It is essential that the Cloud PCs are kept compliant and updated. LAs will maintain the devices for their organisations’ Cloud PCs. Please access the below links on topics to review and best practice to follow.
Autopatch
Windows Autopatch is a Microsoft-Managed service that automates the deployment and management of updates for select Microsoft Products. LAs will need to review the requirement for their organisations.
Please refer to the Intune Operations Guide section 10 Autopatch where steps are detailed on how to adopt this feature.
Windows Update Rings
Update rings can be used to upgrade your W365 Cloud PCs in Intune.
Intune LAs have the option to use Centralised channels to apply a feature and quality update, however, they are unable to modify the settings. In the Intune Operations Guide, see section 8.7 for more information.
Feature Updates
Microsoft releases updates, LAs need to decide how this will be managed for their organisations. To support this please review the Intune Operations Guide section 4.8 Intune Feature Updates.
Re-Provisioning
Re-Provisioning the Cloud PC maybe required if the end-user experiences some corruption to their device. Before proceeding, LAs must ensure that the user’s data is backed up.
Reprovision a Cloud PC
This action reconfigures the Cloud PC by ‘re-building’ the device to a known configuration, effectively resetting it to its initial provisioning state. To note, user data and restore points are lost after reprovisioning. LA should check that users data is backed up before reprovisioning.
Gather Diagnostics
This action gathers diagnostic information from the Cloud PC for troubleshooting and support.
Defender Quick Scan
This action performs a quick scan for vulnerabilities on the Cloud PC endpoint for Windows Defender.
Defender Full Scan
This action conducts a comprehensive scan of the Cloud PC for malware and other threats.
Defender Security Intelligence
This action ensures that the Cloud PCs antivirus and malware definitions are up to date for enhanced security.
Pre-defined Scripts
These actions execute pre-defined scripts to fix common issues or apply specific configurations (if remediations are available for your organisation).
Run Remediation Script
By selecting “run remediation script”, a list of the different scripts that have been already configured will be displayed.
Security
User Access
All MFA-enabled users accessing a Cloud PC regardless of which model they are deploying will login using NHS.net accounts. The signed in account will authenticate to the Cloud PC and will be prompted for MFA authentication.
Securing Cloud PCs
Local Organisations managing their Cloud PCs will use the Intune Portal to manage configuration and security settings, please refer to links below for further guidance:
- How to manage Security and Compliance to protect Cloud PCs Security Baselines. LAs should check if existing policies conflict with local organisation requirements.
- How to manage Device Compliance – Device Compliance Policies section 4.7 Endpoint Security
- How to manage updates – Windows 11 Update Rings and Windows Autopatch.
LAs are encouraged to review Windows Baseline for NCSC. Existing Baselines can be used along with creating additional security configurations that local organisations require.
Refer to section 12.3 within the Intune LA guide, NCSC – Windows 10/11 Baseline Configurations. Guidance is provided.
If assistance is required where issues are encountered with settings that are used in the Centralised Model. The LA should raise a request via the Helpdesk Self-Service. To note, for the Delegated Model all configuration is carried out via the Intune Portal. Organisations should refer to the Intune Operations Guide to carry out key activities.
| Last Reviewed Date | 09/07/2024 |
