Using a Windows 11 IoT Enterprise thin client to connect to Cloud PCs or AVD

What’s up, everyone! 

This week I’ve had a lot of fun with nothing less then a thin client running Windows 11 IoT Enterprise LTSC from my friends at 10ZiG. And there’s some great potential here. The thin client is built like a powerhouse and it runs Windows 11 IoT Enterprise. That means we can manage it in a modern way using Microsoft Intune. With that in mind I was asking myself, where do I go from here? Will I dive into the wonderous world of Windows 11 IoT Enterprise or review the hardware? After some thought I ended up with something more like a use case which is best described as; is a thin client running Windows 11 IoT Enterprise a good platform to connect to Windows 365 and Azure Virtual Desktop? 

Well, let’s find out!

Why should we use Windows 11 IoT Enterprise LTSC?

Windows 11 IoT Enterprise LTSC is not an operating system that I work with on a daily basis, so I thought it was a good idea to start with a brief comparison between the Windows 11 Enterprise that everyone knows and loves and the IoT edition. And just by looking at the name it seems that there are a couple of things to unpack. Like what is that LTSC?

Windows 11 IoT Enterprise comes in two editions: 

  1. Windows 11 IoT Enterprise: this edition follows a 3 year support lifecycle for each release.
  2. Windows 11 IoT Enterprise Long Term Service Channel (or LTSC from now on): this edition is supported for 10 years! 

Let’s shift our focus to IoT. Probably the easiest way to compare both editions is think of IoT as a stripped down version of Windows 11 Enterprise. While it does not have a feature pack installed like Windows 11 Enterprise does, it still does have many other features like the unified write filter. The combination of Windows 11 IoT with LTSC, or 10 years support, makes it a great candidate for special use cases.

Here is a quick comparison of Windows 11 Enterprise vs Windows 11 IoT:

If you want to get a full overview of the various Windows 11 IoT versions and their respective features, I would suggest to read this document by Microsoft.

Shopping for devices; thin client?

There are many things to take into consideration when you’re shopping for thin clients. The form factor, the internal hardware, management options, power consumption if you want to save the world and the different connectivity options to name a few. 

The model I will be testing is part of the 7100 series:

  • 7111q: this model runs Windows 11 IoT Enterprise LTSC.
  • 7172q: this model runs 10ZiGs PeakOS Linux Thin Client OS.
  • 7148qm: this model runs NOS-M, a Linux based zero client which is optimized to connect to Windows 365 and Azure Virtual Desktop.

My friends at 10ZiG sent me the 10ZiG 7111q model. There are a lot of connectivity options:

Internally it runs on an AMD Embedded R2514 Quad Core processor at 2.10GHz (burstable to 3.70 GHz) alongside a Radeon Vega 8 graphics card. It boasts the capability to run 4 displays at a 4k screen resolution.  

The base model support 16 GB of RAM and 128 GB SSD. while the top tier model enjoys 32GB of RAM and a 256 GB SSD. Wireless is optional.

Management via Microsoft Intune

Windows 11 IoT Enterprise (LTSC) devices can be managed via Microsoft Intune. All you need to do is to enroll them in MDM and they will appear in the Devices blade in Microsoft Intune. 

Now that we can manage the device properly, let’s try to accomplish the following tasks:

  1. Create a device filter
  2. Create a security group using dynamic device membership
  3. Configure updates
  4. Personalize the wallpaper
  5. Install the Windows app
  6. Managing the Unified Write Filter (or not?)
  7. Optimize the user experience with multi media redirection

Step 1: Create a device filter 

Let’s make our life a little bit more easy and create a proper device filter. Now the easy way would be to filter on the manufacturer and use the following rule syntax: device.manufacturer -contains “10ZiG”

And here is where it get’s a bit tricky. I wanted to create a filter that filters on the operating system SKU. This would be a really easy way to filter out all devices that are using that specific SKU. The normal way to go about this is to start the rule syntax with: operatingSystemSKU -equals. Then just click on the value box and select the SKU you want. My first idea was to use the following: IoTEnterprise (Windows 10/11 IoT Enterprise(188)). But when I clicked the preview button, the list stayed empty. So let’s find out how the device identifies itself. I ran the following Powershell code:

Get-WmiObject -Class Win32_OperatingSystem | select operatingsystemSKU

This command returned the value 191

And there’s no sign of 191 at the moment of writing:

Other variants such as “-contains 191” also do not work. Since Windows 11 IoT Enterprise LTSC was released only recently, we might have to wait until this is updated. If you have any other ways to filter on these devices, let me know in the comments! Let’s continue to creating a dynamic device group.

Step 2: Create a security group using dynamic device membership

Microsoft Intune uses different properties for dynamic device groups. For example, the operatingSystemSKU property is not available. But we can still filter on the manufacturer. So to keep things in line with the filter, let’s use that: deviceManufacturer -startsWith “10ZiG”

Step 3: Configure Windows Update for Business

Windows Update for Business supports updates for Windows 11 IoT Enterprise (LTSC). The only update category that is not supported is feature updates. We now know that we can update the operating system using Windows Update for Business, but that raises the question; should we?

And that depends on the use case or scenario. Windows 11 IoT tends to be used for specialized use cases. If that scenario requires the IoT device to be online, you might consider to disable automatic updates and install them in maintenance windows. Or optimize when the device will reboot outside of office hours using the active hours setting. You can find these settings in the setting catalog.

Step 4: Branding

Chances are that these devices have different users. They will all end up using the local user account on the thin client but it would be nice if they have a branded experience, right?

Let’s see if we can deploy a company wallpaper and lockscreen. The following setting are easily added from the settings catalog:

Step 5: Installing the Windows app

Let’s see if we can install the Windows app using Microsoft Intune. Go to Apps, All Apps, click the + Add button. Select Microsoft Store app (new) as the app type.

Search for the Windows app by Microsoft and go to the Assignments tab. Assign the app to all devices and use a filter install the app on the filtered devices or use the dynamic group we created earlier.

Finish up by admiring your awesome work and save the app. All that’s left to do is to wait until the app is installed on the device.

Step 6: Managing the Unified Write Filter (or not?)

Somehow thin clients always make me think of write filters. I remember the old days when I was managing thin clients and performed my changes on the device, only to find that they have been undone after a reboot. Well, the good news is that you can use write filters for Windows 11 Enterprise and IoT editions, but once you do, you cannot use Microsoft Intune to manage these devices (yet). See this link for more info: (link).

Using the unified write filter depends on the use case of the device. Since my idea was to use the device to connect to Windows 365 and AVD, I am perfectly fine to leave the write filter off and manage the device using Microsoft Intune.

Step 7: Optimize the user experience with multi media redirection 

Watching a movie on a remote desktop will not give the best user experience. Using MMR you can redirect multi media content to the local device, at least for supported websites like Youtube

Now it’s time for a little disclaimer. Truth be told I have no idea if MMR is going to work. Looking at the official docs, Windows 11 IoT Enterprise is not listed as supported or unsupported. So let’s see if we can get MMR up and running! I will show how to configure MMR on a Cloud PC using Microsoft Intune and test it on a regular Windows 11 Enterprise device. Then I’ll test it on the thin client.

The first step is to install the host component and browser extension on the session host or Cloud PC. We can use Microsoft Intune to distribute the host component to our Cloud PCs by adding the app:

The same goes for the browser extension. Use a device configuration policy and add the extension to Microsoft Edge:

The user will get a nice request to enable the newly added extension in Microsoft Edge:

So how do you know that things work? 

Make sure to sign into your Cloud PC or AVD desktop with a supported client. I used the Windows app which perfectly supports MMR. 

Next, open up your browser and check if the MMR icon appears. If not, check the gear icon and see if the extension is hidden. The icon should be grey in regular websites. Once you navigate to a supported website, such as Youtube, you should see a red color. The following screenshot let’s me know that MMR is configured correctly:

Search for your business critical video, like the Tomorrowland aftermovie of 2023 and enjoy the great MMR experience. The icon will change into the following:

Time for a demo

It’s time to sign into the thin client and see what results we get. The first major change should be our masterpiece by Microsoft Designer as the wallpaper:

Yep, that’s a huge 34″ wide flat panel with the custom wallpaper. So far so good!

Let’s see if Microsoft Intune was able to install the Windows app. So the first thing I did was put the taskbar in the middle where it should be. Apps are stored start menu:

Starting the Windows app gives the same user experience that we all know. Just sign in and your assigned desktops will appear:

Let’s sign into the Cloud PC:

There you go! Now we can work from a thin client, running Windows 11 IoT Enterprise LTSC on a Windows 365 Cloud PC using all the modern comfort!

But there’s still one more thing to test! Does multi media redirection work in combination with Windows 11 IoT Enterprise LTSC?

Yes it does! Amazing right! Now you can enjoy your critical corporate content like a boss…

Resources

5 Comments

  1. Hi Dominik, Great post.

    I have found MMR not to be stable and reliable for me to recommend. I’m not sure if it’s not updated enough but I feel like if a supported site like YouTube changes something on their media player, it stops working and Microsoft isn’t on top of it to go and update their plugin.

    Do you have that same experience?

    1. Hi Tony!

      I’ve had some pretty good results, but I’ve also had some issues. Especially with maximizing the video and resizing back. Or sometimes it will randomly fail and give a grey screen where the video should be. The workaround here was to close the browser and try again which isn’t something you’d want for production. I did find it easy to configure, it does work (most of the time) and the performance gain is pretty awesome.

Leave a Reply

Your email address will not be published. Required fields are marked *