Thursday, May 16, 2024

w365 - Enable watermarking inside Windows 365 Cloud PC

As businesses continue to adopt Windows 365 Cloud PCs, ensuring data security and compliance becomes increasingly critical. One effective security measure is the implementation of watermarking, which can display QR codes on the screen to deter data leakage and track information access. This blog will guide you through the steps to enable watermarking in Windows 365 Cloud PCs using Microsoft Intune.

What is Watermarking?

Watermarking involves overlaying a visual mark, such as a QR code, on the screen. This can help prevent unauthorized sharing of sensitive information by making it easily identifiable. QR codes can also be used to embed tracking information, enhancing the traceability of data access and distribution.

Benefits of Watermarking

- Deterrence: Visible watermarks discourage users from capturing and sharing sensitive information.

- Traceability: QR codes can contain metadata that helps track when and where the information was accessed.

- Compliance: Helps organizations meet regulatory requirements for data protection.

How to enable watermarking inside a Cloud PC:

  1. Sign in to the Microsoft Intune admin center.

  2. Create a configuration profile for Windows 10 and later devices, with the Settings catalog profile type.

  3. In the settings picker, browse to Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

  4. Select the Enable watermarking setting. Don't select the deprecated one.

  5. On the Assignments tab, select the group containing the computers, then select Next. On the Review + create tab, review the settings, then select Create.

  6. Once done, on the Cloud PC, open the Company Portal app and click the Sync button in Settings, or restart the Cloud PC, for watermarking to take effect.

After you enable watermarking, you can find more details from the session host by following these steps:

  1. Scan the QR code and make a note of the Device ID GUID.
  2. Sign in to the Microsoft Intune admin center.
  3. Select Devices > All devices.
  4. In the search box, enter the Device ID GUID to find the device details.

Supported clients:
  • The following clients support watermarking:

    • Remote Desktop client for:

    • Windows App for:

      • Windows
      • macOS
      • Web browser

Tuesday, May 14, 2024

w365: Managing Cloud PC frequent disconnects due to idle session timeout


Recently, many of our users started complaining that their Cloud PCs are getting disconnected very often and that it's disrupting their work.

We see that the Cloud PC gets disconnected if their session was idle with no activity for 15 mins.

Managing Frequent Disconnects and Session Timeouts in Windows 365 Cloud PC:

Windows 365 Cloud PC is a robust platform that enables seamless access to a personalized Windows experience from anywhere. However, users might occasionally face issues with frequent disconnects and session timeouts due to inactivity. This can be frustrating, especially if you are in the middle of an important task. In this blog, we will explore the causes of these disconnects and provide solutions to manage session timeouts effectively.

Understanding Session Timeouts and Disconnects

Idle and Inactivity Timeout

Windows 365 Cloud PC sessions might disconnect after 15 minutes of inactivity. This is a default setting to optimize resource usage and ensure security. Inactivity here means no user input (keyboard or mouse) is detected.

Session Timeout

Additionally, sessions may have a 15-minute session timeout. This means that even if the session is active, it will disconnect after a certain period if no user input is detected.

Causes of Disconnects

1. Idle Timeout:

   - If you leave your Cloud PC idle without any interaction for 15 minutes, the session will automatically disconnect.

2. Session Timeout:

   - Even if the session is active, without any user interaction for 15 minutes, the session will time out.

Adjusting Timeout Settings

To prevent frequent disconnects, you can adjust the timeout settings through Microsoft Endpoint Manager (Intune). Here’s how:

1. Log into Microsoft Endpoint Manager:

2. Navigate to Configuration Profiles:

   Go to Devices > Configuration profiles

3. Create a New Profile:

   - Click on Create profile

   - Choose Windows 10 and later as the platform.

   - Select Settings catalog.

4. Configure Timeout Settings:

   - In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

   - Configure the following settings: toggle the "Set time limit for active but idle Remote Desktop Services sessions" option to Enabled.

     - Set the Idle session limit (Device) to your desired duration.

     - Select Next.


5. Assign the Profile:

   - Assign this profile to the group of users or devices using Windows 365 Cloud PCs.

   - Ensure the profile is applied to all relevant users.

6. Review and Create:

   - Review the settings and click Create.

   - The profile will be pushed to the assigned devices and users, adjusting the timeout settings accordingly.

To avoid disconnects due to inactivity, consider these practices:

1. Regular Interaction:

   - Make sure to interact with your Cloud PC regularly. Even minimal interactions like moving the mouse can prevent idle timeouts.

2. Keep Applications Running:

   - Some applications can simulate activity. For instance, running a presentation or a video can help keep the session active.

By increasing the idle and session timeout durations, and ensuring regular interaction with the Cloud PC, you can significantly reduce the frequency of disconnects and maintain a seamless working experience.

By following these steps, you can ensure that your Windows 365 Cloud PC remains active and responsive, minimizing interruptions and maximizing productivity.

Reference: https://learn.microsoft.com/en-in/windows-365/enterprise/frontline-cloud-pc-session-time-limits

Update: This might also be caused because of screensaver settings which I will be testing shortly. 

Friday, May 10, 2024

w365: One way clipboard redirection

Due to security measures, organisations will want to restrict clipboard redirection (copy-paste) from the Cloud PC to the base laptop but allow copy-paste from the base laptop to the Cloud PC. How can we achieve this?

Prerequisites:

  • Session hosts (Cloud PCs) running Windows 11 Insider Preview Build 25898 or the most recent version of Windows Insider Build (Dev Channel). You must join the Windows Insider Program to activate the Dev Channel Preview Build.

  • The "Do not allow clipboard redirection" setting must be set to Disabled. Otherwise, this setting will not work.


How to block clipboard redirection from session host (cloud pc) to client laptop:

There are 3 ways to block clipboard redirection from the Cloud PC to the client laptop:

1. Intune configuration policy

2. GPO

3. Registry

Below, I will share the steps to configure this through the Intune portal.

  1. Open Intune and create a profile with custom settings for Windows 10 and later devices, with the Templates profile type and the Custom profile template name.

  2. On the Configuration settings tab, select Add.

  3. In the Add row pane, do the following:

    • To configure the clipboard from session host to client:

      • Name: Block copy paste from Session host to client

      • Description: enter description

      • OMA-URI: ./Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection

      • Data type: String

      • Value:

        <![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="0"/>]]>

        This blocks clipboard redirection only in the direction from the session host (Cloud PC) to the base laptop.



Respective Registry keys:

With this method, users can still copy-paste items from the base laptop to the Cloud PC, but copy-paste from the Cloud PC to the base laptop is restricted.
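To confirm on the Cloud PC that the policy has landed and that only the host-to-client direction is blocked, the following PowerShell check reads the resulting policy values. It is an added example, not part of the original post. The registry path and the value names fDisableClip, SCClipLevel and CSClipLevel follow Microsoft's documentation for these settings and are assumptions here, as are the function names.

```powershell
# Added example: run in an elevated PowerShell session on the Cloud PC.
# Assumption: key path and value names follow Microsoft's documentation
# for these policies; they are not taken from this post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Clipboard levels shared by SCClipLevel and CSClipLevel.
$Levels = @{
    0 = 'blocked'
    1 = 'plain text'
    2 = 'plain text, images'
    3 = 'plain text, images, RTF'
    4 = 'plain text, images, RTF, HTML'
}

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-OneWayClipboard {
    $disableAll   = Get-PolicyValue 'fDisableClip'  # "Do not allow clipboard redirection"
    $hostToClient = Get-PolicyValue 'SCClipLevel'   # session host -> client
    $clientToHost = Get-PolicyValue 'CSClipLevel'   # client -> session host

    $findings = @()
    if ($disableAll -eq 1) {
        $findings += 'fDisableClip=1: all clipboard redirection is off, so the one-way policy has no effect.'
    }
    if ($null -eq $hostToClient) {
        $findings += 'SCClipLevel is not set: the host-to-client policy has not applied yet.'
    } elseif ($hostToClient -ne 0) {
        $findings += "SCClipLevel=${hostToClient}: host-to-client still allows $($Levels[[int]$hostToClient])."
    }
    if ($clientToHost -eq 0) {
        $findings += 'CSClipLevel=0: client-to-host copy is blocked as well.'
    }

    [pscustomobject]@{
        OneWayEnforced = ($findings.Count -eq 0)
        HostToClient   = if ($null -ne $hostToClient) { $Levels[[int]$hostToClient] } else { 'not configured' }
        ClientToHost   = if ($null -ne $clientToHost) { $Levels[[int]$clientToHost] } else { 'not configured' }
        Findings       = $findings
    }
}

Test-OneWayClipboard | Format-List
```

Run it after an Intune sync; OneWayEnforced is True only when host-to-client is blocked and nothing else overrides or widens the restriction.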


PowerShell Scripts:

Wednesday, May 8, 2024

Intune - Linux Intune app shows disk not encrypted and still checking issue and status unknown

The Intune app on Ubuntu 22.04 shows "disk not encrypted", "still checking issue" and status unknown, even when the disk is actually encrypted using LUKS.

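Solution:
Run the commands below in a terminal.
sudo usermod -a -G disk <username>
sudo rm -Rf /home/<username>/.config/intune
Membership in the disk group gives that account raw read and write access to the system's block devices.
Reboot, then open the app and check again.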

Update:
This issue is actually fixed with the latest update.