Tag: igelos

Microsoft Windows 365 Link vs. IGEL OS: A Practical Comparison 

By Fredrik Brattstig @virtualbrat

The Microsoft Windows 365 Link, a ‘Microsoft Local OS Zero Client‘ (more on why I call it a Zero Client later), is now generally available for purchase of the shelf in extended number of countries.
I bought myself one of them, and would like to share my experience with the device.
This blog should be able to guide you on when this is the right thing for you, and when it isn’t.

In this article, I will be comparing the user experience and some administrative aspects of the Windows 365 Link with IGEL OS. I know that it’s a little bit like comparing apples and pears, though, the reason for why I do it is because IGEL OS can mimic the user experience of the Windows 365 Link. In fact, IGEL OS has been able to do customization of the user interface to do ‘boot-to-service” for quite some time – so depending on how you look at it, the mimicry might go the other way.

I want to highlight that I do like the Windows 365 Link, Microsoft has done an impressive job in creating a seamless, purpose-built device for accessing Windows 365 workloads. The user experience is clean, fast, and tightly integrated into the Microsoft ecosystem.

However, if I were in the position of an IT administrator, I’m not sure I’d roll these devices out to my users. The reason is simple: flexibility. If at any point in the future I decided to shift my investment or move away from Windows 365, I’d be left with hardware that’s effectively locked to that ecosystem. In other words, I’d have to retire or discard my Windows 365 Links, whereas a repurposed endpoint running IGEL OS could easily adapt to other environments or platforms.

The hardware piece – Windows 365 Link

The formfactor of the Windows 365 Link is really neat. The matte black finish is very stylish. Here is how it looks:

Windows 365 Link Top-Front picture with the power adapter

The front panel of the device features a power button on the right side, on the left side you have a 3.5 mm audio in/out jack and a USB-A port. I appreciate the inclusion of the classic 3.5 mm audio jack — nice to see some “backward compatibility” — though I do miss having a USB-C port on the front for quick access.

Windows 365 Link Top-Rear picture. Nice shimmering mirror effect in the Windows logo!

The rear side is well equipped with, from the left, a USB-C port, 2x USB-A ports, a Display Port, a HDMI port, a RJ-45 LAN and power-socket. 100% what to expect from a modern mini form factor device. Apart from that, there is a Kensington lock-slot on the right side (not shown in the photos).
That said, one design choice puzzled me: why use a proprietary power adapter instead of USB-C power delivery? It feels like a missed opportunity for convenience and standardization. 

Overall, though, the design is sleek and modern, and the weight gives it a reassuring sense of quality — even if that might sound a bit odd to say about a device this small. 

UEFI Security

Let’s start with BIOS/UEFI – You can enter the UEFI utility on the Link by pressing ‘DEL’ key on your keyboard while the first part of the startup, and it will take you to the well-known Microsoft UEFI screen:

From within the UEFI interface there are a few parameters that you can change. You can enable boot from USB, adjust the boot order, opt in/out of Zero Touch Deployment, you can import a configuration for your Windows 365 Link from a USB stick, and you “can” alter secure boot alternatives.
Naturally, I was interested in booting IGEL OS from a IGEL UD Pocket on the device, While IGEL OS is Secure Boot signed, it doesn’t boot when the system is locked to “Microsoft Only” Secure Boot mode. To allow IGEL OS to start, the Secure Boot setting needs to be adjusted to “Microsoft & 3rd Party CA.” Clicking on the help tooltip that is presented at the secure boot section displays this screen:

When exploring the Secure Boot settings, the help text clearly states:
Secure Boot is configured by selecting a Secure Boot certificate keyset. There are three keysets to choose from on this PC.
Perfect, I thought — I’ll just select “Microsoft & 3rd Party CA signed” and boot IGEL OS. 

However, clicking on “Secure Boot configuration” reveals a different story: “Microsoft Only” is the only selectable option:

Despite what the Secure boot help screen say, Microsoft has effectively taken the authority—on behalf of its customers—to decide that the Windows 365 Link can only boot an operating system signed by Microsoft’s first-party CA.
Is this restriction meant to protect the user? Perhaps in part, but I can’t help but feel it’s more about protecting Microsoft. And why, then, is the help text misleading? 

After all, once I purchase the device, it should be my property, not Microsoft’s. I should have the freedom to reimage or repurpose my Windows 365 Link however I choose—whether as a Home Assistant appliance, or running IGEL OS to connect to other backend environments. 
To be fair, I haven’t examined the Windows 365 Link EULA or license terms in full detail. It’s possible that, by accepting them, I’ve also accepted these restrictions. Still, I believe this level of control over a customer-owned device is wrong in principle and undermines the spirit of user ownership and open computing. 

The hardware piece – IGEL OS

IGEL OS is a software solution, a part of the IGEL Platform. It allows to be installed on any x86 based hardware supporting Microsoft 3rd party Secure Boot, or even if the hardware does not support Microsoft Secure Boot. This gives flexibility to run IGEL OS on the hardware specification of your choice. Additionally, you can choose from a wide variety of Hardware devices from the IGEL Ready ecosystem, allowing IGEL OS to be preinstalled from factory. Read more at www.igel.com/ready

Windows 365 Link vs. IGEL OS: A Field-Tested Comparison 

Operating System Security

Let me start by saying I’m not an expert on the internal security hardening of the Windows 365 Link and the Windows Cloud PC (WCPC) operating system. What follows are my observations, assumptions, and conclusions based on firsthand experience.

From what I can tell, the Windows 365 Link OS — Windows Cloud PC — is extremely well protected, exactly as it should be. It’s a purpose-built, locked-down operating system designed to do one thing: securely connect users to their Windows 365 Cloud PCs. There’s no way to open a command line, no way to connect remotely, and a simple nmap scan shows the lowest 1000 TCP and UDP ports in an “ignore” state on both TCP and UDP. Very good!
BTW, finding the IP address of the host had to be done through my DHCP server, as the user interface of WCPC does not display it for the user.

The device is managed through Microsoft Intune, often referred to as Modern Endpoint Management. I’m using Intune with default settings, and my impression is that once the Windows 365 Link is enrolled, it becomes locked to your Entra tenant. You can’t use it to log in to another tenant’s Windows 365 environment. 

Out-Of-Box Experience (OOBE)

You can view my full onboarding walkthrough here:

The OOBE process is clean and straightforward, though I’d prefer that language and keyboard selection appeared in the main dialog rather than as tray icons. In my video, the device connects to Windows 365 Frontline, and while I paused before the session starts, the connection speed—once the remote machine is available—is excellent. 

Before recording, I had updated the device. Prior to those updates, my Link only connected to my Windows 365 Cloud PC, not to Windows 365 Frontline. After updating, both options became available. So if you plan to use both Cloud PC and Frontline, make sure to run all Windows updates first. 
Once configured, the user experience feels quick, clean, and responsive—exactly what you’d expect from a purpose-built Microsoft device. 

Windows 365 Link – Use case mapping

I see the Windows 365 Link as a good option for users, that use Windows 365 delivered services exclusively – because the Windows 365 is designed for and will only be able to connect to Windows 365 resources. In the objective look at Windows 365 ecosystem, this is not a limitation – this is how the product is designed. It is an endpoint device directly ment to fit into Windows 365 concept, and ONLY to the Windows 365 concept.
This is why I call it a ‘Microsoft Local OS Zero Client’. Technically it’s running a lightweight Windows 11variant /WCPC), called Windows WCPC – which moves it away from the Zero Client category, though, as its complete use case is limited to Windows 365 service, it effectively behaves like a Zero Client device.

However, this specialization comes at a cost: lock-in. If you ever decide to move to another service or platform, these endpoints can’t be repurposed—you’d need to replace them entirely. 

Windows 365 Link supports Microsoft Teams offloading via Slimcore – new technology with better user experience. However, I have not been able to offload Zoom meetings, as the platform doesn’t allow the installation of the Zoom VDI plugin -or any other third-party agent not explicitly approved and included by Microsoft.
In other words, you get a well-integrated but highly restricted device: secure, stable, but closed. 

IGEL OS – Use case mapping

By contrast, IGEL OS offers a universal endpoint approach. It’s not tied to one cloud or one vendor. IGEL supports multiple session delivery methods including Windows 365, Azure Virtual Desktop (AVD), Citrix, VMware Horizon, and even SaaS and browser-based apps through the IGEL Adaptive Secure Desktop™ model. 

This flexibility means you can mix and match—for example, presenting users with access to both Windows 365 and AVD from the same device. If your backend or investment strategy changes, your endpoints can evolve with it. 

While IGEL OS doesn’t currently support Microsoft Teams offloading via Slimcore, it does provide WebRTC redirection, delivering a solid user experience until Microsoft extends Slimcore capabilities to the Linux ecosystem. Zoom VDI, Cisco Webex, and other collaboration tools run smoothly, and organizations can install custom agents or middleware as needed. 

Authentication Methods supported by Windows 365 Link vs. IGEL OS

Here is the list of official supported authentication methods

  • Username/Password
  • Phone sign-in via Microsoft Authenticator
  • FIDO2 security keys
  • Passkeys
  • Windows Hello for Business

Compared to IGEL OS and Windows365 Service

  • Username/Password
  • FIDO2 security keys
  • Smart Card Authentication with Entra Certificate Based Authentication (MSAL)

While the Windows 365 Link offering more authentication options, it does lacks strong Authentication using Smart Cards. The only reason that I can see is that, as the Windows 365 Link doesn’t support installation of 3rd party software, any middleware software to allow reading of smart cards are not applicable. Interestingly, even when Entra authentication shows “Use a certificate or Smart Card,” the login fails on Windows 365 Link.

Comparisons Windows 365 Link vs. IGEL OS

I’ve put together a series of videos showing the user experience on Windows 365 Link vs. IGEL OS

Boot time:

In the above video I’m comparing the boot time of a Windows 365 Link vs. IGEL OS 12 – From cold boot until ready for user input. Both devices are setup to start up and go directly into a cloud login which will take the user to the Windows 365 machine available.

Session Connection Time:

Here I do a comparison of the login speed, including entering credentials, selecting the resource to start and doing the session connection. In the video you will see that IGEL OS also includes the published resources of Azure Virtual Desktop, this is not part of the use case for Windows 365 Link.

Remote Management – Reboot:

As I tested the remote management of Windows 365 Link with Intune vs. using IGEL OS with IGEL UMS (Universal Management Suite), looking at the simplest use case of remote rebooting the client device, revealed inconsistent results.
The IGEL UMS in this case runs as a virtual Appliance in Azure, and we know that Intune runs in Azure. When issuing the reboot command to the IGEL OS endpoint, the endpoint informs the user within seconds and then starts the reboot sequence. With Microsoft Intune, my Windows 365 Link took over an hour to reboot first time, and three minutes on a second attempt—random, unpredictable behavior. The Windows 365 Link device just reboots “randomly” without informing the user.
I think having a remote management solution where you cannot determine when your commands are becoming effective, is certainly not ideal.

I also tested to do a remote wipe and do an Intune “Fresh Start”, that also took a random time to start reverting the machine, and the actual reverting of the device took 15-30 minutes. It didn’t revert the applied Windows Updates though, which in my case wasn’t a bad thing.

Looking at another use case, let’s say that you have a mini PC, tucked in in the ceiling, displaying eg. flight information/waiting times at an airport, “customers best deals” at a shop floor, etc. While not deal-breaking, this unpredictability can be frustrating – especially for remote or hard-to-access devices like digital signage or kiosk endpoints.

Summary

The Windows 365 Link is a solid, well-designed endpoint built for one specific purpose: connecting users to Windows 365. If your environment is all-in on Microsoft 365 and simplicity tops your priority list, it’s a strong choice. 

However, for organizations seeking flexibility, long-term investment protection, and multi-platform support, IGEL OS offers a more versatile path. It delivers a similar user experience to Windows 365 Link but without the limitations of being tied to a single ecosystem. With the extra capabilities of “booting straight in to” Azure Virtual Desktop, and at the same time giving you the possibilities to change the connection type over time, when your investments change, should be a point to bring with you.