Do smarter provisioning of Cloud PCs

Those of you who attended my session at WP Ninja Summit 2023 will recognize this topic, we will today talk about how to utilize dynamic group to setup your provision policies for Windows 365, to localize the experiences for the user and providing a Cloud PC in the users local language.

This is a great way to tackle the challenge of having multiple  configurations based on were a user is located.


Setting up dynamic groups

There are as many ways to do this as there are IT pros, but I decided to make this easy and just look at three things for my groups, attributes that I know all my users have.

What I decided to look at is that:

  • The account is enabled
  • Usage location for the user is set to Sweden
  • And the country for the user is set to Sweden

That got me the following query for my dynamic group.

(user.accountEnabled -eq True) and (user.usageLocation -eq "SE") and (user. Country -eq "Sweden")

To create a new group, head to Groups in the Intune portal and create a new group by pressing “New group“.

Give your group a name, in my case I’ve called it “All users Sweden” since we will gather all Swedish users in this group. Also make sure to set “Membership type” to Dynamic User so that we can create a query to automatically populate the group based on user attributes.

Add your query to your group by pressing “Add dynamic query” and enter your rule. You can take my example and modify it if you like, copy the rule syntax above and press “Edit” on the rule syntax windows and paste it there. This will populate the fields for you, and you can modify them to suit your needs. Or create your own! Keep in mind that the usage location uses the two-letter country code e.g., Sweden is SE, Norway is NO, Netherlands is NL, USA is US.

Press Save when you have created, and validated, your rule and press Create.

We have now successfully created a dynamic group which will be populated with all active accounts which has their country and usage location set to Sweden.

Creating provisioning policies

Now that we have our groups, we want to put them to effective use. Let’s head into the Windows 365 pane in Microsoft Intune by navigating to Devices > Windows 365 and selecting the “Provisioning policies” tab. To create a new policy, click the “+ Create policy” button on the ribbon.

First off, as always, we will give our policy a name, in my case I’m giving it a name indicating that this is a Windows 11 image, EntraID joined and running on Microsoft hosted network. And this is for my Swedish users.

The next step is to select what kind of join type you will use and which network. In this example, I will use EntraID join and using the Microsoft hosted network. Since we in this case are mostly interested in having this in Europe but the language is the key, networking from a performance and latency perspective isn’t anymore that much of an issue. But please take into consideration what is best suited for you. There is a great tool called Azure Speed Test 2.0 which could help you find the most suitable one for you!

You can do this for Azure v-nets, but then you need to set the region stuff when setting up the Azure V-net. There is a limit to the amount of how many Azure Network Connections (ANC) you can define per tenant, you can find out more here. If you know that you have multiple locations and want to put the service as close as possible to the end-user, it’s much easier to use the Microsoft hosted network.

The next step is to select an image, I will go with a gallery Windows 11 image since this will reduce the amount of maintenance I need to do since Microsoft is curating the image. Press next when you have selected your image.

Next, we will configure language and region settings. Like I said, the ambition here is to provide the Windows 365 experience in the user’s local language. So, for this I will select Swedish for this policy.

To indicate from an administrator perspective while looking at the device in Intune that this is a Cloud PC for Swedish users, we will create a custom name. In this section, you can also choose to opt-in to Windows Autopatch straight away if you have this enabled in your tenant. If you do not wish to do so, just leave it to the default value. But since I have it activated in my tenant, I will add this as well and then press next.

The next step is to assign this policy to our group created in the first part. If you wish, you can add multiple groups to the same provisioning profile. But I only have one which will be used for this one, so I will select my group with all Swedish users and press next.

Final step is to review the settings we have selected and then press “Create“.

Conclusion and take aways

So why should we do this? Well, this will simplify your deployments in a multilanguage environment. For a Cloud PC to be provisioned the user needs two things, a provisioning policy and a license. Nothing will happen if you don’t have both these, but you can assign a provisioning policy without anything happening since, but if you assign a license and no provisioning policy Intune will try to provision a Cloud PC but it will fail.

By doing this, all your users get a provisioning policy so the only thing you need to care about is your licenses. Of course, if you have need for multiple setups, like some users on Azure Network Connections you need to tweak your groups a little. But you can still use the same concept, you just need to identify your rules for the groups. 

You could very well create PowerShell scripts to deploy profiles like this automatically, but since I’m really bad att creating those I haven’t explored that yet. But if you are a PowerShell magician, feel free to try! 


  • Ola Ström

    Ola Ström is a Microsoft MVP for Windows 365 from Sweden and he is one of the first expert contributors in this community. Make sure to follow him as he guides us in the world of Windows 365 and Microsoft Intune!

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *