When implementing Windows 365 for other companies, I’m often asked, “What if they don’t use the Cloud PC?” This question usually comes up when the Cloud PC is not the end user’s only endpoint, for example in Bring Your Own Device (BYOD) scenarios. Here users often prefer to use a Cloud PC to work from home on their personal devices. If users are required to complete their work exclusively from their Cloud PC, however, this situation is less likely to occur.
Optimise licenses
License optimisation is very important to companies, because unused licenses can carry a huge cost. For traditional licenses, one thing to do is to check whether certain features go unused, so that a certain set of work profiles can be switched to cheaper licenses. For Windows 365 this is not entirely true. While you can measure whether the assigned license provides a Cloud PC that is powerful enough, these reports are of little benefit if the Cloud PC is not being used at all.
The best thing to do if the Cloud PC is not being used for a long period of time is to remove the license. Windows 365 provides metrics that show how much a Cloud PC is being used, and I used those metrics to write a script that automates the revocation process. If a user requires access to a Cloud PC again later, they can simply request a new Cloud PC at their company.
This will allow you to grant access to a Cloud PC to more users without having to buy new licenses straight away.
The script!
The script that I wrote looks at the currently provisioned Cloud PCs and removes the user from the license group if they haven’t used the Cloud PC for a specified amount of time. By default it’s set to 30 days before a license is removed; this value can be changed with the “daysSinceLastConnection” parameter.
As this is v1 of my script, make sure to run it in simulation mode (the default run mode) for a couple of days first. Once you are sure that the script is running correctly, you can put it into production.
Keep in mind that a Cloud PC is not removed immediately when the license is removed. It enters a grace period of 7 days. For obvious reasons this script will not end the grace period of the Cloud PC.
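The selection and simulation logic described above, as an added example that is not the author's script. The function names, the record fields, the placeholder ids and the rule that a never-connected Cloud PC is measured from its provisioning date are assumptions, and the inventory is constructed sample data.

```powershell
# Added example: constructed inventory; field names are assumptions, not Graph's schema.
function Get-StaleCloudPc {
    param([object[]]$CloudPc, [int]$daysSinceLastConnection = 30, [datetime]$Now = (Get-Date))
    $cutoff = $Now.AddDays(-$daysSinceLastConnection)
    foreach ($pc in $CloudPc) {
        # Already in the 7-day grace period: the license is gone, nothing left to revoke.
        if ($pc.status -eq 'inGracePeriod') { continue }
        # Assumption: a Cloud PC that was never connected to is measured from its
        # provisioning date, so a freshly provisioned machine is not revoked at once.
        [datetime]$reference = if ($pc.lastConnection) { $pc.lastConnection } else { $pc.provisionedOn }
        if ($reference -lt $cutoff) {
            [pscustomobject]@{
                user           = $pc.user
                userId         = $pc.userId
                idleDays       = [int][math]::Floor(($Now - $reference).TotalDays)
                neverConnected = -not $pc.lastConnection
            }
        }
    }
}

function Invoke-LicenseRevocation {
    param([object[]]$Stale, [string]$GroupId, [bool]$simulationMode = $true, [string]$Token)
    foreach ($s in $Stale) {
        # Microsoft Graph request that removes one member from a group.
        $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/members/$($s.userId)/`$ref"
        if ($simulationMode) {
            "SIMULATION: would remove $($s.user) (idle $($s.idleDays) days): DELETE $uri"
        } else {
            Invoke-RestMethod -Method Delete -Uri $uri -Headers @{ Authorization = "Bearer $Token" } | Out-Null
            "REMOVED: $($s.user) (idle $($s.idleDays) days)"
        }
    }
}

# Constructed sample data, evaluated against a fixed date so the result is repeatable.
$inventory = @'
user,userId,status,provisionedOn,lastConnection
alice@contoso.example,<alice-id>,provisioned,2024-01-10,2024-06-25
bob@contoso.example,<bob-id>,provisioned,2024-01-10,2024-04-02
carol@contoso.example,<carol-id>,provisioned,2024-06-20,
dave@contoso.example,<dave-id>,provisioned,2024-02-01,
erin@contoso.example,<erin-id>,inGracePeriod,2024-01-10,2024-03-01
'@ | ConvertFrom-Csv

$stale = Get-StaleCloudPc -CloudPc $inventory -Now ([datetime]'2024-06-30')
Invoke-LicenseRevocation -Stale $stale -GroupId '<license-group-id>'   # simulation by default
```

With the sample data only bob and dave are reported: alice connected recently, carol was provisioned inside the window, and erin is already in the grace period.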
If you have any concerns, troubles or need additional functionality, just ask in the comments below.
How to use it
The script requires an app registration in Entra ID with the following (Admin Consented) Application permissions to fetch data using Microsoft Graph:
- DeviceManagementManagedDevices.Read.All
- GroupMember.ReadWrite.All
- CloudPC.Read.All
It also requires permissions in Entra ID:
- Create a custom role: “microsoft.directory/groups/members/read”
- OR use the built-in role: `Directory Readers`
As the functions are written entirely without using any other cmdlets, you only need PowerShell and no additional modules. I only used this script in PowerShell 7.
Run in simulation mode with default parameters
.\Windows365-RevokeUnusedLicense.ps1 -app_id "<app_id>" -app_secret "<app_secret>" -tenantId "<tenantId>"
Run in simulation mode with a different number of days since last connection
.\Windows365-RevokeUnusedLicense.ps1 -app_id "<app_id>" -app_secret "<app_secret>" -tenantId "<tenantId>" -daysSinceLastConnection 60
Run the script to actually remove the users from the group
.\Windows365-RevokeUnusedLicense.ps1 -app_id "<app_id>" -app_secret "<app_secret>" -tenantId "<tenantId>" -simulationMode $false
Run the script to actually remove the users from the group with a different number of days since last connection
.\Windows365-RevokeUnusedLicense.ps1 -app_id "<app_id>" -app_secret "<app_secret>" -tenantId "<tenantId>" -simulationMode $false -daysSinceLastConnection 60
Download
The script is available on my GitHub page under the Apache 2.0 License.



