Introduction
I think it’s great that users can restart their Cloud PC from the Windows 365 web interface. It makes sense to bring self-service options to the users. But recently, a customer told me he couldn’t restart his Cloud PC from Windows. First, I thought it was a general problem in the customer environment, but after some troubleshooting, it turns out this only applies to non-admin users, but in all the environments I have access to, this couldn’t be customer-specific issue.
The issue
When users are logged into their Cloud PC, non-admin users cannot see the Restart button in the power menu. Therefore they can only restart their Cloud PC from the Windows 365 web interface. I don’t think this is an issue if users only use the Windows 365 web interface. However, I see a “user experience” problem if they use the Remote Desktop Client instead.
Troubleshooting
I knew Microsoft was doing some work behind the scene when a Cloud PC is being created, but I was unsure if they were doing something about the restart button. When looking at the documentation they are only hiding the shut down button. So I checked if they accidentally were hiding the restart button for non-admins. But it turned out that was not the case.
From here, I have been many places in the registry, also places I don’t think humans ever should be, but it didn’t resolve the issue. After a while, I had to reset my mind and start over. So I started to look at the User Rights Assignment in Local Security Policy, and this is where I found the policy called shut down the system.
When looking at the description(Explain) of the policy, there is nothing about restart action, but it allows users in this policy to shut down the system. So at first, I didn’t think it was related to the issue because it only controlled the ability to shut down, but I found out when adding Users to the policy, I was now able to restart from Windows. The shut down button was still not visible because of the registry key HideShutDown, but this is okay as the users should not turn off their Cloud PC.
When looking at a physical Windows PC, Users are added to the policy by default. So I think this is the root cause of why the non-admin users cannot restart their cloud PC from Windows.
Fixing the issue with a script
Looking at how to automatically add Users to the policy from Intune, I have come up with a quick and dirty solution. Thanks to Ian Xue for posting an answer to a similar request in this forum.
I have taken the Powershell lines and modified them into what I needed for this.
Afterward, I uploaded it as a script to Intune, and non-admin users can now restart from Windows.
If this were a “permanent fix,” I would add a bunch more to the script, such as logging. But as I hope this is only a temporary thing, I try to keep it as simple as possible.
$user = "Users"
$tmp = [System.IO.Path]::GetTempFileName()
secedit.exe /export /cfg $tmp
$settings = Get-Content -Path $tmp
$account = New-Object System.Security.Principal.NTAccount($user)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
for($i=0;$i -lt $settings.Count;$i++){
if($settings[$i] -match "SeShutdownPrivilege")
{
$settings[$i] += ",*$($sid.Value)"
}
}
$settings | Out-File $tmp
secedit.exe /configure /db secedit.sdb /cfg $tmp /areas User_RIGHTS
Remove-Item -Path $tmp
Final thoughts
I’m not sure if it’s by design non-admin users only should be able to restart from the Windows 365 web interface. But from a user perspective, it’s odd if they can restart one place but not another. If anyone knows a better solution for this issue, please shout it out.
I’m aware that non-admin users now can turn off their Cloud PC if they know how to start CMD and type shutdown /s but local administrators can do this as well, and no one regarding their permissions should perform this action on a Cloud PC. If the user turns off their Cloud PC, they can start it again by selecting the Restart in Windows 365 web interface.
Let’s hope Microsoft will fix this in the future, so a workaround isn’t necessary.
If you’re changing the built-in users’ group, then it has a well known SID so your script could be simpler:
$tmp = [System.IO.Path]::GetTempFileName()
secedit.exe /export /cfg $tmp
$settings = Get-Content -Path $tmp
$sidvalue = “S-1-5-32-545” #Well Known SID for ‘Users’ local group
for($i=0;$i -lt $settings.Count;$i++){
if($settings[$i] -match “SeShutdownPrivilege”)
{
$settings[$i] += “,*$sidvalue”
}
}
$settings | Out-File $tmp
secedit.exe /configure /db secedit.sdb /cfg $tmp /areas User_RIGHTS
Remove-Item -Path $tmp
Also, for Microsoft to listen, you need to tell them, so I logged this feature request: https://techcommunity.microsoft.com/t5/windows-365-feature-requests/allow-non-admins-to-restart-their-own-cloud-pc-from-inside-the/idi-p/3253442
Hi Robin
Thanks for sharing your script version.
I have told them but good you do too. 🙂
Thanks for the research you have posted. But i dont want to move the built-in user’s group. i want to give the restart option to non-admin users from custom groups. Is that possible. Is there any feature provided by microsoft?
Hi Kamran,
I’m not aware of a solution from Microsoft.
I believe it’s possible to use custom groups instead of built-in “users” groups.
Have you tried to replace “users” with your custom group in the PowerShell lines in the blog?