IntuneCloudProvisioningPolicyWindows365
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Autopatch | Write | MSFT_MicrosoftGraphcloudPcProvisioningPolicyAutopatch | Indicates the Windows Autopatch settings for Cloud PCs using this provisioning policy. The settings take effect when the tenant enrolls in Autopatch and the managedType of the microsoftManagedDesktop property is set as starterManaged. | |
| AutopilotConfiguration | Write | MSFT_MicrosoftGraphcloudPcAutopilotConfiguration | The specific settings for Windows Autopilot that enable Windows 365 customers to experience it on Cloud PC. Supports $select. | |
| CloudPcNamingTemplate | Write | String | The template used to name Cloud PCs provisioned using this policy. The template can contain custom text and replacement tokens, including %USERNAME:x% and %RAND:x%, which represent the user's name and a randomly generated number, respectively. For example, CPC-%USERNAME:4%-%RAND:5% means that the name of the Cloud PC starts with CPC-, followed by a four-character username, a - character, and then five random characters. The total length of the text generated by the template can't exceed 15 characters. | |
| Description | Write | String | The provisioning policy description. | |
| DisplayName | Key | String | The display name for the provisioning policy. | |
| DomainJoinConfigurations | Write | MSFT_MicrosoftGraphcloudPcDomainJoinConfiguration[] | Specifies a list ordered by priority on how Cloud PCs join Microsoft Entra ID (Azure AD). Supports $select. | |
| EnableSingleSignOn | Write | Boolean | True if single sign-on can access the provisioned Cloud PC. False indicates that the provisioned Cloud PC doesn't support this feature. The default value is false. Windows 365 users can use single sign-on to authenticate to Microsoft Entra ID with passwordless options (for example, FIDO keys) to access their Cloud PC. Optional. | |
| ImageDisplayName | Write | String | The display name of the operating system image that is used for provisioning. For example, Windows 11 Preview + Microsoft 365 Apps 23H2 23H2. | |
| ImageId | Write | String | The unique identifier that represents an operating system image that is used for provisioning new Cloud PCs. The format for a gallery type image is: `{publisherName_offerName_skuName}`. Supported values for each of the parameters are: publisher: Microsoftwindowsdesktop; offer: windows-ent-cpc; sku: 21h1-ent-cpc-m365, 21h1-ent-cpc-os, 20h2-ent-cpc-m365, 20h2-ent-cpc-os, 20h1-ent-cpc-m365, 20h1-ent-cpc-os, 19h2-ent-cpc-m365, and 19h2-ent-cpc-os. | |
| ImageType | Write | String | The type of operating system image (custom or gallery) that is used for provisioning on Cloud PCs. Possible values are: gallery, custom. The default value is gallery. | gallery, custom |
| LocalAdminEnabled | Write | Boolean | When true, the local admin is enabled for Cloud PCs; false indicates that the local admin isn't enabled for Cloud PCs. The default value is false. | |
| ProvisioningType | Write | String | Specifies the type of licenses to be used when provisioning Cloud PCs using this policy. The possible values are dedicated, shared, sharedByUser, sharedByEntraGroup. The shared member is deprecated and will stop returning on April 30, 2027; going forward, use the sharedByUser member. For example, a dedicated service plan can be assigned to only one user and provision only one Cloud PC. The shared and sharedByUser plans require customers to purchase a shared service plan. Each shared license purchased can enable up to three Cloud PCs, with only one user signed in at a time. The sharedByEntraGroup plan also requires the purchase of a shared service plan. Each shared license under this plan can enable one Cloud PC, which is shared for the group according to the assignments of this policy. By default, the license type is dedicated if the provisioningType isn't specified when you create the cloudPcProvisioningPolicy. You can't change this property after the cloudPcProvisioningPolicy is created. | dedicated, shared, sharedByUser, sharedByEntraGroup, reserve |
| RoleScopeTagIds | Write | StringArray[] | The Role Scope Tag Ids | |
| UserExperienceType | Write | String | Specifies the type of cloud object the end user can access. Possible values are: cloudPc, cloudApp. cloudPc indicates that the end user can access the entire desktop. cloudApp indicates that the end user can only access apps published under this provisioning policy. The type can't be changed once the provisioning policy is created. If not specified during creation, the default value is cloudPc. When cloudApp is selected, the provisioningType must be sharedByEntraGroup. Cannot be changed after creation. | cloudPc, cloudApp |
| WindowsSetting | Write | MSFT_MicrosoftGraphcloudPcWindowsSetting | Indicates a specific Windows setting to configure during the creation of Cloud PCs for this provisioning policy. Supports $select. | |
| WindowsSettings | Write | MSFT_MicrosoftGraphcloudPcWindowsSettings | Specific Windows settings to configure during the creation of Cloud PCs for this provisioning policy. Supports $select. The windowsSettings property is deprecated and will stop returning data on January 31, 2024. Going forward, use the windowsSetting property. | |
| Id | Write | String | The unique identifier for an entity. Read-only. | |
| Assignments | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
| Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present, Absent |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |
MSFT_DeviceManagementConfigurationPolicyAssignments
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| dataType | Write | String | The type of the target assignment. | #microsoft.graph.cloudPcManagementGroupAssignmentTarget, #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget |
| deviceAndAppManagementAssignmentFilterType | Write | String | The type of filter of the target assignment, i.e. Exclude or Include. Possible values are: none, include, exclude. | none, include, exclude |
| deviceAndAppManagementAssignmentFilterId | Write | String | The Id of the filter for the target assignment. | |
| deviceAndAppManagementAssignmentFilterDisplayName | Write | String | The display name of the filter for the target assignment. | |
| groupId | Write | String | The group Id that is the target of the assignment. | |
| groupDisplayName | Write | String | The group Display Name that is the target of the assignment. | |
| collectionId | Write | String | The collection Id that is the target of the assignment. (ConfigMgr) | |
MSFT_MicrosoftGraphCloudPcProvisioningPolicyAutopatch
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| AutopatchGroupId | Write | String | The unique identifier (ID) of a Windows Autopatch group. An Autopatch group is a logical container or unit that groups several Microsoft Entra groups and software update policies. Devices with the same Autopatch group ID share unified software update management. The default value is null that indicates that no Autopatch group is associated with the provisioning policy. | |
| AutopatchGroupDisplayName | Write | String | The unique display name of a Windows Autopatch group. | |
MSFT_MicrosoftGraphCloudPcAutopilotConfiguration
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| ApplicationTimeoutInMinutes | Write | UInt32 | Indicates the number of minutes allowed for the Autopilot application to apply the device preparation profile (DPP) configurations to the device. If the Autopilot application doesn't finish within the specified time (applicationTimeoutInMinutes), the application error is added to the statusDetail property of the cloudPC object. The supported value is an integer between 10 and 360. Required. | |
| DevicePreparationProfileId | Write | String | The unique identifier (ID) of the Autopilot device preparation profile (DPP) that links a Windows Autopilot device preparation policy to ensure that devices are ready for users after provisioning. Required. | |
| OnFailureDeviceAccessDenied | Write | Boolean | Indicates whether the access to the device is allowed when the application of Autopilot device preparation profile (DPP) configurations fails or times out. If true, the status of the device is failed and the device is unable to access; otherwise, the status of the device is provisionedWithWarnings and the device is allowed to access. The default value is false. Required. | |
MSFT_MicrosoftGraphCloudPcDomainJoinConfiguration
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DomainJoinType | Write | String | Specifies the method by which the provisioned Cloud PC joins Microsoft Entra ID. If you choose the hybridAzureADJoin type, only provide a value for the onPremisesConnectionId property and leave the regionName property empty. If you choose the azureADJoin type, provide a value for either the onPremisesConnectionId or the regionName property. Possible values are: azureADJoin, hybridAzureADJoin. | azureADJoin, hybridAzureADJoin |
| OnPremisesConnectionId | Write | String | The Azure network connection ID that matches the virtual network IT admins want the provisioning policy to use when they create Cloud PCs. You can use this property in both domain join types: Azure AD joined or Hybrid Microsoft Entra joined. If you enter an onPremisesConnectionId, leave the regionName property empty. | |
| RegionGroup | Write | String | The logical geographic group this region belongs to. Multiple regions can belong to one region group. A customer can select a regionGroup when they provision a Cloud PC, and the Cloud PC is put in one of the regions in the group based on resource status. For example, the Europe region group contains the Northern Europe and Western Europe regions. | default, australia, canada, usCentral, usEast, usWest, france, germany, europeUnion, unitedKingdom, japan, asia, india, southAmerica, euap, usGovernment, usGovernmentDOD, norway, switzerland, southKorea, middleEast, mexico, australasia, europe |
| RegionName | Write | String | The supported Azure region where the IT admin wants the provisioning policy to create Cloud PCs. The underlying virtual network is created and managed by the Windows 365 service. This can only be entered if the IT admin chooses Microsoft Entra joined as the domain join type. If you enter a regionName, leave the onPremisesConnectionId property empty. For an automatic selection, choose 'Automatic'. | |
| Type | Write | String | Specifies the method by which the provisioned Cloud PC joins Microsoft Entra ID. If you choose the hybridAzureADJoin type, only provide a value for the onPremisesConnectionId property and leave regionName as empty. If you choose the azureADJoin type, provide a value for either onPremisesConnectionId or regionName. The possible values are: azureADJoin, hybridAzureADJoin. The type property is deprecated and will stop returning data on January 31, 2024. Going forward, use the domainJoinType property. | azureADJoin, hybridAzureADJoin |
MSFT_MicrosoftGraphMicrosoftManagedDesktop
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| ManagedType | Write | String | Indicates the provisioning policy associated with Microsoft Managed Desktop settings. Possible values are: notManaged, premiumManaged, standardManaged, starterManaged. The default value is notManaged. | notManaged, premiumManaged, standardManaged, starterManaged |
| Profile | Write | String | The name of the Microsoft Managed Desktop profile that the Windows 365 Cloud PC is associated with. | |
| Type | Write | String | Indicates whether the provisioning policy enables Microsoft Managed Desktop and, if enabled, specifies the type of plan managing the device. Possible values are: notManaged, premiumManaged, standardManaged, starterManaged. The type property is deprecated and will stop returning data on January 31, 2024. Going forward, use the managedType property. | notManaged, premiumManaged, standardManaged, starterManaged |
MSFT_MicrosoftGraphCloudPcWindowsSetting
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Locale | Write | String | The Windows language or region tag to use for language pack configuration and localization of the Cloud PC. The default value is en-US, which corresponds to English (United States). | |
MSFT_MicrosoftGraphCloudPcWindowsSettings
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Language | Write | String | The Windows language/region tag to use for language pack configuration and localization of the Cloud PC. The default value is en-US, which corresponds to English (United States). | |
Description
Intune Cloud Provisioning Policy for Windows 365
Please note: If you deploy an Intune Cloud Provisioning Policy for Windows 365 and opt to use Autopatch, you must use Credentials as the authentication method.
The Microsoft Graph API does not allow Service Principal authentication for Autopatch configuration.
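The constraints documented on this page (naming-template length, domain-join property combinations, the cloudApp and sharedByEntraGroup pairing, the Autopilot timeout range, and Credential authentication for Autopatch) can be checked offline before a configuration is compiled. The following is an added example, not part of Microsoft365DSC: `Test-CloudPcPolicyDefinition` is a hypothetical helper, and the sample hashtable with its placeholder ID is constructed.

```powershell
# Added example: Test-CloudPcPolicyDefinition is a hypothetical helper, not a Microsoft365DSC cmdlet.
function Test-CloudPcPolicyDefinition
{
    param([Parameter(Mandatory = $true)] [System.Collections.Hashtable] $Policy)
    $issues = [System.Collections.Generic.List[string]]::new()
    # Expand %USERNAME:x% and %RAND:x% to x characters and measure the generated name.
    if ($Policy.CloudPcNamingTemplate)
    {
        $expanded = [regex]::Replace($Policy.CloudPcNamingTemplate, '%(USERNAME|RAND):(\d+)%',
            { param($m) 'x' * [int]$m.Groups[2].Value })
        if ($expanded.Length -gt 15)
        {
            $issues.Add("CloudPcNamingTemplate generates $($expanded.Length) characters (maximum 15).")
        }
    }
    # hybridAzureADJoin: connection ID only. azureADJoin: connection ID or region name, not both.
    foreach ($join in $Policy.DomainJoinConfigurations)
    {
        $hasConnection = -not [string]::IsNullOrEmpty($join.OnPremisesConnectionId)
        $hasRegion = -not [string]::IsNullOrEmpty($join.RegionName)
        if ($join.DomainJoinType -eq 'hybridAzureADJoin' -and (-not $hasConnection -or $hasRegion))
        {
            $issues.Add('hybridAzureADJoin needs OnPremisesConnectionId and an empty RegionName.')
        }
        if ($join.DomainJoinType -eq 'azureADJoin' -and ($hasConnection -eq $hasRegion))
        {
            $issues.Add('azureADJoin needs exactly one of OnPremisesConnectionId or RegionName.')
        }
    }
    if ($Policy.UserExperienceType -eq 'cloudApp' -and $Policy.ProvisioningType -ne 'sharedByEntraGroup')
    {
        $issues.Add('UserExperienceType cloudApp requires ProvisioningType sharedByEntraGroup.')
    }
    # A missing timeout is $null, which compares as less than 10 and is reported as well.
    $timeout = $Policy.AutopilotConfiguration.ApplicationTimeoutInMinutes
    if ($Policy.AutopilotConfiguration -and ($timeout -lt 10 -or $timeout -gt 360))
    {
        $issues.Add('AutopilotConfiguration.ApplicationTimeoutInMinutes must be between 10 and 360.')
    }
    # The Graph API does not allow service principal authentication for Autopatch configuration.
    if ($Policy.Autopatch -and -not $Policy.Credential)
    {
        $issues.Add('Autopatch is configured: authenticate with Credential, not a service principal.')
    }
    return $issues
}

# Constructed sample input with a placeholder ID.
$sample = @{
    CloudPcNamingTemplate    = 'CPC-%USERNAME:8%-%RAND:5%'
    DomainJoinConfigurations = @(@{ DomainJoinType = 'hybridAzureADJoin'; RegionName = 'automatic' })
    Autopatch                = @{ AutopatchGroupId = '<autopatch-group-id>' }
}
Test-CloudPcPolicyDefinition -Policy $sample
```

Wrap the call in `@(...)` when counting findings, because a definition with no violations returns nothing.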
Permissions
Microsoft Graph
To authenticate with the Microsoft Graph API, this resource requires the following permissions:
Delegated permissions
- Read
    - CloudPC.Read.All, Group.Read.All
- Update
    - CloudPC.ReadWrite.All, Group.Read.All
Application permissions
- Read
    - CloudPC.Read.All, Group.Read.All
- Update
    - CloudPC.ReadWrite.All, Group.Read.All
Examples
Example 1
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        IntuneCloudProvisioningPolicyWindows365 "IntuneCloudProvisioningPolicyWindows365_1"
        {
            ApplicationId = $ApplicationId;
            Assignments = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = "#microsoft.graph.cloudPcManagementGroupAssignmentTarget"
                    groupId = "42a638ec-2bf2-47a8-8f5f-176ce2124b7b"
                }
            );
            Autopatch = MSFT_MicrosoftGraphCloudPcProvisioningPolicyAutopatch{
                AutopatchGroupId = "db2d8ac9-0697-4f04-a5cd-b3d230f31dc6"
            };
            CloudPcNamingTemplate = "CPC-%USERNAME:5%-%RAND:5%";
            Description = "";
            DisplayName = "IntuneCloudProvisioningPolicyWindows365_1";
            DomainJoinConfigurations = @(
                MSFT_MicrosoftGraphCloudPcDomainJoinConfiguration{
                    Type = "azureADJoin"
                    RegionName = "automatic"
                    DomainJoinType = "azureADJoin"
                    RegionGroup = "usCentral"
                }
            );
            EnableSingleSignOn = $True;
            Ensure = "Present";
            ImageDisplayName = "Windows 11 Enterprise 25H2";
            ImageId = "microsoftwindowsdesktop_windows-ent-cpc_win11-25h2-ent-cpc";
            ImageType = "gallery";
            ProvisioningType = "dedicated";
            RoleScopeTagIds = @("0");
            WindowsSetting = MSFT_MicrosoftGraphCloudPcWindowsSetting{
                Locale = "en-US"
            };
            WindowsSettings = MSFT_MicrosoftGraphCloudPcWindowsSettings{
                Language = "en-US"
            };
            CertificateThumbprint = $CertificateThumbprint;
            TenantId = $TenantId;
        }
    }
}
```
Example 2
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        IntuneCloudProvisioningPolicyWindows365 "IntuneCloudProvisioningPolicyWindows365_1"
        {
            ApplicationId = $ApplicationId;
            Assignments = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = "#microsoft.graph.cloudPcManagementGroupAssignmentTarget"
                    groupId = "42a638ec-2bf2-47a8-8f5f-176ce2124b7b"
                }
            );
            Autopatch = MSFT_MicrosoftGraphCloudPcProvisioningPolicyAutopatch{
                AutopatchGroupId = "db2d8ac9-0697-4f04-a5cd-b3d230f31dc6"
            };
            CloudPcNamingTemplate = "CPC-%USERNAME:5%-%RAND:5%";
            Description = "";
            DisplayName = "IntuneCloudProvisioningPolicyWindows365_1";
            DomainJoinConfigurations = @(
                MSFT_MicrosoftGraphCloudPcDomainJoinConfiguration{
                    Type = "azureADJoin"
                    RegionName = "automatic"
                    DomainJoinType = "azureADJoin"
                    RegionGroup = "europe" # Updated property
                }
            );
            EnableSingleSignOn = $True;
            Ensure = "Present";
            ImageDisplayName = "Windows 11 Enterprise 25H2";
            ImageId = "microsoftwindowsdesktop_windows-ent-cpc_win11-25h2-ent-cpc";
            ImageType = "gallery";
            ProvisioningType = "dedicated";
            RoleScopeTagIds = @("0");
            WindowsSetting = MSFT_MicrosoftGraphCloudPcWindowsSetting{
                Locale = "en-US"
            };
            WindowsSettings = MSFT_MicrosoftGraphCloudPcWindowsSettings{
                Language = "en-US"
            };
            CertificateThumbprint = $CertificateThumbprint;
            TenantId = $TenantId;
        }
    }
}
```
Example 3
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        IntuneCloudProvisioningPolicyWindows365 "IntuneCloudProvisioningPolicyWindows365_1"
        {
            ApplicationId = $ApplicationId;
            DisplayName = "IntuneCloudProvisioningPolicyWindows365_1";
            Ensure = "Absent";
            CertificateThumbprint = $CertificateThumbprint;
            TenantId = $TenantId;
        }
    }
}
```