Thursday, January 2, 2025

VMware Horizon on Microsoft Azure

 VMware Horizon on Microsoft Azure is a cloud-based virtual desktop infrastructure (VDI) solution that enables organizations to deploy, manage, and scale virtual desktops and applications on Microsoft Azure. It combines VMware's industry-leading Horizon platform with the flexibility, scalability, and global reach of Azure.

This solution allows businesses to securely deliver virtual desktops and applications to users from Azure regions worldwide, reducing the need for on-premises infrastructure. With features like cloud bursting, hybrid deployments, and integration with VMware Cloud Universal, it provides a seamless experience for end users while simplifying IT management.

Key benefits include:

  • Scalability: Quickly expand or reduce desktop capacity based on business needs.
  • Security: Leverages Azure security features and VMware’s built-in policies.
  • Flexibility: Supports hybrid and multi-cloud deployments.
  • Cost Optimization: Pay-as-you-go pricing and efficient resource utilization.

VMware Horizon on Azure is ideal for organizations looking to modernize their workspace while maintaining control, security, and performance.






Thant Zin Phyo@Cracky (MCT, MCE, MVP)




Monday, September 23, 2024

Custom images

You can use custom images (also referred to as golden images) if desired. To do so, you need to preload your images via Azure as a Managed Image or through the Shared Image Gallery. To learn more about creating custom images with Windows 365, see https://learn.microsoft.com/en-us/windows-365/enterprise/add-device-images.

To get the benefits of modern management, like simple and unified management options, we strongly recommend using the gallery images included in Windows 365 and using Intune to install applications. While in VDI, you may have updated your image on a weekly basis, using a gallery image eliminates the challenge of repeatedly updating your custom image whenever a single component changes. All images will be updated monthly by Microsoft on Patch Tuesday. We recommend customers use Windows Autopatch to simplify Windows Updates in conjunction with Windows 365.



Figure : Selecting Windows 365 images

Thant Zin Phyo@Cracky (MCT, MCE, MVP)

Friday, September 20, 2024

The transition to modern management with Microsoft Intune

Microsoft Intune is an integrated solution that simplifies management across multiple OSs, cloud, on-premises, mobile, desktop, and virtualized endpoints including Cloud PCs, and it lowers the Total Cost of Ownership (TCO). It empowers organizations to provide data protection and endpoint compliance that supports a Zero-Trust security model. This unified management tool brings together device visibility, endpoint security, and data-driven insights to increase IT efficiency and improve user experiences in any work environment.


Figure : The path to modern IT

Thant Zin Phyo@Cracky (MCT, MCE, MVP)

Saturday, September 14, 2024

Microsoft Intune device limit restrictions for Windows

In this article, we will learn how to configure device limit restrictions. Let’s get started.

To configure the enrollment restriction for Windows, follow these steps:

1.  In the Microsoft Intune admin center, go to Home | Devices | Windows | Windows Enrollment | Device limit restriction and Create restriction:

•  Name: Enter Device limit restriction – HR


 Figure : Microsoft Intune admin center – Device limit restriction

2. You can set Device limit to a number from 1 to 15. The default in Microsoft Intune is a limit of 5:


Figure : Microsoft Intune admin center – Device limit restriction

3. For the Assignments step, select HR Department.

When you are creating a custom enrollment restriction, you can scope it to apply to specific user groups in your organization, departments, countries, and so on:


Figure: Microsoft Intune admin center – Device limit restriction – Assignments

4. In the following screenshot, you can see an overview of the default device limit restrictions.


Figure : Microsoft Intune admin center – Enrollment restriction – an overview

If you have restricted personal enrollment, your end users will be met with the Something went wrong screen if the devices are Entra joined and the devices are not in the Windows Autopilot service:


Figure : Windows 11 – an OOBE error

In the Something went wrong screenshot, note the error code 80180014; this means that you are blocked from MDM enrolling your devices. However, as you have configured automatic MDM enrolment for your devices, Intune enrolment restriction will cover you here and ensure that your end users are only able to enrol corporate-owned Windows devices. If the error message came from Entra ID when joining the device, it would have been a different message.

Thant Zin Phyo@Cracky (MCT, MCE, MVP)

Tuesday, September 10, 2024

Microsoft Intune device restrictions for Windows

 In this article, we will see how to create enrollment restrictions for Windows devices:

1.  Sign in to the Microsoft Intune admin center (intune.microsoft.com). 

2.  Select Devices | Enrollment device platform restrictions:


Figure : Admin center – Enrollment device platform restrictions

3.  Create a restriction. Enter Device type restriction – HR as the name:


Figure : Admin center – enrollment restrictions

4.  For both Windows (MDM) and personally owned devices, select Allow or Block to allow or block Windows enrollment.

If you are allowing Windows (MDM) platform enrollment, you can block personal devices; see the following section to understand what blocking personal Windows devices means.

The allowed min/max range for the OS version only blocks devices at enrollment and has no effect on devices already enrolled in Microsoft Intune; enrollment restrictions are only validated at enrollment.


Figure : Command Prompt – ver

5. For the Assignments step, select HR Department.

When you are creating a custom enrollment restriction, you can scope it to apply to specific user groups in your organization, departments, countries, and so on.

Change the assignment settings to filter, based on the restrictions you want to apply, so that specific groups are prevented from enrolling into Intune MDM:


Figure : Admin center – enrollment restrictions – Assignments

6. In the following screenshot, you can see an overview of the default device type restrictions:


Figure : Admin center – Windows restrictions
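The device type restriction from this post and the device limit restriction from the previous post can also be reviewed outside the portal. The following is an added example, not part of the original posts: it audits restriction objects in the shape Microsoft Graph returns for deviceEnrollmentConfigurations. The function name, the `ExpectedLimit` baseline and the sample objects are constructed for illustration.

```powershell
# Added example: audit Intune enrollment restrictions (sample data is constructed).
function Test-EnrollmentRestriction {
    param(
        [Parameter(Mandatory)][object[]]$Configs,
        [int]$ExpectedLimit = 5   # hypothetical baseline; 5 is the Intune default
    )
    foreach ($c in $Configs) {
        switch ($c.'@odata.type') {
            '#microsoft.graph.deviceEnrollmentLimitConfiguration' {
                # The portal accepts a device limit from 1 to 15.
                $finding = if ($c.limit -lt 1 -or $c.limit -gt 15) { 'Outside the 1-15 range' }
                    elseif ($c.limit -gt $ExpectedLimit) { "Above baseline of $ExpectedLimit" }
                    else { 'OK' }
                [pscustomobject]@{ Name = $c.displayName; Kind = 'DeviceLimit'
                                   Setting = "limit=$($c.limit)"; Finding = $finding }
            }
            '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
                $w = $c.windowsRestriction
                $finding = if ($w.platformBlocked) { 'Windows (MDM) enrollment blocked' }
                    elseif (-not $w.personalDeviceEnrollmentBlocked) { 'Personal Windows devices can enroll' }
                    else { 'OK: corporate-owned only' }
                # OS version bounds are evaluated at enrollment time only.
                $setting = "personalBlocked=$($w.personalDeviceEnrollmentBlocked); " +
                           "min=$($w.osMinimumVersion); max=$($w.osMaximumVersion)"
                [pscustomobject]@{ Name = $c.displayName; Kind = 'WindowsPlatform'
                                   Setting = $setting; Finding = $finding }
            }
        }
    }
}

# Constructed sample so the audit runs offline.
$sample = @(
    [pscustomobject]@{ '@odata.type' = '#microsoft.graph.deviceEnrollmentLimitConfiguration'
                       displayName = 'Device limit restriction - HR'; limit = 8 }
    [pscustomobject]@{ '@odata.type' = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
                       displayName = 'Device type restriction - HR'
                       windowsRestriction = [pscustomobject]@{ platformBlocked = $false
                           personalDeviceEnrollmentBlocked = $false
                           osMinimumVersion = '10.0.19045'; osMaximumVersion = '' } }
)
Test-EnrollmentRestriction -Configs $sample | Format-Table -AutoSize

# Live tenant (Microsoft.Graph.Authentication module):
# Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'
# $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
# Test-EnrollmentRestriction -Configs (Invoke-MgGraphRequest -Method GET -Uri $uri).value
```

With the sample data, the limit of 8 is reported as above the baseline and the device type restriction is flagged because personal Windows devices can still enroll.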

Thant Zin Phyo@Cracky (MCT, MCE, MVP)

Saturday, September 7, 2024

Using Azure Virtual Desktop with Microsoft Intune

The following steps are not needed within Windows 365, as the enrolment into Intune happens automatically. Also, make sure that you have followed the previous step (setting MDM user scope to All and MAM user scope to None) before continuing.

Prerequisites:

•  Running Windows 10 Enterprise, version 1809 or later, or running Windows 11.

•  Set up personal remote desktops in Azure.

•  Microsoft Entra hybrid joined and enrolled in Intune using one of the following methods:

            •  Configure Active Directory group policy to automatically enrol devices that are Microsoft Entra hybrid joined.

            •  Configuration Manager co-management.

            •  User self-enrollment via Microsoft Entra join.

            •  Microsoft Entra joined and enrolled in Intune by enabling Enroll the VM with Intune in the Azure portal.

Keep in mind that the following Windows 10 desktop device remote actions aren’t supported/recommended for Azure Virtual Desktop virtual machines:

•  Autopilot reset

•  BitLocker key rotation 

•  Fresh start

•  Remote lock

•  Reset password

•  Wipe and Retire

Deleting VMs from Azure leaves orphaned device records in Intune. They’ll be automatically cleaned up if the built-in cleanup rules are configured for the tenant.

Let’s get started configuring the GPO that configures automatic MDM enrolment for Hybrid Entra joined devices with a device token:

1.  Log on to your session host.

2.  Open Local Computer Policy and click Administrative Templates | Windows Components | MDM:


Figure : Local group policy – MDM

3. Set the policy to Enabled.

4. Set the credential type to Device Credential:



Figure : Local group policy – MDM

5.  Confirm the MDM enrollment of your session hosts into Entra, which should look like the following examples:

Figure : Admin center – all Windows devices
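One way to check steps 3 to 5 from the session host itself, as an added example that is not part of the original post. It assumes the MDM policy is backed by the `AutoEnrollMDM` and `UseAADCredentialType` registry values under the key shown (2 meaning Device Credential); the function names and the sample input are constructed for illustration.

```powershell
# Added example, not from the original post. Assumption: the MDM GPO writes
# AutoEnrollMDM and UseAADCredentialType (1 = User, 2 = Device) under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# Turn "  Name : Value" lines from dsregcmd /status into a hashtable.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

# Combine policy values and join state into one readiness verdict.
function Test-MdmAutoEnroll {
    param($Policy, [hashtable]$Dsreg)
    $credentialNames = @{ 1 = 'User Credential'; 2 = 'Device Credential' }
    $result = [pscustomobject]@{
        PolicyEnabled  = ($Policy.AutoEnrollMDM -eq 1)
        CredentialType = $credentialNames[[int]$Policy.UseAADCredentialType]
        HybridJoined   = ($Dsreg['AzureAdJoined'] -eq 'YES' -and $Dsreg['DomainJoined'] -eq 'YES')
        MdmUrlKnown    = [bool]$Dsreg['MdmUrl']   # empty when the user is outside the MDM user scope
    }
    $ready = $result.PolicyEnabled -and $result.CredentialType -eq 'Device Credential' -and
             $result.HybridJoined -and $result.MdmUrlKnown
    $result | Add-Member -NotePropertyName ReadyForAutoEnroll -NotePropertyValue $ready -PassThru
}

# Constructed sample so the check runs offline.
$policy = [pscustomobject]@{ AutoEnrollMDM = 1; UseAADCredentialType = 2 }
$dsreg  = ConvertFrom-DsregStatus @(
    '             AzureAdJoined : YES'
    '              DomainJoined : YES'
    '                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
)
Test-MdmAutoEnroll -Policy $policy -Dsreg $dsreg

# On a real session host, replace the sample with live data:
# $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
# $dsreg  = ConvertFrom-DsregStatus (dsregcmd.exe /status)
```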

Thant Zin Phyo@Cracky (MCT, MCE, MVP)

Tuesday, September 3, 2024

Enabling Windows automatic enrollment

 Automatic MDM enrolment means when a Windows device joins Entra, the device will automatically be enrolled into Intune with the MDM enrollment flow.

To configure automatic Windows enrollment, follow these steps:

1.  In the Microsoft Intune admin center, go to Devices | Windows | Windows enrollment followed by Automatic Enrollment:

Figure : Microsoft Intune admin center – Windows automatic MDM enrollment

User enrollment can also be scoped to a group of users, if all your users have an Intune license assigned. The best option is to leverage Intune enrollment restriction to configure which Windows devices a user can enroll.

2.  Make sure to select All for MDM user scope:
Figure : Microsoft Intune admin center – MDM user scope

Here’s what all the options for MDM user scope mean:
            •  None: MDM automatic enrollment is disabled.
            •  Some: Select the groups that can automatically enroll their Windows devices. 
            •  All: All users can automatically enroll their Windows devices.

For Windows Bring Your Own Device (BYOD) devices (personal enrollment), the Mobile Application Management (MAM) user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users).

The Windows Information Protection without enrollment scenario in Microsoft Intune is no longer supported, and you are not able to create a new policy for that scenario.

If you encounter a warning like this:


Figure : Microsoft Intune admin center – Automatic MDM enrollment

It means that you do not have an active Entra ID Premium subscription in your tenant.
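The MDM and MAM user scope precedence described above is easy to miss when the two scopes target different groups. The following added example, which is not part of the original post, reports where the scopes overlap. The object shape (`appliesTo` with `none`, `selected` or `all`, plus `includedGroups`) is an assumption modelled on the Microsoft Graph beta mobility management policy resources, and the group names are constructed.

```powershell
# Added example: find where MDM and MAM user scopes overlap (sample data is constructed).
$precedence = 'MAM user scope takes precedence on personal (BYOD) Windows devices'

function Get-EnrollmentScopeOverlap {
    param([Parameter(Mandatory)]$Mdm, [Parameter(Mandatory)]$Mam)

    if ($Mdm.appliesTo -eq 'none') { return 'MDM user scope is None: automatic enrollment is disabled' }
    if ($Mam.appliesTo -eq 'none') { return 'No overlap: MDM automatic enrollment applies' }
    if ($Mdm.appliesTo -eq 'all' -and $Mam.appliesTo -eq 'all') {
        return "Overlap for all users: $precedence"
    }

    # At least one side is 'selected': the overlap is the groups present in both scopes.
    # Nested group membership is not resolved here.
    $shared = if ($Mdm.appliesTo -eq 'all') {
        $Mam.includedGroups
    } elseif ($Mam.appliesTo -eq 'all') {
        $Mdm.includedGroups
    } else {
        $Mdm.includedGroups | Where-Object { $Mam.includedGroups -contains $_ }
    }

    if ($shared) { "Overlap for groups: $($shared -join ', '). $precedence" }
    else { 'No overlap: the scopes target different groups' }
}

# Constructed sample: MDM scoped to two groups, MAM scoped to one of them.
$mdm = [pscustomobject]@{ appliesTo = 'selected'; includedGroups = @('HR Department', 'Finance') }
$mam = [pscustomobject]@{ appliesTo = 'selected'; includedGroups = @('HR Department') }
Get-EnrollmentScopeOverlap -Mdm $mdm -Mam $mam
```

For the sample, the function reports an overlap for HR Department, so personal Windows devices for those users follow the MAM scope rather than automatic MDM enrollment.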

Thant Zin Phyo@Cracky (MCT, MCE, MVP)