Deploying Cloud PCs in different regions

Windows 365 and Cloud PCs are as you know PCs running in Azure somewhere. But what if you want to control this “somewhere” and pinpoint the region they are running in? You might have noticed that spinning up a Cloud PC in e.g., Western Europe gives you Google and all web-based things in Dutch. This isn’t too convenient for the end-users who doesn’t speak Dutch. So, let’s try to address that and give a more “local” experience.

I’m thinking of putting users in a Windows 365 region as close as possible to them, hopefully even within the same country. And to top it off, let’s provide them with a Windows experience in their local language, just for the sake of it.

How can we achieve this?

Well, we need two things, we need a provisioning profile per country and an Azure AD group which has been populated with users for each country. The region selected in the network for Windows 365 decides in which region the Cloud PC is hosted.

Setting up Azure AD groups

There are as many ways to do this as there are IT pros, but I decided to make this easy and just look at three things for my groups, attributes that I know all my users have.

What I decided to look at is that:

  • The account is enabled
  • Usage location for the user is set to Sweden
  • And the country for the user is set to Sweden

That got me the following query for my dynamic group.

(user.accountEnabled -eq True) and (user.usageLocation -eq "SE") and (user. Country -eq "Sweden")

To create a new group, head to Groups in the Intune portal and create a new group by pressing “New group“.

Give your group a name, in my case I’ve called it “All users Sweden” since we will gather all Swedish users in this group. Also make sure to set “Membership type” to Dynamic User so that we can create a query to automatically populate the group based on user attributes.

Add your query to your group by pressing “Add dynamic query” and enter your rule. You can take my example and modify it if you like, copy the rule syntax above and press “Edit” on the rule syntax windows and paste it there. This will populate the fields for you, and you can modify them to suit your needs. Or create your own! Keep in mind that the usage location uses the two-letter country code e.g., Sweden is SE, Norway is NO, Netherlands is NL, USA is US.

Press Save when you have created, and validated, your rule and press Create.

We have now successfully created a dynamic group which will be populated with all active accounts which has their country and usage location set to Sweden.

Creating provisioning policies

Now that we have our groups, we want to put them to effective use. Let’s head into the Windows 365 pane in Microsoft Intune by navigating to Devices > Windows 365 and selecting the “Provisioning policies” tab. To create a new policy, click the “+ Create policy” button on the ribbon.

First off, as always, we will give our policy a name, in my case I’m giving it a name indicating that this is a Windows 11 image, Azure AD joined and running on Microsoft hosted network. And this is for my Swedish users.

The next step is to select what kind of join type you will use and which network. In this example, I will use Azure AD join and using the Microsoft hosted network. The dreadful thing about using Sweden as an example here is that we don’t have Windows 365 in Sweden Central, so we will use the next best thing. Norway East!

You can do this for Azure v-nets, but then you need to set the region stuff when setting up the Azure v-net. There is a limit to the amount of how many Azure Network Connections (ANC) you can define per tenant, you can find out more here. If you know that you have multiple locations and want to put the service as close as possible to the end-user, it’s much easier to use the Microsoft hosted network.

The next step is to select an image, I will go with a gallery Windows 11 image since this will reduce the amount of maintenance I need to do since Microsoft is curating the image. Press next when you have selected your image.

Next, we will configure language and region settings. Like I said, the ambition here is to provide the Windows 365 experience in the user’s local language. So, for this I will select Swedish for this policy.

In this section, you can also choose to opt-in to Windows Autopatch straight away if you have this enabled in your tenant. If you do not wish to do so, just leave it to the default value. But since I have it activated in my tenant, I will add this as well and then press next.

The next step is to assign this policy to our group created in the first part. If you wish, you can add multiple groups to the same provisioning profile. But I only have one which will be used for this one, so I will select my group with all Swedish users and press next.

Final step is to review the settings we have selected and then press “Create“.

Conclusion

Now when a Windows 365 license is assigned to a user, their Cloud PC will be provisioned in the region based on which provisioning policy they are assigned to using our dynamic Azure AD group.

The groups don’t need to be dynamic and you could just as easily accomplish this using assigned groups. Also, you could utilize this setup to also include e.g., your developers who need access to a specific Azure v-net for example. In this case you would have provisioning profiles connected to those networks instead of the Microsoft hosted network, giving those users access to that network.

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.