Scenario: You have employees or contractors you’ve given a Windows 365 license to, Intune is managing those cloud devices just fine, but you want to ensure access to them is validated often, and still have those Cloud PCs part of your device compliance evaluation which you set in Intune.

Part 1: Alterations to “Require Compliant Device”

In this example tenant, we have already required Windows and macOS devices to be marked as compliant, which is specified under Conditions. We want to exclude some Target resources so that Windows 365 login is allowed from a non-managed device:

Add these to your exclusions:

  • Azure Virtual Desktop
  • Microsoft Remote Desktop
  • Windows 365
  • Windows Cloud Login

Your end-user can now access their Windows 365 desktop via their personal machine without running into this issue:

Part 2: Validating the user, often

Your contractor can now access Windows 365, but that login session is stored in a persistent token on their personal device, meaning if their device is compromised, someone can click straight into the Cloud PC via the Windows 365 app without needing an additional sign-in. You should consider a session timeout policy for this one.

We create a new Conditional Access policy:

  1. We add the Windows 365 dependables to the Target resources:
  2. We modify session controls to suit our business needs:

(for ultra-sensitive, short-term contracts, Every time might be the best option for you)

That’s it.

You’ve made the exception to your normal device compliance policy to allow sign in to Windows 365 from any device, and you’ve added a periodic sign-in option to validate the user when logging in.
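As an added example (not from the original post), here are both policies from Part 1 and Part 2 expressed as Microsoft Graph conditionalAccessPolicy bodies, plus a check you can run over a policy export to confirm the exception and the sign-in frequency are actually in place. The app IDs are assumed to be the well-known first-party appIds of the four target resources; confirm them against Enterprise applications in your own tenant before relying on them.

```python
# Added example (not the post's code). App IDs are assumed to be the well-known first-party
# appIds for the four target resources; confirm them against Enterprise applications in your tenant.
WINDOWS_365_APPS = {
    "Azure Virtual Desktop": "9cdead84-a844-4324-93f2-b2e6bb768d07",
    "Microsoft Remote Desktop": "a4a365df-50f1-4397-bc59-1a1564b8bb9c",
    "Windows 365": "0af06dc6-e4b5-4f28-818e-e78e62d137a5",
    "Windows Cloud Login": "270efc09-cd0d-444b-a71f-39af4910ec45",
}
APP_IDS = sorted(WINDOWS_365_APPS.values())

def compliant_device_policy():
    """Part 1: compliant device required on Windows/macOS, with the Cloud PC apps excluded."""
    return {
        "displayName": "Require compliant device (Windows, macOS)", "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": APP_IDS},
            "platforms": {"includePlatforms": ["windows", "macOS"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }

def sign_in_frequency_policy(every_time=False, hours=1):
    """Part 2: periodic re-authentication scoped to the Cloud PC apps only."""
    sif = {"isEnabled": True, "authenticationType": "primaryAndSecondaryAuthentication"}
    if every_time:  # the 'Every time' option for short, sensitive contracts
        sif["frequencyInterval"] = "everyTime"
    else:
        sif.update({"frequencyInterval": "timeBased", "type": "hours", "value": hours})
    return {
        "displayName": "Windows 365 - sign-in frequency", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": APP_IDS}},
        "sessionControls": {"signInFrequency": sif},
    }

def find_gaps(policies):
    """Findings over exported policies: Cloud PC apps still behind a compliant-device grant, or no enabled sign-in frequency policy covering all four."""
    findings, sif_ok = [], False
    for p in (q for q in policies if q.get("state") == "enabled"):
        apps = p.get("conditions", {}).get("applications", {})
        inc, exc = set(apps.get("includeApplications", [])), set(apps.get("excludeApplications", []))
        hit = {n for n, i in WINDOWS_365_APPS.items() if ("All" in inc or i in inc) and i not in exc}
        if "compliantDevice" in p.get("grantControls", {}).get("builtInControls", []):
            findings += [f"{p.get('displayName')}: {n} still requires a compliant device" for n in sorted(hit)]
        sif = p.get("sessionControls", {}).get("signInFrequency", {})
        sif_ok = sif_ok or (bool(sif.get("isEnabled")) and hit == set(WINDOWS_365_APPS))
    if not sif_ok:
        findings.append("no enabled sign-in frequency policy covers all four Windows 365 resources")
    return findings
```

Feed `find_gaps` the `value` array from a GET on `/identity/conditionalAccess/policies`; an empty list means the exception from Part 1 and the re-authentication from Part 2 are both present.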

Further reading