Before explaining the Windows 365 architecture, we want to jump back in time. Originally, Windows 365 was built under the internal project codename Project Deschutes (Self-Managed), and the architecture diagram was called Host-On-Behalf-Of (HOBO).

This type of architecture means that all the components of the virtual machine and Cloud PC services run in a Microsoft-managed subscription and are managed on behalf of the customer.

In the early days of Windows 365, some of the components couldn’t function individually when not part of a single Azure subscription, for example, Azure Virtual Desktop (AVD) service components. All these things are, of course, fixed and running inside Microsoft’s own managed environment.

As you can see in Figure 2.1, Windows 365 uses AVD as a control plane service. The services mentioned in the Windows 365 Service section are developed specifically for Windows 365 as part of the SaaS-based cloud offering...

Microsoft has done a great job with Windows 365 by simplifying the creation of Cloud PCs for users. Both IT management and the end user experience are very simple to learn about and use. Getting started with deploying Cloud PCs is just a few clicks away and the scalability is very powerful in comparison with AVD. Even though the Windows 365 service is almost a plug-and-play solution, there are a few things you as an organization must manage yourself.

Depending on your domain and network configuration, you can either go full cloud with Entra ID join together with hosted networks or go for Hybrid Entra ID join. The following table helps you understand the level of responsibility per service component:

Figure 2.2: Responsibilities per Windows 365 and AVD service

In the next chapter, we will switch from responsibilities to service components, explaining each of them to ensure you understand...

Entra ID user identities are used everywhere—from logging in to Microsoft 365 to logging in to Windows OS, and it’s no different in Windows 365. A user needs an identity to get and connect to a Cloud PC. A user identity can be created in one of two places: Entra ID or Active Directory (AD). If a user is created in AD, the identity must be synchronized to Entra ID before the user can be assigned a Cloud PC and login. You will be able to synchronize users with Entra ID Cloud Sync or Microsoft Entra Cloud Sync. We will not go into these two synchronization options in depth, but in general, if you need to synchronize devices from AD to Entra ID, you can’t use Microsoft Entra Cloud Sync as it does not support it. When a user exists in both AD and Entra ID, it is what we define as a hybrid user identity.

When a user is created in Entra ID, we define it as a cloud-only user. A cloud-only user does not have any integration into the traditional...

User profiles within Windows 365 are delivered as part of the cloud service, meaning OneDrive, Microsoft 365 settings sync, Enterprise State Roaming, and the high availability of your managed disks delivered with high redundancy, including multiple restore points, are included in all licenses.

Cloud PCs don’t use FSLogix profile containers, as they are designed for non-persistent environments, most likely based on multi-session OSs. In traditional Virtual Desktop Infrastructure (VDI) deployments, all kinds of complex solutions have been used to bring the physical and virtual worlds together. Within Windows 365, we don’t have this challenge as we work with personal profiles and leverage other technology to modernize a user profile while also making personal documents available across all devices.

Even though a Cloud PC is quite like a physical PC, the main difference is a Cloud PC is a virtual device that the user connects to over the internet. This brings a whole new layer of network connectivity compared to physical devices. It’s important to understand how a connection from the user’s physical device to the Cloud PC is established. There are also some requirements that must be in place to ensure the best connectivity for the end user. In this section, you will get to know the essentials of network dataflow in the Windows 365 service.

When a user connects to their Cloud PC, they don’t connect like users normally connect in a Remote Desktop Services (RDS) environment. The connection from the user’s physical device to the Cloud PC is established by utilizing what’s called reverse connect transport.

Reverse connect transport uses outbound connectivity from the physical device to the Windows 365 infrastructure that...

Co-management is a feature of Microsoft Intune/Configuration Manager that allows IT admins to use both Intune and Configuration Manager concurrently for Windows 10 and Windows 11 management. It combines your existing on-premises Configuration Manager environment with the cloud using Intune and other Microsoft 365 cloud services such as Windows 365. You can choose whether Configuration Manager or Intune is the management authority for the seven different workload groups. These groups are:

• Compliance policies
• Windows Update policies
• Resource access policies
• Endpoint Protection
• Device configuration
• Office Click-to-Run apps
• Client apps

As part of Endpoint Manager, co-management uses cloud features, including conditional access. You keep some tasks on-premises while running other tasks in the cloud with Intune. Throughout this book, we will focus on purely Intune management. If you want to learn more about Configuration...

Business Continuity and Disaster Recovery (BCDR) are critical components of any organization’s risk management strategy. Disruptions can occur at any time, whether it’s due to natural disasters, cyber-attacks, or other unexpected events, and without proper planning and preparation, the consequences can be catastrophic. Business continuity is the process of maintaining essential business operations during a disruption, while disaster recovery is the process of restoring critical IT systems and infrastructure after an outage. Both are essential for ensuring that organizations can recover quickly and minimizing the impact of an unexpected event.

As you are aware, BCDR can be a daunting task, particularly when it comes to user desktops. Broadly speaking, the process of business continuity planning involves four key aspects: assessment, planning, capability validation, and communication. Experts from various fields, including...

To administrate a Windows 365 environment, you will need administrative permissions. This is where RBAC roles come into play. With RBAC roles, you will be able to manage specific permissions and actions for each IT user that needs to support your Windows 365 solution.

RBAC roles and structure

This might not be the first time you’ve heard about RBAC roles; it’s also a widely used permission system in Microsoft Azure subscriptions and in Entra ID. When looking inside Entra ID RBAC roles, we will find a Windows 365 dedicated role. So, what is the difference between using RBAC roles from Entra ID and from Microsoft Intune?

With RBAC roles in Microsoft Intune, you’ll be able to choose a specific permission/action for every single aspect. An example of this is that you can turn off the resize feature for some specific administrative users but still give them permission to act on other features. By using RBAC roles in Entra ID, you...

We hope you’re getting warmed up now, as this architecture-focused chapter comes to an end. We explained what services are cloudified, in the Windows 365 architecture section, what services are Microsoft-managed, and what is still your responsibility as a customer. We also took a deep dive into the different connectivity layers and options to optimize your network connectivity from the endpoint to your Cloud PC.

In the next chapter, we will go into overdrive mode and start explaining how you can implement and manage Cloud PCs yourself. We’re pretty sure that it will be the chapter you enjoy the most!

At the end of each chapter, there are three questions you can use to evaluate your learning and challenge yourself. The questions for this chapter are as follows:

1. What is the most important component Windows 365 manages on behalf of the customer that is unique to the service (there is no other solution to do so on the market)?
2. What network port and protocol are used when using Windows 365?
3. For which scenarios is RDP Shortpath important?

If you want to learn more about the subjects covered in this chapter, you can do so by visiting the following websites:

• Documentation of Windows 365 network requirements | Microsoft Learn (https://learn.microsoft.com/en-us/windows-365/enterprise/requirements-network?tabs=enterprise%2Cent)
• Data Resiliency in Microsoft 365 - Microsoft Service Assurance | Microsoft Learn (https://learn.microsoft.com/compliance/assurance/assurance-data-resiliency-overview)
• Some handy tools:
  • Test your Microsoft and Windows 365 connectivity via https://connectivity.office.com
  • Service health in the Microsoft 365 admin center is a great tool for detecting potential service issues, including their scope of impact (https://admin.microsoft.com/#/servicehealth)

Join our community on Discord

Join our community’s Discord space for discussions with the authors and other readers:

https://packt.link/SecNet