Known issues: Windows 365 Enterprise and Frontline

The following items are known issues for Windows 365 Enterprise.

First-time Cloud PC sign-in triggers Impossible Travel Location alert

When you use Conditional Access, a user who signs in to a Cloud PC for the first time might trigger an impossible travel location alert.

Solution

Follow these steps to investigate risk and verify that the activity matches the expected behavior of the user, based on their physical location and the location of the Cloud PC.

Watermarking support in Windows 365

Watermarking support is configured on session hosts and enforced by the Remote Desktop client. The settings for Watermarking support can be configured via Group Policy (GPO) or the Intune Settings Catalog. The default for the QR code embedded content setting doesn't allow administrators to look up device information from leaked images for Cloud PCs.

Solution

Ensure that the QR code embedded content setting is configured to Device ID either in the GPO or the Intune Settings Catalog for the Intune Configuration profile used to configure Watermarking support.

For more information, see Administrative template for Azure Virtual Desktop.

Missing Start menu and taskbar when using iPad and the Remote Desktop app to access a Cloud PC

When non-local admin users sign in to a Cloud PC by using an iPad and the Microsoft Remote Desktop app, the Start menu and taskbar might be missing from the Windows 11 user interface.

Solution

Make sure that you have the latest version of the Remote Desktop client, which can be found from Remote Desktop clients for Remote Desktop Services and remote PCs.

In addition, you can sign in to the Cloud PC by using Windows 365.

Restore and automatic rolling credentials

Many devices registered with Active Directory might have a machine account password that is automatically updated. By default, these passwords are updated every 30 days. This automation applies to hybrid joined PCs but not Microsoft Entra Native PCs.

The machine account password is maintained on the Cloud PC. If the Cloud PC is restored to a point that has a previous password stored, the Cloud PC won't be able to sign in to the domain.

For more information, see Machine Account Password Process.
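The following PowerShell function is an added example and is not part of the Windows 365 documentation. It shows how an administrator can confirm, on a restored hybrid joined Cloud PC, whether the machine account password stored locally still matches the domain controller, and optionally repair the trust. Test-ComputerSecureChannel, Reset-ComputerMachinePassword and Win32_ComputerSystem are standard Windows components; the function name and the interactive credential prompt are assumptions made for this example.

```powershell
# Added example (not from the Windows 365 documentation). Run in an elevated
# PowerShell session on the Cloud PC after a restore to detect the stale
# machine account password described above and, with -Repair, re-establish
# the domain trust.

function Test-CloudPcSecureChannel {
    [CmdletBinding()]
    param(
        # Repair the trust in place instead of only reporting (needs domain credentials)
        [switch]$Repair
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        # Microsoft Entra joined (non-hybrid) Cloud PCs have no AD machine account to check
        return [pscustomobject]@{ Computer = $cs.Name; Domain = $null; SecureChannelOk = $true; Action = 'NotDomainJoined' }
    }

    # $true when the locally stored machine account password still matches the DC
    $ok = Test-ComputerSecureChannel
    if ($ok) {
        return [pscustomobject]@{ Computer = $cs.Name; Domain = $cs.Domain; SecureChannelOk = $true; Action = 'None' }
    }

    if ($Repair) {
        # Resets the computer object's password on the DC and updates the local copy
        $cred = Get-Credential -Message "Domain account allowed to reset the machine password of $($cs.Name)"
        $repaired = Test-ComputerSecureChannel -Repair -Credential $cred
        return [pscustomobject]@{ Computer = $cs.Name; Domain = $cs.Domain; SecureChannelOk = $repaired; Action = 'Repaired' }
    }

    # Restore point predates the last automatic password rotation; trust must be re-established
    [pscustomobject]@{ Computer = $cs.Name; Domain = $cs.Domain; SecureChannelOk = $false; Action = 'RepairRequired' }
}

# Report only; add -Repair to fix the trust once the restore is confirmed
Test-CloudPcSecureChannel
```

Running the report-only form first lets you confirm that a failed domain sign-in after a restore is in fact the password rollover case before any credentials are used.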

Cursor's visible location is offset from the actual position

In a remote desktop session, when you select a position in a text file, the cursor in the Cloud PC is offset from the position you selected.

Possible cause

In high DPI mode, both the server and Cloud PC browser scale the cursor. This conflict results in an offset between the visible cursor position and the actual cursor focus.

Solution

Turn off high DPI mode.

Outlook only downloads one month of mail

Outlook only downloads one month of previous mail, which can't be changed in Outlook settings.

Solution

  1. Open Registry Editor.

  2. Remove the syncwindowsetting registry key under the path:

    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Cached Mode

  3. Add the syncwindowsetting registry key with the value 1 under the path:

    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Cached Mode

After you complete these steps, the default will be one month. However, the download period can be changed in Outlook settings.
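The following PowerShell function is an added example, not part of the Windows 365 documentation, that performs the three Registry Editor steps above for the current user and returns the resulting state so the change can be verified. The paths and the value data 1 come from the steps; the function name and the -Months parameter are assumptions made for this example.

```powershell
# Added example (not from the Windows 365 documentation). Applies the Outlook
# sync window steps above from a PowerShell session running as the affected
# user: drop the policy-enforced value, then write the user preference.

$policyPath = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Cached Mode'
$userPath   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Cached Mode'
$valueName  = 'syncwindowsetting'

function Set-OutlookSyncWindow {
    [CmdletBinding()]
    param(
        # Sync window in months; 1 matches step 3 above (hypothetical parameter)
        [ValidateRange(1, 120)]
        [int]$Months = 1
    )

    # Step 2: remove the value under the Policies hive so the setting is no longer locked
    if (Test-Path -Path $policyPath) {
        Remove-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    }

    # Step 3: create the user key if needed and write the DWORD value (-Force overwrites an existing one)
    if (-not (Test-Path -Path $userPath)) {
        New-Item -Path $userPath -Force | Out-Null
    }
    New-ItemProperty -Path $userPath -Name $valueName -PropertyType DWord -Value $Months -Force | Out-Null

    # Return what is now in effect; Outlook must be restarted before it reads the new value
    [pscustomobject]@{
        PolicyValuePresent = [bool](Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue)
        UserValue          = (Get-ItemProperty -Path $userPath -Name $valueName).$valueName
    }
}

Set-OutlookSyncWindow -Months 1
```

After the function returns PolicyValuePresent as False, the download period can be changed in Outlook settings as the text above describes; while the Policies value exists, Outlook treats the setting as locked.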

In-place Windows upgrade might change the computer name

Upgrading an existing Cloud PC between release versions of Windows 10 to Windows 11 might cause the computer name to be changed to a name with a prefix of "pps" while leaving the Intune device name unchanged.

Solution

Find and manage the Cloud PC in Microsoft Intune by using the unchanged Intune device name, either through the Devices > All devices list or the Devices > Windows 365 > All Cloud PCs list.

Windows 365 provisioning fails

Windows 365 provisioning failures might occur if both of the following conditions are met:

  • The Desired State Configuration (DSC) extension isn't signed.
  • The PowerShell Execution policy is set to AllSigned in the GPO.

Solution

  1. Check if the Azure network connection (ANC) fails with the error "An internal error occurred. The virtual machine deployment timed out." If yes, review the related GPO.
  2. Check if the PowerShell Execution policy is set to AllSigned. If it is, either remove the GPO or reset the PowerShell Execution policy to Unrestricted.
  3. Retry the ANC health check. If the check succeeds, retry provisioning.
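The following PowerShell function is an added example, not part of the Windows 365 documentation. It checks the two conditions above from a Cloud PC (or a domain-joined machine that receives the same GPOs): whether an AllSigned execution policy is being applied through Group Policy, and whether the DSC extension's scripts carry a valid Authenticode signature. The per-scope execution policy cmdlet and the Policies registry path are standard Windows; the extension folder path and the function name are assumptions made for this example.

```powershell
# Added example (not from the Windows 365 documentation). Diagnoses the
# "unsigned DSC extension + AllSigned execution policy" combination before
# you decide whether to adjust the GPO as in step 2 above.

function Get-ScriptExecutionPolicyState {
    [CmdletBinding()]
    param(
        # Folder where the Azure DSC extension unpacks its scripts (assumption; adjust for your image)
        [string]$DscExtensionRoot = 'C:\Packages\Plugins\Microsoft.Powershell.DSC'
    )

    # MachinePolicy and UserPolicy scopes are set by GPO and override all other scopes
    $scopes = Get-ExecutionPolicy -List
    $gpoPolicy = $scopes | Where-Object {
        ($_.Scope -in @('MachinePolicy', 'UserPolicy')) -and ($_.ExecutionPolicy -ne 'Undefined')
    }

    # Registry values written by the "Turn on Script Execution" policy setting
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

    # Any extension script without a valid signature would be refused under AllSigned
    $unsigned = @()
    if (Test-Path -Path $DscExtensionRoot) {
        $unsigned = @(Get-ChildItem -Path $DscExtensionRoot -Recurse -Include *.ps1, *.psm1 |
            Get-AuthenticodeSignature |
            Where-Object { $_.Status -ne 'Valid' } |
            Select-Object -ExpandProperty Path)
    }

    $gpoAllSigned = [bool]($gpoPolicy | Where-Object { $_.ExecutionPolicy -eq 'AllSigned' })

    [pscustomobject]@{
        EffectivePolicy  = Get-ExecutionPolicy
        GpoPolicy        = ($gpoPolicy | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
        GpoRegistryValue = $reg.ExecutionPolicy
        UnsignedDscFiles = $unsigned
        LikelyToBlockDsc = $gpoAllSigned -and ($unsigned.Count -gt 0)
    }
}

Get-ScriptExecutionPolicyState
```

LikelyToBlockDsc is True only when both conditions hold, which is the case the steps above describe; if the GPO scopes are Undefined, the provisioning failure has a different cause.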

Cloud PC reports as not compliant with compliance policy

The following device compliance settings report as Not applicable when being evaluated for a Cloud PC:

  • Trusted Platform Module (TPM)
  • Require encryption of data storage on device

The following device compliance settings might report as Not Compliant when being evaluated for a Cloud PC:

  • Require BitLocker
  • Require Secure Boot to be enabled on the device. Cloud PC support for the Secure boot functionality is now available to all customers.

Solution

To enable secure boot on the Cloud PC, see Reprovision the specific Cloud PC.

To remove not compliant settings:

  1. Create a filter for all Cloud PCs.
  2. For any existing device compliance policies that both evaluate to a Cloud PC and contain either of the Not Compliant settings, use this new filter to exclude Cloud PCs from the policy assignment.
  3. Create a new device compliance policy without either of the Not Compliant settings and use this new filter to include Cloud PCs for the policy assignment.

Single sign-on users see a dialog to allow remote desktop connection during the connection attempt

When you enable single sign-on, a prompt appears to authenticate to Microsoft Entra ID and allow the Remote Desktop connection when launching a connection to a new Cloud PC. Microsoft Entra remembers up to 15 devices for 30 days before prompting again. If you see this dialog, select Yes to connect.

To prevent this dialog from appearing, you can create a preconsented device group. Follow the instructions to configure a target device group to get started.

Single sign-on user connections are being denied through Microsoft Entra Conditional Access

Possible cause

To sign in through single sign-on, the remote desktop client requests an access token for the Microsoft Remote Desktop app in Microsoft Entra, and a Conditional Access policy that applies to that app might be the cause of the failed connection.

Troubleshooting steps

Follow the steps in troubleshoot sign-in problems.

Single sign-on users are immediately disconnected when the Cloud PC locks

When single sign-on isn't used, users can see the Cloud PC lock screen and enter credentials to unlock their Windows session. However, when single sign-on is used, the Cloud PC fully disconnects the session so that:

  • Users can use passwordless authentication to unlock their Cloud PC.
  • Conditional Access policies and multifactor authentication can be enforced when unlocking the Cloud PC.

Single sign-on users aren't asked to reauthenticate to Microsoft Entra ID when connecting from an unmanaged device

When you use single sign-on, all authentication behavior (including supported credential types and sign-in frequency) is driven through Microsoft Entra ID.

Solution

To enforce periodic reauthentication through Microsoft Entra ID, create a Conditional Access policy using the sign-in frequency control.

I don't see the Cloud PC reports on the Devices > Overview page in the Intune admin center

If you turn on the Use Devices preview setting in the Intune admin center, the Cloud PC performance (preview) tab, Cloud PCs with connection quality issues report, and Cloud PCs with low utilization report aren't on the Overview page.

Solution

Turn off the Use Devices preview toggle in the upper-right corner of the Devices > Overview page.

Cloud PC is stuck in a restart loop after a restore or resize action

Possible cause

This issue might occur for Cloud PCs provisioned before July 2022 that use either:

Cloud PCs provisioned after July 2022 don't encounter this issue.

Troubleshooting steps

Determine the root cause:

  1. Search the Windows Event log. If the system shows the following reboot event (1074), continue to step 2.

    The process C:\WINDOWS\system32\wbem\wmiprvse.exe (<CPC Name>) has initiated the restart of computer <CPC Name> on behalf of user NT AUTHORITY\SYSTEM for the following reason: Application: Maintenance (Planned)
    Reason Code: 0x80040001
    Shutdown Type: restart
    Comment: DSC is restarting the computer.
    
  2. Run Get-DscConfigurationStatus in an elevated command window. If the result shows a reboot pending for a job, continue to step 3.

  3. Run Get-DscConfiguration in an elevated command window. If the results show the DSC that installs the language, continue to the next section.

Solution

To stop the restart loop, try either of these options:

  • Remove the Azure Site Recovery policies or switch the policies to Audit mode, and then apply the new policies to the Cloud PC.

  • In an elevated command window, run the following command to reboot the job:

    Remove-DSCConfiguration -Stage Pending,Current,Previous -Verbose
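The following PowerShell function is an added example, not part of the Windows 365 documentation. It automates the three troubleshooting steps above (restart event 1074 with the DSC comment, a DSC job with a reboot pending, the resources in the applied configuration) and, only when asked, applies the second solution option. Get-WinEvent, Get-DscConfigurationStatus, Get-DscConfiguration and Remove-DscConfiguration are standard Windows cmdlets; the function name, the -Remediate switch and the -LookbackHours parameter are assumptions made for this example.

```powershell
# Added example (not from the Windows 365 documentation). Run in an elevated
# PowerShell session on the affected Cloud PC between restarts.

function Get-DscRestartLoopEvidence {
    [CmdletBinding()]
    param(
        # Hypothetical switch: clear the Pending, Current and Previous DSC stages (solution option 2)
        [switch]$Remediate,
        # How far back to look for restart events (hypothetical parameter)
        [int]$LookbackHours = 24
    )

    # Step 1: User32 event 1074 in the System log whose comment names DSC
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'DSC is restarting the computer' })

    # Step 2: a job still flagged RebootRequested means DSC will restart the Cloud PC again
    $status  = @(Get-DscConfigurationStatus -All -ErrorAction SilentlyContinue)
    $pending = @($status | Where-Object { $_.RebootRequested })

    # Step 3: resource IDs in the applied configuration; a language install resource matches the scenario above
    $resources = @(Get-DscConfiguration -ErrorAction SilentlyContinue | ForEach-Object { $_.ResourceId } | Sort-Object -Unique)

    $looping = ($events.Count -gt 0) -and ($pending.Count -gt 0)

    $action = 'None'
    if ($looping -and $Remediate) {
        # Second solution option above: remove the stored DSC configuration so the LCM stops re-applying it
        Remove-DscConfiguration -Stage Pending, Current, Previous -Verbose
        $action = 'RemovedDscConfiguration'
    }

    [pscustomobject]@{
        DscRestartEvents    = $events.Count
        LastDscRestart      = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        RebootPendingJobs   = $pending.Count
        ConfiguredResources = $resources
        RestartLoopDetected = $looping
        Action              = $action
    }
}

# Collect evidence first; re-run with -Remediate once the language-install DSC is confirmed as the cause
Get-DscRestartLoopEvidence
```

Collecting the evidence without -Remediate first keeps the three steps above in order: the DSC configuration is only removed once event 1074, the pending reboot and the offending resource have all been confirmed.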

Cloud PC connection issues for GCC High government customers

Some GCC High government customers whose resources are deployed to microsoft.us environments might encounter issues connecting to their Cloud PC using web clients or the Safari browser.

Possible cause

The issue occurs when the web client or the Safari browser blocks third-party cookies. Third-party cookies are cookies set by a domain other than the one you're visiting.

For GCC High customers with resources deployed to microsoft.us environments, the microsoft.us cookies are considered third-party cookies by the web client or the Safari browser. This consideration is because the web client or Safari browser uses the Cloud PC's domain name, which is different from microsoft.us, to determine the first-party domain. If the web client or Safari browser blocks third-party cookies, it prevents the microsoft.us cookies from:

  • Being stored.
  • Being used for authentication and authorization.

As a result, you can't connect to your Cloud PC session.

Solution

Allow third-party cookies from microsoft.us in your Web client settings, Safari browser settings, or Group Policy.

This change lets the web client or Safari browser store and use the microsoft.us cookies to connect to your Cloud PC session.

Windows Security reports "Memory Integrity is off. Your device may be vulnerable."

In the Cloud PC's Windows System Information, you might also see that the Virtualization-based security (VBS) row shows Enabled but not running.

This issue can be caused when nested virtualization is turned on. When nested virtualization is turned on, it requires a running nested hypervisor, which inhibits Direct Memory Access (DMA) protections. DMA protections are required when running VBS.

Solution

Make sure that:

  • Nested virtualization is turned off for the Cloud PC.
  • Policies have VBS enabled with DMA protection.

Another option is to not require DMA protection for VBS, because nested virtualization and DMA protection are incompatible with each other.
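The following PowerShell function is an added example, not part of the Windows 365 documentation. It reads the same data that the System Information VBS rows show, from the Win32_DeviceGuard WMI class, and reports whether DMA protection is required by policy but not available, which is the combination the text above attributes to nested virtualization. The class, namespace and status codes are documented Windows values; the function name and the Hyper-V feature check used as a nested virtualization hint are assumptions made for this example.

```powershell
# Added example (not from the Windows 365 documentation). Run in an elevated
# PowerShell session on the Cloud PC to confirm why Memory Integrity reports
# as off.

function Get-VbsDmaState {
    [CmdletBinding()]
    param()

    # Same source that Windows System Information uses for its VBS rows
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # Security property code 3 = DMA protection; code 2 in SecurityServicesRunning = HVCI (Memory Integrity)
    $dmaRequired  = @($dg.RequiredSecurityProperties)  -contains 3
    $dmaAvailable = @($dg.AvailableSecurityProperties) -contains 3
    $hvciRunning  = @($dg.SecurityServicesRunning)     -contains 2

    # Hint only (assumption): Hyper-V being enabled inside the Cloud PC implies nested virtualization is on
    $hyperV = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
    $nestedHint = ($null -ne $hyperV) -and ($hyperV.State -eq 'Enabled')

    $diagnosis = if ($dg.VirtualizationBasedSecurityStatus -eq 1 -and $dmaRequired -and -not $dmaAvailable) {
        'VBS requires DMA protection that the platform cannot provide; matches the nested virtualization conflict'
    } elseif ($hvciRunning) {
        'Memory Integrity is running'
    } else {
        'Memory Integrity is off for another reason; check the VBS policy'
    }

    [pscustomobject]@{
        VbsStatus              = $vbsStatus
        MemoryIntegrityRunning = $hvciRunning
        DmaProtectionRequired  = $dmaRequired
        DmaProtectionAvailable = $dmaAvailable
        HyperVEnabledInGuest   = $nestedHint
        Diagnosis              = $diagnosis
    }
}

Get-VbsDmaState
```

DmaProtectionRequired reflects what policy asks for and DmaProtectionAvailable what the platform can supply; when the first is True and the second False, either turn nested virtualization off or stop requiring DMA protection, as the two options above describe.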

Microsoft Teams isn't enforcing screen capture protection

When screen capture protection is enabled, Microsoft Teams on Windows 365 Cloud PCs isn't enforcing screen capture protection.

Troubleshooting steps

  • Confirm that the WebRTC version is up to date.

  • Confirm that the screen capture protection policy is configured correctly to have the client and server selected:

    1. Sign in to the Microsoft Intune admin center, select Devices > Configuration, and then choose the policy.
    2. Under Configuration settings, select Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop, and then make sure the following is set:
      • Enable screen capture protection = Enable
      • Screen Capture Protection Options = Block screen capture on client and server

Windows 365 scope tags and nested groups

Windows 365 doesn't support nested security groups. If you apply a scope tag to the top of a nested security group, Cloud PCs in inner nested groups aren't assigned scope tags.

Solution

Apply the scope tag individually to each group in the nested security group.

Windows 365 doesn't support editing scope tags for individual Cloud PCs

The Windows 365 user interface and Graph API don't support the editing of scope tags for individual Cloud PCs.

Solution

Edit scope tags for individual Cloud PCs on Intune's All Devices blade to sync the scope tag associations to the Windows 365 service.

Scope tags for custom images can't be edited

Scope tags applied to custom images can't be edited or directly added by top-level admins.

Solution

When scoped admins create custom images, those custom images are tagged with the same scope tags that are associated with the scoped admin.

For example, if an admin scoped with the scope tag "Scope Tag A" creates a custom image, the created custom image is automatically tagged with "Scope Tag A."

WebRTC Redirector Service is missing from the May 21, 2024 gallery images

The May 21, 2024 updates for Cloud PC gallery images lack the WebRTC Redirector Service. Without this component, Teams media redirection doesn't work.

This applies to the following gallery images:

  • Windows 11 23H2 with Microsoft 365 apps
  • Windows 11 22H2 with Microsoft 365 apps

Troubleshooting steps

For newly provisioned Cloud PCs, verify that WebRTC is available. If it's not, you can use either of the following options:
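The following PowerShell function is an added example, not part of the Windows 365 documentation. It serves both this check (is the WebRTC Redirector Service present on a newly provisioned Cloud PC) and the earlier Teams screen capture protection step that asks you to confirm the WebRTC version is up to date. It locates the installed package through the standard Uninstall registry keys and the service list; the function name and the -MinimumVersion default are assumptions made for this example, and the default is a placeholder to replace with the release you standardize on.

```powershell
# Added example (not from the Windows 365 documentation). Run on the Cloud PC
# to report whether the WebRTC Redirector Service is installed, running and at
# least the version you require.

function Get-WebRtcRedirectorState {
    [CmdletBinding()]
    param(
        # Placeholder minimum version (assumption); set to the release you standardize on
        [version]$MinimumVersion = '1.0.0.0'
    )

    # Installed-program entries for 64-bit and 32-bit installers
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $pkg = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*WebRTC Redirector*' } |
        Select-Object -First 1 DisplayName, DisplayVersion

    # The redirector registers a Windows service; its display name contains "WebRTC"
    $svc = Get-Service -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*WebRTC*' } | Select-Object -First 1

    # Parse the version defensively; some installers use non-numeric version strings
    $installedVersion = $null
    if ($pkg -and $pkg.DisplayVersion) {
        try { $installedVersion = [version]$pkg.DisplayVersion } catch { $installedVersion = $null }
    }

    [pscustomobject]@{
        Installed        = [bool]$pkg
        Package          = $pkg.DisplayName
        InstalledVersion = $pkg.DisplayVersion
        ServiceName      = $svc.Name
        ServiceStatus    = $svc.Status
        MeetsMinimum     = ($null -ne $installedVersion) -and ($installedVersion -ge $MinimumVersion)
    }
}

Get-WebRtcRedirectorState
```

Installed being False on a Cloud PC built from one of the two gallery images listed above is the condition this section describes; MeetsMinimum False with Installed True is the outdated-WebRTC case from the screen capture protection troubleshooting steps.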

Windows 365 Frontline issues

The following are issues for Windows 365 Frontline:

Reprovision action doesn't apply on devices that don't have a configuration change

For Frontline in shared mode Cloud PCs, the reprovision action won't begin unless a change has been made to the provisioning policy image.

Workaround

You can reprovision all devices by removing the assignment group, saving the changes, and then adding the group assignment back to the policy. This workaround method ends the sessions for all active users.

Frontline shared card displays in Windows App during Cloud PC provisioning

When you provision the Frontline Cloud PC in shared mode for the first time, the Frontline shared card displays in the Windows App with the status Ready to Connect during Cloud PC provisioning. Users can select to connect but receive a "Your connection failed" error.

Solution

Users must close all dialogs before connecting to the Cloud PC.

Users must wait for about 90 seconds after Reset

When a user performs the Reset action on a Frontline Cloud PC in shared mode, the Connect button is grayed out for around 90 seconds. During this time, users can't connect to another Frontline Cloud PC.

Users can select Connect while they're connected to a Frontline Cloud PC in shared mode

When a user is connected to a Frontline Cloud PC, the Connect button in the Windows App remains blue and clickable. If the user selects Connect, a new window opens and connects. The previous window remains open with a new connection notification dialog.

Next steps

Troubleshoot Windows 365 Enterprise Cloud PC