In the quest for a Secure Future, Microsoft has aligned the reboot behavior of Windows 365 Cloud PCs with that of Windows Server, emphasizing security and stability. This decision ensures that only authorized users, typically administrators, have the ability to restart the system. By doing so, Microsoft aims to prevent unauthorized disruptions and maintain the integrity of the system, which is particularly crucial in an enterprise environment where the stakes of potential misuse are higher.
However, non-administrative users frequently encounter limitations that impede their productivity, such as being unable to restart their Windows 365 Cloud PC from the Start Menu or during a software deployment. The cause is that the local Users group is not included in the “Shut down the System” User Right Assignment on Windows 365 Cloud PCs.
This blog post will explain the root of the problem and guide you through how to restore default Windows behavior using Microsoft Intune.
Understanding the Issue
The “Shut down the System” User Right Assignment determines which users logged on locally to the computer can shut down the operating system with the Shut Down command. The same right also governs Restart, since a restart is a shutdown followed by a boot.
By default, non-admin users do not hold this right on a Windows 365 Cloud PC, unlike on a regular Windows PC. As a result they cannot restart their Windows 365 Cloud PC from within Windows, unless they know to use the Restart option in the Windows 365 web interface, since Restart is not offered in the Windows App either.
Warning
This security setting deserves some thought. It also means that non-admin users cannot perform basic tasks like restarting their Windows 365 Cloud PC as part of a software deployment, a Windows Update or similar.
While enabling this ability for non-admin users can resolve the issue, it comes with potential risks. Granting this user right can lead to misuse, where users may shut down systems inadvertently or maliciously, causing a denial of service.
It is essential to weigh the pros and cons before making this change.
Default User Right Assignments
To understand the default configuration for “Shut down the System” User Right Assignment settings, here is a breakdown of the User Right Assignments for different systems:
Default on Windows:
- Administrators
- Backup Operators
- Users
Default on Windows 365:
- Administrators
- Backup Operators
Default on Windows Server:
- Administrators
- Backup Operators
Implementing the workaround with Microsoft Intune
The workaround involves creating and assigning a User Rights Assignment policy through Microsoft Intune. Here’s a step-by-step guide to help you achieve this:
Step 1: Create a New Policy
- Sign in to the Microsoft Intune admin center.
- Go to Devices -> Windows -> Configuration.
- Click on Create New Policy.
- Select Windows 10 and later as the platform.
- Choose Settings catalog.
- Click on Create.
- Name the Policy and add a description.
Step 2: Configure the User Rights Assignment
- In Create profile, click Add settings; in the Settings picker, scroll down to User Rights.
- Under Setting name, scroll down to and select Shut Down The System.
- To restore the default Windows behavior on a Windows 365 Cloud PC, use the following SIDs for the policy:
- *S-1-5-32-544 (Administrators)
- *S-1-5-32-545 (Users)
- *S-1-5-32-551 (Backup Operators)
See how to retrieve Security Identifiers (SIDs) using PowerShell below.
Important
Using SIDs instead of Group names, ensures the policy works across languages.
When adding the user group SID to the User Rights Assignment policy, it is vital to prepend an asterisk (*) in front of the SID.
The asterisk tells the policy engine that the value is a SID rather than an account name (the same convention used for user rights in secedit security templates). Without it, the value is interpreted as an account name that cannot be resolved, so the policy may not apply as intended.
It is important to add all three groups (Administrators, Users, and Backup Operators) to the policy, as this setting replaces the existing list rather than appending to it. Omitting a group removes its right to shut down the system, which may result in unintended access restrictions.
Furthermore, note that removing the policy assignment does not revert the setting; to return to the default Windows 365 Cloud PC behavior, administrators must modify the policy so that it lists only Administrators and Backup Operators again.
Step 2.1: Retrieve Security Identifiers (SIDs) using PowerShell
To retrieve Security Identifiers (SIDs) for local groups, you can use PowerShell commands. Here is a step-by-step guide on how to do this:
- Open Windows PowerShell.
- Use the following command to list all local groups along with their corresponding SID:
Get-LocalGroup | Select-Object "Name", "SID"
- If you need the SID for a specific group, such as “Users”, you can use this command:
(Get-LocalGroup -Name "Users") | Select-Object "Name", "SID"
- Similarly, to get the SID for “Backup Operators” or “Administrators”, use the following commands:
(Get-LocalGroup -Name "Administrators") | Select-Object "Name", "SID"
(Get-LocalGroup -Name "Backup Operators") | Select-Object "Name", "SID"
- Make a note of these SIDs as you will need them to configure the User Rights Assignment.
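The commands above look the groups up by display name, which only works on an English-language Cloud PC. The following PowerShell is an added example (not from the original post) that derives the same three SIDs from their well-known SID types, so it works regardless of display language, and cross-checks each one against Get-LocalGroup by SID rather than by name. The function name and the labels in the table are this example's own.

```powershell
# Added example, not from the original post: derive the three SIDs for the
# "Shut down the system" right from their well-known SID types instead of
# from localized group names, then cross-check them against Get-LocalGroup.
# The builtin SIDs never change, so this works on any display language.

function Get-ShutdownRightSids {
    # Language-neutral label -> well-known SID type of each builtin group.
    $wellKnown = [ordered]@{
        'Administrators'   = [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
        'Users'            = [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid
        'Backup Operators' = [System.Security.Principal.WellKnownSidType]::BuiltinBackupOperatorsSid
    }

    foreach ($label in $wellKnown.Keys) {
        # Builtin groups are not domain-relative, so the domain SID argument is $null.
        $sid = [System.Security.Principal.SecurityIdentifier]::new($wellKnown[$label], $null)

        # What the group is actually called on this machine (for example
        # "Benutzer" on a German Cloud PC). Resolution can fail, so guard it.
        try   { $localName = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $localName = '<unresolved>' }

        # Get-LocalGroup can be queried by SID, which is the language-safe way to
        # confirm the group exists locally; a miss becomes $false instead of an error.
        $exists = $null -ne (Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Group       = $label
            LocalName   = $localName
            SID         = $sid.Value
            ExistsLocal = $exists
            # The Intune User Rights setting expects the SID prefixed with an asterisk.
            PolicyValue = '*' + $sid.Value
        }
    }
}

$entries = Get-ShutdownRightSids
$entries | Format-Table -AutoSize

# The three values to enter in the "Shut Down The System" setting, one per entry.
$entries.PolicyValue
```

The LocalName column is the only part that varies between languages; SID and PolicyValue are identical on every Windows 365 Cloud PC, which is why the policy should carry the SIDs rather than the names.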
Step 3: Assign the Policy
- Click Next.
- Click Next. (Or assign Scope tags)
- Assign the policy to the group(s) containing the Windows 365 Cloud PCs, or target only the applicable non-admin users.
- Click Next.
- Review and create the policy.
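Once the policy has applied, it is worth confirming what actually landed on the Cloud PC rather than trusting the Intune deployment status alone. The following PowerShell is an added example (not from the original post); the function names and the $ExpectedHolders list are this example's own. It exports the user-rights area of the local security policy with secedit, compares the SeShutdownPrivilege holders with the three SIDs used in Step 2, and separately checks whether the signed-in user's access token carries the privilege.

```powershell
# Added example, not from the original post: audit the effective "Shut down the
# system" right (SeShutdownPrivilege) on a Cloud PC after the Intune policy has
# applied. Function names and $ExpectedHolders are this example's own.

# The three entries the Intune policy in Step 2 is expected to set.
$ExpectedHolders = @('*S-1-5-32-544', '*S-1-5-32-545', '*S-1-5-32-551')

function Get-ShutdownRightHolders {
    # Export only the user-rights area of the local security policy to an INF.
    # secedit /export needs an elevated session.
    $inf = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    try {
        $null = secedit /export /cfg $inf /areas USER_RIGHTS /quiet
        if (-not (Test-Path -Path $inf)) { throw 'secedit export failed; run from an elevated PowerShell.' }

        # secedit writes UTF-16. The line of interest looks like
        #   SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
        # A right granted to nobody has no line at all, which must count as empty.
        $line = Get-Content -Path $inf -Encoding Unicode |
                Where-Object { $_ -match '^\s*SeShutdownPrivilege\s*=' }
        if (-not $line) { return @() }
        ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    }
    finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Test-ShutdownRight {
    param([string[]] $Expected = $ExpectedHolders)

    $actual  = @(Get-ShutdownRightHolders)
    $missing = @($Expected | Where-Object { $_ -notin $actual })
    $extra   = @($actual   | Where-Object { $_ -notin $Expected })

    [pscustomobject]@{
        PolicyHolders   = $actual  -join ','
        Missing         = $missing -join ','
        Extra           = $extra   -join ','
        PolicyCompliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

function Test-CurrentTokenShutdownRight {
    # User rights are copied into the access token at logon, so a user who was
    # already signed in when the policy applied still lacks the privilege until
    # they sign out and back in. whoami /priv needs no elevation, but run it in
    # the standard user's own session: an elevated admin token always has it.
    [bool](whoami /priv | Select-String -SimpleMatch 'SeShutdownPrivilege')
}

Test-ShutdownRight | Format-List
'Current token has SeShutdownPrivilege: {0}' -f (Test-CurrentTokenShutdownRight)
```

Run Test-ShutdownRight from an elevated PowerShell, since secedit /export requires administrator rights; run Test-CurrentTokenShutdownRight in the affected user's own, non-elevated session, because an elevated administrator token always carries SeShutdownPrivilege and proves nothing there. Because the right is only copied into the token at logon, a user who was signed in when the policy arrived is still refused (shutdown.exe reports Access is denied) until they sign out and back in or restart the Cloud PC from the Windows 365 web interface.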
Important Considerations
It is essential to monitor the effects of this policy change and ensure that users are fully informed of the consequences of shutting down their Windows 365 Cloud PC and how to recover/restart the Windows 365 Cloud PC.
Please note: a post-provisioning configuration option is to enable the Hide Start Menu power icons policy settings Hide the shutdown button in the Start Menu and Hide the shutdown button in the sign-in screen, which make shutting down a Windows 365 Cloud PC less easy.
Be aware that once the right is granted, non-administrative users will still be able to shut down their Windows 365 Cloud PC if they know to run shutdown /s /t 0 in a Command Prompt; hiding the Start Menu button does not prevent that. Local administrators can do the same, and regardless of their permissions, everyone should be made aware of the implications of shutting down a Windows 365 Cloud PC.
Note
If a user shuts down their Windows 365 Cloud PC, they have the option to restart it by selecting the Restart option in the Windows 365 web interface.
Conclusion
Enabling non-admin users to restart their Windows 365 Cloud PCs from the Start Menu can significantly improve their productivity and user experience. However, the change must be implemented carefully, with the security risks described above in mind.
- By using Microsoft Intune to configure User Rights Assignments, you can achieve this goal while maintaining control over your environment.
- Always ensure that users are informed and trained on the proper use of these settings to prevent misuse and ensure smooth operation of their Windows 365 Cloud PC.
That’s it.
–Jesper