Windows 365 Cloud PC: Provisioning, Performance, and Troubleshooting
Why This Is Happening
Here's a scenario I've seen play out more times than I can count: an IT admin purchases Windows 365 Cloud PC licenses, assigns them in the Microsoft 365 admin center, and then waits. And waits. The provisioning spinner just keeps spinning. Or worse , the user opens their browser, navigates to windows365.microsoft.com, and gets greeted by a blank screen or an unhelpful error message that tells them absolutely nothing actionable.
I know this is frustrating , especially when it blocks your workforce from getting any actual work done. Windows 365 Cloud PC is a cloud-based SaaS product that creates a new type of Windows virtual machine hosted entirely by Microsoft. That's powerful, but it also means the failure points are distributed across licensing, network configuration, identity management, and Microsoft's own provisioning pipeline, and the error messages rarely tell you which layer broke.
Windows 365 Cloud PC provisioning failures almost always trace back to one of four root causes:
- License assignment timing: The license propagation from Microsoft 365 admin center to Intune and Entra ID can take anywhere from a few minutes to over an hour. Most people give up too soon or, more commonly, made an assignment error they haven't spotted yet.
- Network or Azure Virtual Network (vNet) misconfiguration: Enterprise deployments using Azure Network Connections (ANCs) are especially prone to this. A single misconfigured subnet or DNS setting will fail the pre-provisioning health check silently.
- Intune enrollment policy gaps: Windows 365 Enterprise requires full Microsoft Intune integration. If your Intune tenant isn't configured to auto-enroll devices, provisioning will stall without a clear error.
- Edition mismatch: Windows 365 Business and Windows 365 Enterprise have fundamentally different provisioning paths. Business is designed for organizations with up to 300 seats and has simplified management. Enterprise supports unlimited seats and requires Intune. Mixing up admin steps between these two editions is a very common source of confusion.
The other thing that trips people up is understanding what a Cloud PC actually is. It's not a traditional VM you spin up in Azure. It's a fully managed, highly available virtual machine that gives end users a persistent 1:1 Windows desktop experience, their own personal PC in the cloud. That means Microsoft controls the underlying infrastructure, and you control the identity, policy, and app layer. When something breaks, diagnosing it means understanding which side of that line the problem lives on.
Whether you're an IT admin deploying Windows 365 Cloud PC for the first time or troubleshooting a broken provisioning profile on an existing tenant, this guide walks through every layer. Browse all Microsoft fix guides →
The Quick Fix, Try This First
If your Windows 365 Cloud PC provisioning is stuck or a user can't connect, start here before going anywhere else. This single workflow resolves the majority of cases I've seen in enterprise deployments.
Step 1: Open the Microsoft Intune admin center at intune.microsoft.com. In the left nav, go to Devices > Windows 365. If you don't see "Windows 365" in the menu at all, your tenant either doesn't have active licenses or the feature hasn't propagated yet, wait 30 minutes and refresh.
Step 2: Click All Cloud PCs. Find the affected user's Cloud PC. Look at the Status column. If it says "Provisioning failed," click the device name, then click Retry. This alone fixes a surprising number of transient provisioning failures caused by backend timeouts on Microsoft's side.
Step 3: If the status shows "Not provisioned," go back and verify the user has both a Windows 365 license AND a valid Microsoft Entra ID (formerly Azure Active Directory) account. Navigate to Microsoft 365 admin center > Users > Active users, find the user, click their name, and confirm the Windows 365 license is checked under the Licenses and apps tab.
Step 4: Have the user navigate to windows365.microsoft.com and sign in with their Microsoft 365 credentials. This is the primary access portal. If they land on a page showing their Cloud PC but can't connect, try the browser-based connection first before diagnosing the Windows App or Remote Desktop client.
Step 5: If they still can't connect from windows365.microsoft.com, try an incognito/private browser window. Cached authentication tokens are a surprisingly common culprit, especially after a password change or MFA re-registration.
Windows 365 Cloud PC comes in several distinct editions, and each has its own provisioning requirements. Before spending time on network or policy troubleshooting, confirm you have the right license for your scenario.
Windows 365 Business is for organizations with up to 300 seats. It's designed for fast, simplified deployment with minimal configuration. You don't need Microsoft Intune set up beforehand, Microsoft handles most of the management layer for you. If you're a small business and you're trying to configure Intune policies before provisioning, you're overcomplicating it. Business edition provisions almost automatically after license assignment.
Windows 365 Enterprise is for larger organizations that need unlimited seats, custom device images, and full Intune management. If you're on Enterprise and haven't set up Intune auto-enrollment, nothing will provision. Full stop.
To verify the right license is assigned:
# PowerShell, check assigned licenses for a user
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUserLicenseDetail -UserId "user@yourdomain.com" | Select-Object SkuPartNumberLook for SKUs containing CPC_ (Cloud PC). If you see nothing, the license isn't assigned. If you see the wrong tier (e.g., a Business SKU on a tenant configured for Enterprise), that's your problem.
After confirming the license in the Microsoft 365 admin center, allow up to 60 minutes for full propagation to Entra ID and Intune before declaring something broken. I've seen impatient admins open three support tickets in the time it took the license to propagate normally.
This step applies to Windows 365 Enterprise deployments using a custom Azure Network Connection. If you're on Business edition, skip to Step 3.
An Azure Network Connection (ANC) links your Windows 365 Cloud PCs to your on-premises network or Azure vNet. If the ANC is unhealthy, every provisioning attempt will fail, even if your licenses, policies, and images are perfect. Microsoft runs a set of automated health checks against every ANC, and they'll tell you exactly what's broken.
Navigate to: Intune admin center > Devices > Windows 365 > Azure network connections
Click your ANC name, then go to the Health checks tab. You'll see individual check results including:
- Azure tenant readiness, confirms your Azure subscription is valid
- Azure virtual network readiness, confirms the vNet and subnet exist and have enough IP addresses
- Endpoint connectivity, confirms required Microsoft service endpoints are reachable from the vNet
- Entra ID device join, confirms devices can join your directory
- Intune enrollment, confirms MDM enrollment is configured
- DNS resolution, confirms internal DNS resolves correctly from the subnet
Any red or warning status here is your smoking gun. The most common failure I see is endpoint connectivity, a firewall rule is blocking outbound access to required Microsoft endpoints. Microsoft publishes the full list of required URLs and ports in their network requirements documentation. Check that your NSG (Network Security Group) rules aren't blocking outbound HTTPS on port 443 to *.manage.microsoft.com, *.cdn.office.net, and related endpoints.
# Test endpoint connectivity from within the vNet (run on a VM in the same subnet)
Test-NetConnection -ComputerName "manage.microsoft.com" -Port 443If that returns TcpTestSucceeded: False, you've found your network block. Update your NSG outbound rules and re-run the ANC health check.
Windows 365 Enterprise Cloud PCs are managed entirely through Microsoft Intune. If your tenant doesn't have MDM auto-enrollment enabled, provisioning will fail with a generic error. Here's how to fix it.
Go to: Azure portal > Microsoft Entra ID > Mobility (MDM and MAM) > Microsoft Intune
Set the MDM user scope to either All or a specific group that includes your Cloud PC users. If it's set to None, that's your problem. Save the change.
Next, verify your provisioning policy in Intune:
- Go to Intune admin center > Devices > Windows 365 > Provisioning policies
- Click Create policy if none exists
- Set the Join type, choose between Microsoft Entra ID Join (cloud-only) or Hybrid Microsoft Entra ID Join (for on-premises AD environments)
- Select your Azure Network Connection if using a custom network
- Choose a Windows image, either a Microsoft-provided gallery image (Windows 10/11 with M365 apps) or a custom image you've uploaded
- Assign the policy to the user group that has Windows 365 licenses
One gotcha I see constantly: admins create the provisioning policy but forget to assign it to a group. The policy just sits there doing nothing. Make sure the assignment is saved and the correct users are in the assigned group.
After saving, go back to All Cloud PCs and check if provisioning starts within 10–15 minutes. If users are already in a failed state, use the Retry button on their individual Cloud PC record to kick off a new provisioning attempt with the corrected policy.
Once your Windows 365 Cloud PC is provisioned, the next class of issues is connectivity and performance. Users connect to their Cloud PC primarily through windows365.microsoft.com in a browser, or through the Windows App (available on Windows, Mac, iOS, and Android). Both use the same underlying RDP/AVD protocol stack.
Connection drops and latency: Windows 365 Cloud PCs route through Microsoft's Azure network infrastructure. If a user in your organization is experiencing high latency or frequent disconnects, check which Azure region their Cloud PC is hosted in. You can see this in Intune under the Cloud PC device details. If the region is geographically far from the user, that's inherent to the SaaS model, you can't move an existing Cloud PC, but you can provision new ones in a closer region by updating your provisioning policy's network settings.
Black screen on connection: This is almost always a GPU/display protocol issue. Try switching the connection quality in the Windows App settings from Automatic to a lower bandwidth profile. In the browser, clear the site data for windows365.microsoft.com specifically, then reconnect.
Audio not working: Audio redirection from Cloud PC to local device needs to be enabled in your Intune configuration profile. Check Intune > Devices > Configuration profiles for any profile applying to your Cloud PC group. If you have a policy explicitly disabling audio redirection, that's the cause.
# Check current RDP/AVD session configuration via PowerShell on the Cloud PC
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" | Select-Object fInheritAudioMode, fEnableAudioCaptureA value of 1 for fInheritAudioMode means audio settings are inherited from the connection client, which is normal. If you see explicit overrides disabling audio, trace that back to your Intune policy.
Authentication errors on Windows 365 Cloud PC typically fall into two buckets: identity federation problems and Conditional Access policy conflicts. Both can completely block a user from reaching their Cloud PC even when provisioning succeeded.
"We couldn't connect to your Cloud PC" with error code 0x3000046: This almost always means the user's Entra ID token couldn't be validated. Have the user sign out of all Microsoft apps on their local device, clear browser cookies, and sign back in at windows365.microsoft.com fresh. If you're using Hybrid Entra ID Join, verify the user's on-premises AD account is syncing correctly to Entra ID via Microsoft Entra Connect.
Conditional Access blocking access: If your organization has Conditional Access policies in Entra ID, they apply to Windows 365 Cloud PC connections. A policy requiring a compliant device will block users connecting from a personal iOS or Android device that isn't enrolled in Intune. Check the Entra ID sign-in logs:
# Entra ID sign-in log query, find CA failures for Windows 365
# In Azure portal: Entra ID > Monitoring > Sign-in logs
# Filter: Application = "Windows 365" | Status = Failure
# Look for: Failure reason = "Conditional Access policy requires..."If you find a CA policy blocking non-compliant devices, you have two options: either exempt the Windows 365 application from that specific CA policy (create an exclusion), or require users to connect from enrolled devices only, which is actually a stronger security posture for most organizations.
MFA prompts on every connection: This is expected behavior if your CA policy requires MFA for every session. To reduce friction, configure a persistent browser session policy in Entra ID for Windows 365 specifically. This lets users authenticate once per day rather than every single connection attempt. Go to Entra ID > Security > Conditional Access, open the relevant policy, and under Session > Sign-in frequency, set an appropriate interval.
Advanced Troubleshooting
If the steps above haven't resolved your Windows 365 Cloud PC issue, you're likely dealing with a more complex configuration conflict. Here's how I approach the cases that don't have obvious surface-level fixes.
Event Viewer Analysis on the Cloud PC
Once you can get onto the Cloud PC, even intermittently, Event Viewer is your best source of ground truth. The most relevant logs for Windows 365 provisioning and connection issues are:
- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin, Intune enrollment and MDM policy application errors
- Windows Logs > System, Filter for Event ID 7000 (service failed to start) and 7023 (service terminated with error). These surface infrastructure-level failures during Cloud PC startup.
- Applications and Services Logs > Microsoft > Windows > AAD > Operational, Entra ID join and token acquisition errors. Event ID 1098 indicates a device join failure.
# Export relevant event logs via PowerShell from the Cloud PC
Get-WinEvent -LogName "Microsoft-Windows-AAD/Operational" -MaxEvents 50 |
Where-Object { $_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning" } |
Select-Object TimeCreated, Id, Message | Format-ListGroup Policy Conflicts in Hybrid Environments
Windows 365 Cloud PCs in a Hybrid Entra ID Join configuration receive both Intune MDM policies and on-premises Group Policy Objects. These can conflict. The most common conflict I've seen: a GPO disabling the Windows Update service or blocking certain Microsoft endpoints, both of which are required for Cloud PC health reporting back to Intune.
Run gpresult /h gpresult.html on the Cloud PC and open the HTML report. Look for any policies under Computer Configuration that modify Windows Update, network proxy settings, or disable Microsoft services. If you find conflicting GPOs, either exclude the Cloud PC computer objects from those GPOs using security filtering, or create a dedicated OU for Cloud PC objects with a clean GPO inheritance path.
Windows 365 Frontline, Concurrent Session Management
Windows 365 Frontline is a distinct edition where a single license covers up to three Cloud PCs, but users access them non-concurrently. If users are reporting they can't get a session, it may be a concurrency conflict, all three provisioned Cloud PCs are in active sessions simultaneously. Check the Frontline session usage in Intune > Devices > Windows 365 > Frontline to see active session counts. This is by design, Frontline is explicitly intended for shift workers and task-based users who only need Cloud PC access for limited hours per day.
Cloud PC for Agents (Preview)
The newest Windows 365 edition, Windows 365 for Agents, is currently in preview and operates as a sandbox compute environment for AI-powered, computer-using agents. If you're piloting this in your organization and hitting provisioning errors, note that this edition's management surface is not yet fully integrated into the standard Intune Windows 365 blade. Check the preview-specific documentation and ensure your tenant is enrolled in the preview program before filing support tickets about missing UI elements.
Escalate to Microsoft Support when: provisioning has been stuck in a non-failed, non-succeeded state for more than 4 hours after a Retry; when all ANC health checks pass but provisioning still fails with no error code; when Event ID 1098 appears consistently across multiple users in the same Entra ID tenant; or when your Cloud PCs are provisioned but users are reporting consistent session drops that correlate with a specific Azure region. These scenarios indicate backend infrastructure issues that only Microsoft's engineering teams can resolve. When you call, have your tenant ID, the Cloud PC device IDs from Intune, and the exact timestamps of failure events ready, it cuts escalation time significantly.
Prevention & Best Practices
Most Windows 365 Cloud PC problems are preventable. I've watched organizations deploy hundreds of Cloud PCs without a single provisioning failure, and the difference between them and the ones that struggle comes down to a handful of preparation steps that most admins skip because they seem boring.
Run the ANC health checks before you assign any licenses. Seriously. This is the number one thing that separates smooth deployments from chaotic ones. The health checks will surface network, DNS, and Intune enrollment issues in a pre-provisioning state where fixing them is easy. Fixing them after 200 users have failed Cloud PCs is not easy.
Pilot with a small group first. Assign licenses to 5–10 users in a test group, verify their Cloud PCs provision successfully, let them use them for a week, and only then roll out to the broader organization. Windows 365 licenses are per-user per-month, you're not wasting money by doing a proper pilot.
Document your provisioning policy settings. It sounds tedious, but the moment someone makes a change to your provisioning policy six months from now and provisioning breaks for new users, you'll want a baseline record of what the original settings were. Take screenshots or export the policy configuration.
Monitor Intune enrollment status regularly. Go to Intune > Devices > Monitor > Enrollment failures at least weekly. Cloud PC devices that fail MDM enrollment become "dark", they're provisioned, they exist, but they're not receiving policy updates. You won't know until something important fails to apply.
Plan your Conditional Access policy exclusions before go-live. If you're adding Windows 365 to an existing Microsoft 365 tenant with mature CA policies, audit which policies will apply to Windows 365 connections and decide upfront which ones need Cloud PC-specific exceptions. Don't wait for users to report they can't connect from their phones.
- Set up an Intune device compliance policy specifically for Cloud PCs, this gives you a clear health dashboard separate from physical endpoints
- Enable Microsoft Entra ID sign-in risk policies to automatically block suspicious Cloud PC access attempts without burdening legitimate users
- Use Windows 365 Business for SMB deployments under 300 seats, the simplified management path saves hours of Intune configuration time
- Subscribe to the Microsoft 365 Service Health dashboard in your admin center so you're notified of Windows 365 service incidents before your users report them to you
Frequently Asked Questions
What exactly is Windows 365 Cloud PC and how is it different from a regular VM?
Windows 365 Cloud PC is a cloud-based SaaS product from Microsoft that automatically creates and maintains a Windows virtual machine for each user, think of it as your personal PC, except it lives in Microsoft's data centers instead of on your desk. Unlike a traditional Azure VM where you manage the underlying compute, storage, and OS yourself, Windows 365 Cloud PC handles all of that infrastructure for you. Your job as an admin is managing identity (through Entra ID), policy (through Intune), and licensing. Users access their Cloud PC from any device, Windows, Mac, iOS, or Android, by going to windows365.microsoft.com or using the Windows App. The experience is a full Windows 10 or 11 desktop with persistent apps, files, and settings, exactly like sitting in front of a physical PC.
What's the difference between Windows 365 Business and Windows 365 Enterprise?
The core difference comes down to scale and management depth. Windows 365 Business is built for organizations with up to 300 seats and prioritizes fast, simplified deployment, you don't need a fully configured Intune environment to get started, and Microsoft handles more of the management layer. Windows 365 Enterprise, by contrast, supports unlimited seats and is designed for larger organizations that need custom device images, deep Intune integration, and more granular management controls. Enterprise gives you options like custom golden images, Azure Network Connections to your on-premises infrastructure, and full Group Policy integration. If you're unsure which to choose, Business edition is the right starting point for most SMBs, you can always migrate to Enterprise later as your needs grow.
How do I access my Windows 365 Cloud PC from an iPhone or Android device?
You have two options. The first is the browser, open Safari or Chrome on your mobile device, go to windows365.microsoft.com, sign in with your Microsoft 365 work account, and tap your Cloud PC to launch a browser-based session. It works reasonably well for light tasks but isn't optimized for touch navigation. The better option is downloading the Windows App (previously called Microsoft Remote Desktop) from the App Store or Google Play. Once installed, sign in with your work account, and your Cloud PC will appear automatically. The Windows App gives you a significantly better experience, better input handling, smoother graphics, and the ability to redirect your local camera and microphone into the Cloud PC session. Just make sure any Conditional Access policies in your tenant allow connections from mobile devices, or users will get blocked at authentication.
What is Windows 365 Frontline and who should use it?
Windows 365 Frontline is a cost-saving edition designed for workers who don't need a Cloud PC running all day. A single Frontline license lets you provision up to three Cloud PCs, but only one can be in an active session at a time, users access them non-concurrently. This makes it ideal for shift workers, retail associates, healthcare staff, or anyone who needs Cloud PC access for a few hours per shift rather than a full workday. The economics work out significantly cheaper than buying a 1:1 Business or Enterprise license for every shift worker. The key constraint to communicate to your team upfront: if all three licensed users try to start a session simultaneously, the third person gets blocked until one of the others disconnects.
What is Windows 365 Government and is it different from the regular versions?
Windows 365 Government is a specialized edition for US government agencies and contractors that must meet federal compliance requirements. It spans both a regulated Government Community Cloud (GCC) environment and a public-facing cloud, allowing agencies to maintain regulatory compliance, including FedRAMP authorization and data residency requirements, while still delivering the core Windows 365 Cloud PC experience. The functionality is substantively similar to the commercial editions, but the infrastructure is physically and logically separated from the commercial Microsoft cloud. If you're a government agency evaluating Windows 365, you need to procure the Government edition specifically, a standard commercial Windows 365 Enterprise license doesn't meet GCC compliance requirements.
What is Windows 365 Link and do I need special hardware?
Windows 365 Link is a purpose-built physical device from Microsoft, the first hardware designed exclusively to connect users to their Windows 365 Cloud PC. It's a thin client that skips the local operating system entirely; every bit of compute, storage, and software runs in the cloud. You plug it in, connect to your network, authenticate, and you're at your Cloud PC in seconds. It's currently available in preview in select markets. You don't need Windows 365 Link to use a Cloud PC, a standard Windows PC, Mac, or mobile device works fine through the browser or Windows App, but Link is the purpose-optimized option for organizations running shared desk environments, kiosks, or any scenario where desk-based users need a secure, no-maintenance endpoint. The device is managed centrally like any other Intune-enrolled endpoint, just without a local Windows OS to patch.