While Windows 365 (Enterprise and Frontline) provides built-in restore points, it’s essential to periodically evaluate your disaster recovery and business continuity strategy. Windows 365 ensures disaster recovery and business continuity by allowing you to access your Cloud PC from any device. If your physical endpoint is stolen, you can simply get a new laptop and access Windows 365 without any risk of losing files, as no data is stored locally.

Additionally, using Intune and Azure, Windows 365 enables you to copy restore points to your own subscription. Once you have these restore points, you can back them up to any location you prefer.

Point-in-time restore for Windows 365

Restore points are enabled by default, but you have the flexibility to adjust their frequency. Additionally, you can decide whether end users should have the ability to independently restore a Cloud PC to a previous state.

There are three types of restore points:

  • Short-term restore points
  • Long-term restore points
  • On-demand manual restore points

Short-term restore points

You can opt to set short-term restore points at intervals of 4, 6, 12, 16, or 24 hours. Each user within the assigned groups will have a maximum of 10 short-term restore points saved for their Cloud PC according to the intervals you define in the user settings. For instance, if you select four-hour intervals, each assigned Cloud PC will have 10 restore points distributed every four hours over the past 40 hours.

Let’s get started! Navigate to the Windows 365 blade within Intune and create a new User settings policy.

In this policy, you can define how often a restore point should be created. The default value is every 12 hours.

Select your desired settings, ensuring that a user settings policy has no overlapping assignments. If there is any overlap, the policy created first will be applied. To work around this limitation, I recommend creating different levels. Level 1 allows users to set the restore point frequency to 4 hours. Level 2 adds the ability to restore and reset their Cloud PC. Level 3 combines all the options from Levels 1 and 2, and adds Local Admin rights.

Long-term restore points

Besides the short-term restore points that you can configure manually, Windows 365 offers four long-term restore points, enabled by default. These are saved every seven days and are not configurable.

Manual restore points

In addition to the short-term and long-term options, you can manually trigger a restore point. This action can be initiated using the bulk device actions feature within Intune.

Creating a manual restore point will replace any previously created manual restore point. This process can take up to one hour to complete. Each Cloud PC can have only one manual restore point at a time, and it expires after 28 days.

Copy the restore point

Using the bulk device actions menu in Intune, you also have the option to share your restore point to an Azure Storage Account. It’s important to note that this action is currently only supported with a Secure Azure Storage Account.

Retaining a copy of a Cloud PC can be useful in some scenarios. The first ones that come to mind are:

  • Generate a VHD that can be mounted on a physical device
  • Copy a Cloud PC during the off-boarding process
  • Obtain a historical snapshot of a Cloud PC for eDiscovery
  • Create a geographically distributed backup of a Cloud PC

To get started, navigate to the Intune devices blade and open the same bulk device actions menu as described earlier:

In the next step, you simply select the restore point you need. You can choose the one before the specified date, the one after the specified date, or, if the exact timing doesn’t matter, select the third option to use the restore point closest to the provided date and time.

As a last step, select the storage account and provide all the Cloud PCs for which you want to copy the restore point.

Troubleshooting

If your storage account is not visible, make sure that the following requirements are met:

  • Type: Premium, Page Blobs
  • Configuration: Secure transfer required – Enabled
  • Region: No region restrictions, but the closer you can deploy the storage account to the Cloud PC, the faster the process will run.
  • Security: TLS 1.2
  • Networking: Enable public access from all networks
  • Access Control on the storage account:
    • Windows 365 spn: Storage Account Contributor
    • Windows 365 spn: Storage Blob Data Contributor

If these requirements are not met, you won’t be able to select the storage account in the dropdown menu.
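To check these requirements before opening the portal, the list above can be turned into a small preflight script. This is an added example, not part of the original post: it assumes you feed it the JSON from `az storage account show` and `az role assignment list --scope <storage account id>`, the Windows 365 service principal object ID is a placeholder, and the account-kind test is an assumption about how a premium page blob account is reported.

```python
# Roles the post says the Windows 365 service principal needs on the account.
REQUIRED_ROLES = ("Storage Account Contributor", "Storage Blob Data Contributor")

def check_storage_account(account, role_assignments, w365_principal_id):
    """Return the unmet requirements; an empty list means every check passed."""
    problems = []
    sku_name = (account.get("sku") or {}).get("name", "")
    # Assumption: premium block-blob and file-share accounts report these kinds
    # and cannot hold page blobs, so they are rejected here.
    if not sku_name.startswith("Premium") or account.get("kind") in (
            "BlockBlobStorage", "FileStorage"):
        problems.append("Type: must be Premium, Page Blobs")
    if not account.get("enableHttpsTrafficOnly"):
        problems.append("Configuration: secure transfer required is not enabled")
    if account.get("minimumTlsVersion") != "TLS1_2":
        problems.append("Security: minimum TLS version is not TLS 1.2")
    rules = account.get("networkRuleSet") or {}
    if (account.get("publicNetworkAccess") == "Disabled"
            or rules.get("defaultAction") != "Allow"):
        problems.append("Networking: public access from all networks is not enabled")
    # Only assignments made to the Windows 365 principal itself count.
    granted = {r.get("roleDefinitionName") for r in role_assignments
               if r.get("principalId") == w365_principal_id}
    for role in REQUIRED_ROLES:
        if role not in granted:
            problems.append(f"Access control: Windows 365 spn lacks {role}")
    return problems

# Constructed sample data (not real tenant output).
SAMPLE_SPN = "00000000-0000-0000-0000-000000000001"  # placeholder object ID
GOOD_ACCOUNT = {
    "kind": "StorageV2", "sku": {"name": "Premium_LRS"},
    "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow"},
}
BAD_ACCOUNT = dict(GOOD_ACCOUNT, sku={"name": "Standard_LRS"},
                   minimumTlsVersion="TLS1_0",
                   networkRuleSet={"defaultAction": "Deny"})
GOOD_ROLES = [{"principalId": SAMPLE_SPN, "roleDefinitionName": r}
              for r in REQUIRED_ROLES]

if __name__ == "__main__":
    for name, acct, roles in (("good", GOOD_ACCOUNT, GOOD_ROLES),
                              ("bad", BAD_ACCOUNT, GOOD_ROLES[:1])):
        print(name, check_storage_account(acct, roles, SAMPLE_SPN) or "OK")
```
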

Let’s summarize

Windows 365 offers several options to back up your Cloud PC, including short-term, long-term, and manual restore points. You can adjust the frequency of short-term restore points and trigger manual restore points as needed. Additionally, you can copy restore points to your own Azure subscription for added flexibility and control. By periodically evaluating your disaster recovery and business continuity strategy, you can ensure that your data is protected and accessible in the event of a disaster.

4 responses to “Windows 365 : Secure your automatic restore points”

  1. […] step to include in your offboarding or data retention procedures. I covered this process in one of my previous blogposts if you want to read more about […]

  2. […] Minimum 4 hours, based on the frequency of the Point In Time restore points configuration. […]

  3. […] If you are looking for an easy test environment for all those Intune policies, you could leverage the power of Windows 365 as well. With its ability to easily reset the Cloud PC, or use its built-in restore points to quickly move back and forth between various testing scenarios. All without impacting your own production machine. You can read more on this in one of my previous posts. […]

  4. […] DR settings are located within the user-settings is because it’s tied to the frequency of the point-in-time restore points. The Recovery Point Objective (RPO) is the same as the configuration you made in there. Recovery […]
