+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+ Title: "Step 3 - Wipe and block a former employee's mobile device"

+- admindeeplinkEXCHANGE

+description: "Follow these steps to block a former employee's mobile device access."

+# Step 3 - Wipe and block a former employee's mobile device

+If your former employee had an organization phone, you can use the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> to wipe and block that device so that all organization data is removed from the device and it can no longer connect to Office 365. If your organization uses Basic Mobility and Security to manage mobile devices, you can wipe and block those devices using Basic Mobility and Security.

+## Wipe mobile device using the Exchange admin center

+1. Go to the Exchange admin center > **Recipients** \> <a href="https://go.microsoft.com/fwlink/?linkid=2183135" target="_blank">Mailboxes</a>.

+1. Select the user, and under **Mobile Devices**, select **View details**.

+1. On the **Mobile Device Details** page, under **Mobile devices**, select the mobile device, select **Wipe Data**, and then select **Block**.

+1. Select **Save**.

+ > [!TIP]

+ > Be sure you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.

+ Title: "Step 4 - Forward a former employee's email to another employee or convert to a shared mailbox"

+description: "Follow these steps to forward a former employee's email to another employee or convert to a shared mailbox."

+# Step 4 - Forward a former employee's email to another employee or convert to a shared mailbox

+In this step, you assign the former employee's email address to another employee, or convert the user's mailbox to a shared mailbox.

+## Convert former employee's mailbox to a shared mailbox

+When you convert a user's mailbox to a shared mailbox, all of the existing email and calendar are retained. Only now it's in a shared mailbox where several people will be able to access it instead of one person. You can convert a shared mailbox back to a user (private) mailbox at a later date if you want.

+- Creating a shared mailbox is the less expensive way to go because you won't have to pay for a license **as long as the mailbox is smaller than 50 GB**. If it is over 50 GB, you'll need to assign a license to it.

+- If you convert the mailbox to a shared mailbox, all the old email will be available, too. This can take up a lot of space.

+- If you set up email forwarding, only *new* emails sent to the former employee will be sent to the current employee.

+Follow these steps to [convert the user's mailbox to a shared mailbox](../email/convert-user-mailbox-to-shared-mailbox.md).

+## Forward a former employee's email to another employee

+ > [!IMPORTANT]

+ > If you're setting up email forwarding or a shared mailbox, in the end, don't delete the former employee's account. The account needs to be there to anchor the email forwarding or shared mailbox.

+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.

+2. Select the name of the employee that you want to block, and then select the **Mail** tab.

+3. Under **Email Forwarding**, select **Manage email forwarding**.

+4. Turn on **Forward all email sent to this mailbox**. In the **Forwarding address** box, type the email address of the current employee who's going to get the email.

+5. Select **Save**.

+6. Remember, don't delete the former employee's account.

+[Open and use a shared mailbox in Outlook](https://support.microsoft.com/office/open-and-use-a-shared-mailbox-in-outlook-d94a8e9e-21f1-4240-808b-de9c9c088afd)

+[Access another person's mailbox](https://support.microsoft.com/office/access-another-person-s-mailbox-a909ad30-e413-40b5-a487-0ea70b763081)

+[Exchange admin center in Exchange Online](/exchange/exchange-admin-center)

+[Manager another person's mail and calendar items](https://support.microsoft.com/office/manage-another-person-s-mail-and-calendar-items-afb79d6b-2967-43b9-a944-a6b953190af5)

+ Title: "Step 5 - Give another employee access to OneDrive and Outlook data"

+- AdminTemplateSet

+description: "Follow the steps in this article to give another employee access to the former employee's OneDrive and Outlook data."

+# Step 5 - Give another employee access to OneDrive and Outlook data

+When an employee leaves your organization, you'll want to access their OneDrive and Outlook data, back it up, and choose whether to give it to another employee.

+

+## Access a former user's OneDrive documents

+If you remove a user's license but don't delete the account, you can give yourself access to the content in the user's OneDrive. If you delete the user's account, you have 30 days by default to access the former user's OneDrive data. [Learn how to set the OneDrive retention for deleted users](/onedrive/set-retention). If you don't [restore a user account](/office365/admin/add-users/restore-user) within this time, their OneDrive content is deleted.

+To preserve a former user's OneDrive files, first give yourself access to their OneDrive, and then move the files you want to keep.

+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.

+2. Select a user.

+3. On the user properties page, select **OneDrive**. Under **Get access to files**, select **Create link to files**.

+4. Select the link to open the file location. Download the files to your computer, or select **Move to** or **Copy to** to move or copy them to your own OneDrive or to a shared library.

+> [!NOTE]

+> You can move or copy up to 500 MB of files and folders at a time.<br/>

+> When you move or copy documents that have version history, only the latest version is moved.

+You can also grant access to another user to access a former employee's OneDrive.

+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a> as a global admin or SharePoint admin.

+ If you get a message that you don't have permission to access the admin center, then you don't have administrator permissions in your organization.

+2. In the left pane, select **Admin centers** \> **SharePoint**. (You might need to select **Show all** to see the list of admin centers.)

+3. If the classic SharePoint admin center appears, select **Open it now** at the top of the page to open the SharePoint admin center.

+4. In the left pane, select **More features**.

+5. Under **User profiles**, select **Open**.

+6. Under **People**, select **Manage User Profiles**.

+7. Enter the former employee's name and select **Find**.

+8. Right-click the user, and then choose **Manage site collection owners**.

+9. Add the user to **Site collection administrators** and select **OK**.

+10. The user will now be able to access the former employee's OneDrive using the OneDrive URL.

+### Revoke admin access to a user's OneDrive

+You can give yourself access to the content in a user's OneDrive, but you may want to remove your access when you no longer need it.

+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a> as a global admin or SharePoint admin.

+ If you get a message that you don't have permission to access the admin center, then you don't have administrator permissions in your organization.

+2. In the left pane, select **Admin centers** \> **SharePoint**. (You might need to select **Show all** to see the list of admin centers.)

+3. If the classic SharePoint admin center appears, select **Open it now** at the top of the page to open the SharePoint admin center.

+4. In the left pane, select **More features**.

+5. Under **User profiles**, select **Open**.

+6. Under **People**, select **Manage User Profiles**.

+7. Enter the user's name and select **Find**.

+8. Right-click the user, and then choose **Manage site collection owners**.

+9. Remove the person who no longer needs access to the user's data, and then select **OK**.

+## Access the Outlook data of a former user

+To save the email messages, calendar, tasks, and contacts of the former employee, export the information to an Outlook Data File (.pst).

+

+1. [Add the former employee's email](https://support.microsoft.com/office/6e27792a-9267-4aa4-8bb6-c84ef146101b) to your Outlook. (If you [reset the user's password](reset-passwords.md), you can set it to something only you know.)

+2. In Outlook, select **File**.

+ 

+

+3. Select **Open &amp; Export** \> **Import/Export**.

+ 

+

+4. Select **Export to a file**, and then select **Next**.

+ 

+

+5. Select **Outlook Data File (.pst)**, and then select **Next**.

+6. Select the account you want to export by selecting the name or email address, such as Mailbox - Anne Weiler or anne@contoso.com. If you want to export everything in your account, including mail, calendar, contacts, tasks, and notes, make sure the **Include subfolders** check box is selected.

+ > [!NOTE]

+ > You can export one account at a time. If you want to export multiple accounts, after one account is exported, repeat these steps.

+

+ 

+

+7. Select **Next**.

+8. Select **Browse** to select where to save the Outlook Data File (.pst). Type a *file name*, and then select **OK** to continue.

+ > [!NOTE]

+ > If you've used export before, the previous folder location and file name appear. Type a *different file name* before selecting **OK**.

+

+9. If you are exporting to an existing Outlook Data File (.pst), under **Options**, specify what to do when exporting items that already exist in the file.

+10. Select **Finish**.

+Outlook begins the export immediately unless a new Outlook Data File (.pst) is created or a password-protected file is used.

+

+- If you're creating an Outlook Data File (.pst), an optional password can help protect the file. When the **Create Outlook Data File** dialog box appears, type the *password* in the **Password** and **Verify Password** boxes, and then select **OK**. In the **Outlook Data File Password** dialog box, type the *password*, and then select **OK**.

+- If you're exporting to an existing Outlook Data File (.pst) that is password protected, in the **Outlook Data File Password** dialog box, type the *password*, and then select **OK**.

+See how to [Export or backup email, contacts, and calendar to an Outlook .pst file](https://support.microsoft.com/office/14252b52-3075-4e9b-be4e-ff9ef1068f91) in Outlook 2010.

+ > [!NOTE]

+ > By default, your email is available offline for a period of 12 months. If required, see how to [increase the data available offline](/outlook/troubleshoot/mailboxes/only-subset-items-synchronized).

+### Give another user access to a former user's email

+To give access to the email messages, calendar, tasks, and contacts of the former employee to another employee, import the information to another employee's Outlook inbox.

+> [!NOTE]

+> You can also [convert the former user's mailbox to a shared mailbox](/office365/admin/email/convert-user-mailbox-to-shared-mailbox) or [forward a former employee's email to another employee](/office365/admin/add-users/remove-former-employee#forward-a-former-employees-email-to-another-employee-or-convert-to-a-shared-mailbox).

+1. In Outlook, go to **File** \> **Open &amp; Export** \> **Import/Export**.

+ This starts the Import and Export Wizard.

+2. Select **Import from another program or file**, and then select **Next**.

+ 

+

+3. Select **Outlook Data File (.pst)**, and select **Next**.

+4. Browse to the .pst file you want to import.

+5. Under **Options**, choose how you want to deal with duplicates.

+6. Select **Next**.

+7. If a password was assigned to the Outlook Data File (.pst), enter the password, and then select **OK**.

+8. Set the options for importing items. The default settings usually don't need to be changed.

+9. Select **Finish**.

+> [!NOTE]

+> The steps remain the same for accessing an existing user's OneDrive and email data.

+> [!TIP]

+> If you want to import or restore only a few items from an Outlook Data File (.pst), you can open the Outlook Data File. Then, in the navigation pane, drag the items from Outlook Data File folders to your existing Outlook folders.

+[Add and remove admins on a OneDrive account](/sharepoint/manage-user-profiles#add-and-remove-admins-for-a-users-onedrive) (article)

+[Restore a deleted OneDrive](/onedrive/restore-deleted-onedrive) (article)

+[OneDrive retention and deletion](/onedrive/retention-and-deletion) (article)

+[Share OneDrive files and folders](https://support.microsoft.com/office/share-onedrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07)

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+1. In the Microsoft 365 admin center, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2072756" target="_blank">**Security & privacy** tab</a> under **Org Settings**.

+> Password expiration notifications are no longer supported in Office web apps or the [admin center](https://portal.office.com).

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+- business_assist

+> [!TIP]

+> If you need help with the steps in this topic, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+|Microsoft 365 Apps for enterprise and Microsoft 365 Apps for business <br/> |The person can download Office apps on up to five Macs or PCs, five tablets, and five smartphones. <br/> |

+*These IDs have changed. If you previously blocked products using the old IDs, they are automatically blocked using the new IDs. No additional work is required.

+## View or set the status for AllowSelfServicePurchase

+1. From the [Microsoft 365 compliance center](https://compliance.microsoft.com/), select **Information Governance** > **Retention Policies**.

+1. From the [Microsoft 365 compliance center](https://compliance.microsoft.com/), select **Information Governance** > **Retention Policies**.

+1. From the [Microsoft 365 compliance center](https://compliance.microsoft.com/), select **Information Governance** > **Retention Policies**.

+However, if you're looking for lifecycle management of high-value items for business, legal, or regulatory record-keeping requirements, [use file plan to create and manage retention labels](file-plan-manager.md).

+Double Key Encryption is intended for your most sensitive data that is subject to the strictest protection requirements. DKE isn't intended for all data. In general, you'll be using Double Key Encryption to protect only a small part of your overall data. You should do due diligence in identifying the right data to cover with this solution before you deploy. In some cases, you might need to narrow your scope and use other solutions for most of your data, such as Microsoft Information Protection with Microsoft-managed keys or BYOK. These solutions are sufficient for documents that aren't subject to enhanced protections and regulatory requirements. Also, these solutions enable you to use the most powerful Office 365 services; services that you can't use with DKE encrypted content. For example:

+Any external applications or services that aren't integrated with DKE through the Microsoft Information Protection (MIP) SDK will be unable to perform actions on the encrypted data.

+The Microsoft Information Protection SDK 1.7+ supports Double Key Encryption. Applications that integrate with our SDK can reason over this data with sufficient permissions and integrations in place.

+Use Microsoft Information protection capabilities (classification and labeling) to protect most of your sensitive data and only use DKE for your mission-critical data. Double Key Encryption is relevant for sensitive data in highly regulated industries such as Financial services and Healthcare.

+**Online content support**. You can store documents and files that are protected with Double Key Encryption online in both Microsoft SharePoint and OneDrive for Business. You must label and protect documents and files with DKE by supported applications before you upload to these locations. You can share encrypted content by email, but you can't view encrypted documents and files online. Instead, you must view protected content using the supported desktop applications and clients on your local computer.

+You'll follow these general steps to set up DKE. Once you've completed these steps, your end users can protect your highly sensitive data with Double Key Encryption.

+2. Create a label with Double Key Encryption. In the Microsoft 365 compliance center, navigate to **Information protection** and create a new label with Double Key Encryption. See [Restrict access to content by using sensitivity labels to apply encryption](./encryption-sensitivity-labels.md).

+1. Change to the folder where you want to save the test keys. The files you create by completing the steps in this task are stored in the same folder.

+1. Generate the new test key.

+1. Generate the private key.

+1. Generate the public key.

+1. In a text editor, open **pubkeyonly.pem**. Copy all of the content in the **pubkeyonly.pem** file, except the first and last lines, into the `PublicPem` section of the **appsettings.json** file.

+1. In a text editor, open **privkeynopass.pem**. Copy all of the content in the **privkeynopass.pem** file, except the first and last lines, into the `PrivatePem` section of the **appsettings.json** file.

+1. Remove all blank spaces and newlines in both the `PublicPem` and `PrivatePem` sections.

+1. In Visual Studio Code, browse to the **Startup.cs** file. This file is located in the DoubleKeyEncryptionService repo you cloned locally under DoubleKeyEncryptionService\src\customer-key-store\.

+1. Locate the following lines:

+1. Replace these lines with the following text:

+ For example: `https://dkeservice.scm.azurewebsites.net/ZipDeployUI`

+5. Drag and drop the .zip file you create to the ZipDeployUI site you opened above. For example: `https://dkeservice.scm.azurewebsites.net/ZipDeployUI`

+The key name is case-sensitive. Enter the key name as it appears in the appsettings.json file.

+ For example: `https://mydkeservicetest.com`

+ - The domain must be a [registered domain](/azure/active-directory/develop/reference-breaking-changes#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains).

+ - If you're testing locally with Visual Studio, use `https://localhost:5001`.

+11. On the left pane, select **Expose an API**, next to Application ID URI, enter your App Service URL, including both hostname and domain, and then select **Set**.

+In the Microsoft 365 compliance center, create a new sensitivity label and apply encryption as you would otherwise. Select **Use Double Key Encryption** and enter the endpoint URL for your key. You need to include the key name you've provided within the "TestKeys" section of the appsettings.json file in the URL.

+For example: `https://testingdke1.azurewebsites.net/KEYNAME`

+We realize that for some customers in highly regulated industries, this standard reference implementation using software-based keys may not be sufficient to meet their enhanced compliance obligations and needs. We've partnered with third-party hardware security module (HSM) vendors to support enhanced key management options in the DKE service, including:

+ - [Entrust](https://www.entrust.com/digital-security/hsm/services/packaged-services/double-key-encryption-integration#:~:text=Entrust%20Double%20Key%20Encryption%20for%20Microsoft%20AIP%2C%20offered,trust%20for%20the%20protection%20of%20sensitive%20cryptographic%20keys.)

+- [Thales](https://cpl.thalesgroup.com/cloud-security/encryption/double-key-encryption)

+Reach out directly to these vendors for more information and guidance on their in-market DKE HSM solutions.

+A single tenant can have a maximum of 10,000 policies (any configuration). This maximum number includes the different policies for retention, and other policies for compliance such as policies for DLP, information barriers, eDiscovery holds, Litigation holds, In-Place Holds, and sensitivity labels. However, this maximum excludes:

+- Label policies for SharePoint and OneDrive that delete-only, rather than retain-only or retain and then delete. The exception is auto-apply label policies for cloud attachments, which are always included in the 10,000 maximum.

+- Exchange retention policies from [messaging records management (MRM)](/exchange/security-and-compliance/messaging-records-management/messaging-records-management).

+ - Per mailbox: 25 is the recommended maximum before performance might be impacted; 50 is the supported limit.

+> [!NOTE]

+> These maximum numbers for Exchange and SharePoint are not exclusive to retention but are shared with other types of hold policies that include eDiscovery holds, Litigation holds, and In-Place Holds.

+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2018+ | 16.49+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |

+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.49+ | Under review | Under review | Yes |

+| **reprovision** | Windows 365 | Retry Provisioning | Windows 365 |

+These articles describe the steps you'll need to take in your organization to prepare for enrollment, including:

+- Checking that your environment meets key prerequisites

+- Configuring networks

+- Setting up certificates

+- Preparing your apps for inclusion in the service

+Once you've run the readiness assessment tools, you can complete the other steps in any order or in parallel. Depending on your environment, some of the steps might not be relevant to you.

+1. Run [readiness assessment tools](readiness-assessment-tool.md).

+This article outlines the infrastructure requirements you must meet to assure success with Microsoft Managed Desktop.

+| Area | Prerequisite details |

+| -- | -- |

+| Licensing | Microsoft Managed Desktop requires the Microsoft 365 E3 license with Microsoft Defender for Endpoint (or equivalents) assigned to your users. <ul><li>For details about the specific service plans, see [More about licenses](#more-about-licenses).</li><li> For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).</li></ul>

+| Connectivity | All Microsoft Managed Desktop devices require connectivity to numerous Microsoft service endpoints from the corporate network.<br><br> For the full list of required IPs and URLs, see [Network configuration](../get-ready/network.md).

+| Azure Active Directory | Azure Active Directory (Azure AD) must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure AD Connect. <ul><li>For more information, see [Azure AD Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect).</li><li> For more information on supported Azure AD Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul>

+| Authentication | If Azure AD isn't the source of primary authentication for user accounts, you must configure one of the following authentication methods in Azure AD Connect:<ul><li> Password hash synchronization.</li> <li> Pass-through authentication.</li><li>An external identity provider (including Windows Server ADFS and non-Microsoft IDPs) configured to meet Azure AD integration requirements. For more information, see the [guidelines](https://www.microsoft.com/download/details.aspx?id=56843).</li></ul> <br> When setting authentication options with Azure AD Connect, password writeback is also recommended. For more information, see [Password writeback](/azure/active-directory/authentication/howto-sspr-writeback). <br><br> If an external identity provider is implemented, you must validate the solution:<ul><li>Meets Azure AD integration requirements.</li><li>Supports Azure AD Conditional Access, which allows the Microsoft Managed Desktop device compliance policy to be configured.</li><li>Enables device enrollment, use of Microsoft 365 services, or features required as part of Microsoft Managed Desktop.</li></ul> <br>For more information on authentication options with Azure AD, see [Azure AD Connect user sign in options](/azure/active-directory/connect/active-directory-aadconnect-user-signin).

+| Microsoft 365 | OneDrive for Business must be enabled for Microsoft Managed Desktop users.<br><br>Though it isn't required to enroll with Microsoft Managed Desktop, we highly recommended that the following services be migrated to the cloud:<ul><li>Email: Migrate to cloud-based mailboxes, Exchange online, or configure with Exchange Online Hybrid with Exchange 2013 or higher, on-premises.</li><li>Files and folders: Migrate to OneDrive for Business or SharePoint Online.</li><li>Online collaboration tools: Migrate to Teams.</ul> |

+| Device management | Microsoft Managed Desktop devices require management using Microsoft Intune. Intune must be set as the Mobile Device Management authority.<br><br> For more information, see [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).

+| Data backup and recovery | Microsoft Managed Desktop requires files to be synced to OneDrive for Business for protection. Any files not synced to OneDrive for Business aren't guaranteed by Microsoft Managed Desktop. The files might be lost during device exchanges or support calls requiring a device reset.<br><br>Though not required, Microsoft Managed Desktop strongly recommends migration from mapped network drives to the appropriate cloud solution. For more information, see [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)

+When you're ready to get started with Microsoft Managed Desktop, contact your Microsoft Account Manager.

+> Your Microsoft Account Manager will help you review your current licenses, service plans, and find the most efficient path for you to get any additional licenses or service plans you might need, while avoiding duplication.

+1. Run [readiness assessment tools](readiness-assessment-tool.md).

+1. Address [device names](address-device-names.md).

+To work well with Microsoft Managed Desktop, devices must meet certain requirements for hardware and settings. Each device must be able to reach key endpoints.

+Download and run the readiness assessment checker tool to obtain an HTML report, view results, and take action. You must download the tool and supporting files. Then, run it manually on each device you want to enroll in Microsoft Managed Desktop.

+For each check, the tool will report one of three possible results:

+| Result | Meaning |

+| -- | -- |

+| Ready | No action is required before you complete enrollment. |

+| Advisory | Follow the steps in the tool for the best experience with enrollment and for users. <br><br> You *can* complete enrollment, but you must fix these issues before you deploy your first device. |

+| Not ready | **Enrollment will fail** if you don't fix these issues. <br><br> Follow the steps in the tool to resolve them. |

+**To run the tool:**

+You could also download and extract the .zip archive to a shared location, access **Microsoft.MMD.DeviceReadinessAssessmentTool.exe** from each device. Then, run it locally.

+The downloadable tool checks these device and network-related items:

+| Check | Description |

+| -- | -- |

+| Hardware | Devices must meet specific hardware requirements to work with Microsoft Managed Desktop. For more information, see [Device requirements](../service-description/device-list.md). <br><br> If your device fails any of the checks, it's not compatible with Microsoft Managed Desktop. |

+| Network endpoints | Devices much be able to reach several [key endpoints](network.md) to work with Microsoft Managed Desktop. <br><br> If the tool reports a **Not ready** result, see the detailed report to find out which endpoints weren't reachable. Then, adjust your firewall or other network settings to ensure those endpoints can be reached. |

+| Setting | Description |

+| -- | -- |

+| Enterprise Wi-Fi profiles | An **Advisory** result means that you're using some Wi-Fi profiles that need certificates and profiles to work properly. For more information, see [Deploy certificates and Wi-Fi/VPN profile](certs-wifi-lan.md#deploy-certificates-and-wi-fivpn-profile). |

+| LAN profiles | An **Advisory** result means that you have LANs that need certificates and profiles to work properly. For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |

+| VPN profiles | An **Advisory** result means that you're using a virtual private network (VPN). Create a VPN profile that deploys certificates integrated with Microsoft Intune. For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |

+| Mapped drives | An **Advisory** result means that you have some mapped drives, which aren't recommended. For more information, see [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md). |

+| Print queues | An **Advisory** result means that you have some outstanding print queues, which aren't recommended. One solution is to use cloud printing. For more information, see [Prepare printing resources for Microsoft Managed Desktop](printing.md). |

+| Proxies | An **Advisory** result means that you have a proxy server in use. For more information, see [Network configuration for Microsoft Managed Desktop](network.md). |

+| Result | Meaning |

+| -- | -- |

+| Ready | No action is required before completing enrollment. |

+| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users. <br><br> You *can* complete enrollment, but you must fix these issues before you deploy your first device. |

+| Not ready | **Enrollment will fail if you don't fix these issues.** <br><br> Follow the steps in the tool or this article to resolve them. |

+| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check. |

+> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365, items that were "Ready" can become "Not ready." To avoid problems with Microsoft Managed Desktop operations, check the specific settings described in this article before you change any policies.

+You shouldn't have any existing Autopilot profiles that target assigned or dynamic groups with Microsoft Managed Desktop devices. Microsoft Managed Desktop uses Autopilot to configure new devices. If you have an existing Autopilot deployment profile, the **Convert all targeted devices to Autopilot** setting must be set to **No** for the Microsoft Managed Desktop Autopilot readiness test to succeed.

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have an Autopilot profile that is assigned to all devices. For more information, see [Enroll Windows devices in Intune by using Windows Autopilot](/mem/autopilot/enrollment-autopilot). After Microsoft Managed Desktop enrollment, set your Autopilot policy to exclude the **Modern Workplace Devices -All** Azure AD group.

+| Advisory | Make sure that your Autopilot profiles target an assigned or dynamic Azure AD group that doesn't include Microsoft Managed Desktop devices. For more information, see [Enroll Windows devices in Intune by using Windows Autopilot](/mem/autopilot/enrollment-autopilot). After Microsoft Managed Desktop enrollment, set your Autopilot profiles to exclude the **Modern Workplace Devices -All** Azure AD group. |

+If you have any certificate connectors that will be used by the devices you want to enroll in Microsoft Managed Desktop, the connectors shouldn't have any errors. Only one of the following advisories will apply to your situation, so check them carefully.

+| Result | Meaning |

+| -- | -- |

+| Advisory | No certificate connectors are present. It's possible you don't need any connectors, but you should evaluate whether you might need some for network connectivity on your Microsoft Managed Desktop devices. For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |

+| Advisory | At least one certificate connector has an error. If you need this connector for providing certificates to Microsoft Managed Desktop devices, you must resolve the error. For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |

+| Advisory | You have at least one certificate connector, and no errors are reported. However, in preparation for deployment, you might need to create a profile to reuse the connector for Microsoft Managed Desktop devices. For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |

+Microsoft Managed Desktop requires that IT administrators install Intune Company Portal for their users with Microsoft Managed Desktop devices.

+| Result | Meaning |

+| -- | -- |

+| Not ready | You don't have Company Portal installed for your users. Purchase Company Portal and force a sync between Intune and Microsoft Store for Business. For more information, see [Install Intune Company Portal on devices](../get-started/company-portal.md).

+Conditional access policies can't prevent Microsoft Managed Desktop from managing your Azure AD organization (tenant) in Intune and Azure AD.

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have at least one conditional access policy that targets all users. During enrollment, we'll exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. After enrollment, you can review the Microsoft Managed Desktop conditional access policy in Microsoft Endpoint Manager. For more about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |

+| Advisory | You have conditional access policies that could prevent Microsoft Managed Desktop from managing the Microsoft Managed Desktop service. During enrollment, we'll exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |

+| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure AD roles assigned to run this check: <ul><li>Security Reader</li><li>Security Administrator</li><li>Conditional Access Administrator</li><li>Global Reader</li><li>Devices Administrator</li></ul>

+Intune Device Compliance policies in your Azure AD organization might affect Microsoft Managed Desktop devices.

+| Result | Meaning |

+| -- | -- |

+| Advisory | You have at least one compliance policy that applies all users. Microsoft Managed Desktop also includes compliance policies that will apply to your Microsoft Managed Desktop devices. Review all of the compliance policies created by your organization that apply to Microsoft Managed Desktop devices to ensure there are no conflicts. For more information, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy). |

+Intune Device Configuration profiles in your Azure AD organization can't target any Microsoft Manage Desktop devices or users.

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have at least one configuration profile that applies to all users, all devices, or both. Reset the profile to apply to a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices. For more information, see [Create a profile with custom settings in Microsoft Intune](/mem/intune/configuration/custom-settings-configure). |

+| Advisory | Make sure that any configuration policies you have don't include any Microsoft Managed Desktop devices or users. For more information, see [Create a profile with custom settings in Microsoft Intune](/mem/intune/configuration/custom-settings-configure). |

+| Result | Meaning |

+| -- | -- |

+| Not ready | You currently have at least one enrollment restriction policy configured to prevent Windows devices from enrollment in Intune. Follow the steps in [Set enrollment restrictions](/mem/intune/enrollment/enrollment-restrictions-set) for each enrollment restriction policy that targets Microsoft Managed Desktop users and change the **Windows (MDM)** setting to **Allow**. You can, however, set any **personally owned** **Windows (MDM)** devices to **Block**. |

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have the ESP default profile set to **Show app and profile configuration progress**. Disable this setting or ensure that assignments to any Azure AD group don't include Microsoft Managed Desktop devices by following the steps in [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). |

+| Advisory | Make sure that any profiles that have the **Show app and profile configuration progress** setting aren't assigned to any Azure AD group that includes Microsoft Managed Desktop devices. For more information, see [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). |

+We use Microsoft Store for Business and deploy the Company Portal app on Microsoft Managed Desktop. This method allows users to optionally install some apps, such as Microsoft Project and Microsoft Visio (where permitted).

+| Result | Meaning |

+| -- | -- |

+| Not ready | Microsoft Store for Business either isn't enabled or isn't synced with Intune. For more information, see [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) and [Install Intune Company Portal on devices](../get-started/company-portal.md). |

+### Multi-factor authentication

+Multi-factor authentication can't prevent Microsoft Managed Desktop from managing your Azure AD organization (tenant) in Intune and Azure AD.

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have some multi-factor authentication policies set as **required** for conditional access policies that are assigned to all users. During enrollment, we'll exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |

+| Advisory | You have multi-factor authentication required on conditional access policies that could prevent Microsoft Managed Desktop from managing the Microsoft Managed Desktop service. During enrollment, well exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |

+| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure AD roles assigned to run this check: <ul><li>Security Reader</li><li>Security Administrator</li><li>Conditional Access Administrator</li><li>Global Reader</li><li>Devices Administrator</li></ul>

+Windows PowerShell scripts can't be assigned in a way that would target Microsoft Managed Desktop devices.

+| Result | Meaning |

+| -- | -- |

+| Advisory | Make sure that Windows PowerShell scripts in your Azure AD organization don't target any Microsoft Manage Desktop devices or users. Don't assign a PowerShell script to target all users, all devices, or both. Change the policy to use an Assignment that targets a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices or users. For more information, see [Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension). |

+| Result | Meaning |

+| -- | -- |

+| Not ready | Your Azure AD organization region isn't currently supported by Microsoft Managed Desktop. For more information, see [Microsoft Managed Desktop supported regions and languages](../service-description/regions-languages.md). |

+| Advisory | One or more of the countries where your Azure AD organization is located isn't supported by Microsoft Managed Desktop. For more information, see [Microsoft Managed Desktop supported regions and languages](../service-description/regions-languages.md). |

+Security baseline policies shouldn't target any Microsoft Managed Desktop devices.

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have a security baseline profile that targets all users, all devices, or both. Change the policy to use an assignment that targets a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices. <br><br> For more information, see [Use security baselines to configure Windows 10 devices in Intune](/mem/intune/protect/security-baselines). During enrollment, we apply a new security baseline to all Microsoft Managed Desktop devices. After enrollment, you can review the Microsoft Managed Desktop security baseline policy in the **Configuration policy** area of Microsoft Endpoint Manager. |

+| Advisory | Make sure that any security baseline policies you have exclude Microsoft Managed Desktop devices. For more information, see [Use security baselines to configure Windows 10 devices in Intune](/mem/intune/protect/security-baselines). <br><br> During enrollment, we apply a new security baseline to all Microsoft Managed Desktop devices. The **Modern Workplace Devices -All** Azure AD group is a dynamic group that we create when you enroll in Microsoft Managed Desktop. You'll have to come back to exclude this group after enrollment. |

+This setting must be enabled to avoid a "lack of permissions" error when we interact with your Azure AD organization.

+| Result | Meaning |

+| -- | -- |

+| Not ready | **Allow access to unlicensed admins** should be enabled. For more information, see [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts). |

+| Result | Meaning |

+| -- | -- |

+| Advisory | You should prepare an inventory of the apps that you want your Microsoft Managed Desktop users to have. Since these apps must be deployed by Intune, evaluate reusing existing Intune apps. Consider using Company Portal (see [Install Intune Company Portal on devices](../get-started/company-portal.md) and Enrollment Status Page (ESP) to distribute apps to your users. <br><br> For more information, see [Apps in Microsoft Managed Desktop](apps.md) and [First-run experience with Autopilot and the Enrollment Status Page](../get-started/esp-first-run.md). <br><br> You can ask your Microsoft account representative for a query in Microsoft Endpoint Configuration Manager to identify those apps that are ready to migrate to Intune or need adjustment. |

+| Result | Meaning |

+| -- | -- |

+| Advisory | Windows Hello for Business is either disabled or not set up. Enable it by following the steps in [Create a Windows Hello for Business policy](/mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy). |

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an Assignment that targets a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices. For steps, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). |

+| Advisory | Make sure that any update ring policies you have exclude the **Modern Workplace Devices -All** Azure AD group. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also excluded the **Modern Workplace -All** Azure AD group that you add your Microsoft Managed Desktop users to (or an equivalent group). <br><br> For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). Both the **Modern Workplace Devices -All** and **Modern Workplace -All** Azure AD groups are groups that we create when you enroll in Microsoft Managed Desktop. You'll have to come back to exclude this group after enrollment. |

+You can access Azure Active Directory settings in the [Azure portal](https://portal.azure.com).

+| Result | Meaning |

+| -- | -- |

+| Advisory | Make sure the **MDM User scope** is set to **Some** or **All**, not **None**. <br><br> If you choose **Some**, come back after enrollment and select the **Modern Workplace -All** Azure AD group for **Groups** or an equivalent group targeting all of your Microsoft Managed Desktop users. For more information, see [Set up enrollment for Windows devices by using Microsoft Intune](/mem/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment). |

+Advises how to check a setting that, if set to "false", might prevent Enterprise State Roaming from working correctly.

+| Result | Meaning |

+| -- | -- |

+| Advisory | Ensure that **AllowAdHocSubscriptions** is set to **True**. Otherwise, Enterprise State Roaming might not work. For more information, see [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings). |

+| Result | Meaning |

+| -- | -- |

+| Advisory | Make sure that Enterprise State Roaming is enabled for **All** or for **Selected** groups. For more information, see [Enable Enterprise State Roaming in Azure Active Directory](/azure/active-directory/devices/enterprise-state-roaming-enable). |

+| Result | Meaning |

+| -- | -- |

+| Advisory | **Member users and users assigned to specific admin roles can invite guest including guests with member permissions** should be enabled. For more information, see [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts). |

+Microsoft Managed Desktop recommends adjusting guest access, since the default setting allows all guest in your directory to have the same access as members.

+| Result | Meaning |

+| -- | -- |

+| Advisory | **Guest users have limited access to properties and memberships of directory objects** should be enabled. For more information, see [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts). |

+Many licenses are required to use Microsoft Managed Desktop.

+| Result | Meaning |

+| -- | -- |

+| Not Ready | You don't have all the licenses you need to use Microsoft Managed Desktop. For more information, see [Microsoft Managed Desktop technologies](../intro/technologies.md) and [More about licenses](prerequisites.md#more-about-licenses). |

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have at least one account name that will conflict with account names created by Microsoft Managed Desktop. Work with your Microsoft account representative to exclude these account names. We don't list the account names publicly to minimize security risk.

+| Result | Meaning |

+| -- | -- |

+| Advisory | If you have users assigned to any of these roles in your Azure AD organization, make sure they also have these roles assigned in Microsoft Defender for Endpoint. Otherwise, administrators with these roles won't be able to access the Admin portal. <ul><li>Security Operator</li><li>Global Reader</li></ul> <br> For more information, see [Create and manage roles for role-based access control](/windows/security/threat-protection/microsoft-defender-atp/user-roles).

+| Result | Meaning |

+| -- | -- |

+| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. For more information, see [Common Conditional Access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). |

+| Result | Meaning |

+| -- | -- |

+| Advisory | Make sure that the SSPR **Selected** setting includes Microsoft Managed Desktop users, but excludes Microsoft Managed Desktop service accounts. Microsoft Managed Desktop service accounts can't work as expected when SSPR is enabled. |

+Other than the users who are assigned Global administrator and Device administrator Azure Active Directory roles, Microsoft Managed Desktop users will be standard users without local administrator privileges. All other users will be assigned a standard user role when they start their Microsoft Managed Desktop device.

+| Result | Meaning |

+| -- | -- |

+| Advisory | Microsoft Managed Desktop users won't have local administrator privileges on their Microsoft Managed Desktop devices after enrolling. |

+| Result | Meaning |

+| -- | -- |

+| Advisory | You're using the **Allow syncing only on PCs joined to specific domains** setting. This setting won't work with Microsoft Managed Desktop. Disable this setting. Instead, set up OneDrive to use a conditional access policy. For more information, see [Plan a Conditional Access deployment](/azure/active-directory/conditional-access/plan-conditional-access) for help. |

+For the smoothest possible experience when you enroll in Microsoft Managed Desktop, there are settings and other parameters you must set ahead of time, and certain device and network requirements to meet.

+One tool, accessed through the Microsoft Managed Desktop Admin portal, checks management-related settings. Another tool, which is downloadable, checks individual device requirements and network settings. You can use these tools to check those settings and receive detailed steps for fixing any that aren't right.

+The [online tool](https://aka.ms/mmdart) checks settings in Microsoft Endpoint Manager (specifically, Microsoft Intune), Azure Active Directory (Azure AD), and Microsoft 365 to ensure they'll work with Microsoft Managed Desktop.

+Microsoft Managed Desktop retains the data associated with these checks for 12 months after the last time you run a check in your Azure AD organization (tenant). After 12 months, we retain it in de-identified form. You can choose to delete the data we collect.

+Anyone with at least the Global Reader or Intune Administrator role will be able to run this tool, but two of the checks ([Conditional access policies](readiness-assessment-fix.md#conditional-access-policies) and [Multi-factor authentication](readiness-assessment-fix.md#multi-factor-authentication) require extra permissions.

+The following are the Microsoft Intune settings:

+| Check | Description |

+| | |

+| Autopilot deployment profile | Verifies that assignment of the Autopilot deployment profile doesn't apply to all devices. <br><br> The profile should **not** be assigned to any Microsoft Managed Desktop devices. |

+| Certificate connectors | Checks the state of certificate connectors to ensure they're active. |

+| Conditional access | Verifies that conditional access policies aren't assigned to all users. <br><br> Conditional access policies should **not** be assigned to Microsoft Managed Desktop service accounts. |

+| Device Compliance policies | Checks that Intune compliance policies aren't assigned to all users. <br><br> The policies should **not** be assigned to any Microsoft Managed Desktop devices. |

+| Device Configuration profiles | Confirms that configuration profiles aren't assigned to all users or all devices. <br><br> Configuration profiles should **not** be assigned to any Microsoft Managed Desktop devices. |

+| Device type restrictions | Checks that Windows 10 devices in your organization are allowed to enroll in Intune. |

+| Enrollment Status Page | Confirms that Enrollment Status Page isn't enabled. |

+| Intune enrollment | Verifies that Windows 10 devices in your Azure AD organization are automatically enrolled in Intune. |

+| Microsoft Store for Business | Confirms that Microsoft Store for Business is enabled and synced with Intune. |

+| Multi-factor authentication | Verifies that multi-factor authentication isn't applied to Microsoft Managed Desktop service accounts. |

+| PowerShell scripts | Checks that Windows PowerShell scripts are **not** assigned in a way that would target Microsoft Managed Desktop devices. |

+| Region | Checks that your region is supported by Microsoft Managed Desktop. |

+| Security baselines | Checks that the security baseline profile doesn't target all users or all devices. <br><br> Security baseline policies should **not** target any Microsoft Managed Desktop devices. |

+| Windows apps | Review which apps you want to assign to Microsoft Managed Desktop devices. |

+| Windows Hello for Business | Checks that Windows Hello for Business is enabled. |

+| Windows 10 update ring | Checks that Intune's "Windows 10 update ring" policy doesn't target all users or all devices. <br><br> The policy should **not** target any Microsoft Managed Desktop devices. |

+The following are the Azure Active Directory settings:

+| Check | Description |

+| -- | -- |

+| "Ad hoc" subscriptions for Enterprise State Roaming | Advises how to check a setting that, if set to "false", might prevent Enterprise State Roaming from working correctly. |

+| Enterprise State Roaming | Advises how to check that Enterprise State Roaming is enabled. |

+| Licenses | Checks that you've obtained the necessary [licenses](prerequisites.md#more-about-licenses). |

+| Multi-factor authentication | Checks that multi-factor authentication isn't applied to all users. <br><br> Multi-factor authentication must **not** accidentally be applied to Microsoft Managed Desktop service accounts. |

+| Security account names | Checks that no user names conflict with ones that Microsoft Managed Desktop reserves for its own use. |

+| Security administrator roles | Confirms that users with Security Reader, Security Operator, or Global Reader roles have been assigned those roles in Microsoft Defender for Endpoint. |

+| Security defaults | Checks whether your Azure AD organization has security defaults enabled in Azure Active Directory. |

+| Self-service password reset | Confirms that self-service password reset is enabled. |

+| Standard user role | Verifies that users are standard users and don't have local administrator rights. |

+## Microsoft 365 Apps for Enterprise settings

+The following are the Microsoft 365 Apps for Enterprise settings:

+| Check | Description |

+| -- | -- |

+| OneDrive for Business | Checks whether OneDrive for Business is using unsupported settings. |

+| Result | Meaning |

+| -- | -- |

+| Ready | No action is required before you complete enrollment. |

+| Advisory | Follow the steps in the tool for the best experience with enrollment and for users. <br><br> You *can* complete enrollment, but you must fix these issues before you deploy your first device. |

+| Not ready | **Enrollment will fail** if you don't fix these issues. <br><br> Follow the steps in the tool to resolve them. |

+| Error | The Azure Active Director (AD) role you're using doesn't have sufficient permission to run this check. |

+After you've completed enrollment in Microsoft Managed Desktop, remember to go back and adjust certain Intune and Azure AD settings. For more information, see [Adjust settings after enrollment](../get-started/conditional-access.md).

+| **Service Metrics Report** (*in preview*) | This report provides straightforward summaries of key metrics for Microsoft Managed Desktop month over month. |

+Microsoft Intune is one of the services we use to manage devices on your behalf.

+In some cases, it can be helpful to use Intune reports to specifically monitor administration of your Microsoft Managed Desktop devices. You can exclude the devices we manage from the report you use to manage other devices. The following reports let you filter capability to include or exclude Microsoft Managed Desktop devices.

+For more information about Zero Trust, see Microsoft's [_**Zero Trust Guidance Center**_](/security/zero-trust).

+Go to [**_Zero Trust identity and device access protection_**](office-365-security/microsoft-365-policies-configurations.md) for prescriptive guidance to accomplish this. This series of articles describes a set of identity and device access prerequisite configurations and a set of Azure Active Directory (Azure AD) Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Azure AD Application Proxy.

+Go to [**_Manage devices with Intune_**](../solutions/manage-devices-with-intune-overview.md) for prescriptive guidance to accomplish this.

+Return to [**_Common identity and device access policies_**](office-365-security/identity-access-policies.md) and add the policies in the Enterprise tier.

+Go to [**_Evaluate and pilot Microsoft 365 Defender_**](defender/eval-overview.md) for a methodical guide to piloting and deploying Microsoft 365 Defender components.

+For more information on how to plan and deploy information protection, see [**_Deploy a Microsoft Information Protection solution_**](../compliance/information-protection-solution.md).

+If you're deploying information protection for data privacy regulations, this solution guide provides a recommended framework for the entire process: [**_Deploy information protection for data privacy regulations with Microsoft 365_**](../solutions/information-protection-deploy.md).

+| [Corelight]( https://corelight.com/integrations/iot-security)| Using data, sent from Corelight network appliances, Microsoft 365 Defender gains increased visibility into the network activities of unmanaged devices, including communication with other unmanaged devices or external networks.

+let sender = "{SENDER}"; //Replace {SENDER} with email of the Forwarder

+IdentityLogonEvents

+| where Application == @"Microsoft Exchange Online"

+| where Application == @"Microsoft Exchange Online"

+- **Detection name**ΓÇöname of the detection rule; this name needs to be unique.

+- **Alert title**ΓÇötitle displayed with alerts triggered by the rule; this title needs to be unique.

+| Cloud-only | User account only exists in the Azure AD tenant for your Microsoft 365 tenant. | The Azure AD tenant for your Microsoft 365 tenant performs the authentication with the cloud identity account. | Organizations that don't have or need an on-premises Active Directory. | Simple to use. No extra directory tools or servers required. |

+| Managed authentication | Azure AD handles the authentication process by using a locally stored hashed version of the password or sends the credentials to an on-premises software agent to be authenticated by the on-premises AD DS. <br> <br> There are two types of managed authentication: Password hash synchronization (PHS) and Pass-through authentication (PTA). With PHS, Azure AD performs the authentication itself. With PTA, Azure AD has AD DS perform the authentication. |

+| Use multi-factor authentication (MFA) | MFA requires that user sign-ins be subject to another verification beyond the user account password, such as verification with a smartphone app or a text message sent to a smartphone. See [this video](https://support.microsoft.com/office/set-up-multi-factor-authentication-in-microsoft-365-business-a32541df-079c-420d-9395-9d59354f7225) for instructions on how users set up MFA. | [MFA for Microsoft 365 for enterprise](../enterprise/microsoft-365-secure-sign-in.md#mfa) | Microsoft 365 E3 or E5 |

+- An AD DS forest that is being synchronized with the Azure AD tenant using a directory synchronization server and Azure AD Connect.

+One of your first tenant decisions is how many to have. Each Microsoft 365 tenant is distinct, unique, and separate from all other Microsoft 365 tenants. Its corresponding Azure AD tenant is also distinct, unique, and separate from all other Microsoft 365 tenants.