-Before setting up any configuration for Microsoft 365 support integration, understand how your ServiceNow environment is set up.

-When you create a communication compliance policy, you must determine who reviews the messages of the supervised users. In the policy, user email addresses identify individuals or groups of people to review supervised communications. All reviewers must have mailboxes hosted on Exchange Online and must be assigned to either the *Communication Compliance Analysis* or *Communication Compliance Investigation* roles. Reviewers (either analysts or investigators) must also have the *Communication Compliance Case Management* role assigned. When reviewers are added to a policy, they automatically receive an email message that notifies them of the assignment to the policy and provides links to information about the review process.

-|[Audit label-related user activity](data-classification-activity-explorer.md) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ | 2.46+ | 16.0.13628+ | Yes ^\* |

-|[Audit label-related user activity](data-classification-activity-explorer.md) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2202+ | 16.51+ ^\* | 4.2126+ | 4.2126+ | Yes |

-App control is an optional security practice in Microsoft Managed Desktop that restricts the execution of code on client devices. This control mitigates the risk of malware or malicious scripts by requiring that only code signed by a customer-approved list of publishers can run. There are many security benefits from this control, but it primarily aims to protect data and identity from client-based exploits.

-Microsoft Managed Desktop simplifies the management of app control policies by creating a base policy that enables core productivity scenarios. You can extend trust to other signers that are specific to the apps and scripts in your environment.

-Any security technology requires a balance among user experience, security, and cost. App control reduces the threat of malicious software in your environment, but there are consequences to the user and further actions for your IT administrator.

-**Additional security:**

-Apps or scripts that are not trusted by the app control policy are blocked from running on devices.

-**Your additional responsibilities:**

-**Microsoft Managed Desktop responsibilities:**

-Microsoft Managed Desktop curates a base policy that trusts the core components of Microsoft technologies. You then *add* trust for your own applications and scripts by informing Microsoft Managed Desktop which of them you already trust.

-Microsoft Managed Desktop, in collaboration with Microsoft cybersecurity experts, creates, and maintains a standard policy that enables most apps deployed through Microsoft Intune while blocking dangerous activities like code compilation or execution of untrusted files.

-If a user other than an administrator could have added an app or script to a device (that is, it's in a user-writable directory), we won't allow it to execute unless it has already been specifically allowed by an administrator. If a user is tricked into trying to install malware, if a vulnerability in an app the user runs attempts to install malware, or if a user intentionally tries to run an unauthorized app or script, our policy will stop execution.

-You inform us of which apps are provided by software publishers you trust by filing a *signer request*. By doing so, we add that trust information into the baseline application control policy and allow any software signed with that publisher's certificate to run on your devices.

-Microsoft Managed Desktop uses two Microsoft Intune policies to provide app control:

-This policy creates logs to record whether an app or script would be blocked by the Enforced policy. Audit policies don't enforce app control rules and are meant for testing purposes to identify whether an application will require a publisher exemption. It logs warnings (8003 or 8006 events) in Event Viewer instead of blocking the execution or installation of specified apps or script.

-### Enforced policy

-This policy blocks untrusted apps and scripts from running and creates logs whenever an app or script is blocked. Enforced policies prevent standard users from executing apps or scripts stored in user-writable directories.

-Devices in the Test group have an Audit policy applied so that you can use them to validate whether any applications will cause issues. All other groups (First, Fast, and Broad) use an Enforced policy, so users in those groups won't be able to run untrusted apps or scripts.

-Microsoft Managed Desktop provides a curated device list, [standard device settings](device-policies.md), applications requirements, and certain [configurable settings](../working-with-managed-desktop/config-setting-overview.md)ΓÇöall designed to provide a secure, productive, and pleasant experience for users. It's best to always stay with the service as provided. However, we recognize that some details of the service might not fit exactly with your organization's needs. If you feel you need to alter the service in some way, it's important that you follow the following processes to request those changes.

-An exception is any addition or change to the Microsoft Managed Desktop base configuration; examples range from USB ports configuration to deploying a new device driver. We group various exceptions as follows:

-| Type | Description |

-| Productivity software | Foreground software needed by users, restricted by the [application requirements](mmd-app-requirements.md). |

-| Security agents & VPNs | Software used to secure, monitor, or change the behavior of the device or network. |

-| Digital experience monitoring | Software used to track data on a user's device to report to IT. |

-| Hardware or software drivers | Device drivers, restricted by the [application requirements](mmd-app-requirements.md). |

-| Devices | Devices that are not on the Microsoft Managed Desktop [device list](device-list.md). |

-1. Some applications and policies which Microsoft Managed Desktop deploys to all devices aren't negotiable, so your request must not affect those. See [Device configuration](device-policies.md) for more information.

-3. If we can meet your requirement by using Microsoft technology, we'll likely approve your request for an exception migration period of three to 12 months (depending on the scope of the project).

-These conditions could change in the future. If we do make such changes, weΓÇÖll provide 30 days notice prior to those conditions coming into effect. If Microsoft Managed Desktop delivers an alternative way to meet an approved exception, Microsoft Managed Desktop will notify the customer should Microsoft Managed Desktop alter the way in supporting the exception.

-If this happens, we'll notify you by using the Microsoft Managed Desktop admin portal. From the first time we notify you, you have 90 days to remove the exception before the devices with the exception are no longer bound by Microsoft Managed Desktop service level agreements. We'll send you several notifications according to a strict timeline--however, a severe incident or threat might require us to change the timeline or our decisions about an exception. We won't *remove* an exception without your consent, but any device with a revoked exception will no longer be bound by our service level agreement. Here is the timeline of notifications we will send you:

-description: Logs that might be collected from devices during troubleshooting and how they are stored

-When we troubleshoot an issue on a device managed by Microsoft Managed Desktop, whether one you've reported or one identified by our service, we might have to collect certain diagnostic logs from the device without intervention from the user. We don't collect any user-generated content or information from user directories. We only collect diagnostic and log data that concerns device health and status.

-This list includes all the folders, event logs, executables, or registry locations that Microsoft Managed Desktop might collect diagnostic logs from. The actual data collected will be a subset of this list and depends on the identified issue.

-# Microsoft Managed Desktop app requirements

-

-Microsoft Managed Desktop requires that we manage devices using a specific approach to guarantee the performance, reliability, and serviceability of devices.

-|Management area |Microsoft Managed Desktop approach |

-|||

-|Device configuration or policy management | Microsoft Intune |

-|Application management | Microsoft Intune and Company Portal |

-|Driver deployment | Drivers included with the device, Windows Update, or Intune |

-|Device security | See [Device security](security.md#device-security) |

-|Identity and access management | See [Identity and access management](security.md#identity-and-access-management) |

-|Network security | See [Network security](security.md#network-security) |

-|Information security | See [Information security](security.md#information-security) |

-|Data recovery | OneDrive for Business |

-|Core productivity | Microsoft 365 Apps for enterprise |

-|Browser | Microsoft Edge |

-Microsoft Managed Desktop might monitor other software running on managed devices. If it negatively impacts device management, device security, performance, or reliability, you might be required to request an [exception to the service plan](customizing.md).

-In a service offering, the balance of responsibility for things such as hardware maintenance and security updates shifts to the service provider (Microsoft) instead of the customer (you). However, you still need to ensure that non-Microsoft and custom software continues to function as expected when updates are rolled out.

-Responsibility | Microsoft Managed Desktop service | Microsoft 365 client software | On-premises clients and servers | non-Microsoft and custom software

-Provide new functionality | Microsoft | Microsoft | Both | Customer

-Test new features for quality assurance | Microsoft | Microsoft | Both | Customer

-Communicate about new features | Both | Both | Both | Customer

-Integrate custom software | Both | Both | Customer | Customer

-Apply security updates | Microsoft | Microsoft | Customer | Customer

-Maintain system software | Microsoft | Microsoft | Customer | Customer

-Package for deployment | Microsoft | Microsoft | Customer | Customer

-HereΓÇÖs a summary of how the change process is shared between Microsoft and customers:

-<table>

-<tr><th></th><th><p>Microsoft's role:</p></th><th><p>Customer's role:</p></th></tr>

-<tr><td>Before a change</td><td><ul><li>Set expectations for service changes.</li><li>Notify customers 5 days in advance for changes that require administrator action.</li><li>For emergency changes, apply a mitigation prior to notifying.</li></ul></td><td><ul><li>Understand what to expect for changes and communications.</li><li>Read Microsoft Managed Desktop Message Center regularly.</li><li>Review and update internal change management processes.</li><li>Understand, and check compliance with Microsoft Managed Desktop requirements. </li><li>Acknowledge and approve, when required.</li></ul></td></tr><tr><td>During a change</td><td><ul><li>Release and deploy monthly security and non-security updates for Windows 10 and Office 365 clients.</li><li>Monitor data signals and support queues for impact.</li></ul></td><td><ul><li>Check the Microsoft Managed Desktop Message Center and review any additional information.</li><li>Take any action required, if applicable, and test applications.</li><li>If a break/fix scenario is experienced, create a Support request.</li></ul></td></tr><tr><td>After a change</td><td><ul><li>Collect customer feedback to improve rollout of future changes.</li><li>Monitor data signals and support queues for impact.</li></ul></td><td><ul><li>Work with people in your organization to adopt the change.</li><li>Review change and adoption management processes for opportunities to gain efficiencies.</li><li>Provide general feedback and specific feedback in the admin feedback tool.</li><li>Train users to provide app-specific feedback using the Windows Feedback Hub and the Smile button in Office apps.</li></ul></td></tr>

-<table>

-There are several types of changes that we make to the service regularly. The communication channel for those changes and the actions that you are responsible for varies.

-Not all changes have the same impact on your users or require action. Some are planned and some unplanned by their nature (non-security updates and security updates aren't usually planned). Depending on the type of change, the communication channel may vary. The following table lists the types of changes you can expect for the Microsoft Managed Desktop service.

-| | Functionality | Non-security updates | Security

- | | |

-**Type of change** | - Feature updates<br>- New features or applications<br>- Deprecated features | Client hotfixes for issues | Security updates

-**Advance notice** | Five days notice for changes that require action | No, such changes are included in the monthly release | No, changes are included in the monthly release

-**Communication channel** | - Message Center<br>- Email alert | - Message Center<br>- Email alert | - Message Center<br>- Email alert

-**Requires global admin action** | Sometimes | Rarely | Rarely

-**Type of action** | Change settings | Communicate changes to users | Change admin settings

-**Requires testing** | Check business applications, including remote access services | Sometimes - testing the fix against processes or customizations | Rarely

-**Examples of change** | - Feature updates: IT Admin Portal simplified support ticket submission and review<br>- New features or applications: Semi-Annual release of a Windows 10 feature update | Hotfixes based on customer reported bugs |

-Categories | Microsoft will | Customer will

- | |

-Network (proxy, packet inspection, VPN) | Advise and plan with customers to minimize risk to business users. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.

-Service accounts |- Implement, securely store, and manage the credentials.<br> - Communicate unauthorized access or use of these credentials to your Security Operations team. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not assign policy, multifactor authentication, conditional access, or application deployment to the Microsoft Managed Desktop Service Accounts.<br>- Not reset the password or use the credentials.<br>- Open a Sev C support request to Microsoft Managed Desktop Operations if suspicious activity is observed in Intune or Azure audit logs, related to these service accounts.

-Device Groups | - Implement and assign the membership of devices within Microsoft Managed Desktop groups.<br>- Use the Microsoft Managed Desktop groups to manage the assignment and release of configuration and updates to devices. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Only assign devices to any Microsoft Managed Desktop group following the steps described in [Assign devices to a deployment group](../working-with-managed-desktop/assign-deployment-group.md).<br>- Only use the groups to assign corporate certificates for services such as VPN, Windows Hello for Business or email encryption, or corporate wifi profile configuration.<br>- Where co-management exists, explicitly exclude all Microsoft Managed Desktop groups when deploying the Configuration Manager client.

-Policies | - Implement and manage the Microsoft Managed Desktop policies that govern the configuration state of devices within service.<br>- Deploy updates, to policy or Windows, incrementally using Device Groups.<br> - Explicitly exclude targeting non-Microsoft Managed Desktop groups. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not edit or assign Microsoft Managed Desktop policies to devices or users not managed by the Microsoft Managed Desktop service.

-Microsoft Defender for Endpoint | Monitor and investigate devices within the scope of the Microsoft Managed Desktop service. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised

-Microsoft Store for Business | Configure and maintain the Windows Autopilot profile for the Microsoft Managed Desktop service. | - Create a support request requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Not modify the configuration of the Microsoft Managed Desktop Windows Autopilot profile or add/remove assigned devices.

-Certificates | | - Create a support request 60 days prior to a certificate expiring, requesting information for a planned configuration change, including configuration details, scope, timeline, and other pertinent details for Microsoft to review.<br>- Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.<br>- Update all certificates that are required to configure certificate profiles, VPN profiles, and Wi-Fi profiles.

-Managed Desktop Operations team will do the following:

-> Do not remove the user account from Azure AD before the device is reset. If the user isnΓÇÖt in Azure AD, Intune canΓÇÖt send the factory reset command to the device.

-The device will boot into the "out of box experience," and all preinstalled applications and settings will be applied again. The user of the device needs to provide initial setup information again.

-When the device has been reset, you can give it to a different person in your organization. None of the previous userΓÇÖs data or enterprise data will be on the device. The next user will go through the same process that the previous person did with a new Microsoft Managed Desktop device.

-BitLocker is a key component of data security in this process. With BitLocker encryption on Microsoft Managed Desktop devices, data on the drive remains secure even after the device as been factory-reset. Any data that was on the drive will not be available to the next user of the device. For more information, see [BitLocker overview](/windows/security/information-protection/bitlocker/bitlocker-overview).

-Sometimes, Microsoft might need to change details about the way Microsoft Managed Desktop works. Similarly, you might need to make changes that would affect the service as well. We handle such changes differently depending on how significant they are. This topic defines the changes we consider major, and explains how we handle them versus other changes.

-We'll give you notice at least 30 days ahead of time for any major change that requires action. WeΓÇÖll let you know by using the Microsoft Managed Desktop Admin portal messaging system.

-**Major changes** are those that might impact any of these areas:

-WeΓÇÖll routinely make other changes to the service to improve user experience, security, reliability, and reporting. Some examples of these changes include:

-Some changes that you might make in your environment could impact Microsoft Managed Desktop. For these major changes, we ask that you give us at least 30 daysΓÇÖ notice by submitting a service request in the Microsoft Managed Desktop Admin portal. See [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md) for instructions. This allows us adequate time to plan and prepare for the change to avoid disruptions.

-Major changes are those that might impact any of these areas:

-These changes arenΓÇÖt likely to be disruptive, so you donΓÇÖt need to let us know about them ahead of time:

-Your Microsoft Managed Desktop users can get support either from your organization (we call this "customer-led" support) or from a selected partner ("partner-led" support). We aim to provide a consistent experience for users while keeping devices secure with both support options. No matter which option you choose, these same principles apply:

-## Roles and responsibilities

-To ensure the quality of service without compromising security, the support provider, IT admins, and Microsoft Managed Desktop each have different roles and responsibilities.

-### Support provider

-Whoever provides support (either you for customer-led support or a partner for partner-led) is responsible for these items:

- - Operating system (Windows)

- - Microsoft Apps for enterprise

- - Browser features

- - Device problems

- - Problems with infrastructure, such as printers, drivers, and VPNs

- - Line-of-business applications

-### IT admin

-Your IT admin is responsible for these items:

-### Microsoft Managed Desktop

-As the service provider, we are responsible for these items:

-Integrating your existing processes with this workflow for Microsoft Managed Desktop devices is flexible, so the details could be different. Typically, the support provider follows an existing tier-based or handoff approach, designating specific users who have the ability to elevate permissions or escalate issues to Microsoft Managed Desktop Operations. It's best to keep this group smaller than the broader support team.

-If a user issue needs to be escalated to Microsoft Managed Desktop, it's helpful to identify which team the issue should be directed to. We can transfer cases appropriately, but it saves time to route them to the right place from the start.

-### Elevation portal

-Since Microsoft Managed Desktop devices run on standard user by default, some tasks require elevation of privileges. For more information about user account control, see [User account control](/windows/security/identity-protection/user-account-control/user-account-control-overview). In order for support staff to be able to [perform tasks](../working-with-managed-desktop/end-user-support.md#elevation-requests) while troubleshooting issues for users, we provide "just-in-time" access to an admin account. This password is accessed securely by only those you designate, and rotates every couple of hours.

-### Escalation portal

-> Only Sev C support requests can be filed in this manner. For an issue matching the description of other severities, itΓÇÖs recommended to contact the appropriate IT admin to file. For more info, see [Support request severity definitions](../working-with-managed-desktop/admin-support.md#support-request-severity-definitions).

-Change request | You require the Microsoft Managed Desktop Operations team to make a change, such as moving devices between update groups.

-The following table lists the supported operating systems for attack surface reduction rules that are currently prerelease product. The rules are listed alphabetical order.

-> [!Note]

->

-> - Unless otherwise indicated, the minimum Windows&nbsp;10 build is version 1709 (RS3, build 16299) or later; the minimum Windows&nbsp;Server build is version is 1809 or later.

-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | Y | Y | Y version 1803 (Semi-Annual Channel) or later |

-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | Y | Y MEM OMA-URI | | Y | [supported](images/checkmark.png) <br><br> |

-_Warn mode_ is a block-mode type that alerts users about potentially risky actions. Users can then choose to bypass the block warning message and allow the underlying action. Users can select **OK** to enforce the block, or select the bypass option - **Unblock** - through the end-user pop-up toast notification that is generated at the time of the block. After the warning is unblocked, the operation is allowed until the next time the warning message occurs, at which time the end-user will need to reperform the action.

-The following diagram illustrates building blocks to achieve a Zero Trust security posture for Microsoft 365 and other SaaS apps that you introduce to this environment. The elements related to devices are numbered 1 through 7. These are the layers of protection device administers will coordinate with other administrators to accomplish.

-|2 | Enroll devices into management | This task requires more planning and time to implement. While you have a choice of tools and methods to accomplish this, [Step 3ΓÇöEnroll devices into management](manage-devices-with-intune-enroll.md) guides you through the process using Intune with Autopilot and automated enrollment. | E3, E5, F1, F3, F5 |

-|3 | Configure compliance policies | You want to be sure devices that are accessing your apps and data meet minimum requirements, for example theyΓÇÖre password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. [Step 3. Set up compliance policies](manage-devices-with-intune-compliance-policies.md) helps you configure these policies. | E3, E5, F3, F5 |

-|6 |Monitor device risk and compliance to security baselines | In this step, you connect Intune to Microsoft Defender for Endpoint. With this integration, you can then monitor device risk as a condition for access. Devices that are found to be in a risky state will be blocked. You can also monitor compliance to security baselines. See [Step 6. Monitor device risk and compliance to security baselines](manage-devices-with-intune-monitor-risk.md). | E5, F5 |

-|7 |Implement data loss prevention (DLP) with information protection capabilities | If your organization has put the work into identifying sensitive data and labeling documents, you can work with your information protection admin to [protect sensitive information and documents on your devices](manage-devices-with-intune-dlp-mip.md). | E5, F5 compliance add on |