Before I start, a simple disclaimer: I am no Johan van Amersfoort, aka expert in all things VDI. Despite all of that, I am here today to provide details on my PoC/evaluation of Windows 365. Yes, I had to look up how to spell his name. Even though I am an expert at speaking Dutch, as I proved recently on YouTube:
With that in mind, today we will provide an overview of Windows 365 and its current capabilities, showcase some of the great things it's doing today, and some of my perceived gaps for a traditional VDI customer. Let's dig in and talk about this new exciting desktop replacement known as Windows 365. This is going to be part 1 of a two-part series. This week we will cover some basic overviews and the good and bad of Windows 365. Next week, we will take a deeper look into the Windows 365 capabilities.
Windows 365 Overview
We will start by covering a short overview of what Windows 365 is from a feature perspective and its resulting architecture.
What is Windows 365?
As you can read on Microsoft's site, Windows 365 is basically a new cloud-based offering that automatically creates "Cloud PCs" for users. They're persistent (fully dedicated) virtual desktops. Two editions are offered, Business and Enterprise; we will be focusing on Enterprise today. Here's a basic comparison:
| Features | Windows 365 Business | Windows 365 Enterprise |
|---|---|---|
| License Requirements | No set requirements | Requires Windows Enterprise, MEM, and Azure AD P1 |
| Networking | Egress provided based on VM size, up to 70 GB per month for a 32-GB RAM machine | Same as Business, but you can use your own network |
| Provisioning | Deploys via a standard image and configurations | Supports standard image, custom image, granting local admins, and deploying policy by AD group |
| Policy Management | Not supported | Leveraging MEM |
| App Deployment | Supported with an Intune license | Supported (leverages Intune app deployment capabilities) |
| Windows Updates | Uses Windows Update for Business | Managed in MEM leveraging Windows Autopatch (requires Windows Enterprise E3 licenses) |
| Device Management | Limited; managed like a regular Windows device if you have Intune | MEM admin center provides image management, on-premises resourcing, policy management, resizing Cloud PCs, and more |
| Other Enterprise Features | Not supported | Endpoint Analytics, troubleshooting capabilities, MSP support, Security Baselines, native Defender integration, and Universal Print |
Windows 365 Architecture
From an architecture perspective, we can look at a few different areas:
- Microsoft Endpoint Manager (MEM) integration
- Directory Services
- User Experience
Let’s check out each of these areas so we have a good idea of what the platform offers.
Windows 365 Networking
From a networking perspective, you have two options:
- Leveraging Azure AD Join and a Microsoft-hosted network
- Using your network via an Azure Network Connection (ANC)
I'm no expert on ANC, and my PoC was mainly focused on option 1, but the gist is that the ANC gives your Cloud PC the information needed to reach network-based resources. When you use Hybrid Azure AD Join, you must provide the ANC with connectivity to your AD environment and the domain details.
The ANCs are used at two times:
- When the Cloud PC is provisioned
- When Windows 365 checks the on-prem connection to ensure a good user experience
The good thing about ANC is that you can use it to extend access between your Azure regions and those supported by Windows 365, using Azure peering or Virtual WAN. Using your own network also brings a few features into play:
- Azure Network Security Groups
- User Defined Routing (Traffic Routing)
- Azure Firewall
- Network Virtual Appliances (examples include WAN optimizers or SD-WAN to name a few)
Regardless of what you do, Microsoft Defender is an absolute must, as I talked about in my article here, so you can limit potential DLP issues and the attack surface as a whole.
Microsoft Endpoint Manager Integration
MEM plays a major role with Windows 365. You can see below how it is directly integrated into MEM:
The Windows 365 blade in MEM is where you go to manage your fleet, build your provisioning policies, custom images and Azure network connections, and customize specific user settings. Beyond that, you manage your devices within MEM like a regular PC.
The interesting concept is that all Cloud PC enforcement happens essentially at the UEM level. You use security baselines to secure devices, configuration profiles to secure and deliver experiences to these devices, and a number of end-user capabilities to deliver value.
Overall, the point is that this makes life significantly easier and creates synergy by letting your MEM team manage your Cloud PCs without changing much about their day-to-day.
Directory Services
With Windows 365, you can leverage either Azure AD, Azure AD-DS, or AD-DS for user authentication, device identity services, and domain-joining capabilities via AAD-Join or Hybrid.
Azure AD Conditional Access is also brought into the fold to provide additional features:
- Location-based restrictions
- Login/Sign-in risk management
- Session Limiting capabilities
- Device Compliance controls
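As an added example (not code from the original post), here is how those four controls map onto two Conditional Access policies created through the Microsoft Graph PowerShell SDK, both created in report-only mode so you can review the sign-in log impact before enforcing. The group object IDs and the application IDs of the Windows 365 and Azure Virtual Desktop service principals are placeholders you fill in from your own tenant.

```powershell
# Added example: Conditional Access for Cloud PC sign-ins via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK and Policy.ReadWrite.ConditionalAccess consent.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholders: replace with object IDs from your tenant.
$cloudPcUsersGroup = "<object-id-of-cloud-pc-users-group>"
$breakGlassGroup   = "<object-id-of-break-glass-admins-group>"
# Placeholders: the application IDs of the Windows 365 and Azure Virtual Desktop
# service principals in your tenant (Cloud PC sessions authenticate against both).
$targetApps = @("<windows-365-app-id>", "<azure-virtual-desktop-app-id>")

# Policy 1: outside trusted locations, require a compliant device plus MFA and
# re-authenticate every 8 hours (location restriction, device compliance, session limit).
$grantPolicy = @{
  displayName = "W365 - compliant device + MFA outside trusted locations"
  state       = "enabledForReportingButNotEnforced"   # report-only first
  conditions  = @{
    users          = @{ includeGroups = @($cloudPcUsersGroup); excludeGroups = @($breakGlassGroup) }
    applications   = @{ includeApplications = $targetApps }
    clientAppTypes = @("all")
    locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
  }
  grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
  sessionControls = @{
    signInFrequency = @{ value = 8; type = "hours"; isEnabled = $true }
  }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $grantPolicy

# Policy 2: block Cloud PC sign-ins that Identity Protection scores as high risk
# (sign-in risk management). Kept separate so the block cannot be satisfied by MFA.
$blockRiskyPolicy = @{
  displayName = "W365 - block high sign-in risk"
  state       = "enabledForReportingButNotEnforced"
  conditions  = @{
    users            = @{ includeGroups = @($cloudPcUsersGroup); excludeGroups = @($breakGlassGroup) }
    applications     = @{ includeApplications = $targetApps }
    clientAppTypes   = @("all")
    signInRiskLevels = @("high")
  }
  grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockRiskyPolicy
```

The sign-in risk condition in the second policy depends on Azure AD Identity Protection, which needs Azure AD P2 rather than the P1 that Windows 365 Enterprise itself requires.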
User Experience
The user experience is by far the most important part of this. The actual access to a Cloud PC is driven by Azure Virtual Desktop. The connections to the machine are made to AVD endpoints, ideally through the Windows 365 desktop client or Windows365.microsoft.com (the web portal). The AVD architecture looks similar to the diagram below, and you can read more about it here:
We will cover some additional user experience capabilities next week when we talk about the features available currently in Windows 365.
What does Windows 365 Get Right?
Windows 365 in my opinion does many things really well. The things that I love about it are:
- Super easy to roll out, deploy, and manage
- Leverages gallery images or custom images with minimal effort
- Uses the same MEM capabilities, which lets you manage Cloud PCs just like physical PCs
- Provides endpoint analytics similar to full DEEM solutions
- Users can be given local admin rights by AD group
- Users can now do their own point-in-time restores, which are automatically captured every 4-24 hours
- Uses the Windows Autopatch service to automate patching much better than Windows Update for Business
- Legal hold capabilities
- Support for Cloud PC Security Baselines
- Support for Remote Management
In general, I think they do a really nice job with this offering. Do I think it’s a replacement for VDI? Let’s get into that more!
What can Windows 365 Improve?
In fairness, Windows 365 is barely a year old, so it's important to keep an eye on their release notes.
Some of the gaps I currently see, as a VDI guy, are:
- No Mobile App
- It takes ~1 hour for new VMs to deploy.
- The pricing is not a good fit as a VDI replacement, but is more fitting of a PCaaS replacement in my opinion.
- App Deployments are fairly slow when compared to other solutions like AppVolumes.
- Non-MSI app deployments take a ton of time, which we will look into next week.
- All data is local and doesn’t use any profile technologies e.g., FSLogix. It’s debatable whether that’s a problem or not.
- NVIDIA cards don't tend to play too well with Microsoft clients for AVD or Windows 365. G-Sync had to be disabled to get rid of flickering issues.
My overall opinion on Windows 365 is that it is a GREAT option for some companies. It’s a perfect fit for Small and Medium Business, but I just don’t see it as an Enterprise VDI replacement. Azure Virtual Desktop is probably a closer fit in that regard. Many of us in Horizon and other technologies have been trying to get away from Persistent VDI for quite some time if possible.
Additionally, Windows 365 is significantly better than I expected it to be. You never know how the first year of a product is going to go, but I really love it for a medium-sized business. It's an actually achievable business outcome that doesn't require a rocket scientist to deliver. I look forward to revisiting it in 2023, and I hope it becomes faster and more efficient from an administrative perspective. Users are excited about it, and I definitely see some potential.