Are you using a nice Windows 365 Cloud PC and want to use kickass Intune Suite features like Device Query or EPM Support Approved? If you’re going to use them, you must beware of something that is funny and legacy at the same time.
1. Windows 365 Cloud PC and Device Query.
One of the most beautiful things about a Cloud PC is that you can log in and start working when you don’t have your notebook. Which is excellent, and it works pretty fast as well.
Some weeks ago, I was playing around with Device Query and Support Approved and trying to find out if they work the same way on a Cloud PC because that’s what I do! I try to find out how something works and doesn’t.
After activating my Cloud PC and logging in, I started playing with Device Query. I kicked off a device query because I noticed that the Intune Management Extension had been updated. With this update, I wondered if Microsoft had fixed the issue with the 64-bit registry query (which they did in the meantime… but this blog sat in draft for “some reasons”).
2. The Device Query Issue
After firing off the device query to determine if the issue was resolved, I noticed it wasn’t giving me the expected output.
As shown above, it showed me that an error occurred while I was expecting some or no results. Well, that’s a bit weird. Within a couple of seconds, it became clear what was happening, and it wasn’t because of the IME update.
3. What’s happening?
Device Query and EPM Support Approved both rely on the fact that the Windows Notification Service (WNS) could contact the device. If the WNS service can’t send a push notification to your device, you are pretty much screwed.
Device Query | An Error occurred. Try Running the query again (call4cloud.nl)
Besides Device Query not working at all, EPM Support Approved will not show the notification within a couple of minutes. It will only get the latest policies when rebooting the device or when the scheduled sync kicks in.
The weird thing is that I didn’t configure a policy to block those Cloud Application Notifications as I showed in that blog above. Configuring such a policy to block push notifications on cloud-native devices is not the smartest thing to do.
To be sure, I opened the enrollment registry keys and the corresponding scheduled tasks.
As shown above, the MMP-C and Intune Enrollment were missing the “Push” registry keys and scheduled tasks. After opening the event log, I noticed the same error message as I had with the device query feature.
With this notification popping up, it was pretty evident that my Cloud PC had a policy in place to block Cloud Application Notifications (Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications). I opened the registry and located the corresponding policy key. Somehow, that same policy was present on my device.
4. Trying to fix the NoCloudApplicationNotification Issue
I deleted that stupid key and rebooted the Cloud PC.
After a reboot, that NoCloudApplicationNotification registry key was back where it was and was again blocking the push notifications! That’s weird! Well, until I opened the group policy event log.
It mentioned that a change was detected. Huhhh? Cloud native and having a GPO in place? I wasn’t expecting that at all, until I opened the system32\grouppolicy\machine folder.
I noticed the same registry key to block push notifications inside the group policy POL file. After a few minutes of searching, it became apparent why that group policy was in place: in the provisioning policy, I had selected the Windows 11 Enterprise 23h2 + OS Optimizations template.
This template is optimized for improved performance, if we believe the corresponding docs.
I spent some time on GitHub finding the policies that are set by this optimization template, and I stumbled upon this policy. It was obvious that this policy would be deployed when you selected the optimization template.
Now we know the issue, how are we going to fix it?
5. The Simple fix
Well, fixing it is easy. I deleted the POL file on my Cloud PC and executed a gpupdate /force command. That command removed all the policies defined in the POL file. Once all the policies were gone, I rebooted the Cloud PC.
As shown above, after the device was rebooted, all of the corresponding Push launch tasks and registry keys showed up! After a couple of minutes of waiting, the device registered the device channel and started communicating with the WNS service.
With the device successfully communicating with the service, executing a device query worked again!
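The checks and the fix described in sections 3 to 5 can be scripted. The following PowerShell script is an added example and is not part of the original post or of any Microsoft tooling. It reads the policy key named in the post, searches the local Registry.pol for the NoCloudApplicationNotification value, and lists the per-enrollment Push keys and scheduled tasks; the enrollment registry path (HKLM\SOFTWARE\Microsoft\Enrollments) and the EnterpriseMgmt task folder are assumed from what the post describes. With -Fix it repeats the post’s steps: delete the POL file and run gpupdate /force. Run it elevated on the Cloud PC.

```powershell
# Added example: diagnose (and optionally clear) the local GPO that blocks WNS push
# on a Windows 365 Cloud PC provisioned with the OS Optimizations template.
# Assumptions: enrollment GUIDs live under HKLM\SOFTWARE\Microsoft\Enrollments and
# their tasks under \Microsoft\Windows\EnterpriseMgmt\<GUID>\ (not stated in the post).
[CmdletBinding()]
param(
    [switch]$Fix   # delete the local Registry.pol and refresh policy, as the post did
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
$valueName = 'NoCloudApplicationNotification'
$polFile   = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

function Test-PushBlockedByPolicy {
    # True when the policy value from the post is present and set to 1.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

function Test-PolFileSetsValue {
    # Registry.pol stores value names as UTF-16LE text, so a plain string search
    # is enough to tell whether the local GPO is what keeps re-applying the value.
    if (-not (Test-Path $polFile)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($polFile)
    $text  = [System.Text.Encoding]::Unicode.GetString($bytes)
    return $text.Contains($valueName)
}

function Get-EnrollmentPushState {
    # One row per MDM enrollment (Intune, MMP-C): does it have its Push key,
    # and how many Push tasks exist in its EnterpriseMgmt task folder?
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object {
            $guid  = $_.PSChildName
            $tasks = @(Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$guid\" `
                         -ErrorAction SilentlyContinue | Where-Object TaskName -like '*Push*')
            [pscustomobject]@{
                Enrollment = $guid
                HasPushKey = Test-Path "HKLM:\SOFTWARE\Microsoft\Enrollments\$guid\Push"
                PushTasks  = $tasks.Count
            }
        }
}

$blocked = Test-PushBlockedByPolicy
$fromPol = Test-PolFileSetsValue
Write-Host "Policy value $valueName = 1      : $blocked"
Write-Host "Local Registry.pol contains it  : $fromPol"
Get-EnrollmentPushState | Format-Table -AutoSize

if ($Fix -and $fromPol) {
    # Same as the post: removing Registry.pol drops EVERY setting in the local GPO,
    # not only this one. After the refresh, reboot so the enrollment client
    # recreates the Push keys and tasks, then re-run without -Fix to verify.
    Remove-Item -Path $polFile -Force
    gpupdate /force | Out-Null
    Write-Host 'Registry.pol removed and policy refreshed; reboot the Cloud PC and re-run to verify.'
}
```

A healthy device shows the policy value absent, no hit in Registry.pol, and each enrollment row with HasPushKey set to True and at least one Push task; a device built from the optimization template shows the opposite on all three, which matches the symptoms the post describes.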
Once my existing Cloud PC was fixed, I also selected the new template from the gallery.
This template doesn’t hold the Optimization GPO and does NOT break the push notifications. I reprovisioned my Cloud PC to make sure everything
6. The Microsoft Fix
It’s obvious that I shared my findings with Microsoft first before publishing this blog. So, in the meantime (while this blog was in draft), Microsoft was busy fixing it.
When we look at the device images overview of Windows 365, we will notice a change. It seems that they changed some pieces and are going to remove the Optimization template from the gallery images.
If we look at the changes that were committed to GitHub, we will indeed notice that the optimization template’s name was removed!
With the docs being changed, the existing Optimization template from the gallery as shown below, will be removed.
With this template removed, the GPO messing around with the push notifications will also be removed!
That’s very, very nice, and if you watched the message center, you could also have spotted this message! It mentions that MSFT will be removing the current optimized gallery images in mid-August 2024.
Conclusion
When using Cloud PCs, please select the proper template for your provisioning gallery. If you choose the optimization one, Device Query and EPM Support Approved will not function properly!