Known issues: Windows 365 Enterprise and Frontline
The following items are known issues for Windows 365 Enterprise.
When you use Conditional Access, a user who signs in to a Cloud PC for the first time might trigger an impossible travel location alert.
Follow these steps to investigate risk and verify that the activity matches the expected behavior of the user, based on their physical location and the location of the Cloud PC.
Watermarking support is configured on session hosts and enforced by the Remote Desktop client. The settings for Watermarking support can be configured via Group Policy (GPO) or the Intune Settings Catalog. The default for the QR code embedded content setting doesn't allow administrators to look up device information from leaked images for Cloud PCs.
Ensure that the QR code embedded content setting is configured to Device ID either in the GPO or the Intune Settings Catalog for the Intune Configuration profile used to configure Watermarking support.
For more information, see Administrative template for Azure Virtual Desktop.
When non-local admin users sign in to a Cloud PC by using an iPad and the Microsoft Remote Desktop app, the Start menu and taskbar might be missing from the Windows 11 user interface.
Make sure that you have the latest version of the Remote Desktop client, which can be found from Remote Desktop clients for Remote Desktop Services and remote PCs.
In addition, you can sign in to the Cloud PC by using Windows 365.
Many devices registered with Active Directory might have a machine account password that is automatically updated. By default, these passwords are updated every 30 days. This automation applies to hybrid joined PCs but not Microsoft Entra Native PCs.
The machine account password is maintained on the Cloud PC. If the Cloud PC is restored to a point that has a previous password stored, the Cloud PC won't be able to sign in to the domain.
For more information, see Machine Account Password Process.
In a remote desktop session, when you select a position in a text file, the cursor in the Cloud PC is offset from the position you actually selected.
In high DPI mode, both the server and Cloud PC browser scale the cursor. This conflict results in an offset between the visible cursor position and the actual cursor focus.
Turn off high DPI mode.
Outlook only downloads one month of previous mail, which can't be changed in Outlook settings.
- Open Registry Editor.
- Remove the `syncwindowsetting` registry value under the path `HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Cached Mode`.
- Add the `syncwindowsetting` registry value with the value `1` under the path `HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Cached Mode`.
After you complete these steps, the default will be one month. However, the download period can then be changed in Outlook settings.
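The same registry change applied with PowerShell instead of Registry Editor, as an added example that is not part of the Windows 365 documentation. It assumes Outlook 16.0 paths as given above and that `syncwindowsetting` is a REG_DWORD (1 = one month); the `Get-SyncWindow` helper is ours.

```powershell
# Added example (not from the Windows 365 page): applies the Outlook sync-window
# workaround described above. Assumes Outlook 16.0 and that syncwindowsetting is
# a REG_DWORD where 1 = one month.
$policyPath = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Cached Mode'
$userPath   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Cached Mode'
$valueName  = 'syncwindowsetting'

# Helper (our own): returns the current value, or $null if key or value is absent.
function Get-SyncWindow {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue).$valueName
}

Write-Host "Before: policy=$(Get-SyncWindow $policyPath) user=$(Get-SyncWindow $userPath)"

# Step 1: remove the policy-enforced value so Outlook no longer locks the setting.
if ($null -ne (Get-SyncWindow $policyPath)) {
    Remove-ItemProperty -Path $policyPath -Name $valueName
}

# Step 2: set the user-level default to one month; Outlook settings can change it later.
if (-not (Test-Path $userPath)) { New-Item -Path $userPath -Force | Out-Null }
New-ItemProperty -Path $userPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

Write-Host "After:  policy=$(Get-SyncWindow $policyPath) user=$(Get-SyncWindow $userPath)"
```

Run it in the affected user's session, since both paths live under HKEY_CURRENT_USER.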
Upgrading an existing Cloud PC between release versions of Windows 10 to Windows 11 might cause the computer name to be changed to a name with a prefix of "pps" while leaving the Intune device name unchanged.
Find and manage the Cloud PC in Microsoft Intune by using the unchanged Intune device name, either through the Devices > All devices list or the Devices > Windows 365 > All Cloud PCs list.
Windows 365 provisioning failures might occur if both of the following conditions are met:
- The Desired State Configuration (DSC) extension isn't signed.
- The PowerShell Execution policy is set to AllSigned in the GPO.
To resolve the issue:
- Check if the Azure network connection (ANC) fails with the error "An internal error occurred. The virtual machine deployment timed out." If yes, review the related GPO.
- Check if the PowerShell Execution policy is set to AllSigned. If it is, either remove the GPO or reset the PowerShell Execution policy to Unrestricted.
- Retry the ANC health check. If the check succeeds, retry provisioning.
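A check for the AllSigned condition, as an added example that is not from the Windows 365 documentation. It relies on the fact that a GPO-delivered execution policy shows up in the MachinePolicy or UserPolicy scope of `Get-ExecutionPolicy -List`, where `Set-ExecutionPolicy` cannot override it.

```powershell
# Added example (not from the Windows 365 page): reports whether a GPO is forcing
# AllSigned, which blocks the unsigned DSC extension during provisioning.
# Policy-sourced scopes (MachinePolicy, UserPolicy) cannot be changed with
# Set-ExecutionPolicy; the GPO itself must be removed or changed.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table -AutoSize

$gpoAllSigned = $policies | Where-Object {
    (($_.Scope -eq 'MachinePolicy') -or ($_.Scope -eq 'UserPolicy')) -and
    ($_.ExecutionPolicy -eq 'AllSigned')
}

if ($gpoAllSigned) {
    foreach ($p in $gpoAllSigned) {
        Write-Warning ("AllSigned is enforced at scope {0} by Group Policy; remove that GPO setting or set it to Unrestricted, then retry the ANC health check." -f $p.Scope)
    }
} elseif ((Get-ExecutionPolicy) -eq 'AllSigned') {
    # Set locally rather than by GPO, so it can be reset on the machine itself.
    Write-Warning 'AllSigned is set locally; Set-ExecutionPolicy -Scope LocalMachine Unrestricted resets it.'
} else {
    Write-Host "Effective execution policy is $(Get-ExecutionPolicy); this is not the AllSigned provisioning blocker."
}
```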
The following device compliance settings report as Not applicable when being evaluated for a Cloud PC:
- Trusted Platform Module (TPM)
- Require encryption of data storage on device
The following device compliance settings might report as Not Compliant when being evaluated for a Cloud PC:
- Require BitLocker
- Require Secure Boot to be enabled on the device. Cloud PC support for the Secure boot functionality is now available to all customers.
To enable secure boot on the Cloud PC, see Reprovision the specific Cloud PC.
To remove the Not Compliant settings:
- Create a filter for all Cloud PCs.
- For any existing device compliance policies that both evaluate to a Cloud PC and contain either of the Not Compliant settings, use this new filter to exclude Cloud PCs from the policy assignment.
- Create a new device compliance policy without either of the Not Compliant settings and use this new filter to include Cloud PCs for the policy assignment.
When you enable single sign-on, a prompt appears to authenticate to Microsoft Entra ID and allow the Remote Desktop connection when launching a connection to a new Cloud PC. Microsoft Entra remembers up to 15 devices for 30 days before prompting again. If you see this dialog, select Yes to connect.
To prevent this dialog from appearing, you can create a preconsented device group. Follow the instructions to configure a target device group to get started.
To sign in through single sign-on, the remote desktop client requests an access token for the Microsoft Remote Desktop app in Microsoft Entra; a failure in that token request might be the cause of the failed connection.
Follow the steps in troubleshoot sign-in problems.
When single sign-on isn't used, users can see the Cloud PC lock screen and enter credentials to unlock their Windows session. However, when single sign-on is used, the Cloud PC fully disconnects the session so that:
- Users can use passwordless authentication to unlock their Cloud PC.
- Conditional Access policies and multifactor authentication can be enforced when unlocking the Cloud PC.
Single sign-on users aren't asked to reauthenticate to Microsoft Entra ID when connecting from an unmanaged device.
When you use single sign-on, all authentication behavior (including supported credential types and sign-in frequency) is driven through Microsoft Entra ID.
To enforce periodic reauthentication through Microsoft Entra ID, create a Conditional Access policy using the sign-in frequency control.
If you turn on the Use Devices preview setting in the Intune admin center, the Cloud PC performance (preview) tab, Cloud PCs with connection quality issues report, and Cloud PCs with low utilization report aren't on the Overview page.
Turn off the Use Devices preview toggle in the upper-right corner of the Devices > Overview page.
This issue might occur for Cloud PCs provisioned before July 2022 that use either:
- Microsoft Attack Surface Reduction rules (for example, Manage attack surface reduction settings with endpoint security policies in Microsoft Intune), or
- Third-party solutions that block the install language script execution during the post-provisioning process.
Cloud PCs provisioned after July 2022 don't encounter this issue.
Determine the root cause:
1. Search the Windows Event log. If the system shows the following reboot event (1074), continue to step 2.
   The process C:\WINDOWS\system32\wbem\wmiprvse.exe (<CPC Name>) has initiated the restart of computer <CPC Name> on behalf of user NT AUTHORITY\SYSTEM for the following reason: Application: Maintenance (Planned) Reason Code: 0x80040001 Shutdown Type: restart Comment: DSC is restarting the computer.
2. Run `Get-DscConfigurationStatus` in an elevated command window. If the result shows a reboot pending for a job, continue to step 3.
3. Run `Get-DscConfiguration` in an elevated command window. If the results show the DSC that installs the language, continue to the next section.
To stop the restart loop, try either of these options:
- Remove the Attack Surface Reduction policies or switch the policies to Audit mode, and then apply the new policies to the Cloud PC.
- In an elevated command window, run the following command to remove the pending DSC job: `Remove-DSCConfiguration -Stage Pending,Current,Previous -Verbose`
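The three root-cause steps above, scripted as an added example that is not part of the Windows 365 documentation. It assumes an elevated Windows PowerShell 5.1 session with the PSDesiredStateConfiguration module, and matches event 1074 on the comment text quoted above.

```powershell
# Added example (not from the Windows 365 page): automates the DSC restart-loop
# diagnosis. Run elevated; assumes PSDesiredStateConfiguration (Windows PowerShell 5.1).
$dscComment = 'DSC is restarting the computer'

# Step 1: find User32 restart events (ID 1074) whose message carries the DSC comment.
$restartEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$dscComment*" })
if ($restartEvents.Count -eq 0) {
    Write-Host 'No DSC-initiated restart events found; this is probably a different issue.'
    return
}
# Get-WinEvent returns newest first, so [0] is the most recent restart.
Write-Host ("Found {0} DSC restart event(s); most recent at {1}" -f $restartEvents.Count, $restartEvents[0].TimeCreated)

# Step 2: ask the Local Configuration Manager whether the last job still wants a reboot.
$status = Get-DscConfigurationStatus -ErrorAction SilentlyContinue
if ($status -and $status.RebootRequested) {
    Write-Host ("DSC job {0} (status {1}) has a reboot pending." -f $status.JobID, $status.Status)
} else {
    Write-Host 'No DSC reboot pending; the loop may already have cleared.'
    return
}

# Step 3: list the resources in the current configuration so the language-install
# resource can be identified before deciding to run Remove-DscConfiguration.
Get-DscConfiguration -ErrorAction SilentlyContinue |
    Select-Object ResourceId, ModuleName, ConfigurationName |
    Format-Table -AutoSize
```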
Some GCC High government customers whose resources are deployed to microsoft.us environments might encounter issues connecting to their Cloud PC using web clients or the Safari browser.
The issue occurs when the web client or the Safari browser blocks third-party cookies. Third-party cookies are cookies set by a domain other than the one you're visiting.
For GCC High customers with resources deployed to microsoft.us environments, the microsoft.us cookies are considered third-party cookies by the web client or the Safari browser. This is because the web client or Safari browser uses the Cloud PC's domain name, which is different from microsoft.us, to determine the first-party domain. If the web client or Safari browser blocks third-party cookies, it prevents the microsoft.us cookies from:
- Being stored.
- Being used for authentication and authorization.
As a result, you can't connect to your Cloud PC session.
Allow third-party cookies from microsoft.us in your web client settings, Safari browser settings, or Group Policy. This change lets the web client or Safari browser store and use the microsoft.us cookies to connect to your Cloud PC session.
Windows Security reports "Memory Integrity is off. Your device may be vulnerable."
In the Cloud PC's Windows Systems Information, you might also see that the Virtualization-based security (VBS) row shows Enabled but not running.
This issue can be caused when nested virtualization is turned on. When nested virtualization is turned on, it requires a running nested hypervisor, which inhibits Direct Memory Access (DMA) protections. DMA protections are required when running VBS.
Make sure that:
- Nested virtualization is turned off for the Cloud PC.
- Policies have VBS enabled with DMA protection.
Another option is to not require DMA protection for VBS, because nested virtualization and DMA protection are incompatible with each other.
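A status check for this condition, as an added example that is not from the Windows 365 documentation. It reads the Win32_DeviceGuard class (VBS status, whether Memory integrity is running, whether DMA protection is available and required) and treats the Hyper-V optional feature being enabled inside the Cloud PC as the sign that nested virtualization is on; run it elevated.

```powershell
# Added example (not from the Windows 365 page): checks the VBS / nested
# virtualization conflict described above. Run in an elevated session.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0 { 'Not enabled' }
    1 { 'Enabled but not running' }
    2 { 'Running' }
    default { 'Unknown' }
}

# SecurityServicesRunning contains 2 when HVCI (Memory integrity) is actually running.
$hvciRunning = $dg.SecurityServicesRunning -contains 2

# Property code 3 = DMA protection: "available" is what the platform offers,
# "required" is what policy demands of VBS.
$dmaAvailable = $dg.AvailableSecurityProperties -contains 3
$dmaRequired  = $dg.RequiredSecurityProperties -contains 3

# Nested virtualization on a Cloud PC means the Hyper-V role is enabled inside the VM.
$hyperV   = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
$nestedOn = ($null -ne $hyperV) -and ($hyperV.State -eq 'Enabled')

[pscustomobject]@{
    VbsStatus              = $vbsStatus
    MemoryIntegrityRunning = $hvciRunning
    DmaProtectionAvailable = $dmaAvailable
    DmaProtectionRequired  = $dmaRequired
    HyperVRoleEnabled      = $nestedOn
} | Format-List

if ($nestedOn -and $dmaRequired -and -not $hvciRunning) {
    Write-Warning 'Hyper-V is enabled, DMA protection is required by policy, and Memory integrity is not running: this matches the nested virtualization conflict above.'
}
```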
When screen capture protection is enabled, Microsoft Teams on Windows 365 Cloud PCs isn't enforcing screen capture protection.
Confirm that the WebRTC version is up-to-date.
Confirm that the screen capture protection policy is configured correctly to have the client and server selected:
- Sign in to the Microsoft Intune admin center, select Devices > Configuration, and then choose the policy.
- Under Configuration settings, select Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop, and then make sure the following is set:
  - Enable screen capture protection = Enable
  - Screen Capture Protection Options = Block screen capture on client and server
Windows 365 doesn't support nested security groups. If you apply a scope tag to the top of a nested security group, Cloud PCs in inner nested groups aren't assigned scope tags.
Apply the scope tag individually to each group in the nested security group.
The Windows 365 user interface and Graph API don't support the editing of scope tags for individual Cloud PCs.
Edit scope tags for individual Cloud PCs on Intune's All Devices blade to sync the scope tag associations to the Windows 365 service.
Scope tags applied to custom images can't be edited or directly added by top-level admins.
When scoped admins create custom images, those custom images are tagged with the same scope tags that are associated with the scoped admin.
For example, if an admin scoped with the scope tag "Scope Tag A" creates a custom image, the created custom image is automatically tagged with "Scope Tag A."
The May 21, 2024 updates for Cloud PC gallery images lack the WebRTC Redirector Service. Without this component, Teams media redirection doesn't work.
This applies to the following gallery images:
- Windows 11 23H2 with Microsoft 365 apps
- Windows 11 22H2 with Microsoft 365 apps
For newly provisioned Cloud PCs, verify that WebRTC is available. If it's not, you can use either of the following options:
- To add the WebRTC Redirector Service app to the list of apps to install by default onto Cloud PCs, follow the steps in Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune.
- To add the WebRTC Redirector Service app to an individual Cloud PC, follow the steps in Install the Remote Desktop WebRTC Redirector Service. To get the most up-to-date installer, use this link: https://aka.ms/msrdcwebrtcsvc/msi.
The following are issues for Windows 365 Frontline:
When a user performs the Reset action on a Frontline Cloud PC in shared mode, the Connect button is grayed out for around 90 seconds. During this time, users can't connect to another Frontline Cloud PC.
When a user is connected to a Frontline Cloud PC, the connect button in the Windows App remains blue and clickable. If the user selects connect, a new window opens and connects. The previous window remains open with a new connection notification dialog.