Provision Windows 365 Frontline Shared

Lukas RottachLukas Rottach
8 min read

Welcome, wanderer 🧙‍♂️! If you've ever stared into the depths of virtual desktops and thought, "What magic is this Windows 365 Frontline Shared model, and how do I even begin to conjure it?". You've clicked your way to the perfect scroll. Let's unravel this sorcery together!

Foreword

In the world of Windows 365, we've gotten used to a simple truth: one user, one Cloud PC. Whether it's Windows 365 Enterprise, where assigning a license directly provisions a dedicated Cloud PC for a specific user, or even Windows 365 Frontline (Dedicated), which pools licenses but still maintains a direct assignment between user and Cloud PC. This fundamental relationship was always clear and consistent.

However, Microsoft's introduction of the Windows 365 Frontline Shared model marks a significant shift, breaking away from this established paradigm. For the first time, we're seeing a model where multiple users can dynamically share the same Cloud PC resources, changing the game entirely for organizations managing frontline workers and flexible workforce and task work scenarios.

In this blog post, we'll dive deeper into what exactly the Windows 365 Frontline Shared model is, explore how it works under the hood, and help you understand whether it's the right fit for your organization. Let's explore this new frontier together!

When to use it?

Microsoft designed Windows 365 Frontline Shared specifically for workers who require access to a Cloud PC only for specialized tasks and typically for short periods during their workday. It is ideal for scenarios where data persistence is not necessary between user sessions. This makes it particularly valuable in environments such as healthcare, retail, customer support, and manufacturing, where tasks are typically transactional or highly focused and don't require long-term storage of user-specific data.

In contrast to the traditional Windows 365 Enterprise or Frontline (Dedicated) models, Frontline Shared could provide a significant cost advantage and enhanced flexibility for specific use cases. Instead of assigning licenses and Cloud PCs directly to individual users, Frontline Shared enables dynamic sharing of Cloud PC resources among multiple users. This significantly reduces idle resources, optimizes licensing costs, and simplifies overall management.

Consider Windows 365 Frontline Shared if your organization:

  • Has workers needing temporary, task-specific access to Cloud PCs.

  • Does not require persistent user data storage across sessions.

  • Wants to optimize cost efficiency by dynamically allocating shared computing resources.

If your workforce requires consistent, personalized computing experiences, Windows 365 Enterprise remains the best choice. Windows 365 Frontline (dedicated), meanwhile, provides pooled licensing but maintains a dedicated Cloud PC per user.

💡
Disclaimer: It is important to note that the term "shared" in Windows 365 Frontline Shared does not refer to multi-session capabilities. Each Cloud PC can be accessed by only one user at a time, ensuring exclusive session usage and security.
Keep in mind, that sessions for Windows 365 Frontline Shared are non-persistent. After a users signs out, everything will be wiped away.

Requirements

Before we can start setting up Windows 365 Frontline, we need to ensure we meet the requirements. Make sure you have at least one Frontline license available in your tenant. Additionally, Windows 365 Frontline has some specific license requirements:

  • Windows E3

  • Intune

  • Microsoft Entra ID P1

In most cases it makes much more sense to go for a license bundle like Microsoft 365 E3 or similar.

Source: Windows 365 Licensing Requirements


About the license

Windows 365 Frontline Shared is a new way to provision or deploy Windows 365 Frontline. There is no new license needed for Frontline Shared. You purchase Windows 365 Frontline licenses as usual and choose the setup model you want through your provisioning policies.

Windows 365 Frontline licenses are tenant-scoped, meaning you don't need to assign them to a user or group. This applies to both Frontline Dedicated and Frontline Shared. Every Frontline license you purchase is pooled at the tenant level and is available for provisioning in your provisioning policy.

Good to know: These Windows 365 Frontline licenses do not appear as a product in the Microsoft Entra Admin Center.

The only place to manage is the Microsoft 365 Admin Center, where Windows 365 Frontline licenses are available as a product.

💡
In the admin center Frontline licenses always appear as not assigned.


Provisioning

To assign my Frontline Shared resources to users later, I start by creating a provisioning group in Entra ID.

I recommend implementing a naming convention for your provisioning groups. This is especially helpful if you are managing multiple assignments, license types, and sizes.

Create a provisioning policy

Every successful journey with Windows 365 Frontline Shared begins with setting up the Provisioning Policy. Think of this policy as the blueprint that defines how Cloud PCs are created, assigned, and managed within your organization. In essence, a provisioning policy outlines essential details such as the image used for your Cloud PCs, network configurations, user assignments, and other settings.

In your Microsoft Intune admin center navigate to Devices —> Windows 365 —> Provisioning Policies and create a new policy and give it a proper name. The magic starts to happen when we select the license type and set it to Frontline —> Shared. Here we decide the path of Frontline type we want to go with this policy.

Further down in this menu, we define details like the join type, network setup, and the location of our Cloud PCs. In this case, I've chosen a straightforward Microsoft Entra Join scenario.

💡
Keep in mind that Windows 365 Frontline Shared might not be available in every region you're familiar with from Frontline Dedicated or Windows 365 Enterprise. I live in Switzerland, so I am choosing North Europe as my region.

Click Next and choose the image you want to use for your deployment. Custom images are also supported for Frontline Shared.

If you are planning to implement a device name template for you Cloud PCs, think about the following points:

  • Names must be exactly 15 characters

  • Contain letters, numbers, and hyphens

  • Cannot include a blank spaces

  • Must have a pre-fix that are 0-7 characters long

All of these points must be fulfilled. I’ve decided to go for a simple name template like FLS-%RAND:11%.

Device preparation policies are an excellent way to ensure that your Cloud PCs are ready after provisioning, before the first user connects.

💡
I’m going to cover Windows Autopilot (Preview), device preparation policies in a separate post.

Assign the provisioning policy

Now the exciting part begins. To connect this provisioning policy to our provisioning group in Entra and to select the number and size of Cloud PCs, we need to create an assignment.

Just click on Add groups and choose your provisioning group. Then it’s time to select our Cloud PC size.

Here we can see some details about the Entra group and our assignment.

  1. Selected Group: The name of our selected group and the number of members it contains.

  2. Available Cloud PCs: All licenses available in your tenant.

  3. Assignment: The friendly name of your assignment and the number of Cloud PCs to provision.

💡
You can only provision as much Cloud PCs as licenses available in your tenant for the selected size. One Windows 365 Frontline license equals to one Shared CloudPC.

Now it’s time to review your configuration and finish with a click on Create.

What happens next?

With Frontline Shared, Microsoft introduced a new type of provisioning. Frontline Shared is the first model not tied to a specific user. As you may know, in Windows 365 Enterprise or Frontline Dedicated, the user always triggers the provisioning of a new Cloud PC. You add a user to a group, and you get a new Cloud PC.

Once you complete this provisioning policy, you'll notice that the Windows 365 provisioning service immediately starts to provision the specified number of Cloud PCs.

Now, let’s wait for this to finish and check if everything is working as expected.


Under the hood

When provisioning Windows 365 Frontline Shared, understanding licensing details is essential. Licenses assigned to Frontline Shared assignments are specifically reserved for those assignments (known as the allotmentLicenseCount). These licenses are explicitly separated from your organization's global frontline license pool.

This mechanism ensures strict concurrency management, meaning the number of simultaneous sessions within a Frontline Shared assignment cannot exceed the allotted licenses. Consequently, if all licenses within a particular assignment are actively in use, additional users attempting access must wait until a session becomes available.


End user experience

At the end of the day, every assigned user should be able to access these shared Cloud PCs just like any other Cloud PC.

From a user's perspective, Windows 365 Frontline Shared offers a seamless and instantly accessible experience. Since shared Cloud PCs are always running, users benefit from near-instant connection times.

However, due to the non-persistent nature of Frontline Shared Cloud PCs, each user sign-in is effectively treated as a first-time login. This means users will encounter a clean and standardized desktop environment every time they connect, with no retained personalized settings or stored data from previous sessions.

💡
While this ensures consistency and security, organizations should clearly communicate this aspect to users and set expectations accordingly.

Maintenance

You can perform or schedule reprovisioning operations to refresh Cloud PCs regularly, especially useful when using custom images that evolve over time. Reprovisioning can even run on a scheduled basis, ensuring your shared Cloud PCs always reflect the most up-to-date configurations.

I'll dive deeper into the detailed aspects of image management and comprehensive maintenance strategies in an upcoming blog post. Stay tuned for more insights!

Happy provisioning 🛠️!

0
Subscribe to my newsletter

Read articles from Lukas Rottach directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Lukas Rottach
Lukas Rottach

I am an Azure Architect based in Switzerland, specializing in Azure Cloud technologies such as Azure Functions, Microsoft Graph, Azure Bicep and Terraform. My expertise lies in Infrastructure as Code, where I excel in automating and optimizing cloud infrastructures. With a strong passion for automation and development, I aim to share insights and practices to inspire and educate fellow tech enthusiasts. Join me on my journey through the dynamic world of the Azure cloud, where innovation meets efficiency.