Unlock Windows 365 Link Setup | Simplifying Intune & SSO!

Microsoft’s Windows 365 Link is a purpose-built device that makes accessing Windows 365 Cloud PCs simple and secure. If you’re an IT admin or tech enthusiast looking for a streamlined way to connect users to their Cloud PCs without the complexity of managing a full desktop locally, this post and video are for you. We’ll explore what Windows 365 Link is, why it matters, and walk through the steps to configure your environment and log in for the first time.

What is Windows 365 Link?

Windows 365 Link is not a traditional PC. It’s a lightweight, secure endpoint designed exclusively for connecting to Windows 365 Cloud PCs. Unlike a standard computer, you can’t install apps, run scripts, or store user data locally. This design reduces risk and simplifies management.

Windows 365 Link Device

Security is a major focus. The device includes Microsoft Defender’s endpoint detection and response sensor, TPM 2.0, Secure Boot, BitLocker drive encryption, and strict application control policies. There’s no local admin account, no local storage, and security baselines are enabled by default. These features make Windows 365 Link ideal for organizations prioritizing zero-trust principles.

Physically, the device is compact and portable. It offers one USB-C port, three USB-A ports, DisplayPort, HDMI, Ethernet, Wi-Fi 6E, and Bluetooth 5.3. It supports up to two 4K monitors, cameras, FIDO2 passkeys for passwordless authentication, and more. It’s well-equipped, though some users may wish for additional features like front-facing USB-C ports or support for Azure Virtual Desktop; Microsoft has positioned this device squarely for Windows 365 Cloud PCs.

Why Use Windows 365 Link?

Organizations adopting Cloud PCs often face challenges with secure access and device management. Windows 365 Link solves these by providing a locked-down endpoint that integrates seamlessly with Microsoft Intune and Entra ID. It reduces attack surfaces, simplifies compliance, and ensures users have a consistent experience without the overhead of managing local operating systems.

Configuring Windows 365 Link: High-Level Steps

Before starting, ensure you have elevated rights and an existing Cloud PC provisioned for the user. Here’s a detailed overview of the steps covered in the video.

Verify Windows 365 SSO

Single Sign-On (SSO) is required for Windows 365 Link. Use PowerShell in Azure Cloud Shell to confirm SSO is enabled for your tenant. The process of enabling SSO for Windows 365 is the same as for Azure Virtual Desktop (AVD). A video with a detailed walkthrough can be found here. This step ensures users can log in without repeated credential prompts, improving security and user experience.

Create a Dynamic Group for Cloud PCs

In Entra ID, create a dynamic device group that automatically includes all Windows 365 Cloud PCs. This group helps manage trusted devices and simplifies administration. By using dynamic membership rules, new Cloud PCs are added automatically, reducing manual effort.

Hide the Consent Prompt

By default, users see a consent prompt when connecting to a Cloud PC for the first time and every 30 days. To streamline the experience, configure settings so trusted devices skip this prompt. Use PowerShell commands to add the previously created dynamic group to the trusted devices list. This small change significantly improves usability.
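The verify, group and consent-prompt steps above as one script: an added example, not from the original post or video. It assumes the Microsoft Graph PowerShell modules are available and that the `<Cloud PC dynamic group object ID>` placeholder is replaced with your group's object ID; the two AppIds are the Microsoft Remote Desktop and Windows Cloud Login applications as listed in Microsoft's SSO documentation.

```powershell
# Added example. Placeholder (assumption): object ID of your dynamic Cloud PC group.
$GroupId = '<Cloud PC dynamic group object ID>'

Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Application.Read.All', 'Group.Read.All',
    'Application-RemoteDesktopConfig.ReadWrite.All'

# Review what is about to be trusted: it should be a dynamic group scoped to Cloud PCs.
$group = Get-MgGroup -GroupId $GroupId -Property Id, DisplayName, GroupTypes, MembershipRule
if ($group.GroupTypes -notcontains 'DynamicMembership') {
    throw "Group '$($group.DisplayName)' is not dynamic; refusing to trust it."
}
Write-Output "Membership rule: $($group.MembershipRule)"

# First-party apps used for Cloud PC sign-in (AppIds from Microsoft's SSO documentation).
$apps = [ordered]@{
    'Microsoft Remote Desktop' = 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'
    'Windows Cloud Login'      = '270efc09-cd0d-444b-a71f-39af4910ec45'
}

foreach ($name in $apps.Keys) {
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$($apps[$name])'"
    if (-not $sp) { Write-Warning "[$name] service principal not found in this tenant"; continue }

    # Step 1 (read-only): verify SSO, i.e. Entra ID authentication for RDP, is enabled.
    $cfg = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id
    if (-not $cfg.IsRemoteDesktopProtocolEnabled) {
        Write-Warning "[$name] SSO is not enabled; enable it before trusting any group"
        continue
    }

    # Step 2 (idempotent): add the group to the trusted devices list only if it is missing.
    $trusted = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $sp.Id
    if ($trusted.Id -contains $GroupId) {
        Write-Output "[$name] group already trusted"
    } else {
        $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
        $tdg.Id = $group.Id
        $tdg.DisplayName = $group.DisplayName
        New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $sp.Id -BodyParameter $tdg | Out-Null
        Write-Output "[$name] group added to trusted devices"
    }
}
```

Trusting a group suppresses the consent prompt for every device in it, so keep the membership rule limited to Cloud PCs and review the printed rule before relying on it.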

Enable Automatic Intune Enrollment

Windows 365 Link devices must be enrolled in Intune to be managed. Verify that users have rights to auto-enroll devices. Check enrollment settings in the Entra Admin Center under Mobility. Ensure the correct scope is applied, either all users or specific groups. Misconfigured enrollment can block device setup, so this step is critical.

Create an Intune Filter (Optional)

Filters in Intune allow you to target policies to specific device types. Create a filter for Windows 365 Link devices using the operating system SKU property. This is optional but useful for applying conditional access or compliance policies tailored to these devices.

Enable SSO in the Provisioning Policy

SSO must be enabled on the Cloud PCs for them to be used with Windows 365 Link. Enable SSO in the Cloud PC provisioning policy. This ensures new or reprovisioned Cloud PCs support seamless sign-in. Existing Cloud PCs won’t be updated automatically, so plan accordingly if you need this feature across your environment.

Logging Into Windows 365 Link

Once the prerequisites are complete, power on the device and connect to the network. Accept the license agreement, sign in with a user account that has the correct licenses and permissions, and let the device enroll in Intune. The first login may take some time while the user profile is created. This is normal and only happens at the first login. Subsequent logins are much faster.

During the demo, the device connected to Wi-Fi, accepted the license agreement, and signed in with an account licensed for Windows 365 and configured for auto-enrollment. After setup, the user accessed the Cloud PC desktop. Restarting the device showed a streamlined login experience, confirming the configuration worked as expected.

Why This Matters

Windows 365 Link simplifies secure access to Cloud PCs without the complexity of managing a full operating system locally. With Intune integration, Entra ID for identity, and Windows 11 security features, it’s a great solution for organizations looking to streamline remote work and reduce risk.

Links:

Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4

A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969

Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3

Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E

Video: Discover the Power of AVD SSO: What You Must Know!

Windows 365 Link deployment
https://learn.microsoft.com/en-us/windows-365/link/deployment-overview?WT.mc_id=AZ-MVP-5004159

Create a dynamic device group containing your Cloud PCs
https://learn.microsoft.com/en-us/windows-365/enterprise/create-dynamic-device-group-all-cloudpcs?WT.mc_id=AZ-MVP-5004159

PowerShell Commands
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on?WT.mc_id=AZ-MVP-5004159#hide-the-consent-prompt-dialog

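Get command used to verify SSO ($WCLspId holds the object ID of the Windows Cloud Login service principal):

$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId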
