Microsoft just launched Windows 365 Cloud PC on August 2nd. This is an important new service as, unlike Azure Virtual Desktop (AVD), the desktop you’ll be consuming is charged at a flat price each month. With Azure Virtual Desktop, you pay per consumption which can be scary as it may not be predictable.
While AVD historically has required setup of a Site to Site VPN and Active Directory, Cloud PC’s Business SKU only needs Azure Active Directory – no VPN or on-prem AD expected. While you may have needed profile management solutions like FSLogix for Azure Virtual Desktop and those non-persistent use cases, Cloud PC is persistent with no profile management required.
There’s a Business SKU and Enterprise SKU. I mentioned that the Business SKU can work just fine simply with Azure AD. The Business SKU is recommended for 300 or fewer users. Enterprise is for 300+.
As of writing, Enterprise requires a full Active Directory Domain that is Azure AD Hybrid Join enabled. You can set up a VNET to connect through to your on-prem DC or possibly to your Active Directory Domain Controllers hosted in Azure. You can use Microsoft Endpoint Manager to deploy your custom images, deploy applications, set policies and more.
Unfortunately, at least for now, the Windows 365 MEM integration doesn’t work for Business. There’s a Windows 365 menu in MEM that doesn’t open when using the Business SKU. You can enroll your Business desktops, and everything in MEM appears to work for managing the desktops other than desktop provisioning, but it’s unclear at this time if it’s supported for Business at all.
For my testing, I went with a Business Desktop because the idea of having a desktop that only requires Azure AD and potentially no other Azure resources is the most appealing to me as I discussed extensively in this article.
Personally, I find the pricing of Cloud PC to be pretty steep. Just for a middle-of-the-road desktop, e.g. 2 vCPU, 8GB RAM and 128GB of storage, you can expect to pay 30 euros per month. On top of that, I also need a valid 365 license and potentially have to pay monthly for a Windows OS license, which I’ll explain further below.
made a few changes, version 3 so to say. Added all the CPU sizes and either DC in Azure (why why??) and S2S/ER choices.. it’s an interesting puzzle for a Friday evening.. now time for a glass of wine and some nuts pic.twitter.com/PaE0qNDh8R
— Rob Beekmans (@robbeekmans) August 13, 2021
For a rough idea of how much the Enterprise SKU might cost you, check out Rob Beekmans’ excellent chart mentioned in his Tweet above. Please note that the Business SKU doesn’t require any of the consumption or optional resources, and Analytics specifically is not available for Business right now. While MEM does appear to work for the Business SKU, it may not be supported either.
Looking just at the price of the desktop, I tried to compare it with my high-end Alienware laptop, which I paid 2,300 euros for. The average life of my laptops is usually about 6-7 years. That could work out at about 30 euros per month, BUT my Alienware has a great graphics card, a much larger and faster disk, more memory, and the OS included. It also works offline.
I find the license requirements quite confusing. It’s not enough to just provide a desktop; the user also has to have a 365 license, and if they don’t use Windows 10 Pro or Enterprise on their primary work device, you need to pay about 4 euros extra a month, at least when using the Business Edition. That’s really annoying and turns me off the service.
There have been multiple reports from people trying the Business Desktop who had the correct 365 license but received an activation error when they logged into the desktop. This appeared to be due to the desktop using Shared Activation, which requires a premium license.
I hope they just roll everything into the service in future for a single cheaper flat fee.
Onboarding and setup of the desktop within Windows 365 was a breeze. Selecting the type of desktop and size I’d like using a UI wizard was a fantastic experience, and I had my desktop ready for use within an hour. Others reported significant delays, but I would guess that was due to the huge demands on the service as it launched.
The desktop itself works pretty well. It’s not a dazzling world-beater, but I could easily see myself doing most of my day-to-day browsing and work on it. If you choose the lowest spec desktop designed for task workers – beware! You’ll be very limited in what you can do. That desktop has 1 vCPU and 2GB of memory. They say it’s for those who only need a browser, but even then they could feel a pinch with a few too many tabs open. Also, when it comes time to patch those desktops, it could take a long time. In my experience, Windows Updates don’t go so well with a single vCPU.
On the desktop I selected, the disk was the only area of concern. It worked fine, and I only noticed issues a couple of times with opening directories taking several seconds, but it was still concerning.
While I can do most of what I need on my Cloud PC, I wouldn’t try recording or rendering video on it or playing Flight Simulator any time soon. You just have to appreciate the limits or pay a lot of money for a high-end desktop spec, but even if you do, as of this writing there is no vGPU option available.
The fact that the desktops are running in Microsoft’s high-performance data centres means the download and upload speeds achieved on the desktops are enterprise-class. Someone working from home on a 40Mbps connection can still get up to 10GBps download speeds on these desktops, and the protocol is good enough that their limited home connection should not cause any user experience problems. To them, it feels like working with that high-speed connection, without disruptions and connection drops, which is pretty awesome.
For more information on performance, check out Ryan Mangan’s awesome blog post about performance.
Would you like to try to dump your #Windows365 Azure passwords in the Web Interface too?
A new #mimikatz 🥝release is here to test!
(Remote Desktop client still works, of course!)
— 🥝🏳️🌈 Benjamin Delpy (@gentilkiwi) August 7, 2021
Benjamin Delpy, the creator of Mimikatz, shared some worrying demos showing his ability to retrieve passwords in plain text with the command line utility he created on a base Cloud PC. Microsoft highlighted their Zero Trust architecture for the service, but that appears to only apply to some of the infrastructure components that the service is built on and definitely not the desktop itself. The actual OS is not locked down or secured any more than a base Windows 10 desktop. In fact, it’s probably less secure than the typical laptop or PC you’d buy from a vendor, since security features are usually enabled in their BIOS and/or in the OS when you boot up the first time.
When my desktop was provisioned, the first thing I noticed was that I had Windows Updates pending install, which was surprising. I had thought the provisioned desktop would at least be at the most current patch level, but it was not. Don’t forget, once you have your desktop provisioned, you will need to ensure it is patched and maintained going forward. This is, after all, just like having a PC in the cloud.
If you opt for the Enterprise SKU, you can use MEM to set some policies, configure and manage Defender and more, but you should certainly consider adding extra protection like Credential Guard and PolicyPak.
For more info on security recommendations for the service, check out Ryan and Benjamin’s suggestions.
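As a quick way to see where a freshly provisioned Cloud PC stands on the points raised above, here is an added read-only posture check (my own example, not code from the original post or from Microsoft): it reports whether Credential Guard and HVCI are running, whether LSA protection is on, whether WDigest is caching clear-text passwords, and how many updates are pending. The function name is an assumption; the WMI class and registry paths are standard Windows locations.

```powershell
# Added example (not from the original post): read-only posture check for a
# freshly provisioned Cloud PC. Run in an elevated PowerShell session on the
# desktop itself. Function name is an assumption; the WMI class and registry
# paths are standard Windows locations.
function Get-CloudPcPosture {
    $findings = @()

    # Credential Guard / HVCI status from the Device Guard WMI class.
    # SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg -or $dg.SecurityServicesRunning -notcontains 1) {
        $findings += 'Credential Guard is NOT running: LSASS secrets are not isolated.'
    }
    if (-not $dg -or $dg.SecurityServicesRunning -notcontains 2) {
        $findings += 'HVCI (memory integrity) is NOT running.'
    }

    # LSA protection: RunAsPPL=1 runs LSASS as a protected process.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($lsa.RunAsPPL -ne 1) {
        $findings += 'LSA protection (RunAsPPL) is NOT enabled.'
    }

    # WDigest: UseLogonCredential=1 would keep clear-text passwords in LSASS memory.
    $wd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                           -ErrorAction SilentlyContinue
    if ($wd.UseLogonCredential -eq 1) {
        $findings += 'WDigest UseLogonCredential=1: clear-text passwords cached in LSASS.'
    }

    # Pending updates, the state the author found on day one. The Windows Update
    # COM API is built into every Windows 10 desktop.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    if ($pending.Count -gt 0) {
        $findings += "$($pending.Count) Windows update(s) pending install."
    }

    if ($findings.Count -eq 0) { $findings += 'No gaps found by this check.' }
    return $findings
}

Get-CloudPcPosture | ForEach-Object { Write-Output "[posture] $_" }
```

On the Business SKU there is no MEM-backed remediation to lean on, so anything this reports has to be fixed by hand or with a custom image before users get the desktop.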
I’ve only tested the Business SKU. This is on purpose on my part. I don’t see myself using Enterprise in deployments, and at this point, I’m guessing that AVD will make more sense for larger deployments where always-on desktops aren’t required.
I had expected to be able to manage my Business desktops with MEM, and I can, to a certain point. I can deploy policies, manage Defender and deploy applications after enrolling desktops once they’ve been provisioned via the Windows 365 web UI. Running Defender scans, for example, is relatively quick, but deploying applications seems painfully slow, with simple Line of Business app deployments taking between 15 and 30 minutes with frequent Sync attempts (due to me not being very patient).
While I’ve got MEM working for my Cloud PC, the Windows 365 menu in MEM doesn’t work unless you have Enterprise. As far as I understand right now, MEM is also not supported for the Business desktops. I’m sure that will change, but as of right now, I don’t see how these desktops are manageable, at least if you’re relying on Microsoft tooling. You should also note that Endpoint Analytics appears to only be accessible when using the Enterprise SKU, and the Desktop Analytics available within MEM won’t work with the Business Desktop at least, as it requires you to set up an Azure Workspace.
You can assign a Business desktop to a user in your AAD via the web UI. It will provision it, and you can then enroll it in MEM. It should work for the most part, but you may not get support. You may need to turn to 3rd party tools like PolicyPak, AppCure, Numecent Cloudpaging and others. If PDQ will support Cloud PC, perhaps that’s an option too. In this regard, I feel the service was launched a few weeks prematurely.
The fact that Cloud PCs are persistent 1:1 machines means profile management isn’t a necessity. It also makes other areas of management simpler. Though in reality, if the management tools aren’t up to the task, then resetting a desktop and trying to get everything back in place may be difficult. Also, with a persistent machine that’s deployed with a set baseline image and which requires monthly patching with MEM, it could be a slow, painful process, in my opinion. It won’t be as slick as deploying the updated image with AVD, Citrix MCS & PVS and via VMware Horizon snaps/clones.
While I personally prefer the update and maintenance cycle in VDI, a recent article by PCMag in the UK quoted Microsoft’s Scott Manchester as saying: “We kept hearing that these partners had much more on-hand staff expertise in endpoint management than they had skilled experts in virtualization.” So while I perceive it as a negative, it may very well act as a major selling point for why some organizations will select Windows 365 over Azure Virtual Desktop.
One extra point about apps. Currently, MSIX Packages in AVD require a file share hosted in Azure to work. MEM does not appear to have an MSIX App Attach option, at least not for Business. If you’d like to deploy these types of apps, you’ll either have to get very creative with a scripted solution or use a 3rd party product.
The above video shows Cloudpaging working in Azure Virtual Desktop, and we have also tested it successfully in Cloud PC.
For my app deployments, I tested deploying MSI and MSIX packages via MEM, and they worked. I turned to Cloudpaging for most of my apps, which works amazingly well in this scenario – it’s even easier than usual since there are no additional settings required for the agent. You don’t even have to deploy the Cloudpaging Player. It’s put down on the machine the first time you launch a published app and persists thereafter. The apps also persist since the desktop is persistent. No cache management settings are required. For fun, I also tried using Windows Package Manager, which also worked well.
The onboarding is a dream come true. It’s awesome. AADJ is the future of DaaS. Selfishly, I am all about app virtualization and AVD, Cloud PC, and all DaaS makes app virtualization all the more powerful and relevant again.
The performance on the desktop is ok. The protocol is no longer a million miles off the pace of ICA/HDX, and it should be suitable for most workers. It is great to have such an amazing download speed when using the desktops. With that said, the performance for the price you’re paying and the value factor is another story. You should perhaps compare everything you have in place plus on-prem today, including what you pay for power, data centre, network, security etc., vs what you’d pay for this service. Security of the desktop has major question marks over it right now. You certainly don’t just want to use the base desktop you get when provisioning the Business Desktop without a custom image. You’ll also need to layer in your own security.
In the same PCMag article I mentioned earlier, Melissa Grant from Microsoft is quoted suggesting the Business version is the best option if you need something turnkey. That statement is a little troubling to me. It certainly is turnkey as far as getting you a very basic virtual machine provisioned and available for your users, BUT do not expect to just let your users onto those desktops without doing some further configuration and locking down of the machine first. As I said, when I logged into my Business Desktop on August 2nd, it had pending updates ready for install. As pointed out by Benjamin and Ryan, there are also other security concerns you should address. You could let users be admins and install their own apps, but that’s a terrible idea. Also remember that while the machine is persistent, if you ever have to reset it, any apps that were installed or data put on that machine are going to be wiped. It would be best to manage the apps, data and security. How you achieve all of that on the Business Desktop is unclear to me at this time, since MEM is not necessarily supported for this SKU, and even if it was, the time it takes for app deployments to sync is too slow for my tastes.
Manageability of the Business Desktop is up in the air – Enterprise is a bit better, and from what Microsoft has said, an Azure AD only Enterprise option should be coming in the future. Based on how slow MEM appears to be, as already stated, I don’t think I’d rely on it for app deployments. At least not for most apps, and definitely not in a fast-paced, reactive environment such as healthcare.
Finally, the licensing is super confusing. I really hope they simplify it in future.
Update: After publishing this article, I found out that AADJ for the Enterprise SKU should be available this calendar year, as should MEM integration and support for the Business SKU, with vGPUs coming soon.
All in all, I think there are enough positive takeaways to be very excited about the service. Congratulations to the Microsoft team. If you haven’t already, you should check it out in a lab Azure tenant.