Wednesday, September 11, 2024

W365:Accessing Windows 365 Cloud PC in a Web Browser to Render High Resolution

Imagine you’re working remotely on a high-resolution display, like a 4K or UHD monitor, and need to access your Windows 365 Cloud PC through your web browser. By default, the web client might not fully utilize the native resolution of your physical device, making your Cloud PC appear slightly blurry or less sharp. This is where the High DPI setting comes in handy.

Let’s walk through a scenario where you enable this setting for optimal clarity.

Scenario:

You’ve just connected to your Windows 365 Cloud PC through your web browser to work on a graphic design project. You're using a 4K monitor, and you notice that the display doesn’t seem as sharp as it should be. Text appears slightly fuzzy, and the fine details in your design are not as clear as you'd like them to be.

Instead of struggling with the display, you can easily improve the experience by turning on the High DPI setting. Here’s how:

1. Log in to Windows 365 Cloud PC

Open your preferred web browser and log in to your Windows 365 Cloud PC account.

2. Access the Settings Menu

Once you're connected to your Cloud PC, locate the gear icon (settings menu) at the top-right corner of your screen. Click on it to access the display settings.

3. Enable High DPI 

In the settings menu, look for the High DPI toggle. Simply turn it on. This setting will adjust the display resolution to match your device's native resolution, making use of the higher pixel density available on your monitor.

4. Experience Crisp Display

After enabling High DPI, your Windows 365 Cloud PC will render at the native resolution of your 4K or UHD monitor. You’ll immediately notice the difference: text becomes sharper, images clearer, and your overall experience more precise.

Why Use High DPI?

The High DPI feature is particularly useful for users with high-resolution screens. Without it, the web client might downscale the display resolution, resulting in a less crisp interface. When turned on, this feature optimizes your viewing experience by taking full advantage of your monitor’s capabilities.

This simple adjustment is especially beneficial for tasks that demand visual precision, such as graphic design, video editing, or even reading large amounts of text.

With this feature, you can enjoy a crisp, clear and efficient experience in a web browser when accessing your Windows 365 Cloud PC, just like you would on a physical PC.

Saturday, September 7, 2024

AVD: Can’t connect due to low virtual memory - Solution

Multiple users started getting the error below while accessing AVD from the Remote Desktop client.

Microsoft has confirmed that it is a known issue and that Microsoft's Product Group team is working on it.

Solution:

1. End all Remote Desktop client related tasks from the taskbar and try reopening the client.

2. Install the new Remote Desktop client app, version 1.2.5699 (Insider).


W365: Wrong error message when screen capture protection is enabled in Browser is Fixed now


When screen capture protection is enabled for Windows 365 Cloud PCs and they are accessed through a browser, the wrong error message was shown: "you need to enable the screen capture protection", whereas it should actually say to disable screen capture protection to access the Cloud PC in a browser session.

I had earlier raised a Windows 365 Cloud PC feedback request about this bug and also reported it on Twitter to the Intune Support Team handle. Thanks to the Microsoft Intune Support Team, who took up this issue and fixed it recently.


Microsoft has fixed the error message shown when screen capture protection is enabled and the Cloud PC is accessed through a browser.

Now, when you access the Cloud PC through a browser with screen capture protection enabled, it should show the error message below correctly.


Thanks once again Microsoft Intune Team 🙏


Wednesday, September 4, 2024

W365: Fix Latency issue when accessing cloud pc through browsers

If you are facing latency issues when accessing the Windows 365 Cloud PC through the browser URL https://windows365.microsoft.com, check the settings below to fix the issue.

Option 1:

When you open the Cloud PC in a browser, you will be prompted with the initial screen below. Click Show Advanced Settings and turn on the "Use hardware acceleration" option if it has been turned off. By default this is set to ON.


Option 2:

After opening the Cloud PC through the browser, look for the gear icon at the top right. Click the gear icon and select the "Use hardware acceleration" option. This improves the experience by reducing the network latency.


Monday, September 2, 2024

W365: Enable winget inside windows sandbox from windows 365 cloud pc

To enable winget inside a Windows Sandbox from the host Windows 365 Cloud PC, follow the steps below.

Note: Make sure the Windows Sandbox feature is enabled in Add or Remove Features. If not, enable it there or by running the command below in PowerShell.

Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online

Reference: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview

Open PowerShell as a normal user and run the command below:

winget configure https://aka.ms/sandbox.dsc.yaml

This should enable winget inside the sandbox.

You can verify this by running winget -v in PowerShell inside the Windows Sandbox.


Demo:


W365: New windows App features refresh button & SSO Lock Screen experience

The latest Windows App version 1.3.278.0 was released recently and includes two important features, the refresh button and the new SSO lock screen experience, among others.

What’s new in Windows App:



Refresh Button:

The Refresh button clears the local cache and pulls the new device assignments from Intune. Users can click the refresh button, found next to the device name in the Windows App, to manually trigger the refresh and clear the cache.


SSO Lock Screen Experience:

The latest version now provides an improved experience for the single sign-on (SSO) lock screen dialogs.

Microsoft has released a new feature that shows the lock screen when the session times out due to inactivity or a screen saver lock while SSO is enabled. Earlier, Windows 365 used to show the disconnect screen and prompt the user to reconnect or cancel.

More information about the latest SSO lock screen can be found in my previous blog here

Sunday, September 1, 2024

W365 - Configure the session lock behaviour for the cloud Pc when SSO is enabled in Intune


When single sign-on is enabled in the Windows 365 provisioning policy and a remote session gets locked due to 15 minutes of session inactivity or a screensaver set to 15 minutes, the session is disconnected and a notification appears informing the user of the disconnection, with Reconnect or OK (to disconnect) options like below.


Users can then select Reconnect from the dialog whenever they are ready to re-establish the session. It will not ask them to re-enter their credentials and will open the session immediately.

This was a known issue and many users were complaining about it - W365 Known Issue

However, Microsoft has released a new feature that enables the remote lock screen experience even when SSO is enabled and the session is locked due to inactivity or screen saver settings - What's New in W365



PreReq for Win 11:

Steps to configure the session lock behaviour on session hosts using Intune:

  1. Open the Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration > Create > New policy.

  3. Select Platform as Windows 10 and later and Profile type as Settings catalog.

  4. In Basics, enter a Name and a valid Description.

  5. In Configuration settings, select Add settings. Then:

    1. In the settings picker, expand Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

    2. Select the Disconnect remote session on lock for Microsoft identity platform authentication setting.

    3. Close the settings picker.

  6. Configure the setting to "Disabled" to show the remote lock screen when the session locks.

  7. Select Next.

  8. Add the Scope tags and Assignments and select Create.

  9. Once the policy configuration is created, the setting will take effect after the session hosts sync with Intune and users initiate a new session or restart the Cloud PC.

Alternatively, this can be done using the registry keys below.

Value data | Description
0          | Show the remote lock screen.
1          | Disconnect the session.

Enable Screen Lock:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fdisconnectonlockmicrosoftidentity"=dword:00000000

Disconnect the session:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fdisconnectonlockmicrosoftidentity"=dword:00000001

PowerShell Scripts:


Microsoft recommendation:

Microsoft recommends using the default disconnect-on-lock behaviour when using SSO because of its security benefits, which are highly recommended and expected by many customers:

Consistent sign-in experience through Microsoft Entra ID when needed.
Single sign-on experience and reconnection without an authentication prompt when allowed by Conditional Access policies.
Supports passwordless authentication like passkeys and FIDO2 devices, unlike the remote lock screen.
Conditional Access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session.
Can require multi-factor authentication to return to the session and prevent users from unlocking with a simple username and password.

In particular, the new remote lock screen does not re-evaluate Conditional Access policies.
So, for example, if the sign-in frequency has already expired, it will not be checked again until the user is disconnected; this does not happen with the default disconnect-on-lock behaviour.

Monday, August 19, 2024

W365: Case study 2 - Resize windows 365 cloud pc during Grace Period

Continuation from Case Study 1

Scenario 2:

  • The cloud pc is placed under Grace period.
  • Click on the cloud pc, click on the resize option and choose another higher SKU.

  • Click on Resize; it shows a notification that it failed with the reason below.

  • The cloud pc doesn't move to the resize pending license state.
  • The cloud pc gets deprovisioned and is removed once the grace period reaches its end time.
  • The operating system and data are deleted from the Cloud PC. The Cloud PC is no longer available.
  • Resize failed to proceed in this scenario.

Detailed background information:

If a Windows 365 Cloud PC is in a grace period and you attempt to resize it to a higher SKU, the operation will not work as intended. During the grace period, the Cloud PC is essentially marked for deprovisioning, and resizing is not allowed, with the error message below.


When a Windows 365 Cloud PC is in the grace period and you attempt to resize it to a higher SKU, the following typically happens:

1. Resize Operation Fails: The Cloud PC does not move to a "resize pending license" state because it is already in a grace period, which restricts such operations. The resize request is likely to fail since the Cloud PC is marked for deprovisioning due to issues like an expired or suspended license.

2. Cloud PC Status Remains Unchanged: The Cloud PC remains in the grace period, and no changes are made to its configuration. The system will not attempt to apply the resize until the underlying issue causing the grace period is resolved.

3. Action Required: To successfully resize the Cloud PC, you need to reinstate the user's older SKU license or replace it with a different policy, in which case the Cloud PC will be reprovisioned with the settings in the new policy. Once the Cloud PC is out of the grace period, you can then apply the resize operation.

Note: If, while in the grace period, you assign the user to a higher SKU group without using the resize option, the Cloud PC will be reprovisioned with the settings in the new policy.

To ensure a smooth transition when resizing a Cloud PC, the device should not be in the grace period. If you need to resize the Cloud PC, you must first reinstate the license. This process helps to avoid any potential conflicts or issues with the Cloud PC's provisioning and ensures that the operation proceeds correctly.

Saturday, August 17, 2024

Intune & macOS: .app .pkg .dmg file is blocked by Gatekeeper

Understanding Gatekeeper in macOS and How to Bypass Its Prompts

Gatekeeper is a security feature in macOS designed to protect your system from untrusted software by verifying the source of apps, PKG, and DMG files. When you try to open a file from an unverified source, macOS may show a Gatekeeper prompt, even if the file is legitimate.

What is Gatekeeper?

Gatekeeper controls what software can be installed on your Mac, ensuring that apps are from the App Store or identified developers. It checks for a digital signature to verify that the app hasn’t been tampered with and is safe to run.




How to Resolve Gatekeeper Prompts:

If you encounter a Gatekeeper prompt despite the file being genuine, you can bypass it by checking and removing the quarantine attribute, which Gatekeeper uses to track downloaded files.

1. Check for the Quarantine Attribute:
   Run the following command in Terminal to see if the file is quarantined:

xattr /path/to/App.dmg

2. Remove the Quarantine Attribute:
   If the quarantine attribute (com.apple.quarantine) is present, remove it by running:

xattr -dr com.apple.quarantine /path/to/App.dmg

This command removes the quarantine attribute from the file, allowing it to open without Gatekeeper blocking it.

Applying This Solution to .app, .pkg, and .dmg Files

The same process can be applied to any app, PKG, or DMG file. Simply replace the file path in the commands with the appropriate file's path on your system. This method helps bypass Gatekeeper's restrictions when you know the file is safe but still encounter warnings.
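The post tells you to strip the quarantine attribute once you know the file is safe; the script below, an added example that is not part of the original post, shows what "knowing" can look like in practice: it decodes the quarantine record (who downloaded the file and when) and runs Gatekeeper's own spctl assessment, removing the attribute only when that assessment passes. The field layout of the attribute value (flags;hex timestamp;agent;uuid) and the spctl invocation for .dmg files are assumptions on my part; decode_quarantine is pure text handling, the other two functions need macOS.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the com.apple.quarantine
# record and run Gatekeeper's own assessment before stripping the attribute, so
# the xattr -d step is only applied to files that pass the same checks the GUI
# prompt enforces. Assumption: the attribute value is laid out as
# "flags;download-time(hex epoch);downloading agent;uuid", as seen in xattr -p.

# decode_quarantine RAW -> prints "flags=<hex> downloaded=<epoch> agent=<name> uuid=<id>"
decode_quarantine() {
    raw=$1
    flags=${raw%%;*};  rest=${raw#*;}
    ts=${rest%%;*};    rest=${rest#*;}
    agent=${rest%%;*}
    case $rest in *';'*) uuid=${rest#*;} ;; *) uuid='' ;; esac   # uuid may be absent
    case $ts in
        ''|*[!0-9a-fA-F]*) epoch=0 ;;          # malformed timestamp field
        *) epoch=$((0x$ts)) ;;
    esac
    printf 'flags=%s downloaded=%s agent=%s uuid=%s\n' "$flags" "$epoch" "$agent" "$uuid"
}

# gatekeeper_assess PATH -> exit 0 when spctl accepts the item (macOS only);
# the assessment type follows the file kind: execute for apps, install for
# packages, open (assumed) for disk images
gatekeeper_assess() {
    case $1 in
        *.app) spctl --assess --type execute -v "$1" ;;
        *.pkg) spctl --assess --type install -v "$1" ;;
        *.dmg) spctl --assess --type open --context context:primary-signature -v "$1" ;;
        *)     echo "unsupported file type: $1" >&2; return 2 ;;
    esac
}

# release_if_trusted PATH -> print the quarantine record, assess, and remove the
# attribute only when the assessment passes (otherwise keep it and return 1)
release_if_trusted() {
    f=$1
    if ! raw=$(xattr -p com.apple.quarantine "$f" 2>/dev/null); then
        echo "not quarantined: $f"; return 0
    fi
    decode_quarantine "$raw"
    if gatekeeper_assess "$f"; then
        xattr -dr com.apple.quarantine "$f"    # same command as the post, recursive for bundles
        echo "quarantine removed: $f"
    else
        echo "assessment failed, quarantine kept: $f" >&2
        return 1
    fi
}
```

Call release_if_trusted /path/to/App.dmg on the Mac; a file that fails assessment keeps its quarantine flag and the function returns 1, which is the case worth escalating rather than forcing.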

Friday, August 16, 2024

W365: Case study 1 - Resize windows 365 cloud pc during Grace Period

In a recent discussion within the Microsoft Management Customer Community Program (MCCP) regarding Windows 365, a question was raised: which takes precedence, a license's grace period on its final day or a resize pending license? This blog explores the answer through various scenarios.

You can read more about this topic, which was highlighted by Dieter Kempeneers, on his blog.

Before exploring the case study, kindly check the resize flow chart that Microsoft has released.


Scenario 1:

  • The cloud pc is placed under Grace period.
  • On the last day, i.e. the 7th day morning, assign the user back to the SKU group, then after some time click on the cloud pc, click on the resize option and choose another higher SKU.

  • When you click on resize, it shows exactly what will happen and what needs to be done so that the resize will succeed.

  • Click resize so that the cloud pc is placed under the Resize pending license state.
  • By default, the resize pending license state will last for 48 hrs. But this doesn't mean that the resize pending license will extend the grace period by another 2 days. It still honours the 7-day grace period. The grace period always takes precedence:

          Grace Period > Resize pending license
  • Remove the user from the older SKU group and add the user to the higher SKU license group now.
  • Provisioning will begin once the Entra group is synced.
  • The cloud pc now shows the resizing state.
  • The resizing will take around 20-30 mins.
  • The resizing completes successfully.
Since we initiated the resize on the morning of the last day of the grace period, the resize completed successfully without any issues.

Detailed explanation of the background process:

If a Windows 365 Cloud PC is in the grace period and you reassign the user to the original SKU license group on the last (7th) day of the grace period and then click on resize, here's what typically happens:

1. Reassignment to Original SKU: When you add the user back to the original SKU license group, this action should reinstate the license for that Cloud PC. If the license is reinstated successfully before the end of the grace period, the Cloud PC should return to its active state.

2. Exiting the Grace Period: Once the license is reinstated, the Cloud PC exits the grace period. The Cloud PC will no longer be marked for deprovisioning and will return to normal operation with the original SKU settings.

3. Attempt to Resize: After the license is reinstated and the Cloud PC is no longer in the grace period, you can then attempt to resize it to a higher SKU.
 
    - If the conditions are met (i.e., the Cloud PC is active and has a valid license), the resize operation should initiate normally.
    - The Cloud PC would enter a "Resize pending license" state only if there's a delay in processing the resize due to assigning the license to the higher SKU group.

In summary, if you reassign the user to the original license group before the grace period ends, and then attempt to resize, the resize should proceed as long as the Cloud PC is no longer in the grace period. If the Cloud PC exits the grace period and is active, the resize should move forward without issues.

In our next blog, we will see the scenario for our case study 2. 
Stay Tuned 🔜

Update 20/08/2024  - Continue to case study 2 🚀🚀


Wednesday, August 14, 2024

Intune & macOS - Comparison between macOS Line Of Business LOB PKG vs Non-managed PKG

Here's a comprehensive comparison of the requirements for deploying PKGs as Line of Business (LOB) apps versus unmanaged macOS PKG apps.

Feature/Requirement | Unmanaged macOS PKG | Line of Business PKG apps
Non-flat packages | Supported: hierarchical structure, typically a directory with package components inside | Supported
Component packages | Supported: allows multiple independent components to be installed separately | Supported: component package or package containing multiple packages
Unsigned packages | Supported | Not supported (must be signed with a "Developer ID Installer" certificate)
Packages without a payload | Supported | Not supported (must contain a payload); without a payload, the install will loop until the app is unassigned from the group
Packages installing outside /Applications/ | Supported | Not supported
Custom packages with scripts | Supported | Supported
Contain bundles, disk images or .app files | Supported | Not supported
Signing requirement | None | Must be signed with a "Developer ID Installer" certificate
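To turn the LOB column of that table into a pre-flight check before uploading a package, here is an added example (my own, not the post's or Microsoft's): it rejects bundle-style (non-flat) packages, checks the pkgutil signature output for a Developer ID Installer certificate, expands the package to confirm a Payload exists, and reads each component's install-location. The helpers that parse text run anywhere; lob_preflight itself needs macOS (pkgutil, mktemp). Treating a missing install-location attribute as "/" is my assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight a .pkg against the
# Intune LOB requirements listed in the table above. Parsing helpers take text
# so they can be exercised offline; only lob_preflight calls macOS tools.

# signed_by_developer_id TEXT -> 0 when `pkgutil --check-signature` output
# names a "Developer ID Installer" certificate, 1 otherwise
signed_by_developer_id() {
    printf '%s\n' "$1" | grep -q 'Developer ID Installer:'
}

# install_location TEXT -> prints the install-location attribute of a
# PackageInfo document, or "/" when absent (assumed default)
install_location() {
    loc=$(printf '%s\n' "$1" | sed -n 's/.*install-location="\([^"]*\)".*/\1/p' | head -n 1)
    printf '%s\n' "${loc:-/}"
}

# installs_under_applications LOCATION -> 0 when the path is /Applications or below
installs_under_applications() {
    case $1 in
        /Applications|/Applications/*) return 0 ;;
        *) return 1 ;;
    esac
}

# lob_preflight PKG -> runs all checks on a real package (macOS only); prints
# one line per finding and returns 1 if any LOB requirement is not met
lob_preflight() {
    pkg=$1; rc=0
    if [ -d "$pkg" ]; then
        echo "FAIL: $pkg is a bundle-style (non-flat) package"; return 1
    fi
    if signed_by_developer_id "$(pkgutil --check-signature "$pkg" 2>&1)"; then
        echo "ok: signed with a Developer ID Installer certificate"
    else
        echo "FAIL: not signed with a Developer ID Installer certificate"; rc=1
    fi
    tmp=$(mktemp -d)
    pkgutil --expand "$pkg" "$tmp/x"          # one PackageInfo/Payload pair per component
    if [ -z "$(find "$tmp/x" -name Payload)" ]; then
        echo "FAIL: no payload (Intune keeps reinstalling a payload-free LOB package)"; rc=1
    fi
    for info in $(find "$tmp/x" -name PackageInfo); do
        loc=$(install_location "$(cat "$info")")
        if installs_under_applications "$loc"; then
            echo "ok: component installs to $loc"
        else
            echo "FAIL: component installs to $loc, not under /Applications"; rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}
```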

Monday, August 12, 2024

Intune - Install Intune app in Red Hat Enterprise Linux RHEL 8,9

Install Microsoft Edge

First, install Microsoft Edge by running the following commands:

sudo dnf config-manager --add-repo https://packages.microsoft.com/yumrepos/edge
sudo dnf install microsoft-edge-stable
sudo reboot

Sign in to Microsoft Edge

Open Microsoft Edge browser and sign in first.

Install the Intune App

Next, install the Intune app using the following commands:

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo dnf config-manager --add-repo https://packages.microsoft.com/yumrepos/microsoft-rhel9.0-prod
curl -sSL -O https://packages.microsoft.com/config/rhel/9.0/packages-microsoft-prod.rpm
sudo rpm -i packages-microsoft-prod.rpm
sudo dnf install intune-portal

Upgrade the Intune App


sudo dnf update
or
sudo dnf update intune-portal

Uninstall the Intune App


sudo dnf remove intune-portal

Thursday, August 1, 2024

w365: Clipboard redirection now available in the settings catalog

For security reasons, organisations may want to restrict the clipboard (copy-paste) from the Cloud PC to the base laptop but allow copy-paste from the base laptop to the Cloud PC. How can we achieve this?

The Intune July update (service release 2407) now supports the Clipboard redirection in the settings catalog.

What is Clipboard redirection?

Clipboard redirection in Windows 365 Cloud PCs permits users to copy and paste various types of content, such as text, images and files, between their local device and the remote session in both directions. To enhance security and prevent potential data leaks or the transfer of harmful files, you might consider restricting the clipboard functionality for users or devices.

Administrators have the flexibility to control clipboard usage by determining whether data can be transferred from the session host (Windows 365) to the client or from the client to the session host, and also by specifying the types of content to be allowed.

Pre-Reqs: Configure the clipboard transfer direction in Azure Virtual Desktop | Microsoft Learn

To do this, open Intune portal and navigate to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog.

In the settings catalog, open Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

The settings below are available for both Device and User scope.

  1. Restrict clipboard transfer from server to client - (w365 to base device)
  2. Restrict clipboard transfer from server to client (User)
  3. Restrict clipboard transfer from client to server - (Base device to w365)
  4. Restrict clipboard transfer from client to server (User)

If you do not enable or configure these settings, users can copy contents from the device to the Cloud PC and vice versa.

  1. Restrict clipboard transfer from server to client / (User) - (w365 to base device): if not configured or not enabled, users can copy-paste from the w365 Cloud PC to the base device.
  2. Restrict clipboard transfer from client to server / (User) - (Base device to w365): if not configured or not enabled, users can copy-paste from the base device to the w365 Cloud PC.




If you select the User settings, then it will be applied to the user scope alone. If you select the device settings, then it will be applied to the device scope.

Note: If you have selected both the User and device settings, then the most strict restrictions will be applied to the endpoint.

In this example, we have selected the device settings alone:

  1. Restrict clipboard transfer from server to client
  2. Restrict clipboard transfer from client to server

Once you toggle the Enabled button, you can see the options below in the drop-down for both:

  1. Disable clipboard transfers from session host to client, client to session host, or both.
  2. Allow plain text only.
  3. Allow plain text and images only.
  4. Allow plain text, images, and Rich Text Format only.
  5. Allow plain text, images, Rich Text Format, and HTML only.




Now, you can select the desired option from above and assign it to users/devices/groups in the Assignments section.

Once assigned, in the windows 365 cloud pc (Session Host), sync the device and reboot for the settings to take effect.

Powershell scripts:

https://github.com/app2pack/Windows365-Scripts

Reference: Configure the clipboard transfer direction in Azure Virtual Desktop | Microsoft Learn

If you are interested in understanding how redirection works between the client 💻 and the ☁ Cloud PC, check this detailed article.

https://learn.microsoft.com/azure/virtual-desktop/redirection-remote-desktop-protocol

Thursday, July 25, 2024

W365: cloud pc’s getting disconnected at User first login - Solution

When a user logs in for the first time to their Windows 365 Cloud PC using the Windows App, it logs in and within a few seconds the session gets disconnected, goes to the retry counter and keeps trying to reconnect. After closing the Windows App and retrying, the Cloud PC connects fine. When checked, this was caused by the Zscaler VPN.

The article below explains in depth why Zscaler and other VPNs cause this issue at first Cloud PC login.

Reference: https://techcommunity.microsoft.com/t5/windows-365/optimizing-rdp-connectivity-for-windows-365/m-p/3554327

Download the PowerShell script from here and run it to fetch the IP addresses in CSV format as described in the article.


After that, copy the IP addresses from the CSV file. In the Zscaler Client Connector Portal, go to App Profiles, choose the policy to be applied to the Cloud PCs and click Edit.

In the App Profile, paste the IP addresses from the CSV into the HOSTNAME OR IP ADDRESS BYPASS FOR VPN GATEWAY field and click the plus sign; the IP addresses should be added to the configuration.

Also add the two IPs below, which are used for critical communication with the Azure fabric, to the configuration.

169.254.169.254 - Azure Instance Metadata Service endpoint
168.63.129.16  - Cloud PC Health Monitoring

Once done, in the Zscaler Client Connector go to More > About and click Update Policy. The new app profile policy will then be applied.

After this, when you close and reopen the Windows App and connect to the Windows 365 Cloud PC, the disconnects at first login should disappear and the connection should be stable.

A major point to note is that the gateway addresses change once every month, so we have to run the script again to obtain any new IP addresses and add them to the Zscaler app profile policy.

Reference: https://techcommunity.microsoft.com/t5/windows-365/optimizing-rdp-connectivity-for-windows-365/m-p/3554327

https://community.zscaler.com/s/question/0D54u0000AA0livCQB/windows-365-cloud-pc-disconnecting-on-first-login-after-reboot

Wednesday, July 24, 2024

W365: Screensaver policy cause of frequent disconnects in cloud pc's

Earlier, in my previous blog w365: Managing Cloud pc frequent disconnects due to idle session timeout, I explained the frequent disconnections when the Cloud PC is idle with no activity for 15 minutes and how to overcome them using the settings catalog by setting the idle session limit for the device.

Even after increasing the limit, our users started to complain again that their Cloud PCs were disconnecting if left idle with no activity for 15 minutes.

Upon checking the policies applied, we found that it may be caused by the screen saver policy, which was set to 900s and applied to all devices, including the w365 Cloud PCs.



The Interactive logon: Machine inactivity limit is also set to 900s (15 minutes).


Solution: We created a group for the w365 Cloud PCs and added it as an exclusion group in the screensaver policy that had 900s.

We created a separate policy with 1800s (30 minutes) as the inactivity limit and assigned it to the group containing the w365 Cloud PCs.

Thanks to Marius Muntean for pointing out, on my previous blog, that other settings like the device idle lock/screensaver settings might be the cause of the frequent disconnections when a session is idle for 15 minutes.

Reference: https://gpsearch.azurewebsites.net/#100

Tuesday, July 23, 2024

W365: Display Crowdstrike affected cloud pc Report in Intune

In this blog post, we will see how to check the report that shows the Windows 365 Cloud PCs affected by the CrowdStrike update issue.

Open Intune and navigate to Devices. On the Overview page you can see Cloud PC performance. Under that there is a report named Devices with connection issues, which lists all Cloud PCs that are having connectivity issues; the Cloud PCs affected by the CrowdStrike update will also be listed here.


You can check this via the Host health status. If it shows "ErrorResourceUnavailable" or "ErrorResourceUnavailable_CustomerInitiatedActions", then at present the likely cause is the CrowdStrike issue. This may not always be the case, but at present we can assume that CS might be causing this connectivity issue.

PowerShell script: Windows365-Scripts/Windows365-Report/Crowdstrike_affected_Unhealthy_cloudpc's.ps1 at main · app2pack/Windows365-Scripts · GitHub - kindly test before use

Once you have the cloud pc's identified, you can perform the restore option which I have detailed in my previous blog - W365 : Recovery from Crowdstrike BSOD using restore points | Windows 365 & Intune Management (app2pack.blogspot.com)

Saturday, July 20, 2024

W365 : Recovery from Crowdstrike BSOD using restore points

Now that the CrowdStrike update has caused huge chaos around the world, Windows 365 Cloud PCs were also impacted. Though 2-3 restarts fixed most Cloud PCs, some couldn't recover and started displaying the error below when accessed.

"We couldn't connect because there are currently no available resources. Try again later or if this keeps happening ask your admin or tech support for help"


Restoring your Windows 365 Cloud PC to a previous known working state can be a lifesaver when troubleshooting issues or undoing unwanted changes. With Intune, managing and restoring to a specific restore point is straightforward. Follow these steps to utilize up to 14 available restore points for your Windows 365 Cloud PC.

Prerequisites

- Ensure you have administrative access to Intune.

- Verify that your Windows 365 Cloud PC has restore points created.

Step-by-Step Guide

1. Log in to the Intune Admin Center

2. Select Your Device

   - Go to Devices > Windows 365.

   - Select the specific Cloud PC you want to restore.

3. Access the Restore Points

   - In the device overview pane, click on the Restore tab.


   - You will see a list of available restore points. Note that up to 14 restore points may be available, depending on the device's configuration and usage.

4. Choose the Restore Point

   - Review the restore points by date and description to find the desired state prior to the CS impact.

   - Select the restore point you want to use.

5. Initiate the Restore Process

   - Click on Restore.

   - Confirm your choice when prompted. This will start the restoration process to the selected point.

6. Monitor the Restoration

   - The Cloud PC will undergo the restoration process. This might take some time, depending on the size of changes and data involved.

   - You can monitor the progress through the Intune admin center.

7. Verify the Restoration

   - Once the process is complete, log in to the Cloud PC to verify that it has been restored to the desired state.

Important Considerations

Data Loss: Restoring to a previous point will undo changes made after that point. All apps and data will be lost during this restore to the previous state.

Official source - https://learn.microsoft.com/en-us/windows-365/enterprise/restore-overview

CS BSOD recovery tool


This tool from Microsoft avoids the manual steps that we would otherwise do in the command prompt. It also requires the BitLocker recovery key.

This tool can be used to speed up recovery by omitting the manual cmd commands.

Tuesday, July 9, 2024

w365: Windows installer repair now prompts for UAC

Recently there has been a change in behaviour for the Windows Installer application repair option: it started prompting for UAC. Earlier this didn't happen.

So what happened?

In the July 2024 OS updates for Windows 10/11:

July 9, 2024 - KB5040427 (OS Builds 19044.4651 and 19045.4651) - UAC is now required for the Windows Installer repair option, applicable to the editions below:

Windows 10, version 21H2 editions
Windows 10 Enterprise LTSC 2021
Windows 10 IoT Enterprise LTSC 2021

Earlier, when you clicked on a Windows Installer application for repair, User Account Control (UAC) did not prompt for your credentials.

After you install this update, UAC will prompt users.

To turn off the UAC prompt, set the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableLUAInRepair registry value to 1.

Update (14/07/24): This also seems to impact Windows 11:

https://support.microsoft.com/en-gb/topic/july-9-2024-kb5040435-os-build-26100-1150-954078e3-6c6b-4b6d-885e-f5aa534524a6

https://support.microsoft.com/en-gb/topic/july-9-2024-kb5040442-os-builds-22621-3880-and-22631-3880-0864308e-61cc-413b-8194-0294331aba52





Monday, July 8, 2024

w365 - How to allow local admin access inside windows 365 cloud pc

Enable Local Admin user settings:

Open Intune and navigate to Devices > Windows 365 > User settings, click the Add button, set Enable local admin to Yes and assign it to the group that contains the Cloud PCs for which local admin access needs to be enabled.




PowerShell Scripts:

Windows365-Scripts/W365-AdminPrompt at main · app2pack/Windows365-Scripts · GitHub

Windows365-Scripts/W365-AdminPrompt-SystemContext.ps1 at main · app2pack/Windows365-Scripts · GitHub

Friday, July 5, 2024

Intune & macOS management - Couldn't add your device. Your IT support doesn't allow OSX devices to be added to management

After creating the Apple MDM push certificate in the Intune portal and testing on a macOS device, when you install the Company Portal, log in and try to enrol, the app shows the error:

"Couldn't add your device.

Your IT support doesn't allow OSX devices to be added to management." 


The first step is to check in the Intune portal under Devices > Enrollment > Monitor > Enrollment failures for any entry for the affected user.


In this scenario, the issue was due to the device type restrictions that were blocking macOS devices.

Solution:

Open the Intune portal and go to Devices > Enrollment > Apple.

Select Device platform restrictions and switch to the macOS restrictions tab.

Your administrator may have created a device restriction earlier to block the enrollment of macOS. If there are multiple restrictions created for devices, open them one by one and make sure the macOS platform is allowed for enrollment.

When you edit a restriction and go to its properties, under Platform settings you can find out whether macOS devices are allowed to enroll or are blocked.