This post is all about Windows 10 in Cloud Configuration that Microsoft recently announced to help empower the IT Admin team of organizations to simplify, streamline and standardize the deployment and management of Windows 10 endpoints for users with focused or specific workflow needs.
Let’s begin.
Table of Contents
What is Windows 10 in Cloud Configuration?
You can consider Windows 10 in Cloud Configuration as a Microsoft recommended set of standard device configuration for cloud-first Windows 10 endpoints, intended to meet the simplified requirements of specific personas such as the frontline workers, remote workers, and other personas within the organization without compromising on the security and the Windows 10 experience.
It can be used to pre-configure new devices, or to repurpose existing hardware to extend its lifetime. It works on any Windows 10 Pro, Enterprise, or Education device, and can be deployed using Microsoft Endpoint Manager today without additional device purchases.
It further simplifies troubleshooting and device replacements the event of a fault or theft, due to the fact that every endpoint
- gets the same standard set of configurations, and
- is enabled with OneDrive Known Folder Redirection which makes restoring user files easy to the new device.
Check out this MS Tech Community post to know more about it.
Understanding use-case
In most organizations, you will find IT users such as the frontline workers, remote workers, and other personas with simplified needs, such as to use the Microsoft productivity apps for work, maybe some Line-of-Business apps and browsing the internet.
A heavily-configured and managed Windows 10 endpoint for such users add overhead to the IT Admin and Support team.
This is where Windows 10 in Cloud Configuration comes in, a standardized easy-to-manage set of configurations that can be applied to devices (new and existing) running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education deployed from Microsoft Endpoint Manager.
As Microsoft mentions, Windows 10 Cloud Configuration is perfectly suited for users who
- use devices that do not require complex settings configurations or custom agents.
- have no dependency on on-premises infrastructure to be successful in their role.
- use a focused set of apps curated by IT for their workflow needs, like email, Microsoft Teams, Microsoft Edge, and maybe a few essential line-of-business apps.
IT can deliver apps both directly from MEM and/or through desktop/app virtualization. Cloud Config works with any app that can run on a Windows 10 Pro, Enterprise, or Education device.
Licensing requirements
It is to be noted that Windows 10 in Cloud Configuration is NOT a new Windows 10 SKU or a new MS product in any sense, but only a set of standardized configurations to help easily deploy and manage Windows 10 endpoints for users with simplified needs.
Microsoft’s minimum recommendation is the use of Enterprise Mobility + Security E3 and Office 365 E3 with Windows 10 devices running Windows 10 Pro.
However, with Microsoft 365 E3 you can get a more complete experience since other than the services mentioned above, it also includes Windows 10 Enterprise license.
The bare minimums, if you are looking for individual licenses, are
- Azure Active Directory Premium P1
- Microsoft Intune
- Microsoft Teams
- OneDrive for Business
- Windows 10 Pro
How to use Microsoft Endpoint Manager to set up Windows 10 in Cloud Configuration
At the time of writing this, it requires a manual set of actions to set up Cloud Config from MEM as documented in the Setup and Overview guide.
Below are the list of task that needs to be performed:
- Create an Azure AD group
- Configure device enrollment
- Deploy a script to configure Known Folder Move and remove built-in apps
- Deploy apps
- Deploy endpoint security settings
- Configure Windows Update settings
- Deploy a Windows 10 compliance policy
- Additional optional configurations
You can follow the guide to get Cloud Config setup in your tenant. Microsoft will periodically update the guide with the latest guidance on recommended configurations.
Microsoft is continually looking at ways to improve on the experience to make it even easier to configure and deploy Windows 10 in Cloud Configuration. As such, a guided scenario being made available from the MEM portal in the near future may not be that far-fetched to think off.
Windows 10 Cloud Config Device Provisioning Options
Windows Autopilot user-driven enrollment (recommended)
For new devices, Microsoft’s recommendation is to register devices with Autopilot service to provide end-users with a streamlined device provisioning experience.
Autopilot enrollment coupled with Enrollment Status Page provides a consistent end-user experience by displaying a status page during device setup while cloud-config is fully applied.
Microsoft recommended Autopilot profile configuration
Bulk enrollment using a provisioning package
Alternate enrollment option which allows IT to provision Windows 10 endpoints by creating a provisioning package using the Windows Imaging and Configuration Designer tool.
For devices that are provisioned with a provisioning package, Microsoft recommends that IT verify that devices have settings and apps delivered before distributing devices to users.
Enrollment via Azure AD sign-in in the Out-of-box Experience (OOBE)
Another alternate enrollment option that allows users to enroll devices by simply signing in with their Azure AD accounts during OOBE. Requires MDM Auto-enrollment to be enabled in your environment.
Azure AD join makes the end-user account used for the Azure AD sign-in also the local admin account on the endpoint unless restricted otherwise (via Autopilot) and this is by design.
As such, for this enrollment method, Microsoft recommends configuring a custom profile using Microsoft Endpoint Manager to restrict local administrators on devices. Check Policy CSP – LocalUsersAndGroups – Windows Client Management
As mentioned in Microsoft notes, it is not required to wipe existing Windows 10 devices and start fresh to take advantage of Windows 10 in cloud config, but it is recommended since reset/re-enroll will remove all extraneous apps, user accounts, and files from the device for maximum performance. Enrolling the device in Windows Autopilot and performing a Windows Autopilot reset is the preferred method, but it is not required.
The End
Well that was all for today.
Do check my other blog posts on this site and if you like the content, do subscribe and be a follower!