Key Takeaways

  • Windows 365 Cloud PCs now evaluate Intune compliance policies during provisioning — devices are compliant before users sign in.
  • The “Not Evaluated” compliance gap that blocked users on first boot is eliminated.
  • Gallery images already include the update; custom images require KB5070311 or later.
  • Organizations should audit and remove Conditional Access workarounds that were compensating for the old behavior.
  • Windows 365 Frontline and shared Cloud PC scenarios benefit the most from this change.

Windows 365 Closes a Critical Compliance Gap in Cloud PC Provisioning

Microsoft has shipped one of the most practical improvements to Windows 365 in recent memory: Cloud PCs now evaluate Intune compliance policies during provisioning, concurrent with MDM enrollment, without requiring a user to sign in first.

If you manage a Windows 365 environment, you’ve likely encountered the frustration. A Cloud PC finishes provisioning, a user tries to sign in, and Conditional Access immediately blocks them because the device sits in a “Not Evaluated” compliance state. The device is configured correctly — it just hasn’t checked in yet. That gap is now closed.

How Compliance During Provisioning Policy Works

The change is embedded in the Intune management agent’s behavior during the provisioning orchestration phase. Here’s the updated flow:

  1. The provisioning policy triggers and Windows 365 begins setting up the Cloud PC.
  2. MDM enrollment occurs as part of provisioning.
  3. Assigned compliance policies evaluate concurrently during the enrollment phase — no user sign-in required.
  4. The Cloud PC achieves a compliant status in Entra ID before provisioning completes.
  5. The user signs in to a device that Conditional Access already recognizes as compliant.

The Technical Foundation: KB5070311

This capability ships via KB5070311, a non-security update for Windows 11 versions 25H2 and 24H2 (OS Builds 26200.7309 and 26100.7309). Microsoft’s gallery images already include this update. If your organization uses custom images, you’ll need to refresh them to include KB5070311 or a later cumulative update — without it, custom-image Cloud PCs will fall back to the previous behavior.

Why This Matters for Cloud PC Security and Zero Trust

Conditional Access Without Workarounds

Organizations enforcing Conditional Access policies that require device compliance have been forced into uncomfortable tradeoffs:

  • Excluding Cloud PC groups from compliance-required CA policies during a grace window
  • Extending compliance grace periods to delay non-compliant marking
  • Creating break-glass exceptions for newly provisioned devices

Every one of these workarounds introduced security risk. They created exactly the kind of gap that Zero Trust architectures are designed to prevent. With compliance evaluation during provisioning, none of these workarounds are necessary. Devices are verified before they’re accessible — period.

Zero Trust Alignment

Zero Trust demands continuous verification at every access point. A provisioning flow that left devices in an unevaluated state was a gap in that model. This update tightens the alignment between Windows 365 provisioning and Zero Trust principles, ensuring every Cloud PC is verified before a user can interact with it.

Windows 365 Frontline and Shared Cloud PC Scenarios

For organizations using Windows 365 Frontline or shared Cloud PCs, this improvement is particularly significant. Frontline workers access Cloud PCs on tight schedules — being blocked by Conditional Access on first boot isn’t an inconvenience, it’s a productivity blocker. Compliance during provisioning means workers log in and start working immediately, with no delays and no helpdesk calls.

What IT Admins Should Do Now

1. Audit and Remove Conditional Access Workarounds

If you’ve implemented CA policy exclusions, extended grace periods, or break-glass exceptions for newly provisioned Cloud PCs, review and remove them now. These were security compromises necessitated by the old behavior. Leaving them in place introduces unnecessary risk.

2. Verify Security Group Assignments

Ensure the security groups used for compliance policy assignment include device objects created during Cloud PC provisioning. If you rely on dynamic groups for policy targeting, verify that membership rules capture newly provisioned Cloud PCs during — not after — the provisioning window.

3. Update Custom Images

Gallery images are already current. If your organization uses custom images, refresh them to include KB5070311 or later. This is the single required action item for most environments.

4. Run a Phased Rollout

For complex compliance and Conditional Access configurations, a phased approach reduces risk:

  • Pilot group: Assign a test provisioning policy to a small user group and validate compliance evaluation completes during provisioning.
  • Monitor: Confirm pilot Cloud PCs show “Compliant” in Intune before users sign in.
  • Validate CA behavior: Verify users access Cloud PCs without first-boot Conditional Access blocks.
  • Expand: Roll out updated provisioning policies to production.

5. Review Data Residency and Compliance Policy Timing

Compliance policies with grace periods or “Mark device noncompliant” timing delays still apply. A device may be compliant during provisioning but could transition to non-compliant if remediation doesn’t complete within the grace period. Align your compliance policy settings with the new provisioning behavior to avoid surprises.
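As an added example (not the article's or Microsoft's code), the following PowerShell script uses the Microsoft Graph PowerShell SDK to check three of the steps above in one pass: it flags Conditional Access policies that require a compliant device but exclude the pilot group (step 1, the "grace window" workaround), prints the pilot group's dynamic membership rule and processing state (step 2), and reports the Intune compliance state of every device in the pilot group so you can confirm "compliant" before users sign in (step 4) and spot devices that have slipped into a grace period (step 5). The `$PilotGroupId` parameter, the permission scopes requested and the output columns are assumptions made here; the cmdlets, object properties and the `compliantDevice` control value are from the SDK and Graph API. The SDK's `unknown` compliance value is what the admin center shows as "Not Evaluated".

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.DeviceManagement
# Added example, not from the article or Microsoft. Assumes $PilotGroupId is the object ID
# of the security group targeted by the pilot provisioning policy (assumption for illustration).
param(
    [Parameter(Mandatory)] [string] $PilotGroupId
)

# Read-only scopes are enough for an audit; adjust if your tenant uses a stricter consent model.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All', 'GroupMember.Read.All', 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# --- Step 1: Conditional Access policies that demand device compliance but carve out the pilot group.
# These exclusions are the workaround the update makes unnecessary; each hit is a candidate for removal.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in $caPolicies) {
    $requiresCompliance = $policy.GrantControls.BuiltInControls -contains 'compliantDevice'
    $excludesPilot      = $policy.Conditions.Users.ExcludeGroups -contains $PilotGroupId
    if ($requiresCompliance -and $excludesPilot) {
        Write-Warning ("CA policy '{0}' (state: {1}) requires a compliant device but excludes the pilot group." -f `
            $policy.DisplayName, $policy.State)
    }
}

# --- Step 2: show how the pilot group is populated. A dynamic rule that only matches after a user
# signs in, or that is still processing, will not contain the device during the provisioning window.
$group = Get-MgGroup -GroupId $PilotGroupId -Property 'DisplayName', 'MembershipRule', 'MembershipRuleProcessingState'
if ($group.MembershipRule) {
    Write-Host ("Group '{0}' is dynamic. Rule: {1} (processing: {2})" -f `
        $group.DisplayName, $group.MembershipRule, $group.MembershipRuleProcessingState)
} else {
    Write-Host ("Group '{0}' uses assigned membership; confirm provisioning adds new device objects to it." -f $group.DisplayName)
}

# --- Steps 4 and 5: compliance state of every device object in the pilot group, as Intune sees it.
$report = foreach ($member in Get-MgGroupMember -GroupId $PilotGroupId -All) {
    # Group members are directory objects; keep only device objects, skip users and nested groups.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.device') { continue }
    $deviceName = $member.AdditionalProperties['displayName']

    # Look the device up in Intune by name; a device that never enrolled returns nothing.
    $managed = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$deviceName'" | Select-Object -First 1
    if (-not $managed) {
        [pscustomobject]@{ DeviceName = $deviceName; ComplianceState = 'notEnrolled'; Enrolled = $null; LastSync = $null; Note = 'No Intune record' }
        continue
    }

    # complianceState values: unknown (portal: "Not Evaluated"), compliant, noncompliant,
    # conflict, error, inGracePeriod, configManager.
    $note = switch ($managed.ComplianceState) {
        'compliant'     { 'OK before first sign-in' }
        'unknown'       { 'Not evaluated: expected only on images without KB5070311 or later' }
        'inGracePeriod' { 'Was compliant, now in grace period: check remediation timing (step 5)' }
        default         { 'Investigate' }
    }
    [pscustomobject]@{
        DeviceName      = $managed.DeviceName
        ComplianceState = $managed.ComplianceState
        Enrolled        = $managed.EnrolledDateTime
        LastSync        = $managed.LastSyncDateTime
        Note            = $note
    }
}

$report | Sort-Object ComplianceState, DeviceName | Format-Table -AutoSize

# Summary line for the rollout gate: expand to production only when nothing is left unevaluated.
$unevaluated = @($report | Where-Object { $_.ComplianceState -in 'unknown', 'notEnrolled' }).Count
Write-Host ("{0} of {1} pilot devices are still unevaluated or unenrolled." -f $unevaluated, @($report).Count)
```

Run it once after the pilot Cloud PCs finish provisioning but before the pilot users are told to sign in; a device that is already `compliant` at that point is the behaviour the update promises, while any `unknown` result on a custom-image Cloud PC points back to step 3. The script makes no changes, so the CA warnings it prints are a review list, not an automatic cleanup.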

Additional Context: Windows 11 25H2 Settings Catalog

The Windows 11 25H2 release also brought 36 new settings to the Intune Settings Catalog, including controls for Windows Backup, Windows Recall AI features, the Settings Agent, onlooker detection, and energy saver modes. Organizations deploying 25H2 should incorporate relevant settings into their compliance and configuration policies alongside this provisioning improvement.

What This Means for Your Organization

This isn’t a flashy feature announcement — it’s a pragmatic improvement that closes a real operational gap. If you’re running Windows 365 with Conditional Access and compliance requirements (and you should be), this update eliminates a class of first-boot failures that generated helpdesk tickets and forced security compromises.

For gallery image users, the benefit is automatic. For custom image users, the action item is straightforward. Either way, the real value comes from reviewing your existing workarounds and removing the security exceptions that are no longer needed.

The combination of tighter Zero Trust alignment, better frontline worker experience, and reduced operational overhead makes this a meaningful step forward for Windows 365 deployments of any size.

Need help optimizing your Windows 365 provisioning policies or tightening your Conditional Access configuration? Contact Big Hat Group for Windows 365 deployment help — we specialize in Cloud PC strategy, compliance architecture, and endpoint management for organizations of all sizes.