When configuring Windows 365 CloudPC’s we have to set a provisioning policy. These policies have settings and provisioning rules for the Microsoft backend of the Windows 365 service to configure the right Cloud PCs for your users. After provisioning policies are created and assigned to the Azure AD user security groups. The security groups can be Dynamic security user group .
What we are seeing for best performances in Windows 365 and best practice from Microsoft you have to provision the CloudPC nearest to the users regions datacenter. For one of our customers we had to create a solution because they are based all over the world.
How to solve this!
What we want to do.
After checking the provisioning policy it set to a user security group and can be a dynamic group. After looking at some expressions possible with dynamic groups Rules for dynamically populated groups membership – Azure AD | Microsoft Docs we have to look at a possibility to use a rule to get all the users for a specific datacenter in region and only those having a CloudPC license
What’s going on in the backend.
We want to have two things to create a rule, the CloudPC license and the location
Step 1 find the Cloud license.
Go too the graph explorer Graph Explorer – Microsoft Graph and signed in
Go to the beta section and place https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs, keep mind that if you want to do it yourself you have to consent permissions for CloudPC.Read.All
Goto Modify permissions and consent CloudPC.Read.All
After running the query check the outcome of the query there you will see something like the picture below.
Here we can see serviceplanId: 2de9c682-ca3f-4f2b-b360-dfc4775db133 and stands for a 4CPU 16 GB 128GG. After checking an other user with a other license it has assigned to him : 3efff3fe-528a-4fc5-b1ba-845802cc764f
Because the provisioning policy doesn’t decide which type of CloudPC the user should get but the license is, we want to create a simple dynamic group what should not be carrying all the rules of every ServiceplanID there are in the CloudPC range so the hunt of all the id’s keeps on going.
Dynamic expression hunting.
When you run the following expression (user.assignedPlans -any (assignedPlan.service -eq “2de9c682-ca3f-4f2b-b360-dfc4775db133” -and assignedPlan.capabilityStatus -eq “Enabled”)) and validate a user with the license assigned you can see some magic going on
What we see here the service name CloudPC-MX, let’s see what happens after giving this name a try in the following expression (user.assignedPlans -any (assignedPlan.service -eq “CloudPC-MX” -and assignedPlan.capabilityStatus -eq “Enabled”))
And this is the result for all user who have a Windows 365 license assigned.
Step 1 in the pocket 🥳
Step 2 connect users to a region of the datacenter.
For Windows 365 there are several possibilities to choose from when coming to datacenters
In our case we want to use 2 datacenters and specific countries:
- West-Europe
- Asia South-east
But if you want to narrow it down it is possible
After checking we want to create a expression with all the specific countries for a specific Azure region. Below are the countries in the West-Europe region
West-Europe:
- (user.usageLocation -eq “NL”)
- (user.usageLocation -eq “BE”)
- (user.usageLocation -eq “LU”)
- (user.usageLocation -eq “FR”)
- (user.usageLocation -eq “ES”)
- (user.usageLocation -eq “PT”)
- (user.usageLocation -eq “MC”)
- (user.usageLocation -eq “DE”)
- (user.usageLocation -eq “AT”)
- (user.usageLocation -eq “DK”)
- (user.usageLocation -eq “IT”)
- (user.usageLocation -eq “NO”)
- (user.usageLocation -eq “SE”)
- (user.usageLocation -eq “CZ”)
- (user.usageLocation -eq “GR”)
- (user.usageLocation -eq “HR”)
- (user.usageLocation -eq “FI”)
- (user.usageLocation -eq “PL”)
- (user.usageLocation -eq “SK”)
- (user.usageLocation -eq “CH”)
- (user.usageLocation -eq “GB”)
- (user.usageLocation -eq “IE”)
Asia South-east:
- (user.usageLocation -eq “HK”)
- (user.usageLocation -eq “IN”)
- (user.usageLocation -eq “BD”)
- (user.usageLocation -eq “KE”)
Let’s mix things up
Because we want to create one expression in the dynamic group we have to mix the two steps together in one expression. keep mind sometimes some closing characters fall of when creating the expression
For the West-Europe and Asian regions we created a specific group for our customer, but keep in mind there a regions in Windows 365 CloudPC wich are more specific like France and Germany. but we wanted to create a more simpler form for now. But we are creating different dynamic groups in the near future and then a update on this post will happen. After digging into the expression we came to the conclusion that it didn’t work because we hit a limit on the expressions so we created 4 different Dynamic groups
Dynamic Group West-Europe:
(user.assignedPlans -any assignedPlan.service -eq “CloudPC-MX” -and assignedPlan.capabilityStatus -eq “Enabled”) and (user.usageLocation -in [“GB”,”IE”,”NL”,”BE”,”LU”,”FR”,”ES”,”PT”,”MC”,”DE”,”AT”,”DK”,”IT”,”NO”,”SE”,”CZ”,”GR”,”HR”,”FI”,”PL”,”SK”,”CH”])
Dynamic Group Asia South-east:
(user.assignedPlans -any assignedPlan.service -eq “CloudPC-MX” -and assignedPlan.capabilityStatus -eq “Enabled”) and (user.usageLocation -in [“HK”,”IN”,”BD”,”KE”])
Now we created the dynamic groups and ready with the basics. now we have to get these dynamic group to get to work for our Window 365 environment.
Create Provisioning policy.
In Endpoint Manager go to Devices Provisioning Windows 365
Click on Provisioning policies.
Click on Create policy
Fill in Name and perhaps Description, we will be using this CloudPC as a Cloud only device so we choose Azure AD Join. For the network we choose Microsoft hosted network (for hybrid Azure AD Join you are required to assign a Azure network connection)
Now the next drop down menu is a important one, this has to do with overall performance to the CloudPC over the network, choose the region. In this case it’s (Europe) West Europe
Click next
Select image custom or gallery we will choose gallery click select and select the image you want to give the users in this region. In our case Windows 11
Click select
Click next
Select the preferred language and Region or country for your Cloud PCs. Your selection will be configured on this and any future Cloud PCs. We will select English (United States)
Now this is the part where we want to assign the created dynamic groups for West-Europe and click Next
Review all the settings and click Create
Final
Repeat this these steps for every region you would like to facilitate. We preferred to set the user settings to the same groups we created. This is it for all the magic to happen to getting user the best experience to the Windows 365 Cloudpc have lots of fun with it.