Timeout Value:
Value set in Intune shall reflect against this key
- Once you have enrolled or re-enrolled your device, you can try the following test cases against the new Boot to Cloud CSP if you wish:
- If any app is pre-configured to auto-launch on startup on local PC, this app should not auto-start on local PC anymore.
- On the sign-in screen, the default credential provider should be Password provider.
- If you are using a touch device, remove the keyboard and put focus on the credential text box in sign-in screen. Touch keyboard should automatically launch for typing in credentials.
- Once you are connected to Cloud PC, Press Ctrl+Alt+Del, it will open secured options UI. Users should no longer see the ‘Task Manager’ and ‘Change Password’ options.
- Once you are connected to Cloud PC, hover on the top of the screen and click on the network icon on the connection bar. Press Win+I, it should open Local PC Settings, users should be able to update the device through Windows Updates in setting if there are any updates available.
- Users should no longer see toast notifications at the bottom right corner of their device from Local PC.
- Once you are connected to Cloud PC, hover on the top of the screen and click on the network icon on the connection bar. Pressing Ctrl+Shft+Esc should not open Task manager.
- When user is at “Connecting to Cloud PC” screen, pressing Win+G should perform no action on the device.
- When user is connected to Cloud PC, Pressing Win+G should open Gamebar of the Cloud PC only. The local PC Gamebar should not appear.
To learn more about the latest Windows 11 innovations, check out these recent announcements:
- Announcing Microsoft Copilot, your everyday AI companion
- Announcing Microsoft 365 Copilot general availability and Microsoft 365 Chat
- Copilot in Windows and new Cloud PC experiences coming to Windows 11
- Windows 365 Switch is now generally available!
- View the September 26th episode of Windows in the Cloud
- See Microsoft docs for more details What is Windows 365 Boot?
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro on X/Twitter for updates. Looking for support? Visit Windows on Microsoft Q&A.