Behind the Scenes of Windows 365: Understanding Enterprise, Frontline Dedicated, and Shared Provisioning

Lukas Rottach

In this post, I want to explore the technical differences between the licensing options available, particularly around how provisioning and resource management actually work behind the scenes. Each of these brings specific technical capabilities and distinct methods of deployment and management.
Rather than covering high-level comparisons, I'll dive into details like resource allocation, license pooling, session management, and what all this means practically for IT teams. I won’t cover topics like license prerequisites, use cases and stuff like that.

By breaking down these technical specifics, my goal is to help you clearly see which Windows 365 model fits best for your particular needs. Ultimately, this should empower you to make more informed choices and streamline your approach to cloud desktop management.

Windows 365 Enterprise

Windows 365 Enterprise represents the original vision behind Windows 365, a straightforward, user-centric model. With this approach, each license is simply assigned directly to an individual user or managed through groups, instantly provisioning a dedicated Cloud PC for them. This creates a clear, easy-to-manage 1:1 relationship between user and license. It's still the ideal solution when your goal is to provide users with a reliable, instantly accessible workspace in the cloud, behaving exactly like a traditional desktop, but hosted entirely in the cloud.

Each Cloud PC is permanently assigned to an individual user as their personal desktop. The user’s data, profile, and applications persist across reboots and sessions (just like a personal physical PC). Even after the user logs off, the Cloud PC remains allocated to them and continues running in the cloud (it doesn’t auto-shutdown just because the user disconnects). This means the machine is always on and up-to-date, ready for the user to connect at any time.

As I mentioned earlier, purchasing Windows 365 Enterprise is similar to acquiring any other Microsoft 365 subscription. To set up a Cloud PC, you must assign the license to a user, which can be done directly or through a group assignment. In many cases, using group assignments is more efficient and scalable. To ensure this process works smoothly, you need both a valid license and a well-configured provisioning policy. Once you add a user to the provisioning group, the provisioning process begins automatically.

💡
To explain it in my own words: The Windows 365 provisioning service continuously monitors the group for any changes. As soon as you add a user to this group, the provisioning process starts immediately.

The Cloud PC is then assigned exclusively to the user, ensuring it is not shared with others and remains consistently available for their use. There is no concept of concurrent usage limits in Enterprise beyond the fact that each active user needs their own license. All licensed users can be on their Cloud PCs simultaneously since each has a dedicated VM. In other words, concurrency is only limited by the number of licenses purchased (e.g. 100 Enterprise licenses support 100 users all online at once). There’s no sharing of sessions. Each Cloud PC is isolated to its assigned user.

Windows 365 Frontline

Windows 365 Frontline is a cost-saving alternative designed for scenarios where not all users need to be on their Cloud PC at the same time. Instead of one-license-per-user, Frontline uses pooled licenses at the tenant level that support concurrent usage. Frontline Cloud PCs are still managed via Intune (just like Enterprise) but the licensing and provisioning differ significantly. There are two modes for Windows 365 Frontline: Dedicated Mode and Shared Mode. Let’s break down each:

Windows 365 Frontline (Dedicated)

In Frontline Dedicated mode, each user gets their own Cloud PC (just like Enterprise), but licenses are shared concurrently rather than assigned one-to-one. A single Frontline license lets you provision up to three Cloud PCs (for three different users) as long as only one is in use at any given time. In other words, one license = one concurrent session, but you can assign that license to multiple users’ Cloud PCs on a time-sharing basis.

Windows 365 Frontline licenses are not assigned to individual users in Entra ID. Instead, they exist as a pool at the tenant level. Admins track license consumption via Windows 365 utilization reports rather than per-user assignment.

Admins create a provisioning policy in Intune with License type = Frontline and Frontline type = Dedicated. You then target an Entra ID group containing the users who need Cloud PCs. The Windows 365 provisioning service will set up Cloud PCs for those users up to the allowed limit, which is 3 Cloud PCs per license in dedicated mode. For example, if you purchased 10 Frontline licenses, you can provision up to 30 Cloud PCs (for 30 users) under that policy. Intune will alert you if you try to target more users than the licenses can cover (e.g., if the group has 35 users but only 30 Cloud PCs can be created). Those extra users won’t get a Cloud PC unless more licenses are added. Each Cloud PC is still tied to a specific user (one Cloud PC per user, named and personalized for them) once provisioned.

The number of concurrent Cloud PC sessions allowed equals the number of Frontline licenses purchased. Using the above example, with 10 licenses (30 provisioned Cloud PCs), only 10 Cloud PCs can be powered on and in use at the same time. If an 11th user attempts to use their Cloud PC, they would be blocked until someone else signs out.

Windows 365 Frontline (Shared)

Frontline Shared mode takes the pooling concept a step further by allowing multiple users to share the same Cloud PC (one at a time), with an ephemeral session model. In this mode, a single Cloud PC is not tied permanently to any one user. It’s a generic machine that any member of a group can use, and when one user signs out, their data is wiped and the Cloud PC is reset for the next user. A single Frontline license corresponds to one shared Cloud PC provisioned (and still one concurrent session).

Admins set up a provisioning policy in Intune with License type = Frontline and Frontline type = Shared. You assign an Entra ID group that contains all users who are allowed to use these shared Cloud PCs. Crucially, the admin can choose how many Cloud PCs to provision (up to the number of licenses available for the selected Cloud PC size). Each Cloud PC in the pool consumes one license. For instance, if you have 50 users in the group and 20 licenses, you might provision 20 shared Cloud PCs for that group. Those 50 users will then share those 20 Cloud PCs.

The total number of concurrent active users in shared mode equals the number of Cloud PCs provisioned (which in turn equals the number of licenses allocated to that pool). If more users try to sign in, they must wait until someone logs off. Unlike dedicated mode, there is no concurrency buffer in shared mode – the limit cannot be exceeded at any time.
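The provisioning and concurrency limits described for Enterprise, Frontline Dedicated and Frontline Shared can be checked against a planned group size and a sign-in pattern before licenses are bought. The following is an added sketch, not code from the original post or from any Microsoft tooling. The model names, `plan`, `replay` and the event trace are hypothetical, and dedicated mode is treated as a hard limit ("blocked until someone else signs out"), so the concurrency buffer is not modelled.

```python
# Added illustration: models only the limits stated in this post.
from dataclasses import dataclass

DEDICATED_PCS_PER_LICENSE = 3  # "up to three Cloud PCs" per Frontline license


@dataclass
class Plan:
    provisioned: int          # Cloud PCs the policy can create
    unprovisioned_users: int  # group members left without a personal Cloud PC
    max_concurrent: int       # sessions allowed at the same time


def plan(model: str, licenses: int, group_size: int, shared_pool: int = 0) -> Plan:
    if model == "enterprise":            # 1:1 user-to-license
        pcs = min(group_size, licenses)
        return Plan(pcs, group_size - pcs, pcs)
    if model == "frontline-dedicated":   # 3 personal Cloud PCs per license
        pcs = min(group_size, licenses * DEDICATED_PCS_PER_LICENSE)
        return Plan(pcs, group_size - pcs, min(pcs, licenses))
    if model == "frontline-shared":      # admin picks pool size, one license each
        if shared_pool > licenses:
            raise ValueError("shared pool cannot exceed available licenses")
        return Plan(shared_pool, 0, shared_pool)
    raise ValueError(f"unknown model: {model}")


def replay(p: Plan, events):
    """Replay ('in' | 'out', user) events; return sign-ins rejected at the limit."""
    active, blocked = set(), []
    for action, user in events:
        if action == "out":
            active.discard(user)
        elif user in active:
            continue                     # already connected
        elif len(active) >= p.max_concurrent:
            blocked.append(user)         # must wait for someone to sign out
        else:
            active.add(user)
    return blocked


# Constructed shift-change trace: 11 sign-ins, then u1 leaves and u11 retries.
SHIFT = [("in", f"u{i}") for i in range(1, 12)] + [("out", "u1"), ("in", "u11")]

if __name__ == "__main__":
    p = plan("frontline-dedicated", licenses=10, group_size=35)
    print(p, replay(p, SHIFT))
```

Replaying a real sign-in history exported from your own environment in place of `SHIFT` shows how often users would have been turned away at a given license count.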

💡
Here's something special about provisioning: In Windows 365 Enterprise or Frontline (Dedicated), the user always triggers the provisioning of a new Cloud PC. The provisioning service manages your policy assignments and takes action when you add or remove users from your groups. In a Frontline (Shared) model, there is no direct link between a user account and a Cloud PC. Once you complete the assignment for Frontline (Shared), the provisioning service starts deploying these shared Cloud PCs.

Conclusion

Windows 365 Enterprise, Frontline Dedicated, and Frontline Shared all use the same Cloud PC technology but differ in how they license and allocate these Cloud PCs to users. Enterprise uses a traditional model where each user gets their own Cloud PC with a direct license assignment, providing a personal virtual machine that's always available. This is ideal for users who need a constant desktop. Frontline Dedicated also assigns one Cloud PC per user but uses concurrency-based licensing. This means Cloud PCs turn off when not in use, and licenses are only counted for active sessions. This allows organizations to offer personal Cloud PCs to more users than they have licenses for, up to three times more, as long as usage is spread out over time. Frontline Shared allows multiple users to take turns using the same Cloud PC instances, without saving data between sessions, which makes the most of licenses for short-term use cases. Enterprise licenses are assigned to individual users, while Frontline licenses are pooled at the tenant level and managed through Intune policies and Entra ID groups instead of being assigned to each user.

From an architecture perspective, understanding these models is crucial for designing cost-effective Cloud PC deployments. It's important to plan for the right number of licenses, set up provisioning policies correctly, and manage sessions (like idle timeouts) to ensure a smooth experience. Engineers and architects should consider user work patterns: if users have consistent 9-to-5 schedules, Enterprise might be the easiest choice. If users work in shifts or sporadically, Frontline can greatly cut licensing costs. If users only need temporary, generic sessions (without saving data), Frontline Shared can be a great way to optimize resources.

Happy provisioning! 🖥️
