Windows 365 Boot & Reserve: Complete Intune Setup Guide
Windows 365 Boot and Reserve: Complete Intune Guide
What is Windows 365 Boot?
Windows 365 Boot allows users to sign in to a physical Windows 11 device and immediately connect to their Cloud PC without ever interacting with the local operating system . This creates a seamless “thin client” experience where the physical device acts purely as a gateway to the user’s Cloud PC.
Key Scenarios:
- Shared workstations (hot desks, libraries, labs)
- Frontline worker stations
- Secure environments where local data storage is prohibited
- Remote work with consistent desktop experience
Windows 365 Boot Modes
| Mode | Use Case | Authentication Support |
|---|---|---|
| Shared PC Mode | Multiple users share one physical device | Username/password, FIDO key |
| Dedicated Mode | Single user assigned to specific device | Username/password, Windows Hello for Business, FIDO key |
Important: Windows Hello for Business (biometric/PIN) is only supported in Dedicated mode, not Shared mode .
Windows 365 Reserve: Provision on Demand
Windows 365 Reserve is Microsoft’s solution for provisioning Cloud PCs ahead of time and activating them when needed . This ensures:
- Immediate availability: No wait time when users need their Cloud PC
- Cost control: Reserve capacity without paying for active usage until provisioned
- Disaster recovery: Pre-provisioned standby Cloud PCs for business continuity
Implementation: Windows 365 Boot with Intune
Prerequisites
| Requirement | Details |
|---|---|
| Physical devices | Windows 11 Pro/Enterprise, version 22621.3374 or later |
| Cloud PCs | Windows 11 Enterprise or Professional |
| Intune role | Intune Service Administrator |
| Licensing | Windows 365 Cloud PC license |
| Enrollment | Windows Autopilot |
Step-by-Step: Guided Scenario Deployment
Microsoft provides a guided scenario in Intune that automates most configuration :
Path: Devices > Windows 365 > Windows 365 Boot (under Windows 365 Guides)
Step 1: Basics Configuration
| Setting | Options | Recommendation |
|---|---|---|
| Device name template | %SERIAL%, %RAND:7%, custom |
Use %SERIAL% for asset tracking |
| Resource prefix | Text prefix for all created resources | Descriptive name (e.g., “W365-Boot-Shared”) |
| Boot device mode | Shared PC or Dedicated | Match your use case |
Resources created automatically :
- Autopilot deployment profile
- Azure Virtual Desktop (HostApp) configuration
- Windows 365 app configuration
- Device configuration policies
- Microsoft Entra group
Step 2: Endpoint Updates
Configure Windows Update settings for the physical device (not the Cloud PC):
| Setting | Purpose |
|---|---|
| Update deferral | Delay feature updates for stability |
| Active hours | Prevent reboots during work hours |
| Update deadline | Force installation after X days |
| User experience | Configure restart notifications |
Note: Cloud PCs have separate update settings, potentially managed by Windows Autopatch .
Step 3: Settings Configuration
| Setting | Description |
|---|---|
| Language/Region | Default for physical device |
| Company name | Displays on login screen |
| Logo | Company branding (URL to image) |
| Lock screen image | Custom background |
| VPN profile | Optional pre-login VPN |
| Wi-Fi profile | Optional pre-configured wireless |
Step 4: Group Assignment
Assign to a Microsoft Entra group containing your Windows 365 Boot physical devices.
Critical Post-Deployment Step: Switch to Self-Deploying Mode
The guided scenario creates a User-Driven Autopilot profile by default. For shared/kiosk scenarios, you should switch to Self-Deploying mode :
Why?
- No user credentials required for enrollment
- No primary user assigned to device
- True “zero-touch” experience
How to switch:
- Intune admin center >
Devices>Enrollment>Windows Autopilot>Deployment Profiles - Note the name of the User-Driven profile created by the guided scenario
- Remove assignment from that profile (or delete it)
- Create new profile:
- Platform: Windows PC
- Deployment mode: Self-Deploying
- Device name template: Copy from original profile
- Assign to the same Entra group
Windows 365 Reserve: Configuration
Creating Reserve Provisioning Policies
Path: Devices > Windows 365 > Provisioning policies > Create policy
| Configuration | Options |
|---|---|
| License type | Windows 365 Enterprise / Business |
| Join type | Microsoft Entra Join or Hybrid Join |
| Network | Microsoft-hosted or Azure Network Connection |
| Image | Gallery image (blank or with M365 Apps) or Custom image |
| Device name template | %Username%, %RAND:5% (minimum 5 random chars) |
User Settings Policy
Required for all Windows 365 users :
Path: Devices > Windows 365 > User settings policies > Create policy
| Setting | Purpose |
|---|---|
| Local admin rights | Allow/deny users admin on their Cloud PC |
| User account type | Standard or Administrator |
| Point-in-time restore | Allow users to self-restore to previous state |
Shared PC Mode: Deep Dive
When deploying Windows 365 Boot in Shared PC mode, the physical device is optimized for multiple users with automatic cleanup :
Automatic Account Management
| Policy | Behavior |
|---|---|
| Account deletion | Automatically remove cached accounts |
| Storage threshold | Delete when disk space below X% |
| Inactive threshold | Delete accounts inactive for X days |
| Immediate logout | Delete account right after sign-out |
Power Settings (Automatically Configured)
Shared PC mode sets specific power policies :
- Sleep on lid close/power button
- No hibernation
- Automatic maintenance at midnight
Security: Restricting Physical Device Access
By default, Windows 365 Boot doesn’t fully lock down the physical device. You should configure additional policies to prevent local OS access :
Recommended Restrictions
| Policy | Effect |
|---|---|
| Hide local admin account | Prevents local account sign-in |
| Disable Task Manager | Prevents process manipulation |
| Restrict Control Panel | Limits system settings access |
| Block removable storage | Prevents data exfiltration |
| Disable CMD/PowerShell | Prevents script execution |
Reference: Restrict user access to Windows 365 Boot physical device – Microsoft Learn
Troubleshooting
Common Issues
| Symptom | Cause | Solution |
|---|---|---|
| Login screen doesn’t show Cloud PC branding | Windows apps not installed | Verify Azure Virtual Desktop app version โฅ 1.2.4159 |
| Can’t connect to Cloud PC | Network issue | Check Wi-Fi/VPN profile configuration |
| Enrollment fails | Autopilot profile conflict | Ensure only one Autopilot profile assigned |
| User gets “No Cloud PC assigned” | License/provisioning issue | Verify Windows 365 license and provisioning policy |
Log Locations
If issues persist, collect logs from :
C:\Users\{username}\AppData\Local\Temp\DiagOutputDir\Windows365\LogsC:\Users\{username}\AppData\Local\Temp\DiagOutputDir\RdClientAutoTrace
Comparison: Windows 365 Boot vs. Traditional Scenarios
| Aspect | Traditional PC | Windows 365 Boot |
|---|---|---|
| Data storage | Local disk | Cloud PC only |
| Device replacement | Reimage, migrate data | Swap physical device, same Cloud PC |
| Security | Endpoint protection, BitLocker | Minimal local attack surface |
| Management | Full Intune MDM | Minimal physical device policies |
| User experience | Local Windows | Cloud PC desktop |
| Offline work | Possible | Requires internet |
Summary
Windows 365 Boot transforms physical devices into Cloud PC gateways, ideal for shared environments. Windows 365 Reserve ensures Cloud PCs are ready when needed. Together with Intune’s guided scenarios and Self-Deploying Autopilot, organizations can deploy secure, scalable, zero-touch solutions for modern workspaces.
Key Takeaway: The combination of Windows 365 Boot (seamless access) and Reserve (proactive provisioning) enables true “work from anywhere” scenarios with minimal IT overhead and maximum security.
Windows 365 Boot & Reserve: 30 Exam Practice Questions
Section 1: Windows 365 Boot Fundamentals (10 Questions)
Multiple Choice
1. A company wants to deploy Windows 365 Boot for frontline workers who share devices across shifts. Which mode should they configure?
- A) Dedicated mode with Windows Hello for Business
- B) Shared PC mode with username/password authentication
- C) Kiosk mode with automatic sign-in
- D) Hybrid mode with on-premises AD authentication
Answer: B – Shared PC mode is designed for multiple users sharing devices. Windows Hello for Business is not supported in Shared mode .
2. Which authentication method is NOT supported in Windows 365 Boot Shared PC mode?
- A) Username and password
- B) FIDO2 security keys
- C) Windows Hello for Business (biometric/PIN)
- D) Microsoft Authenticator push notifications
Answer: C – Windows Hello for Business is only supported in Dedicated mode, not Shared mode .
3. What is the minimum Windows 11 version required for Windows 365 Boot physical devices?
- A) Windows 11, version 21H2
- B) Windows 11, version 22H2 (22621.3374)
- C) Windows 11, version 23H2
- D) Windows 11, version 24H2
Answer: B – Windows 11, version 22H2 build 22621.3374 or later is required .
4. When using the Intune guided scenario for Windows 365 Boot, what Autopilot deployment mode is created by default?
- A) Self-Deploying
- B) User-Driven
- C) White Glove
- D) Co-management
Answer: B – The guided scenario creates a User-Driven profile by default, which should be switched to Self-Deploying for shared scenarios .
5. Which Intune role is required to deploy Windows 365 Boot using the guided scenario?
- A) Global Administrator
- B) Intune Service Administrator
- C) Cloud Device Administrator
- D) Windows 365 Administrator
Answer: B – Intune Service Administrator role is specifically required .
Scenario-Based
6. Scenario: A hospital deploys Windows 365 Boot in Shared PC mode for nurses’ stations. After initial deployment, administrators notice users can still access local Control Panel and Task Manager on the physical device.
Question: Which policy category should they configure to lock down the physical device?
- A) Endpoint Privilege Management elevation rules
- B) Windows 365 Boot physical device access restrictions
- C) AppLocker application control policies
- D) Azure AD Conditional Access session controls
Answer: B – Microsoft provides specific guidance for restricting user access to Windows 365 Boot physical devices, including hiding local admin accounts and disabling Task Manager .
7. Scenario: An organization deploys Windows 365 Boot with the guided scenario but wants to ensure no user credentials are required for device enrollment, and no primary user is assigned to devices.
Question: What post-deployment configuration change is required?
- A) Enable Windows Hello for Business
- B) Switch Autopilot profile from User-Driven to Self-Deploying
- C) Configure automatic enrollment via Group Policy
- D) Deploy a provisioning package with WICD
Answer: B – The guided scenario creates a User-Driven profile; switching to Self-Deploying mode removes credential requirements and primary user assignment .
True/False
8. Windows 365 Boot supports both Windows 10 and Windows 11 physical devices.
Answer: False – Only Windows 11 Pro/Enterprise is supported for Windows 365 Boot physical devices .
9. In Windows 365 Boot Shared PC mode, user accounts are automatically deleted immediately after sign-out by default.
Answer: False – Account deletion timing is configurable (immediately, at disk space threshold, or after inactivity period), but not enabled by default immediately .
10. The Azure Virtual Desktop app must be installed on physical devices for Windows 365 Boot to function.
Answer: True – The Azure Virtual Desktop (HostApp) is required for the connection to Cloud PC .
Section 2: Windows 365 Reserve & Provisioning (8 Questions)
Multiple Choice
11. What is the primary purpose of Windows 365 Reserve?
- A) Reduce Cloud PC licensing costs
- B) Provision Cloud PCs ahead of time for immediate availability
- C) Create backup copies of existing Cloud PCs
- D) Reserve physical hardware for Windows 365 Boot devices
Answer: B – Reserve allows provisioning Cloud PCs in advance so they’re ready when users need them .
12. Which Windows 365 feature ensures Cloud PCs are available immediately when a user needs them, without waiting for provisioning?
- A) Windows 365 Frontline
- B) Windows 365 Reserve
- C) Windows 365 Boot
- D) Windows 365 Switch
Answer: B – Reserve provisions Cloud PCs ahead of time .
13. When creating a Windows 365 provisioning policy, what is the minimum number of random characters required in the device name template?
- A) 3 characters
- B) 5 characters
- C) 7 characters
- D) 10 characters
Answer: B – The device name template must include at least 5 random characters (e.g., %RAND:5%) .
14. A company wants to allow users to restore their Cloud PC to a previous state without calling IT. Which policy should they configure?
- A) Windows 365 Restore Points
- B) Point-in-time restore in User Settings
- C) Azure Backup for Cloud PCs
- D) Windows 365 Disaster Recovery
Answer: B – User Settings policies include point-in-time restore capability .
Scenario-Based
15. Scenario: An organization has 500 frontline workers who need Cloud PCs only during business hours (8 AM – 6 PM). They want to minimize costs while ensuring immediate availability during work hours.
Question: Which combination of features should they implement?
- A) Windows 365 Enterprise with always-on provisioning
- B) Windows 365 Frontline with Reserve provisioning during business hours
- C) Windows 365 Business with shared user licenses
- D) Windows 365 Boot with dedicated mode
Answer: B – Windows 365 Frontline is designed for shift workers, and Reserve ensures availability during scheduled hours .
16. Scenario: A user’s Cloud PC becomes unresponsive during a critical presentation. They need to quickly access a working desktop with the same applications and data.
Question: What feature allows IT to provide immediate access to a replacement Cloud PC?
- A) Windows 365 Boot
- B) Windows 365 Reserve standby provisioning
- C) Windows 365 Switch
- D) Cloud PC rebuild
Answer: B – Reserve can maintain standby Cloud PCs for disaster recovery scenarios .
Fill in the Blanks
17. The three main join types for Windows 365 Cloud PCs are: Microsoft Entra Join, , and .
Answer: Hybrid Join (Microsoft Entra hybrid joined), Microsoft Entra registration (for BYOD scenarios – though less common for Cloud PCs)
18. To configure Windows 365 user settings such as local admin rights and point-in-time restore, you create a _ policy in the Intune admin center.
Answer: User settings policy
Section 3: Intune Deployment & Configuration (7 Questions)
Multiple Choice
19. Where in the Intune admin center do you access the Windows 365 Boot guided scenario?
- A) Devices > Windows > Windows 365
- B) Devices > Windows 365 > Windows 365 Boot
- C) Endpoint security > Windows 365
- D) Tenant administration > Windows 365
Answer: B – Devices > Windows 365 > Windows 365 Boot under Windows 365 Guides .
20. When configuring Windows 365 Boot endpoint updates, which component are you configuring updates for?
- A) The Cloud PC only
- B) The physical device only
- C) Both Cloud PC and physical device
- D) Neither – updates are managed by Microsoft
Answer: B – Endpoint updates in the Boot guided scenario configure Windows Update for the physical device .
21. Which of the following is NOT automatically created by the Windows 365 Boot guided scenario?
- A) Autopilot deployment profile
- B) Azure Virtual Desktop configuration
- C) Conditional Access policy requiring compliant device
- D) Windows 365 app configuration
Answer: C – Conditional Access policies must be configured separately; the guided scenario does not create them .
Ordering/Sequencing
22. Place the following Windows 365 Boot deployment steps in the correct order:
- Configure settings (language, company name, logo)
- Switch Autopilot profile to Self-Deploying mode
- Run the Windows 365 Boot guided scenario
- Assign to Entra group and deploy
- Configure endpoint updates
Correct Order: 3 โ 5 โ 1 โ 4 โ 2
The guided scenario runs first (creating User-Driven profile), then you configure updates, settings, assign to group, deploy, and finally switch to Self-Deploying .
Matching
23. Match the Windows 365 feature to its primary use case:
| Feature | Use Case |
|---|---|
| A. Windows 365 Boot | 1. Provision Cloud PCs ahead of time for immediate use |
| B. Windows 365 Reserve | 2. Connect physical device directly to Cloud PC at sign-in |
| C. Windows 365 Frontline | 3. Share Cloud PC licenses across shift workers |
| D. Windows 365 Switch | 4. Switch between local and Cloud PC desktop |
Answers: A-2, B-1, C-3, D-4
Section 4: Troubleshooting & Best Practices (5 Questions)
Scenario-Based
24. Scenario: Users report that after signing in to Windows 365 Boot devices, they see the Windows desktop but no Cloud PC connection. The Azure Virtual Desktop app is installed.
Question: What is the most likely cause?
- A) Incorrect Windows 365 license assignment
- B) Outdated Azure Virtual Desktop app version
- C) Missing Conditional Access policy
- D) Incorrect DNS configuration
Answer: B – The Azure Virtual Desktop app must be version 1.2.4159 or later for Windows 365 Boot to function properly .
25. Scenario: After deploying Windows 365 Boot, devices show “Enrollment status: Failed” in Intune. The guided scenario was used with default settings.
Question: What should you check first?
- A) Verify Windows 11 version meets minimum requirements
- B) Confirm Autopilot profile is assigned to correct group
- C) Check that user has Windows 365 license
- D) Validate Azure AD P2 license
Answer: B – The guided scenario creates a User-Driven profile that must be assigned to the correct Entra group containing the devices .
Multiple Select
26. Which of the following are automatically configured when enabling Shared PC mode for Windows 365 Boot? (Select all that apply)
- A) Automatic account deletion after sign-out
- B) Power settings optimized for shared use
- C) Windows Hello for Business enabled
- D) Maintenance window at midnight
- E) BitLocker encryption
Answers: A, B, D – Shared PC mode configures automatic account management, power settings, and maintenance windows. Windows Hello is not supported in Shared mode, and BitLocker is separate .
True/False
27. Windows 365 Boot devices can be enrolled using both Windows Autopilot and manual MDM enrollment.
Answer: False – Windows 365 Boot specifically requires Windows Autopilot enrollment; manual MDM enrollment is not supported for this scenario .
28. If a Windows 365 Boot physical device is restarted during the initial enrollment process, the device may appear enrolled but not receive policies correctly.
Answer: True – Users should not restart devices during enrollment as this can cause incomplete provisioning .
Section 5: Architecture & Design (5 Questions)
Scenario-Based Design
29. Design Scenario: A manufacturing company needs to deploy Windows 365 for three use cases:
- Assembly line workers: Share 10 devices across 30 workers (3 shifts)
- Floor managers: Dedicated devices with biometric sign-in
- Office staff: Traditional laptops with occasional Cloud PC access
Question: Which Windows 365 configurations should be used for each group?
| Group | Configuration |
|---|---|
| Assembly line workers | Windows 365 Boot Shared PC mode with Self-Deploying Autopilot |
| Floor managers | Windows 365 Boot Dedicated mode with Windows Hello for Business |
| Office staff | Standard Windows 365 Cloud PC (non-Boot) with Microsoft 365 apps |
Justification:
- Shared PC mode for shift workers with device sharing
- Dedicated mode supports Windows Hello for Business
- Office staff don’t need Boot functionality; standard Cloud PC is sufficient
30. Cost Optimization Scenario: A retail chain has 1,000 seasonal employees who work 4-hour shifts during holiday season. They need Cloud PC access during shifts but not year-round.
Question: What is the most cost-effective licensing and configuration approach?
- A) Windows 365 Enterprise licenses for all users, year-round
- B) Windows 365 Frontline licenses with Reserve provisioning during shift hours
- C) Windows 365 Business licenses with monthly cancellation
- D) Azure Virtual Desktop personal desktops with auto-shutdown
Answer: B – Windows 365 Frontline is designed for shift workers and allows license sharing. Reserve provisioning ensures availability during scheduled hours without paying for 24/7 usage .
Answer Key Summary
| Section | Questions | Key Topics |
|---|---|---|
| Boot Fundamentals | 1-10 | Modes, authentication, prerequisites, Autopilot |
| Reserve & Provisioning | 11-18 | Reserve purpose, naming, user settings |
| Intune Deployment | 19-23 | Guided scenario, configuration locations |
| Troubleshooting | 24-28 | Common issues, app versions, enrollment |
| Architecture | 29-30 | Design scenarios, cost optimization |
Scoring Guide:
- 90-100% (27-30 correct): Expert – Ready for Windows 365 advanced deployment scenarios
- 75-89% (23-26 correct): Proficient – Solid understanding, review Shared vs Dedicated mode differences
- 60-74% (18-22 correct): Developing – Review guided scenario steps and Autopilot requirements
- Below 60% (<18 correct): Beginner – Complete hands-on lab with Windows 365 Boot before retrying
