-Microsoft does not operate the service itself. 21Vianet operates, provides and manages delivery of the service. 21Vianet is the largest carrier-neutral Internet data center services provider in China, providing hosting, managed network services, and cloud computing infrastructure services. By licensing Microsoft technologies, 21Vianet operates local Office 365 datacenters to provide you the ability to use Office 365 services while keeping your data within China. 21Vianet also provides your subscription and billing services, as well as support.

-|Microsoft Power Apps <br/> |Coming soon. <br/> |

-[View your bill or get a Fapiao](../../commerce/billing-and-payments/view-your-bill-or-invoice.md) (article)

-All of your assessments are listed on the assessments tab of Compliance Manager. Learn more about [how to filter your view of your assessments and interpret status states](compliance-manager-setup.md#assessments-page).

-To create an assessment, you will use a wizard to select the template it should use and set the assessmentΓÇÖs properties.

-To begin building assessments, follow these steps.

-1. Know which group youΓÇÖll assign your assessment to, or be prepared to create a new one for this assessment.

-2. Open the assessment wizard. You can access this flyout pane from one of two places:

- - Go to your **assessments** page in Compliance Manager and select **Add assessment**; or

- - Find the template you want to use on the **assessment templates** tab, view its details, and select **Create assessment**. This will populate the wizard's template selection field for you.

-3. **Select a template**: If you didn't already choose a template in step 2, choose a template to serve as the basis for your assessment. YouΓÇÖll see the list of templates divided into included and premium categories (see [Template availability and licensing](compliance-manager-templates.md#template-availability-and-licensing) for more information). Select the radio button next to your chosen template, then select **Next**.

- - **Product**: Select the product you want your assessment to apply to. If you are using a Microsoft template, such as one designed for Microsoft 365, this field will be populated for you to indicate the appropriate product and cannot be changed. If you’re using a universal template, select whether you’re creating this assessment for a new product or a custom product you have already defined in Compliance Manager. If you choose a new product, enter its name. Note that you cannot select a pre-defined Microsoft product when using a universal template.

- - **Name**: Enter a name for your assessment in the **Assessment name** field. Assessment names must be unique within groups. If the name of your assessment matches the name of another assessment in any given group, youΓÇÖll receive an error asking you to create a different name.

-5. **Review and finish:** The last screen of the wizard shows the template, name, and group chosen for the assessment. You can edit any of these settings from the links on the screen, which take you back to the relevant steps in the wizard. When you're ready, select **Create assessment**.

-6. The next screen confirms that youΓÇÖve successfully created your new assessment. Select **Done** to close the wizard, and your new assessment's details page will appear on the screen.

-| **Read but not edit data**| Compliance Manager Reader | Azure AD Global reader, Security reader |

-| **Edit data**| Compliance Manager Contribution | Compliance Administrator |

-| **Edit test results**| Compliance Manager Assessor | Compliance Administrator |

-| **Manage assessments, and template and tenant data**| Compliance Manager Administration | Compliance Administrator, Compliance Data Administrator, Security Administrator |

-| **Assign users**| Global Administrator | Global Administrator |

-This change will not affect certificates, domains, or services used in the US Government, China, or Germany national cloud instances of Microsoft 365.

-## July 2021

-### Advanced eDiscovery

-### App governance

-### Compliance offerings

-### Compliance & service assurance

- - Cloud background checks

- - Employee transfer & termination

- - Governance

- - Human resources

- - Incident management

- - Pre-employment screening

- - Security incident management (SIM)

- - SIM ΓÇô Containment, eradication, and recovery

- - SIM ΓÇô Detection & analysis

- - SIM ΓÇô Post-incident reporting

- - SIM ΓÇô Preparation

- - Tenant isolation

-### Data classification

-### Data loss prevention

-### Insider risk management

-### Privacy management

-### Retention and records management

-### Sensitive information types

-The following pages were added:

-### Sensitivity labels

-Microsoft Managed Desktop applies a standardized name format when devices are enrolled and will automatically rename devices if the name is changed later. For more info, see [Device names](../service-description/device-names.md).

-2. Run [readiness assessment tools](readiness-assessment-tool.md).

-1. Address [device names (this article).

-# Prepare mapped drives for Microsoft Managed Desktop

-Many enterprise environments have legacy requirements for mapped drives to allow their users or teams to share and store files, or for on-premises applications. Microsoft does not recommend the use of mapped drives with the Microsoft Managed Desktop. Instead, we recommend that you modernize your file access solutions as follows:

-Modernizing these services will allow the best user experience with Microsoft Managed Desktop. Microsoft FastTrack Services can assist you in modernizing your environment by using Microsoft Cloud Services. You can check whether you're eligible for FastTrack services at [Eligible Services and Plans](/fasttrack/m365-eligible-services-and-plans) and then contact them directly to prepare for Microsoft Managed Desktop. For background about FastTrack OneDrive for Business or SharePoint Online Migration, see [Data Migration](/fasttrack/o365-data-migration).

-

-If you cannot remove or replace mapped drives for some use cases, you should submit a support request in the Microsoft Managed Desktop admin portal to have them deployed to Microsoft Managed Desktop users.

-

-For such a request, you'll have to provide the following details in the support request:

-It's entirely your responsibility to ensure that users and groups have and maintain the right permissions to access file share locations and that the on-premises file services remain accessible. Also, you should remove your requirements for such file shares as soon as possible.

-### To have mapped drives deployed in Microsoft Managed Desktop

-

-Make sure that mapped drives cannot be avoided and you have carefully reviewed the requirements before submitting any service request. Then follow these steps:

-1. Navigate to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and select "Troubleshooting + support" then look for "Service requests" under the Microsoft Managed Desktop section.

-2. Submit a support request titled ΓÇ£Mapped drives deploymentΓÇ¥ and provide all the required file share details.

-3. Microsoft Managed Desktop IT Operations will advise, by using support request updates, when the request has been completed. Initially this configuration will only be deployed to devices in the Test deployment group.

-4. You must test and confirm whether the configuration deployed by the Microsoft Managed Desktop IT Operations works as you expect. Reply using the Discussion tab in the details of the same support request to notify Microsoft Managed Desktop IT Operations once you've completed your testing.

-5. Microsoft Managed Desktop IT Operations team will then deploy the configuration to the other deployment groups.

-2. Run [readiness assessment tools](readiness-assessment-tool.md).

-1. Address [device names](address-device-names.md).

-

-In all cases, if the printer drivers are not available from Microsoft Update or the Microsoft Store, you'll have to obtain them yourself and have them packaged for deployment to your Microsoft Managed Desktop devices with Microsoft Intune. For more, see [Intune Standalone - Win32 app management](/mem/intune/apps/apps-win32-app-management)

-If you've decided to deploy printers by using a custom PowerShell script and have prepared the printing resources, follow these steps to have shared printers deployed:

-2. Submit a request labeled *Printer deployment* in the **Support > Support requests** section of the Admin Portal, providing these details:

- - All UNC paths to shared printer locations that will need to be deployed for Microsoft Managed Desktop devices

- - User groups that require access to these shared printers

-3. Using the Admin Portal, we'll let you know when the request has been completed. Initially we'll only deploy the configuration to devices in the Test deployment group.

-4. You must test and confirm whether the configuration works as you expect. Reply by using the **Discussion** tab in the Support request to let us know when you've completed your testing.

-5. We'll then deploy the configuration to the other deployment groups.

-2. Run [readiness assessment tools](readiness-assessment-tool.md).

-Your gateway to the Microsoft Managed Desktop service is [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). If you are unfamiliar with the capabilities of this portal for device management, see the [Microsoft Endpoint Manager documentation](/mem/).

-Your administrative account will need specific permissions in order to access the Microsoft Managed Desktop administrative features in Microsoft Endpoint Manager. You can manage admin access to these features within your organization by using role-based access control. Several Azure Active Directory (Azure AD) administrator roles and built-in Microsoft Managed Desktop roles are available to provide more granular control to different features within the Microsoft Managed Desktop Admin portal. For more information about Azure Active Directory roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). Unlike Azure AD administrator roles that apply to various Microsoft products and services, the built-in roles are specific to Microsoft Managed Desktop and will only guarantee access to the Admin features for this service. Admins can assign built-in roles to users individually or in combination with Azure AD administrator roles to add Microsoft Managed Desktop permissions to existing admin accounts.

-|Azure AD role |Microsoft Managed Desktop permissions |

-|||

-|Global Administrator | Admins with this role will have **read and write permissions to all features** in the Microsoft Managed Desktop Admin portal. |

-|Global Reader | Admins with this role will have **read-only permissions to all features** in the Microsoft Managed Desktop Admin portal. |

-|Intune Service Administrator | Admins with this role will have **read and write permissions to features not related to security** in the Microsoft Managed Desktop Admin portal. |

-|Service Support Administrator | Admins with this role will have **read-only permissions to features not related to security** and **write permissions to manage support requests including escalation requests** in the Microsoft Managed Desktop Admin portal. |

-|Security Admin | Admins with this role will have **read-only permissions to all features** and **write permissions for security related features** in Microsoft Managed Desktop in the Admin portal. |

-|Security Reader |Admins with this role will have **read-only permissions to all features** in the Microsoft Managed Desktop Admin portal.|

-|Built-in role |Microsoft Managed Desktop permissions |

-|||

-|Microsoft Managed Desktop Service Administrator | When assigned to a user, this role gives the admin **read and write permissions to Microsoft Managed Desktop features not related to security** in the Microsoft Managed Desktop Admin portal. |

-|Microsoft Managed Desktop Service Reader | When assigned to a user, this role gives the admin **read-only permissions to Microsoft Managed Desktop features not related to security** in the Microsoft Managed Desktop Admin portal. |

-|Microsoft Managed Desktop Security Manager |When assigned to a user, this role gives that admin **read and write permissions only for security related features** in the Microsoft Managed Desktop Admin portal. |

-|Microsoft Managed Desktop Support Partner |When assigned to a user, this role gives the admin **read and write permissions only for creating and managing elevation requests and support partner engaged escalation requests** in the Microsoft Managed Desktop Admin portal. |

-> Security features include security-related communications, management of security contacts, management of security-related support requests, and access to security related reports.

-For easy management of built-in roles, there is a security group for each custom role with the name "Modern Workplace Roles - _Role Name_"(for example, ΓÇ£Modern Workplace Roles ΓÇô Security ManagerΓÇ¥). To assign users to one of these security groups, follow these steps:

-2. Select **Groups** on the left side.

-3. Search for **Modern Workplace Roles**, and then select the group associated with the role you want to assign.

-4. Select **Members** on the left side, and then select **+ Add members** on the command bar.

-5. Enter the email of the person being added. If they are a guest, you must invite them before you can assign the group.

-> Nesting security groups for role assignment is not currently supported.

-If you need to assign one or more of the built-in roles to a existing group, follow these steps:

-There are several ways that Microsoft Managed Desktop service communicates with customers. To streamline communication and ensure weΓÇÖre checking with the right people, you need to provide a set of admin contacts. Microsoft Managed Desktop IT Operations will contact these people for assistance troubleshooting issues for your tenant.

-Area of focus | For questions about

- |

-App packaging | Troubleshooting app packaging

-Devices | Device health, troubleshooting with Microsoft Managed Desktop devices

-Security | Troubleshooting security issues with Microsoft Managed Desktop devices

-IT help desk | in cases where our Support staff hands over user tickets outside of Microsoft Managed Desktop support areas

-Other | For issues not covered by other areas

-**Whoever you choose for these contacts needs to have the knowledge and authority to make decisions for your Microsoft Managed Desktop environment.** When you onboard your Microsoft Managed Desktop environment, youΓÇÖre prompted to add contacts for your local Helpdesk and Security.

-Admin contacts are required when you [submit a Support request](../service-description/support.md). YouΓÇÖll need to have an admin contact for the focus area of the Support request.

-**To add admin contacts**

-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com).

-2. Under **Tenant administration**, look for the **Microsoft Managed Desktop** section then select **Admin contacts**.

-3. Select **Add**.

-4. Select an **Area of focus** and enter the info for the contact.

-5. Repeat for each area of focus.

-1. [Get started with app control](get-started-app-control.md).

-As part of preparing to enroll in Microsoft Managed Desktop, you'll need to be sure you've obtained the necessary licenses. If you haven't already obtained the licenses, see [More about licenses](../get-ready/prerequisites.md#more-about-licenses) for details about exactly which licenses you need.

-If your licenses are all lined up, it's time now to assign them to your users. To assign licenses, we recommend that you take advantage of the [group-based licensing feature](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) of Azure Active Directory.

-1. [Get started with app control](get-started-app-control.md).

-After youΓÇÖve completed enrollment in Microsoft Managed Desktop, some management settings might need to be adjusted. To check and adjust if needed, follow these steps:

-2. If any of the items apply to your environment, make the adjustments described.

-3. If you want to double-check that all settings are correct, you can rerun the [readiness assessment tool](https://aka.ms/mmdart) to make sure nothing conflicts with Microsoft Managed Desktop.

-## Azure Active Directory settings

-Self-service password reset: if you use self-service password reset for all users, adjust the assignment to exclude Microsoft Managed Desktop service accounts. To adjust this assignment, create a Azure AD dynamic group for all users *except* Microsoft Managed Desktop service accounts, and then use that group for assignment instead of "all users."

-To help you find and exclude the service accounts, here is an example of a dynamic query you can use:

-In this query, replace @TENANT with your tenant domain name.

-1. [Get started with app control](get-started-app-control.md).

-description: Explains how the new Microsoft Edge browser is deployed and updated

-# New Microsoft Edge app

-The new [Microsoft Edge browser](https://www.microsoft.com/edge) provides world-class performance with more privacy, more productivity, and more value while you browse. Microsoft Managed Desktop is offering a public preview of deployment of the new Microsoft Edge browser in your environment.

-## Initial deployment

-To migrate your Microsoft Managed Desktop devices to the new Microsoft Edge browser, file an IT Support Ticket through the Microsoft Managed Desktop Portal.

-We'll deploy the Microsoft Edge Stable channel to the Test Group when you file the ticket. Then, we deploy it in each subsequent deployment group every 24 hours. To pause the deployment, file another ticket asking Operations to hold.

-The [Beta Channel](/deployedge/microsoft-edge-channels#beta-channel) is also available upon request for representative validation within your organization. Microsoft Managed Desktop will deploy the application as required to the Test and First Groups so that all of those users have the Beta Channel in addition to the Stable Channel. For any other users who need access to the Beta Channel, add them to the **Modern Workplace - Edge Beta Users** group and have them install it from the Company Portal

-Microsoft Managed Desktop deploys the [Stable channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge, which is automatically updated about every six weeks. Updates on the Stable channel are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group to ensure the best experience for customers.

-The [Beta Channel](/deployedge/microsoft-edge-channels#beta-channel) is deployed to devices in both the Test and First groups for representative validation within the organization. This channel is fully supported and automatically updated with new features approximately every six weeks.

-Now that youΓÇÖre ready to enroll, open [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to **Tenant Administration**. Select **Tenant enrollment** under the **Microsoft Managed Desktop** subsection then follow the wizard to enroll your tenant with Microsoft Managed Desktop.

-Once youΓÇÖve finished enrollment, follow the steps below to configure the service. This is the recommended order to follow, but you do have some flexibility in the sequence.

-

-1. [Get started with app control](get-started-app-control.md).

-##### [ASR rules deployment guide]()

-###### [ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

-###### [Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

-###### [Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

-###### [Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

-###### [Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

-# Phase 3 - implement

-The implementation phase moves the ring from testing into functional state.

-[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

-[Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

-[Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

-[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

-# Phase 4 - operationalize

-After you've fully deployed ASR rules, it's vital that you have processes in place to monitor and respond to ASR-related activities.

-## Manage false positives

-[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

-[Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

-[Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

-[Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

-description: Provides guidance to plan your attack surface reduction rules deployment.

-# Phase 1: plan

-Starting to test ASR rules involves starting with the right business unit. YouΓÇÖll want to start with a small group of people in a specific business unit. You can identify some ASR champions within a particular business unit who can provide real-world impact to the ASR rules and help you tune your implementation.

-## Define reporting and response team roles and responsibilities

-[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

-[Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

-[Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

-[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

-description: Provides guidance to test your attack surface reduction rules deployment.

-# Phase 2 - test

-Begin your ASR rules deployment with ring 1.

-[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

-[Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

-[Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

-[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

-description: Provides guidance to deploy attack surface reduction rules.

-# ASR rules deployment overview

-Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Your organization's attack surfaces includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to attack. Configuring attack surface reduction (ASR) rulesΓÇöone of many security features found in Microsoft Defender for EndpointΓÇöcan help.

-During your initial preparation, it's vital that you understand the capabilities of the systems that you'll put in place. Understanding the capabilities will help you determine which ASR rules are most important for protecting your organization.

-## ASR rules deployment phases

-Get the current list of attack surface reduction rules GUIDs from [Attack surface reduction rules deployment phase 3: implement](attack-surface-reduction-rules-deployment-implement.md). For additional, per rules details, see [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md)

-| [Next-generation protection](defender-endpoint-plan-1.md#next-generation-protection) <br/>(includes antimalware and antivirus) <p> [Attack surface reduction](defender-endpoint-plan-1.md#attack-surface-reduction) <p> [Manual response actions](defender-endpoint-plan-1.md#manual-response-actions) <p> [Centralized management](defender-endpoint-plan-1.md#centralized-management) <p>[Security reports](defender-endpoint-plan-1.md#reporting) <p>[APIs](defender-endpoint-plan-1.md#apis) | [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md), plus: <p> [Device discovery](device-discovery.md) <p> [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) <p> [Automated investigation and response](automated-investigations.md) <p> [Advanced hunting](advanced-hunting-overview.md) <p> [Endpoint detection and response](overview-endpoint-detection-response.md) <p> [Microsoft Threat Experts](microsoft-threat-experts.md) |

-> The Group Policy management of this product is now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806)

- <string>Microsoft Defender ATP settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

- <string>Microsoft Defender ATP configuration settings</string>

-7. Open **System Preferences** \> **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.

- - Name: MDATP onboarding for macOS

- - Description: MDATP EDR onboarding for macOS

- - **Name**: Microsoft Defender ATP Network Extension

- - **Filter Name**: Microsoft Defender ATP Content Filter

-echo "source /Applications/Microsoft\ Defender\ ATP.app/Contents/Resources/Tools/mdatp_completion.bash" >> ~/.bash_profile

- sudo ln -svf "/Applications/Microsoft Defender ATP.app/Contents/Resources/Tools/mdatp_completion.zsh" /usr/local/share/zsh/site-functions/_mdatp

- <string>Microsoft Defender ATP Network Extension</string>

- <string>Microsoft Defender ATP Network Extension</string>

- <string>Microsoft Defender ATP System Extensions</string>

- <string>Microsoft Defender ATP Network Extension</string>

-> defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"

-> [!NOTE]

-> Beginning in late January 2022, Microsoft Defender for Endpoint (formerly known as Microsoft Defender ATP) will be referenced as "Microsoft Defender" across end user facing MDE experiences on macOS.

->

-> This change is currently available in the Beta (previously called Insider Fast) and Preview (previously called Insider Slow) update channels. The minimum product version that includes this change is 101.56.35. See the below release notes corresponding to this version for more information.

->

-> This change does not impact the `mdatp` command-line tool.

->

-> **Action required**: if your enterprise has custom configurations that rely on either the product name or application installation path, these configurations must be updated with the new values listed above.

-> - [Attack surface reduction rules deployment phase 3: implement](attack-surface-reduction-rules-deployment-implement.md)