Securing Windows 365 Enterprise with Azure Firewall

Configuring Azure Firewall in combination with Windows 365

To increase security on your Windows 365 hosts you might want to put your Windows 365 clients behind a firewall. There are several options but one of the options that you have is to use the Azure Firewall. The Azure firewall is a powerful SaaS solution of Microsoft, but also an expensive one. Recently Microsoft announced the preview of a new Firewall sku, the Azure Firewall basic. The solution is more aimed to midsized companies. It lacks the advanced features of the Standard and premium Firewall but is does provide you with enough features to better secure your environment. Besides it also in a lower price range so it should be more attractive to midsized companies.

  • Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). It supports advanced threat protection capabilities like malware and TLS inspection.
  • Azure Firewall Standard is recommended for customers looking for Layer 3–Layer 7 firewall and needs auto-scaling to handle peak traffic periods of up to 30 Gbps. It supports enterprise features like threat intelligence, DNS proxy, custom DNS, and web categories.
  • Azure Firewall Basic is recommended for SMB customers with throughput needs of less than 250 Mbps.

In this blog I will show you the basics of setting up the new Azure Firewall Basic sku in combination with Windows 365 Enterprise. Unfortunately, Windows 365 Business is not suitable for Azure Firewall because you will need to redirect the traffic through the Azure Firewall. With Windows 365 business you do not have any control over the networking, since it’s managed by Microsoft. The article builds upon the blog series of Windows 365, so if you need information on how to set up Windows 365, I recommend reading through those articles first.

Azure Firewall

This feature is in preview, so you might need to register the new Azure Firewall Basic Provider. To do so:

  • Connect-AzAccount
  • Select-AzSubscription -Subscription “subscription_id or subscription_name”
  • Register-AzProviderFeature -FeatureName AzureFirewallBasic -ProviderNamespace Microsoft.Network
  • Check Registration: Get-AzProviderFeature -FeatureName AzureFirewallBasic -ProviderNamespace Microsoft.Network  
  • Wait until the provider is registered

From a networking perspective an Azure Basic Firewall needs 3 subnets within a vnet. It needs a management subnet, Azure firewall subnet and a subnet workload subnet. The management and the Azure firewall subnet need specific names otherwise you won’t be able to deploy the Firewall. So, in your vnet you need to create 3 subnets:

  1. Subnet : AzureFirewallSubnet, in my case I am using a 10.3.4.0/24 subnet
  2. Subnet: AzureFirewallManagementSubnet, in my case I am using a 10.3.2.0/26 subnet
  3. Subnet: Workload subnet 10.3.5.0/24
Required subnets

In production environments it is considered better to create a hub spoke network topology where you Firewall is in a separate Vnet than your workload. You connect your Vnets via network peering. The functionality doesn’t change is you have 1 or multiple Vnets.

Now you have set up the subnets in your Vnet its time to deploy the Azure Firewall. Sign into the Azure Portal and search for Firewalls and select Create.

To set up Azure Firewall sign into the Azure Portal and search for Firewalls and select Create.

  • Subscription. Where the Azure firewall will be deployed. This needs to be the same subscription as where your vnet is created.
  • Resource Group. Select or create a resource group to deploy the Firewall
  • Name. Give you Firewall a name.
  • Region. Select the region for your Firewall. This also needs to be the same as the region of you vnet.
  • Availability zone. If the region supports availability zones you can select a zone or leave it to none
  • Firewall SKU. Select Basic, or a higher sku.
  • Firewall management. Is greyed out is you choose Basic
  • Firewall Policy. Create a new policy. This also needs to be deployed in the same region.
  • Virtual network. Choose a virtual network. Pick the network where you want to deploy the Firewall. If you did not create the necessary subnets, you will get an error.
  • Public IP address. Create a new Public IP address
  • Management public IP address. The basic sku also needs a public management IP. You won’t be able to connect to this IP, but it is necessary for Microsoft to manage your Firewall.
Azure Firewall deployment

Choose review and create. The deployment will start and can take up to 30 min, so go grab yourself a cup of coffee.

While waiting for the deployment we can already create a route table. With a route table we can redirect network traffic within Azure. Otherwise the Windows 365 clients network traffic will leave Azure without passing through the Firewall.

In the Azure portal search for Route Table and create a new Route table

  • Subscription. Same subscription as the vnet to which you want to connect to route table
  • Resource Group. A resource group of your choosing.
  • Region. Select the same region of your vnet
  • Name. A clear name, such as route-to-fw
  • Propagate gateway routes. Depending on your config, but you can leave it on yes.

When your route table has been created go to the route table and select Routes and select Add

Add route

Add the following to the new route:

  • Route name. A clear descriptive name
  • Address prefix destination. Choose IP Addresses
  • Destination IP addresses/CIDR ranges. Enter 0.0.0.0/0 this way all traffic will be forwared.
  • Next hop. Choose Virtual Applicance
  • Next hop address. This is the IP of the Azure firewall. This is the first available IP in the AzureFirewallSubnet. In my case the range is 10.3.4.0/24 so the first available IP will be 10.2.4.4. You can also check this by going to the Firewall.

The next step is to associate the route table to a subnet, this way all devices in that subnet will use the route defined in the table. Be aware that associating the route table will result in disconnecting your Windows 365 user sessions. You need to configure the firewall as described in the next section. To associate the route table, select subnets and choose associate. You can there select the Vnet and the subnet of where your workload is deployed.

Configuring Azure Firewall

You now have a firewall and you route all the Windows 365 traffic through that firewall. This also means that the traffic that is required for users to connect to the Windows 365 machine is also blocked. So if a user tries to connect to its machine it will get the following message. So if you are deploying the firewall to a production environment wait with applying the route table otherwise your users won’t be able to connect to their machines.

Unable to connect to Windows 365

You will need to make some firewall rules. Unfortunately, there is no official Microsoft documentation of which firewall rules you need to create in order for Windows 365 to work (At least I haven’t found it). There is however documentation available on firewall rules for Azure Virtual Desktop. The two basically share the same connection method so that should give us a good starting point. You can find the AVD documentation here https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?tabs=azure#create-network-rules . In the Azure Portal search for Firewall Policies. A policy was created when you deployed the Firewall so there should be at least one policy there. Open that policy and let’s start with Application rules. In the Application rules you have to have at least one rule collection. A rule collection is a logical set of rules that allow or deny traffic. Select Add a rule collection. Give the collection a name, for example Windows365Applicationrules. For type use Application and give the collection a priority. The priority determines the order of the collection to be deployed. If you don’t know how many rule collections you are going to have pick a number witch gives you flexibility in deploying higher of low collections. So don’t start with 100 since that is the highest priority. For Rule collection group you can leave the DefaultApplicationRuleCollectionGroup for now. Next you can define the rules.

Enter the following rules. The source is my subnet range where I deployed my Windows 365 machines.

NameSource TypeSourceProtocolDestination TypeDestination
Login Microsoft OnlineIP Address10.2.2.0/24Https:443FQDNlogin.microsoftonline.com
AVDIP Address10.2.2.0/24Https:443FQDN*.wvd.microsoft.com
W365 MonitorIP Address10.2.2.0/24Https:443FQDN*.prod.warm.ingest.monitor.core.windows.net
catalogartifactIP Address10.2.2.0/24Https:443FQDNcatalogartifact.azureedge.net
W365 MonitoringIP Address10.2.2.0/24Https:443FQDNgcs.prod.monitoring.core.windows.net
W365 blob storageIP Address10.2.2.0/24Https:443FQDNmrsglobalsteus2prod.blob.core.windows.net
MicrosoftIP Address10.2.2.0/24http:80, Https:443FQDNwww.microsoft.com
Application rules
Application rules

Next go to Network rules. Here also select Add a rule collection. Give the collection a name, select for rule collection type Network. Give a priority and for Rule collection action select Allow. For rule collection rule group select DefaultNetworkRuleCollectionGroup. Enter the following rules:

NameSource typeSourceProtocolDestination PortsDestination TypeDestination
Azure ServicesIP Address10.2.2.0/24TCP80IP Address169.254.169.254, 168.63.129.16
AVD ServicesIP Address10.2.2.0/24TCP443Service tagsSelect WindowsVirtualDesktop, AzureFrontDoor.Frontend, AzureMonitor
DNSIP Address10.2.2.0/24TCP, UDP53IP Address*
azkms.core.windows.netIP Address10.2.2.0/24TCP1688IP Address20.118.99.224, 40.83.235.53
kms.core.windows.netIP Address10.2.2.0/24TCP1688IP Address23.102.135.246
 IP Address10.2.2.0/24TCP   
 IP Address10.2.2.0/24TCP   
Network rules
Network rules

After the policies are applied (and you have applied the route table) you should be able to sign in to your Windows 365 environment. However, browsing through the firewall logging ( you can enable this in the diagnostic settings of your firewall) I was still getting a lot of deny hits for Microsoft services. Even though I was able to connect to the Windows 365 machine, Windows 365 is depending on more services. For example it also communicates to Intune. So I have also added the following application rules:

NameSource TypeSourceProtocolDestination TypeDestination
servicebus.windows.netIP Address10.2.2.0/24Https:443FQDN*.servicebus.windows.net
self.events.data.microsoft.comIP Address10.2.2.0/24Https:443FQDNself.events.data.microsoft.com
.azure-devices.netIP Address10.2.2.0/24Https:443FQDN*.azure-devices.net
Application rules

The Firewall logging seemed a lot better after adding the extra rules. You now have configured the bare minimum for allowing the Windows 365 services to you hosts. But that doesn’t mean you are ready. Users are still not able to browse the internet of access any of the other Microsoft 365 services. So, you will need to configure additional rules. We did create a rule to browse to www.microsoft.com, but if you want to go to www.google.com your connection will be blocked. The next step would be op further configure the firewall rules depending on the needs of your organization.

I hope this blog was helpful, if you have any questions or some parts needs additional clarification please let me know in the comments.

Windows 365 Enterprise – Hybrid Join

Deploy Windows 365 Enterprise Hybrid with in depth info about hybrid joining devices

Blog series

In the previous article we deployed Windows 365 cloud pc Azure AD only. In this article we will deploy a cloud pc as Hybrid join. So what is hybrid join? Hybrid joining the machine joins the machine to both the Azure AD as well as the Active directory. When would you choose for a hybrid join set up? There are a couple of scenarios when you would want to choose for a hybrid set. For example you are still highly relying on configuring your devices with Group policies, or you have some legacy application that require machine authentication, or you want to use the hybrid join option in your Conditional access policies. All are valid reasons to use hybrid join. In my opinion Azure AD joining is preferable because it eliminates some moving parts in your configuration. These parts can break time to time so not having them will make your life easier.

When you hybrid join a machine the machine is first joined to the Active Directory and then synchronized to Azure AD. This is done via a certificate. AAD connect by default does not synchronize the certificates and therefor you need to adjust AAD connect for hybrid join.

Configure AAD Connect

So, the first step is to configure hybrid Join in AAD connect. Open AAD connect and select Configure device options. You will see an overview screen where you can select Next. Enter your Azure AD global administrator credentials. Select Configure Hybrid Azure AD Join and Next. Then you select Windows 10 or later domain-joined devices and select Next.  You now need to add the SCP configuration. This SCP contains information for the device about where to look for its information as it needs to be joined to Azure. Here you select your forest, authentication service which is most likely Azure Active Directory and select add to enter your enterprise admin credentials. When you hit next some final validations will be done and finally you can choose Configure. Later I will show how to validate the Hybrid Join and what process actually got into motion. Also, if you are planning to deploy the cloud pcs in a specific OU make use the OU is also in sync scope. The OU needs to syn the attributes to Azure AD.

Add the SCP configuration

Azure Network Connection

Now AAD connect is ready you can configure Windows 365 for hybrid join. In order to do so go to endpoint.microsoft.com and choose devices and Windows 365. There you select Azure network Connection.

On the tab select create and choose Hybrid Azure AD Join. Enter a name which tells you something about the connection, for example what the vnet is you are connecting to. Select the subscription that has the vnet and select the subnet you want your machines to join to. It’s important that your vnet is in the same region as where you want to deploy your cloud pcs as vnet are bound to a specific region. Select next and create the connection. Make sure your account has the appropriate permissions on the subscription (Owner) and within Endpoint manager.

Azure network connection

With Hybrid join you need to add additional domain information. Enter the AD DNS name, optional the OU where the devices should be joined into (make sure this OU is syncing to Azure AD), and credentials of a user which has sufficient rights to join multiple pcs.

Azure network connection, domain settings

Microsoft will start running some checks and if all went well, you will get a checks success status. Note that you can have both join types of Azure AD and Hybrid Join pointing to the same vnet and subnet.

Combine join types

Provisioning policies

The next step should be creating a Provisioning Policy. These policies determine how the Windows 365 pc should be created. From the Devices section select Provisioning policies and select create policy. Enter a name and description. For Join type make sure to select Hybrid Azure AD Join. So, choose for Azure network connection and select the hybrid network connection you just created in the previous step.

hybrid join provisioning policy

At the image tab pick a gallery image, or a custom image if you have one. Check this article if you’re interested in how to create a custom image. At the configuration tab select the language and region. This will automatically install the required language packs on the machine. For additional services you may choose Windows Autopatch. Windows Autopatch manages updates for you. It’s not really a Window 365 services but you can read more about it in this blog Blog | Get current and stay current with Windows Autopatch | Tech Community (microsoft.com)

Finally assign the policy to a group which contains your users. When you have finished creating the provisioning policy you are basically set. When a user has a valid license (a Windows 365 enterprise and a license containing Intune) and is a member of the group which is assign the provisioning policy the cloud pc will be created.

Now I assign the following licenses to my test user in order to start the provisioning of the device. My test user Mickey has 2 licenses: a Microsoft 365 E3 and the Windows 365 Enterprise 2 vCPU, 8 GB, 256 GB license.

Hybrid Join

So how is a device hybrid joined? This process is pretty interesting and does not only apply to Windows 365 but also to normally hybrid joining clients. Hybrid joining set a scheduled task in motion. You can find the scheduled task in \Microsoft\Windows\Workplace Join called Automatic-Device-Join, which is triggered from in this case an event Microsoft\Windows\User Device Registration\Admin.  The scheduled task calls upon dsregcmd.exe. One of the first steps in this process is for the computer to create a userCertificate.

User Certificate on computer object

This certificate is then uploaded to Azure AD. This is why you needed to reconfigure AAD connect for this process to work. Without the certificate the device won’t synchronize with AAD.

AAD Connect synced attributes

Sometimes the hybrid join process won’t kick off, you can manually start the process by running the scheduled task (\Microsoft\Windows\Workplace Join\ Automatic-Device-Join) or by running dsregcmd /join from PowerShell.

Also verify that the pc shows up as hybrid joined in the endpoint manager portal.

Hybrid Joined Cloud PC

Windows 365 Enterprise- Custom Images

Step by step creating and capturing a custom image for Windows 365 Enterprise

Blog series

Introduction

Windows 365 Enterprise has a great integration with Endpoint manager. So, your configurations and app deployment should primarily come from there in my opinion. But in some cases, not everything that you need to configure can be (easily) done with Endpoint manager. Sometimes you run into an installation or configuration that is just really hard to accomplish with just Endpoint Manger. An example could be installing language pack (although this process is now included in the provisioning policies). But I’m sure there are other examples out there. This leaves you no other choice than to create your own custom image and use that image to be deployed to your users. In this blog I will walk you through the steps into creating a custom Image.

Prepare your Master Image

First step is to create a new Virtual Machine in Azure. It’s important that for your image you search and select a Windows 10/11 Cloud pc. Other important steps are that you connect your VM to a network you to which you can connect, and you want to disable any boot diagnostics or monitoring options.

Install apps and configurations

Now please consider the following. When you run sysprep the machine won’t be able to start again. This means that if you want to save your master image to make some changes later on you will have to reinstall and configure all your settings again. In order to save your master image for future adjustments is best that you clone your master image VM and sysprep the clone. This way the original master image will be saved for future adjustments. If you want to save your master image vm for future use you can follow along, otherwise skip straight to the sysprep section.

Clone your VM

1 Shutdown your master image vm, until a deallocated state.
2 Create a snapshot of the disk
2a Go to your master image VM
2b Select Disks

Snapshot disk

2c Select the OS disk
2d Select Create Snapshot

Create snapshot of disk

2e Now most settings you can leave as default. I would set storage type to standard HHD

3 Create a new disk from the snapshot
3a Go to your newly created snapshot and select create disk

Create disk from snapshot

3b Here you can also leave all the defaults as is. Make sure that you select the same disk size as you original VM. By default, the size if 128 GB.

Create managed disk

4 Create a new VM from that new disk
4a Go to the newly created disk. From this disk you can now create a new Virtual Machine

Create vm from managed disk

4b Use the same settings as when you created the original Virtual Machine, the only difference should be the image, which should be your created disk.

Sysprepping and capturing your image

Now your master image VM is ready to sysprep. You have created a clone, or you used the original VM the next steps are to sysprep your machine and to create an image from that machine. So, connect to your VM. Navigate to C:\Windows\System32\Sysprep and start sysprep.exe. Use the following setting:

  • System Cleanup Action: Select Enter System Out-of-Box Experience (OOBE) to configure the behavior on startup
  • Select Generalize
  • Shutdown Options: Select Shutdown
Sysprep

After some time, the machine will disconnect. Wait until the machine is in a stopped state in the Azure Portal. When it’s in a stopped state you can select Capture.

On the create image screen it’s important to select No, capture only a managed image. Azure Compute Galleries are not supported. Give your image an easy to recognize name. Also, it’s easy to select Automatically delete this virtual machine after creating the image since the machine won’t be able to function after the sysprep and capture procedure.

Caputre image

When everything went successfully you end up with an image.
Its best to test the image by creating a new VM from this image and validate if the image works as expected.

New image

Add image to Windows 365

After you have validated the image you can add the image to Windows 365. Go to endpoint.microsoft.com and navigate Devices > Windows 365 > Custom images and select Add.

Give your image a name and a version, select the subscription where you saved your image and select the image you created.

Add image

The image will now be uploaded to the Windows 365 services. This process can take a while to complete. After the image has been successfully uploaded you can use the image in your provisioning policy. Instead of choosing a marketplace image your select custom image and you should be able to find your newly uploaded image.

Custom image in provisioning policy

This was the final post of the Windows 365 blog series. I hope the information was useful and you were able to follow the steps.

If you mis any information, please let me know and I will try to incorporate the information into the blog series.

Windows 365 Enterprise – AAD Join

Setting up Windows 365 AAD Join step by step

Windows 365 Enterprise – AAD Join

As we have seen in Getting Started with Windows 365 Business setting up Windows 365 Business is pretty straight forward. With Windows 365 Enterprise you will see you get a lot more options. This makes setting up Windows 365 Enterprise a bit more complicated, because you have more design decisions to make.

One of the decisions you will have to make is how to enroll your Windows 365 clients. You have 2 options. The first option is to hybrid join the devices (see https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join). This means that you join the device to the Azure AD and the Active Directory. This functionality is also possible with normal Windows 10/11 clients. Most often this solution is used in combination with Conditional Access policies, Group policy management or SSO with on premises application. Please note that SSO is also possible to on premises application without hybrid joining the devices. In my experience most applications will SSO without the need of hybrid joining the devices. Accessing file shares and for example shared printers will work fine if you Azure AD join the devices and only sync users between Active Directory and Azure AD with AAD connect without any fancy configurations. That said, it’s always worth testing because it limits the amount of configuration you have to do for SSO. Hybrid joining devices requires extra configuration within AAD connect and line of sight to a domain controller. Only AAD joining does not require any extra configuration besides a sync with AAD connect, which in most scenarios is already present. This means that AAD joining, and Windows 365 Enterprise only requires a network connection and your good to go. Pretty easy ????

So, to demonstrate this we will deploy a Windows 365 Enterprise Azure AD joined device, that will be able to access a file share.

A small overview of my setup in Azure. I have a simple vnet containing 2 VMs, 1 domain controller which is set up to sync identities with AAD connect and a file server. The new Windows 365 machines are being joined to the same network, but in the Windows 365 subnet. In a production environment you could see that the vnet is connect to on premises resources via a vpn or Express Route, or that there is a hub spoke design with multiple vnets.

Test environment setup

Azure Network Connection

The first step would be to connect the Windows 365 services to your vnet. In order to do so go to endpoint.microsoft.com and choose devices and Windows 365. There you select Azure network Connection.

Azure network connection

On the tab select create and choose Azure AD Join. Enter a name which tells you something about the connection, for example what the vnet is you are connecting to. Select the subscription that has the vnet and select the subnet you want your machines to join to. It’s important that your vnet is in the same region as where you want to deploy your cloud pcs as vnet are bound to a specific region.

Network details

Select next and create the connection. Make sure your account has the appropriate permissions on the subscription (Owner) and within Endpoint manager.
Microsoft will start running some checks and if all went well, you will get a checks success status.

Successful network configuration

Provisioning policies

The next step should be creating a Provisioning Policy. These policies determine how the Windows 365 pc should be created. From the Devices section select Provisioning policies and select create policy. Enter a name and description. For Join type make sure to select Azure AD Join. For network it’s important to not choose Microsoft hosted network, this way you won’t be able to integrate with your vnet and the setup is more like the Windows 365 business deployment. So, choose for Azure network connection and select the network connection you just created in the previous step.

Provisioning policy

At the image tab pick a gallery image, or a custom image if you have one. Check out this article if you’re interested in how to create a custom image. At the configuration tab select the language and region. This will automatically install the required language packs on the machine. For additional services you may choose Windows Autopatch. Windows Autopatch manages updates for you. It’s not really a Window 365 services but you can read more about it in this blog Blog | Get current and stay current with Windows Autopatch | Tech Community (microsoft.com)

Enroll device in autopatch

Finally assign the policy to a group which contains your users. When you have finished creating the provisioning policy you are basically set. When a user has a valid license (a Windows 365 enterprise and a lisence containing Intune) and is a member of the group which is assign the provisioning policy the cloud pc will be created.

Now I assign the following licenses to my test user in order to start the provisioning of the device. My test user Pluto  has 2 licences; a Microsoft 365 E3 and the Windows 365 Enterprise 2 vCPU, 8 GB, 256 GB license.

By assigning the license the provisioning starts. Let this process complete.

provisioning finished

Connect to fileserver

Now that the provisioning is ready let’s sign in. As mentioned in the beginning of this article SSO to most of your on-premises resources will work without any extra configuration. So, in my case I have a file server (cluster) which I can connect to via \\filecl02.wvd.local\Bestanden even though I sign into the Windows 365 cloud pc with my Azure AD credentials, pretty cool.

Connect to file server

As you can see my cloud pc is only Azure AD joined and not domain joined, but still able to access on-premises resources based on my Active directory permissions.

AAD Join only

That sums up this part of the series, please continue reading at the next article, where we Hybrid Join the Windows 365 Enterprise cloud pc.