Updates from: 05/03/2022 01:13:33
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Classifier Get Started With https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-get-started-with.md
This timeline reflects a sample deployment of trainable classifiers.
### Overall workflow
-To understand more about the overall workflow of creating custom trainable classifiers, see [Process flow for creating customer trainable classifiers](classifier-learn-about.md#process-flow-for-creating-custom-classifiers).
+To understand more about the overall workflow of creating custom trainable classifiers, see [Process flow for creating custom trainable classifiers](classifier-learn-about.md#process-flow-for-creating-custom-classifiers).
### Seed content
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
Admins should immediately assign custom reviewers to this policy as appropriate
4. On the **Monitor for user-reported messages** pane, assign reviewers for the policy. Reviewers must have mailboxes hosted on Exchange Online. When reviewers are added to a policy, they automatically receive an email message that notifies them of the assignment to the policy and provides links to information about the review process. 5. Select **Save**.
-To disable users from reporting Teams messages with the *Report a concern option*, disable the **End user reporting** option in the [Teams Admin Center](/microsoftteams/manage-teams-in-modern-portal).
+The *Report a concern* option is enabled by default and can be controlled via Teams messaging policies in the [Teams Admin Center](/microsoftteams/manage-teams-in-modern-portal). Users in your organization will automatically get the global policy, unless you create and assign a custom policy. Edit the settings in the global policy or create and assign one or more custom policies to turn on or turn off the *Report a concern* option. To learn more, see [Manage messaging policies in Teams](/microsoftteams/messaging-policies-in-teams).
>[!IMPORTANT]
->If you're using PowerShell to disable the **End user reporting** option in the Teams Admin Center, you must use [Microsoft Teams cmdlets module version 4.2.0](/MicrosoftTeams/teams-powershell-release-notes) or later.
+>If you're using PowerShell to turn on or turn off the **End user reporting** option in the Teams Admin Center, you must use [Microsoft Teams cmdlets module version 4.2.0](/MicrosoftTeams/teams-powershell-release-notes) or later.
## Storage limit notification (preview)
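Review bot: The rewritten paragraph calls the control the *Report a concern* option in Teams messaging policies, but the IMPORTANT note right after it still refers to the **End user reporting** option in the Teams Admin Center, so a reader cannot tell whether these are the same setting. Suggest using one name in both places, or stating once that **End user reporting** is the messaging-policy setting that shows or hides *Report a concern*. Because the text now says users get the global policy unless a custom one is assigned, the PowerShell note would also be more actionable if it named the cmdlet and parameter that require module version 4.2.0.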
compliance Communication Compliance Reports Audits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-reports-audits.md
The **Reports dashboard** contains the following report widgets and detailed rep
### Detailed reports
-Use the *Export* option to create a .csv file containing the report details for any detailed report.
+Use the *Export* option to create a .csv file containing the report details for any detailed report. The *Export* report option supports file size downloads up to 3MB.
- **Policy settings and status**: provides a detailed look at policy configuration and settings, as well as the general status for each of the policy (matches and actions) on messages. Includes policy information and how policies are associated with users and groups, locations, review percentages, reviewers, status, and when the policy was last modified. Use the *Export* option to create a .csv file containing the report details. - **Items and actions per policy**: Review and export matching items and remediation actions per policy. Includes policy information and how policies are associated with:
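Review bot: The added sentence "The *Export* report option supports file size downloads up to 3MB" does not say what happens when a detailed report is larger than that (truncated file, failed export, or an error message). Suggest stating the behaviour at the limit and rewording to something like "exports of up to 3 MB", with a space before the unit. The **Policy settings and status** bullet that follows repeats the *Export* instruction without the limit, so either drop that repeat or keep the two consistent.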
compliance Dlp Chrome Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-learn-about.md
search.appverid:
description: "The Microsoft Purview Extension extends monitoring and control of file activities and protective actions to the Google Chrome browser"
-# Learn about the Microsoft Purview Extension)
+# Learn about the Microsoft Purview Extension
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
If users have the [Azure Information Protection (AIP) client](/azure/information
> [!NOTE] > If you're not seeing the labeling features you expect on Windows computers, despite confirming the minimum supported versions for your Office update channel, it might be because you need to [disable the AIP add-in](sensitivity-labels-aip.md#how-to-disable-the-aip-add-in-to-use-built-in-labeling-for-office-apps).
-To learn more about labeling support with the AIP client, see [Why choose built-in labeling over the AIP add-in for Office apps](sensitivity-labels-aip.md).
-
+To learn more about labeling support with the AIP client, and how to disable this client just in Office apps, see [Why choose built-in labeling over the AIP add-in for Office apps](sensitivity-labels-aip.md).
## If you need to turn off built-in labeling in Office apps on Windows
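Review bot: In the added sentence, "how to disable this client just in Office apps" is ambiguous next to the NOTE above it, which talks about disabling the AIP add-in; "this client" can be read as removing the AIP client itself. Suggest "how to disable the AIP add-in in Office apps" so both passages use the same term, and consider pointing the link at the same `#how-to-disable-the-aip-add-in-to-use-built-in-labeling-for-office-apps` anchor the NOTE uses, since the link text here still reads "Why choose built-in labeling over the AIP add-in for Office apps".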
Deploy this setting by using Group Policy, or by using the [Office cloud policy
Because this setting is specific to Windows Office apps, it has no impact on other apps on Windows that support sensitivity labels (such as Power BI) or other platforms (such as macOS, mobile devices, and Office for the web). If you don't want some or all users to see and use sensitivity labels across all apps and all platforms, don't assign a sensitivity label policy to those users.
-### Office built-in labeling client and the Azure Information Protection client
-
-If users have the [Azure Information Protection (AIP) client](/azure/information-protection/rms-client/aip-clientv2) installed on their Windows computers, by default, built-in labels are turned off in [Windows Office apps that support them](#labeling-client-for-desktop-apps). Because built-in labels don't use an Office Add-in, as used by the AIP client, they have the benefit of more stability and better performance. They also support the latest features, such as advanced classifiers.
-
-To learn more about labeling choices with the AIP client, see [Why choose built-in labeling over the AIP add-in for Office apps](sensitivity-labels-aip.md).
- ## Office file types supported Office apps that have built-in labeling for Word, Excel, and PowerPoint files support the Open XML format (such as .docx and .xlsx) but not the Microsoft Office 97-2003 format (such as .doc and .xls), Open Document Format (such as .odt and .ods), or other formats. When a file type is not supported for built-in labeling, the **Sensitivity** button is not available in the Office app.
enterprise Connect To Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-to-microsoft-365-powershell.md
You will need an active Azure subscription for your organization that is tied to
For more information, see [Azure Cloud Shell](/azure/cloud-shell/overview). +
+## Get started with the Microsoft Graph PowerShell SDK
+
+You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs.
+
+For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started?view=graph-powershell-beta)
+ ## See also - [Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
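Review bot: The link on the added "For more information" line pins `?view=graph-powershell-beta`, which sends readers of a general getting-started section to the beta view of the SDK documentation. Suggest dropping the `view` parameter, or saying explicitly that the beta is intended. That sentence is also missing its closing period, and the one-line description "access all Microsoft Graph APIs" gives no hint of how this section relates to the connection methods described earlier in the article.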
includes Microsoft 365 Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
+## Week of April 25, 2022
++
+| Published On |Topic title | Change |
+|||--|
+| 4/25/2022 | [Microsoft 365 encryption chains](/microsoft-365/compliance/encryption-office-365-certificate-chains?view=o365-21vianet) | modified |
+| 4/25/2022 | [Learn the advanced hunting query language in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-21vianet) | modified |
+| 4/25/2022 | [Take action on advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-21vianet) | modified |
+| 4/25/2022 | [Collaborate with external participants in a shared channel](/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-21vianet) | modified |
+| 4/25/2022 | [Microsoft 365 alert policies](/microsoft-365/compliance/alert-policies?view=o365-21vianet) | modified |
+| 4/25/2022 | [Microsoft Bookings Frequently Asked Questions](/microsoft-365/bookings/bookings-faq?view=o365-21vianet) | modified |
+| 4/26/2022 | [Microsoft Purview solutions trial playbook](/microsoft-365/compliance/compliance-easy-trials-compliance-playbook?view=o365-21vianet) | modified |
+| 4/26/2022 | [What's new in Microsoft Purview](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
+| 4/26/2022 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-21vianet) | modified |
+| 4/27/2022 | [Enhancing mail flow with MTA-STS ](/microsoft-365/compliance/enhancing-mail-flow-with-mta-sts?view=o365-21vianet) | added |
+| 4/27/2022 | [UrlClickEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-21vianet) | added |
+| 4/27/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-21vianet) | modified |
+| 4/27/2022 | [Microsoft Defender for Office 365 trial playbook](/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365?view=o365-21vianet) | modified |
+| 4/27/2022 | [Encrypted message portal activity log](/microsoft-365/compliance/ome-message-access-logs?view=o365-21vianet) | added |
+| 4/27/2022 | [Remove blocked connectors from the Restricted entities portal in Microsoft 365](/microsoft-365/security/office-365-security/remove-blocked-connectors?view=o365-21vianet) | added |
+| 4/27/2022 | [Respond to a compromised connector in Microsoft 365](/microsoft-365/security/office-365-security/respond-compromised-connector?view=o365-21vianet) | added |
+| 4/27/2022 | Increase threat protection for Microsoft 365 for Business | removed |
+| 4/27/2022 | [Create eDiscovery holds in a eDiscovery (Standard) case](/microsoft-365/compliance/create-ediscovery-holds?view=o365-21vianet) | modified |
+| 4/27/2022 | [Manage holds in eDiscovery (Premium)](/microsoft-365/compliance/managing-holds?view=o365-21vianet) | modified |
+| 4/27/2022 | [Search the audit log in the Microsoft Purview compliance portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-21vianet) | modified |
+| 4/27/2022 | [Manage your allows in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-21vianet) | modified |
+| 4/27/2022 | [Remove blocked users from the Restricted users portal](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-21vianet) | modified |
+| 4/28/2022 | [What is Microsoft 365 for business](/microsoft-365/admin/admin-overview/what-is-microsoft-365-for-business?view=o365-21vianet) | added |
+| 4/28/2022 | [Learn how to mitigate the Log4Shell vulnerability in Microsoft Defender for Endpoint - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-manage-log4shell-guidance?view=o365-21vianet) | added |
+| 4/28/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-21vianet) | modified |
+| 4/28/2022 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-21vianet) | modified |
+| 4/28/2022 | [Azure Active Directory setup guides](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-21vianet) | modified |
+| 4/28/2022 | [How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications](/microsoft-365/compliance/how-smtp-dane-works?view=o365-21vianet) | modified |
+| 4/28/2022 | [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments?view=o365-21vianet) | modified |
+| 4/29/2022 | [Microsoft 365 admin center activity reports](/microsoft-365/admin/activity-reports/activity-reports?view=o365-21vianet) | modified |
+| 4/29/2022 | [Understand the proposal workflow](/microsoft-365/commerce/understand-proposal-workflow?view=o365-21vianet) | modified |
+| 4/29/2022 | [Enable the Report Message or the Report Phishing add-ins](/microsoft-365/security/office-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
+| 4/29/2022 | [Manage your allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-21vianet) | modified |
+| 4/29/2022 | [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight](/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight?view=o365-21vianet) | modified |
+| 4/29/2022 | [Microsoft Purview auditing solutions](/microsoft-365/compliance/auditing-solutions-overview?view=o365-21vianet) | modified |
+| 4/25/2022 | [Microsoft 365 encryption chains](/microsoft-365/compliance/encryption-office-365-certificate-chains?view=o365-21vianet) | modified |
+| 4/25/2022 | [Learn the advanced hunting query language in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-21vianet) | modified |
+| 4/25/2022 | [Take action on advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-21vianet) | modified |
+| 4/25/2022 | [Collaborate with external participants in a shared channel](/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-21vianet) | modified |
+| 4/25/2022 | [Microsoft 365 alert policies](/microsoft-365/compliance/alert-policies?view=o365-21vianet) | modified |
+| 4/25/2022 | [Microsoft Bookings Frequently Asked Questions](/microsoft-365/bookings/bookings-faq?view=o365-21vianet) | modified |
+| 4/26/2022 | [Microsoft Purview solutions trial playbook](/microsoft-365/compliance/compliance-easy-trials-compliance-playbook?view=o365-21vianet) | modified |
+| 4/26/2022 | [What's new in Microsoft Purview](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
+| 4/26/2022 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-21vianet) | modified |
+| 4/27/2022 | [Enhancing mail flow with MTA-STS ](/microsoft-365/compliance/enhancing-mail-flow-with-mta-sts?view=o365-21vianet) | added |
+| 4/27/2022 | [UrlClickEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-21vianet) | added |
+| 4/27/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-21vianet) | modified |
+| 4/27/2022 | [Microsoft Defender for Office 365 trial playbook](/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365?view=o365-21vianet) | modified |
+| 4/27/2022 | [Encrypted message portal activity log](/microsoft-365/compliance/ome-message-access-logs?view=o365-21vianet) | added |
+| 4/27/2022 | [Remove blocked connectors from the Restricted entities portal in Microsoft 365](/microsoft-365/security/office-365-security/remove-blocked-connectors?view=o365-21vianet) | added |
+| 4/27/2022 | [Respond to a compromised connector in Microsoft 365](/microsoft-365/security/office-365-security/respond-compromised-connector?view=o365-21vianet) | added |
+| 4/27/2022 | Increase threat protection for Microsoft 365 for Business | removed |
+| 4/27/2022 | [Create eDiscovery holds in a eDiscovery (Standard) case](/microsoft-365/compliance/create-ediscovery-holds?view=o365-21vianet) | modified |
+| 4/27/2022 | [Manage holds in eDiscovery (Premium)](/microsoft-365/compliance/managing-holds?view=o365-21vianet) | modified |
+| 4/27/2022 | [Search the audit log in the Microsoft Purview compliance portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-21vianet) | modified |
+| 4/27/2022 | [Manage your allows in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-21vianet) | modified |
+| 4/27/2022 | [Remove blocked users from the Restricted users portal](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-21vianet) | modified |
+| 4/28/2022 | [What is Microsoft 365 for business](/microsoft-365/admin/admin-overview/what-is-microsoft-365-for-business?view=o365-21vianet) | added |
+| 4/28/2022 | [Learn how to mitigate the Log4Shell vulnerability in Microsoft Defender for Endpoint - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-manage-log4shell-guidance?view=o365-21vianet) | added |
+| 4/28/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-21vianet) | modified |
+| 4/28/2022 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-21vianet) | modified |
+| 4/28/2022 | [Azure Active Directory setup guides](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-21vianet) | modified |
+| 4/28/2022 | [How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications](/microsoft-365/compliance/how-smtp-dane-works?view=o365-21vianet) | modified |
+| 4/28/2022 | [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments?view=o365-21vianet) | modified |
+| 4/29/2022 | [Manage your allows in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-21vianet) | modified |
+| 4/29/2022 | [Understand the proposal workflow](/microsoft-365/commerce/understand-proposal-workflow?view=o365-21vianet) | modified |
+| 4/29/2022 | [Enable the Report Message or the Report Phishing add-ins](/microsoft-365/security/office-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
+| 4/29/2022 | [Manage your allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-21vianet) | modified |
+| 4/29/2022 | [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight](/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight?view=o365-21vianet) | modified |
+| 4/29/2022 | [Use customer-managed keys to encrypt your organization's auditing data](/microsoft-365/compliance/auditing-cmk-encryption?view=o365-21vianet) | added |
+| 4/29/2022 | [Microsoft Purview auditing solutions](/microsoft-365/compliance/auditing-solutions-overview?view=o365-21vianet) | modified |
++ ## Week of April 18, 2022
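Review bot: The added "Week of April 25, 2022" table lists its rows twice: the run from "4/25/2022 | Microsoft 365 encryption chains" through "4/28/2022 | Safe Attachments" appears once and is then repeated in full. The 4/29 rows differ between the two passes: the first has "Microsoft 365 admin center activity reports", while the second instead has "Manage your allows in the Tenant Allow/Block List" and "Use customer-managed keys to encrypt your organization's auditing data". Suggest collapsing to a single list and reconciling the 4/29 entries so that none of them is lost. The link text "Enhancing mail flow with MTA-STS " also has a trailing space inside the brackets.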
| 4/8/2022 | [Schedule business closures, time off, and vacation time](/microsoft-365/bookings/schedule-closures-time-off-vacation?view=o365-21vianet) | modified | | 4/8/2022 | [An overview of Microsoft LTI apps](/microsoft-365/lti/index?view=o365-21vianet) | modified | | 4/8/2022 | [Submit files in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/admin-submissions-mde?view=o365-21vianet) | modified |--
-## Week of March 21, 2022
--
-| Published On |Topic title | Change |
-|||--|
-| 3/21/2022 | [Enable shared channels with all external organizations](/microsoft-365/solutions/allow-direct-connect-with-all-organizations?view=o365-21vianet) | added |
-| 3/21/2022 | [Collaborate with external participants in a channel](/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-21vianet) | added |
-| 3/21/2022 | [Limit guest sharing to specific organizations](/microsoft-365/solutions/limit-guest-sharing-to-specific-organization?view=o365-21vianet) | added |
-| 3/21/2022 | [Limit who can be invited by an organization](/microsoft-365/solutions/limit-invitations-from-specific-organization?view=o365-21vianet) | added |
-| 3/21/2022 | [Limit organizations where users can have guest accounts](/microsoft-365/solutions/limit-organizations-where-users-have-guest-accounts?view=o365-21vianet) | added |
-| 3/21/2022 | [Limit who can invite guests](/microsoft-365/solutions/limit-who-can-invite-guests?view=o365-21vianet) | added |
-| 3/21/2022 | [Plan external collaboration](/microsoft-365/solutions/plan-external-collaboration?view=o365-21vianet) | added |
-| 3/21/2022 | [Require conditional access for people outside your organization](/microsoft-365/solutions/trust-conditional-access-from-other-organizations?view=o365-21vianet) | added |
-| 3/21/2022 | [Collaborate with guests in a team](/microsoft-365/solutions/collaborate-as-team?view=o365-21vianet) | modified |
-| 3/21/2022 | [Collaborating with people outside your organization](/microsoft-365/solutions/collaborate-with-people-outside-your-organization?view=o365-21vianet) | modified |
-| 3/21/2022 | [Configure teams with protection for highly sensitive data](/microsoft-365/solutions/configure-teams-highly-sensitive-protection?view=o365-21vianet) | modified |
-| 3/21/2022 | [Configure teams with protection for sensitive data](/microsoft-365/solutions/configure-teams-sensitive-protection?view=o365-21vianet) | modified |
-| 3/21/2022 | [Configure Teams with three tiers of file sharing security](/microsoft-365/solutions/configure-teams-three-tiers-protection?view=o365-21vianet) | modified |
-| 3/21/2022 | [Create a secure guest sharing environment](/microsoft-365/solutions/create-secure-guest-sharing-environment?view=o365-21vianet) | modified |
-| 3/21/2022 | [End of lifecycle options for groups, teams, and Yammer](/microsoft-365/solutions/end-life-cycle-groups-teams-sites-yammer?view=o365-21vianet) | modified |
-| 3/21/2022 | [Groups services interactions](/microsoft-365/solutions/groups-services-interactions?view=o365-21vianet) | modified |
-| 3/21/2022 | [Governing access in Microsoft 365 groups, Teams, and SharePoint](/microsoft-365/solutions/groups-teams-access-governance?view=o365-21vianet) | modified |
-| 3/21/2022 | [Set up secure file and document sharing and collaboration with Teams in Microsoft 365](/microsoft-365/solutions/setup-secure-collaboration-with-teams?view=o365-21vianet) | modified |
-| 3/21/2022 | [Detect channel signals with communication compliance](/microsoft-365/compliance/communication-compliance-channels?view=o365-21vianet) | modified |
-| 3/21/2022 | [Get started with Data loss prevention for Power BI](/microsoft-365/compliance/dlp-powerbi-get-started?view=o365-21vianet) | added |
-| 3/21/2022 | [Create and configure retention policies to automatically retain or delete content](/microsoft-365/compliance/create-retention-policies?view=o365-21vianet) | modified |
-| 3/21/2022 | [Data loss prevention and Microsoft Teams](/microsoft-365/compliance/dlp-microsoft-teams?view=o365-21vianet) | modified |
-| 3/21/2022 | [Advanced eDiscovery limits](/microsoft-365/compliance/limits-ediscovery20?view=o365-21vianet) | modified |
-| 3/21/2022 | [Limits for Content search and Core eDiscovery in the compliance center](/microsoft-365/compliance/limits-for-content-search?view=o365-21vianet) | modified |
-| 3/21/2022 | [Learn about retention for Teams](/microsoft-365/compliance/retention-policies-teams?view=o365-21vianet) | modified |
-| 3/21/2022 | [Configure retention settings to automatically retain or delete content](/microsoft-365/compliance/retention-settings?view=o365-21vianet) | modified |
-| 3/21/2022 | [Learn about retention policies & labels to automatically retain or delete content](/microsoft-365/compliance/retention?view=o365-21vianet) | modified |
-| 3/21/2022 | [Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-21vianet) | modified |
-| 3/22/2022 | [Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers (preview)](/microsoft-365/compliance/device-onboarding-offboarding-macos-jamfpro-mde?view=o365-21vianet) | modified |
-| 3/22/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/22/2022 | [Microsoft 365 admin center SharePoint site usage reports](/microsoft-365/admin/activity-reports/sharepoint-site-usage-ww?view=o365-21vianet) | modified |
-| 3/22/2022 | [Configurable settings reference for Microsoft Managed Desktop](/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref?view=o365-21vianet) | modified |
-| 3/22/2022 | [Onboard devices without Internet access to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboard-offline-machines?view=o365-21vianet) | modified |
-| 3/22/2022 | [Enable Modern authentication for Office 2013 on Windows devices](/microsoft-365/admin/security-and-compliance/enable-modern-authentication?view=o365-21vianet) | modified |
-| 3/22/2022 | [Microsoft 365 compliance solutions trial playbook](/microsoft-365/compliance/compliance-easy-trials-compliance-playbook?view=o365-21vianet) | modified |
-| 3/22/2022 | [Get started with insider risk management](/microsoft-365/compliance/insider-risk-management-configure?view=o365-21vianet) | modified |
-| 3/22/2022 | [Insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-21vianet) | modified |
-| 3/22/2022 | [Records Management in Microsoft 365](/microsoft-365/compliance/records-management?view=o365-21vianet) | modified |
-| 3/22/2022 | [Set up Advanced Audit in Microsoft 365](/microsoft-365/compliance/set-up-advanced-audit?view=o365-21vianet) | modified |
-| 3/22/2022 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-21vianet) | modified |
-| 3/22/2022 | [Microsoft 365 Security for Business Decision Makers (BDMs)](/microsoft-365/security/microsoft-365-security-for-bdm?view=o365-21vianet) | modified |
-| 3/22/2022 | [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust?view=o365-21vianet) | modified |
-| 3/22/2022 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-21vianet) | modified |
-| 3/22/2022 | [Find ransomware with advanced hunting](/microsoft-365/security/defender/advanced-hunting-find-ransomware?view=o365-21vianet) | modified |
-| 3/22/2022 | [Get relevant info about an entity with go hunt](/microsoft-365/security/defender/advanced-hunting-go-hunt?view=o365-21vianet) | modified |
-| 3/22/2022 | [Link query results to an incident](/microsoft-365/security/defender/advanced-hunting-link-to-incident?view=o365-21vianet) | modified |
-| 3/22/2022 | [Work with advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-results?view=o365-21vianet) | modified |
-| 3/22/2022 | [Data tables in the Microsoft 365 Defender advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-21vianet) | modified |
-| 3/22/2022 | [Use shared queries in Microsoft 365 Defender advanced hunting](/microsoft-365/security/defender/advanced-hunting-shared-queries?view=o365-21vianet) | modified |
-| 3/22/2022 | [Take action on advanced hunting query results in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-21vianet) | modified |
-| 3/22/2022 | [Create an app to access Microsoft 365 Defender APIs on behalf of a user](/microsoft-365/security/defender/api-create-app-user-context?view=o365-21vianet) | modified |
-| 3/22/2022 | [Create an app to access Microsoft 365 Defender without a user](/microsoft-365/security/defender/api-create-app-web?view=o365-21vianet) | modified |
-| 3/22/2022 | [Hello World for Microsoft 365 Defender REST API](/microsoft-365/security/defender/api-hello-world?view=o365-21vianet) | modified |
-| 3/22/2022 | [Partner access through Microsoft 365 Defender APIs](/microsoft-365/security/defender/api-partner-access?view=o365-21vianet) | modified |
-| 3/22/2022 | [Configure your Event Hub](/microsoft-365/security/defender/configure-event-hub?view=o365-21vianet) | modified |
-| 3/22/2022 | [Configure and manage Microsoft Threat Experts capabilities through Microsoft 365 Defender](/microsoft-365/security/defender/configure-microsoft-threat-experts?view=o365-21vianet) | modified |
-| 3/22/2022 | [Create and manage custom detection rules in Microsoft 365 Defender](/microsoft-365/security/defender/custom-detection-rules?view=o365-21vianet) | modified |
-| 3/22/2022 | [Device profile in Microsoft 365 security portal](/microsoft-365/security/defender/device-profile?view=o365-21vianet) | modified |
-| 3/22/2022 | [Create the Microsoft 365 Defender Evaluation Environment for greater cyber security and XDR](/microsoft-365/security/defender/eval-create-eval-environment?view=o365-21vianet) | modified |
-| 3/22/2022 | [Review Microsoft Defender for Endpoint architecture requirements and key concepts](/microsoft-365/security/defender/eval-defender-endpoint-architecture?view=o365-21vianet) | modified |
-| 3/22/2022 | [Enable Microsoft Defender for Endpoint evaluation](/microsoft-365/security/defender/eval-defender-endpoint-enable-eval?view=o365-21vianet) | modified |
-| 3/22/2022 | [Step 4. Evaluate Microsoft Defender for Endpoint overview, including reviewing the architecture](/microsoft-365/security/defender/eval-defender-endpoint-overview?view=o365-21vianet) | modified |
-| 3/22/2022 | [Pilot Microsoft Defender for Endpoint](/microsoft-365/security/defender/eval-defender-endpoint-pilot?view=o365-21vianet) | modified |
-| 3/22/2022 | [Review architecture requirements and the technical framework for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-architecture?view=o365-21vianet) | modified |
-| 3/22/2022 | [Enable the evaluation environment for Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-enable-eval?view=o365-21vianet) | modified |
-| 3/22/2022 | [Step 2. An Overview of Microsoft 365 Defender for Identity evaluation](/microsoft-365/security/defender/eval-defender-identity-overview?view=o365-21vianet) | modified |
-| 3/22/2022 | [Pilot Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-pilot?view=o365-21vianet) | modified |
-| 3/22/2022 | [Try Microsoft 365 Defender incident response capabilities in a pilot environment](/microsoft-365/security/defender/eval-defender-investigate-respond-additional?view=o365-21vianet) | modified |
-| 3/22/2022 | [Run an attack simulation in a Microsoft 365 Defender pilot environment](/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack?view=o365-21vianet) | modified |
-| 3/22/2022 | [Pilot Microsoft Defender for Office 365, use the evaluation in your production environment](/microsoft-365/security/defender/eval-defender-office-365-pilot?view=o365-21vianet) | modified |
-| 3/22/2022 | [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-21vianet) | modified |
-| 3/22/2022 | [Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work?view=o365-21vianet) | modified |
-| 3/22/2022 | [Microsoft cloud architecture models - enterprise resource planning](/microsoft-365/solutions/cloud-architecture-models?view=o365-21vianet) | modified |
-| 3/22/2022 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-21vianet) | modified |
-| 3/23/2022 | [Top 20 most-viewed admin help articles this month # < 60 chars](/microsoft-365/admin/top-m365-admin-articles?view=o365-21vianet) | modified |
-| 3/23/2022 | [Learn about auto-expanding archiving](/microsoft-365/compliance/autoexpanding-archiving?view=o365-21vianet) | modified |
-| 3/23/2022 | [Change history for Microsoft Managed Desktop documentation](/microsoft-365/managed-desktop/change-history-managed-desktop?view=o365-21vianet) | modified |
-| 3/23/2022 | Microsoft Security Guidance - Political campaigns & nonprofits | removed |
-| 3/23/2022 | [Insider risk management cases](/microsoft-365/compliance/insider-risk-management-cases?view=o365-21vianet) | modified |
-| 3/23/2022 | [Configure Microsoft 365 Lighthouse portal security](/microsoft-365/lighthouse/m365-lighthouse-configure-portal-security?view=o365-21vianet) | modified |
-| 3/23/2022 | [Microsoft 365 Lighthouse frequently asked questions (FAQs)](/microsoft-365/lighthouse/m365-lighthouse-faq?view=o365-21vianet) | modified |
-| 3/23/2022 | [Requirements for Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-requirements?view=o365-21vianet) | modified |
-| 3/23/2022 | [Troubleshoot and resolve problems and error messages in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-troubleshoot?view=o365-21vianet) | modified |
-| 3/23/2022 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-21vianet) | modified |
-| 3/23/2022 | [Create the Microsoft 365 Defender Evaluation Environment for greater cyber security and XDR](/microsoft-365/security/defender/eval-create-eval-environment?view=o365-21vianet) | modified |
-| 3/23/2022 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-21vianet) | modified |
-| 3/23/2022 | [Email analysis in investigations for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-21vianet) | modified |
-| 3/23/2022 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-21vianet) | modified |
-| 3/23/2022 | [Continuous access evaluation for Microsoft 365 - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/microsoft-365-continuous-access-evaluation?view=o365-21vianet) | modified |
-| 3/23/2022 | [Zero Trust identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/microsoft-365-policies-configurations?view=o365-21vianet) | modified |
-| 3/23/2022 | [Threat Explorer and Real-time detections basics in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/real-time-detections?view=o365-21vianet) | modified |
-| 3/23/2022 | [Secure by default in Office 365](/microsoft-365/security/office-365-security/secure-by-default?view=o365-21vianet) | modified |
-| 3/23/2022 | [Remove yourself from the blocked senders list and address 5.7.511 Access denied errors](/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-21vianet) | modified |
-| 3/23/2022 | [View Defender for Office 365 reports](/microsoft-365/security/office-365-security/view-reports-for-mdo?view=o365-21vianet) | modified |
-| 3/23/2022 | [Microsoft 365 solution and architecture center # < 60 chars](/microsoft-365/solutions/index?view=o365-21vianet) | modified |
-| 3/23/2022 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-21vianet) | modified |
-| 3/24/2022 | [Onboard macOS devices into Microsoft 365 overview (preview)](/microsoft-365/compliance/device-onboarding-macos-overview?view=o365-21vianet) | modified |
-| 3/24/2022 | [Onboard Windows 10 or Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview?view=o365-21vianet) | modified |
-| 3/24/2022 | [Microsoft 365 Lighthouse Windows 365 (Cloud PCs) page overview](/microsoft-365/lighthouse/m365-lighthouse-win365-page-overview?view=o365-21vianet) | modified |
-| 3/24/2022 | [Manage Microsoft feedback for your organization](/microsoft-365/admin/manage/manage-feedback-ms-org?view=o365-21vianet) | modified |
-| 3/24/2022 | [Azure Active Directory setup guides](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-21vianet) | modified |
-| 3/24/2022 | [GDPR simplified A guide for your small business](/microsoft-365/admin/security-and-compliance/gdpr-compliance?view=o365-21vianet) | modified |
-| 3/24/2022 | [Increase threat protection for Microsoft 365 Business Premium](/microsoft-365/admin/security-and-compliance/set-up-compliance?view=o365-21vianet) | modified |
-| 3/24/2022 | [Set up Windows devices for Microsoft 365 Business Premium users](/microsoft-365/admin/setup/set-up-windows-devices?view=o365-21vianet) | modified |
-| 3/24/2022 | [Increase threat protection for Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-increase-protection?view=o365-21vianet) | modified |
-| 3/24/2022 | [Troubleshoot and resolve problems and error messages in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-troubleshoot?view=o365-21vianet) | modified |
-| 3/24/2022 | [Microsoft Defender for Business](/microsoft-365/security/defender-business/index?view=o365-21vianet) | modified |
-| 3/24/2022 | [Outbound delivery pools](/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages?view=o365-21vianet) | modified |
-| 3/24/2022 | [Permissions - Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
-| 3/25/2022 | [Customer Lockbox Requests](/microsoft-365/compliance/customer-lockbox-requests?view=o365-21vianet) | modified |
-| 3/25/2022 | [Get started driving adoption of Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/adoption-getstarted) | modified |
-| 3/25/2022 | [Scenarios and use cases for Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/adoption-scenarios) | modified |
-| 3/25/2022 | [Run a trial of Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/trial-syntex) | modified |
-| 3/25/2022 | [Manage Skype for Business Online with PowerShell](/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure advanced features in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-features?view=o365-21vianet) | modified |
-| 3/25/2022 | [Advanced hunting schema reference](/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference?view=o365-21vianet) | modified |
-| 3/25/2022 | [View and organize the Microsoft Defender for Endpoint Alerts queue](/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-21vianet) | modified |
-| 3/25/2022 | [Provide feedback on the Microsoft Defender for Endpoint Client Analyzer tool](/microsoft-365/security/defender-endpoint/analyzer-feedback?view=o365-21vianet) | modified |
-| 3/25/2022 | [Understand the client analyzer HTML report](/microsoft-365/security/defender-endpoint/analyzer-report?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-21vianet) | modified |
-| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-21vianet) | modified |
-| 3/25/2022 | [Hello World for Microsoft Defender for Endpoint API](/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-21vianet) | modified |
-| 3/25/2022 | [How to use Power Automate Connector to set up a Flow for events](/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint APIs connection to Power BI](/microsoft-365/security/defender-endpoint/api-power-bi?view=o365-21vianet) | modified |
-| 3/25/2022 | [Implement attack surface reduction (ASR) rules deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement?view=o365-21vianet) | modified |
-| 3/25/2022 | [Operationalize attack surface reduction (ASR) rules deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize?view=o365-21vianet) | modified |
-| 3/25/2022 | [Plan ASR rules attack surface reduction deployment rules deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan?view=o365-21vianet) | modified |
-| 3/25/2022 | [Test attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test?view=o365-21vianet) | modified |
-| 3/25/2022 | [ASR rules deployment prerequisites](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment?view=o365-21vianet) | modified |
-| 3/25/2022 | [Use attack surface reduction rules to prevent malware infection](/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-21vianet) | modified |
-| 3/25/2022 | [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center?view=o365-21vianet) | modified |
-| 3/25/2022 | [Take response actions on a file in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Permissions - Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-21vianet) | modified |
-| 3/25/2022 | [Collaborate with external participants in a channel](/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft 365 Security for Business Decision Makers (BDMs)](/microsoft-365/security/microsoft-365-security-for-bdm?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage active content in Office documents for IT admins](/microsoft-365/security/active-content-in-trusted-docs?view=o365-21vianet) | modified |
-| 3/25/2022 | [Behavioral blocking and containment](/microsoft-365/security/defender-endpoint/behavioral-blocking-containment?view=o365-21vianet) | modified |
-| 3/25/2022 | [Check the health state of the sensor at Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-21vianet) | modified |
-| 3/25/2022 | [Client behavioral blocking](/microsoft-365/security/defender-endpoint/client-behavioral-blocking?view=o365-21vianet) | modified |
-| 3/25/2022 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-21vianet) | modified |
-| 3/25/2022 | [Cloud protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Collect diagnostic data of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/collect-diagnostic-data?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enable block at first sight to detect malware in seconds](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboard Windows devices to Microsoft Defender for Endpoint via Group Policy](/microsoft-365/security/defender-endpoint/configure-endpoints-gp?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboard Windows devices using Configuration Manager](/microsoft-365/security/defender-endpoint/configure-endpoints-sccm?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboard Windows devices using a local script](/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboarding tools and methods for Windows devices](/microsoft-365/security/defender-endpoint/configure-endpoints?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure and validate exclusions based on extension, name, or location](/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Optimize ASR rule deployment and detections](/microsoft-365/security/defender-endpoint/configure-machines-asr?view=o365-21vianet) | modified |
-| 3/25/2022 | [Get devices onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-machines-onboarding?view=o365-21vianet) | modified |
-| 3/25/2022 | [Increase compliance to the Microsoft Defender for Endpoint security baseline](/microsoft-365/security/defender-endpoint/configure-machines-security-baseline?view=o365-21vianet) | modified |
-| 3/25/2022 | [Ensure your devices are configured properly](/microsoft-365/security/defender-endpoint/configure-machines?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure and manage Microsoft Threat Experts capabilities](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure and validate Microsoft Defender Antivirus network connections](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure device proxy and Internet connection settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enable and configure Microsoft Defender Antivirus protection capabilities](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboard Windows servers to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-21vianet) | modified |
-| 3/25/2022 | [Connected applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/connected-applications?view=o365-21vianet) | modified |
-| 3/25/2022 | [Contact Microsoft Defender for Endpoint support](/microsoft-365/security/defender-endpoint/contact-support?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enable Corelight integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/corelight-integration?view=o365-21vianet) | modified |
-| 3/25/2022 | [Customize controlled folder access](/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-21vianet) | modified |
-| 3/25/2022 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-21vianet) | modified |
-| 3/25/2022 | [Address false positives/negatives in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives?view=o365-21vianet) | modified |
-| 3/25/2022 | [Overview of Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1?view=o365-21vianet) | modified |
-| 3/25/2022 | [Deployment phases](/microsoft-365/security/defender-endpoint/deployment-phases?view=o365-21vianet) | modified |
-| 3/25/2022 | [Deploy Microsoft Defender for Endpoint in rings](/microsoft-365/security/defender-endpoint/deployment-rings?view=o365-21vianet) | modified |
-| 3/25/2022 | [Plan your Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/deployment-strategy?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-21vianet) | modified |
-| 3/25/2022 | [Protect your organization's data with device control](/microsoft-365/security/defender-endpoint/device-control-report?view=o365-21vianet) | modified |
-| 3/25/2022 | [Device discovery overview](/microsoft-365/security/defender-endpoint/device-discovery?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint device timeline event flags](/microsoft-365/security/defender-endpoint/device-timeline-event-flag?view=o365-21vianet) | modified |
-| 3/25/2022 | [Endpoint detection and response in block mode](/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-21vianet) | modified |
-| 3/25/2022 | [Turn on cloud protection in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enable controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-21vianet) | modified |
-| 3/25/2022 | [Turn on exploit protection to help mitigate against attacks](/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enable Microsoft Defender for IoT integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-21vianet) | modified |
-| 3/25/2022 | [Turn on network protection](/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-21vianet) | modified |
-| 3/25/2022 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint evaluation lab](/microsoft-365/security/defender-endpoint/evaluation-lab?view=o365-21vianet) | modified |
-| 3/25/2022 | [Use Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp?view=o365-21vianet) | modified |
-| 3/25/2022 | [Create an Application to access Microsoft Defender for Endpoint without a user](/microsoft-365/security/defender-endpoint/exposed-apis-create-app-partners?view=o365-21vianet) | modified |
-| 3/25/2022 | [Create an app to access Microsoft Defender for Endpoint without a user](/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-21vianet) | modified |
-| 3/25/2022 | [Grant access to managed security service provider (MSSP)](/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o365-21vianet) | modified |
-| 3/25/2022 | [Host firewall reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/host-firewall-reporting?view=o365-21vianet) | modified |
-| 3/25/2022 | [Import, export, and deploy exploit protection configurations](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml?view=o365-21vianet) | modified |
-| 3/25/2022 | [Create indicators for files](/microsoft-365/security/defender-endpoint/indicator-file?view=o365-21vianet) | modified |
-| 3/25/2022 | [Use sensitivity labels to prioritize incident response](/microsoft-365/security/defender-endpoint/information-protection-investigation?view=o365-21vianet) | modified |
-| 3/25/2022 | [Investigate Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/investigate-alerts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-21vianet) | modified |
-| 3/25/2022 | [Investigate Microsoft Defender for Endpoint files](/microsoft-365/security/defender-endpoint/investigate-files?view=o365-21vianet) | modified |
-| 3/25/2022 | [Investigate incidents in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-incidents?view=o365-21vianet) | modified |
-| 3/25/2022 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-21vianet) | modified |
-| 3/25/2022 | [Investigate a user account in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-user?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-21vianet) | modified |
-| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-install-unmanaged?view=o365-21vianet) | modified |
-| 3/25/2022 | [App-based deployment for Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-install?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-troubleshoot?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enable the limited periodic Microsoft Defender Antivirus scanning feature](/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-21vianet) | modified |
-| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on Linux with Ansible](/microsoft-365/security/defender-endpoint/linux-install-with-ansible?view=o365-21vianet) | modified |
-| 3/25/2022 | [Deploy Microsoft Defender for Endpoint on Linux with Puppet](/microsoft-365/security/defender-endpoint/linux-install-with-puppet?view=o365-21vianet) | modified |
-| 3/25/2022 | [How to schedule scans with Microsoft Defender for Endpoint (Linux)](/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde?view=o365-21vianet) | modified |
-| 3/25/2022 | [Investigate entities on devices using live response in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/live-response?view=o365-21vianet) | modified |
-| 3/25/2022 | [Device control for macOS](/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure and validate exclusions for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-exclusions?view=o365-21vianet) | modified |
-| 3/25/2022 | [Log in to Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manual deployment for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-21vianet) | modified |
-| 3/25/2022 | [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-21vianet) | modified |
-| 3/25/2022 | [Set up device groups in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices?view=o365-21vianet) | modified |
-| 3/25/2022 | [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot kernel extension issues in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-kext?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot license issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-license?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-perf?view=o365-21vianet) | modified |
-| 3/25/2022 | [New configuration profiles for macOS Catalina and newer versions of macOS](/microsoft-365/security/defender-endpoint/mac-sysext-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Deploy updates for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-updates?view=o365-21vianet) | modified |
-| 3/25/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-21vianet) | modified |
-| 3/25/2022 | [Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tags?view=o365-21vianet) | modified |
-| 3/25/2022 | [Device inventory](/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage Microsoft Defender for Endpoint incidents](/microsoft-365/security/defender-endpoint/manage-incidents?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage how and where Microsoft Defender Antivirus receives updates](/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Overview of management and APIs](/microsoft-365/security/defender-endpoint/management-apis?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint Device Control Device Installation](/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-p1-maintenance-operations?view=o365-21vianet) | modified |
-| 3/25/2022 | [Set up and configure Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration?view=o365-21vianet) | modified |
-| 3/25/2022 | [Get started with Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/mde-plan1-getting-started?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender Offline in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-offline?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-21vianet) | modified |
-| 3/25/2022 | [Network device discovery and vulnerability management](/microsoft-365/security/defender-endpoint/network-devices?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboard devices and configure Microsoft Defender for Endpoint capabilities](/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboard previous versions of Windows on Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboard-downlevel?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboarding using Microsoft Endpoint Configuration Manager](/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboarding using Microsoft Endpoint Manager](/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-21vianet) | modified |
-| 3/25/2022 | [Create an onboarding or offboarding notification rule](/microsoft-365/security/defender-endpoint/onboarding-notification?view=o365-21vianet) | modified |
-| 3/25/2022 | [Onboard to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/onboarding?view=o365-21vianet) | modified |
-| 3/25/2022 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-21vianet) | modified |
-| 3/25/2022 | [Hide the Microsoft Defender Antivirus interface](/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Turn on the preview experience in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/preview-settings?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Endpoint Device Control Printer Protection](/microsoft-365/security/defender-endpoint/printer-protection?view=o365-21vianet) | modified |
-| 3/25/2022 | [Set up Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/production-deployment?view=o365-21vianet) | modified |
-| 3/25/2022 | [Stream Microsoft Defender for Endpoint events to Azure Event Hubs](/microsoft-365/security/defender-endpoint/raw-data-export-event-hub?view=o365-21vianet) | modified |
-| 3/25/2022 | [Stream Microsoft Defender for Endpoint events to your Storage account](/microsoft-365/security/defender-endpoint/raw-data-export-storage?view=o365-21vianet) | modified |
-| 3/25/2022 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Review alerts in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/review-alerts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Review the results of Microsoft Defender Antivirus scans](/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-21vianet) | modified |
-| 3/25/2022 | [Run the client analyzer on Windows](/microsoft-365/security/defender-endpoint/run-analyzer-windows?view=o365-21vianet) | modified |
-| 3/25/2022 | [Run a detection test on a device to verify it has been properly onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/run-detection-test?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender Security Center Security operations dashboard](/microsoft-365/security/defender-endpoint/security-operations-dashboard?view=o365-21vianet) | modified |
-| 3/25/2022 | [Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/switch-to-mde-overview?view=o365-21vianet) | modified |
-| 3/25/2022 | [Switch to Microsoft Defender for Endpoint - Prepare](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1?view=o365-21vianet) | modified |
-| 3/25/2022 | [Switch to Microsoft Defender for Endpoint - Setup](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2?view=o365-21vianet) | modified |
-| 3/25/2022 | [Switch to Microsoft Defender for Endpoint - Onboard](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-21vianet) | modified |
-| 3/25/2022 | [Techniques in the device timeline](/microsoft-365/security/defender-endpoint/techniques-device-timeline?view=o365-21vianet) | modified |
-| 3/25/2022 | [Understand the analyst report section in threat analytics.](/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports?view=o365-21vianet) | modified |
-| 3/25/2022 | [Track and respond to emerging threats with Microsoft Defender for Endpoint threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics?view=o365-21vianet) | modified |
-| 3/25/2022 | [Event timeline in threat and vulnerability management](/microsoft-365/security/defender-endpoint/threat-and-vuln-mgt-event-timeline?view=o365-21vianet) | modified |
-| 3/25/2022 | [Threat protection report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft 365 Defender time zone settings](/microsoft-365/security/defender-endpoint/time-settings?view=o365-21vianet) | modified |
-| 3/25/2022 | [Report and troubleshoot Microsoft Defender for Endpoint ASR Rules](/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-21vianet) | modified |
-| 3/25/2022 | [Collect support logs in Microsoft Defender for Endpoint using live response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot onboarding issues and error messages](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot performance issues](/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues?view=o365-21vianet) | modified |
-| 3/25/2022 | [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt?view=o365-21vianet) | modified |
-| 3/25/2022 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-21vianet) | modified |
-| 3/25/2022 | [Assign device value - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-assign-device-value?view=o365-21vianet) | modified |
-| 3/25/2022 | [Dashboard insights - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights?view=o365-21vianet) | modified |
-| 3/25/2022 | [Plan for end-of-support software and software versions](/microsoft-365/security/defender-endpoint/tvm-end-of-support-software?view=o365-21vianet) | modified |
-| 3/25/2022 | [Create and view exceptions for security recommendations - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-exception?view=o365-21vianet) | modified |
-| 3/25/2022 | [Exposure score in threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-exposure-score?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Secure Score for Devices](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices?view=o365-21vianet) | modified |
-| 3/25/2022 | [Remediate vulnerabilities with threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-remediation?view=o365-21vianet) | modified |
-| 3/25/2022 | [Security recommendations by threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-security-recommendation?view=o365-21vianet) | modified |
-| 3/25/2022 | [Software inventory in threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-software-inventory?view=o365-21vianet) | modified |
-| 3/25/2022 | [Vulnerable devices report - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-vulnerable-devices-report?view=o365-21vianet) | modified |
-| 3/25/2022 | [Vulnerabilities in my organization - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-weaknesses?view=o365-21vianet) | modified |
-| 3/25/2022 | [Mitigate zero-day vulnerabilities - threat and vulnerability management](/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities?view=o365-21vianet) | modified |
-| 3/25/2022 | [View and organize the Incidents queue](/microsoft-365/security/defender-endpoint/view-incidents-queue?view=o365-21vianet) | modified |
-| 3/25/2022 | [Web content filtering](/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-21vianet) | modified |
-| 3/25/2022 | [Monitoring web browsing security in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/web-protection-monitoring?view=o365-21vianet) | modified |
-| 3/25/2022 | [Web protection](/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-21vianet) | modified |
-| 3/25/2022 | [Respond to web threats in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/web-protection-response?view=o365-21vianet) | modified |
-| 3/25/2022 | [Why cloud protection should be enabled for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/why-cloud-protection-should-be-on-mdav?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure Directory Services account in Microsoft Defender for Identity](/microsoft-365/security/defender-identity/directory-service-accounts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Identity entity tags in Microsoft 365 Defender](/microsoft-365/security/defender-identity/entity-tags?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Identity detection exclusions in Microsoft 365 Defender](/microsoft-365/security/defender-identity/exclusions?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Identity security alerts in Microsoft 365 Defender](/microsoft-365/security/defender-identity/manage-security-alerts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Identity notifications in Microsoft 365 Defender](/microsoft-365/security/defender-identity/notifications?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Identity sensor health and settings in Microsoft 365 Defender](/microsoft-365/security/defender-identity/sensor-health?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Identity VPN integration in Microsoft 365 Defender](/microsoft-365/security/defender-identity/vpn-integration?view=o365-21vianet) | modified |
-| 3/25/2022 | [About the Microsoft Defender for Office 365 trial](/microsoft-365/security/office-365-security/about-defender-for-office-365-trial?view=o365-21vianet) | modified |
-| 3/25/2022 | [Address compromised user accounts with automated investigation and response](/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-21vianet) | modified |
-| 3/25/2022 | [Admin review for reported messages](/microsoft-365/security/office-365-security/admin-review-reported-message?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-21vianet) | modified |
-| 3/25/2022 | [Anti-spoofing protection](/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-21vianet) | modified |
-| 3/25/2022 | [Attack simulation training deployment considerations and FAQ](/microsoft-365/security/office-365-security/attack-simulation-training-faq?view=o365-21vianet) | modified |
-| 3/25/2022 | [Insights and reports Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights?view=o365-21vianet) | modified |
-| 3/25/2022 | [Payload automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations?view=o365-21vianet) | modified |
-| 3/25/2022 | [Create custom payloads for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-21vianet) | modified |
-| 3/25/2022 | [Simulation automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-21vianet) | modified |
-| 3/25/2022 | [Simulate a phishing attack with Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training?view=o365-21vianet) | modified |
-| 3/25/2022 | [How automated investigation and response works in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/automated-investigation-response-office?view=o365-21vianet) | modified |
-| 3/25/2022 | [Protection features in Azure Information Protection rolling out to existing tenants](/microsoft-365/security/office-365-security/azure-ip-protection-features?view=o365-21vianet) | modified |
-| 3/25/2022 | [Campaign Views in Microsoft Defender for Office 365 Plan](/microsoft-365/security/office-365-security/campaigns?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configuration analyzer for security policies](/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Create safe sender lists](/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-21vianet) | modified |
-| 3/25/2022 | [Email analysis in investigations for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-21vianet) | modified |
-| 3/25/2022 | [Email security with Threat Explorer in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/email-security-in-microsoft-defender?view=o365-21vianet) | modified |
-| 3/25/2022 | [Enable the Report Message or the Report Phishing add-ins](/microsoft-365/security/office-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
-| 3/25/2022 | [Exchange Online Protection (EOP) overview](/microsoft-365/security/office-365-security/exchange-online-protection-overview?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configuring and controlling external email forwarding in Microsoft 365.](/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-21vianet) | modified |
-| 3/25/2022 | [Find and release quarantined messages as a user](/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user?view=o365-21vianet) | modified |
-| 3/25/2022 | [Identity and device access policies for allowing guest and external user B2B access - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies-guest-access?view=o365-21vianet) | modified |
-| 3/25/2022 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Prerequisite work for implementing identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-prerequisites?view=o365-21vianet) | modified |
-| 3/25/2022 | [Impersonation insight](/microsoft-365/security/office-365-security/impersonation-insight?view=o365-21vianet) | modified |
-| 3/25/2022 | [Application Guard for Office for admins](/microsoft-365/security/office-365-security/install-app-guard?view=o365-21vianet) | modified |
-| 3/25/2022 | [Use Microsoft Defender for Office 365 together with Microsoft Defender for Endpoint](/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde?view=o365-21vianet) | modified |
-| 3/25/2022 | [Investigate malicious email that was delivered in Microsoft 365, Find and investigate malicious email](/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered?view=o365-21vianet) | modified |
-| 3/25/2022 | [Spoof intelligence insight](/microsoft-365/security/office-365-security/learn-about-spoof-intelligence?view=o365-21vianet) | modified |
-| 3/25/2022 | [Mail flow insights in the Mail flow dashboard](/microsoft-365/security/office-365-security/mail-flow-insights-v2?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage your allows in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-21vianet) | modified |
-| 3/25/2022 | [Recommended Microsoft Defender for Cloud Apps policies for SaaS apps - Microsoft 365 Enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/mcas-saas-access-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [The Microsoft Defender for Office 365 email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-21vianet) | modified |
-| 3/25/2022 | [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams?view=o365-21vianet) | modified |
-| 3/25/2022 | [Auto-forwarded messages insight](/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report?view=o365-21vianet) | modified |
-| 3/25/2022 | [Top domain mail flow status insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-domain-mail-flow-status-insight?view=o365-21vianet) | modified |
-| 3/25/2022 | [Mail flow map](/microsoft-365/security/office-365-security/mfi-mail-flow-map-report?view=o365-21vianet) | modified |
-| 3/25/2022 | [Fix possible mail loop insight](/microsoft-365/security/office-365-security/mfi-mail-loop-insight?view=o365-21vianet) | modified |
-| 3/25/2022 | [New domains being forwarded email insight](/microsoft-365/security/office-365-security/mfi-new-domains-being-forwarded-email?view=o365-21vianet) | modified |
-| 3/25/2022 | [New users forwarding email insight](/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email?view=o365-21vianet) | modified |
-| 3/25/2022 | [Non-accepted domain report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report?view=o365-21vianet) | modified |
-| 3/25/2022 | [Non-delivery report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-non-delivery-report?view=o365-21vianet) | modified |
-| 3/25/2022 | [Outbound and inbound mail flow insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-outbound-and-inbound-mail-flow?view=o365-21vianet) | modified |
-| 3/25/2022 | [Queues insight in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues?view=o365-21vianet) | modified |
-| 3/25/2022 | [Fix slow mail flow rules insight](/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight?view=o365-21vianet) | modified |
-| 3/25/2022 | [SMTP Auth clients insight and report in the Mail flow dashboard](/microsoft-365/security/office-365-security/mfi-smtp-auth-clients-report?view=o365-21vianet) | modified |
-| 3/25/2022 | [Zero Trust identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/microsoft-365-policies-configurations?view=o365-21vianet) | modified |
-| 3/25/2022 | [Migrate to Microsoft Defender for Office 365 Phase 3: Onboard](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard?view=o365-21vianet) | modified |
-| 3/25/2022 | [Migrate to Microsoft Defender for Office 365 Phase 1: Prepare](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-prepare?view=o365-21vianet) | modified |
-| 3/25/2022 | [Migrate to Microsoft Defender for Office 365 Phase 2: Setup](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup?view=o365-21vianet) | modified |
-| 3/25/2022 | [Migrate from a third-party protection service to Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365?view=o365-21vianet) | modified |
-| 3/25/2022 | [Monitor for leaks of personal data](/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data?view=o365-21vianet) | modified |
-| 3/25/2022 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-air?view=o365-21vianet) | modified |
-| 3/25/2022 | [Threat investigation & response capabilities - Microsoft Defender for Office 365 Plan 2](/microsoft-365/security/office-365-security/office-365-ti?view=o365-21vianet) | modified |
-| 3/25/2022 | [Office 365 Security overview, Microsoft Defender for Office 365, EOP, MSDO](/microsoft-365/security/office-365-security/old-index?view=o365-21vianet) | modified |
-| 3/25/2022 | [Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection](/microsoft-365/security/office-365-security/overview?view=o365-21vianet) | modified |
-| 3/25/2022 | [Permissions in the Microsoft 365 Defender portal](/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center?view=o365-21vianet) | modified |
-| 3/25/2022 | [Step-by-step threat protection stack in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365?view=o365-21vianet) | modified |
-| 3/25/2022 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Report false positives and false negatives in Outlook](/microsoft-365/security/office-365-security/report-false-positives-and-false-negatives?view=o365-21vianet) | modified |
-| 3/25/2022 | [Smart reports, insights - Microsoft 365 Security & Compliance Center](/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance?view=o365-21vianet) | modified |
-| 3/25/2022 | [Safe Documents in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-docs?view=o365-21vianet) | modified |
-| 3/25/2022 | [Complete Safe Links overview for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links?view=o365-21vianet) | modified |
-| 3/25/2022 | [Secure email recommended policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Security dashboard overview](/microsoft-365/security/office-365-security/security-dashboard?view=o365-21vianet) | modified |
-| 3/25/2022 | [Security recommendations for priority accounts in Microsoft 365, priority accounts, priority accounts in Office 365, priority accounts in Microsoft 365](/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts?view=o365-21vianet) | modified |
-| 3/25/2022 | [Anti-phishing policies](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Recommended secure document policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/sharepoint-file-access-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Submit malware and non-malware to Microsoft for analysis](/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis?view=o365-21vianet) | modified |
-| 3/25/2022 | [Recommended Teams policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/teams-access-policies?view=o365-21vianet) | modified |
-| 3/25/2022 | [Configure your Microsoft 365 tenant for increased security](/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security?view=o365-21vianet) | modified |
-| 3/25/2022 | [Views in Threat Explorer and real-time detections](/microsoft-365/security/office-365-security/threat-explorer-views?view=o365-21vianet) | modified |
-| 3/25/2022 | [Threat Explorer and Real-time detections](/microsoft-365/security/office-365-security/threat-explorer?view=o365-21vianet) | modified |
-| 3/25/2022 | [Threat hunting in Threat Explorer for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/threat-hunting-in-threat-explorer?view=o365-21vianet) | modified |
-| 3/25/2022 | [Threat Trackers - New and Noteworthy](/microsoft-365/security/office-365-security/threat-trackers?view=o365-21vianet) | modified |
-| 3/25/2022 | [Microsoft Defender for Office 365 trial playbook](/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365?view=o365-21vianet) | modified |
-| 3/25/2022 | [How to use DKIM for email in your custom domain](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-21vianet) | modified |
-| 3/25/2022 | [Use DMARC to validate email, setup steps](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-21vianet) | modified |
-| 3/25/2022 | [Use Azure Privileged Identity Management (PIM) in Microsoft Defender for Office 365 to limit admin access to cyber security tools.](/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365?view=o365-21vianet) | modified |
-| 3/25/2022 | [Quarantine notifications (end-user spam notifications) in Microsoft 365](/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages?view=o365-21vianet) | modified |
-| 3/25/2022 | [Remove yourself from the blocked senders list and address 5.7.511 Access denied errors](/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-21vianet) | modified |
-| 3/25/2022 | [View email security reports](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-21vianet) | modified |
-| 3/25/2022 | [View mail flow reports in the Reports dashboard](/microsoft-365/security/office-365-security/view-mail-flow-reports?view=o365-21vianet) | modified |
-| 3/25/2022 | [View Defender for Office 365 reports](/microsoft-365/security/office-365-security/view-reports-for-mdo?view=o365-21vianet) | modified |
-| 3/25/2022 | [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight](/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight?view=o365-21vianet) | modified |
-| 3/25/2022 | [Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work?view=o365-21vianet) | modified |
lighthouse M365 Lighthouse Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview.md
description: "For Managed Service Providers (MSPs), learn how Microsoft 365 Ligh
# Overview of Microsoft 365 Lighthouse
-Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium or Microsoft 365 E3.
+Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers.
Lighthouse simplifies onboarding of customer tenants by recommending security configuration baselines tailored to SMB customers and providing multi-tenant views across all customer environments. With Lighthouse, MSPs can scale the management of their customers, focus on what's most important, quickly find and investigate risks, and take action to get their customers to a healthy and secure state.
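Review bot: The replacement opening sentence of the overview removes the license qualifier ("who are using Microsoft 365 Business Premium or Microsoft 365 E3") without putting anything in its place, so this paragraph no longer tells the reader that customer eligibility depends on licensing. Suggest ending the new sentence with a reference to the Lighthouse requirements article, so the constraint is stated in one place and linked from here instead of disappearing from the overview.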
lighthouse M365 Lighthouse Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-requirements.md
MSPs must be enrolled in the Cloud Solution Provider (CSP) program as an Indirec
In addition, each MSP customer tenant must qualify for Lighthouse by meeting the following requirements: - Must have delegated access set up for the Managed Service Provider (MSP) to be able to manage the customer tenant*-- Must have at least one Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business license
+- Must have at least one Microsoft 365 Business Premium, Microsoft 365 E3, Windows 365 Business, or Microsoft Defender for Business license
- Must have no more than 1000 licensed users *Delegated Admin Privileges (DAP) is required to onboard customers to Lighthouse. We recommend also establishing Granular Delegated Admin Privileges (GDAP) with your customers to enable more secure delegated access. While DAP and GDAP coexist, GDAP will take precedence for customers where both models are in place. Soon, customers with just GDAP (and no DAP) will be able to onboard to Lighthouse.
lighthouse M365 Lighthouse Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-sign-up.md
description: "For Managed Service Providers (MSPs), learn how to sign up for Mic
# Sign up for Microsoft 365 Lighthouse
-This article provides instructions for how to sign up for Microsoft 365 Lighthouse. Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.
+This article provides instructions for how to sign up for Microsoft 365 Lighthouse. Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers.
## Before you begin
lighthouse M365 Lighthouse Threat Management Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-threat-management-page-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
**Applies to:** -- Windows 10
+- Windows
-Microsoft Defender Antivirus protects tenants, users, and devices from software threats including viruses, malware, and spyware. It's robust, ongoing protection that's built into Windows 10 and included with Microsoft 365 Business Premium and Microsoft&nbsp;365&nbsp;E3.
+Microsoft Defender Antivirus protects tenants, users, and devices from software threats including viruses, malware, and spyware. It's robust, ongoing protection that's built into Windows.
To access the Threat management page in Microsoft 365 Lighthouse, select **Threat Management** in the left navigation pane to view your customer tenants' security posture against threats. You'll see tenants, users, and devices that require your attention and recommendations that will help you reduce risk.
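Review bot: In the **Applies to:** list, changing "Windows 10" to "Windows" leaves the supported versions unstated, and the body sentence now says only "built into Windows". If the intent is Windows 10 and later, state that in the Applies to entry so the scope is explicit and not merely broader.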
lighthouse M365 Lighthouse Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-troubleshoot.md
This article describes error messages and problems that you might encounter whil
**Cause:** Your customer tenants don't meet the following criteria: - Must have delegated access set up for the Managed Service Provider (MSP) to be able to manage the customer tenant*-- Must have at least one Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business, Microsoft Defender for Business license
+- Must have at least one Microsoft 365 Business Premium, Microsoft 365 E3, Windows 365 Business, or Microsoft Defender for Business license
- Must have no more than 1000 licensed users **Resolution:** The following table describes the different tenant statuses that require action and explains how to resolve them.
This article describes error messages and problems that you might encounter whil
|--|--|--| | Inactive | The tenant was offboarded at the request of the MSP and is no longer being managed in Lighthouse. | You need to reactivate the tenant. On the **Tenants** page, select the three dots (more actions) next to the tenant that you want to reactivate, and then select **Activate tenant**. It can take 24ΓÇô48 hours for initial customer data to appear in Lighthouse. | | Ineligible - DAP or GDAP is not set up | You don't have DAP or GDAP admin privileges set up with the tenant, which is required by Lighthouse. | Set up DAP or GDAP admin privileges in the Microsoft Partner Center. |
-| Ineligible - Required license is missing | The tenant is missing a required license. They need at least one Microsoft 365 Business Premium, Microsoft 365 E3, or Microsoft Defender for Business license. | Make sure the tenant has at least one Microsoft 365 Business Premium, Microsoft 365 E3, Windows 365 Business, Microsoft Defender for Business license assigned. |
+| Ineligible - Required license is missing | The tenant is missing a required license. They need at least one Microsoft 365 Business Premium, Microsoft 365 E3, or Microsoft Defender for Business license. | Make sure the tenant has at least one Microsoft 365 Business Premium, Microsoft 365 E3, Windows 365 Business, or Microsoft Defender for Business license assigned. |
| Ineligible - User count exceeded | The tenant has more than the maximum of 1000 licensed users allowed by Lighthouse. | Verify that the tenant doesn't have more than 1000 licensed users. | | Ineligible - Geo check failed | You and your customer don't reside in the same geographic region, which is required by Lighthouse. | Verify that the customer resides in your geographic region. If not, then you can't manage the tenant in Lighthouse. | | In process | Lighthouse discovered the tenant but is still in the process of onboarding them. | Allow Lighthouse 48 hours to complete onboarding of the tenant. |
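Review bot: In the "Ineligible - Required license is missing" row, the added line fixes the missing "or" in the resolution cell but leaves the description cell listing only Microsoft 365 Business Premium, Microsoft 365 E3, or Microsoft Defender for Business, while the resolution cell and the criteria bullet earlier in this article also include Windows 365 Business. Add Windows 365 Business to the description cell so all three license lists agree.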
managed-desktop MMD And ITSM https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/MMD-and-ITSM.md
- Title: Microsoft Managed Desktop and ITIL
-description: Correlates ITIL phases with Microsoft Managed Desktop information and articles
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation, ITISM
-------
-# Microsoft Managed Desktop and ITIL
-
-Many organizations find it valuable to structure their IT services along the lines of a formalized IT Service Model (ITSM), such as [ITIL](https://www.axelos.com/best-practice-solutions/itil).
-
-Microsoft Managed Desktop enables your organization to comply with many key aspects of such formalized ITSM models. Using ITIL as an example, this article helps you see the connections between common ITIL phases and processes and equivalent Microsoft Managed Desktop features, where applicable. This information only applies to the Microsoft Managed Desktop portion of your organization.
-
-For more comprehensive about ITIL and its phases and process, see their [documentation](https://www.axelos.com/best-practice-solutions/itil).
--
-## Service design
-
-This table relates key ITIL phases and processes to Microsoft Managed Desktop features, with links to our documentation for details:
---
-|ITIL process |Description |Documentation |
-||||
-|Service-level management | Response times are defined for admin support requests and incidents. | [Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) |
-|Service catalog management | Service description detailing components of the service is kept true to state of the service, available to all current and interested customers.<br><br>Pre-requisites detailed to understand what is needed to operate the service. | - [Microsoft Managed Desktop service description](service-description/index.md)<br><br>- [Get ready for enrollment in Microsoft Managed Desktop](get-ready/index.md) |
-|Information security management | Security information, including information security for the service.<br><br> Security-related policies and other information on how devices are configured. | - [Security in Microsoft Managed Desktop](service-description/security.md)<br><br>- [Device configuration](service-description/device-policies.md) |
-|Availability management | Microsoft Managed Desktop balances responsibility with your organization to ensure availability of service.<br><br>Admins and users have routes to respective support if there are service or availability issues. | - [Microsoft Managed Desktop operations and monitoring](service-description/operations-and-monitoring.md)<br><br>- [Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md)<br>- [Getting help for users](working-with-managed-desktop/end-user-support.md) |
---
-## Service transition
--
-|ITIL process |Description |Documentation |
-||||
-|Change management | Defined balance of responsibility, process overview, and types related to change management available. | [Microsoft Managed Desktop operations and monitoring](service-description/operations-and-monitoring.md#change-management) |
-|Release and deployment management | Microsoft Managed Desktop manages updates for devices enrolled in the service. | [How updates are handled in Microsoft Managed Desktop](service-description/updates.md) |
-|Service asset and configuration management | Information regarding your organization's Microsoft Managed Desktop deployment is available on the IT admin portal. | [Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) |
-|Knowledge management | Information on the Microsoft Managed Desktop service is kept up to date on this site. | [Change history for Microsoft Managed Desktop documentation](change-history-managed-desktop.md) |
---
-## Service operation
--
-|ITIL process |Description |Documentation |
-||||
-|Event management | Details on monitoring of devices are provided.<br><br>Standard operating procedures for the Microsoft Managed Desktop service are detailed. | - [Security in Microsoft Managed Desktop](service-description/security.md)<br>- [Microsoft Managed Desktop operations and monitoring](service-description/operations-and-monitoring.md) |
-|Incident management | Microsoft Managed Desktop will investigate and act on incidents per defined severity definitions. | [Support request severity definitions](working-with-managed-desktop/admin-support.md#support-request-severity-definitions) |
-|Request fulfillment management | Process for requests for information and change requests related to the Microsoft Managed Desktop service are defined. |[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) |
-|Problem management | Any issues with the service should be directed to your local account team at this time. | Documentation in development |
-|Access management | Access management components and responsibilities for customer to ensure functionality are detailed. | [Identity and access management](service-description/security.md#identity-and-access-management) |
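Review bot: Every line of the article is removed in this hunk, including the "Information security management" and "Access management" rows that point to `service-description/security.md`, and no successor page or redirect is visible. Confirm that a redirect exists for `MMD-and-ITSM.md` so existing links still resolve, and that the ITIL-to-documentation mapping remains reachable for readers who rely on it.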
managed-desktop Change History Managed Desktop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/change-history-managed-desktop.md
- Title: Change history for Microsoft Managed Desktop documentation
-description: This article lists new and updated articles for Microsoft Managed Desktop.
-keywords: change history
-
-ms.sitesec: library
----- NOCSH-
-ms.article: article
--
-# Change history for Microsoft Managed Desktop documentation
-
-This article lists new and updated articles in the [Microsoft Managed Desktop documentation](index.yml). "Updated" articles have had material additions or corrections--minor fixes such as correction of typos, style, or formatting issues aren't listed. You can always view the history of specific commits (including details of any changes) by visiting the [repo on GitHub](https://github.com/MicrosoftDocs/microsoft-365-docs/tree/public/microsoft-365/managed-desktop).
-
-## April 2022
-
-New or changed article | Description
- |
-| [Shared devices](service-description/shared-devices.md) | Added Register new devices using Windows Autopilot self-deploying mode profile |
-| [Teams](get-started/teams.md) | Updated Microsoft Intune changes section |
-
-## March 2022
-
-New or changed article | Description
- |
-| [Device images](service-description/device-images.md) | Added Windows 10 Pro section |
-| [Admin support](working-with-managed-desktop/admin-support.md) | Added severity note to the Edit case details section |
-| [Configurable settings reference](working-with-managed-desktop/config-setting-ref.md) | Added additional proxy requirements |
-| [Localize the user experience](get-started/localization.md) | Added note to the Install more languages section |
-| [Configurable settings reference](working-with-managed-desktop/config-setting-ref.md) | Added note about legacy Edge |
-
-## February 2022
-
-New or changed article | Description
- |
-| [Service metrics report](working-with-managed-desktop/service-metrics-report.md) | Added the Service metric report |
-| [Microsoft Edge](get-started/edge-browser-app.md) | Updated article |
-
-## October 2021
-
-New or changed article | Description
- |
-[Device requirements](service-description/device-requirements.md) | Updated article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Readiness assessment tools](get-ready/readiness-assessment-tool.md) | Updated article
-[Deploy apps to devices](get-started/deploy-apps.md) | Updated article
-
-## September 2021
-
-New or changed article | Description
- |
-[Work with reports](working-with-managed-desktop/reports.md)| Updated article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Prerequisites for guest accounts](get-ready/guest-accounts.md) | Updated article
-[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
-
-## August 2021
-
-New or changed article | Description
- |
-[Work with reports](working-with-managed-desktop/reports.md)| Updated article
-[Device status report](working-with-managed-desktop/device-status-report.md) | Updated article
-[Windows security updates report](working-with-managed-desktop/security-updates-report.md) | Updated article
-[Privacy and personal data](service-description/privacy-personal-data.md) | Updated article
-[Microsoft Managed Desktop product lifecycle](service-description/device-lifecycle.md) | Updated article
-[Prepare certificates and network profiles for Microsoft Managed Desktop](get-ready/certs-wifi-lan.md) | Updated article
-[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
-
-## July 2021
-
-New or changed article | Description
- |
-[Device images](service-description/device-images.md)| Updated article
-[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
-[Microsoft Managed Desktop roles and responsibilities](intro/roles-and-responsibilities.md) | Updated article
-[Enable user support features](get-started/enable-support.md) | New article
-[Enable Enterprise State Roaming](get-started/enterprise-state-roaming.md) | Updated article
-[Microsoft Managed Desktop and Windows 11](intro/win11-overview.md) | New article
-[Preview and test Windows 11 with Microsoft Managed Desktop](working-with-managed-desktop/test-win11-mmd.md) | New article
-[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article
-[Register new devices yourself](get-started/manual-registration.md) |Updated article
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
-[First-run experience with Autopilot and the Enrollment Status Page](get-started/esp-first-run.md) | Updated article
-[Microsoft Managed Desktop operations and monitoring](service-description/operations-and-monitoring.md) | Updated article
-[Getting help for users](working-with-managed-desktop/end-user-support.md) | Updated article
-
-## June 2021
-
-New or changed article | Description
- |
-[Work with reports](working-with-managed-desktop/reports.md) | Updated article
-[Overview](service-description/privacy-personal-data.md) | Updated article
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
-[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
-[Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
-[Enable Enterprise State Roaming](get-started/enterprise-state-roaming.md) | Updated article
-
-## May 2021
-
-New or changed article | Description
- |
-[Set up Microsoft Managed Desktop devices](get-started/prepare-devices.md) | Updated article
-[Device inventory report](working-with-managed-desktop/device-inventory-report.md) | Updated article
-[Network configuration for Microsoft Managed Desktop](get-ready/network.md) | Updated article
-[Diagnostic logs](service-description/diagnostic-logs.md) | New article
-[Microsoft Managed Desktop technologies](intro/technologies.md) | Updated article
-[Prerequisites for guest accounts](get-ready/guest-accounts.md) | Updated article
-[Work with reports](working-with-managed-desktop/reports.md) | Updated article
-
-## April 2021
-
-New or changed article | Description
- |
-[Device profiles](service-description/profiles.md) | New article
-[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Register existing devices yourself](get-started/manual-registration-existing-devices.md) | Updated article
-[Address device name dependency](get-ready/address-device-names.md) | New article
-[Device names](service-description/device-names.md) | New article
-[Remove devices](working-with-managed-desktop/remove-devices.md) | New article
-[Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
-[Apps in Microsoft Managed Desktop](get-ready/apps.md) | Updated article
-[Validate new devices](get-started/validate-device.md) | New article
-[Set up Microsoft Managed Desktop devices](get-started/prepare-devices.md) | Updated article
-[Microsoft Managed Desktop product lifecycle](service-description/device-lifecycle.md) | Updated article
-[Microsoft Managed Desktop devices](service-description/device-list.md) |Updated article
-
-## March 2021
-
-New or changed article | Description
- |
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
-[First-run experience with Autopilot and the Enrollment Status Page](get-started/esp-first-run.md) | Updated article
-[Windows 10 location service](get-started/device-location.md) | New article
-[Device images](service-description/device-images.md) | New article
-[Microsoft Managed Desktop supported regions](service-description/regions-languages.md) | Updated article
-[Localize the user experience](get-started/localization.md) | New article
-
-## February 2021
-
-New or changed article | Description
- |
-[Access the admin portal](get-started/access-admin-portal.md) | Updated article
-[Microsoft Managed Desktop technologies](intro/technologies.md) | Updated article
-[Device requirements](service-description/device-requirements.md) | Updated article
-[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
-[Microsoft OneDrive](get-started/onedrive.md) | New article
-[Compliance](intro/compliance.md) | Updated
-[Microsoft 365 Apps for enterprise](get-started/m365-apps.md) | Updated article
-[Readiness assessment tools](get-ready/readiness-assessment-tool.md) | Updated article
-
-## January 2021
-
-New or changed article | Description
- |
-[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
-[Adjust settings after enrollment](get-started/conditional-access.md) | Updated article
-[Work with reports](working-with-managed-desktop/reports.md) | Updated article
-[Install Intune Company Portal on devices](get-started/company-portal.md) | Updated article
-[Device requirements](service-description/device-requirements.md) | New article
-[Compliance](intro/compliance.md) | Updated article
-[How updates are handled in Microsoft Managed Desktop](service-description/updates.md) | Updated article
-[Access the admin portal](get-started/access-admin-portal.md) | Updated article
-
-## December 2020
-
-New or changed article | Description
- |
-[What is Microsoft Managed Desktop?](./intro/index.md) | Updated article
-[Work with reports](working-with-managed-desktop/reports.md) | Updated article
-[Privacy and personal data](service-description/privacy-personal-data.md) | Updated article
-[Compliance](intro/compliance.md) | Updated article
-[Prerequisites](get-ready/prerequisites.md) | Updated article
-[Network configuration](get-ready/network.md) | Updated article
-
-## November 2020
-
-New or changed article | Description
- |
-[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
-[Readiness assessment tool](get-ready/readiness-assessment-tool.md) | New article
-[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | New article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article
-[Prerequisites for guest accounts](get-ready/guest-accounts.md) | New article
-[Access the admin portal](get-started/access-admin-portal.md) | Updated article
-
-## October 2020
-
-New or changed article | Description
- |
-[Prerequisites](get-ready/prerequisites.md) | Updated article
-Work with insights | Updated article
-[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article
-[Access the admin portal](get-started/access-admin-portal.md) | Updated article
-[Deploy apps to devices](get-started/deploy-apps.md) | Updated article
-[Getting help for users](working-with-managed-desktop/end-user-support.md) | Updated article
-
-## September 2020
-
-New or changed article | Description
- |
-[Privacy and personal data](service-description/privacy-personal-data.md) | New article
-[Prepare mapped drives for Microsoft Managed Desktop](get-ready/mapped-drives.md) | Updated article
-[Getting help for users](working-with-managed-desktop/end-user-support.md) | Updated article
-[Configurable settings reference - Microsoft Managed Desktop](working-with-managed-desktop/config-setting-ref.md) | Updated article
-[Deploy and track configurable settings - Microsoft Managed Desktop](working-with-managed-desktop/config-setting-deploy.md) | Updated article
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
-[Microsoft Teams](get-started/teams.md) | New article
-[Access the admin portal](get-started/access-admin-portal.md) | New article
-[Prepare printing resources for Microsoft Managed Desktop](get-ready/printing.md) | Updated article
-[First-run experience with Autopilot and the Enrollment Status Page](get-started/esp-first-run.md) | Updated article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Prepare certificates and network profiles for Microsoft Managed Desktop](get-ready/certs-wifi-lan.md) | Updated article
-[Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
-Work with insights| Updated article
-
-## August 2020
-
-New or changed article | Description
- |
-[Device inventory report](working-with-managed-desktop/device-inventory-report.md) | New article
-[New Microsoft Edge app](get-started/edge-browser-app.md) | Updated article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Register existing devices yourself](get-started/manual-registration-existing-devices
-.md) | Updated article
-[Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
-[Security operations in Microsoft Managed Desktop](service-description/security-operations.md) | New article
-[Access the admin portal](get-started/access-admin-portal.md) | Updated article
-[Microsoft 365 Apps for enterprise](get-started/m365-apps.md) | New article
-[Privacy and personal data](service-description/privacy-personal-data.md) | New article
-
-## July 2020
-
-New or changed article | Description
- |
-[Microsoft Managed Desktop app requirements](service-description/mmd-app-requirements.md) | Updated article
-[Compliance](intro/compliance.md) | Updated article
-[Get started with app control](get-started/get-started-app-control.md) | Updated article
-[Work with app control](working-with-managed-desktop/work-with-app-control.md) | Updated article
-[Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
-[App control](service-description/app-control.md) | Updated article
-[Network configuration for Microsoft Managed Desktop](get-ready/network.md) | Updated article
-[New Microsoft Edge app](get-started/edge-browser-app.md) | Updated article
-[Access the admin portal](get-started/access-admin-portal.md) | New article
-[App control](service-description/app-control.md) | New article
-[Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](get-started/project-visio.md) | Updated article
-
-## June 2020
-
-New or changed article | Description
- |
-[New Microsoft Edge app](get-started/edge-browser-app.md) | New article
-[Device configuration](service-description/device-policies.md) | Updated article
-
-## May 2020
-
-New or changed article | Description
- |
-[Getting help for users](working-with-managed-desktop/end-user-support.md) | Updated article
-[Steps for Partners to register devices](get-started/partner-registration.md) | Updated article
-[Microsoft Managed Desktop devices](service-description/device-list.md) | Updated article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-
-## April 2020
-
-New or changed article | Description
- |
-[Compliance](intro/compliance.md) | New article
-[Microsoft Managed Desktop supported regions and languages](service-description/regions-languages.md) | Updated article
-
-## March 2020
-
-New or changed article | Description
- |
-[Steps for Partners to register devices](get-started/partner-registration.md)| Updated article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Prepare printing resources for Microsoft Managed Desktop](get-ready/printing.md) | New article
-
-## February 2020
-
-New or changed article | Description
- |
-[Security in Microsoft Managed Desktop](service-description/security.md)| Updated article
-Work with insights | Updated article
-Windows security update insights| New article
-[How updates are handled in Microsoft Managed Desktop](service-description/updates.md) | Updated article
-[Microsoft Managed Desktop device services](service-description/device-services.md) | Updated article
-
-## January 2020
-
-New or changed article | Description
- |
-[Get your users ready to use devices](get-started/get-started-devices.md)| Updated article
-[Add and verify admin contacts in the Admin portal](get-started/add-admin-contacts.md) | Updated article
-[Device configuration](service-description/device-policies.md) | Updated article
-
-## December 2019
-
-New or changed article | Description
- |
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
-[Microsoft Managed Desktop devices](service-description/device-list.md) | Updated article
-[Microsoft Managed Desktop archived devices](service-description/archived-device-list.md) | Updated article
-
-## November 2019
-
-New or changed article | Description
- |
-Work with insights | New article
-Usage insights | New article
-Reliability insights | New article
-[Microsoft Managed Desktop devices](service-description/device-list.md) | Updated article
-[Microsoft Managed Desktop main page](./index.yml) | Updated article
-[What is Microsoft Managed Desktop?](./intro/index.md) | Updated article
-[Get your users ready to use devices](get-started/get-started-devices.md) | Updated article
-[Exceptions to the service plan](service-description/customizing.md) | Updated article
-
-## October 2019
-
-New or changed article | Description
- |
-[Exceptions to the service plan](service-description/customizing.md) | New article
-[Getting help for users](working-with-managed-desktop/end-user-support.md) | Updated article
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
-[Service changes and communication](service-description/servicechanges.md) | New article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Register existing devices yourself](get-started/manual-registration-existing-devices.md) | Updated article
-[Microsoft Managed Desktop supported regions and languages](service-description/regions-languages.md) | Updated article
-
-## September 2019
-
-New or changed article | Description
- |
-[Microsoft Managed Desktop technologies](intro/technologies.md) | Updated article
-[Getting help for users](working-with-managed-desktop/end-user-support.md) | Updated article
-[Microsoft Managed Desktop devices](service-description/device-list.md) | Updated article
-[Deploy and track configurable settings - Microsoft Managed Desktop](working-with-managed-desktop/config-setting-deploy.md) | Updated article
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
-[Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
-[Set up Microsoft Managed Desktop devices](get-started/prepare-devices.md) | New article
-[Register new devices yourself](get-started/manual-registration.md) | Updated article
-[Register existing devices yourself](get-started/manual-registration-existing-devices.md) | New article
-[How updates are handled in Microsoft Managed Desktop](service-description/updates.md) | Updated article
-
-## August 2019
-
-New or changed article | Description
- |
-[Working with Microsoft Consulting Services](get-ready/apps-mcs.md) | Updated article
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
-[Getting help for users](working-with-managed-desktop/end-user-support.md) | Updated article
-[Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
-[Microsoft Managed Desktop technologies](intro/technologies.md) | Updated article
-
-## July 2019
-
-New or changed article | Description
- |
-[Working with Microsoft Consulting Services](get-ready/apps-mcs.md) | Updated article
-[Microsoft Managed Desktop and ITIL](MMD-and-ITSM.md) | New article
-[Device configuration](service-description/device-policies.md) | Updated article
-
-## June 2019
-
-New or changed article | Description
- |
-[Apps in Microsoft Managed Desktop](get-ready/apps.md) | Updated article
-[Working with Microsoft Consulting Services](get-ready/apps-mcs.md) | New article
-[Microsoft Managed Desktop roles and responsibilities](intro/roles-and-responsibilities.md) | Updated article
-[Microsoft Managed Desktop product lifecycle](service-description/device-lifecycle.md) | New article
-
-## May 201
-
-New or changed article | Description
- |
-[Microsoft Managed Desktop supported regions and languages](service-description/regions-languages.md) | Updated article
-[Microsoft Managed Desktop devices](service-description/device-list.md) | Updated article
-[Microsoft Managed Desktop archived devices](service-description/archived-device-list.md) | New article
-[Prepare mapped drives for Microsoft Managed Desktop](get-ready/mapped-drives.md) | New article
-[Prepare certificates and network profiles for Microsoft Managed Desktop](get-ready/certs-wifi-lan.md) | New article
-[Order Microsoft Managed Desktop devices](get-started/devices.md) | Updated article
-[Getting help for users](working-with-managed-desktop/end-user-support.md) | New article
-
-## April 2019
-
-New or changed article | Description
- |
-[Install Intune Company Portal on Microsoft Managed Desktop devices](get-started/company-portal.md) | New article
-[Install Microsoft Project and Microsoft Visio on Microsoft Managed Desktop devices](get-started/project-visio.md) | New article
-[Prepare on-premises resources access for Microsoft Managed Desktop](get-ready/authentication.md) | New article
-[Register devices in Microsoft Managed Desktop](get-started/manual-registration.md) | New article
-[Register devices in Microsoft Managed Desktop for Partners](get-started/partner-registration.md) | New article
-[Deploy apps to Microsoft Managed Desktop devices](get-started/deploy-apps.md) | Updated article
-
-## March 2019
-
-New or changed article | Description
- |
-[Install Intune Company Portal on Microsoft Managed Desktop devices](get-started/company-portal.md) | New article
-[Install Microsoft Project and Microsoft Visio on Microsoft Managed Desktop devices](get-started/project-visio.md) | New article
-
-## February 2019
-
-New or changed article | Description
- |
-[Program devices](service-description/device-list.md) | Updated with support for certain Dell and HP devices.
-[Configurable settings overview](working-with-managed-desktop/config-setting-overview.md) | New article
-[Configurable settings reference](working-with-managed-desktop/config-setting-ref.md) | New article
-[Track and deploy configurable settings](working-with-managed-desktop/config-setting-deploy.md) | New article
-[Get started with devices](get-started/get-started-devices.md) | New article
-
-## January 2019
-
-New or changed article | Description
- |
-[Deploy apps for Microsoft Managed Desktop devices](get-started/deploy-apps.md) | New article.
-[Manage apps for Microsoft Managed Desktop](working-with-managed-desktop/manage-apps.md) | Updated with info on how to update or roll back to a previous version of line-of-business apps.
-
-## December 2018
-
-New or changed article | Description
- |
-[Operations and monitoring for Microsoft Managed Desktop](service-description/operations-and-monitoring.md) | Added balance of responsibility table and updated other tables.
-[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated support types, severity explanations, and additional details.
-
-## November 2018
-
-New or changed article | Description
- |
-[Support for Microsoft Managed Desktop](service-description/support.md)<br />and [User support for Microsoft Managed Desktop](working-with-managed-desktop/end-user-support.md) | Updated to include Australia.
-
-## October 30, 2018
-
-Content reorganized: added section for [Microsoft Managed Desktop service description](service-description/index.md).
managed-desktop Address Device Names https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/address-device-names.md
- Title: Address device name dependency
-description: Remove dependency on device names or request an exception
---- NOCSH------
-# Address device name dependency
-
-Microsoft Managed Desktop applies a standardized name format when devices are enrolled. Microsoft Managed Desktop will automatically rename devices if the name is changed later. For more information, see [Device names](../service-description/device-names.md).
-
-> [!IMPORTANT]
-> If your environment depends on specific device names (for example, to support a particular network configuration), you should investigate options to remove that dependency before enrolling in Microsoft Managed Desktop. If you must keep the name dependency, you can submit a request through the [Admin portal](../working-with-managed-desktop/admin-support.md) to disable the renaming function and use your desired name format.
-
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check [network configuration](network.md).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. [Prepare user access to data](authentication.md).
-1. [Prepare apps](apps.md).
-1. [Prepare mapped drives](mapped-drives.md).
-1. [Prepare printing resources](printing.md).
-1. Address device names (this article).
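Review bot: The removed `[!IMPORTANT]` callout is the only text in this hunk telling admins that a device-name dependency must be removed before enrollment, or an exception requested through the Admin portal to disable renaming, and no replacement text is visible. Confirm that the same guidance is carried by the Device names article (`../service-description/device-names.md`) or by a successor page before this article goes away.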
managed-desktop Apps MCS https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/apps-MCS.md
- Title: Working with Microsoft Consulting Services
-description: Preparation and steps to follow to work with MCS to package your apps
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Working with Microsoft Consulting Services
-
-You can engage with Microsoft Consulting Services (MCS) to get your apps packaged for use with Microsoft Managed Desktop. For more information, work with your account representative to contact MCS to review your specific app packaging project.
-
-## Roles and responsibilities
-
-| Role | Responsibility |
-| | |
-| You | To work with MCS app packaging, **you must provide the following elements**: <ul><li> The source installer files (for example, setup.exe or .msi).</li><li>The installation instructions that specify details about how the final installation should look. For example, should there be a desktop shortcut to the app? What should the app's visibility be? Should the app connect to a server and if so, which one? For more information, see the [application packaging request template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/app-packaging-template.docx).</li><li>You must perform your own acceptance testing to verify that the app works as expected in your environment.</li><ul> |
-| Microsoft Consulting Services (MCS) | **MCS will take care of the following actions:** <ul><li>Check whether the app is prohibited or restricted in the Microsoft Managed Desktop environment.</li><li>Test installation, start, and uninstallation of the app to ensure compatibility with Windows 10. If MCS discovers a compatibility issue, they'll hand off the app to the [App Assure](/fasttrack/products-and-capabilities#app-assure) program for remediation.</li><li>Package the app to your specifications, and test app deployment by using Microsoft Intune.</li><ul>
-
-## App delivery schedule
-
-Start the packaging process by uploading the app information to the Microsoft Managed Desktop portal. The packaging team reviews new submissions every Thursday. After review and packaging, the packaged apps are delivered the following Friday. Up to five apps per week can be packaged to start, but the service can scale to meet your needs.
-
-![calendar showing app inflow on a Thursday (the 21st in this example), media validation the next day, packaging on the following Monday (the 25th), and app delivery on the subsequent Friday (the 29th).](../../media/MCS-cal.png)
-
-You'll be notified once the app has been delivered. At that point, you have 21 days to perform acceptance testing, and approve the work in the Microsoft Managed Desktop portal. If you discover a problem with the app during your acceptance testing, reject the app in the Microsoft Managed Desktop portal. You'll be connected via email with a Microsoft Consulting Services (MCS) packager to understand and resolve the issue.
-
-## Testing accounts and environment
-
-In order for the packaging team to complete the migration to Microsoft Intune, we recommend that you provide certain permissions:
--- Access to Microsoft Intune's App Deployment capabilities for the packager to add and assign the app.-- Test groups, user accounts, and licenses for the packagers to be able to test the apps.-
-MCS will use those permissions to perform the following actions:
--- Ensure that the app works on virtual machine configured for Microsoft Managed Desktop.-- Upload the app to Microsoft Intune for deployment to your users.-
-Without these permissions, it's possible for MCS to move forward, but they won't be able to upload the applications to your environment.
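Review bot: the two bullets under "Testing accounts and environment" ask customers to give packagers access to Intune's app deployment capabilities plus test groups, user accounts and licenses, but nothing in the section says how to scope that access or when to remove it. If this guidance is being moved rather than retired, add a sentence on limiting the grant to the test groups and on revoking it once the packaged app has been accepted.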
managed-desktop Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/apps.md
- Title: Apps in Microsoft Managed Desktop
-description: Explains how apps are handled, including how to package, deploy, and support them.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Apps in Microsoft Managed Desktop
-
-<!--This topic is the target for 2 "Learn more" links in the Admin Portal (aka.ms/app-overview;app-package); also target for link from Online resources (aka.ms/app-overviewmmd-app-prep) do not delete.-->
-
-<!--Applications: supported/onboard/deployment -->
-
-## Apps generally
-
-Microsoft includes certain key apps along with the Microsoft 365 E3 or E5 license needed to participate in Microsoft Managed Desktop. However, even though we provide these apps, you still have certain responsibilities and actions to complete.
-
-You can also deploy additional non-Microsoft apps to your users via self-service through the Company Portal, or a required background installation using Microsoft Intune's deployment pipeline.
-
-## Apps provided by Microsoft
-
-Included with your Microsoft Managed Desktop license are 64-bit versions of the apps in the Microsoft 365 Apps for Enterprise Standard Suite (Word, Excel, PowerPoint, Outlook, Publisher, Access, Teams, and OneNote.)
-
-Click-to-Run versions of Microsoft Project and Visio *aren't* included by default, but you can request them to be added. For more information about these apps, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md).
-
-### What Microsoft does to support the apps we provide
-
-Microsoft will provide full service for the deployment, update, and support for the included Microsoft 365 Apps for enterprise apps. Click-to-Run versions of Microsoft Project and Visio *aren't* included by default. However, Microsoft Managed Desktop will provide deployment groups to allow your IT administrator to manage licenses, and deploy these applications appropriately for your organization. Microsoft will support users of these applications through the Microsoft Managed Desktop support channels.
-
-### What you need to do to support the apps we provide
-
-There are still certain things you need to do with these apps:
-
-| Task | Description |
-| | |
-| Assign Licenses | You're responsible for obtaining and assigning the appropriate licenses to users for Microsoft 365 Apps for enterprise. |
-| Add users to security groups | If you're using Microsoft Project or Visio, your IT administrator must add those users to the appropriate deployment groups. IT administrators are also responsible for reclaiming licenses from those users if they leave the company. |
-| Deploy Microsoft 365 Add-ons | If you need any Add-ons for any of the Microsoft 365 Apps for enterprise apps, deploy them centrally like any other Windows 32 app.
-
-## Apps you provide
-
-You probably have other apps you need for your business operations. These apps can only be deployed to Microsoft Managed Desktop devices by using Microsoft Intune's deployment pipeline. For more information about application deployment, follow the steps in [Deploy apps to Microsoft Managed Desktop devices](../get-started/deploy-apps.md).
-
-### Preparing your own apps for inclusion in Microsoft Managed Desktop
-
-Review your apps, checking:
--- None of the apps are prohibited or have restricted behavior, as described in [Microsoft Managed Desktop app requirements](../service-description/mmd-app-requirements.md).-- Apps must be ready for management by Microsoft Intune. For more information, see [Windows 10 app deployment using Microsoft Intune](/intune/apps-windows-10-app-deploy) and [Add apps to Microsoft Intune](/intune/apps-add).-- Other pre-packaging requirements such as providing license keys, agreement with license terms, and pre-setting server connections.-
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check [network configuration](network.md).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. [Prepare user access to data](authentication.md).
-1. Prepare apps (this article).
-1. [Prepare mapped drives](mapped-drives.md).
-1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
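Review bot: the HTML comment at the top of this article says it is the target for two "Learn more" links in the Admin Portal and for a link from Online resources, and ends with "do not delete", yet every line of the article is removed here. Confirm that the aka.ms links named in that comment are repointed, or that a redirect is in place, before this lands.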
managed-desktop Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/authentication.md
- Title: Prepare on-premises resources access for Microsoft Managed Desktop
-description: Important steps to make sure an Azure AD can communicate with on-premises AD to provide authentication
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Prepare on-premises resources access for Microsoft Managed Desktop
-
-In Microsoft Managed Desktop, devices are automatically joined to Azure Active Directory (Azure AD). For this reason, if you're using an on-premises Active Directory, you must ensure that devices joined to Azure AD can communicate with your on-premises Active Directory.
-
-> [!NOTE]
-> *Hybrid* Azure AD join is not supported by Microsoft Managed Desktop.
-
-Azure Active Directory lets your users take advantage of Single Sign-On (SSO). Single Sign-on means they typically won't have to provide credentials every time they use resources.
-
-For information about joining Azure Active Directory, refer to [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan). For background information about Single Sign-On (SSO) on devices joined to Azure AD, see [How SSO to on-premises resources works on Azure AD joined devices](/azure/active-directory/devices/azuread-join-sso#how-it-works).
-
-This article explains the things you must check in order to ensure that apps, and other resources that depend on local Active Directory connectivity, will work smoothly with Microsoft Managed Desktop.
-
-## Single Sign-On for on-premises resources
-
-Single Sign-On (SSO) by using UPN and password is enabled by default on Microsoft Managed Desktop Devices. But your users can also use Windows Hello for Business, which requires some extra setup steps.
-
-### Single Sign-On by using UPN and password
-
-In most organizations, your users will be able to use SSO to authenticate by UPN and password on Microsoft Managed Desktop Devices. To make sure this function will work, you should double-check the following things:
--- Confirm that Azure AD Connect is set up. It must use an on-premises Active Directory server running Windows Server 2008 R2 or later.-- Confirm that Azure AD Connect is running a supported version. It must be set to sync these three attributes with Azure AD:
- - DNS domain name of the on-premises Active Directory (where the users are located).
- - NetBIOS of your on-premises Active Directory (where the users are located).
- - SAM account name of the user.
-
-### Single Sign-On by using Windows Hello for Business
-
-Microsoft Managed Desktop devices also offer your users a fast, password-less experience by employing Windows Hello for Business. To ensure Windows Hello for Business will work without your users having to provide respective UPN and password, visit [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base) to check the requirements, and then follow the steps provided there.
-
-## Apps and resources that use authentication
-
-Refer to [Understand considerations for applications and resources](/azure/active-directory/devices/azureadjoin-plan#understand-considerations-for-applications-and-resources) in the Azure content set for full guidance on setting up apps to work with Azure Active Directory. In summary:
-
-| App or service | Task |
-| | |
-| Cloud-based apps | If you use **cloud-based apps**, such as those added to the Azure AD app gallery, most don't require any further preparation to work with Microsoft Managed Desktop. However, any Win32 apps that don't use Web Account Manager (WAM) might still prompt users for authentication. |
-| Apps hosted on-premises | For apps that are **hosted on-premises**, be sure to add those apps to the trusted sites list in your browsers. This step will enable Windows authentication to work seamlessly, without users being prompted for credentials. To add apps, refer to [Trusted sites](../working-with-managed-desktop/config-setting-ref.md#trusted-sites) in the [Configurable settings reference](../working-with-managed-desktop/config-setting-ref.md). |
-| Active Directory Federated Services | If you're using Active Directory Federated Services, check that SSO is enabled by using the steps in [Verify and manage single sign-on with AD FS](/previous-versions/azure/azure-services/jj151809(v=azure.100)). |
-| On-premises apps using older protocols | For apps that are **on-premises and use older protocols**, no extra setup is required, as long as the devices have access to an on-premises domain controller to authenticate. To provide secure access for these applications, however, you should deploy Azure AD Application Proxy. For more information, see [Remote access to on-premises applications through Azure Active Directory's Application Proxy](/azure/active-directory/manage-apps/application-proxy). |
-| On-premises apps with on machine authentication | Apps that run **on-premises and rely on machine authentication** aren't supported, so you should consider replacing them with newer versions. |
-
-### Network shares that use authentication
-
-No extra setup is required for users to access network shares, as long as the devices have access to an on-premises domain controller by using a UNC path.
-
-### Printers
-
-Microsoft Managed Desktop devices can't connect to printers that are published to your on-premises Active Directory unless you have configured [Hybrid Cloud Print](/windows-server/administration/hybrid-cloud-print/hybrid-cloud-print-deploy).
-
-While printers can't be automatically discovered in a cloud only environment, your users can use on-premises printers by using the printer path, or printer queue path, as long as the devices have access to an on-premises domain controller.
-
-<!--add fuller material on printers when available-->
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check [network configuration](network.md).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. Prepare user access to data (this article).
-1. [Prepare apps](apps.md).
-1. [Prepare mapped drives](mapped-drives.md).
-1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
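Review bot: in the "On-premises apps using older protocols" row, "no extra setup is required" is followed at once by a recommendation to deploy Azure AD Application Proxy "to provide secure access", so a reader cannot tell whether the proxy is optional. If this table is carried over to a replacement article, state the condition under which Application Proxy is needed, and keep the note that *Hybrid* Azure AD join is not supported, which is dropped along with the rest of the page.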
managed-desktop Certs Wifi Lan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/certs-wifi-lan.md
- Title: Prepare certificates and network profiles for Microsoft Managed Desktop
-description: Certificate requirements and wi-fi connectivity
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Prepare certificates and network profiles for Microsoft Managed Desktop
-
-Certificate-based authentication is a common requirement for customers using Microsoft Managed Desktop. You might require certificates to:
--- Access Wi-Fi or LAN-- Connect to VPN solutions-- Access internal resources in your organization-
-Because Microsoft Managed Desktop devices are joined to Azure Active Directory (Azure AD) and are managed by Microsoft Intune, you must deploy such certificates by using the:
--- Simple Certificate Enrollment Protocol (SCEP), or-- Public Key Cryptography Standard (PKCS) certificate infrastructure that is integrated with Intune.-
-## Certificate requirements
-
-Root certificates are required to deploy certificates through a SCEP or PKCS infrastructure. Other applications and services in your organization might require root certificates to be deployed to your Microsoft Managed Desktop devices.
-
-Before you deploy SCEP or PKCS certificates to Microsoft Managed Desktop, you should gather requirements for each service that requires a user or device certificate in your organization. To make this activity easier, you can use one of the following planning templates:
--- [PKCS certificate template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/PKCS-certificate-template.xlsx)-- [SCEP certificate template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/SCEP-certificate-template.xlsx)-
-## Wi-Fi connectivity requirements
-
-To allow a device to be automatically provided with the required Wi-Fi configuration for your enterprise network, you might need a Wi-Fi configuration profile.
-
-You can configure Microsoft Managed Desktop to deploy these profiles to your devices. If your network security requires devices to be part of the local domain, you might need to evaluate your Wi-Fi network infrastructure to ensure it's compatible with Microsoft Managed Desktop devices. Microsoft Managed Desktop devices are Azure AD-joined only.
-
-Before you deploy a Wi-Fi configuration to Microsoft Managed Desktop devices, you'll be required to gather your organization's requirements for each Wi-Fi network. To make this activity easier, you can use this [WiFi profile template](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-ready/downloads/WiFi-profile-template.xlsx).
-
-## Wired connectivity requirements and 802.1x authentication
-
-If you use 802.1x authentication to secure access from devices to your local area network (LAN), you'll need to push the required configuration details to your Microsoft Managed Desktop devices.
-
-Microsoft Managed Desktop devices running Windows 10, version 1809 or later support deploying an 802.1x configuration through the WiredNetwork configuration service provider (CSP). For more information, see [WiredNetwork CSP](/windows/client-management/mdm/wirednetwork-csp) documentation.
-
-Before you deploy a wired network configuration profile to Microsoft Managed Desktop devices, gather your organization's requirements for your wired corporate network.
-
-**To gather wired corporate network requirements:**
-
-1. Sign on to a device that has your existing 802.1x profile configured and is connected to the LAN network.
-2. Open a command prompt with administrative credentials.
-3. Find the LAN interface name by running `netsh interface show interface`.
-4. Export the LAN profile XML by running `netsh lan export profile folder=. Interface=ΓÇ¥interface_nameΓÇ¥`.
-5. If you need to test your exported profile on Microsoft Managed Desktop device, run `netsh lan add profile filename="PATH_AND_FILENAME.xml" interface="INTERFACE_NAME"`.
-
-## Deploy certificate infrastructure
-
-If you already have an existing SCEP or PKCS infrastructure with Intune and this approach meets your requirements, you can also use it for Microsoft Managed Desktop.
-
-If no SCEP or PKCS infrastructure already exists, you'll have to prepare one. For more information, see [Configure a certificate profile for your devices in Microsoft Intune](/intune/certificates-configure).
-
-## Deploy a LAN profile
-
-Once your LAN profile has been exported, you can prepare the policy for Microsoft Managed Desktop.
-
-**To prepare the policy for Microsoft Managed Desktop:**
-
-1. Create a custom profile in Microsoft Intune for the LAN profile using the following settings (see [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10)). In **Custom OMA-URI Settings**, select **Add**, and then enter the following values:
- - Name: Modern Workplace-Windows 10 LAN Profile
- - Description: Enter a description that gives an overview of the setting, and any other important details.
- - OMA-URI (case sensitive): Enter `./Device/Vendor/MSFT/WiredNetwork/LanXML`
- - Data type: Select **String (XML file)**.
- - Custom XML: Upload the exported XML file.
-2. Assign the custom profile to the **Modern Workplace Devices - Test** group.
-3. Do any testing you feel necessary using a device that's in the Test deployment group. If successful, then assign the custom profile to the following groups:
- - Modern Workplace Devices - First
- - Modern Workplace Devices - Fast
- - Modern Workplace Devices - Broad
-
-## Deploy certificates and Wi-Fi/VPN profile
-
-**To deploy certificates and profiles:**
-
-1. Create a profile for each of the Root and Intermediate certificates (see [Create trusted certificate profiles](/intune/protect/certificates-configure#step-3-create-trusted-certificate-profiles). Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles must have an expiration date.**
-2. Create a profile for each SCEP or PKCS certificates (see [Create a SCEP certificate profile](/intune/protect/certificates-scep-configure#create-a-scep-certificate-profile) or [Create a PKCS certificate profile](/intune/protect/certficates-pfx-configure#create-a-pkcs-certificate-profile)). Each of these profiles must have a description that includes an expiration date in DD/MM/YYYY format. **Certificate profiles must have an expiration date.**
-3. Create a profile for each corporate WiFi network (see [Wi-Fi settings for Windows 10 and later devices](/intune/wi-fi-settings-windows)).
-4. Create a profile for each corporate VPN (see [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/intune/vpn-settings-windows-10)).
-5. Assign the profiles to the **Modern Workplace Devices - Test** group.
-6. Do any testing you feel necessary using a device that's in the Test deployment group. If successful, then assign the custom profile to the following groups:
- - Modern Workplace Devices - First
- - Modern Workplace Devices - Fast
- - Modern Workplace Devices - Broad
-
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check [network configuration](network.md).
-1. Prepare certificates and network profiles (this article).
-1. [Prepare user access to data](authentication.md).
-1. [Prepare apps](apps.md).
-1. [Prepare mapped drives](mapped-drives.md).
-1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
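Review bot: in step 4 of "To gather wired corporate network requirements", the quotes around `interface_name` are not plain ASCII double quotes (they show up here as `ΓÇ¥`), unlike the straight quotes in step 5, so the `netsh lan export profile` command is likely to fail when pasted. If the procedure is carried over to a replacement article, use straight quotes there. Step 1 of "To deploy certificates and profiles" also never closes the parenthesis it opens before "see".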
managed-desktop Guest Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/guest-accounts.md
- Title: Prerequisites for guest accounts
-description: Configuration guidelines for guest accounts and how to adjust them
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Prerequisites for guest accounts
-
-## External collaboration settings
-
-Microsoft Managed Desktop recommends the following configuration in your Azure AD organization for guest account access. You can adjust these settings at the [Azure portal](https://portal.azure.com) under **External Identities / External collaboration settings**:
-
-| Setting | Set to |
-| | |
-| Guest access | Guests have limited access to properties and memberships of directory objects. |
-| Guest invite settings | Member users and users assigned to specific admin roles can invite guests including guests with member permissions |
-
-Microsoft Managed Desktop requires the following configuration in your Azure AD organization for guest account access. You can adjust this setting at the [Azure portal](https://portal.azure.com) under **External Identities / External collaboration settings**:
-
-| Setting | Option |
-| | |
-| Collaboration restrictions | Select any of these options: <ul><li>If you select **Allow invitations to be sent to any domain (most inclusive)**, no other configuration required.</li><li>If you select **Deny invitations to the specified domains**, make sure that Microsoft.com isn't listed in the target domains.</li><li>If you select **Allow invitations only to the specified domains (most restrictive)**, make sure that Microsoft.com *is* listed in the target domains.</li><ul>
-
-If you set restrictions that interact with these settings, ensure to exclude the Azure Active Directory **Modern Workplace Service Accounts**. For example, if you have a conditional access policy that prevents guest accounts from accessing the Intune portal, exclude the **Modern Workplace Service Accounts** group from this policy.
-
-For more information, see [Enable B2B external collaboration and manage who can invite guests](/azure/active-directory/external-identities/delegate-invitations#to-configure-external-collaboration-settings).
-
-## Unlicensed Intune admin
-
-The **Allow access to unlicensed admins** setting must be enabled. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.
-
-**To enable this setting:**
-
-1. Go to the Microsoft Endpoint Manager [admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Navigate to **Tenant administration**, select **Roles**. Then, select **Administrator licensing**.
-3. In the **Allow access to unlicensed admins** section, select **Yes**.
-
-> [!IMPORTANT]
-> You cannot undo this setting after you select **Yes**.
-
-For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins).
-
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review prerequisites for guest accounts (this article).
-1. Check [network configuration](network.md).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. [Prepare user access to data](authentication.md).
-1. [Prepare apps](apps.md).
-1. [Prepare mapped drives](mapped-drives.md).
-1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
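Review bot: under "Unlicensed Intune admin", the sentence "You can safely enable this setting without worrying about security implications" sits a few lines above the IMPORTANT note that the setting cannot be undone. If this text is being carried over, drop the blanket reassurance and lead with the following sentence, which says concretely that the scope of access is defined by the roles assigned to users, so readers can judge an irreversible change for themselves.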
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/index.md
- Title: Get ready for enrollment in Microsoft Managed Desktop
-description: Steps to take to prepare your organization for enrollment
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
-------
-# Get ready for enrollment in Microsoft Managed Desktop
-
-These articles describe the steps you'll need to take in your organization to prepare for enrollment, including:
--- Checking that your environment meets key prerequisites-- Configuring networks-- Setting up certificates-- Preparing your apps for inclusion in the service-
-Once you've run the readiness assessment tools, you can complete the other steps in any order or in parallel. Depending on your environment, some of the steps might not be relevant to you.
-
-![Suggested sequence of steps to get ready for enrollment, listed in this article.](../../medi-getready-sequence.png)
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check [network configuration](network.md).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. [Prepare user access to data](authentication.md).
-1. [Prepare apps](apps.md).
-1. [Prepare mapped drives](mapped-drives.md).
-1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
managed-desktop Mapped Drives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/mapped-drives.md
- Title: Prepare mapped drives for Microsoft Managed Desktop
-description: Important steps to make sure users can access data on mapped drives
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Prepare mapped drives for Microsoft Managed Desktop
-
-Many enterprise environments have legacy requirements for mapped drives to allow their users or teams to share and store files, or for on-premises applications.
-
-Microsoft doesn't recommend the use of mapped drives with the Microsoft Managed Desktop. Instead, we recommend that you modernize your file access solutions as follows:
-
-- Migrate mapped drives used by individual users to OneDrive for Business.-- Migrate mapped drives used by teams to share files to SharePoint Online.-- Modernize or replace any applications that use on-premises file shares to remove that requirement.
-
-Modernizing these services will allow the best user experience with Microsoft Managed Desktop. Microsoft FastTrack Services can assist you in modernizing your environment by using Microsoft Cloud Services. You can check whether you're eligible for FastTrack services at [Eligible Services and Plans](/fasttrack/m365-eligible-services-and-plans). Then, contact them directly to prepare for Microsoft Managed Desktop. For more information about FastTrack OneDrive for Business or SharePoint Online Migration, see [Data Migration](/fasttrack/o365-data-migration).
-
-## Mapped drives on Microsoft Managed Desktop
-
-If you can't remove or replace mapped drives for some use cases, you should submit a support request in the Microsoft Managed Desktop Admin Portal to have them deployed to Microsoft Managed Desktop users.
-
-For such a request, you must provide the following details in the support request:
--- All UNC paths to file share locations that will need to be mapped for Microsoft Managed Desktop devices.-- User groups that require access to these file share locations.-- Any specific drive letter that needs to be assigned (if necessary).-
-For example:
-
-| Drive letter | UNC path | User group |
-|--|-||
-| X: | \\\server\share\Marketing | ContosoMarketing |
-
-It's entirely your responsibility to:
--- Ensure that users and groups have, and maintain, the right permissions to access file share locations-- Have the on-premises file services accessible.-
-You should remove your requirements for such file shares as soon as possible.
-
-**To have mapped drives deployed in Microsoft Managed Desktop:**
-
-Make sure that mapped drives can't be avoided and you've carefully reviewed the requirements before submitting any support request.
-
-1. Navigate to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), and select **Troubleshooting + support**.
-1. In the **Microsoft Managed Desktop** section, select **Service requests**.
-1. Submit a support request titled "Mapped drives deployment" and provide all the required file share details.
-1. Microsoft Managed Desktop IT Operations will advise, by using support request updates, when the request has been completed. Initially this configuration will only be deployed to devices in the Test deployment group.
-1. You must test and confirm whether the configuration deployed by the Microsoft Managed Desktop IT Operations works as you expect.
-1. In the same support request, reply using the **Discussion** tab to notify Microsoft Managed Desktop IT Operations once you've completed your testing.
-1. Microsoft Managed Desktop IT Operations team will then deploy the configuration to the other deployment groups.
-
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check [network configuration](network.md).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. [Prepare user access to data](authentication.md).
-1. [Prepare apps](apps.md).
-1. Prepare mapped drives (this article).
-1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
managed-desktop Network https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/network.md
- Title: Network configuration for Microsoft Managed Desktop
-description: How to set up proxies and necessary endpoints
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH-----
-# Network configuration for Microsoft Managed Desktop
-
-<!--Proxy config-->
-
-## Proxy configuration
-
-Microsoft Managed Desktop is a cloud-managed service. There's a set of endpoints the Microsoft Managed Desktop services needs to be able to reach. This section lists the endpoints that need to be allowed for the various aspects of the Microsoft Managed Desktop service.
-
-Customers can optimize their network by sending all trusted Microsoft 365 network requests directly through their firewall or proxy. It bypasses authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements.
-
-Also, to optimize performance for Microsoft Managed Desktop cloud-based services, these endpoints need special handling by customer client browsers, and the devices in their edge network. These devices include:
--- Firewalls-- SSL Break and Inspect-- Packet inspection devices-- Data loss prevention systems-
-### Proxy requirement
-
-The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable protocol detection.
-
-### Allowed endpoints that are necessary for Microsoft Managed Desktop
-
-Microsoft Managed Desktop uses the Azure portal to host its web console. The following URLs must be on the allowed list of your proxy and firewall so that Microsoft Managed Desktop devices can communicate with Microsoft Services.
-
-The Microsoft Managed Desktop URL is used for anything our service runs on the customer API. You must ensure this URL is always accessible on your corporate network.
-
-| Microsoft service | URLs required on allowlist |
-| -- | -- |
-| Microsoft Managed Desktop | prod-mwaas-services-customerapi.azurewebsites.net <br>mmd-support-prod-nam.trafficmanager.net <br>mmdls.microsoft.com
-Get Help | \*.support.services.microsoft.com <br>inprod.support.services.microsoft.com <br>supportchannels.services.microsoft.com <br>graph.windows.net <br>login.windows.net <br>prod-mwaas-services-customerapi.azurewebsites.net <br>concierge.live.com
-Quick Assist | remoteassistance.support.services.microsoft.com <br>relay.support.services.microsoft.com <br>channelwebsdks.azureedge.net <br>web.vortex.data.microsoft.com <br>gateway.channelservices.microsoft.com <br>\*.lync.com
-Microsoft Support and Recovery Assistant | \*.apibasic.diagnostics.office.com <br>\*.api.diagnostics.office.com |
-
-### Allowed endpoints used by other Microsoft products
-
-There are URLs from several Microsoft products that must be in the allowed list so that Microsoft Managed Desktop devices can communicate with those Microsoft Services. Use the links to see the complete list for each product.
-
-| Microsoft service | Documentation |
-| -- | -- |
-| Windows 10 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10, version 1803](/windows/privacy/manage-windows-1803-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 1809](/windows/privacy/manage-windows-1809-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 1903](/windows/privacy/manage-windows-1903-endpoints)<br><br>[Manage connection endpoints for Windows 10, version 2004](/windows/privacy/manage-windows-2004-endpoints)
-| Delivery Optimization | [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) |
-| Microsoft 365 | [Microsoft 365 URL and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md) |
-|Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports) <br><br> [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)) |
-| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<br><br>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
-| Microsoft 365 Defender for Endpoint | [Microsoft 365 Defender for Endpoint requirements](/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server)
-Windows Autopilot | [Windows Autopilot Networking Requirements](/windows/deployment/windows-autopilot/windows-autopilot-requirements#networking-requirements) |
-
-| Microsoft service | URLs required on allowlist | Documentation source
-| -- | -- | -- |
-| Windows Update for Business (WUfB) | update.microsoft.com<br>\*.update.microsoft.com<br>download.windowsupdate.com<br>\*.download.windowsupdate.com<br>download.microsoft.com<br>\*.download.microsoft.com<br>windowsupdate.com<br>\*.windowsupdate.com<br>ntservicepack.microsoft.com<br>wustat.windows.com<br>login.live.com <br>mp.microsoft.com<br>\*.mp.microsoft.com | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) |
-| Delivery Optimization | \*.do.dsp.mp.microsoft.com<br>\*.dl.delivery.mp.microsoft.com <br>\*.emdl.ws.microsoft.com<br>\*.download.windowsupdate.com <br>\*.windowsupdate.com | [Windows Update proxy requirements](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) |
-| Microsoft Store for Business | login.live.com <br>account.live.com <br>clientconfig.passport.net <br>wustat.windows.com <br>\*.windowsupdate.com <br>\*.wns.windows.com <br>\*.hotmail.com <br>\*.outlook.com <br>\*.microsoft.com <br>\*.msftncsi.com/ncsi.txt | [Microsoft Store allowlist](https://support.microsoft.com/help/2778122/using-authenticated-proxy-servers-together-with-windows-8) |
-| Microsoft 365 | \*.office365.com<br>\*.office.com<br>\*.office.net<br>\*.live.com<br>\*.portal.cloudappsecurity.com<br>\*.portal.cloudappsecurity.com<br>\*.us.portal.cloudappsecurity.com<br>\*.eu.portal.cloudappsecurity.com<br>\*.us2.portal.cloudappsecurity.com<br>&lt;tenant>.onmicrosoft.com<br>account.office.net<br>agent.office.net<br>apc.delve.office.com<br>aus.delve.office.com<br>can.delve.office.com<br>delve.office.com<br>eur.delve.office.com<br>gbr.delve.office.com<br>home.office.com<br>ind.delve.office.com<br>jpn.delve.office.com<br>kor.delve.office.com<br>lam.delve.office.com<br>nam.delve.office.com<br>admin.microsoft.com<br>outlook.office365.com<br>suite.office.net<br>webshell.suite.office.com<br>www.office.com<br>\*.aria.microsoft.com<br>browser.pipe.aria.microsoft.com<br>mobile.pipe.aria.microsoft.com<br>portal.microsoftonline.com<br>clientlog.admin.microsoft.com<br>nexus.officeapps.live.com<br>nexusrules.officeapps.live.com<br>amp.azure.net<br>\*.o365weve.com<br>auth.gfx.ms<br>appsforoffice.microsoft.com<br>assets.onestore.ms<br>az826701.vo.msecnd.net<br>c.microsoft.com<br>c1.microsoft.com<br>client.hip.live.com<br>contentstorage.osi.office.net<br>dgps.support.microsoft.com<br>docs.microsoft.com<br>groupsapi-<br>rod.outlookgroups.ms<br>groupsapi2-prod.outlookgroups.ms<br>groupsapi3-prod.outlookgroups.ms<br>groupsapi4-prod.outlookgroups.ms<br>msdn.microsoft.com<br>platform.linkedin.com<br>products.office.com<br>prod.msocdn.com<br>r1.res.office365.com<br>r4.res.office365.com<br>res.delve.office.com<br>shellprod.msocdn.com<br>support.content.office.net<br>support.microsoft.com<br>support.office.com<br>technet.microsoft.com<br>templates.office.com<br>video.osi.office.net<br>videocontent.osi.office.net<br>videoplayercdn.osi.office.net<br>\*.manage.office.com<br>\*.protection.office.com<br>manage.office.com<br>Protection.office.com<br>diagnostics.office.com | [Microsoft 365 URL and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md) |
-| Azure Active Directory | api.login.microsoftonline.com<br>api.passwordreset.microsoftonline.com<br>autologon.microsoftazuread-sso.com<br>becws.microsoftonline.com<br>clientconfig.microsoftonline-p.net <br>companymanager.microsoftonline.com <br>device.login.microsoftonline.com <br>hip.microsoftonline-p.net <br>hipservice.microsoftonline.com <br>login.microsoft.com<br>login.microsoftonline.com <br>logincert.microsoftonline.com <br>loginex.microsoftonline.com<br>login-us.microsoftonline.com <br>login.microsoftonline-p.com <br>login.windows.net <br>nexus.microsoftonline-p.com <br>passwordreset.microsoftonline.com <br>provisioningapi.microsoftonline.com<br>stamp2.login.microsoftonline.com<br>\*.msappproxy.net<br>ccs.login.microsoftonline.com<br>ccs-sdf.login.microsoftonline.com<br>accounts.accesscontrol.windows.net<br>secure.aadcdn.microsoftonline-p.com<br>\*.phonefactor.net<br>account.activedirectory.windowsazure.com<br>secure.aadcdn.microsoftonline-p.com<br>graph.microsoft.com | [Hybrid identity required ports and protocols](/azure/active-directory/connect/active-directory-aadconnect-ports) and [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)) |
-| Microsoft Intune | login.microsoftonline.com<br>portal.manage.microsoft.com<br>m.manage.microsoft.com<br>sts.manage.microsoft.com<br>Manage.microsoft.com <br>i.manage.microsoft.com <br>r.manage.microsoft.com <br>a.manage.microsoft.com <br>p.manage.microsoft.com <br>EnterpriseEnrollment.manage.microsoft.com <br>EnterpriseEnrollment-s.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com<br>m.fei.msua01.manage.microsoft.com<br>fei.msua01.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com <br>m.fei.msua01.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com <br>m.fei.amsua0602.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com 
<br>m.fei.amsua0602.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com 
<br>m.fei.msuc05.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com <br>m.fei.msuc05.manage.microsoft.com<br>fef.msua01.manage.microsoft.com<br>fef.msua02.manage.microsoft.com<br>fef.msua04.manage.microsoft.com<br>fef.msua05.manage.microsoft.com<br>fef.msua06.manage.microsoft.com<br>fef.msua07.manage.microsoft.com<br>fef.msub01.manage.microsoft.com<br>fef.msub02.manage.microsoft.com<br>fef.msub03.manage.microsoft.com<br>fef.msub05.manage.microsoft.com<br>fef.msuc01.manage.microsoft.com<br>fef.msuc02.manage.microsoft.com<br>fef.msuc03.manage.microsoft.com<br>fef.msuc05.manage.microsoft.com | [Intune network configuration requirements](/intune/network-bandwidth-use) |
-| OneDrive for Business | onedrive.com <br> <br>\*.onedrive.com <br>onedrive.live.com <br>login.live.com <br>spoprod-a.akamaihd.net <br>\*.mesh.com <br>p.sfx.ms <br>\*.microsoft.com <br>fabric.io <br>\*.crashlytics.com <br>vortex.data.microsoft.com <br>https://posarprodcssservice.accesscontrol.windows.net <br>redemptionservices.accesscontrol.windows.net <br>token.cp.microsoft.com/ <br>tokensit.cp.microsoft-tst.com/ <br>\*.office.com <br>\*.officeapps.live.com <br>\*.aria.microsoft.com <br>\*.mobileengagement.windows.net <br>\*.branch.io <br>\*.adjust.com <br>\*.servicebus.windows.net <br>vas.samsungapps.com <br>odc.officeapps.live.com <br>login.windows.net <br>login.microsoftonline.com <br>\*.files.1drv.com <br>\*.onedrive.live.com <br>\*.\*.onedrive.live.com <br>storage.live.com <br>\*.storage.live.com <br>\*.\*.storage.live.com <br>\*.groups.office.live.com <br>\*.groups.photos.live.com <br>\*.groups.skydrive.live.com <br>favorites.live.com <br>oauth.live.com <br>photos.live.com <br>skydrive.live.com <br>api.live.net <br>apis.live.net <br>docs.live.net <br>\*.docs.live.net <br>policies.live.net <br>\*.policies.live.net <br>settings.live.net <br>\*.settings.live.net <br>skyapi.live.net <br>snapi.live.net <br>\*.livefilestore.com <br>\*.\*.livefilestore.com <br>storage.msn.com <br>\*.storage.msn.com <br>\*.*.storage.msn.com | [Required URLs and ports for OneDrive](/onedrive/required-urls-and-ports) |
-| Microsoft Defender Advanced Threat Protection (ATP) | \ *.oms.opinsights.azure.com <br>\*.blob.core.windows.net <br>\*.azure-automation.net <br>\*.ods.opinsights.azure.com <br>winatp-gw-cus.microsoft.com <br>winatp-gw-eus.microsoft.com <br>winatp-gw-neu.microsoft.com <br>winatp-gw-weu.microsoft.com <br>winatp-gw-uks.microsoft.com <br>winatp-gw-ukw.microsoft.com <br>winatp-gw-aus.microsoft.com <br>winatp-gw-aue.microsoft.com | [Windows Defender ATP endpoints](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection)
-| Get Help | \*.support.services.microsoft.com <br>inprod.support.services.microsoft.com <br>supportchannels.services.microsoft.com <br>graph.windows.net <br>login.windows.net <br>prod-mwaas-services-customerapi.azurewebsites.net <br>concierge.live.com <br>rave.office.net |
-Quick Assist | remoteassistance.support.services.microsoft.com <br>relay.support.services.microsoft.com <br>channelwebsdks.azureedge.net <br>web.vortex.data.microsoft.com <br>gateway.channelservices.microsoft.com <br>\*.lync.com |
-| SharePoint Online | \*.sharepoint.com <br>\ *.svc.ms <br>\<tenant\>.sharepoint.com <br>\<tenant\>-my.sharepoint.com <br>\<tenant\>-files.sharepoint.com <br>\<tenant\>-myfiles.sharepoint.com <br>\*.sharepointonline.com <br>cdn.sharepointonline.com <br>static.sharepointonline.com <br>spoprod-a.akamaihd.net <br>publiccdn.sharepointonline.com <br>privatecdn.sharepointonline.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
-| OneDrive for Business | admin.onedrive.com <br>officeclient.microsoft.com <br>odc.officeapps.live.com <br>skydrive.wns.windows.com <br>g.live.com <br>oneclient.sfx.ms <br>\*.log.optimizely.com <br>click.email.microsoftonline.com <br>ssw.live.com <br>storage.live.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-| Microsoft Teams | \*.teams.skype.com <br>\*.teams.microsoft.com <br>teams.microsoft.com <br>\*.asm.skype.com <br>\ *.cc.skype.com <br>\*.conv.skype.com <br>\*.dc.trouter.io <br>\*.msg.skype.com <br>prod.registrar.skype.com <br>prod.tpc.skype.com <br>\*.broker.skype.com <br>\*.config.skype.com <br>\*.pipe.skype.com <br>\*.pipe.aria.microsoft.com <br>config.edge.skype.com <br>pipe.skype.com <br>s-0001.s-msedge.net <br>s-0004.s-msedge.net <br>scsinstrument-ss-us.trafficmanager.net <br>scsquery-ss- <br>us.trafficmanager.net <br>scsquery-ss-eu.trafficmanager.net <br>scsquery-ss-asia.trafficmanager.net <br>\*.msedge.net <br>compass-ssl.microsoft.com <br>feedback.skype.com <br>\*.secure.skypeassets.com <br>mlccdnprod.azureedge.net <br>videoplayercdn.osi.office.net <br>\*.mstea.ms | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
-| Power BI | maxcdn.bootstrapcdn.com <br>ajax.aspnetcdn.com <br>netdna.bootstrapcdn.com <br>cdn.optimizely.com <br>google-analytics.com <br>\*.mktoresp.com <br>\*.aadcdn.microsoftonline-p.com <br>\*.msecnd.com <br>\*.localytics.com <br>ajax.aspnetcdn.com <br>\*.localytics.com <br>\*.virtualearth.net <br>platform.bing.com <br>powerbi.microsoft.com <br>c.microsoft.com <br>app.powerbi.com <br>\*.powerbi.com <br>dc.services.visualstudio.com <br>support.powerbi.com <br>go.microsoft.com <br>c1.microsoft.com <br>\*.azureedge.net |[Power BI & Express Route](/power-bi/service-admin-power-bi-expressroute)
-| OneNote | apis.live.net <br>www.onedrive.com <br>login.microsoft.com <br>www.onenote.com <br>\*.onenote.com <br>\*.msecnd.net <br>\*.microsoft.com <br>\*.office.net <br>cdn.onenote.net <br>site-cdn.onenote.net <br>cdn.optimizely.com <br>Ajax.aspnetcdn.com <br>officeapps.live.com <br>\\*.onenote.com <br>\*cdn.onenote.net <br>contentstorage.osi.office.net <br>\*onenote.officeapps.live.com <br>\*.microsoft.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
-
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check network configuration (this article).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. [Prepare user access to data](authentication.md).
-1. [Prepare apps](apps.md).
-1. [Prepare mapped drives](mapped-drives.md).
-1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
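Review bot: if the endpoint tables removed here are being moved to another article rather than retired, several entries should not be carried over as written. In the second allowlist table the Microsoft 365 row has a hostname split across a line break (`groupsapi-<br>rod.outlookgroups.ms`), the Teams row has the same problem (`scsquery-ss- <br>us.trafficmanager.net`), and the Defender, SharePoint and Teams rows contain `\ *.` with a stray space, so a proxy rule copied from them would not match. The same tables list broad wildcards on domains that host any customer's content (`\*.blob.core.windows.net`, `\*.azureedge.net`, `\*.servicebus.windows.net`) next to the Proxy configuration guidance to bypass authentication and packet-level inspection. The replacement text should say which of those wildcards need the bypass and which only need to be reachable.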
managed-desktop Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/prerequisites.md
- Title: Prerequisites for Microsoft Managed Desktop
-description: Licenses, Azure accounts, authentication settings, and Microsoft 365 settings to set up before enrolling in Microsoft Managed Desktop
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Prerequisites for Microsoft Managed Desktop
-
-<!--This topic is the target for a "Learn more" link in the Admin Portal (aka.ms/prereq-azure). DO NOT DELETE.-->
-<!--from Prerequisites -->
-
-This article outlines the infrastructure requirements you must meet to assure success with Microsoft Managed Desktop.
-
-| Area | Prerequisite details |
-| -- | -- |
-| Licensing | Microsoft Managed Desktop requires the Microsoft 365 E3 license with Microsoft Defender for Endpoint (or equivalents) assigned to your users. <ul><li>For details about the specific service plans, see [More about licenses](#more-about-licenses).</li><li> For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).</li></ul>
-| Connectivity | All Microsoft Managed Desktop devices require connectivity to numerous Microsoft service endpoints from the corporate network.<br><br> For the full list of required IPs and URLs, see [Network configuration](../get-ready/network.md).
-| Azure Active Directory | Azure Active Directory (Azure AD) must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure AD Connect. <ul><li>For more information, see [Azure AD Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect).</li><li> For more information on supported Azure AD Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul>
-| Authentication | If Azure AD isn't the source of primary authentication for user accounts, you must configure one of the following authentication methods in Azure AD Connect:<ul><li> Password hash synchronization.</li> <li> Pass-through authentication.</li><li>An external identity provider (including Windows Server ADFS and non-Microsoft IDPs) configured to meet Azure AD integration requirements. For more information, see the [guidelines](https://www.microsoft.com/download/details.aspx?id=56843).</li></ul> <br> When setting authentication options with Azure AD Connect, password writeback is also recommended. For more information, see [Password writeback](/azure/active-directory/authentication/howto-sspr-writeback). <br><br> If an external identity provider is implemented, you must validate the solution:<ul><li>Meets Azure AD integration requirements.</li><li>Supports Azure AD Conditional Access, which allows the Microsoft Managed Desktop device compliance policy to be configured.</li><li>Enables device enrollment, use of Microsoft 365 services, or features required as part of Microsoft Managed Desktop.</li></ul> <br>For more information on authentication options with Azure AD, see [Azure AD Connect user sign in options](/azure/active-directory/connect/active-directory-aadconnect-user-signin).
-| Microsoft 365 | OneDrive for Business must be enabled for Microsoft Managed Desktop users.<br><br>Though it isn't required to enroll with Microsoft Managed Desktop, we highly recommended that the following services be migrated to the cloud:<ul><li>Email: Migrate to cloud-based mailboxes, Exchange online, or configure with Exchange Online Hybrid with Exchange 2013 or higher, on-premises.</li><li>Files and folders: Migrate to OneDrive for Business or SharePoint Online.</li><li>Online collaboration tools: Migrate to Teams.</ul> |
-| Device management | Microsoft Managed Desktop devices require management using Microsoft Intune. Intune must be set as the Mobile Device Management authority.<br><br> For more information, see [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
-| Data backup and recovery | Microsoft Managed Desktop requires files to be synced to OneDrive for Business for protection. Any files not synced to OneDrive for Business aren't guaranteed by Microsoft Managed Desktop. The files might be lost during device exchanges or support calls requiring a device reset.<br><br>Though not required, Microsoft Managed Desktop strongly recommends migration from mapped network drives to the appropriate cloud solution. For more information, see [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-
-When you're ready to get started with Microsoft Managed Desktop, contact your Microsoft Account Manager.
-
-## More about licenses
-
-Microsoft Managed Desktop requires certain license options in order to function. See [Microsoft Managed Desktop technologies](../intro/technologies.md) for information about how these licenses are used.
-
-> [!TIP]
-> To assign these license options to specific users, we recommend that you take advantage of the [group-based licensing feature](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) of Azure Active Directory.
--- Azure Active Directory Premium P1-- Microsoft Intune-- Windows 10 Enterprise -- Microsoft Defender for Endpoint-- Microsoft 365 Apps for enterprise-- Microsoft Teams-- [SharePoint Online Plan 2](https://www.microsoft.com/microsoft-365/sharepoint/compare-sharepoint-plans)-- [Exchange Online Plan 2](https://www.microsoft.com/microsoft-365/exchange/compare-microsoft-exchange-online-plans)-
-> [!TIP]
-> Your Microsoft Account Manager will help you review your current licenses, service plans, and find the most efficient path for you to get any additional licenses or service plans you might need, while avoiding duplication.
-
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review prerequisites (this article).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check [network configuration](network.md).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. [Prepare user access to data](authentication.md).
-1. [Prepare apps](apps.md).
-1. [Prepare mapped drives](mapped-drives.md).
-1. [Prepare printing resources](printing.md).
-1. Address [device names](address-device-names.md).
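Review bot: the comment near the top of this article, `<!--This topic is the target for a "Learn more" link in the Admin Portal (aka.ms/prereq-azure). DO NOT DELETE.-->`, is removed along with every other visible line of the article. Confirm that aka.ms/prereq-azure is repointed to the replacement page before this lands, and that the `#more-about-licenses` anchor referenced from the Licensing row has an equivalent there.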
managed-desktop Printing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/printing.md
- Title: Prepare printing resources for Microsoft Managed Desktop
-description: Important steps to make sure printing work smoothly
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Prepare printing resources for Microsoft Managed Desktop
-
-As you get ready to enroll in Microsoft Managed Desktop, you should evaluate your printing requirements and determine the right approach for your environment. You have three options:
-
-| Option | Description |
-| | |
-| Deploy the Microsoft Universal Print solution | The Microsoft Universal Print solution to make it easy for Microsoft Managed Desktop devices to discover printers. For more information, see [What is Universal Print](/universal-print/fundamentals/universal-print-whatis). |
-| Deploy printers directly by using a custom PowerShell script | Follow the steps in the [Set up local printers](#set-up-local-printers) section. |
-| Use a non-Microsoft cloud printing solution | Use a non-Microsoft cloud printing solution that is compatible with Windows 10 devices and joined to an Azure Active Directory domain. The solution must meet the software requirements for Microsoft Managed Desktop. For more information, see [Microsoft Managed Desktop app requirements](../service-description/mmd-app-requirements.md). |
-
-In all the above options, if the printer drivers aren't available from Microsoft Update or the Microsoft Store, you must obtain them yourself, and have them packaged for deployment to your Microsoft Managed Desktop devices with Microsoft Intune. For more, see [Intune Standalone - Win32 app management](/mem/intune/apps/apps-win32-app-management)
-
-## Set up local printers
-
-The following instructions assume you've prepared the printing resources and decided to deploy printers using a custom PowerShell script.
-
-**To deploy printers using a custom PowerShell script:**
-
-1. Navigate to the Microsoft Managed Desktop portal.
-1. Submit a request labeled *Printer deployment* in the **Support > Support requests** section of the Admin Portal.
-1. Provide the following details:
- - All UNC paths to shared printer locations that will need to be deployed for Microsoft Managed Desktop devices.
- - User groups that require access to these shared printers.
-1. Using the Admin Portal, we'll let you know when the request has been completed. Initially we'll only deploy the configuration to devices in the Test deployment group.
-1. Test and confirm whether the configuration works as you expect.
-1. Reply by using the **Discussion** tab in the support request to let us know when you've completed your testing.
-1. We'll then deploy the configuration to the other deployment groups.
-
-## Steps to get ready
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-1. Run [readiness assessment tools](readiness-assessment-tool.md).
-1. Buy [Company Portal](../get-started/company-portal.md).
-1. Review [prerequisites for guest accounts](guest-accounts.md).
-1. Check [network configuration](network.md).
-1. [Prepare certificates and network profiles](certs-wifi-lan.md).
-1. [Prepare user access to data](authentication.md).
-1. [Prepare apps](apps.md).
-1. [Prepare mapped drives](mapped-drives.md).
-1. Prepare printing resources (this article).
-1. Address [device names](address-device-names.md).
managed-desktop Readiness Assessment Downloadable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-downloadable.md
- Title: Downloadable readiness assessment checker
-description: Checks device and network settings, including required endpoints
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---------
-# Downloadable readiness assessment checker
-
-To work well with Microsoft Managed Desktop, devices must meet certain requirements for hardware and settings. Each device must be able to reach key endpoints.
-
-Download and run the readiness assessment checker tool to obtain an HTML report, view results, and take action. You must download the tool and supporting files. Then, run it manually on each device you want to enroll in Microsoft Managed Desktop.
-
-For each check, the tool will report one of three possible results:
-
-| Result | Meaning |
-| -- | -- |
-| Ready | No action is required before you complete enrollment. |
-| Advisory | Follow the steps in the tool for the best experience with enrollment and for users. <br><br> You *can* complete enrollment, but you must fix these issues before you deploy your first device. |
-| Not ready | **Enrollment will fail** if you don't fix these issues. <br><br> Follow the steps in the tool to resolve them. |
-
-## Obtain the checker
-
-Download the .zip file from https://aka.ms/mmddratoolv0.
-
-> [!NOTE]
-> The user running the tool must have local Administrator rights on the device where they're running it.
-
-**To run the tool:**
-
-1. Copy the downloaded .zip file to each device you want to check.
-2. Extract all files in the compressed download.
-3. Run **Microsoft.MMD.DeviceReadinessAssessmentTool.exe**.
-4. When the User Access Control prompt appears, select **Yes**. The tool runs and opens a report in your default browser.
-
-You could also download and extract the .zip archive to a shared location, access **Microsoft.MMD.DeviceReadinessAssessmentTool.exe** from each device. Then, run it locally.
-
-## Checks
-
-The downloadable tool checks these device and network-related items:
-
-| Check | Description |
-| -- | -- |
-| Hardware | Devices must meet specific hardware requirements to work with Microsoft Managed Desktop. For more information, see [Device requirements](../service-description/device-list.md). <br><br> If your device fails any of the checks, it's not compatible with Microsoft Managed Desktop. |
-| Network endpoints | Devices much be able to reach several [key endpoints](network.md) to work with Microsoft Managed Desktop. <br><br> If the tool reports a **Not ready** result, see the detailed report to find out which endpoints weren't reachable. Then, adjust your firewall or other network settings to ensure those endpoints can be reached. |
-
-### Other settings
-
-| Setting | Description |
-| -- | -- |
-| Enterprise Wi-Fi profiles | An **Advisory** result means that you're using some Wi-Fi profiles that need certificates and profiles to work properly. For more information, see [Deploy certificates and Wi-Fi/VPN profile](certs-wifi-lan.md#deploy-certificates-and-wi-fivpn-profile). |
-| LAN profiles | An **Advisory** result means that you have LANs that need certificates and profiles to work properly. For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |
-| VPN profiles | An **Advisory** result means that you're using a virtual private network (VPN). Create a VPN profile that deploys certificates integrated with Microsoft Intune. For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |
-| Mapped drives | An **Advisory** result means that you have some mapped drives, which aren't recommended. For more information, see [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md). |
-| Print queues | An **Advisory** result means that you have some outstanding print queues, which aren't recommended. One solution is to use cloud printing. For more information, see [Prepare printing resources for Microsoft Managed Desktop](printing.md). |
-| Proxies | An **Advisory** result means that you have a proxy server in use. For more information, see [Network configuration for Microsoft Managed Desktop](network.md). |
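Review bot: No replacement or redirect is visible for the removed "Obtain the checker" section, which holds the download link, the note that the tool needs local Administrator rights, and the Ready / Advisory / Not ready table. Say where admins who already run Microsoft.MMD.DeviceReadinessAssessmentTool.exe should now look. If any of this text is reused, step 4 should name the prompt User Account Control rather than "User Access Control", and the Network endpoints row should read "Devices must be able", not "Devices much be able".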
managed-desktop Readiness Assessment Fix https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix.md
- Title: Fix issues found by the readiness assessment tool
-description: Detailed actions to take for each issue the tool finds
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Fix issues found by the readiness assessment tool
-
-For each check, the tool will report one of four possible results:
-
-| Result | Meaning |
-| -- | -- |
-| Ready | No action is required before completing enrollment. |
-| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users. <br><br> You *can* complete enrollment, but you must fix these issues before you deploy your first device. |
-| Not ready | **Enrollment will fail if you don't fix these issues.** <br><br> Follow the steps in the tool or this article to resolve them. |
-| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check. |
-
-> [!NOTE]
-> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365, items that were "Ready" can become "Not ready." To avoid problems with Microsoft Managed Desktop operations, check the specific settings described in this article before you change any policies.
-
-## Microsoft Intune settings
-
-You can access Intune settings at the Microsoft Endpoint Manager [admin center](https://endpoint.microsoft.com).
-
-### Autopilot deployment profile
-
-You shouldn't have any existing Autopilot profiles that target assigned or dynamic groups with Microsoft Managed Desktop devices. Microsoft Managed Desktop uses Autopilot to configure new devices. If you have an existing Autopilot deployment profile, the **Convert all targeted devices to Autopilot** setting must be set to **No** for the Microsoft Managed Desktop Autopilot readiness test to succeed.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have an Autopilot profile that is assigned to all devices. <br><br> For more information, see [Enroll Windows devices in Intune by using Windows Autopilot](/mem/autopilot/enrollment-autopilot). After Microsoft Managed Desktop enrollment, set your Autopilot policy to exclude the **Modern Workplace Devices - All** Azure AD group.
-| Advisory | Make sure that your Autopilot profiles target an assigned or dynamic Azure AD group that doesn't include Microsoft Managed Desktop devices. <br><br> For more information, see [Enroll Windows devices in Intune by using Windows Autopilot](/mem/autopilot/enrollment-autopilot). After Microsoft Managed Desktop enrollment, set your Autopilot profiles to exclude the **Modern Workplace Devices - All** Azure AD group. |
-
-### Certificate connectors
-
-If you have any certificate connectors that will be used by the devices you want to enroll in Microsoft Managed Desktop, the connectors shouldn't have any errors. Only one of the following advisories will apply to your situation, so check them carefully.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | No certificate connectors are present. It's possible you don't need any connectors, but you should evaluate whether you might need some for network connectivity on your Microsoft Managed Desktop devices. <br><br> For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |
-| Advisory | At least one certificate connector has an error. If you need this connector for providing certificates to Microsoft Managed Desktop devices, you must resolve the error. <br><br> For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |
-| Advisory | You have at least one certificate connector, and no errors are reported. However, in preparation for deployment, you might need to create a profile to reuse the connector for Microsoft Managed Desktop devices. <br><br> For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md). |
-
-### Company Portal
-
-Microsoft Managed Desktop requires that IT administrators install Intune Company Portal for their users with Microsoft Managed Desktop devices.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You don't have Company Portal installed for your users. Purchase Company Portal and force a sync between Intune and Microsoft Store for Business. <br><br> For more information, see [Install Intune Company Portal on devices](../get-started/company-portal.md).
-
-### Conditional access policies
-
-Conditional access policies can't prevent Microsoft Managed Desktop from managing your Azure AD organization (tenant) in Intune and Azure AD.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have at least one conditional access policy that targets all users. <br><br> During enrollment, we'll attempt to exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we are unsuccessful, this can cause errors during your enrollment experience. For best practice, create an assignment that targets a specific Azure AD group that doesn't include Microsoft Managed Desktop service accounts. <br><br> After enrollment, you can review the Microsoft Managed Desktop conditional access policy in Microsoft Endpoint Manager. For more about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |
-| Advisory | You have conditional access policies that could prevent Microsoft Managed Desktop from managing the Microsoft Managed Desktop service. <br><br> During enrollment, we'll exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. <br><br> For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |
-| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure AD roles assigned to run this check: <ul><li>Security Reader</li><li>Security Administrator</li><li>Conditional Access Administrator</li><li>Global Reader</li><li>Devices Administrator</li></ul>
-### Device Compliance policies
-
-Intune Device Compliance policies in your Azure AD organization might affect Microsoft Managed Desktop devices.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | You have at least one compliance policy that applies all users. Microsoft Managed Desktop also includes compliance policies that will apply to your Microsoft Managed Desktop devices. Review all of the compliance policies created by your organization that apply to Microsoft Managed Desktop devices to ensure there are no conflicts. <br><br> For more information, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy). |
-
-### Device Configuration profiles
-
-Intune Device Configuration profiles in your Azure AD organization can't target any Microsoft Manage Desktop devices or users.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have at least one configuration profile that applies to all users, all devices, or both. Reset the profile to apply to a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices. <br><br> For more information, see [Create a profile with custom settings in Microsoft Intune](/mem/intune/configuration/custom-settings-configure). |
-| Advisory | Make sure that any configuration policies you have don't include any Microsoft Managed Desktop devices or users. <br><br> For more information, see [Create a profile with custom settings in Microsoft Intune](/mem/intune/configuration/custom-settings-configure). |
-
-### Device type restrictions
-
-Microsoft Managed Desktop devices must be allowed to enroll in Intune.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You currently have at least one enrollment restriction policy configured to prevent Windows devices from enrollment in Intune. <br><br> Follow the steps in [Set enrollment restrictions](/mem/intune/enrollment/enrollment-restrictions-set) for each enrollment restriction policy that targets Microsoft Managed Desktop users and change the **Windows (MDM)** setting to **Allow**. You can, however, set any **personally owned** **Windows (MDM)** devices to **Block**. |
-
-### Enrollment Status Page
-
-You currently have the Enrollment Status Page (ESP) enabled. If you intend to participate in the Microsoft Managed Desktop public preview of this feature, you can ignore this item. For more information, see [First-run experience with Autopilot and the Enrollment Status Page](../get-started/esp-first-run.md).
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have the ESP default profile set to **Show app and profile configuration progress**. <br><br> Disable this setting or ensure that assignments to any Azure AD group don't include Microsoft Managed Desktop devices by following the steps in [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). |
-| Advisory | Make sure that any profiles that have the **Show app and profile configuration progress** setting aren't assigned to any Azure AD group that includes Microsoft Managed Desktop devices. <br><br> For more information, see [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). |
-
-### Microsoft Store for Business
-
-We use Microsoft Store for Business and deploy the Company Portal app on Microsoft Managed Desktop. This method allows users to optionally install some apps, such as Microsoft Project and Microsoft Visio (where permitted).
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | Microsoft Store for Business either isn't enabled or isn't synced with Intune. <br><br> For more information, see [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) and [Install Intune Company Portal on devices](../get-started/company-portal.md). |
-
-### Multi-factor authentication
-
-Multi-factor authentication can't prevent Microsoft Managed Desktop from managing your Azure AD organization (tenant) in Intune and Azure AD.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have some multi-factor authentication policies set as **required** for conditional access policies that are assigned to all users. <br><br> During enrollment, we'll exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. <br><br> For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |
-| Advisory | You have multi-factor authentication required on conditional access policies that could prevent Microsoft Managed Desktop from managing the Microsoft Managed Desktop service. <br><br> During enrollment, well exclude Microsoft Managed Desktop service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. For more information about these service accounts, see [Standard operating procedures](../service-description/operations-and-monitoring.md#standard-operating-procedures). |
-| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure AD roles assigned to run this check: <ul><li>Security Reader</li><li>Security Administrator</li><li>Conditional Access Administrator</li><li>Global Reader</li><li>Devices Administrator</li></ul>
-
-### PowerShell scripts
-
-Windows PowerShell scripts can't be assigned in a way that would target Microsoft Managed Desktop devices.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | Make sure that Windows PowerShell scripts in your Azure AD organization don't target any Microsoft Manage Desktop devices or users. Don't assign a PowerShell script to target all users, all devices, or both. Change the policy to use an Assignment that targets a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices or users. <br><br> For more information, see [Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension). |
-
-### Region
-
-Your region must be supported by Microsoft Managed Desktop.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | Your Azure AD organization region isn't currently supported by Microsoft Managed Desktop. <br><br> For more information, see [Microsoft Managed Desktop supported regions and languages](../service-description/regions-languages.md). |
-| Advisory | One or more of the countries where your Azure AD organization is located isn't supported by Microsoft Managed Desktop. <br><br> For more information, see [Microsoft Managed Desktop supported regions and languages](../service-description/regions-languages.md). |
-
-### Security baselines
-
-Security baseline policies shouldn't target any Microsoft Managed Desktop devices.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have a security baseline profile that targets all users, all devices, or both. Change the policy to use an assignment that targets a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices. <br><br> For more information, see [Use security baselines to configure Windows 10 devices in Intune](/mem/intune/protect/security-baselines). During enrollment, we apply a new security baseline to all Microsoft Managed Desktop devices. After enrollment, you can review the Microsoft Managed Desktop security baseline policy in the **Configuration policy** area of Microsoft Endpoint Manager. |
-| Advisory | Make sure that any security baseline policies you have exclude Microsoft Managed Desktop devices. For more information, see [Use security baselines to configure Windows 10 devices in Intune](/mem/intune/protect/security-baselines). <br><br> During enrollment, we apply a new security baseline to all Microsoft Managed Desktop devices. The **Modern Workplace Devices - All** Azure AD group is a dynamic group that we create when you enroll in Microsoft Managed Desktop. You'll have to come back to exclude this group after enrollment. |
-
-### Unlicensed admins
-
-This setting must be enabled to avoid a "lack of permissions" error when we interact with your Azure AD organization.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | **Allow access to unlicensed admins** should be enabled. For more information, see [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts). |
-
-### Windows apps
-
-Review apps you want your Microsoft Managed Desktop users to have.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | You should prepare an inventory of the apps that you want your Microsoft Managed Desktop users to have. Since these apps must be deployed by Intune, evaluate reusing existing Intune apps. Consider using Company Portal (see [Install Intune Company Portal on devices](../get-started/company-portal.md) and Enrollment Status Page (ESP) to distribute apps to your users. <br><br> For more information, see [Apps in Microsoft Managed Desktop](apps.md) and [First-run experience with Autopilot and the Enrollment Status Page](../get-started/esp-first-run.md). <br><br> You can ask your Microsoft account representative for a query in Microsoft Endpoint Configuration Manager to identify those apps that are ready to migrate to Intune or need adjustment. |
-
-### Windows Hello for Business
-
-Microsoft Managed Desktop requires Windows Hello for Business to be enabled.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | Windows Hello for Business is either disabled or not set up. Enable it by following the steps in [Create a Windows Hello for Business policy](/mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy). |
-
-### Windows 10 update rings
-
-Your "Windows 10 update ring" policy in Intune must not target any Microsoft Managed Desktop devices.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an Assignment that targets a specific Azure AD group that doesn't include any Microsoft Managed Desktop devices. <br><br> For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). |
-| Advisory | Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure AD group. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also excluded the **Modern Workplace - All** Azure AD group that you add your Microsoft Managed Desktop users to (or an equivalent group). <br><br> For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create when you enroll in Microsoft Managed Desktop. You'll have to come back to exclude this group after enrollment. |
-
-## Azure Active Directory settings
-
-You can access Azure Active Directory settings in the [Azure portal](https://portal.azure.com).
-
-### Intune enrollment
-
-Windows 10 devices in your Azure AD organization must be able to automatically enroll in Intune.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | Make sure the **MDM User scope** is set to **Some** or **All**, not **None**. <br><br> If you choose **Some**, come back after enrollment and select the **Modern Workplace - All** Azure AD group for **Groups** or an equivalent group targeting all of your Microsoft Managed Desktop users. <br><br> For more information, see [Set up enrollment for Windows devices by using Microsoft Intune](/mem/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment). |
-
-### Ad hoc subscriptions
-
-Advises how to check a setting that, if set to "false", might prevent Enterprise State Roaming from working correctly.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | Ensure that **AllowAdHocSubscriptions** is set to **True**. Otherwise, Enterprise State Roaming might not work. <br><br> For more information, see [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings). |
-
-### Enterprise State Roaming
-
-Enterprise State Roaming should be enabled.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | Make sure that Enterprise State Roaming is enabled for **All** or for **Selected** groups. <br><br> For more information, see [Enable Enterprise State Roaming in Azure Active Directory](/azure/active-directory/devices/enterprise-state-roaming-enable). |
-
-### Guest invitation settings
-
-Microsoft Managed Desktop recommends adjusting guest invitation settings, since the default setting allows all users and guests in your directory to invite guests.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | **Member users and users assigned to specific admin roles can invite guest including guests with member permissions** should be enabled. <br><br> For more information, see [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts). |
-
-### Guest user access
-
-Microsoft Managed Desktop recommends adjusting guest access, since the default setting allows all guest in your directory to have the same access as members.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | **Guest users have limited access to properties and memberships of directory objects** should be enabled. <br><br> For more information, see [Prerequisites for guest accounts](/microsoft-365/managed-desktop/get-ready/guest-accounts). |
-
-### Licenses
-
-Many licenses are required to use Microsoft Managed Desktop.
-
-| Result | Meaning |
-| -- | -- |
-| Not Ready | You don't have all the licenses you need to use Microsoft Managed Desktop. <br><br> For more information, see [Microsoft Managed Desktop technologies](../intro/technologies.md) and [More about licenses](prerequisites.md#more-about-licenses). |
-
-### Microsoft Managed Desktop service accounts
-
-Certain account names could conflict with account names created by Microsoft Managed Desktop to manage the Microsoft Managed Desktop service.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have at least one account name that will conflict with account names created by Microsoft Managed Desktop. Work with your Microsoft account representative to exclude these account names. We don't list the account names publicly to minimize security risk.
-
-### Security administrator roles
-
-Users with certain security roles must have those roles assigned in Microsoft Defender for Endpoint.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | If you have users assigned to any of these roles in your Azure AD organization, make sure they also have these roles assigned in Microsoft Defender for Endpoint. Otherwise, administrators with these roles won't be able to access the Admin portal. <ul><li>Security Operator</li><li>Global Reader</li></ul> <br> For more information, see [Create and manage roles for role-based access control](/windows/security/threat-protection/microsoft-defender-atp/user-roles).
-
-### Security default
-
-Security defaults in Azure Active Directory will prevent Microsoft Managed Desktop from managing your devices.
-
-| Result | Meaning |
-| -- | -- |
-| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. <br><br> For more information, see [Common Conditional Access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). |
-
-### Self-service Password Reset
-
-Self-service Password Reset (SSPR) can be enabled for all Microsoft Managed Desktop users excluding Microsoft Managed Desktop service accounts. <br><br> For more information, see [Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset](/azure/active-directory/authentication/tutorial-enable-sspr).
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | Make sure that the SSPR **Selected** setting includes Microsoft Managed Desktop users, but excludes Microsoft Managed Desktop service accounts. Microsoft Managed Desktop service accounts can't work as expected when SSPR is enabled. |
-
-### Standard user role
-
-Other than the users who are assigned Global administrator and Device administrator Azure Active Directory roles, Microsoft Managed Desktop users will be standard users without local administrator privileges. All other users will be assigned a standard user role when they start their Microsoft Managed Desktop device.
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | Microsoft Managed Desktop users won't have local administrator privileges on their Microsoft Managed Desktop devices after enrolling. |
-
-## Microsoft 365 Apps for enterprise
-
-### OneDrive
-
-The **Allow syncing only on PCs joined to specific domains** setting will conflict with Microsoft Managed Desktop. You can access OneDrive settings at the OneDrive [admin center](https://admin.onedrive.com).
-
-| Result | Meaning |
-| -- | -- |
-| Advisory | You're using the **Allow syncing only on PCs joined to specific domains** setting. This setting won't work with Microsoft Managed Desktop. Disable this setting. Instead, set up OneDrive to use a conditional access policy. <br><br> For more information, see [Plan a Conditional Access deployment](/azure/active-directory/conditional-access/plan-conditional-access) for help. |
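Review bot: The Security default, Conditional access policies and Multi-factor authentication sections removed here hold the remediation text for "Not ready" results, the ones marked "Enrollment will fail", and nothing visible in this change says where that guidance goes. This covers the instruction to turn off Security defaults and set up conditional access policies, and the list of extra Azure AD roles needed when a check returns Error. Link the new home of that guidance or keep these sections. If the tables are carried over, several rows lack the closing `|` (the Autopilot and Company Portal "Not ready" rows, both "Error" rows, the service accounts row and the Security administrator roles row), the conditional access "Error" row runs straight into `### Device Compliance policies` with no blank line, and the text contains "Microsoft Manage Desktop" (Device Configuration profiles and PowerShell scripts), "well exclude" and "applies all users".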
managed-desktop Readiness Assessment Tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-tool.md
- Title: Readiness assessment tools
-description: Explains the two tools, the checks they run, and the meaning of the results
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Readiness assessment tools
-
-For the smoothest possible experience when you enroll in Microsoft Managed Desktop, there are settings and other parameters you must set ahead of time, and certain device and network requirements to meet.
-
-One tool, accessed through the Microsoft Managed Desktop Admin portal, checks management-related settings. Another tool, which is downloadable, checks individual device requirements and network settings. You can use these tools to check those settings and receive detailed steps for fixing any that aren't right.
-
-## Downloadable readiness assessment checker for devices and network
-
-For details about using the downloadable readiness assessment checker, see [Downloadable readiness assessment checker](readiness-assessment-downloadable.md).
-
-## Online readiness assessment tool for management settings
-
-The [online tool](https://aka.ms/mmdart) checks settings in Microsoft Endpoint Manager (specifically, Microsoft Intune), Azure Active Directory (Azure AD), and Microsoft 365 to ensure they'll work with Microsoft Managed Desktop.
-
-Microsoft Managed Desktop retains the data associated with these checks for 12 months after the last time you run a check in your Azure AD organization (tenant). After 12 months, we retain it in de-identified form. You can choose to delete the data we collect.
-
-Anyone with at least the Global Reader or Intune Administrator role will be able to run this tool, but two of the checks ([Conditional access policies](readiness-assessment-fix.md#conditional-access-policies) and [Multi-factor authentication](readiness-assessment-fix.md#multi-factor-authentication)) require extra permissions.
-
-> [!IMPORTANT]
-> The online readiness assessment tool helps you check your readiness to enroll in Microsoft Managed Desktop for the first time. If your organization is already enrolled in Microsoft Managed Desktop, don't use this tool.
-
-The assessment tool checks these items:
-
-## Microsoft Intune settings
-
-The following are the Microsoft Intune settings:
-
-| Check | Description |
-| | |
-| Autopilot deployment profile | Verifies that assignment of the Autopilot deployment profile doesn't apply to all devices. <br><br> The profile should **not** be assigned to any Microsoft Managed Desktop devices. |
-| Certificate connectors | Checks the state of certificate connectors to ensure they're active. |
-| Conditional access | Verifies that conditional access policies aren't assigned to all users. <br><br> Conditional access policies should **not** be assigned to Microsoft Managed Desktop service accounts. |
-| Device Compliance policies | Checks that Intune compliance policies aren't assigned to all users. <br><br> The policies should **not** be assigned to any Microsoft Managed Desktop devices. |
-| Device Configuration profiles | Confirms that configuration profiles aren't assigned to all users or all devices. <br><br> Configuration profiles should **not** be assigned to any Microsoft Managed Desktop devices. |
-| Device type restrictions | Checks that Windows 10 devices in your organization are allowed to enroll in Intune. |
-| Enrollment Status Page | Confirms that Enrollment Status Page isn't enabled. |
-| Intune enrollment | Verifies that Windows 10 devices in your Azure AD organization are automatically enrolled in Intune. |
-| Microsoft Store for Business | Confirms that Microsoft Store for Business is enabled and synced with Intune. |
-| Multi-factor authentication | Verifies that multi-factor authentication isn't applied to Microsoft Managed Desktop service accounts. |
-| PowerShell scripts | Checks that Windows PowerShell scripts are **not** assigned in a way that would target Microsoft Managed Desktop devices. |
-| Region | Checks that your region is supported by Microsoft Managed Desktop. |
-| Security baselines | Checks that the security baseline profile doesn't target all users or all devices. <br><br> Security baseline policies should **not** target any Microsoft Managed Desktop devices. |
-| Windows apps | Review which apps you want to assign to Microsoft Managed Desktop devices. |
-| Windows Hello for Business | Checks that Windows Hello for Business is enabled. |
-| Windows 10 update ring | Checks that Intune's "Windows 10 update ring" policy doesn't target all users or all devices. <br><br> The policy should **not** target any Microsoft Managed Desktop devices. |
-
-## Azure Active Directory settings
-
-The following are the Azure Active Directory settings:
-
-| Check | Description |
-| -- | -- |
-| "Ad hoc" subscriptions for Enterprise State Roaming | Advises how to check a setting that, if set to "false", might prevent Enterprise State Roaming from working correctly. |
-| Enterprise State Roaming | Advises how to check that Enterprise State Roaming is enabled. |
-| Licenses | Checks that you've obtained the necessary [licenses](prerequisites.md#more-about-licenses). |
-| Multi-factor authentication | Checks that multi-factor authentication isn't applied to all users. <br><br> Multi-factor authentication must **not** accidentally be applied to Microsoft Managed Desktop service accounts. |
-| Security account names | Checks that no user names conflict with ones that Microsoft Managed Desktop reserves for its own use. |
-| Security administrator roles | Confirms that users with Security Reader, Security Operator, or Global Reader roles have been assigned those roles in Microsoft Defender for Endpoint. |
-| Security defaults | Checks whether your Azure AD organization has security defaults enabled in Azure Active Directory. |
-| Self-service password reset | Confirms that self-service password reset is enabled. |
-| Standard user role | Verifies that users are standard users and don't have local administrator rights. |
-
-## Microsoft 365 Apps for Enterprise settings
-
-The following are the Microsoft 365 Apps for Enterprise settings:
-
-| Check | Description |
-| -- | -- |
-| OneDrive for Business | Checks whether OneDrive for Business is using unsupported settings. |
-
-For each check, the tool will report one of four possible results:
-
-| Result | Meaning |
-| -- | -- |
-| Ready | No action is required before you complete enrollment. |
-| Advisory | Follow the steps in the tool for the best experience with enrollment and for users. <br><br> You *can* complete enrollment, but you must fix these issues before you deploy your first device. |
-| Not ready | **Enrollment will fail** if you don't fix these issues. <br><br> Follow the steps in the tool to resolve them. |
-| Error | The Azure Active Director (AD) role you're using doesn't have sufficient permission to run this check. |
-
-## After enrollment
-
-After you've completed enrollment in Microsoft Managed Desktop, remember to go back and adjust certain Intune and Azure AD settings. For more information, see [Adjust settings after enrollment](../get-started/conditional-access.md).
-
-## Steps to get ready for Microsoft Managed Desktop
-
-1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Run readiness assessment tools (this article).
-3. Buy [Company Portal](../get-started/company-portal.md).
-4. Review [prerequisites for guest accounts](guest-accounts.md).
-5. Check [network configuration](network.md).
-6. [Prepare certificates and network profiles](certs-wifi-lan.md).
-7. [Prepare user access to data](authentication.md).
-8. [Prepare apps](apps.md).
-9. [Prepare mapped drives](mapped-drives.md).
-10. [Prepare printing resources](printing.md).
-11. Address [device names](address-device-names.md).
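Review bot: In the Azure Active Directory settings table, the Multi-factor authentication row says the check verifies that multi-factor authentication "isn't applied to all users", which on its own reads as advice against broad MFA; the row's second sentence shows the actual concern is the Microsoft Managed Desktop service accounts. If this table is being relocated rather than dropped, word the row around excluding those service accounts. The Error row of the results table also has a typo, "Azure Active Director (AD)".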
managed-desktop Access Admin Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/access-admin-portal.md
- Title: Access the Admin portal
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
-description: How to find and use the Admin portal, including controlling access to it.
--------
-# Access the admin portal
-
-Your gateway to the Microsoft Managed Desktop service is [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). If you're unfamiliar with the capabilities of this portal for device management, see the [Microsoft Endpoint Manager documentation](/mem/).
-
-> [!NOTE]
-> In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) the following browsers are supported:
-> - Microsoft Edge (latest version)
-> - Safari (latest version, Mac only)
-> - Chrome (latest version)
-> - Firefox (latest version)
-
-Your administrative account will need specific permissions in order to access the Microsoft Managed Desktop administrative features in Microsoft Endpoint Manager.
-
-You can manage admin access to these features within your organization by using role-based access control. Several Azure Active Directory (Azure AD) administrator roles, and built-in Microsoft Managed Desktop roles are available to provide more granular control to different features within the Microsoft Managed Desktop Admin portal. For more information about Azure Active Directory roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).
-
-Unlike Azure AD administrator roles that apply to various Microsoft products and services, the built-in roles are specific to Microsoft Managed Desktop and will only guarantee access to the Admin features for this service. Admins can assign built-in roles to users individually, or in combination with Azure AD administrator roles to add Microsoft Managed Desktop permissions to existing admin accounts.
-
-## Azure Active Directory roles with Microsoft Managed Desktop access
-
-| Azure AD role | Microsoft Managed Desktop permissions |
-| -- | -- |
-| Global Administrator | Admins with this role will have **read and write permissions to all features** in the Microsoft Managed Desktop Admin portal. |
-| Global Reader | Admins with this role will have **read-only permissions to all features** in the Microsoft Managed Desktop Admin portal. |
-| Intune Service Administrator | Admins with this role will have **read and write permissions to features not related to security** in the Microsoft Managed Desktop Admin portal. |
-| Service Support Administrator | Admins with this role will have **read-only permissions to features not related to security** and **write permissions to manage support requests including escalation requests** in the Microsoft Managed Desktop Admin portal. |
-| Security Admin | Admins with this role will have **read-only permissions to all features** and **write permissions for security related features** in Microsoft Managed Desktop in the Admin portal. |
-| Security Reader |Admins with this role will have **read-only permissions to all features** in the Microsoft Managed Desktop Admin portal. |
-
-If you need help with assigning Azure Active Directory roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).
-
-> [!IMPORTANT]
-> Only the Global Administrator role has the necessary permissions to *enroll* your organization in Microsoft Managed Desktop. Be aware that Azure Active Directory roles will give user accounts privileges across a variety of Microsoft services. After completing enrollment with Microsoft Managed Desktop, you should always use the role with the *least* privileges necessary to accomplish your other tasks.
-
-## Built-in roles provided by Microsoft Managed Desktop
-
-The following are the built-in roles provided by Microsoft Managed Desktop:
-
-| Built-in role | Microsoft Managed Desktop permissions |
-| -- | -- |
-| Microsoft Managed Desktop Service Administrator | When assigned to a user, this role gives the admin **read and write permissions to Microsoft Managed Desktop features not related to security** in the Microsoft Managed Desktop Admin portal. |
-| Microsoft Managed Desktop Service Reader | When assigned to a user, this role gives the admin **read-only permissions to Microsoft Managed Desktop features not related to security** in the Microsoft Managed Desktop Admin portal. |
-| Microsoft Managed Desktop Security Manager | When assigned to a user, this role gives that admin **read and write permissions only for security related features** in the Microsoft Managed Desktop Admin portal. |
-| Microsoft Managed Desktop Support Partner |When assigned to a user, this role gives the admin **read and write permissions only for creating and managing elevation requests and support partner engaged escalation requests** in the Microsoft Managed Desktop Admin portal. |
-
-> [!NOTE]
-> Security features include security-related communications, management of security contacts, management of security-related support requests, and access to security related reports.
-
-### Assigning built-in roles to user
-
-For easy management of built-in roles, there's a security group for each custom role with the name "Modern Workplace Roles - _Role Name_". For example, ΓÇ£Modern Workplace Roles ΓÇô Security ManagerΓÇ¥).
-
-**To assign users to one of these security groups:**
-
-1. Go the Microsoft Endpoint Manager portal.
-2. In the left pane, select **Groups**.
-3. Search for **Modern Workplace Roles**, and then select the group associated with the role you want to assign.
-4. Select **Members** on the left side, and then select **+ Add members** in the command bar.
-5. Enter the email of the person being added. If they're a guest, you must invite them before you can assign the group.
-6. Select **Select** at the bottom.
-
-> [!NOTE]
-> Nesting security groups for role assignment is not currently supported.
-
-### Assigning built-in roles to groups
-
-**To assign one or more of the built-in roles to a existing group:**
-
-1. Go to [portal.azure.com](https://portal.azure.com/).
-2. Search for and open **Enterprise applications**.
-3. Change the **Application type** filter to _Microsoft Applications_ and, then select **Apply**.
-4. Search for and select _Modern Workplace Customer APIs_.
-5. Select **Users and groups** from the pane on the left side, and then select **+ Add user/group**.
-6. Search for the group you want from **Users and groups**.
-7. Search for the applicable role from **Select a role**, and then select it.
-8. Select **Assign**.
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access admin portal (this article).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
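Review bot: Under "Assigning built-in roles to user", the group-name sentence says "custom role" where the rest of the article says built-in roles, and its example carries mis-encoded quotation marks and a closing parenthesis with no opening one. Membership in a "Modern Workplace Roles" group is what grants the portal permissions, so any copy of this text that survives should give the group name exactly and keep the note that nested security groups are not supported. Smaller items: step 1 reads "Go the Microsoft Endpoint Manager portal", the second procedure says "a existing group", and the Global Reader and Security Reader rows describe identical permissions without saying so.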
managed-desktop Add Admin Contacts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/add-admin-contacts.md
- Title: Add and verify admin contacts in the Admin portal
-description: Tell us who to contact for each area of focus.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Add and verify admin contacts in the Admin portal
-
-There are several ways that Microsoft Managed Desktop service communicates with customers. To streamline communication and ensure we're checking with the right people, you must provide a set of admin contacts. Microsoft Managed Desktop IT Operations will contact these people for assistance with troubleshooting issues.
-
-> [!IMPORTANT]
-> You might have already added these contacts in the Admin portal. If so, take a moment now to double-check that the contact list is accurate, since Microsoft Managed Desktop **must** be able to reach them if a severe incident occurs.
-
-## Admin contact areas of focus
-
-Admin contacts should be the best person or group that can answer questions and make decisions for different areas of focus. **Microsoft Managed Desktop Operations will contact these Admin contacts for questions involving support requests filed by the customer.** These Admin contacts will receive notifications for support request updates and new messages. These areas include:
-
-| Area of focus | For questions about |
-| -- | -- |
-| App packaging | Troubleshooting app packaging. |
-| Devices | Device health, troubleshooting with Microsoft Managed Desktop devices. |
-| Security | Troubleshooting security issues with Microsoft Managed Desktop devices. |
-| IT help desk | In cases where our support staff hands over user tickets outside of Microsoft Managed Desktop support areas. |
-| Other | For issues not covered by other areas. |
-
-> [!IMPORTANT]
-> **Whoever you choose for these contacts must have the knowledge and authority to make decisions for your Microsoft Managed Desktop environment.**
-
-When you onboard your Microsoft Managed Desktop environment, you're prompted to add contacts for your local Helpdesk and Security.
-
-Admin contacts are required when you [submit a Support request](../service-description/support.md). You must have an admin contact for the focus area of the Support request.
-
-**To add admin contacts:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com).
-1. Under **Tenant administration**, in the **Microsoft Managed Desktop** section, select **Admin contacts**.
-1. Select **Add**.
-1. Select an **Area of focus** and enter the info for the contact.
-
- ![the list of areas of focus, such as Other, Apps, and Security.](../../media/areaoffocus.png)
-
-1. Repeat for each area of focus.
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. Add and verify admin contacts in the Admin portal (this article).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](Prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
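Review bot: In the closing steps list, the link target `Prepare-devices.md` is capitalized, while the same list in the other removed articles points to `prepare-devices.md`; on a case-sensitive path this copy of the link would not resolve. If the steps list is carried into a replacement article, use the lowercase file name consistently. The sentence "you're prompted to add contacts for your local Helpdesk and Security" also names only two of the five areas of focus in the table above it, so it is worth stating whether the other three are optional at onboarding.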
managed-desktop Assign Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/assign-licenses.md
- Title: Assign licenses
-description: As part of enrollment, you need to assign licenses you've already obtained to your users
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Assign licenses
-
-In preparation to enroll in Microsoft Managed Desktop, you must ensure you've obtained the necessary licenses. For more information about licenses, see [More about licenses](../get-ready/prerequisites.md#more-about-licenses) for the licenses you'll need.
-
-When you have the appropriate licenses, assign them to your users. To assign licenses, we recommend that you take advantage of the [group-based licensing feature](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) of Azure Active Directory.
-
-If you have any difficulty with license assignment, contact Admin [support](../working-with-managed-desktop/admin-support.md).
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. Assign licenses (this article).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
managed-desktop Company Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/company-portal.md
- Title: Install Intune Company Portal on devices
-description: Info on installing company portal app on Microsoft Managed Desktop devices
-keywords: Microsoft Managed Desktop, Microsoft 365, Company Portal
--------
-# Install Intune Company Portal on devices
-
-Microsoft Managed Desktop requires that IT administrators install the Intune Company Portal for their users with Microsoft Managed Desktop devices. The benefits to your organization include:
--- Users have one place to browse and install available applications.-- IT administrators can organize applications by categories for their users. -- Some applications (like Microsoft Project and Microsoft Visio) require Company Portal to deploy with Microsoft Managed Desktop.-- IT administrators can customize Company Portal for their organization. Customizations includes brand imaging, adding in local support contacts, and more. For more information, see [How to Configure the Microsoft Intune Company Portal app](/intune/company-portal-app).-
-This article documents the process for deploying the Intune Company Portal to your Microsoft Managed Desktop users. The overall process looks like this:
-
-1. [Purchase Company Portal from Microsoft Store for Business and sync with Intune](#step-1-purchase-company-portal-from-microsoft-store-for-business-and-sync-with-intune).
-2. [Assign Company Portal to your users](#step-2-assign-company-portal-to-your-users).
-3. [Communicate change to your users.](#step-3-communicate-change-to-your-users)
-
-## Step 1: Purchase Company Portal from Microsoft Store for Business and sync with Intune
-
-For information on how to purchase the apps and sync with Intune, see [Microsoft Store for Business apps](deploy-apps.md#msfb-apps) in *Deploy apps to Microsoft Managed Desktop devices*.
-
-This article provides info on how to:
--- Purchase Company Portal from Microsoft Store for Business.-- Force sync between Intune and Microsoft Store for Business.-- Verify active sync between Intune and Microsoft Store for Business.-
-## Step 2: Assign Company Portal to your users
-
-Following your enrollment in Microsoft Managed Desktop, we'll automatically deploy Company Portal to your tenant and install the app on Microsoft Managed Desktop devices in your organization.
-
-## Step 3: Communicate change to your users
-
-As the IT administrator for your organization, it's important to let your users know how to use Company Portal in your organization. Microsoft Managed Desktop recommends:
--- Steps on installing applications from the Company Portal. For more information, see [Install and share apps on your device](/intune-user-help/install-apps-cpapp-windows).-- How to send requests to IT administrators for applications that aren't currently available. For more information, see [Request an app for work or school](/intune-user-help/install-apps-cpapp-windows#request-an-app-for-work-or-school). -
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign Intune Company Portal (this article).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md)
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
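Review bot: The heading "Step 2: Assign Company Portal to your users" describes an admin task, but the body says Microsoft Managed Desktop deploys Company Portal to the tenant and installs it on devices automatically after enrollment, so no assignment step is left for the reader. If this content is kept elsewhere, either rename the step or state what the administrator still has to do. In Step 1, "This article provides info on how to" refers to the linked deploy-apps article rather than this one, and in Step 3 the sentence "Microsoft Managed Desktop recommends:" is followed by topics to communicate, not recommendations.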
managed-desktop Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/conditional-access.md
- Title: Adjust settings after enrollment
-description: How to exclude certain Microsoft accounts
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Adjust settings after enrollment
-
-After you've completed enrollment in Microsoft Managed Desktop, some management settings might need to be adjusted. To check and adjust if needed, follow these steps:
-
-1. Review the Microsoft Intune and Azure Active Directory settings described in the next section.
-2. If any of the items apply to your environment, make the adjustments as described.
-3. If you want to double-check that all settings are correct, you can rerun the [readiness assessment tool](https://aka.ms/mmdart) to ensure nothing conflicts with Microsoft Managed Desktop.
-
-> [!NOTE]
-> As your operations continue in following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Microsoft Managed Desktop, it's possible that Microsoft Managed Desktop could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../get-ready/readiness-assessment-fix.md) before you change the policies listed there. You can also rerun the readiness assessment tool at any time.
-
-## Microsoft Intune settings
-
-| Setting | Description |
-| | |
-| Autopilot deployment profile | If you use any Autopilot policies, update each one to exclude the **Modern Workplace Devices -All** Azure AD group. <br><br> **To update the Autopilot policies:** <br><br> Under **Assignments**, in the **Excluded groups**, select the **Modern Workplace Devices -All** Azure AD group that was created during Microsoft Managed Desktop enrollment. <br><br> Microsoft Managed Desktop will also have created an Autopilot profile, which will have "Modern Workplace" in the name (the **Modern Workplace Autopilot Profile**). When you update your own Autopilot profiles, ensure that you *don't* exclude the **Modern Workplace Devices -All** Azure AD group from the **Modern Workplace Autopilot Profile** that was created by Microsoft Managed Desktop. |
-| Conditional Access policies | If you create any new conditional access policies related to Azure AD, Microsoft Intune, or Microsoft 365 Defender for Endpoint after Microsoft Managed Desktop enrollment, exclude the **Modern Workplace Service Accounts** Azure AD group from them. For more information, see [Conditional Access: Users and groups](/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Microsoft Managed Desktop maintains separate conditional access policies to restrict access to these accounts. <br><br> **To review the Microsoft Managed Desktop conditional access policy (Modern Workplace ΓÇô Secure Workstation):** <br><br> Go to Microsoft Endpoint Manager and navigate to **Conditional Access** in **Endpoint Security**. Don't modify any Azure AD conditional access policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name. |
-| Multi-factor authentication | If you create any new multi-factor authentication requirements in conditional access policies related to Azure AD, Intune, or Microsoft 365 Defender for Endpoint after Microsoft Managed Desktop enrollment, exclude the **Modern Workplace Service Accounts** Azure AD group from them. For more information, see [Conditional Access: Users and groups](/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Microsoft Managed Desktop maintains separate conditional access policies to restrict access to members of this group. <br><br> **To review the Microsoft Managed Desktop conditional access policy (Modern Workplace -):** <br><br> Go to Microsoft Endpoint Manager and navigate to **Conditional Access** in **Endpoint Security**.
-| Windows 10 update ring | For any Windows 10 update ring policies you've created, exclude the **Modern Workplace Devices -All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings). <br><br> Microsoft Managed Desktop will also have created some update ring policies, all of which will have "Modern Workplace" in the name. For example: <ul><li>Modern Workplace Update Policy [Broad]</li><li>Modern Workplace Update Policy [Fast]</li><li>Modern Workplace Update Policy [First]</li><li>Modern Workplace Update Policy [Test]</li></ul> <br>When you update your own policies, ensure that you *don't* exclude the **Modern Workplace Devices -All** Azure AD group from those that Microsoft Managed Desktop created. |
-
-## Azure Active Directory settings
-
-Self-service password reset: if you use self-service password reset for all users, adjust the assignment to exclude Microsoft Managed Desktop service accounts.
-
-**To adjust this assignment:**
-
-1. Create an Azure AD dynamic group for all users *except* Microsoft Managed Desktop service accounts
-1. Use that group for assignment instead of "all users."
-
-To help you find and exclude the service accounts, here's an example of a dynamic query you can use:
-
-```Console
-(user.objectID -ne null) and (user.userPrincipalName -ne "MSADMIN@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MSADMININT@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MWAAS_SOC_RO@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MWAAS_WDGSOC@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MSTEST@TENANT.onmicrosoft.com")
-```
-
-In this query, replace `@TENANT` with your tenant domain name.
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. Adjust settings after enrollment (this article).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
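Review bot: The instruction after the dynamic query says to replace `@TENANT` with the tenant domain name, but the placeholder in the query is `TENANT` preceded by the `@` of the user principal name; replacing `@TENANT` literally removes the `@`, the five `-ne` comparisons then match no account, and the service accounts stay inside the group used for self-service password reset. If this guidance is carried forward, say "replace `TENANT`". In the Microsoft Intune settings table, the Multi-factor authentication row has no closing `|` and its policy name is cut off at "(Modern Workplace -)", while the Conditional Access row above it names "Secure Workstation"; the table's separator row also has no dashes.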
managed-desktop Deploy Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/deploy-apps.md
- Title: Deploy apps to devices
-description: Information for adding and deploying apps to Microsoft Managed Desktop devices.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation, apps, line-of-business apps, LOB apps
--------
-# Deploy apps to devices
-
-Part of onboarding to Microsoft Managed Desktop includes adding and deploying apps to your user's devices. Once you're using the Microsoft Managed Desktop portal, you can add and deploy your apps.
-
-The overall process looks like this:
-
-1. [Add apps to Microsoft Managed Desktop portal](#1): These apps can be existing line-of-business (LOB) apps, or apps from Microsoft Store for Business that you've synced with Intune.
-2. [Create Azure Active Directory (AD) groups for app assignment](#2): You'll use these groups to manage app assignment.
-3. [Assign apps to your users](#3).
-
-<span id="1" />
-
-## Step 1: Add apps to Microsoft Managed Desktop portal
-
-You can add [Win32, or Windows MSI-based apps](#lob-apps), or [Microsoft Store for Business apps](#msfb-apps) to Microsoft Managed Desktop, and then deploy them to Microsoft Managed Desktop devices.
-
-<span id="lob-apps">
-
-### Win32 or Windows MSI-based apps to Microsoft Managed Desktop
-
-You can add your line-of-business (LOB) apps to Microsoft Managed Desktop portal. For requirement information for apps installed on Microsoft Managed Desktop devices, see [Microsoft Managed Desktop app requirements](../service-description/mmd-app-requirements.md).
-
-In this procedure, you'll select which kind of app you want to add, and then configure and upload the app source.
-
-**To add your LOB app or Windows app to Microsoft Managed Desktop portal:**
-
-You can sign in to the Microsoft Managed Desktop portal, or sign in to Intune and then search for Microsoft Managed Desktop. We'll show signing in to Microsoft Managed Desktop portal below:
-
-1. Sign in to [Microsoft Managed Desktop Admin portal](https://aka.ms/mmdportal).
-2. Under **Inventory**, select **Apps**.
-3. In the Apps workload section, select **Add**.
-4. In **Add app**, select **Line-of-business app** or **Windows app (Win32)**.
- - If you selected **Line-of-business app**, see [Add a Windows line-of-business app to Microsoft Intune](/intune/lob-apps-windows) for instruction on adding and configuring line-of-business apps.
- - If you selected **Windows app (Win32)**, see [Win32 app management](/intune/apps-win32-app-management) for instruction on adding and configuring Windows apps.
-
-<span id="msfb-apps">
-
-### Microsoft Store for Business apps
-
-If you haven't signed up with Microsoft Store for Business, you can sign up when you shop for apps. After you have your apps, you can sync them with Microsoft Managed Desktop.
-
-**To buy apps from the Microsoft Store for Business:**
-
-1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) with your Microsoft Store for Business Admin account.
-2. Select **Shop for my group**.
-3. Use Search to find the app that you want, and select the app.
-4. In the product details, select **Get the App**.
-Microsoft Store adds the app to **Your products** for your organization.
-
-**To verify that a sync between Intune and Microsoft Store for Business is active:**
-
-1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) with your Microsoft Store for Business Admin account.
-2. Select **Manage**.
-3. Select **Settings** and then select **Distribute**.
-4. Under **Management tools**, verify that Intune is listed and that the status is **Active**.
-
-**To force a sync between Intune and Microsoft Store for Business:**
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Tenant administration** , then **Connectors and tokens**, then **Microsoft Store for Business**.
-3. Select **Enabled** for **Enabling Microsoft Store for Business sync lets you access volume-purchased apps with Intune.**
-4. Select your preferred language, then select **Sync** to get the apps you've purchased from the Microsoft Store into Intune.
-
-<span id="2" />
-
-## Step 2: Create Azure AD groups
-
-Create three Azure AD groups for each app. This table outlines the groups you'll need (Available, Required, and Uninstall).
-
-App assignment type | Group use | Example Azure AD name |
- | | |
-Available | The app will be available from Company Portal app or website. | MMD ΓÇô *app name* ΓÇô Available |
-Required | The app is installed on devices in the selected groups. | MMD ΓÇô *app name* ΓÇô Required |
-Uninstall | The app is uninstalled from devices in the selected groups. | MMD ΓÇô *app name* ΓÇô Uninstall |
-
-Add your users to these groups to either:
--- Make the app available-- Install the app, or-- Remove the app from their Microsoft Managed Desktop device.-
-<span id="3" />
-
-## Step 3: Assign apps to your users
-
-**To assign the app to your users:**
-
-1. Sign in to [Microsoft Managed Desktop Admin portal](https://aka.ms/mmdportal).
-2. In the Managed Desktop pane, select **Apps**.
-3. In the Apps workload section, select the app you want to assign users to, and select **Assign users groups**.
-4. For the specific app, select an assignment type (Available, Required, Uninstall) and assign the appropriate group.
-5. In the Assign Apps pane, select **OK**.
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. Deploy apps (this article).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
-
-<!--# Preparing apps for Microsoft Managed Desktop
-
-This topic is the target for 2 "Learn more" links in the Admin Portal (aka.ms/app-overview;app-package); also target for link from Online resources (aka.ms/app-overviewmmd-app-prep) do not delete.
->
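Review bot: The anchors `<span id="lob-apps">` and `<span id="msfb-apps">` are never closed, unlike `<span id="1" />`, `<span id="2" />` and `<span id="3" />` in the same article, so everything after each one sits inside an open span. Both ids are link targets (`deploy-apps.md#msfb-apps` is referenced from the Company Portal article), so if the article is moved rather than deleted, close the spans and keep the ids. The Step 2 table also has an empty separator row, and the trailing comment says the topic is the target of "Learn more" links in the Admin portal and must not be deleted, which needs a redirect or an updated link target before this removal lands.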
managed-desktop Device Location https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/device-location.md
- Title: Windows 10 location service
-description: Describes how to have Windows location services turned on for your devices
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Windows 10 location service
-
-Devices in Microsoft Managed Desktop are registered by using Windows Autopilot. This process lets us manage them with Azure Active Directory and Microsoft Intune.
-
-By default, the Windows 10 location service is disabled when a device is turned on for the first time, unless, this feature is enabled in the Privacy settings during the "out of box experience." These settings are hidden during Autopilot enrollment in Microsoft Managed Desktop. For more information about how Autopilot is set up, see [First-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-
-For this reason, Microsoft Managed Desktop devices can't obtain their device location, and limits the functionality of several Windows features, such as time zones. For more information about the Windows 10 location service, see [Windows 10 location service and privacy](https://support.microsoft.com/windows/windows-10-location-service-and-privacy-3a8eee0a-5b0b-dc07-eede-2a5ca1c49088).
-
-You don't have to use the location service in order to participate in Microsoft Managed Desktop. The user experience will be restricted. For example, devices won't be able to automatically determine the time zone they're in when your users work in a different time zone.
-
-## Enable the location service
-
-You can either:
--- Opt in to use the location service when you enroll devices into the Microsoft Managed Desktop service, or-- You can turn the service on or off after enrollment.-
-### Opt in during enrollment
-
-You can have the Microsoft Managed Desktop service enable the location service. During the enrollment sequence, you'll be asked to select whether you want to allow the Windows 10 location service to be enabled on devices.
-
-### Control the location service after enrollment
-
-You can have the location service turned on (or off), at any time, by submitting a [support request](../working-with-managed-desktop/admin-support.md) through the [Admin portal](access-admin-portal.md).
-
-## How Microsoft Managed Desktop configures the Windows 10 location service
-
-If you opt in to using the location service, we use the minimum settings necessary without affecting users' privacy. For more information, see [Windows 10 location service and privacy](https://support.microsoft.com/windows/windows-10-location-service-and-privacy-3a8eee0a-5b0b-dc07-eede-2a5ca1c49088).
-
-Microsoft Managed Desktop enables the **Location privacy** setting in **Windows settings** to **Allow access to location on this device**. The user interface looks like this:
-
- :::image type="content" source="../../medi-location-services-UI.png" alt-text="Location settings in Windows settings.":::
-
-> [!NOTE]
-> If you opt in to using the location service, this applies only to the Windows operating system itself. Apps are not allowed to use location services. Each user can choose whether to allow apps to access their location.
managed-desktop Device Registration Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/device-registration-methods.md
- Title: Device registration methods in Microsoft Managed Desktop
-description: Information on the device registration methods in Microsoft Managed Desktop
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Device registration methods
-
-Before Microsoft can manage your devices in Microsoft Managed Desktop, you must have devices registered with the service.
-
-## Registration process
-
-Microsoft Managed Desktop is powered by the Windows Autopilot service for the device registration workflow. Successful device registration requires a two-step process:
-
-1. The device's unique hardware identity, known as the hardware hash, is captured and uploaded to the Autopilot service.
-1. The device is associated to an Azure Active Directory tenant ID.
-
-Ideally, both steps are performed by the OEM, reseller, or distributor where the devices were purchased. An OEM, or other device provider, uses the registration authorization process to perform device registration on your behalf.
-
-## Registration methods
-
-Registration can also be performed within your organization by collecting the hardware identity from new or existing devices and uploading it manually. Below are the device registration methods Microsoft Managed Desktop supports:
--- OEM registration
- - [Using the Partner portal](partner-registration.md#register-devices-using-the-partner-center)
- - [Using OEM APIs](partner-registration.md#register-devices-by-using-the-oem-api)
-- [Manual registration](manual-registration.md)-- [Manual registration for existing devices](manual-registration-existing-devices.md)-
-## Recommended resources
--- [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot)-- [Windows Autopilot registration overview](/mem/autopilot/registration-overview)-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
managed-desktop Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/devices.md
- Title: Order devices in Microsoft Managed Desktop
-description: How to order devices
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Order Microsoft Managed Desktop devices
-
-We recommend working with one of our approved device partners. You can work with your Microsoft account contact for more help setting up a device partnership.
-
-Microsoft Managed Desktop no longer requires device models be from the list of [currently approved devices](../service-description/device-list.md). As of May 3, 2021, all devices from an approved manufacturer should meet our posted hardware and software requirements. You can continue to use devices on that list with confidence, but you can find more devices recommended for Microsoft Managed Desktop on the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) site. At that site, view the recommended devices by expanding **Features** in the **Filter by** area, and then selecting **Microsoft Managed Desktop**. Anytime you plan to enroll a particular device model in the service for the first time, you should test an example to ensure it'll deliver the user experience you expect. For more information, see [Validate new devices](../get-started/validate-device.md).
managed-desktop Edge Browser App https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/edge-browser-app.md
- Title: Microsoft Edge
-description: Explains how the Microsoft Edge browser is deployed and updated
-keywords: browser, Microsoft Managed Desktop, Microsoft 365, service, documentation
---------
-# Microsoft Edge
-
-[Microsoft Edge](https://www.microsoft.com/edge) provides world-class performance and value with:
--- More privacy and protection from external threats.-- More productivity quick access to Office apps, files, sites, and built-in Microsoft Search.-- Seamless experience by syncing across your devices with cross-platform support and profiles.-
-> [!IMPORTANT]
-> The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022 (for a list of what's in scope, see the [FAQ](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/internet-explorer-11-desktop-app-retirement-faq/ba-p/2366549). The same IE11 apps and sites you use today can open in Microsoft Edge with Internet Explorer mode. [Learn more here](https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/).
-
-## Updates to Microsoft Edge
-
-Microsoft Managed Desktop deploys the [Extended Stable channel](/deployedge/microsoft-edge-channels#extended-stable-channel) of Microsoft Edge, which is automatically updated every eight weeks. Updates on the Extended Stable channel are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group to ensure the best experience for customers.
-
-The [Beta Channel](/deployedge/microsoft-edge-channels#beta-channel) is deployed to devices in the Test group for representative validation within the organization. This channel is fully supported and automatically updated with new features approximately every four weeks.
-
-> [!IMPORTANT]
-> To ensure that Microsoft Edge updates correctly, don't modify the Microsoft Edge [update policies](/deployedge/microsoft-edge-update-policies).
-
-## Settings managed by Microsoft Managed Desktop
-
-Microsoft Managed Desktop has created a default set of policies for Microsoft Edge to secure the browser. The default browser settings are as follows:
-
-### Microsoft Edge extensions
-
-The security baseline for Microsoft Edge on Microsoft Managed Desktop devices sets two policies to disable all Chrome extensions and secure users. To enable and deploy extensions in your environment, see [Settings you manage](#settings-you-manage).
-
-| Setting | Default value | Description |
-| | | |
-| Extension installation blocklist | All | Microsoft Managed Desktop sets this policy to prevent Chrome extensions from being installed on managed endpoints. There are known risks associated with the Chromium extension model including data loss protection, privacy, and other risks that can compromise devices. |
-| Allow user-level native messaging hosts (installed without admin permissions) | Disabled | By disabling this policy, Microsoft Edge will only use native messaging hosts installed on the system level. Native messaging hosts are a part of Chrome extensions, which allow for the browser to interact with other parts of user's endpoint, creating various security concerns. |
-
-### Secure Sockets Layer (TLS/SSL)
-
-| Setting | Default value | Description
-| | | |
-| Minimum TLS version | Minimum TLS 1.2 supported | If you want to use the less secure TLS 1.1, you can file a request to do so. |
-| Allow users to proceed from the SSL warning page | Disabled | We don't recommend enabling this setting since it allows users to visit sites with TSL errors. |
-
-### Microsoft Defender SmartScreen
-
-| Setting | Default value | Description
-| | | |
-| Configure Windows Defender SmartScreen | Enabled | Enabled by default to help protect users. |
-| Windows Defender SmartScreen prompts for sites | Enabled | We don't recommend disabling this setting since that would allow users to ignore warnings and continue to potentially malicious sites. |
-| Prevent bypassing of Windows Defender SmartScreen warnings about downloads | Enabled | We don't recommend disabling this setting since that would allow users to ignore warnings and complete unverified downloads. |
-
-### Adobe Flash
-
-| Setting | Default value | Description
-| | | |
-| Default Adobe Flash setting | Disabled | We don't recommend using Flash because of associated security risks. <br><br> If you still have processes that depend on Flash, set the **[PluginsAllowedForUrls](/deployedge/microsoft-edge-policies#pluginsallowedforurls)** policy to enable Flash for sites that need it. If you can't maintain an allowed list of sites to use Flash, file a change request to change the value to **Click to Play**, which allows users choose when it's appropriate to run Flash. |
-
-### Password manager
-
-| Setting | Default value | Description
-| | | |
-| Enable saving passwords to the password manager | Disabled | The password manager is disabled by default. If you'd like this feature enabled, file a support request and our engineers can enable the setting in your environment. |
-
-### Internet Explorer Mode in Microsoft Edge
-
-IE mode on Microsoft Edge makes it easy to use all of the sites your organization needs in a single browser. It uses the integrated Chromium engine for sites that are compatible with the Chromium rendering engine. Microsoft Edge uses the Trident MSHTML engine from Internet Explorer 11 (IE11) for sites that aren't or have dependencies on IE functionality. [Learn more](/DeployEdge/edge-ie-mode)
-
-Microsoft Managed Desktop enables Internet Explorer mode for your devices by default.
-
-| Setting | Default value | Description
-| | | |
-| Internet Explorer mode integration | Internet Explorer mode | By default, devices are set to use Internet Explorer mode, but you can set them to open sites in a standalone Internet Explorer 11 window instead. To change this behavior, file a support request. |
-| Add sites to the Enterprise Mode Site List | See description | For sites to open in Internet Explorer mode you must include them on the [Enterprise Site list](/DeployEdge/edge-ie-mode-sitelist). Maintaining and deploying the Enterprise Site list is your responsibility. For details, see [Configure using the Configure Enterprise Mode Site List policy](/DeployEdge/edge-ie-mode-policies#configure-using-the-configure-the-enterprise-mode-site-list-policy). |
-
-### Other settings
-
-| Setting | Default value | Description
-| | | |
-| Enable site isolation for every site | Enabled | When this policy is enabled, users can't opt out of the default behavior in which each site runs in its own process. |
-| Supported authentication schemes | NTLM, Negotiate | Microsoft Managed Desktop doesn't support Basic or Digest Authentication schemes. |
-| Automatically import another browser's data and settings at first run | Automatically import all supported datatypes and settings from the default browser. | With this policy applied, the First Run Experience will skip the import section, minimizing user interaction. The browser data from older versions of Microsoft Edge will always be silently migrated at the first run, regardless of this setting. |
-
-## Settings you manage
-
-You can deploy any Microsoft Edge settings not previously described by using the Administrative Templates profile in Microsoft Intune. For details, see [Configure Microsoft Edge policy settings with Microsoft Intune](/deployedge/configure-edge-with-intune). If you want to evaluate a policy that isn't currently included in the Microsoft Edge Administrative Templates in Intune, you can use custom settings for Windows 10 devices in Intune.
-
-| Setting | Description
-| | |
-| Enable specific Chrome extensions | The Administrative Template offers a setting to deploy particular Chrome extensions with Microsoft Intune. You can find it in **Computer Configuration > Microsoft Edge > Extensions > Allow Specific Extensions to be installed**. |
-| Install extensions silently | You can also use the Administrative Template to set Microsoft Edge to install extensions without alerting the user. You can find it in **Computer Configuration > Microsoft Edge > Extensions > Control which extensions are installed silently**. |
-| Microsoft Edge update policies | To ensure that Microsoft Edge updates correctly, don't modify the Microsoft Edge [update policies](/deployedge/microsoft-edge-update-policies). |
-| Other common enterprise policies | Microsoft Edge offers a great many other policies. The following are some of the more common ones: <ul> <li> [Configure Sites on the Enterprise Site List and IE Mode](/deployedge/edge-ie-mode-sitelist)</li><li> [Configure start-up, home page, and new tab page settings](/deployedge/microsoft-edge-policies#startup-home-page-and-new-tab-page)</li> <li> [Configure Surf game setting](/deployedge/microsoft-edge-policies#allowsurfgame)</li> <li> [Configure proxy server settings](/deployedge/microsoft-edge-policies#proxy-server)</li></ul>
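Review bot: if this article's text is being relocated rather than retired, two defects in the removed lines should not travel with it. The "Allow users to proceed from the SSL warning page" row says "TSL errors" where TLS is meant, and the IE11 retirement note opens a parenthesis at "(for a list of what's in scope" that is never closed. The heading "Secure Sockets Layer (TLS/SSL)" also sits over a row whose default is a TLS 1.2 minimum, so a heading that leads with TLS would match the content better.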
managed-desktop Enable Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/enable-support.md
- Title: Enable user support features
-description: How to enable elevation and escalation features for user support
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Enable user support features
-
-Whether you're providing your own user support or working with a partner to provide support, follow the steps below to enable the support provider to request elevated device access, or escalate issues to Microsoft Managed Desktop, if needed.
-
-1. If they don't already have one, users need an account in same the Azure Active Directory (AAD) domain as the Microsoft Managed Desktop devices.
-1. Add the user accounts to the **Modern Workplace Roles-Support Partner** security group in the Azure Active Directory (AAD).
-
-<!--when available, add link to downloadable articles at DLC-->
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. Enable user support features (this article).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
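Review bot: step 1 says "users need an account" and step 2 adds "the user accounts" to the **Modern Workplace Roles-Support Partner** security group, but the intro shows that the accounts meant are those of the support provider's staff, since membership is what lets them request elevated device access. If this procedure survives elsewhere, name the support staff explicitly so that nobody reads it as adding end users to that group, and fix "in same the" in step 1.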
managed-desktop Enterprise State Roaming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/enterprise-state-roaming.md
- Title: Enable Enterprise State Roaming
-description: This article describes how to enable enterprise state roaming
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Enable Enterprise State Roaming
-
-[Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) lets users securely synchronize user and application settings data to the cloud. This means they'll have the same experience no matter which Windows device they sign into. For example, if you replace one of their Microsoft Managed Desktop devices with a new device, it will look and behave exactly the same as the last one.
-
-Enterprise State Roaming is an optional feature for the Microsoft Managed Desktop service that you can configure for your users. It isn't included or managed as part of Microsoft Managed Desktop.
-
-To enable Enterprise State Roaming, follow the steps in [Enable Enterprise State Roaming in Azure Active Directory](/azure/active-directory/devices/enterprise-state-roaming-enable).
-
->[!NOTE]
->If you enable Enterprise State Roaming, your preferred language list will overwrite the language selected during device setup. Although users can fix this easily, it could cause an inconsistent localization experience initially. Determine if Enterprise State Roaming is right for your users before setting up devices.
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-2. [Adjust conditional access](conditional-access.md).
-3. [Assign licenses](assign-licenses.md).
-4. [Deploy Intune Company Portal](company-portal.md).
-5. Enable Enterprise State Roaming (this topic).
-6. [Prepare devices](prepare-devices.md).
-7. [Get your users ready to use devices](get-started-devices.md).
-8. [Deploy apps](deploy-apps.md).
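Review bot: the "Steps to get started" list removed here has eight explicitly numbered entries and includes "Enable Enterprise State Roaming (this topic)", while the eleven-step list in the sibling articles of this change never mentions Enterprise State Roaming. Check for remaining inbound links to enterprise-state-roaming.md, and if the feature is still offered as optional, make sure it stays reachable from the get-started sequence.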
managed-desktop Esp First Run https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/esp-first-run.md
- Title: First-run experience with Autopilot and the Enrollment Status Page
-description: How to deploy the ESP experience, the settings used, and configuration changes
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# First-run experience with Autopilot and the Enrollment Status Page
-
-Microsoft Managed Desktop uses both [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) and Microsoft Intune's [Enrollment Status Page (ESP)](/windows/deployment/windows-autopilot/enrollment-status) to provide the best possible first-run experience to your users.
-
-## Initial deployment
-
-To provide the ESP experience, you must register devices in the Microsoft Managed Desktop service. For more about registration, see [Manual registration](../get-started/manual-registration.md) or [Partner registration](../get-started/partner-registration.md).
-Enrollment Status Page and Autopilot for pre-provisioned deployment are enabled by default in Microsoft Managed Desktop.
-
-## Autopilot profile settings
-
-Microsoft Managed Desktop uses these settings in the Autopilot profile used for your users' devices:
-
-| Setting | Value |
-| -- | -- |
-| Deployment mode | User Driven |
-| Join to Azure AD as | Azure AD joined |
-| Language (Region) | User Select |
-| Automatically configure keyboard | No |
-| Microsoft Software License Terms | Hide |
-| Privacy settings | Hide |
-| Hide change account options | Show |
-| User account type| Standard |
-| Allow White Glove Out of Box Experience (OOBE) | Yes |
-| Apply device name template | Yes |
-| Enter a name | `MMD-%RAND:11%` |
-
-## Enrollment Status Page settings
-
-Microsoft Managed Desktop uses these settings for the Enrollment Status Page experience:
-
-| Setting | Value |
-| | |
-| Show app and profile configuration progress | Yes |
-| Show an error when installation takes longer than specified number of minutes | 60 |
-| Show custom message when time limit error occurs | No |
-| Allow users to collect logs about installation errors| Yes |
-| Only show page to devices provisioned by out-of-box experience (OOBE) | Yes |
-| Block device use until all apps and profiles are installed | Yes |
-| Allow users to reset device if installation error occurs | Yes |
-| Allow users to use device if installation error occurs | Yes |
-| Block device use until these required apps are installed if they're assigned to the user/device <ul><li> Modern Workplace - Time Correction</li><li>Modern Workplace - Client Library</li></ul> | Yes |
-
-The Enrollment Status Page experience occurs in three phases. For more, see [Enrollment Status Page tracking information](/mem/intune/enrollment/windows-enrollment-status#enrollment-status-page-tracking-information).
-
-The experience proceeds as follows:
-
-1. The Autopilot experience starts and the user enters their credentials.
-2. The device opens the Enrollment Status Page and proceeds through Device Preparation and Device Set up phases. The third step (Account Setup) is *currently skipped* in the Microsoft Managed Desktop configuration because the User ESP is disabled. The device restarts.
-3. After restarting, the device opens the Windows sign-in page with **Other user**.
-4. The users enter their credentials again and the desktop opens.
-
-> [!NOTE]
-> Win32 apps are only deployed during ESP if the Windows 10 version is 1903 or later.
-
-![Start page of Autopilot setup showing "device preparation" and "device setup" phases.](../../medi-autopilot-screenshot.png)
-
-## Additional prerequisites for Autopilot for pre-provisioned deployment
--- Device must have a wired network connection.-- If you have devices that were registered using the Microsoft Managed Desktop portal before August 2020, de-register and re-register the devices.-- Devices must have a factory image that includes the November 2020 cumulative update [19H1/19H2 2020.11C](https://support.microsoft.com/topic/november-19-2020-kb4586819-os-builds-18362-1237-and-18363-1237-preview-25cbb849-74af-b8b8-29b8-68aa925e8cc3), or [20H1 2020.11C](https://support.microsoft.com/topic/november-30-2020-kb4586853-os-builds-19041-662-and-19042-662-preview-8fb07fb8-a7dd-ea62-d65e-3305da09f92e) installed, or must be reimaged with the latest Microsoft Managed Desktop image.-- Physical devices must support TPM 2.0 and device attestation. Virtual machines aren't supported. The pre-provisioning process uses Windows Autopilot self-deploying capabilities, so TPM 2.0 is required. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-deploying mode and Autopilot pre-provisioned deployment in [Windows Autopilot networking requirements](/mem/autopilot/networking-requirements#tpm).-
-## Sequence of events in Autopilot for pre-provisioned deployment
-
-1. IT Admin reimages or resets the device if needed.
-2. IT Admin boots the device, reaches the out-of-box-experience, and presses the Windows key five times.
-3. IT Admin selects Windows Autopilot Provisioning and then selects **Continue**. On the Windows Autopilot configuration screen, information will be displayed about the device.
-4. IT admin selects **Provision** to start the provisioning process.
-5. Device starts ESP and goes through device preparation and setup phases. During the device setup phase, you'll see **App installation x of x** displayed (depending on the exact configuration of the ESP profile).
-6. The account setup step is currently skipped in the Microsoft Managed Desktop configuration, since we disable User ESP.
-7. The device restarts.
-
-After it restarts, the device will show the green status screen, with a **Reseal** button.
-
-> [!IMPORTANT]
-> Known issues:
->
-> - ESP does not run again after the Autopilot for pre-provisioned deployment reseal function.
-> - Device are not being renamed by Autopilot for pre-provisioned deployment. The device will only be renamed after going through the ESP user flow.
-
-## Change to Autopilot and Enrollment Status Page settings
-
-If the setup used by Microsoft Managed Desktop doesn't exactly match your needs, you can file a support ticket through the [Admin Portal](https://portal.azure.com/). Here are some examples of the types of configuration you might need:
-
-### Autopilot settings change
-
-You might want to request a different device name template. You can't, however, change Deployment Mode, Join to Azure AD As, Privacy Settings, or User Account Type.
-
-### Enrollment Status Page settings change
--- A longer number of minutes for the "Show an error when installation takes longer than specified number of minutes" setting.-- The error message displayed.-- Adding or removing applications in the "Block device use until these required apps are installed if they're assigned to the user/device" setting.-
-## Required applications
--- You must target applications in the Modern Workplace *device groups* Test, First, Fast, and Broad. Applications must install in the "System" context. Make sure to complete testing with ESP in the Test group before you assign them to all groups.-- No applications should require the device to restart. We recommend that applications be set to "Do nothing" when you build the application package if the device requires a restart.-- Limit required applications to only the core applications that a user needs immediately when they sign in to the device.-- Keep the total size of all applications collectively under 1 GB to avoid timeouts during the application installation phase.-- Ideally, apps shouldn't have any dependencies. If you have apps that *must* have dependencies, be sure you configure, test, and validate them as part of your ESP evaluation.-- Microsoft Teams can't be included in ESP.-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up first-run experience with Autopilot and the Enrollment Status Page (this article).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
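Review bot: under "Change to Autopilot and Enrollment Status Page settings", "file a support ticket through the [Admin Portal](https://portal.azure.com/)" points the Admin Portal at portal.azure.com, while the other admin portal references in these articles link to access-admin-portal.md. Pick one target if the text is kept anywhere. In the same hunk, the known-issues bullet reads "Device are not being renamed", and step 2 of the ESP walkthrough calls Account Setup "The third step" although the preceding sentence describes three phases.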
managed-desktop Get Started App Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/get-started-app-control.md
- Title: Get started with app control
-description: This article describes how to enable app control
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Get started with app control
-
-Before you enable app control in your environment, be sure to review and understand [how Microsoft Managed Desktop implements it](../service-description/app-control.md) and your roles and responsibilities.
-
-Microsoft Managed Desktop simplifies app control by taking care of the more challenging aspects of getting a secure base policy.
-
-Your IT Administrators must test your apps in the Test ring, and review the logs for any warnings, or errors. If an app needs an exemption, you can file a request, or Microsoft Managed Desktop Operation might, depending on who detects it first.
-
-## Initial deployment of apps
-
-When you first deploy apps, Microsoft Managed Desktop needs to assess their current behavior. The exact steps for enabling app control depend on whether devices have already been deployed in your environment.
-
-### Devices not yet in use
-
-If you don't yet have any devices in use, open a support ticket with Microsoft Managed Desktop Operations to request to turn on app control. Operations will progressively deploy policies to deployment groups following this schedule:
-
-| Deployment group | Policy type | Timing |
-| | | |
-| Test | Audit | Day 0 |
-| First | Enforced | Day 1 |
-| Fast | Enforced | Day 2 |
-| Broad | Enforced | Day 3 |
-
-You can always open another support request to pause or roll back part of this deployment at any time during the rollout.
-
-### Devices already in use
-
-If already have at least one Microsoft Managed Desktop device in use, follow these steps:
-
-1. Open a service ticket with Microsoft Managed Desktop Operations requesting that we turn on app control. Operations will deploy an [Audit policy](../service-description/app-control.md#audit-policy) to all devices.
-2. [Test your applications](../working-with-managed-desktop/work-with-app-control.md#add-a-new-app) to see if any would be blocked. If an application would be blocked, open a [signer request](../working-with-managed-desktop/work-with-app-control.md#add-or-remove-a-trusted-signer).
-3. Once you've completed your testing (whatever the results), notify Operations, noting any pending signer requests. Operations will progressively deploy policies to deployment groups following this schedule:
-
-| Deployment group | Policy type | Timing |
-| | | |
-| Test | Audit | Day 0 |
-| First | Enforced | Day 1 |
-| Fast | Enforced | Paused, rollout on request |
-| Broad | Enforced | Paused, rollout on request |
-
-You can always open another support request to pause or roll back part of this deployment at any time during the rollout.
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. Get started with app control (this article).
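Review bot: "Devices already in use" opens with "If already have at least one Microsoft Managed Desktop device in use", which is missing "you", and step 1 of that section asks for a "service ticket" while "Devices not yet in use" says "support ticket" and the closing sentences say "support request". If the procedure is republished, use one term for the request so readers don't assume three different channels.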
managed-desktop Get Started Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/get-started-devices.md
- Title: Get your users ready to use devices
-description: Information to help you get your users ready to use devices
-keywords: Microsoft Managed Desktop, device, get started, Microsoft 365
---- NOCSH------
-# Get your users ready to use devices
-
-Once a Microsoft Managed Desktop device is in the hands of your user, getting started is fast and easy. Devices come pre-configured with the current version of Windows and configurations, and apps are installed from the cloud as the user completes setup.
-
-To make getting started even easier, we offer a guide that walks your users through the initial setup. The guide provides helpful resources for both the setup, and for use later, if needed. You can customize the following guide to include certain details specific to your organization. You then distribute the guide directly to your users along with their device.
-
-## Prepare the guide
-
-**To prepare the guide:**
-
-1. Download the [Microsoft Managed Desktop - Get started with your device](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-no-help-custom-v2.pdf) guide.
-2. Use any app capable of opening PDF files to enter details relevant to your organization:
- - The name of the network your users should connect to in order to continue setup (Step 3 in the guide).
- - The name of your organization's Azure tenant account (Step 4 in the guide).
- - Contact information for your organization's internal IT support (top of second page).
-3. Save the edited PDF, and then distribute to your users.
-
-## Ready-to-use guide
-
-We also provide a more generic version of the guide for those organizations that don't need to customize it.
-
-Just download the [Microsoft Managed Desktop - Get started with your device (ready to use)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-no-help-v2.pdf) guide.
-
-At this point, you're ready to move on to [deploying apps](deploy-apps.md).
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. Get your users ready to use devices (this article).
-1. [Get started with app control](get-started-app-control.md).
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/index.md
- Title: Get started with Microsoft Managed Desktop
-description: Steps to set up devices and configure Azure features to work with the service
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Get started with Microsoft Managed Desktop
-
-Now that you're ready to enroll, open [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to **Tenant Administration**. Select **Tenant enrollment** under the **Microsoft Managed Desktop** subsection. Then, follow the prompts to enroll your tenant with Microsoft Managed Desktop.
-
-> [!NOTE]
-> You must be logged in as a Global Administrator to complete enrollment. For more information, see [access the admin portal](access-admin-portal.md) for details.
-
-Once you've finished enrollment, follow the steps below to configure the service. This is the recommended order to follow, but you do have some flexibility in the sequence.
-
-![Suggested sequence of steps to get started, listed in this article.](../../medi-getstarted-sequence.png)
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. [Prepare devices](prepare-devices.md).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
managed-desktop Localization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/localization.md
- Title: Localize the user experience
-description: How to localize devices for users
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Localize the user experience
-
-Users of Microsoft Managed Desktop devices can select the language of their choice either during the setup process (the "out of box experience"), or afterwards.
-
-## During setup (the "out of box experience")
-
-During setup, users can select the language of their choice. This selection affects these attributes:
-
-| Attribute | Description |
-| | |
-| Windows 10 language features | <ul><li>Display language</li><li>Keyboard language</li><li>Language-related Features on Demand</li><ul> |
-| Microsoft 365 Apps for Enterprise language features | <ul><li>Display language</li><li>Proofing and authoring tools</li></ul> |
-
-> [!NOTE]
-> Users can only get language-related Features On Demand by selecting the language during the setup process.
-
-## After completing setup
-
-Users can select the language of their choice for Windows 10, and Microsoft 365 Apps for Enterprise anytime after the setup process is complete. Specifically:
-
-| Feature | Description |
-| | |
-| Windows 10 language features | <ul><li>Display language</li><li>Keyboard language</li><ul> |
-| Microsoft 365 Apps for Enterprise language features | <ul><li>Display language</li><li>Proofing and authoring tools</li></ul> |
-
-## Install more languages
-
-> [!NOTE]
-> As of March 16, 2022, we're phasing out the Modern Workplace-Office-Language_Packs group that allows yours to add languages to Microsoft Office. The transition to the new method (see below) will be completed in April 2022. If you have any issues during this transition period, please reach out to [support](../working-with-managed-desktop/admin-support.md).
-
-By default, Microsoft Office requires users to be admin. Microsoft Managed Desktop deploys an Office policy to enable standard users to install language accessory packs directly from their Office apps. For more information, see [Allow users who aren't admins to install additional languages](/deployoffice/overview-deploying-languages-microsoft-365-apps#allow-users-who-arent-admins-to-install-additional-languages).
-
-## Supported languages
-
-For new devices, your manufacturer must provide device images that include the languages you require. If your manufacturer's image includes languages that aren't included in the supported languages list, the device is still supported by the service.
-
-If you're reusing existing devices, you might need to work with your Microsoft account representative to obtain appropriate images. For more information, see [Device images](../service-description/device-images.md).
-
-The [universal image](../service-description/device-images.md#universal-image) provided by Microsoft Managed Desktop includes these languages and for Windows 10:
--- Arabic-- Bulgarian-- Chinese Simplified-- Chinese Traditional-- Croatian-- Czech-- Danish -- Dutch -- English (US, GB, AU, CA, IN)-- Estonian-- Finnish-- French (France, Canada)-- German-- Greek-- Hebrew-- Hungarian-- Indonesian-- Italian-- Japanese-- Korean-- Latvian-- Lithuanian-- Norwegian (Bokmål)-- Polish-- Portuguese (Brazil)-- Portuguese (Portugal)-- Romanian-- Russian-- Serbian (Latin alphabet)-- Slovak-- Slovenian-- Spanish (Spain, Mexico)-- Swedish-- Thai-- Turkish-- Ukrainian-- Vietnamese-
-> [!NOTE]
-> Microsoft 365 Apps for Enterprise might support a slightly different list.
-
-If your users need a language other than the ones listed here, file a [support request](../working-with-managed-desktop/admin-support.md) by using the [Admin portal](access-admin-portal.md).
-
-## Languages for support and operations
-
-### Admin support and operations
-
-Microsoft Managed Desktop provides admin support only in English. This support includes the Admin portal and all communications with Microsoft Managed Desktop Operations. You should assume that all admin-related interactions and interfaces will be in English, unless specified otherwise.
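Review bot: The "Windows 10 language features" rows in both tables end their list with an opening `<ul>` where `</ul>` is needed, which leaves the cell markup unbalanced; the Microsoft 365 Apps rows close correctly. Three wording problems in the same text should be fixed if it is carried over to another article: "allows yours to add languages" is missing its noun, "includes these languages and for Windows 10" has a stray "and", and "By default, Microsoft Office requires users to be admin" does not say for which action (the next sentence implies installing language accessory packs).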
managed-desktop M365 Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/m365-apps.md
- Title: Microsoft 365 Apps for enterprise
-description: How to deploy Microsoft 365 Apps, how they're updated, and how settings are managed
-keywords: change history
-
-ms.sitesec: library
--- NOCSH-----
-# Microsoft 365 Apps for enterprise
-
-## Initial deployment
-
-Microsoft Managed Desktop ensures that Microsoft 365 Apps for enterprise (64-bit) are installed as a part of the image on all [program devices](../service-description/device-list.md). All of the following applications should be present on the device when it's delivered:
--- Word-- Excel-- PowerPoint-- Outlook-- Publisher-- Access-- Skype for Business-- OneNote-
-This approach minimizes network impact and ensures that users can be productive as soon as they receive their device. We then deploy more policies to managed devices to set up the applications for use.
-
-> [!NOTE]
-> Microsoft Teams is deployed separately from Microsoft 365 Apps for enterprise and is not included in the base image.
-
-### Available deployment to users
-
-If a user doesn't have Microsoft 365 Apps on their device for any reason, you can use a package to return the device to its expected state. Add the user to the **Modern Workplace-Office-Office365_Install** group and the apps will become available to them in the Company Portal.
-
-### Microsoft 365 Apps for enterprise (32-bit)
-
-Microsoft Managed Desktop doesn't support the deployment of the 32-bit version of Microsoft 365 Apps for enterprise.
-
-## Updates to Microsoft 365 Apps
-
-Microsoft 365 Apps are set to update on the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new Office features each month, but they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office CDN for that specific channel.
-
-Microsoft Managed Desktop staggers each release to identify any potential issues in your environment. We complete the rollout from the Microsoft 365 App product group. Microsoft Managed Desktop schedules update releases to different groups to allow time for validation and testing as follows:
--- Test: zero days-- First: zero days-- Fast: three days-- Broad: seven days-
-Microsoft Managed Desktop sets a seven-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) for devices. Once the update is available, it must be installed within seven days. Users are [notified](/deployoffice/end-user-update-notifications-microsoft-365-apps#notifications-your-users-see-when-you-set-an-update-deadline-for-microsoft-365-apps) that updates are required in several locations: the application, in the system tray 12 hours prior to the deadline, and they receive a 15-minute warning prior to the deadline. All Microsoft 365 Apps must be closed for the update to complete.
-
-### Pausing or rolling back an update
-
-If you need to pause or roll back Microsoft 365 App update for any reason, file an [admin support request](../working-with-managed-desktop/admin-support.md) through the Microsoft Managed Desktop portal.
-
-During a release, Microsoft Managed Desktop monitors the error rates of all Microsoft 365 Apps. If we see a significant difference in quality between the new release and the previous release, we might contact you through the Microsoft Managed Desktop Admin portal.
-
-Depending on the severity, we'll either:
--- Ask if you want to pause the release, or-- Inform you we've taken action to mitigate an issue.-
-### Delivery optimization
-
-Delivery Optimization is a peer-to-peer distribution technology available in Windows 10. It allows devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Us Delivery Optimization can help reduce network bandwidth, because a device can get portions of the update from another device on its local network instead downloading the update completely from Microsoft.
-
-[Delivery Optimization](/deployoffice/delivery-optimization) is enabled by default on devices running the Windows 10 Enterprise or Windows 10 Education editions.
-
-## Settings managed by Microsoft Managed Desktop
-
-Microsoft manages some settings as a part of the service. Microsoft Managed Desktop doesn't manage an Office Security baseline. However, you can set one yourself by following the guidance in the [Settings you manage](#settings-you-manage) section.
-
-### Update settings
-
-Microsoft Managed Desktop maintains all [update settings](/deployoffice/configure-update-settings-microsoft-365-apps) for managed devices and you should modify these settings.
-
-| Setting | Default value | Description |
-| | | |
-| Set updates to occur automatically | Enabled | This policy is configured in order to ensure that all Office devices can be kept up to date from the cloud. |
-| Set a deadline when updates must be applied | Seven days | The **UpdateDeadline** policy is used to configure the grace period which users have before an update is enforced on the device. This deadline policy also triggers [notifications](/deployoffice/end-user-update-notifications-microsoft-365-apps#notifications-your-users-see-when-you-set-an-update-deadline-for-microsoft-365-apps) to the user to inform them of the changes required on their device. |
-| Defer updates on a device for a period | See description | This policy is configured differently for each update management device group. It's required for Microsoft Managed Desktop to meet its update targets: <ul> <li> Test: zero days </li> <li>First: zero days</li><li>Fast seven days</li><li>Broad: 21 days</li></ul> |
-| Update notification settings | False | The "hide update notifications" setting is set to **False** on Microsoft Managed Desktop devices to provide the best update experience for users by [notifying](/deployoffice/end-user-update-notifications-microsoft-365-apps#notifications-your-users-see-when-you-set-an-update-deadline-for-microsoft-365-apps) them when updates are required.|
-| Specify a location to look for updates | Monthly Enterprise Channel | A combination of the **UpdatePath** and **UpdateChannel** policies is used as needed to achieve the update schedule. These policies are set to ensure that all Office devices receive updates directly from the CDN for the Monthly Enterprise Channel.|
-| Specify the Target Version of Microsoft 365 Apps | See description | The Target Version policy is sometimes used by Microsoft Managed Desktop in order to roll back or pin a specific version of Office.|
-| Hide the option to enable or disable Office automatic updates | Enabled | This setting is required for Microsoft Managed Desktop to meet its update targets for Microsoft 365 Applications. |
-| First run settings | See description | There are several settings that affect the behavior the first time Office is run. |
-| Accept the license terms on behalf of the end user | Disabled | The first time a user opens a Microsoft 365 App, they're prompted to accept the license terms. If you want to accept the license terms on behalf of your users, file a support request with the Microsoft Managed Desktop Operations team, and ask for this setting to be enabled. |
-| Suppress Outlook mobile checkbox | Disabled | The first time a user opens Outlook, they're prompted to install Outlook Mobile. If you don't want your users to see that checkbox, file a support request with the Microsoft Managed Desktop Operations team, and ask for this setting to be enabled for your devices. |
-
-## Other settings
-
-There are other Microsoft 365 App settings which Microsoft Managed Desktop can optionally configure on your behalf.
-
-| Setting | Default value | Description |
-| | | |
-| Disable personal OneDrive | Disabled | Some organizations are concerned about users having access to both corporate and personal files on their devices. You can file a support request with the Microsoft Managed Desktop Operations team and ask for this setting to be enabled. |
-
-## Settings you manage
-
-There are many other policies which Microsoft Managed Desktop doesn't yet set as a part of our service. You can configure these policies by using Microsoft Intune, which uses the [Office Cloud Policy](/DeployOffice/overview-office-cloud-policy-service#how-the-policy-configuration-is-applied) service. To set these policies, follow these steps:
-
-1. Sign in to the Microsoft Endpoint Manager admin center.
-1. Select **Apps**.
-1. Select **Policies for Office apps** then select **Create**.
-1. In the **Create policy** configuration page, do the following:
- - Enter a name.
- - Provide an optional description.
- - Under **assignments**, choose whether this policy applies to all users of Microsoft 365 Apps for enterprise, or just to users who anonymously access documents using Office for the web.
- - Select the **AAD-based security group** that is assigned to the policy configuration. Each policy configuration can only be assigned to one group. Each group can only be assigned one policy configuration.
- - Configure the policy settings to be included in the policy configuration. You can search on the policy setting name to find the policy setting that you want to configure. You can also filter if the policy is a recommended security baseline, and if the policy has been configured. The platform column indicates whether the policy is applied to Microsoft 365 Apps for enterprise for Windows devices, Office for the web, or all.
-1. After you have made your selections, select **Create**.
-
-> [!NOTE]
-> Office Configuration Policies only support user-based deployment
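Review bot: Under "Update settings", the sentence "Microsoft Managed Desktop maintains all update settings for managed devices and you should modify these settings" contradicts itself, since the first half says the service owns these settings; it reads as a dropped negation and should be confirmed and corrected wherever this text now lives. The deferral periods also disagree within the article: the "Updates to Microsoft 365 Apps" section lists Fast as three days and Broad as seven days, while the "Defer updates on a device for a period" row lists Fast as seven days and Broad as 21 days (and is missing the colon after "Fast"). Smaller items: "Us Delivery Optimization can help" and "instead downloading" in the Delivery optimization paragraph are typos.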
managed-desktop Manual Registration Existing Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/manual-registration-existing-devices.md
- Title: Manual registration for existing devices
-description: Register existing devices so they can be managed by Microsoft Managed Desktop
---- NOCSH------
-# Manual registration for existing devices
-
->[!NOTE]
->This article describes the steps for you to reuse devices you already have, and register them in Microsoft Managed Desktop. If you are working with brand-new devices, follow the steps in [Register new devices in Microsoft Managed Desktop yourself](manual-registration.md) instead. <br> <br> The process for Partners is documented in [Steps for Partners to register devices](partner-registration.md).
-
-Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have. If you reuse devices, you must reimage them. You're able to register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
-
-## Prepare to register existing devices
-
-**To register existing devices:**
-
-1. [Obtain the hardware hash for each device.](#obtain-the-hardware-hash)
-2. [Merge the hash data](#merge-hash-data).
-3. [Register the devices in Microsoft Managed Desktop](#register-devices-by-using-the-admin-portal).
-4. [Double-check that the image is correct.](#check-the-image)
-5. [Deliver the device](#deliver-the-device).
-
-### Obtain the hardware hash
-
-Microsoft Managed Desktop identifies each device uniquely by referencing its hardware hash. You have four options for getting this information from devices you're already using.
-
-**To obtain the hardware hash:**
--- Ask your OEM supplier for the AutoPilot registration file, which will include the hardware hashes.-- Collect information in [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager).-- Run a Windows PowerShell script either by using [Active Directory](#active-directory-powershell-script-method), or [manually](#manual-powershell-script-method) on each device, and collect the results in a file.-- Start each device, but don't complete the Windows setup experience, and [collect the hashes on a removable flash drive](#flash-drive-method).-
-#### Microsoft Endpoint Configuration Manager
-
-You can use Microsoft Endpoint Configuration Manager to collect the hardware hashes from existing devices that you want to register with Microsoft Managed Desktop. If you've met all these prerequisites, you're ready to collect the information.
-
-> [!IMPORTANT]
-> Any devices you want to get this information for must be running Windows 10, version 1703 or later.
-
-**To collect the hardware hash information:**
-
-1. In the Configuration Manager console, select **Monitoring**.
-2. In the Monitoring workspace, expand the **Reporting** node, expand **Reports**, and select the **Hardware - General** node.
-3. Run the report, **Windows Autopilot Device Information**, and view the results.
-4. In the report viewer, select the **Export** icon, and select the **CSV (comma-delimited)** option.
-5. After saving the file, you'll need to filter results to just the devices you plan to register with Microsoft Managed Desktop. Then, upload the data to Microsoft Managed Desktop.
- - Open Microsoft Endpoint Manager and navigate to the **Devices** menu.
- - In the Microsoft Managed Desktop section, select **Devices**.
- - Select **+ Register devices**, which opens a fly-in to register new devices.
-
-For more information, see [Register devices by using the Admin Portal](#register-devices-by-using-the-admin-portal) below.
-
-#### Active Directory PowerShell script method
-
-In an Active Directory environment, you can use the `Get-WindowsAutoPilotInfo` PowerShell cmdlet to remotely collect the information from devices in Active Directory Groups by using WinRM. You can also use the `Get-AD Computer` cmdlet and get filtered results for a specific hardware model name included in the catalog. Before you proceed, confirm these prerequisites, and then proceed.
-
-**To use the Active Directory PowerShell script method:**
-
-1. Ensure WinRM is enabled.
-1. The devices you want to register are active on the network. That is, they aren't disconnected or turned off.
-1. Ensure you have a domain credential parameter that has permission to execute remotely on the devices.
-1. Ensure that Windows Firewall allows access to WMI. To do that, follow these steps:
-
- - Open the **Windows Defender Firewall** control panel and select **Allow an app or feature through Windows Defender Firewall**.
- - Find **Windows Management Instrumentation (WMI)** in the list, enable for both **Private and Public**, and then select **OK**.
-1. Open a PowerShell prompt with administrative rights.
-1. Run *either one* of these scripts:
-
- ```powershell
- Install-script -name Get-WindowsAutoPilotInfo
- #example one ΓÇô leverage Get-ADComputer to enumerate devices
- Get-ADComputer -filter * | powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo.ps1 -credential Domainname\<accountname>
- ```
-
- ```powershell
- #example two ΓÇô target specific devices:
- Set-ExecutionPolicy powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo.ps1 -credential Domainname\<accountname> -Name Machine1,Machine2,Machine3
- ```
-
-1. Access any directories where there might be entries for the devices. Remove entries for each device from *all* directories, including Windows Server Active Directory Domain Services and Azure Active Directory. It could take a few hours to completely process.
-1. Access management services where there might be entries for the devices. Remove entries for each device from *all* management services, including Microsoft Endpoint Configuration Manager, Microsoft Intune, and Windows Autopilot. It could take a few hours to completely process.
-
-Now you can proceed to [register devices](#register-devices-by-using-the-admin-portal).
-
-#### Manual PowerShell script method
-
-**To use the manual Powershell script method:**
-
-1. Open a PowerShell prompt with administrative rights.
-2. Run `Install-Script -Name Get-WindowsAutoPilotInfo`.
-3. Run `powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.
-4. [Merge the hash data.](#merge-hash-data)
-
-#### Flash drive method
-
-**To use the flash drive method:**
-
-1. On a device other than the one you're registering, insert a USB drive.
-2. Open a PowerShell prompt with administrative rights.
-3. Run `Save-Script -Name Get-WindowsAutoPilotInfo -Path <pathToUsb>`.
-4. Turn on the device you're registering, but *don't start the setup experience*. If you accidentally start the setup experience, you'll have to reset or reimage the device.
-5. Insert the USB drive, and then press SHIFT + F10.
-6. Open a PowerShell prompt with administrative rights, and then run `cd <pathToUsb>`.
-7. Run `Set-ExecutionPolicy -ExecutionPolicy Unrestricted`.
-8. Run `.\Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.
-9. Remove the USB drive, and then shut down the device by running `shutdown -s -t 0`.
-10. [Merge the hash data.](#merge-hash-data)
-
-> [!IMPORTANT]
-> Do not power on the device you are registering again until you've completed registration for it.
-
-### Merge hash data
-
-If you collected the hardware hash data by the manual PowerShell or flash drive methods, you must combine the data in the two CSV files into a single file to complete registration. Here's a sample PowerShell script to make it easy:
-
-```powershell
-Import-CSV -Path (Get-ChildItem -Filter *.csv) | ConvertTo-Csv -NoTypeInformation | % {$_.Replace('"', '')} | Out-File .\aggregatedDevices.csv
-```
-
-With the hash data merged into one CSV file, you can now proceed to [register the devices](#register-devices-by-using-the-admin-portal).
-
-## Register devices by using the Admin Portal
-
-In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. In the Microsoft Managed Desktop section, select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.
-
-<!-- Update with new picture [![Fly-in after selecting Register devices, listing devices with columns for assigned users, serial number, status, last-seen date, and age.](../../media/new-registration-ui.png)](../../media/new-registration-ui.png) -->
-
-<!--Registering any existing devices with Managed Desktop will completely re-image them; make sure you've backed up any important data prior to starting the registration process.-->
-
-**To register devices using the Admin Portal:**
-
-1. In **File upload**, provide a path to the CSV file you created previously.
-2. Select a [device profile](../service-description/profiles.md) in the dropdown menu.
-3. Select **Register devices**. The system will add the devices to your list of devices on the **Devices blade**. The devices are marked as **Registration Pending**. Registration typically takes less than 10 minutes, and when successful, the device will show as **Ready for user**. **Ready for user** means it's ready and waiting for a user to start using.
-
-> [!NOTE]
-> If you manually change the Azure Active Directory (AAD) group membership of a device, it will be automatically reassigned to the group for its device profile and removed from any conflicting groups.
-
-You can monitor the progress of device registration on the main page. Possible states reported include:
-
-| State | Description |
-| -- | -- |
-| Registration Pending | Registration isn't completed yet. Check back later. |
-| Registration failed | Registration couldn't be completed. For more information, see [Troubleshooting device registration](#troubleshooting-device-registration). |
-| Ready for user | Registration succeeded. The device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so there's no need for you to do any further preparations. |
-| Active | The device has been delivered to the user and they've registered with your tenant. This state also indicates that they're regularly using the device. |
-| Inactive | The device has been delivered to the user and they've registered with your tenant. However, the user hasn't used the device recently (in the last seven days). |
-
-### Troubleshooting device registration
-
-| Error message | Details |
-| -- | -- |
-| Device not found | We couldn't register this device because we couldn't find a match for the provided manufacturer, model, or serial number. Confirm these values with your device supplier. |
-| Hardware hash not valid | The hardware hash you provided for this device wasn't formatted correctly. Double-check the hardware hash and then resubmit. |
-| Device already registered | This device is already registered to your organization. No further action required. |
-| Device claimed by another organization | This device has already been claimed by another organization. Check with your device supplier. |
-| Unexpected error | Your request couldn't be automatically processed. Contact Support and provide the Request ID: `<requestId>` |
-
-## Check the image
-
-If your device has come from a Microsoft Managed Desktop partner supplier, the image should be correct.
-
-You're also welcome to apply the image on your own if you prefer. To get started, contact the Microsoft representative you're working with and they'll provide you the location and steps for applying the image.
-
-## Deliver the device
-
-> [!IMPORTANT]
-> Before you hand off the device to your user, make sure you have obtained and applied the [appropriate licenses](../get-ready/prerequisites.md) for that user.
-
-If all the licenses are applied, you can [get your users ready to use the devices](get-started-devices.md). Then, your user can start up the device and proceed through the Windows setup experience.
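Review bot: Example two in the Active Directory method is not a valid command as written: `Set-ExecutionPolicy powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo.ps1 ...` fuses a `Set-ExecutionPolicy` call with a `powershell -ExecutionPolicy Unrestricted` invocation, and anyone pasting it will get a parameter error. The flash drive method has a related gap: step 7 runs `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` and none of the later steps restores the policy before the device is shut down, so the instructions should either scope the change with `-Scope Process` or add a restore step. Also worth fixing if this content is reused: `Get-AD Computer` in the prose should be `Get-ADComputer` as in the example, the comments in both examples contain the encoding damage "ΓÇô", the Configuration Manager section says "If you've met all these prerequisites" without listing any, and "Merge hash data" speaks of "the two CSV files" although the script merges every CSV in the folder.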
managed-desktop Manual Registration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/manual-registration.md
- Title: Manual registration
-description: Register devices to be managed by Microsoft Managed Desktop
---- NOCSH------
-# Manual registration
-
-Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have. If you reuse devices, you must reimage them. You're able to register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal.
-
-> [!NOTE]
-> Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at the [Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more at [Partner Center help](/partner-center/request-a-relationship-with-a-customer). <br><br>Once this relationship established, your partner will simply register devices on your behalf ΓÇô no further action required from you. If you want to see the details, or your partner has questions, see [Partner registration](partner-registration.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.
-
-## Prepare to register brand-new devices
-
-Once you have the new devices in hand, you'll follow these steps:
-
-1. [Obtain the hardware hash for each device.](#obtain-the-hardware-hash)
-2. [Merge the hash data](#merge-hash-data).
-3. [Register the devices in Microsoft Managed Desktop](#register-devices-by-using-the-admin-portal).
-4. [Double-check that the image is correct.](#check-the-image)
-5. [Deliver the device](#deliver-the-device).
-
-### Obtain the hardware hash
-
-Microsoft Managed Desktop identifies each device uniquely by referencing its hardware hash. You have three options for getting this information.
-
-**To obtain the hardware hash:**
--- Ask your OEM supplier for the AutoPilot registration file, which will include the hardware hashes.-- Run a [Windows PowerShell script](#powershell-script-method) on each device and collect the results in a file.-- Start each device, but don't complete the Windows setup experience, and [collect the hashes on a removable flash drive](#flash-drive-method).-
-#### PowerShell script method
-
-You can use the [Get-WindowsAutoPilotInfo.ps1](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) PowerShell script on the PowerShell Gallery website. For more information about device identification and hardware hash, see [Adding devices to Windows Autopilot](/mem/autopilot/add-devices#device-identification).
-
-**To use the Powershell script method:**
-
-1. Open a PowerShell prompt with administrative rights.
-2. Run `Install-Script -Name Get-WindowsAutoPilotInfo`.
-3. Run `powershell -ExecutionPolicy Unrestricted Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`.
-4. Run `powershell -ExecutionPolicy restricted` to prevent subsequent unrestricted scripts from running.
-
-#### Flash drive method
-
-**To use the flash drive method:**
-
-1. On a device other than the one you're registering, insert a USB drive.
-2. Open a PowerShell prompt with administrative rights.
-3. Run `Save-Script -Name Get-WindowsAutoPilotInfo -Path <pathToUsb>`
-4. Turn on the device you're registering, but *don't start the setup experience*. If you accidentally start the setup experience, you'll have to reset or reimage the device.
-5. Insert the USB drive, and then press SHIFT + F10.
-6. Open a PowerShell prompt with administrative rights, and then run `cd <pathToUsb>`.
-7. Run `Set-ExecutionPolicy -ExecutionPolicy Unrestricted`
-8. Run `.\Get-WindowsAutoPilotInfo -OutputFile <path>\hardwarehash.csv`
-9. Remove the USB drive, and then shut down the device by running `shutdown -s -t 0`
-
-> [!IMPORTANT]
-> Do not power on the device you are registering again until you've completed registration for it.
-
-### Merge hash data
-
-You'll need to have the data in the CSV files combined into a single file to complete registration. Here's a sample PowerShell script to make it easy:
-
-`Import-CSV -Path (Get-ChildItem -Filter *.csv) | ConvertTo-Csv -NoTypeInformation | % {$_.Replace('"', '')} | Out-File .\aggregatedDevices.csv`
-
-> [!NOTE]
-> Extra columns are not supported. Quotes are not supported. Only ANSI-format text files can be used (not Unicode). Headers are case-sensitive. Editing the file in Excel and saving it as a CSV file will not generate a usable file due to these requirements. Be sure to preserve any leading zeroes in the device serial numbers.
-
-### Register devices by using the Admin Portal
-
-In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane. In the Microsoft Managed Desktop section, select **Devices**. In the Microsoft Managed Desktop Devices workspace, Select **+ Register devices**, which opens a fly-in to register new devices.
-
-<!-- [![Fly-in after selecting Register devices, listing devices with columns for assigned users, serial number, status, last-seen date, and age.](../../media/new-registration-ui.png)](../../media/new-registration-ui.png) -->
-
-<!--Registering any existing devices with Managed Desktop will completely re-image them; make sure you've backed up any important data prior to starting the registration process.-->
-
-**To register devices using the Admin Portal:**
-
-1. In **File upload**, provide a path to the CSV file you created previously.
-2. Select a [device profile](../service-description/profiles.md) in the drop-down menu.
-3. Select **Register devices**. The system will add the devices to your list of devices on **Devices**, marked as **Registration Pending**. Registration typically takes less than 10 minutes, and when successful the device will show as **Ready for user** meaning it's ready and waiting for a user to start using.
-
-> [!NOTE]
-> If you manually change the Azure Active Directory (AAD) group membership of a device, it will be automatically reassigned to the group for its device profile and removed from any conflicting groups.
-
-You can monitor the progress of device registration on the main page. Possible states reported include:
-
-| State | Description |
-| --|--|
-| Registration Pending | Registration isn't completed yet. Check back later. |
-| Registration failed | Registration couldn't be completed. For more information, see [Troubleshooting device registration](#troubleshooting-device-registration). |
-| Ready for user | Registration succeeded. The device is now ready to be delivered to the user. Microsoft Managed Desktop will guide them through first-time set-up, so there's no need for you to do any further preparations. |
-| Active | The device has been delivered to the user and they've registered with your tenant. This state also indicates that they're regularly using the device. |
-| Inactive | The device has been delivered to the user and they've registered with your tenant. However, they haven't used the device recently (in the last seven days). |
-
-#### Troubleshooting device registration
-
-| Error message | Details |
-|--| -- |
-| Device not found | We couldn't register this device because we couldn't find a match for the provided manufacturer, model, or serial number. Confirm these values with your device supplier. |
-| Hardware hash not valid | The hardware hash you provided for this device wasn't formatted correctly. Double-check the hardware hash and then resubmit. |
-| Device already registered | This device is already registered to your organization. No further action required. |
-| Device claimed by another organization | This device has already been claimed by another organization. Check with your device supplier. |
-| Unexpected error | Your request couldn't be automatically processed. Contact Support and provide the Request ID: `<requestId>` |
-
-### Check the image
-
-If your device has come from a Microsoft Managed Desktop partner supplier, the image should be correct.
-
-You're also welcome to apply the image on your own if you prefer. To get started, contact the Microsoft representative you're working with. The representative will provide you the location and steps for applying the image.
-
-### Autopilot group tag
-
-When you use the Admin portal to register devices, we automatically assign the Autopilot Group Tag associated with the device profile listed in [Register devices by using Partner Center](partner-registration.md).
-The service monitors all Microsoft Managed Desktop devices daily and assigns the group tag to any that don't already have it.
-
-### Deliver the device
-
-> [!IMPORTANT]
-> Before you hand off the device to your user, make sure you have obtained and applied the [appropriate licenses](../get-ready/prerequisites.md) for that user.
-
-If all the licenses are applied, you can [get your users ready to use devices](get-started-devices.md). Then, your user can start up the device and proceed through the Windows setup experience.
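Review bot: In the flash drive method, step 7 runs `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` with no `-Scope`, which changes the machine-wide policy, and no later step restores it before the shutdown in step 9. Suggest `Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process` so the change ends with that session. The PowerShell script method has the mirror problem: step 4, `powershell -ExecutionPolicy restricted`, only starts a new PowerShell process with that policy and does not "prevent subsequent unrestricted scripts from running", so the wording should be corrected or the step dropped. Separately, the merge one-liner ends in `Out-File .\aggregatedDevices.csv` with no `-Encoding`, which in Windows PowerShell writes UTF-16, while the note directly beneath it requires ANSI and rejects Unicode; an explicit `-Encoding ascii` would make the sample meet its own requirement. If this text is being moved rather than retired, these are worth fixing wherever it lands.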
managed-desktop Onedrive https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/onedrive.md
- Title: Microsoft OneDrive
-description: How Microsoft Managed Desktop sets up OneDrive for enrolled devices
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation, apps, line-of-business apps, LOB apps
--------
-# Microsoft OneDrive
-
-Microsoft Managed Desktop uses [OneDrive for Business](/onedrive/plan-onedrive-enterprise) as a cloud storage service for all Microsoft Managed Desktop devices. It ensures that the devices are as stateless as possible. Users will be able to find their files no matter which device they sign into. For example, if you replace a Microsoft Managed Desktop device with a new one, the files will automatically sync to the new device.
-
-We automatically configure these settings by default on Microsoft Managed Devices:
-
-| Feature | Description |
-| | |
-| Silent configuration | OneDrive is silently configured with the user account. It automatically signs in, without user interaction, to the user account that was used to sign into Windows. For more information, see [Silently configure user accounts - OneDrive](/onedrive/use-silent-account-configuration) |
-| Files-On-Demand | The Files-On-Demand feature enables users to access files from their cloud storage in OneDrive without having to use disk space unnecessarily. For more information, see [Save disk space with OneDrive Files On-Demand for Windows 10](https://support.microsoft.com/office/save-disk-space-with-onedrive-files-on-demand-for-windows-10-0e6860d3-d9f3-4971-b321-7092438fb38e). |
-| Known Folder Move | The Known Folder Move feature is enabled silently to back up usersΓÇÖ data in the cloud, which gives them access to their files from any device. For more information, see [Back up your Documents, Pictures, and Desktop folders with OneDrive](https://support.microsoft.com/office/back-up-your-documents-pictures-and-desktop-folders-with-onedrive-d61a7930-a6fb-4b95-b28a-6552e77c3057). <p> Users can't disable the Known Folder Move feature or change the location of known folders to ensure a consistent experience across Microsoft Managed Desktop devices.</p>|
-
-## User experience
-
-When Microsoft Managed Desktop users receive a new device, they go through a first-run experience, by entering their Azure credentials, while setting up the device. After this process is completed, they can access their desktop and have the OneDrive experience.
-
-1. The system tells users that OneDrive has been configured and that they've been automatically signed into OneDrive.
--
-2. The system tells users that OneDrive Known Folder Move has been configured for them.
--
-3. To prevent duplicate icons on the desktop when devices are reset or reimaged, the system automatically removes Microsoft Edge and Microsoft Teams icons from the OneDrive sync. This information is shown in File Explorer.
--
-## OneDrive sync restrictions
-
-If you need to restrict the OneDrive sync, we recommend that you control access with an Azure Active Directory conditional access policy. For more information, see
-[Enable conditional access support in the OneDrive sync app](/onedrive/enable-conditional-access).
-
-If you can't use an Azure AD conditional access policy in your organization, your IT Admin should follow these steps:
-
-1. If you don't already know it, look up your tenant ID, as described in [Find your Microsoft 365 tenant ID](/onedrive/find-your-office-365-tenant-id).
-1. Sign in to the OneDrive admin center.
-1. In the left pane, select **Sync**.
-1. Select the **Allow syncing only on PCs joined to specific domains** checkbox, and then add the tenant ID to the list of domains. For more information, see [Allow syncing only on computers joined to specific domains](/onedrive/allow-syncing-only-on-specific-domains).
-
-> [!NOTE]
-> This guidance applies only to tenants in Microsoft Managed Desktop. There are other settings in use that aren't discussed in this article.
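Review bot: The sentence introducing the settings table says "Microsoft Managed Devices", which is not the product name used everywhere else in the article; suggest "Microsoft Managed Desktop devices". In the Known Folder Move row, "usersΓÇÖ data" contains a mis-encoded apostrophe and should read "users' data" if this content is carried forward.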
managed-desktop Partner Registration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/partner-registration.md
- Title: Partner registration
-description: Partners can register devices to be managed by Microsoft Managed Desktop
---- NOCSH------
-# Partner registration
-
-This article describes the steps for Partners to register devices. The process for registering devices yourself is documented in [Manual registration](manual-registration.md).
-
-## Prepare for registration
-
-Before completing registration for a customer, you must first establish a relationship with them in the [Partner Center](https://partner.microsoft.com/dashboard). For more information on that process, see the [consent documentation](/windows/deployment/windows-autopilot/registration-auth#csp-authorization). Any CSP partner can add devices on behalf of any customer, as long as the customer consents. You can also learn more about partner relationships and Autopilot permissions at [Partner Center help](/partner-center/customers_revoke_admin_privileges#windows-autopilot).
-
-> [!NOTE]
-> This documentation is only for Partners and OEMs. The process for self-registration is documented in [Manual registration](manual-registration.md).
-
-## Register devices using the Partner Center
-
-Once you've established the relationship with your customers, you can use Partner Center to add devices to Autopilot for any of the customers.
-
-**To register devices using the Partner Center:**
-
-1. Navigate to [Partner Center](https://partner.microsoft.com/dashboard).
-2. Select **Customers** from the Partner Center menu and then select the customer whose devices you want to manage.
-3. On the customer's detail page, select **Devices**.
-4. Under **Apply profiles** to devices, select **Add devices**.
-5. Enter the appropriate Group Tag for the device profile you've selected (as shown in the following table) and then select **Browse** to upload the customer's list (in .csv file format) to Partner Center.
-
-| [Device profile](../service-description/profiles.md) | Group Tag |
-| -- | --|
-| Sensitive data | **Microsoft365Managed\_SensitiveData** |
-| Power user | **Microsoft365Managed\_PowerUser** |
-| Standard | **Microsoft365Managed\_Standard** |
-
-> [!IMPORTANT]
-> The Group Name must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile.
-
->[!NOTE]
-> You should have received this .csv file with your device purchase. If you didn't receive a .csv file, you can create one yourself by following the steps in [Adding devices to Windows Autopilot](/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell). Requirements: <ul><li>Extra columns are not supported.</li> <li>Quotes are not supported.</li> <li>Only ANSI-format text files can be used (not Unicode).</li> <li>Headers are case-sensitive.</li></ul> Editing the file in Excel and saving it as a CSV file will not generate a usable file due to these requirements. Ensure that you preserve any leading zeroes in the device serial numbers. Partners should use [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) to register devices for Microsoft Managed Desktop devices in Partner Center.
-
-If you receive an error message while trying to upload the .csv file, check the format of the file. Make sure the column order matches what is described in [Use Windows Autopilot profiles on new devices to customize a customer's out-of-box experience](/partner-center/autopilot#add-devices-to-a-customers-account). You can also use the sample .csv file provided from the link next to **Add devices** to create a device list.
-
-For more information about Autopilot in Partner scenarios, see [Add devices to a customer's account](/partner-center/autopilot#add-devices-to-a-customers-account).
-
-## Register devices by using the OEM API
-
-Before completing registration for a customer, you must first establish a relationship with them. You should have a unique link to provide to your respective customers. See [How to establish OEM relationship](/windows/deployment/windows-autopilot/registration-auth#oem-authorization).
-
-Once you've established the relationship, you can start registering devices for customers using the appropriate Group Tag for each device profile they've selected:
-
-| Device profile | Group Tag |
-| -- | -- |
-| Sensitive data | **Microsoft365Managed\_SensitiveData** |
-| Power user | **Microsoft365Managed\_PowerUser** |
-| Standard | **Microsoft365Managed\_Standard** |
-
-> [!IMPORTANT]
-> The Group Tags must match those listed in the table exactly, including capitalization and special characters. This will allow the newly registered devices to be assigned with the Microsoft Managed Desktop Autopilot profile.
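Review bot: The first [!IMPORTANT] callout, under "Register devices using the Partner Center", says "The Group Name must match", but step 5 and the table column call the value a Group Tag, and the equivalent callout in the OEM API section says "The Group Tags must match". Because the callout demands an exact match including capitalization and special characters, the field itself should be named consistently; suggest "Group Tag" in both callouts.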
managed-desktop Prepare Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/prepare-devices.md
- Title: Prepare devices for Microsoft Managed Desktop
-description: Prepare new devices or reuse existing ones that qualify
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Prepare devices
-
-You can use both new and existing devices in Microsoft Managed Desktop.
-
-## Obtain new devices
-
-We recommend working with one of our approved device partners. You can work with your Microsoft account contact for more help setting up a device partnership.
-
-**To obtain new devices:**
-
-1. Review the list of currently recommended devices by filtering for Microsoft Managed Desktop in the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) site.
-1. Order one or a few examples of the devices you want to use with a compliant image. Ordering might require [specific ordering steps](../service-description/device-images.md).
-1. [Validate](validate-device.md) the example devices.
-1. After successful validation, order the devices, working with an approved device partner.
-1. Once they've arrived, either:
- - [Manually register](manual-registration.md).
- - Work with a partner to register the devices.
-1. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices.
-
-## Reuse existing devices
-
-> [!IMPORTANT]
->Check that your existing devices meet our [device requirements](../service-description/device-requirements.md). You can also use the downloadable [readiness assessment checker](../get-ready/readiness-assessment-downloadable.md) to verify that a given device meets the necessary requirements. <br><br>If you reuse an existing device, you may have to reimage it. For image options, see [Device images](../service-description/device-images.md).
-
-**To reuse existing devices:**
-
-1. Select one or a few examples of the devices you want to reuse, and then [validate them](validate-device.md).
-1. After successful validation, either:
- - [Manually register existing devices](manual-registration-existing-devices.md).
- - Work with a partner to register the devices.
-1. [Get your users ready](get-started-devices.md) to use Microsoft Managed Desktop devices.
-
-## Steps to get started with Microsoft Managed Desktop
-
-1. Access [admin portal](access-admin-portal.md).
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
-1. [Adjust settings after enrollment](conditional-access.md).
-1. Deploy and assign [Intune Company Portal](company-portal.md).
-1. [Assign licenses](assign-licenses.md).
-1. [Deploy apps](deploy-apps.md).
-1. Prepare devices (this article).
-1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
-1. [Enable user support features](enable-support.md).
-1. [Get your users ready to use devices](get-started-devices.md).
-1. [Get started with app control](get-started-app-control.md).
managed-desktop Project Visio https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/project-visio.md
- Title: Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices
-description: Info on installing Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices
-keywords: Microsoft Managed Desktop, Microsoft 365, Microsoft Project, Microsoft Visio
----- Previously updated : 03/07/2019---
-# Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices
-
-Microsoft Project and Microsoft Visio require specific steps to be installed on Microsoft Managed Desktop devices. This article documents the prerequisites and installation process for these applications.
-
-## Prerequisites
-
-Admins should verify that they meet these prerequisites:
-
-| Prerequisites | Description |
-| | |
-| License quantities | The correct amount of Microsoft Project and Microsoft Visio licenses must be available for your users. Microsoft Managed Desktop currently only supports 64-bit versions of these applications. |
-| License names | The appropriate license names for these applications are: <ul><li>**Microsoft Project** - Project Online Professional or Project Online Premium</li><li>**Microsoft Visio** - Visio Online Plan 2</li><ul> |
-| Company Portal | The Company Portal must be available in your tenant for your users to install these applications. If the Company Portal isn't deployed in your tenant, see [Company Portal](company-portal.md). |
-
-## Deploy Project and Visio for Microsoft Managed Desktop devices
-
-Microsoft Managed Desktop will add Microsoft Project and Microsoft Visio as two Win32 Applications in Microsoft Intune. We'll also create two groups in Azure Active Directory. The groups will be assigned to the corresponding application with the "Available" intent.
-
-**To deploy Project and Visio:**
-
-Add the user to the appropriate group and the application will become available in the Company Portal. It may take a few minutes to sync, but then your users can install the apps from Company Portal.
-
-Azure AD Group name | Which users to assign?
- |
-Modern Workplace-Office-Project_Install | Users needing Project
-Modern Workplace-Office-Visio_Install | Users needing Visio
-
-## Communicate changes
-
-It's important for IT administrators to let their users know how to install Project and Visio. This communication includes:
--- Notifying users when these applications are available to them.-- Instructions on how to install these applications from the Company Portal.
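Review bot: In the License names row of the Prerequisites table, the inline list is terminated with `<ul>` instead of `</ul>` (`...Visio Online Plan 2</li><ul> |`), which leaves the list unclosed inside the table cell. Suggest changing the final tag to `</ul>` if this table is reused.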
managed-desktop Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/teams.md
- Title: Microsoft Teams
-description: How Teams is installed on devices and updated afterwards
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation, apps, line-of-business apps, LOB apps
--------
-# Microsoft Teams
-
-[Teams](https://www.microsoft.com/microsoft-365/microsoft-teams/group-chat-software) is a [messaging app](https://support.microsoft.com/office/microsoft-teams-basics-6d5f52e6-5306-4096-ac24-c3082b79eaf0) that also provides a workspace for real-time collaboration and communication, meetings, and file and app sharing.
-
-## Initial deployment
-
-Most hardware vendors don't yet include Teams as a part of their images. Microsoft Managed Desktop deploys Teams to your devices by using Microsoft Intune. All managed devices have the [Teams .msi package](/MicrosoftTeams/msi-deployment#how-the-microsoft-teams-msi-package-works) installed. The .msi package ensures all users, who sign in to a device, have Microsoft Teams ready to use. When the package first finishes installing, Teams automatically starts and adds a shortcut to the desktop.
-
-### Microsoft Intune changes
-
-Microsoft Managed Desktop adds Microsoft Teams to your tenant: Modern Workplace - Teams Machine Wide Installer x64
-
-## Updates
-
-Teams follows a separate update path from Microsoft 365 Apps for enterprise. The desktop client updates itself automatically. Teams checks for updates every few hours, downloads them, and then waits for the computer to be idle before silently installing the update.
-
-The Teams product group doesn't allow admins to control updates, so Microsoft Managed Desktop uses the [standard automatic update channel](/microsoftteams/teams-client-update#can-admins-deploy-updates-instead-of-teams-auto-updating).
-
-### Manually updating Teams
-
-Individual users can also download updates. At the top right of the app, in the Profile dropdown, select **Check for updates**. If an update is available, it will be downloaded and silently installed when the computer is idle.
-
-## Delivery optimization of updates
-
-Delivery optimization for Teams updates is turned on by default and requires no action from admins or users.
managed-desktop Validate Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/validate-device.md
- Title: Validate new devices
-description: Before ordering devices, obtain one of each model and test it
---- NOCSH------
-# Validate new devices
-
-Whether you're new to Microsoft Managed Desktop or a long-time subscriber, it's recommended to test an example of any device model you're enrolling in the service for the first time. This is true whether you're ordering brand-new devices or reusing existing ones including devices recommended for Microsoft Managed Desktop.
-
-## View devices
-
-**To view devices recommended for use with the service:**
-
-1. Go to [Shop Windows Pro business devices](https://www.microsoft.com/en-us/windowsforbusiness/view-all-devices) site.
-1. In the **Filter by** section in the left pane, expand the **Features** filter.
-1. Select **Microsoft Managed Desktop**.
-
-Validating devices ensures that they'll deliver the user experience you expect.
-
-## Validate devices
-
-**To validate devices:**
-
-1. Take one or more examples of new models through the steps in the following articles:
- - [Prepare devices](prepare-devices.md)
- - [Localize the user experience](localization.md)
- - [First-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md)
- - [Windows 10 location service](device-location.md)
- - [Get started with app control](get-started-app-control.md)
- - [Deploy apps to devices](deploy-apps.md)
-2. Verify that the following experiences work without any failures, errors, or prompts:
- - The Autopilot experience after joining the network and the user signs in.
- - If you've enabled the [Enrollment Status Page](esp-first-run.md), it works.
- - User can sign into to Office applications.
- - OneDrive folders sync, including Windows Desktop, Documents, and Pictures.
- - Device receives updates, policies, and line-of-business applications.
-3. Review the reported devices and hardware requirements in the [Device inventory report](../working-with-managed-desktop/device-inventory-report.md) to check that they match what you expect.
-
-If any problems occur, you can [request support](../working-with-managed-desktop/admin-support.md) in the Admin portal.
-
-If everything goes well, you're ready to order the rest of the validated devices you need for your deployment.
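Review bot: Step 2 of "To validate devices" reads "User can sign into to Office applications", with a doubled preposition; suggest "Users can sign in to Office applications". Also, step 1 of "View devices" links "Shop Windows Pro business devices" to `https://www.microsoft.com/en-us/windowsforbusiness/view-all-devices`, while the Prepare devices article links the same site name to `https://www.microsoft.com/windows/business/devices`; one locale-neutral URL should be used in both places.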
managed-desktop Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/compliance.md
- Title: Compliance
-description: This article lists the compliance standards relevant to Microsoft Managed Desktop.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Compliance
-
-When you use Microsoft Managed Desktop, Microsoft provides you with a comprehensive set of compliance offerings. This effort helps your organization comply with the various compliance requirements.
-
-## Compliance coverage
-
-Microsoft Managed Desktop has achieved the following certifications:
--- [ISO 27001 Information Security Management Standards (ISMS)](/compliance/regulatory/offering-ISO-27001)-- [ISO 27701 Privacy Information Management System (PIMS)](/compliance/regulatory/offering-iso-27701)-- [ISO 27017 Code of Practice for Information Security Controls](/compliance/regulatory/offering-ISO-27017)-- [ISO 27018 Code of Practice for Protecting Personal Data in the Cloud](/compliance/regulatory/offering-ISO-27018)-- [ISO 9001 Quality Management Systems Standards](/compliance/regulatory/offering-ISO-9001)-- [ISO 20000-1 Information Technology Service Management](/compliance/regulatory/offering-ISO-20000-1-2011)-- [ISO 22301 Business Continuity Management Standard](/compliance/regulatory/offering-ISO-22301)-- [Cloud Security Alliance (CSA) STAR attestation](/compliance/regulatory/offering-CSA-STAR-Attestation)-- [Cloud Security Alliance (CSA) STAR certification](/compliance/regulatory/offering-CSA-Star-Certification)-- [Service Organization Controls (SOC) 1, 2, 3](/compliance/regulatory/offering-SOC)-- [Information Security Registered Assessor Program (IRAP)](/compliance/regulatory/offering-ccsl-irap-australia)-- [Payment Card Industry (PCI) Data Security Standard (DSS)](/compliance/regulatory/offering-PCI-DSS)-- [Health Insurance Portability and Accountability Act (HIPAA)](/compliance/regulatory/offering-hipaa-hitech)-- [Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)](/compliance/regulatory/offering-hitrust)-
-## Auditor reports and compliance certificates
-
-You can find relevant information, including control and technical requirements, in the [Service Trust Portal (STP)](https://servicetrust.microsoft.com/). This portal is the central repository for such information about Microsoft Cloud Service offerings. You can download auditor reports, compliance certificates, and more from the [Audit Reports](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide) section of the STP.
-
-> [!NOTE]
-> Because Microsoft Managed Desktop runs on Azure, relevant documents usually have file names such as "Microsoft Azure, Dynamics 365, and other Online Services". In those documents, you can usually find Microsoft Managed Desktop under the category "Microsoft Online Services" or "Monitoring + Management".
-
-## Shared responsibility
-
-Compliance for cloud services is a shared responsibility between cloud service providers and their customers. For more information, see [Shared responsibility in the cloud](/azure/security/fundamentals/shared-responsibility).
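Review bot: The list introduced by "Microsoft Managed Desktop has achieved the following certifications:" includes entries that are not certifications. HIPAA is a statute with no official certification, and the SOC 1, 2, 3 and CSA STAR attestation entries are auditor attestation reports. Suggest rewording the lead-in to match the intro paragraph's "compliance offerings", or splitting the list into certifications, attestations, and regulations, so readers do not cite a certification that does not exist.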
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/index.md
- Title: What is Microsoft Managed Desktop?
-description: Orientation for what the service is and shortcuts to articles for different audiences
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---------
-# What is Microsoft Managed Desktop?
-
-Microsoft Managed Desktop is a cloud-based service that brings together [Microsoft 365 Enterprise](../../enterprise/microsoft-365-overview.md) (including [Windows 10](/windows/windows-10/) Enterprise and [Office 365 Enterprise](https://www.microsoft.com/microsoft-365/business/compare-more-office-365-for-business-plans)) and adds these features:
--- User device deployment-- IT service management and operations-- Security monitoring and response-
-Microsoft Managed Desktop offers a solution for several of the challenges facing businesses and their people today:
--- The transition to the agile world of software as a service is daunting.-- Users want an empowered, connected work experience.-- Many current IT management and security processes are outdated, time-intensive, and expensive.-- Businesses want to focus on what makes them uniquely successful, rather than maintaining digital infrastructure.-
-Your users will enjoy the latest versions of Windows 10 and Microsoft 365 Apps for Enterprise apps (and more), using devices and software that are curated and rigorously tested for best performance and reliability.
-
-Also, you'll never have to worry about keeping any of this software up to date because that happens automatically. The updates follow a careful rollout sequence that is monitored every step of the way. Registered devices are monitored 24 hours a day, seven days a week for technical and security issues. If something goes wrong, help will be on the way.
-
-## Unique to Microsoft Managed Desktop
-
-Of course, there's nothing stopping you from obtaining and managing your own devices and Microsoft 365 deployments yourself. So what does Microsoft Managed Desktop offer?
-
-Our policies and security baseline offers your users these benefits:
--- Boot times for Microsoft Managed Desktop devices about one-fourth as long.-- At least twice the battery life.-- About one-third as many device crashes per year.-- Device mobility through [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) to allow users to have the same experience no matter what device they sign into.-
-Your IT admins benefit from these features:
--- Insights dashboards constantly keeping you up to date on usage, reliability, device health, and other data on devices and users.-- About *one-tenth* the amount of time needed to update 95% of devices.-- More time to focus on other IT admin activities, thanks to [device management](#device-management) provided by the service.-- Better awareness of device and app performance and early warning of security issues from [device monitoring](#device-monitoring).-
-## Device management
-
-Microsoft Managed Desktop takes on the burden of managing registered devices and the Microsoft software they use.
-
-| Management | Description |
-| -- | -- |
-| Hardware management| Instead of your IT department researching and figuring out if a device is compatible with the service, we've provided specific hardware and software requirements, tools, and processes to streamline selection so you can choose devices with confidence.<br><br>You can find recommended devices by filtering for Microsoft Managed Desktop on the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) site. You can either obtain devices yourself, work with a partner, or reuse devices you already have. Registering devices is easy and straightforward. Before they're deployed, you can also [customize](../working-with-managed-desktop/config-setting-overview.md) certain aspects of the device experience for your users. |
-| Update management | Microsoft Managed Desktop sets up and manages all aspects of [deployment groups](../service-description/updates.md) for Windows 10 quality and feature updates, drivers, firmware, anti-virus definitions, and Microsoft 365 Apps for enterprise updates.<br><br>This includes extensive testing and verification of all updates, assuring that registered devices are always up to date and minimizing disruptions, freeing your IT department from that ongoing task. |
-| Apps | As part of Microsoft 365 Enterprise, Microsoft provides and manages several key Microsoft apps for you.<br><br>However, you may also have other apps that you need for your business. Instead of your IT department having to test, package, and deploy those apps, Microsoft helps you deploy them through the [FastTrack](https://www.microsoft.com/FastTrack) program.<br><br>Additionally, Microsoft's [App Assure](/fasttrack/products-and-capabilities#app-assuree) program can help remediate any app compatibility issues that arise when migrating to the latest versions of our products. Learn more at [Apps in Microsoft Managed Desktop](../get-ready/apps.md).
-
-## Device monitoring
-
-We help maintain the security of your devices with a dedicated security operations center that monitors your devices and uses data from the unique threats that Microsoft analyzes each month. These security features are built in instead of added on later.
-
-We also monitor device health and provide you with insights about device performance. For more information, see [Microsoft Managed Desktop operations and monitoring](../service-description/operations-and-monitoring.md).
-
-## Need more details?
-
-For more information about the value of Microsoft Managed Desktop, including customer stories, see [Microsoft Managed Desktop](https://aka.ms/mmd).
-
-Great places to get started:
--- [Roadmap](https://aka.ms/AA6jiam)-- [Forrester Total Economic Impact case study](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/intro/downloads/forrester-tei-study.pdf)-- Downloadable [one-page summary](https://aka.ms/AA6ob3h)-
-You can find the latest news at the Microsoft Managed Desktop [blog](https://aka.ms/AA6l2dd).
-
-If Microsoft Managed Desktop seems right for your organization, you can delve into further documentation that explains:
--- More about the service.-- How to prepare your organization to enroll.-- How to get started with the service-- Ongoing operations thereafter, including how you and your users can easily get help if needed.-
-If you're already ready to come on board, start with contacting your [local account team](https://pages.email.office.com/contactmmd/).
-
-### More information
-
-| Information | Description |
-| -- | -- |
-| More overview and background | Primarily for technical and business decision makers, these articles detail the division of roles and responsibilities between your organization and Microsoft, technologies used in Microsoft Managed Desktop, and how the service fits into a broader strategy as part of the ITIL framework.<br><ul><li>[Microsoft Managed Desktop roles and responsibilities](roles-and-responsibilities.md)</li><li>[Microsoft Managed Desktop technologies](technologies.md)</li><li>[Microsoft Managed Desktop and ITIL](../MMD-and-ITSM.md)</li><li>[Compliance](compliance.md)</li><li>[Microsoft Managed Desktop service description](../service-description/index.md)</li></ul> |
-| Get ready for enrollment | These articles describe the steps you must take in your organization to prepare for enrollment, including checking that your environment meets key prerequisites, configuring networks, setting up certificates, and preparing your apps.<ul><li>[Prerequisites for Microsoft Managed Desktop](../get-ready/prerequisites.md)</li><li>[Network configuration for Microsoft Managed Desktop](../get-ready/network.md)</li><li>[Prepare on-premises resources access for Microsoft Managed Desktop](../get-ready/authentication.md)</li><li>[Prepare mapped drives for Microsoft Managed Desktop](../get-ready/mapped-drives.md)</li><li>[Prepare certificates and network profiles for Microsoft Managed Desktop](../get-ready/certs-wifi-lan.md)</li><li>[Apps in Microsoft Managed Desktop](../get-ready/apps.md)</li></ul> |
-| Get started | Once you're ready to enroll, this section includes the steps to follow to actually join the service, obtain and set up devices, prep your users, and deploy apps.<ul><li>[Add and verify admin contacts in the Admin portal](../get-started/add-admin-contacts.md)</li><li>[Adjust conditional access](../get-started/conditional-access.md)</li><li>[Assign licenses](../get-started/assign-licenses.md)</li><li>[Install Intune Company Portal on on devices](../get-started/company-portal.md)</li><li>[Enable Enterprise State Roaming](../get-started/enterprise-state-roaming.md)</li><li>[Prepare devices](../get-started/prepare-devices.md)</li><li>[Get your users ready to use devices](../get-started/get-started-devices.md)</li><li>[Deploy apps to devices](../get-started/deploy-apps.md)</li></ul> |
-| Working with Microsoft Managed Desktop | This section includes information about your day-to-day life with the service, such as how your IT admins can get support if needed, how your users get support, managing your apps once deployed, and how to work the customizable settings on devices.<ul><li>[Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md)</li><li>[Getting help for users](../working-with-managed-desktop/end-user-support.md)</li><li>[Configurable settings - Microsoft Managed Desktop](../working-with-managed-desktop/config-setting-overview.md)</li><ul> |
-
-<!--When you enroll in Microsoft Managed Desktop, Microsoft provides you with devices that are configured to join your Azure Active Directory tenant. Windows 10, Office 365, and some apps and features associated with [Microsoft 365 Enterprise E5](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans) are installed (by Microsoft) on your devices. When your employees who are using these devices need help, they contact Microsoft Managed Desktop support (provided by Microsoft) through a custom chat app.-->
-
-<!--With Microsoft Managed Desktop, you get **software as a service** (Microsoft 365 E5), **Device as a service** (Microsoft Surface devices ready to use), and **IT support as a service** (Help desk and more).-->
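Review bot: the removed Device management and More information tables carry markup defects that should not follow the content if index.md is being relocated rather than retired. The Apps row of the Device management table has no closing `|`, its App Assure link targets `#app-assuree` (which looks like a typo for `#app-assure`), the Get started row reads "Install Intune Company Portal on on devices", and the last More information row ends its list with `<ul>` where `</ul>` is expected. The visible lines remove every line of the article, including the `#device-management` and `#device-monitoring` anchors, and do not show a replacement, so please confirm a redirect exists for inbound links to this page.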
managed-desktop Roles And Responsibilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/roles-and-responsibilities.md
- Title: Microsoft Managed Desktop roles and responsibilities
-description: This article describes the roles and responsibilities provided by Microsoft for Microsoft Managed Desktop.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Microsoft Managed Desktop roles and responsibilities
-
-<!--This topic is the target for a "Learn more" link in the Admin Portal (aka.ms/admin-access); do not delete.-->
-<!-- from Roles and responsibilities -->
-
-When your organization is enrolled in Microsoft Managed Desktop, what does Microsoft do for you? And what are your organization's responsibilities?
-
-## Microsoft's roles and responsibilities
-
-Microsoft provides these key roles and responsibilities:
-
-| Role or responsibility | Description |
-| -- | -- |
-| MDM policy management | Microsoft will apply MDM policies according to best practices and consider requests for policy changes. We'll also make changes to your tenant as prescribed in [Device policies](../service-description/device-policies.md). |
-| User support | We provide a mechanism for elevated access to devices and for issues to get escalated through a support request if necessary. For more information, see [User support](../service-description/user-support.md).
-| Microsoft Managed Desktop service support | Microsoft will provide support to your IT department through a Microsoft Managed Desktop Operations Team. This team will support technical troubleshooting, change requests, and incident management for the customer's Microsoft Managed Desktop environment. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md). |
-| Security monitoring | Microsoft will monitor your Microsoft Managed Desktop devices using Microsoft Defender for Endpoint. If the Microsoft Managed Desktop Security Operations Center (SOC) detects a threat, we'll notify you, isolate the device, and rectify the issue remotely. For more information, see [Security](../service-description/security.md). |
-| Update monitoring and management | We actively monitor your Microsoft Managed Desktop devices to ensure that the latest quality and feature updates are installed for Microsoft Windows and Microsoft Office. For more information, see [How updates are handled](../service-description/updates.md). |
-| User and device grouping | Microsoft Managed Desktop operations team will create and manage required device and user groups as part of IT operations. No membership or configuration changes are allowed to these groups. Altering these groups can lead to unexpected configuration of devices and loss of functionality. For any issues or questions around these groups once established, IT administrators can contact Microsoft Managed Desktop operations. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md). |
-
-## Your roles and responsibilities
-
-This set of common roles and responsibilities is required for deployment, but aren't provided by Microsoft. It's not exhaustive but is applicable for most organizations. There are a few items that both you and Microsoft share responsibility for.
-
-| Role or responsibility | Description |
-| -- | -- |
-| Change management | Microsoft will notify customers, in advance, when changes need to be made to their Microsoft Managed Desktop environment. For more information, see [service changes and communication](../service-description/servicechanges.md).<br><br>You must have your own change management process and have a contact established with Microsoft Managed Desktop Operations team. You also must have resources to review and approve these changes. For more information, see [Operations and monitoring](../service-description/operations-and-monitoring.md). |
-| Identity management | You're responsible for creating user accounts, assigning users to groups, and keeping metadata up to date. |
-| Microsoft 365 Apps for enterprise configuration and management | Microsoft is responsible for ensuring Office applications are deployed to users and those applications are kept up to date. <br><br> You're responsible for managing Microsoft 365 services and policies, including Exchange Online administration responsibilities:<br><ul><li>Email administration</li><li> Mailbox and rule configuration</li><li>Exchange on-premises management</li></ul><br>You're also responsible for collaboration tools, SharePoint server administration, domain management, and security and information policies that are set in the Microsoft 365 admin center. |
-| User support | Provide all user support and technical assistance from first contact through to resolution for the user, either by you or through a designated support partner. You must either provide user support directly or work with a partner to provide support for these areas: <br><ul><li>On-site infrastructure: all network and internet connectivity, VPN infrastructure and client configuration, local conference room equipment, printers, proxy server and configuration, and firewalls.</li><li>Company-wide cloud resources: email, SharePoint, collaboration services, and other cloud infrastructure that relates to the company-wide technology footprint.</li><li>Line of business and any other company-specific applications.</li></ul>
-| Apps | Roles and responsibilities vary somewhat for the apps provided as part of Microsoft Managed Desktop versus the apps you provide. <br><br>For apps provided by Microsoft (Microsoft 365 Apps for enterprise comprising Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, Teams, and OneNote), **Microsoft** will provide full service for the deployment, update, and support. **You** must obtain and assign licenses for these apps, add users to security groups, and manage end of life and deploy any add-ons you need.<br><br>For apps you provide (such as your line-of-business apps), whether you package them yourself or engage a non-Microsoft vendor to do so, **you** are responsible for these actions: <br><ul><li>Identifying applications needed for targeted user groups</li><li>Creating and managing Azure AD groups for app deployment</li><li>Packaging apps to meet Microsoft Intune deployment standards</li><li> Uploading apps to Microsoft Intune</li><li>Testing apps in Microsoft Managed Desktop environment</li><li>Testing apps with your users</li><li>Managing and assigning users to applications</li><li>Identify and deploy application updates through Microsoft Intune</li><li>Uninstalling and removing applications when they've been retired</li><li>Procuring and assigning licenses</li><li>Providing user support for line-of-business apps</li><li> Managing app settings remotely</li></ul><br>**Microsoft** will provide Microsoft Intune deployment tools to deliver the applications to remote clients.<br><br>For more information, see [Apps](../get-ready/apps.md).
-| Security monitoring and response | You're responsible for investigating and resolving incidents for devices that aren't Microsoft Managed Desktop devices. You must ensure that the Microsoft Managed Desktop Operations Team is informed of any issues that may impact the service.
-| Operations support | You must provide a list of preferred contacts and subject matter experts in your organization. We need these contacts if there's an operational incident unrelated to Microsoft Managed Desktop. <br><br>You're also responsible for investigating and resolving incidents for devices and services that aren't in Microsoft Managed Desktop. You must ensure that the Microsoft Managed Desktop Operations Team is always informed.
-| Network infrastructure, including VPN | You're responsible for setup, configuration, and management (including troubleshooting and debugging) of all networking-related infrastructure and services. This also includes internet connectivity, network controls, proxy configuration, and remote connectivity infrastructure.<br><br>If a proxy is configured (in hardware or software), there's a collection of URLs that must be allowed by the proxy. You're responsible for troubleshooting any conflicts or incompatibilities due to multiple proxies. You can add network proxies specific to your organization using configurable settings. For more information, see [Configurable settings](../working-with-managed-desktop/config-setting-ref.md#proxy).<br><br>For more information, see [Proxy Configuration](../get-ready/network.md).
-| Printing | You're responsible for installing, maintaining, and administering printers and print queues. Cloud printing is a recommended solution, but it isn't required.
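Review bot: the HTML comment near the top of the removed file says this topic is the target for a "Learn more" link in the Admin Portal (aka.ms/admin-access) and must not be deleted, yet every visible line of roles-and-responsibilities.md is removed here. Before this merges, confirm that aka.ms/admin-access has been repointed or that a redirect for this path is in place, and carry the "do not delete" comment over to whichever article becomes the new target. If the tables are being moved, note that the User support row under Microsoft's roles and the rows from User support through Printing under your roles are missing their closing `|`.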
managed-desktop Technologies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/technologies.md
- Title: Microsoft Managed Desktop technologies
-description: This article lists the technologies and apps used in Microsoft Managed Desktop.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Microsoft Managed Desktop technologies
-
-This article lists the technologies and apps used in Microsoft Managed Desktop.
-
-<!-- Microsoft 365 E5; Device as a Service -->
-<!-- in O365 table, standard suite, removed this sentence "Please see the Installation of Project/Visio 64bit Click to Run Addendum for important deployment instructions. -->
-
-Microsoft 365 Enterprise licensing is required for all Microsoft Managed Desktop users. For more information on licensing requirements for the service, see [Prerequisites for Microsoft Managed Desktop](../get-ready/prerequisites.md).
-
-This article summarizes the components included in the required Enterprise licenses, and how the service uses each component with Microsoft Managed Desktop devices. Specific roles and responsibilities for each area are detailed throughout Microsoft Managed Desktop documentation.
-
-## Office 365 E3 or E5
-
-| Product | Information |
-| -- | -- |
-| Microsoft 365 Apps for enterprise (64-bit) | The following Office applications will be shipped with the device:<br><ul><li>Word</li><li>Excel</li><li>PowerPoint</li><li>Outlook</li><li>Publisher</li><li>Access</li><li>Skype for Business</li><li>OneNote</li></ul><br>The 64-bit full versions of Microsoft Project and Microsoft Visio aren't included. However, since the installation of these applications depends on the Microsoft 365 Apps for Enterprise installation, Microsoft Managed Desktop created default Microsoft Intune deployments, and security groups that you can use to deploy these applications to licensed users. For more information, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md). |
-| OneDrive | Azure Active Directory Single Sign On is enabled for users when they first sign in to OneDrive.<br><br>Known Folder Redirection for Desktop, Document, and Pictures folders are included. These folders are enabled and configured by Microsoft Managed Desktop. |
-| Store Apps | Microsoft Sway and Power BI aren't shipped with the device. These apps are available for download from Microsoft Store. |
-| Win32 Applications | Teams isn't shipped with the device, but it's packaged and provided by Microsoft for Microsoft Managed Desktop devices. Azure Information Protection Client isn't shipped with the device, but you can have it packaged for deployment. |
-| Web Applications | The following web applications aren't shipped with the device: <ul><li>Yammer</li><li>Office in a browser</li><li>Delve</li><li>Flow</li><li>StaffHub</li><li>Power Apps</li><li>Planner</li></ul> <br>Users can access the web version of these applications with a browser. |
-
-## Windows 10 Enterprise E5 or E3 with Microsoft Defender for Endpoint
-
-We recommend that your IT admins configure the following settings.
-
-> [!NOTE]
-> These settings aren't included or managed as part of Microsoft Managed Desktop.
-
-| Product | Information |
-| -- | -- |
-| Windows Hello for Business | You should implement Windows Hello for Business to replace passwords with strong two-factor authentication for Microsoft Managed Desktop devices. For more information, see [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification). |
-| Application Virtualization | You can deploy Application Virtualization (App-V) packages using the Intune Win32 app management client. For more information, see [Application Virtualization](/windows/application-management/app-v/appv-technical-reference). |
-| Microsoft Purview data loss prevention | You should implement data loss prevention to monitor the actions taken on items you've determined to be sensitive, and to help prevent the unintentional sharing of those items. For more information, see [data loss prevention](../../compliance/endpoint-dlp-learn-about.md). |
-
-Features included and managed as part of Microsoft Managed Desktop:
-
-| Product | Information |
-| -- | -- |
-| BitLocker Drive Encryption | BitLocker Drive Encryption is used to encrypt all system drives. For more information, see [BitLocker Drive Encryption](/windows/security/information-protection/bitlocker/bitlocker-overview). |
-| Windows Defender System Guard | Protects the integrity of the system at startup, and validates that system integrity has truly been maintained. For more information, see [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows). |
-| Windows Defender Credential Guard | Windows Defender Credential Guard uses Virtualization-based security to isolate secrets so that only privileged system software can access them. For more information, see [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows). |
-| Microsoft Defender for Endpoint - Endpoint Detection and Response | Microsoft Managed Desktop Security Operations responds to alerts and takes action to remediate threats using Endpoint Detection and Response. For more information, see [Microsoft Defender for Endpoint - Endpoint Detection and Response](/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response). |
-| Microsoft Defender for Endpoint - Threat Experts | Microsoft Managed Desktop integrates with Threat Experts insights and data through targeted attack notifications. You must provide additional consent before this service is enabled. For more information, see [Microsoft Defender for Endpoint - Threat Experts](/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts). |
-| Microsoft Defender for Endpoint - Threat and Vulnerability Management | Required for future use in the Microsoft Managed Desktop service plan. For more information, see [Microsoft Defender for Endpoint - Threat and Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). |
-| Microsoft Defender for Endpoint - Attack Surface Reduction | Targets risky software behaviors that are often abused by attackers. For more information, see [Microsoft Defender for Endpoint - Attack Surface Reduction](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction). |
-| Microsoft Defender for Endpoint - Exploit Protection | Protects against malware that uses exploits to infect devices, and spreads by automatically applying exploit mitigation techniques to operating system processes and apps. For more information, see [Microsoft Defender for Endpoint - Exploit Protection](/windows/security/threat-protection/microsoft-defender-atp/exploit-protection). |
-| Microsoft Defender for Endpoint - Network Protection | Expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP and HTTPS traffic that attempts to connect to low-reputation sources. For more information, see [Microsoft Defender for Endpoint - Network Protection](/windows/security/threat-protection/microsoft-defender-atp/network-protection). |
-| Microsoft Defender Tamper Protection | Windows Tamper Protection is used to prevent security settings such as anti-virus protection from being changed. For more information, see [Microsoft Defender Tamper Protection](/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection). |
-| Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection | Always on to scan for file and process threats that may not be detected as malware. For more information, see [Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection](../../security/defender-endpoint/microsoft-defender-antivirus-in-windows-10.md). |
-| Microsoft Defender Antivirus Cloud-delivered Protection | Provides dynamic near-instant, automated protection against new and emerging threats. For more information, see [Microsoft Defender Antivirus Cloud-delivered Protection](/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). |
-| Microsoft Defender for Endpoint - "Block at first sight" | Provides detection and blocking of new malware when Windows detects a suspicious or unknown file. For more information, see [Microsoft Defender for Endpoint - Block at first sight](/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). |
-| Microsoft Defender Antivirus Potentially Unwanted Applications | Used to block apps that can cause your machine to run slowly, display unexpected ads, or, at worst, install other software that might be unexpected or unwanted. For more information, see [Microsoft Defender Antivirus Potentially Unwanted Applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). |
-| Windows Defender Firewall with Advanced Security | Host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. For more information, see [Windows Defender Firewall with Advanced Security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). |
-| User Account Control | User Account Control switches to the Secure Desktop when a task or action requires the administrator account-type access. Microsoft Managed Desktop users are assigned Standard user access at enrollment. For more information, see [User Account Control](/windows/security/identity-protection/user-account-control/how-user-account-control-works). |
-
-## Enterprise Mobility + Security E5
-
-| Product | Information |
-| -- | -- |
-| Enterprise Mobility + Security E3<br><br>Azure Active Directory Premium P2 | You can use all features of Enterprise Mobility + Security E3 to manage MDM devices.<br><br>You can use Azure Active Directory Premium P2 as an optional feature with Microsoft Managed Desktop. |
-| Microsoft Defender for Cloud Apps | You can use this optional feature with Microsoft Managed Desktop.
-| Azure Information Protection P2 | You can use this optional feature with Microsoft Managed Desktop.
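Review bot: in the removed "Features included and managed" table, the Windows Defender Credential Guard row links to the System Guard article with the label "Windows Defender System Guard", which reads as a copy of the row above it. If this table is being moved rather than dropped, point that row at the Credential Guard documentation instead. Two smaller points for the same move: the section heading says "Enterprise Mobility + Security E5" while its first row describes Enterprise Mobility + Security E3, and the Microsoft Defender for Cloud Apps and Azure Information Protection P2 rows have no closing `|`.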
managed-desktop Win11 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/win11-overview.md
- Title: Microsoft Managed Desktop and Windows 11
-description: How and when Windows 11 is available in the service
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Microsoft Managed Desktop and Windows 11
-
-Following the announcement of Windows 11, you might have started planning Windows 11 migrations as part of your efforts to keep Windows 10 devices up to date.
-
-This article outlines important considerations and how Microsoft Managed Desktop will support smooth transitions in your environments. For information about Windows 11 itself, see [Windows 11 overview](/windows/whats-new/windows-11).
-
-For specific steps to follow to get Windows 11 installed on your Microsoft Managed Desktop devices, see [Preview and test Windows 11 with Microsoft Managed Desktop](../working-with-managed-desktop/test-win11-mmd.md).
-
-## Timeline for Windows 10 and Windows 11
-
-Windows 11 became generally available on October 4, 2021. It's ready for consumer and enterprise deployment, and it's a fully supported platform.
-
-We'll begin scheduling deployments for all Microsoft Managed Desktop devices starting January 2023. However, we'll provide full support for those that wish to deploy Windows 11 sooner. We'll consult and advise admins to develop and implement migration plans for each tenant based on technical readiness and your business considerations.
-
-Microsoft Managed Desktop continues to support Windows 10 in parallel until it reaches end of enterprise support. See [Windows 10 release information](/windows/release-health/release-information) for life cycle information.
-
-## Assessing pre-release versions of Windows 11
-
-More than 95% of Microsoft Managed Desktop devices are eligible for Windows 11. You might want to try the upgrade on test devices prior to production deployment. For more about Windows 11 system requirements, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements).
-
-For Microsoft Managed Desktop devices, you can [add devices to the Windows 11 test device group](/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd?view=o365-worldwide#add-devices-to-the-windows-11-test-group). This group receives the Windows 11 general availability build along with a Microsoft Managed Desktop baseline configuration. Once added to the device group, allow one to two days for a device to pick up the new settings and be offered Windows 11.
-
-For devices that aren't managed by Microsoft Managed Desktop, you can read [Endpoint Manager guidance](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886) to learn about deploying Windows 11. If you have devices running Windows 11 and later and enroll them in Microsoft Managed Desktop, they won't revert back to Windows 10.
-
-## Support for pre-release Windows 11 devices
-
-For those that opted into Windows 11 testing prior to general availability, devices may have preview builds installed.
-
-Microsoft Managed Desktop devices in this state won't be offered the Windows 11 general availability build. However, the devices will still be supported to resolve encountered issues. Microsoft Managed Desktop monitors all managed devices for security threats, and will respond to any alerts regardless if the device is running a Windows 11 preview build.
-
-Because we're committed to helping you migrate to Windows 11 while remaining productive, we encourage you to report defects you encounter with the platform. We prioritize:
--- Defects that block user productivity upon broad deployment of Windows 11.-- Defects that block user productivity on Windows 10 devices.-
-## Testing application compatibility
-
-Application compatibility is one of the most common concerns in any platform migration because of the potential for productivity disruptions. We're using several proactive and reactive measures to help you feel confident about smooth app transitions to Windows 11.
-
-### Proactive measures
-
-The following are some proactive measures:
-
-| Proactive measures | Description |
-| -- | -- |
-| Common apps | Microsoft extensively tests the most common enterprise applications and suites deployed on Windows 11 builds. We work with external software publishers and internal product teams to resolve any issues discovered during testing. For more information about our proactive compatibility testing effort, see the [Application Compatibility blog](https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/).
-| Line-of-business apps | [Test Base](https://www.microsoft.com/en-us/testbase) is a resource that app publishers and IT admins can use to submit apps and test cases for Microsoft to run on a virtual machine running Windows 11 builds in a secure Azure environment.<br><br>Results, test insights, and regression analysis for each test execution are available to you on a private Azure portal. Microsoft Managed Desktop will help you prioritize your line-of-business apps for validation based on app usage and reliability data. For more information about Test Base, see [Test Base for Microsoft 365](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/test-base-for-microsoft-365-microsoft-ignite-2021-updates/ba-p/2185566). |
-
-### Reactive measures
-
-If you encounter app compatibility issues in test or production environments, you can receive no-cost support by opening a [support request](/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd?view=o365-worldwide#report-issues).
-
-For Windows 11, support includes any functionality with the following apps that run on the latest operating system builds:
--- Office-- Microsoft Edge-- Teams-- line-of-business applications-
-Microsoft App Assure directly engages app publishers to prioritize and resolve app compatibility issues when needed.
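Review bot: The paragraph under "Support for pre-release Windows 11 devices" states that devices on preview builds are still monitored for security threats and still get alert response, and this hunk removes it with no replacement among the visible lines. If the article is moving rather than being dropped, carry that commitment over, change "regardless if the device is running" to "regardless of whether the device is running", and change "devices running Windows 11 and later" to "Windows 11 or later".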
managed-desktop App Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/app-control.md
- Title: App control
-description: How to use app control and trust with applications
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---------
-# App control
-
-App control is an optional security practice in Microsoft Managed Desktop that restricts the execution of code on client devices.
-
-This control mitigates the risk of malware or malicious scripts. The control requires that only codes signed by a customer-approved list of publishers can run. There are many security benefits from this control, but it primarily aims to protect data and identity from client-based exploits.
-
-Microsoft Managed Desktop simplifies the management of app control policies by creating a base policy that enables core productivity scenarios. You can extend trust to other signers that are specific to the apps and scripts in your environment.
-
-Any security technology requires a balance amongst user experience, security, and cost. App control reduces the threat of malicious software in your environment, but there are consequences to the user and further actions for your IT administrator.
-
-| Additional security and responsibilities | Description |
-| | |
-| Additional security | Apps or scripts that aren't trusted by the app control policy are blocked from running on devices. |
-| Your additional responsibilities | <ul><li>You're responsible for testing your apps to identify whether they would be blocked by the application control policy.</li><li>If an app is (or would be) blocked, you're responsible for identifying the required signer details. You must request a change through the Admin portal.</li></ul>
-| Microsoft Managed Desktop responsibilities | <ul><li>Microsoft Managed Desktop maintains the base policy that enables core Microsoft products like Microsoft 365 Apps, Windows, Teams, OneDrive, and so on.</li><li>Microsoft Managed Desktop inserts your trusted signers and deploys the updated policy to your devices.</li></ul>
-
-## Managing trust in applications
-
-Microsoft Managed Desktop curates a base policy that trusts the core components of Microsoft technologies. You then *add* trust for your own applications and scripts by informing Microsoft Managed Desktop which apps and scripts you already trust.
-
-### Base policy
-
-Microsoft Managed Desktop, in collaboration with Microsoft cybersecurity experts, creates and maintains a standard policy. This standard policy:
--- Enables most apps deployed through Microsoft Intune.-- Blocks dangerous activities like code compilation or execution of untrusted files.-
-The base policy takes the following approach to restricting software execution:
--- Files run by administrators will be allowed to run.-- Files in locations that are *not* in user-writable directories will be allowed to run.-- Files are signed by a [trusted signer](#signer-requests).-- Most files signed by Microsoft will run, however some are blocked to prevent high-risk actions like code compilation.-
-If a user, other than an administrator, could have added an app or script to a device (that is, it's in a user-writable directory), we won't allow it to execute. We'll allow the execution if the app or script has already been allowed by an administrator.
-
-Our policy will stop the execution of apps in the following scenarios:
--- If a user is tricked into trying to install malware.-- If a vulnerability in an app the user runs attempts to install malware.-- If a user intentionally tries to run an unauthorized app or script.-
-### Signer requests
-
-You inform us which apps are provided by software publishers you trust by filing a *signer request*. By doing so, we:
--- Add that trust information into the baseline application control policy.-- Allow any software signed with that publisher's certificate to run on your devices.-
-## Audit and Enforced policies
-
-Microsoft Managed Desktop uses Microsoft Intune policies to provide app control:
-
-### Audit policy
-
-This policy creates logs to record whether an app or script would be blocked by the Enforced policy.
-
-Audit policies don't enforce app control rules. They're meant for testing purposes to identify whether an application will require a publisher exemption. It logs warnings (8003 or 8006 events) in the Event Viewer instead of blocking the execution or installation of specified apps or script.
-
-### Enforced policy
-
-This policy blocks untrusted apps and scripts from running, and creates logs whenever an app or script is blocked. Enforced policies prevent standard users from executing apps or scripts stored in user-writable directories.
-
-Devices in the Test group have an Audit policy applied to validate whether any applications will cause issues. All other groups (First, Fast, and Broad) use an Enforced policy. Users in those groups won't be able to run untrusted apps or scripts.
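Review bot: The "Audit policy" and "Enforced policy" sections are where an admin learns which Event Viewer warnings to look for (8003 or 8006) and that only the Test group runs in audit mode while First, Fast, and Broad are enforced; the hunk removes both with no replacement shown, so confirm the same details exist wherever this content now lives. If the text is carried over, the third base-policy item, "Files are signed by a trusted signer", should state an outcome like its neighbours ("will be allowed to run"), and "only codes signed by" should read "only code signed by".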
managed-desktop Customizing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/customizing.md
- Title: Exceptions to the service plan
-description: How to request exceptions to the standard service plan
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Exceptions to the service plan
-
-Microsoft Managed Desktop provides a curated device list, [standard device settings](device-policies.md), applications requirements, and certain [configurable settings](../working-with-managed-desktop/config-setting-overview.md)ΓÇöall designed to provide a secure, productive, and pleasant experience for users.
-
-It's best to always stay with the service as provided. However, we recognize that some details of the service might not fit exactly with your organization's needs. If you feel you need to alter the service in some way, it's important that you follow the following processes to request those changes.
-
-## Types of exceptions
-
-An exception is any addition or change to the Microsoft Managed Desktop base configuration. Examples range from USB ports configuration to deploying a new device driver. We group various exceptions as follows:
-
-| Exception types | Description |
-| -- | -- |
-| Productivity software | Foreground software needed by users, restricted by the [application requirements](mmd-app-requirements.md). |
-| Security agents & VPNs | Software used to secure, monitor, or change the behavior of the device or network. |
-| Digital experience monitoring | Software used to track data on a user's device to report to IT. |
-| Hardware or software drivers | Device drivers, restricted by the [application requirements](mmd-app-requirements.md). |
-| Policies | Windows 10 or Microsoft 365 Apps for enterprise settings on a managed device. |
-| Devices | Devices that aren't on the Microsoft Managed Desktop [device list](device-list.md). |
-| Other | Anything not covered by the other areas. |
-
-## Request an exception
-
-Submit requests through the Microsoft Managed Desktop Admin portal by creating a change request. Be sure to include these details:
-
-| Change request detail | Description |
-| -- | -- |
-| Exemption type | Which type of exception is it? (see the [previous table](#types-of-exceptions)) |
-| Requirement | What is the specific business requirement for the exception? |
-| Proposal | Which solution is your business requesting? |
-| Timeline | How long do you want this exception to last? |
-
-## How we assess an exception request
-
-When we review exception requests, we assess these factors in this order:
-
-1. Some applications and policies which Microsoft Managed Desktop deploys to all devices aren't negotiable. Your request must not affect those applications and policies. For more information, see [Device configuration](device-policies.md).
-2. Restricted productivity software required by a user to do their job will likely be approved.
-3. If we can meet your requirement by using Microsoft technology, we'll likely approve your request for an exception migration period of three to 12 months. The migration period depends on the scope of the project.
-4. If we can't meet your requirement by using Microsoft technology, we'll likely approve your request unless it violates one of the [Key conditions](#key-conditions).
-
-These principles ensure that Microsoft Managed Desktop can always meet your needs while tracking deviations from our standard template.
-
-## Key conditions
-
-We review exceptions to ensure they don't violate any of these conditions:
--- An exception must not adversely affect system security.-- Maintaining the exception must not incur a significant cost for either Microsoft Managed Desktop operations or support.-- An exception must not affect system stability, for example, by causing kernel mode crashes or hangs.-- The change must not restrict us from operating the service or conflict with core Microsoft Managed Desktop technology.-- The exception can't involve personalizing the user experience, such as changing the Start menu or Taskbar.-
-These conditions could change in the future. If we do make such changes, we'll provide 30 days notice prior to those conditions coming into effect. If Microsoft Managed Desktop delivers an alternative way to meet an approved exception, Microsoft Managed Desktop will notify the customer should Microsoft Managed Desktop alter the way it supports the exception.
-
-## Revoking approval for an exception
-
-After a requested exception is approved and deployed, it's possible that we might discover problems that violate the key conditions that weren't evident when we approved the change in the first place. In this situation, we might have to revoke approval for the exception.
-
-If we must revoke approval for the exception, we'll notify you by using the Microsoft Managed Desktop admin portal. From the first time we notify you, you have 90 days to remove the exception before the devices with the exception are no longer bound by Microsoft Managed Desktop service level agreements.
-
-We'll send you several notifications according to a strict timeline. However, a severe incident or threat might require us to change the timeline of our decisions about an exception. We won't *remove* an exception without your consent. However, any device with a revoked exception will no longer be bound by our service level agreement. The following table is the timeline of notifications we'll send you:
-
-| Notice type | Description |
-| -- | -- |
-| First notice | We provide the following information in the first notice: <ul><li>Information about why we're revoking it.</li><li>The actions we advise you to take.</li><li>The deadline for those actions.</li><Li>Steps to follow if you want to appeal the decision.</li></ul> <br>This notice occurs 90 days in advance before the exception must be removed from all devices. |
-| Second notice (30 days later) | We provide a second notice, including the same information provided in the first notice. |
-| Third notice (60 days after the first notice) | We provide a third notice, including the same information provided in the first notice. |
-| Final notice (one week before the 90-day deadline) | We provide a fourth notice, including the same information provided in the first notice. |
-| 90 days after first notice| Microsoft Managed Desktop service level agreements no longer apply to any devices that have the revoked exception. At any time, you can challenge the decision and provide additional information for consideration, including upgrade, configuration changes, or change of software. |
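Review bot: The first row of the change-request table is labelled "Exemption type" while its own description, the table it links to ("Exception types"), and the rest of the article all say "exception"; use one term so a requester can match the field to the list. The sentence after the key-conditions list ending "will notify the customer should Microsoft Managed Desktop alter the way it supports the exception" is hard to parse and should be split in two. The "ΓÇö" before "all designed" in the opening paragraph looks like a mis-encoded dash, and `<Li>` in the first-notice row should be lowercase like the other list items.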
managed-desktop Deployment Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/deployment-groups.md
- Title: Device deployment groups
-description: The deployment groups used to manage updates and other changes
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Device deployment groups
-
-Microsoft Managed Desktop uses deployment groups to manage the release of updates and configuration changes to devices. Devices are added to deployment groups ("rings" or "update groups") automatically when they're enrolled into Microsoft Managed Desktop. Deployment groups allow for devices to receive changes in a phased timeline.
-
-You might want to assign certain devices for test purposes only, or designate specific early adopters to receive the changes first. If you have critical devices, such as those used by executives or that do business-critical functions, you might want to keep them in the group that gets updates on the slowest cadence. Microsoft Managed Desktop allows you to specify that a device should stay in any one of the following groups.
-
-| Group | Description |
-| -- | -- |
-| Test | The Test group is best for devices that are used for testing, or users who can tolerate frequent changes, exposure to new features, and are able to provide early feedback.<br><br>This group receives changes frequently and experiences in this group have a strong effect. The Test group is exempt from any established service level agreements and user support. It's best to move just a few devices at first and then review the user experience. Microsoft Managed Desktop won't automatically assign devices to this group. This group will only contain devices you specify.
-| First | The First group is ideal for early adopters, volunteer, designated validators, IT Pros, or representatives of business functions. That is, people who can validate changes and provide you feedback on the experience.
-| Fast | The Fast group is ideal for representatives of business functions. These individuals can validate changes prior to broad deployment.
-| Broad | The Broad group receives changes last.<br><br>Most of your organization will typically be in this group. You can specify devices that must be in this group. These devices should receive changes last because they're doing business critical functions, or belong to users in critical roles.
-| Automatic | Select Automatic when you want Microsoft Managed Desktop to automatically assign devices to one of the other groups.<br><br>We won't automatically assign devices to Test. If you want to release a device that you've previously specified so it can be automatically assigned again, select this option.
-
-For more information about how Windows updates are managed in groups, see [How updates are handled in Microsoft Managed Desktop](updates.md).
-
-## Labels
-
-The Group assigned by column contains the following labels:
-
-| Label | Description |
-| -- | -- |
-| Admin | The device is in a group you've specified. |
-| Auto | Microsoft Managed Desktop assigned the group. |
-| Pending | The device is in the process of moving to a group. |
-
-The **Group** column always shows the group the device is currently in and only updates when a move is complete.
-
-> [!IMPORTANT]
-> Don't try to directly modify the membership of these groups. Always follow the steps described in [Assign devices to a deployment group](../working-with-managed-desktop/assign-deployment-group.md).
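Review bot: In the group table, the First row ("representatives of business functions ... people who can validate changes") and the Fast row ("representatives of business functions ... can validate changes prior to broad deployment") describe the same audience, so a reader cannot tell which group to pick; say what distinguishes them, for example their place in the rollout order. In the "Labels" section, "The Group assigned by column" should mark the column name the way the later sentence marks **Group**, and the Test through Automatic rows are missing their closing pipe.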
managed-desktop Device Images https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-images.md
- Title: Device images
-description: Image requirements when ordering new devices or reusing existing devices
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Device images
-
-Whether you order [new devices](#new-devices) or reuse [existing](#existing-devices) ones, you have several options to ensure the image on the device meets our [device requirements](device-requirements.md#check-hardware-requirements).
-
-## New devices
-
-When you order a new device from an [approved manufacturer](device-requirements.md#minimum-requirements), follow these steps to make sure they ship devices with the right Microsoft Managed Desktop image and software configuration.
-
-Anytime you plan to enroll a particular device model in the service for the first time, you should test an example to ensure it will deliver the user experience you expect. For more information, see [Validate new devices](/microsoft-365/managed-desktop/get-started/validate-device).
-
-### Windows 10 Pro
-If you're ordering devices with Windows 10, work directly with your OEM sales representative. As of November 1, 2022, OEMs can only sell Windows 10 Pro under the Windows 11 Pro with Windows 10 Pro Downgrade license. For more information, see [Windows 10 support dates](/lifecycle/products/windows-10-enterprise-and-education?msclkid=4a74c7b9b04111eca478c6fdafbc51a5) for the retirement dates of Windows 10 versions.
-
-For customers interested in moving to Windows 11, you can find more information on the recommended process [here](/microsoft-365/managed-desktop/intro/win11-overview).
-
-### Dell
-
-Work directly with the Dell sales representative.
-
-The representative will ensure that the image approved by Microsoft Managed Desktop is applied to devices in your order. For more information on Dell devices, the image, and the ordering process, contact MMD_at_dell@dell.com.
-
-### HP
-
-When you order new devices from HP, be sure to use the specific SKU listed in the Additional requirements section for each model found in the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices#view-all-filter) page. Filter the view to list the Microsoft Managed Desktop devices.
-
-If you're ordering a device from HP that has been approved as an [exception](customizing.md), but isn't currently listed on the Device List page, request the SKU to be used for your model. We'll work with HP to get you this information by using your exception request. You can also contact HP directly for any questions about devices and device ordering instructions by using these addresses:
--- Americas: mmd-americas@hp.com-- Europe/Middle East/Africa: mmd-emea@hp.com-- Asia Pacific/Japan: mmd-apj@hp.com-- Global: mmd@hp.com-
-### Lenovo
-
-When you order devices from Lenovo, you must indicate a specific part number in the order. Contact your Lenovo sales representative or Lenovo Channel Partner and ask them to create a "*special bid model*" with a system that meets our [device requirements](device-requirements.md#minimum-requirements).
-
-To include a pre-loaded image compatible with Microsoft Managed Desktop, ask the sales representative to reference "*system building block part number SBB0Q94938 - MMD Enablement*." Work with your Lenovo sales representative or Lenovo Channel Partner for recommended services, support, and imaging services.
-
-### Microsoft
-
-All Microsoft devices that meet device requirements come with an image that works with Microsoft Managed Desktop. No other steps are required.
-
-To get the latest image available in the factory on a Microsoft device, work with your Surface specialist to use the Surface "Pegged PO" process.
-
-## Existing devices
-
-You can reuse existing devices as long as they meet both:
--- [Device requirements](device-requirements.md#minimum-requirements)-- [Software requirements](device-requirements.md#installed-software)-
-Follow the steps relevant to your manufacturer.
-
-You can reimage devices either with an image from the manufacturer, or by using the Microsoft Managed Desktop "universal image." To get an appropriate manufacturer image, order at least one [new device](#new-devices) of the model you're reusing. Then, you can obtain the image from that device and apply it to other devices of the exact same model.
-
-> [!NOTE]
-> It's your the responsibility to create, test, and deploy images. We also recommend using appropriate images provided by the manufacturer whenever possible instead of custom images; this includes the "universal image."
-
-### HP
-
-HP Commercial PCs shipped with the HP Corporate Ready Image include a `.WIM` file for recovery. You can use this image to apply the factory restoration image to other devices of the same model.
-
-The following steps will remove all data on the device. Before starting, you should back up any data on you want to keep.
-
-**To remove data on the device:**
-
-1. [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) with WinPE.
-2. Copy these files from `C:\\SOURCES` to the USB drive:
- - The factory recovery WIM file (for example, `HP\_EliteBook\_840\_G7\_Notebook\_PC\_CR\_2004.wim`)
- - `DEPLOY.CMD`
- - `ReCreatePartitions.txt`
-3. [Boot the device to WinPE](https://store.hp.com/us/en/tech-takes/how-to-boot-from-usb-drive-on-windows-10-pcs) USB drive.
-4. In a command prompt, run [Diskpart.exe](/windows-server/administration/windows-commands/diskpart#additional-references).
-5. In Diskpart, run `list disk`, and then note the primary storage disk number (typically, Disk 0).
-6. Exit Diskpart by typing `exit`.
-7. In the command prompt, run `deploy.cmd <sys_disk> <recovery_wim>`, where `sys_disk` is the disk number of the primary storage disk you determined, and `recovery_wim` is the filename of the `.WIM` file you copied earlier.
-8. Remove the USB drive, and then restart the device.
-
-### Microsoft
-
-Microsoft Surface devices include "bare metal recovery" [images](https://support.microsoft.com/en-us/surfacerecoveryimage) that are specific to each model. You can use these images to reimage devices.
-
-These images use the Windows Recovery Environment (WinRE). This is a manual process (not automated). Follow the steps in [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/surface/creating-and-using-a-usb-recovery-drive-for-surface-677852e2-ed34-45cb-40ef-398fc7d62c07).
-
-### Universal image
-
-Microsoft Managed Desktop has created an image containing Windows Pro and Microsoft 365 Apps for Enterprise that you can use with Microsoft Managed Desktop.
-
-However, it's best to use images appropriate to Microsoft Managed Desktop provided by the manufacturer whenever possible, even if that means an older Windows version must be updated once the user signs in. Using the Microsoft Managed Desktop Universal image should be a final option.
--- We update the image with the latest Windows monthly quality updates every 30-60 days, and Microsoft 365 Apps for Enterprise updates at least twice a year.-- The image contains a recovery provisioning package to ensure Microsoft 365 Apps for Enterprise is restored following Windows recovery scenarios.-- You can deploy the image with USB drives. It contains a scriptable process to insert drivers. This process is outlined in the documentation included with the image.-- You can modify the included scripts and folders with other customizations, such as adding specific cumulative updates, file copy code, or performing other checks.-- Drivers and quality updates are added to Windows during deployment from the USB drive.-
-> [!NOTE]
-> It's your responsibility to add all necessary drivers, perform all testing, and ensure there are no issues with the final deployed image. We provide the Universal Image "as-is" but will provide technical guidance and answer questions. Contact MMDImage@microsoft.com.
-
-Submit requests for the Universal Image content and documentation by creating a change request it the [Admin portal](../get-started/access-admin-portal.md).
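Review bot: In the HP subsection under "Existing devices", the procedure heading "To remove data on the device:" mislabels the steps, which apply the factory recovery image with `deploy.cmd <sys_disk> <recovery_wim>`; data loss is a side effect, not the goal, so the heading should name the reimaging task and the warning above it should stay. Step 5 relies on "typically, Disk 0" to pick the disk that step 7 overwrites, so it is worth telling the reader to confirm the disk from the `list disk` output before continuing. If the text is carried over, also drop the stray backslashes in `C:\\SOURCES` and `HP\_EliteBook\_840\_G7\_Notebook\_PC\_CR\_2004.wim`, and fix "It's your the responsibility", "back up any data on you want to keep", and "creating a change request it the".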
managed-desktop Device Names https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-names.md
- Title: Device names
-description: How Microsoft Managed Desktop manages device names
---- NOCSH------
-# Device names
-
-Microsoft Managed Desktop uses Windows Autopilot, Azure Active Directory, and Microsoft Intune.
-
-For these services to work together seamlessly, devices need consistent, standardized names. Microsoft Managed Desktop applies a standardized name format (of the form `MMD-%RAND11`) when devices are enrolled. Windows Autopilot assigns these names. For more information about Autopilot, see [First-run experience with Autopilot and the Enrollment Status Page](../get-started/esp-first-run.md).
-
-## Automated name changes
-
-If a device is renamed later, Microsoft Managed Desktop will automatically rename it to a new name in the standardized format. This process occurs every four hours. The name change takes place the next time the user restarts the device.
-
-> [!IMPORTANT]
-> If your environment depends on specific device names (for example, to support a particular network configuration), you should investigate options to remove that dependency before enrolling in Microsoft Managed Desktop.<br><br>If you must keep the name dependency, you can submit a request through the [Admin portal](../working-with-managed-desktop/admin-support.md) to disable the renaming function and use your desired name format.
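Review bot: In "Automated name changes", the sentence "This process occurs every four hours" does not say what runs every four hours; from the sentence that follows it appears to be the check for non-standard names, with the rename itself applied at the next restart. State that explicitly, because anything keyed to device names (the IMPORTANT note mentions network configuration) keeps seeing the non-standard name until that restart. The format `MMD-%RAND11` is also given without saying what `%RAND11` expands to.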
managed-desktop Device Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-policies.md
- Title: Device configuration
-description: Learn about the default policies applied to Microsoft Managed Desktop devices.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Device configuration
-
-<!--This topic is the target for a "Learn more" link in the Enterprise Agreement (aka.ms/dev-config); do not delete.-->
-
-<!-- Device configuration and Security Addendum-->
-
-When a new Microsoft Managed Desktop device is being set up, we ensure that the configuration is optimized Microsoft Managed Desktop.
-
-The configuration includes a set of default policies that are set as part of the onboarding process. These policies are delivered using Mobile Device Management (MDM) whenever possible. For more information, see [Mobile Device Management](/windows/client-management/mdm/).
-
->[!NOTE]
->To avoid conflicts, do not alter these policies.
-
-Devices will arrive with a signature image, and then join the Azure Active Directory domain when the first user signs in. The device will automatically install required policies and applications without any intervention from your IT personnel.
-
-## Default policies
-
-This table highlights the default policies that are applied to all Microsoft Managed Desktop devices during device provisioning. All detected changes to objects not approved by Microsoft Managed Desktop Operations Team and managed by Microsoft Managed Desktop will be reverted.
-
-| Policy | Description
-| -- | -- |
-| Security baseline | [Microsoft security baseline](/windows/device-security/windows-security-baselines) for mobile device management is configured for all Microsoft Managed Desktop devices. This baseline is the industry-standard configuration. It's publicly released, well tested, and reviewed by Microsoft security experts to keep Microsoft Managed Desktop devices, and apps secure in the modern workplace. <br><br>To mitigate threats in the constantly evolving security threat landscape, the Microsoft security baseline will be updated, and deployed to Microsoft Managed Desktop devices with each Windows 10 feature update.<br><br>For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-baselines).
-| Microsoft Managed Desktop recommended security template | This template is a set of recommended changes to the security baseline that optimizes the user experience. These changes are documented in [the Security Addendum](#security-addendum). Updates to the policy addendum occur on an as needed basis.
-| Update deployment | Use Windows Update for Business to perform gradual deployment of software updates. IT admins can't modify settings for the deployment group policies. For more information on group-based deployment, see [How updates are handled in Microsoft Managed Desktop](updates.md).
-| Metered connections | By default, updates over metered connections (such as LTE networks) are turned off. Though, each user can independently turn on this setting by navigating to **Settings, then Updates, then to Advanced options**. <br><br>If you want to allow all users to enable updates over metered connections, [submit a change request](../working-with-managed-desktop/admin-support.md), which will turn on this setting for all devices.
-| Device compliance | These policies are configured for all Microsoft Managed Desktop devices. A device is reported as non-compliant when it drifts from our required security configuration.
-
-## Windows diagnostic data
-
- Devices will be set to provide enhanced diagnostic data to Microsoft under a known commercial identifier. As part of Microsoft Managed Desktop, IT admins can't change these settings.
-
-For customers in General Data Protection Regulation (GDPR) regions, users can reduce the level of diagnostic data that is provided, but there will be a reduction in service. For example, Microsoft Managed Desktop will be unable to collect the data necessary to iterate on settings and policies to best serve performance and security needs. For more information, see [Configure Windows diagnostic data in your organization.](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enhanced-level)
-
-## Security addendum
-
- This section outlines the policies that will be deployed in addition to the standard Microsoft Managed Desktop policies listed in [Default policies](#default-policies). This configuration is designed with financial services and highly regulated industries in mind, and optimized for the highest security while maintaining user productivity.
-
-### Additional security policies
-
- These policies are added to increase security for highly regulated industries:
-
-| Policy | Description |
-| -- | -- |
-|Security monitoring | Microsoft will monitor devices using [Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). If a threat is detected, Microsoft will notify the customer, isolate the device, and rectify the issue remotely. |
- | Disable PowerShell V2 | Microsoft removed PowerShell V2 in August 2017.<br><br>This feature has been disabled on all Microsoft Managed Desktop devices. For more information on this change, see [Windows PowerShell 2.0 Deprecation](https://devblogs.microsoft.com/powershell/windows-powershell-2-0-deprecation/). |
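Review bot: In the "Disable PowerShell V2" row, "Microsoft removed PowerShell V2 in August 2017" disagrees with the linked post, whose title describes a deprecation, and the next sentence says the feature "has been disabled" on managed devices. If this table is being moved rather than retired, word it as deprecated by Microsoft and disabled by the service, so readers can tell which control the service actually enforces. The "Windows diagnostic data" section above it needs the same care: the statement that IT admins can't change the enhanced diagnostic data setting, and the GDPR exception, should survive wherever this content lands.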
managed-desktop Device Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-requirements.md
- Title: Device requirements
-description: Summary of the minimum hardware and software requirements for devices to work with Microsoft Managed Desktop
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Device requirements
-
-Microsoft Managed Desktop regularly evaluates device requirements to be included in the service. This article describes the hardware and software requirements a device must meet in order to work with Microsoft Managed Desktop.
-
-You can review a list of specific devices already approved for use based on these requirements. Filter for Microsoft Managed Desktop in the [Shop Windows Pro business devices](https://www.microsoft.com/en-us/windows/business/devices) page.
-
-> [!NOTE]
-> These requirements can change at any time, but we'll provide 30 days notice of any hardware requirement changes. The requirements most recently changed are marked with <b>\*</b>.
-
-## Check hardware requirements
-
-Besides reviewing device specs, you can also use the downloadable [readiness assessment checker](../get-ready/readiness-assessment-downloadable.md) to verify that the device meets the necessary requirements.
-
-This tool also checks network settings and endpoints that are necessary for the service to work.
-
-## Minimum requirements
-
-To be enrolled in Microsoft Managed Desktop, a device must meet or exceed all of these requirements.
-
-### Manufacturer
-
-The device must have been made by one of these manufacturers:
--- Dell-- HP-- Lenovo-- Microsoft-
-> [!NOTE]
-> As of Mar 01, 2022, devices managed by Microsoft Managed Desktop must be supported by the OEM.<br><br>Work with your OEM to find out when devices in your portfolio will reach end of life support. Customers will be responsible for ensuring devices are replaced prior to end of life support. Any devices falling outside of OEM support will continue to be managed by Microsoft Managed Desktop, but support for these devices may be limited as they are at risk of security and performance issues that may not be mitigated by our service.
-</b>
-
-### Installed software
-
-The device must have this software preinstalled:
--- <b>\*</b> Windows 10 or Windows 11: Enterprise, Pro, or Pro Workstation edition.-- 64-bit version of Microsoft 365 Apps for Enterprise.-- All applicable device drivers.-
-### Physical features
-
-Devices must have these capabilities:
--- Enabled for UEFI secure boot.-- Trusted Platform Module 2.0.-- Capable of Virtualization-based security.-- [Hypervisor-protected code integrity](/windows-hardware/drivers/bringup/device-guard-and-credential-guard) supported by the BIOS.-
-For more about these capabilities and the technologies related to them that the service uses, see [Microsoft Managed Desktop technologies](../intro/technologies.md).
-
-> [!NOTE]
->- ARM processors aren't supported.
->- <b>\*</b> Windows 11 has additional [hardware requirements](/windows/whats-new/windows-11-requirements).
-
-Devices should meet or exceed following limits for storage and memory:
--- Boot drive must be any type other than a hard disk. For example, SSD, NVMe, and eMMC drives are all valid choices.-- Boot drive must have a capacity of at least 128 GB.-- Internal device memory (RAM) must equal or exceed 8 GB.-
-If the device was made after July 1, 2020, it should also have an IR camera, fingerprint reader, or both, in order to support [Windows Hello](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security).
-
-## Recommended features
-
-Your users will have a much better experience if you choose devices that have these features:
--- Either an Intel vPro-platform processor or an AMD Ryzen Pro processor.-- Boot drive of the SSD type with a capacity of at least 256 GB.-- Internal device memory (RAM) of at least 16 GB.-- Support for Modern Standby.-- Device is of Secured-core PC type.-- Supports Kernel DMA Protection.
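Review bot: Under "Physical features", the sentence "Devices should meet or exceed following limits for storage and memory" introduces bullets that each say "must", and the Windows Hello sentence after it also uses "should", although both sit under "Minimum requirements", where a device "must meet or exceed all of these requirements". Use "must" consistently, or move the optional items to "Recommended features", so it is clear which capabilities are enforced at enrollment. There is also a stray "</b>" on its own line after the OEM support note that has no opening tag.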
managed-desktop Device Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-services.md
- Title: Microsoft Managed Desktop device services
-description: This article lists device services and limitation for Microsoft Managed Desktop.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Microsoft Managed Desktop device services
-
-This article lists the services and service limitations for Microsoft Managed Desktop devices.
-
-## Device services
-
-Microsoft will provide the following services for Microsoft Managed Desktop devices. For a list of recommended Microsoft Managed Desktop program devices, filter for Microsoft Managed Desktop on the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) page.
-
-| Service | Description |
-| -- | -- |
-| Support | Support agents will answer questions directly related to device functionality and diagnose device issues.
-| Inventory | All devices are tracked in the Microsoft Managed Desktop Admin portal for inventory and status.
-| Firmware and driver updates | By default, Microsoft Managed Desktop devices receive firmware and driver updates from Windows Update.<br><br>Not all hardware partners deploy their updates via Windows Update. Updates not published as Automatic require an exception and must be deployed by the customer.
-| Accessories | Accessories that come with your device are covered by the same services as the device itself, but warranty terms may differ. Refer to the warranty terms when selecting your devices.
-| Device setup | Devices will be pre-configured with the current version of Windows and receive their apps and configurations via the cloud.
-
-For information on device replacement, upgrades, and support terms, see your agreement with your device provider and your warranty terms.
-
-For information on Surface warranties and repairs:
--- [Surface for Business Help Center](https://support.microsoft.com/hub/4339296/surface-for-business-help)-- [Warranties, extended service plans, and terms and conditions for your device](https://support.microsoft.com/help/4040687/info-about-warranties-extended-service-plans-and-terms-conditions)-
-## Device service limitations
-
-Microsoft won't provide service for these items:
-
-| Service | Description |
-| -- | -- |
-| Personalization | Devices and accessories provided with the service are unable to be customized.<br><br>All devices and accessories are provided with standard branding, specification, and color combinations. Application deployment and policy configurations are handled through IT-as-a-Service.
-| Data recovery | User and team data, including personalization, is stored in OneDrive for Business, with only the cache data residing locally.<br><br>If data is intentionally stored on the device's internal storage system, any data recovery must be attempted, and completed prior to returning the device to Microsoft.
-| Device setup | Devices are delivered to the customer address. The device must be powered on and set up by the customer.
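Review bot: "Device setup" is a row in both tables: under "Device services" as something Microsoft provides (devices pre-configured with the current version of Windows) and under "Device service limitations" as something Microsoft won't provide (the customer powers on and sets up the device). Give the two rows distinct labels so the split of responsibility is unambiguous. The "Data recovery" row also says recovery must be completed before a device is returned to Microsoft but does not say what happens to data left on internal storage; state that explicitly if this text is kept elsewhere.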
managed-desktop Diagnostic Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/diagnostic-logs.md
- Title: Diagnostic logs
-description: Logs that might be collected from devices during troubleshooting and how they're stored
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Diagnostic logs
-
-Whether you've reported an issue or an issue was identified by our service, we might have to collect certain diagnostic logs from the device without intervention from the user.
-
-We don't collect any user-generated content or information from user directories. We only collect diagnostic and log data that concerns device health and status.
-
-We store any collected logs for 28 days, and then delete them. We process any logs collected from a device following our [data handling standards](privacy-personal-data.md).
-
-## Data collected
-
-This list below includes all the folders, event logs, executables, or registry locations that Microsoft Managed Desktop might collect diagnostic logs from. The actual data collected will be a subset of this list and depends on the identified issue.
-
-### Registry keys
--- HKLM\\SYSTEM\\CurrentControlSet\\Services-- HKLM\\SOFTWARE\\Microsoft\\Surface-- HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate-- HKLM\\SYSTEM\\CurrentControlSet\\Control\\MUI\\UILanguages-- HKLM\\Software\\Policies\\Microsoft\\WindowsStore-- HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate-- HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion-- HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion-- HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel-- HKLM\\SYSTEM\\CurrentControlSet\\Control\\FirmwareResources-- HKLM\\SOFTWARE\\Microsoft\\WindowsSelfhost-- HKLM\\SOFTWARE\\Microsoft\\WindowsUpdate-- HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx-- HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Superfetch-- HKLM\\SYSTEM\\Setup-- HKLM\\Software\\Microsoft\\IntuneManagementExtension-- HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot-- HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection-- HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI-- HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings-- HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall-- HKLM\\Software\\Policies-- HKLM\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL-- HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection-- HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall-- HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL-
-### Commands
--- %programfiles%\\windows defender\\mpcmdrun.exe -GetFiles-- %windir%\\system32\\certutil.exe -store-- %windir%\\system32\\certutil.exe -store -user my-- %windir%\\system32\\Dsregcmd.exe /status-- %windir%\\system32\\ipconfig.exe /all-- %windir%\\system32\\ipconfig.exe /displaydns-- %windir%\\system32\\mdmdiagnosticstool.exe-- %windir%\\system32\\msinfo32.exe /report %temp%\\MDMDiagnostics\\msinfo32.log-- %windir%\\system32\\netsh.exe advfirewall show allprofiles-- %windir%\\system32\\netsh.exe advfirewall show global-- %windir%\\system32\\netsh.exe lan show profiles-- %windir%\\system32\\netsh.exe winhttp show proxy-- %windir%\\system32\\netsh.exe wlan show profiles-- %windir%\\system32\\netsh.exe wlan show wlanreport-- %windir%\\system32\\ping.exe -n 50 localhost-- %windir%\\system32\\powercfg.exe /batteryreport /output %temp%\\MDMDiagnostics\\battery-report.html-- %windir%\\system32\\powercfg.exe /energy /output %temp%\\MDMDiagnostics\\energy-report.html-- bitsadmin /list /allusers /verbose-- fltMC.exe-- bcdedit /enum all /v-- manage-bde -protectors -get-- Windows PowerShell commands:
- - Get-appxpackage -allusers
- - Get-appxpackage -packagetype bundle
- - Get-Service wuauserv
- - Get-NetFirewallRule
- - Get-WmiObject -Class win32\_product
- - Get-ComputerInfo
- - Get-Service
- - Get-Process
- - Get-WmiObject Win32\_PnPSignedDriver
-
-### Event logs
--- Application-- Microsoft-Windows-AppLocker/EXE and DLL-- Microsoft-Windows-AppLocker/MSI and Script-- Microsoft-Windows-AppLocker/Packaged app-Deployment-- Microsoft-Windows-AppLocker/Packaged app-Execution-- Microsoft-Windows-Bitlocker/Bitlocker Management-- Microsoft-Windows-SENSE/Operational-- Microsoft-Windows-SenseIR/Operational-- Setup-- System-
-### Files
--- %ProgramData%\\Microsoft\\DiagnosticLogCSP\\Collectors\\\*.etl-- %ProgramData%\\Microsoft\\IntuneManagementExtension\\Logs\\\*.\*-- %ProgramData%\\Microsoft\\Windows Defender\\Support\\MpSupportFiles.cab-- %ProgramData%\\Microsoft\\Windows\\WlanReport\\wlan-report-latest.html-- %ProgramData%\\Microsoft\\Windows\\WlanReport -SourceFileName wlan-report-latest.html-- %windir%\\ccm\\logs\*.log-- %windir%\\ccmsetup\\logs\*.log-- %windir%\\logs\\CBS\\cbs.log-- %windir%\\logs\\measuredboot\*.\*-- %windir%\\Logs\\WindowsUpdate\*.etl-- %windir%\\inf\\\*.log-- %windir%\\servicing\\sessions\\ActionList.xml-- %windir%\\servicing\\sessions\\Sessions.xml-- %windir%\\SoftwareDistribution\\DataStore\\Logs\\edb.log-- %windir%\\SoftwareDistribution\\DataStore\\DataStore.edb-- %windir%\\logs\\dism\\dism.log-- %SystemRoot%\\System32\\Winevt\\Logs\\-- %appdata%\\Microsoft\\Teams\\media-stack\\\*.blog-- %appdata%\\Microsoft\\Teams\\skylib\\\*.blog-- %appdata%\\Microsoft\\Teams\\media-stack\\\*.etl-- %appdata%\\Microsoft\\Teams\\logs.txt-- %windir%\\Windows\\System32\\winevt\\\*.\*
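Review bot: The "Commands" list includes "manage-bde -protectors -get" and "certutil.exe -store -user my", and the "Files" list includes per-user Teams logs under %appdata%, while the introduction says no information from user directories is collected and only device health and status data is gathered. State how BitLocker protector output, the user certificate store listing and the %appdata% files are handled under that promise, or narrow the list. Smaller points: the "Windows NT\CurrentVersion" key is listed twice under "Registry keys", and the last "Files" entry repeats the Windows directory after %windir% and overlaps the %SystemRoot% Winevt\Logs entry.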
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/index.md
- Title: Microsoft Managed Desktop service description
-description: Outlines what is included in Microsoft Managed Desktop as a service
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Microsoft Managed Desktop service description
-
-Microsoft Managed Desktop provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Microsoft 365 Apps for enterprise, and Microsoft security services, including:
--- Simplified enrollment of new devices.-- Configuration of devices.-- Features to keep users and devices secure, including Windows Hello, BitLocker, SecureBoot, and Virtualization-based security according to Microsoft best practices.-- Device security monitoring and remediation services.-- App compatibility, through [App Assure](/fasttrack/products-and-capabilities#app-assure).-- Management of updates for Windows 10 and Microsoft 365 Apps for enterprise apps.-- Analytical data about device and app usage.-- IT support for your users.-- Operational support for IT pros.-
-## Included services
-
-For details about the specific services included with Microsoft Managed Desktop, see the articles below.
-
-If you've already decided that Microsoft Managed Desktop is for you, the articles in [Get ready for enrollment in Microsoft Managed Desktop](../get-ready/index.md) will provide you with the steps to prepare to join the service.
-
-| Service | Description |
-| -- | -- |
-| [Supported regions and languages](regions-languages.md) | Explains which regions and languages are supported with the service. |
-| [Program devices](device-list.md) | To guarantee the best experience for your users, only certain devices are supported by Microsoft Managed Desktop. [Program devices](device-list.md) specifies the exact device models and configurations you can use with the service. You provide them or work with a partner. |
-| [Device services](device-services.md) | Specifies the device-related services that Microsoft will provide to subscribers.
-| [Device configuration](device-policies.md) | Clarifies the default and security-related Mobile Device Management policies that the service will apply to enrolled devices. |
-| [Security](security.md) | Specifies the data collected from enrolled devices, the features and policies related to device security, identity and access management, network security, and information security. |
-| [Updates](updates.md) | Describes the various update groups that Microsoft Managed Desktop uses to roll out updates to your devices.
-| [Support](support.md) | Clarifies the support Microsoft provides for your organization and users. |
-| [Operations and monitoring](operations-and-monitoring.md) | Explains how change management works with Microsoft Managed Desktop. This includes standard procedures for requesting and preparing for changes in the deployment. |
-| [Application requirements](mmd-app-requirements.md) | Describes the types of apps and behaviors allowed in Microsoft Managed Desktop, and the division of roles and responsibilities for app deployment and management. |
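Review bot: The opening paragraph and the feature list name only Windows 10 ("latest versions of Windows 10 Enterprise edition", "Management of updates for Windows 10"), while the device requirements article removed in this same change set accepts "Windows 10 or Windows 11". If this overview is republished elsewhere, align the wording so the security features listed here (Windows Hello, BitLocker, SecureBoot, Virtualization-based security) are clearly stated for both. In the "Included services" table, the "Device services" and "Updates" rows are missing their closing pipe.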
managed-desktop Mmd App Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/mmd-app-requirements.md
- Title: App requirements
-description: Management tools we use
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# App requirements
-
-<!--This topic is the target for aka.ms/app-req. This is aka link is used from EA agreement for MMD. do not delete.-->
-
-<!--Application addendum -->
-
-Microsoft Managed Desktop requires that we manage devices using a specific approach to guarantee the performance, reliability, and serviceability of devices.
-
-| Management area | Microsoft Managed Desktop approach |
-| -- | -- |
-| Device configuration or policy management | Microsoft Intune |
-| Application management | Microsoft Intune and Company Portal |
-| Driver deployment | Drivers included with the device, Windows Update, or Intune. |
-| Device security | See [Device security](security.md#device-security). |
-| Identity and access management | See [Identity and access management](security.md#identity-and-access-management). |
-| Network security | See [Network security](security.md#network-security). |
-| Information security | See [Information security](security.md#information-security). |
-| Data recovery | OneDrive for Business |
-| Core productivity | Microsoft 365 Apps for enterprise |
-| Browser | Microsoft Edge |
-
-Microsoft Managed Desktop might monitor other software running on managed devices. If any software negatively affects device management, device security, performance, or reliability, you might be required to request an [exception to the service plan](customizing.md).
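Review bot: The HTML comment near the top says this topic is the target for aka.ms/app-req, that the link is used from the EA agreement, and "do not delete", yet every line of the article is removed here. Confirm that a redirect or an updated link target is in place before this lands, otherwise the agreement will point at a missing page. Separately, the front-matter description "Management tools we use" does not describe an article titled "App requirements".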
managed-desktop Operations And Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/operations-and-monitoring.md
- Title: Microsoft Managed Desktop operations and monitoring
-description: Who does what for various change processes
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Microsoft Managed Desktop operations and monitoring
-
-<!-- Operations and monitoring: -->
-
-## Change management
-
-In the service offering, the balance of responsibility for hardware maintenance and security updates shifts to the service provider (Microsoft) instead of the customer (you). However, you must still ensure that non-Microsoft and custom software continues to function as expected when updates are rolled out.
-
-For on-premises products, your organization assumes all responsibility for managing change.
-
-### Balance of responsibility
-
-| Responsibility | Microsoft Managed Desktop service | Microsoft 365 client software | On-premises clients and servers | Non-Microsoft and custom software
-| -- | -- | -- | -- | -- |
-| Provide new functionality | Microsoft | Microsoft | Both | Customer
-| Test new features for quality assurance | Microsoft | Microsoft | Both | Customer
-| Communicate about new features | Both | Both | Both | Customer
-| Integrate custom software | Both | Both | Customer | Customer
-| Apply security updates | Microsoft | Microsoft | Customer | Customer
-| Maintain system software | Microsoft | Microsoft | Customer | Customer
-| Package for deployment | Microsoft | Microsoft | Customer | Customer
-
-### Change process overview
-
-Below is a summary of how the change process is shared between Microsoft and customers:
-
-| Scenario | Microsoft's role | Customer's role |
-| -- | -- | -- |
-| Before a change | <ul><li>Set expectations for service changes.</li><li>Notify customers 5 days in advance for changes that require administrator action.</li><li>For emergency changes, apply a mitigation prior to notifying.</li></ul> | <ul><li>Understand what to expect for changes and communications.</li><li>Read Microsoft Managed Desktop Message Center regularly.</li><li>Review and update internal change management processes.</li><li>Understand, and check compliance with Microsoft Managed Desktop requirements. </li><li>Acknowledge and approve, when required.</li></ul>
-| During a change | <ul><li>Release and deploy monthly security and non-security updates for Windows 10 and Office 365 clients.</li><li>Monitor data signals and support queues for impact.</li></ul> | <ul><li>Check the Microsoft Managed Desktop Message Center and review any additional information.</li><li>Take any action required, if applicable, and test applications.</li><li>If a break/fix scenario is experienced, create a support request.</li></ul> |
-| After a change | <ul><li>Collect customer feedback to improve rollout of future changes.</li><li>Monitor data signals and support queues for impact.</li></ul> | <ul><li>Work with people in your organization to adopt the change.</li><li>Review change and adoption management processes for opportunities to gain efficiencies.</li><li>Provide general feedback and specific feedback in the admin feedback tool.</li><li>Train users to provide app-specific feedback using the Windows Feedback Hub and the Smile button in Office apps.</li></ul> |
-
-### Change types
-
-There are several types of changes that we make to the service regularly. The communication channel for those changes and the actions you're responsible for vary.
-
-Not all changes have the same effect on your users or require action. Some are planned and some are unplanned. For example, non-security updates and security updates aren't usually planned.
-
-Depending on the type of change, the communication channel may vary. The following table lists the types of changes you can expect for the Microsoft Managed Desktop service.
-
-| | Functionality | Non-security updates | Security |
-| -- | -- | -- | -- |
-| **Type of change** | <ul><li>Feature updates</li><li>New features or applications</li><li>Deprecated features</li></ul> | Client hotfixes for issues | Security updates |
-**Advance notice** | Five days notice for changes that require action | No such changes are included in the monthly release | No changes are included in the monthly release |
-**Communication channel** | <ul><li>Message Center</li><li>Email alert</li></ul> | <ul><li>Message Center</li><li>Email alert</li></ul> | <ul><li>Message Center</li><li>Email alert</li></ul> |
-**Requires global admin action** | Sometimes | Rarely | Rarely |
-**Type of action** | Change settings | Communicate changes to users | Change admin settings |
-**Requires testing** | Check business applications including remote access services | Sometimes; testing the fix against processes or customizations | Rarely |
-**Examples of change** | <ul><li>Feature updates: IT Admin Portal simplified support ticket submission and review</li><li>New features or applications: Semi-Annual release of a Windows 10 feature update</li></ul> | Hotfixes based on customer reported bugs |
-
-## Standard operating procedures
-
-The Microsoft Managed Desktop service is implemented and operated by Microsoft in your Microsoft cloud instance where you might conduct other administrative activities. Microsoft is solely responsible for Microsoft Managed Desktop-specific setup, configuration, and operation.
-
-For on-premises products, your organization takes on all the responsibility for managing setup, and configuration and operational activities.
-
-| Categories | Microsoft will | Customer will |
-| -- | -- | -- |
-| Network (proxy, packet inspection, VPN) | Advise and plan with customers to minimize risk to business users. | <ul><li>Create a support request requesting information for a planned configuration change. Include the configuration details, scope, timeline, and other pertinent details for Microsoft to review.</li><li>Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.</li></ul> |
-Service accounts | <ul><li>Implement, securely store, and manage the credentials.</li><li>Communicate unauthorized access or use of these credentials to your Security Operations team.</li></ul> | <ul><li>Create a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review.</li><li>Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.</li><li>Not assign policy, multi-factor authentication, conditional access, or application deployment to the Microsoft Managed Desktop Service Accounts.</li><li>Not reset the password or use the credentials.</li><li>Open a Sev C support request to Microsoft Managed Desktop Operations if suspicious activity is observed in Intune or Azure audit logs, related to these service accounts.</li></ul>
-| Device Groups | <li> Implement and assign the membership of devices within Microsoft Managed Desktop groups.</li><li>Use the Microsoft Managed Desktop groups to manage the assignment and release of configuration and updates to devices.</li></ul> | <ul><li>Create a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review.</li><li>Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.</li><li>Only assign devices to any Microsoft Managed Desktop group following the steps described in [Assign devices to a deployment group](../working-with-managed-desktop/assign-deployment-group.md).</li><li>Only use the groups to assign corporate certificates for services such as VPN, Windows Hello for Business or email encryption, or corporate wifi profile configuration.</li><li>Where co-management exists, explicitly exclude all Microsoft Managed Desktop groups when deploying the Configuration Manager client.</li></ul>
-| Policies | <ul><li>Implement and manage the Microsoft Managed Desktop policies that govern the configuration state of devices within service.</li><li> Deploy updates, to policy or Windows, incrementally using Device Groups.</li><li>Explicitly exclude targeting non-Microsoft Managed Desktop groups.</li></ul> | <ul><li>Create a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review.</li><li>Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.</li><li>Not edit or assign Microsoft Managed Desktop policies to devices or users not managed by the Microsoft Managed Desktop service.
-Microsoft 365 Defender for Endpoint.</li></ul> | Monitor and investigate devices within the scope of the Microsoft Managed Desktop service. | <ul><li>Create a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review.</li><li>Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.</li></ul>
-| Microsoft Store for Business | Configure and maintain the Windows Autopilot profile for the Microsoft Managed Desktop service. | <ul><li>Create a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review.</li><li>Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.</li><li>Not modify the configuration of the Microsoft Managed Desktop Windows Autopilot profile or add/remove assigned devices.</li></ul>
-| Certificates | | <ul><li>Create a support request 60 days prior to a certificate expiring, requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review.</li><li>Only apply a change once Microsoft Managed Desktop Operations has assessed and advised.</li><li>Update all certificates that are required to configure certificate profiles, VPN profiles, and Wi-Fi profiles.</li></ul>|
-
-## Device wipe with factory reset
-
-The Microsoft Managed Desktop Operations team can perform a factory reset of devices enrolled in the service when required. Resetting is helpful if you need to give a device to a different employee, or if an employee leaves your company.
-
-There are a few requirements:
--- Your global administrator must submit a support request.-- Include the device's computer name in the request.-- The user account must be in Azure AD before we reset the device.-
-Managed Desktop Operations team will:
--- Look up the device name in Intune.-- Send the factory reset command to the device.-
-> [!NOTE]
-> Do not remove the user account from Azure AD before the device is reset. If the user isn't in Azure AD, Intune can't send the factory reset command to the device.
-
-The device will boot into the "out of box experience," and all preinstalled applications and settings will be applied again. The user of the device needs to provide initial setup information again.
-
-When the device has been reset, you can give it to a different person in your organization. None of the previous user's data or enterprise data will be on the device. The next user will go through the same process that the previous person did with a new Microsoft Managed Desktop device.
-
-BitLocker is a key component of data security in this process. With BitLocker encryption on Microsoft Managed Desktop devices, data on the drive remains secure even after the device has been factory-reset. Any data that was on the drive won't be available to the next user of the device. For more information, see [BitLocker overview](/windows/security/information-protection/bitlocker/bitlocker-overview).
-
-For more information, see [Factory reset a device](/intune/remote-actions/devices-wipe#factory-reset-a-device).
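Review bot: In the "Standard operating procedures" table, the "Policies" row never closes: its customer cell stops after "not managed by the Microsoft Managed Desktop service." and the next line begins "Microsoft 365 Defender for Endpoint.</li></ul>", so the Defender for Endpoint row label reads as a customer obligation and that row has no start of its own. The "Service accounts" row is also missing its leading pipe, the "Device Groups" cell opens with "<li>" without "<ul>", and the "Examples of change" row in the change-types table has no Security cell. These rows define who may touch service accounts, groups and policies, so repair the table structure wherever this content is republished.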
managed-desktop Privacy Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/privacy-personal-data.md
- Title: Privacy and personal data
-description: Details the data collected, stored, and used by the service
-keywords: GDPR, retention, deletion, storage, retention, processing, security, auditing
-
-ms.sitesec: library
---- NOCSH----
-# Privacy
-
-Microsoft Managed Desktop is an IT-as-a-Service (ITaaS) service for enterprise cloud customers designed to keep employees' Windows devices deployed and updated.
-
-It also provides IT service management and operations, monitors security and incident response, and user support. This article provides more details on data platform and privacy compliance for Microsoft Managed Desktop.
-
-## Microsoft Managed Desktop data sources and purpose
-
-Microsoft Managed Desktop provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources.
-
-These sources include Azure Active Directory, Microsoft Intune, Microsoft Windows 10, and Microsoft Defender for Endpoint. They provide a comprehensive view of the devices that Microsoft Managed Desktop manages. The service also uses these Microsoft services to enable Microsoft Managed Desktop to provide ITaaS capabilities:
-
-| Data source | Purpose |
-| | |
-| [Microsoft Windows 10 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. |
-| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10 update. |
-| [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) | Device management and to keep your data secure. The following data sources fall under Microsoft Endpoint
-| [Microsoft Managed Desktop](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. |
-| [Microsoft 365 apps for enterprise](https://www.microsoft.com/en-us/microsoft-365/enterprise/compare-office-365-plans?rtc=1)| Management of Microsoft 365 Apps.
-
-## Microsoft Managed Desktop data process and storage
-
-Microsoft Managed Desktop relies on data from multiple Microsoft products and services to provide its service to enterprise customers.
-
-To protect and maintain enrolled devices, we process and copy data from these services to Microsoft Managed Desktop. When we process data, we follow the documented directions you provide, as referenced in the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
-
-Microsoft Managed Desktop's processor duties include ensuring appropriate confidentiality, security, and resilience. Microsoft Managed Desktop employs additional privacy and security measures to ensure proper handling of personal identifiable data.
-
-## Microsoft Managed Desktop data storage and staff location
-
-Microsoft Managed Desktop stores its data in the Azure data centers in the United States.
-
-Personal data obtained by Microsoft Managed Desktop and other services are required to keep the service operational. If a device is removed from Microsoft Managed Desktop, we keep personal data for a maximum of 30 days. However, alert data, collected by Microsoft Defender for Endpoint, is stored for 180 days for security purposes. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).
-
-Microsoft Managed Desktop Engineering Operations and Security Operations teams are located in the United States, India and Romania.
-
-### Microsoft Windows 10 diagnostic data
-
-Microsoft Managed Desktop uses [Windows 10 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, troubleshoot problems, and make product improvements.
-
-The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Microsoft Managed Desktop and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
-
-The diagnostic data terminology will change in future versions of Windows. Microsoft Managed Desktop is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Microsoft Managed Desktop will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
-
-Microsoft Managed Desktop only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Microsoft Managed Desktop doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
-
-For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
-
-### Microsoft Windows Update for Business
-
-Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Microsoft Managed Desktop uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
-
-### Microsoft Azure Active Directory
-
-Identifying data used by Microsoft Managed Desktop is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
-
-### Microsoft Intune
-
-Microsoft Intune collects, processes, and shares data to Microsoft Managed Desktop to support business operations and services. For more information about the data collected in Intune, see [Data collection in Intune](/mem/intune/protect/privacy-data-collect)
-
-For more information on Microsoft Intune data locations, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations). Intune respects the storage location selections made by the administrator for customer data.
-
-### Microsoft Defender for Endpoint
-
-Microsoft Defender for Endpoint collects and stores information for devices enrolled in Microsoft Managed Desktop for administration, tracking, and reporting purposes. Information collected includes:
--- File data (such as file names, size, and hashes)-- Process data (running processes, hashes)-- Registry data-- Network connection data-- Device details (such as device identifiers, device names, and the operating system version)-
-For more information on Microsoft Defender for Endpoint's data collection and storage locations, see [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect).
-
-### Microsoft 365 Apps for Enterprise
-
-Microsoft 365 Apps for Enterprise collects and shares data with Microsoft Managed Desktop to ensure those apps are up to date with the latest version. These updates are based on predefined update channels managed by Microsoft Managed Desktop. For more information on Microsoft 365 Apps's data collection and storage locations, see [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect).
-
-## Major data change notification
-
-Microsoft Managed Desktop follows a change control process as outlined in our service communication framework.
-
-We notify customers through the Microsoft 365 Message Center, and Microsoft Managed Desktop Admin portal of both security incidents and major changes to the service.
-
-Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days of advanced notification of this change as is standard practice for Microsoft 365 products and services. For more information, see [Service changes and communication](/microsoft-365/managed-desktop/service-description/servicechanges).
-
-## Compliance
-
-Microsoft Managed Desktop has undergone external audits and obtained a comprehensive set of compliance offerings. You can find more information in [Compliance](/microsoft-365/managed-desktop/intro/compliance). Audit reports are available for download at the Microsoft [Service Trust Portal](https://aka.ms/stp), which serves as a central repository for Microsoft Enterprise Online Services. Microsoft Managed Desktop is listed within these documents under the "Monitoring and Management" category.
-
-### Data subject requests
-
-Microsoft Managed Desktop follows GDPR and CCPA privacy regulations, which give data subjects specific rights to their personal data.
-
-These rights include:
--- Obtaining copies of personal data-- Requesting corrections to it-- Restricting the processing of it-- Deleting it-- Receiving it in an electronic format so it can be moved to another controller.-
-For more general information about Data Subject Requests (DSRs), see [Data Subject Requests and the GDPR and CCPA](/compliance/regulatory/gdpr-data-subject-requests).
-
-To exercise data subject requests on data collected by the Microsoft Managed Desktop case management system, see the following data subject requests:
-
-| Data subject requests | Description |
-| | |
-| Data from Microsoft Defender for Endpoint alerts | Your security administrator can request deletion, or extraction of personal data related to Microsoft Defender for Endpoint alerts by submitting a report request in the [Admin Portal](https://aka.ms/memadmin). <br><br> Provide the following information: <br><ul><li>Request type: Change request</li><li>Category: Security</li><li>Subcategory: Other</li><li>Description: Provide the relevant device names.</li></ul> |
-| Data from Microsoft Managed Desktop support requests | Your IT administrator can request deletion, or extraction of personal data related support requests by submitting a report request at the [Admin Portal](https://aka.ms/memadmin). <br><br> Provide the following information: <ul><li>Request type: Change request</li><li>Category: Security</li><li>Subcategory: Other</li><li>Description: Provide the relevant device names or user names.</li></ul>
-
-For DSRs from other products related to the service, see the following articles:
--- Windows [diagnostic data](/compliance/regulatory/gdpr-dsr-windows)-- Microsoft [Intune data](/compliance/regulatory/gdpr-dsr-intune)-- Azure Active [Directory data](/compliance/regulatory/gdpr-dsr-azure)-
-## Legal
-
-**Microsoft's privacy notice to end users of products provided by organizational customers**:
-
-The [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) notifies end users that when they sign in to Microsoft products with a work account:
-
-1. Their organization can control and administer their account (including controlling privacy-related settings), and access and process their data.
-1. Microsoft may collect and process the data to provide the service to the organization and end users.
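Review bot: In the removed "Microsoft 365 Apps for Enterprise" section, the sentence about "Microsoft 365 Apps's data collection and storage locations" links to the Microsoft Defender for Endpoint data storage and privacy page, the same target the Defender section above it uses, so it reads as a copy-paste error; if this article is being relocated rather than retired, correct the link in the new copy. The Microsoft Endpoint Manager row of the data-source table also stops mid-sentence ("The following data sources fall under Microsoft Endpoint") with no closing cell. This hunk also removes the visible statement of the retention periods (a maximum of 30 days after a device is removed, 180 days for Defender for Endpoint alert data) and the data subject request steps, so confirm both are restated wherever the content now lives.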
managed-desktop Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/profiles.md
- Title: Understand device profiles
-description: The various profiles that admins can assign to devices
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Device profiles
-
-You can think of device profiles as being part of a hierarchy of device configuration options.
--
-| Device configuration options | Description
-| -- | -- |
-| Your configurations | At the top are your own configurations, such as network details or applications. A device can have any number of these configurations, which aren't managed or blocked by Microsoft Managed Desktop. |
-| Customizations | The next higher level is additional [customizations](customizing.md). Each device can have one or more (or no) customizations. The customizations can either modify a lower-level layer (Device profiles or the foundational configuration), or be an entirely new request that's layered on top of the standard configuration. |
-| Device profiles | Every Microsoft Managed Desktop device must have one, and only one, profile assigned. Admins can select which profile a device is assigned.<br><br>You can assign different pre-set profiles to devices. Each profile is optimized for the needs of specific types of users. Three device profiles are available:<ul><li>Standard</li><li>Sensitive Data</li><li>Power user</li> |
-| Foundation | Fundamentally, every Microsoft Managed Desktop device has a foundation that includes:<br><ul><li>Standard security baseline</li><li>Compliance policies</li><li>Windows Update settings</li><li>Groups</li></ul><br>To work with Microsoft Managed Desktop, every device must include all of these elements. These elements can't be changed by admins. You must submit a request to Microsoft Managed Desktop. |
-
-## Device profile details
-
-The following table summarizes the settings and their default values for each setting configured by device profiles. Behind the scenes, these settings are configured with OMA-URIs by using Custom Configuration Profiles in Microsoft Endpoint Manager.
-
-<br>
-
-****
-
-| Feature | Sensitive Data | Power User | Standard |
-| -- | :--: | :--: | :--: |
-|**Block External Storage**| Yes | Yes | No |
-|**[Cloud Block Level](/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel)**| High | High | High |
-|**Disable Microsoft Accounts**| Yes | Yes | No |
-|**Disable personal OneDrive**| Yes | Yes | No |
-|**[Switch to secure desktop for elevation](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)**| No | Yes | No |
-|**Microsoft Defender for Endpoint Device Tag**| M365Managed-SensitiveData | M365Managed-PowerUser | M365Managed-Standard |
-|**Admin on the device?**| No | Yes | No |
-|**Autopilot Profile**| MMD Standard | MMD Power User | MMD Standard |
-|**AppLocker**| Yes | No | No |
-|**Block Public Store**| Yes | Yes | No |
-|
-
-Each device profile also involves these items:
--- A dynamic membership Azure Active Directory device group.-- A static membership Azure Active Directory device group.-- A Microsoft Endpoint Manager Configuration profile.-
-> [!IMPORTANT]
-> Don't modify the membership of these groups directly. Use the interface as described in [Reassign profiles](../working-with-managed-desktop/change-device-profile.md).
-
-## Limitations
-
-You can request exceptions to the device profiles and their details as you would with any other policy.
-
-Keep in mind that you can only have one of each device profile in your Azure Active Directory organization ("tenant"). For example, you can't request that the Sensitive data device profile disables AppLocker for only some of your users. All devices with the sensitive data device profile must have the same configuration.
-
-Each device can only have one profile. If a given device is used by more than one user, all users on that device will have the same configuration.
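Review bot: The hierarchy table under "Device profiles" contradicts itself on ordering: the first row says "At the top are your own configurations" and the second row then calls customizations "the next higher level", although the rows descend toward Foundation; if this text is kept anywhere, say "the next level down". Profile names are also cased inconsistently ("Power user" in the list, "Power User" in the settings table, "Sensitive data device profile" under Limitations), which matters because the same names appear in the Defender for Endpoint device tags and Autopilot profiles. In the markup, the `<ul>` in the Device profiles row is never closed, the first table's header row lacks its trailing pipe, and the settings table ends with a stray `|` row.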
managed-desktop Regions Languages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/regions-languages.md
- Title: Supported regions
-description: Regions supported by Microsoft Managed Desktop
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Microsoft Managed Desktop supported regions
-
-This article provides details about which regions support Microsoft Managed Desktop.
-
-You can still use managed devices outside of these regions without interruption to the Microsoft Managed Desktop service. For example, an employee in the United Kingdom can work securely and receive updates on their managed device while traveling to Asia, Europe, or South America.
-
-For more information about languages supported by Microsoft Managed Desktop, see [Localize devices for users](../get-started/localization.md).
-
-For more information about user support with Microsoft Managed Desktop, see [Support for Microsoft Managed Desktop](support.md).
-
-## Service availability
-
-Organizations in the following countries can subscribe to Microsoft Managed Desktop:
--- United States-- Canada (excluding Quebec)-- United Kingdom-- Ireland-- Belgium-- Luxembourg-- Netherlands-- Sweden-- Finland-- Norway-- Denmark-- Iceland-- Australia-- New Zealand
managed-desktop Security Operations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/security-operations.md
- Title: Security operations in Microsoft Managed Desktop
-description: Services and processes provided by the Security Operations Center
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---------
-# Security operations in Microsoft Managed Desktop
-
-The Microsoft Managed Desktop Security Operations Center (SOC) partners with your information security staff to keep your desktop environment secure. Our team receives and responds to all security alerts on managed devices with expert analysis. When needed, we drive security incident response activities. For more information about working with the SOC, review operational documentation in your Admin portal.
-
-The SOC offers 24/7/365 coverage from Microsoft full-time employees with expertise in the current and emerging threat landscape, including common attack methods through software, network, or human adversaries.
-
-The SOC provides these
-
-| Service | Description |
-| | |
-| Quick and accurate response to detected events | <ul><li>Analyze data to identify the impact.</li><li>Assess the overall risk to a device or your environment.</li></ul>
-| Device management and isolation actions | <ul><li>Protect your environment from known or suspected compromises</li><li>Reduce the risk by preventing spread.</li></ul>
-| Drive the security incident response | Ensure timely and accurate communication with your security team. |
-| Analysis and recommendations | Provide analysis and recommendations based on threat, and vulnerability data to identify and address risks before they're exploited.
-| Advanced hunting | Across the managed devices to identify indicators and entities for both known and potential threats.|
-
-## Processes
-
-| Process | Description |
-| | |
-| Microsoft Managed Desktop Security Operations | Microsoft Managed Desktop Security Operations is staffed by full-time Microsoft employees in partnership with Microsoft's [Cyber Defense Operations Center](https://www.microsoft.com/msrc/cdoc). |
-| SOC | Our SOC uses collective signals from across our company, both internal and external, to protect your devicesΓÇöeven from things we haven't yet seen in Microsoft Managed Desktop.
-| Microsoft security solutions | Microsoft security solutions align to many cybersecurity protection standards. SOC operations are based on the National Institute of Standards and Technology Computer Security Incident Response Handling Guide (NIST 800-61 r2). <br><br> The process allows for proper collection of information and evidence, for analysis and documentation and post-recovery insights into ways to better defend your environment through these phases: <ul><li>Preparation, detection, and analysis</li><li>Containment</li><li>Eradication</li><li>Recovery</li><li>Post-incident activity</li></ul>
-| Microsoft Threats Experts service | Microsoft Managed Desktop customers are eligible to enroll in the Microsoft Threat Experts service. The SOC liaises with this service to understand better the complex threats affecting your organization, including: <br><ul><li>Alert inquiries</li><li>Potentially compromised devices</li><li>Root cause of a suspicious network connection</li><li>Other threat intelligence regarding ongoing advanced persistent threat campaigns.</li></ul><br>For more information, see [Microsoft Threat Experts](/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts).|
-| SOC's Threat and Vulnerability Management | SOC's Threat and Vulnerability Management process uses some of Microsoft's services to help inform recommendations for your organization to protect against threats. <br><br>The SOC consumes data from your Microsoft Defender for Endpoint Security Center and from relevant vulnerability data sources, within and outside of Microsoft, to discover vulnerabilities and misconfigurations to provide actionable reporting. |
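Review bot: In the Processes table the service is named "Microsoft Threats Experts service" in the first cell and "Microsoft Threat Experts" in the description and link text of the same row; use one name if this row is carried over. The sentence "The SOC provides these" before the first table has no object, the SOC row contains a mis-encoded character sequence in "devicesΓÇöeven", and several rows in both tables are missing their closing pipe, so the tables should be checked in a rendered preview before the content is reused.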
managed-desktop Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/security.md
- Title: Security technologies in Microsoft Managed Desktop
-description: Technologies used for device security, identity and access management, network security, and information security
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Security technologies in Microsoft Managed Desktop
-
-<!--Security, also Onboarding doc: data handling/store, privileged account access -->
-
-Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses various [processes](security-operations.md) with these technologies. Specifically:
-
-| Process | Description |
-| | |
-| [Device security](#device-security)| Security and protection on Microsoft Managed Desktop devices. |
-| [Identity and Access Management](#identity-and-access-management) | Managing secure use of devices through Azure Active Directory identity services. |
-| [Network security](#network-security)| VPN information and Microsoft Managed Desktop recommended solution and settings. |
-| [Information security](#information-security)| Optional available services to further protect sensitive information. |
-
-For information about data storage, usage, and security practices used by Microsoft Managed Desktop, see our whitepaper at [https://aka.ms/mmd-data](https://aka.ms/mmd-data).
-
-## Device security
-
-Microsoft Managed Desktop ensures all managed devices are secured and protected, and detects threats as early as possible using the following
-
-| Service | Description |
-| -- | -- |
-| Antivirus | Microsoft Defender Antivirus is installed and configured<br>Microsoft Defender Antivirus definitions are up to date. |
-| Full Volume Encryption | Windows BitLocker is the volume encryption solution for Microsoft Managed Desktop devices.<br><br>Once an organization is enrolled into the service, devices will be encrypted using Windows BitLocker with built-in Trust Platform Module (TPM) to prevent unauthorized access to local data when the device is in sleep mode, or off.
-| Monitoring | Microsoft Defender for Endpoint is used for security threat monitoring across all Microsoft Managed Desktop devices. Defender for Endpoint allows enterprise customers to detect, investigate, and respond to advanced threats in their corporate network. For more information, see [Microsoft Defender for Endpoint.](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) |
-| Operating system updates | Microsoft Managed Desktop devices are always secured with the latest security updates. |
-| Secure Device Configuration | Microsoft Managed Desktop implements the Microsoft Security Baseline. For more information, see [Windows security baselines.](/windows/security/threat-protection/windows-security-baselines)|
-
-## Identity and access management
-
-Identity and access management protects corporate assets and business-critical data. Microsoft Managed Desktop configures devices to ensure secure use with Azure Active Directory (Azure AD) managed identities. It's the customer's responsibility to maintain accurate information in their Azure AD tenant.
-
-| Service | Description |
-| -- | -- |
-| Biometric Authentication | Windows Hello allows users to sign in by using their face or a PIN, making passwords harder to forget or steal. Customers are responsible for implementing the necessary pre-requisites for their on-premises Active Directory to use this service in a hybrid configuration. For more information, see [Windows Hello.](/windows-hardware/design/device-experiences/windows-hello) |
-| Standard user permission | To protect the system and make it more secure, the user will be assigned Standard User Permissions. This permission is assigned as part of the Windows Autopilot out-of-box experience.
-
-## Network security
-
-Customers are responsible for network security.
-
-| Service | Description |
-| -- | -- |
-| VPN | Customers own their VPN infrastructure, to ensure limited corporate resources can be exposed outside the intranet.<br><br>Minimum requirement: Microsoft Managed Desktop requires a Windows 10 compatible and supported VPN solution. If your organization needs a VPN solution, it needs to support Windows 10 and be packaged and deployable through Intune. Contact your software publisher for more information.<br><br>Recommendation:<br><ul><li> Microsoft recommends a modern VPN solution that could be easily deployed through Intune to push VPN profiles. This approach provides an always-on, seamless, reliable, and secure way to access corporate network. For more information, see [VPN settings in Intune](/intune/vpn-settings-configure).</li><li>Thick VPN clients, or older VPN clients, aren't recommended by Microsoft while using Microsoft Managed Desktop as it can affect the user environment.</li><li>Microsoft recommends that the outgoing web traffic goes directly to Internet without going through the VPN to avoid any performance issues.</li><li>Ideally, Microsoft recommends the use of Azure Active Directory App Proxy instead of a VPN.</li></ul>
-
-## Information security
-
-You can configure these optional services to help protect corporate high-value assets.
-
-| Service | Description |
-| -- | -- |
-| Data recovery | Information stored in key folders on the device is backed up to OneDrive for Business. Microsoft Managed Desktop isn't responsible for data that isn't synchronized with OneDrive for Business.
-| Windows Information Protection | For companies that require high levels of information security, we recommend [Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip) and [Azure Information Protection.](https://www.microsoft.com/cloud-platform/azure-information-protection)
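Review bot: The Full Volume Encryption row spells the component "Trust Platform Module (TPM)"; the correct name is "Trusted Platform Module", so fix it if this table is reused. In the Biometric Authentication row, "sign in by using their face or a PIN, making passwords harder to forget or steal" does not say what is meant (a PIN is not biometric, and the benefit is that no password is typed), and the sentence "detects threats as early as possible using the following" under Device security ends without its object. The Full Volume Encryption, Standard user permission, VPN, Data recovery and Windows Information Protection rows also lack a closing pipe.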
managed-desktop Servicechanges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/servicechanges.md
- Title: Service changes and communication
-description: How changes to the service occur and are communicated
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Service changes and communication
-
-Sometimes, Microsoft might need to change details about the way Microsoft Managed Desktop works. Similarly, you might need to make changes that would affect the service as well. We handle such changes differently depending on how significant they are. This article defines the changes we consider as major changes, and explains how we handle them versus other changes.
-
-## Changes made by Microsoft
-
-We'll give you notice at least 30 days ahead of time for any major change that requires action. We'll let you know by using the Microsoft Managed Desktop Admin portal messaging system.
-
-**Major changes** are those that might affect any of these areas:
--- Changes affecting daily productivity.-- Changes to customized features and applications.-- Increase or decrease of visible capacity.-- Changes in product branding that might cause user confusion or change in helpdesk processes and reference material or URLs.-- Changes requiring permissions beyond those required by the service for daily operations, excluding actions that prevent or fix issues.-- Changes to where your data is stored.-- Adding a new component service or application to the scope of the service.-- Removal of a component service or application from the scope of the service.-- Adding new feature to the service.-
-> [!NOTE]
-> We might have to make changes to mitigate incidents or security issues that would be excluded from the 30-day notification policy.
-
-We'll routinely make other changes to the service to improve user experience, security, reliability, and reporting. Some examples of these changes include:
--- Installation of Windows and Office updates.-- Updates to the security baseline applied to devices.-- Supported devices. To see recommended devices, filter for Microsoft Managed Desktop on the [Shop Windows Pro business devices](https://www.microsoft.com/windows/business/devices) site.-
-We'll communicate these changes by using established channels. If you have any questions about any changes, contact the Microsoft Managed Desktop [Operations team](../working-with-managed-desktop/admin-support.md). Changes to the service are also documented as needed in the [change history](../change-history-managed-desktop.md).
-
-Microsoft Managed Desktop changes and communications are governed by two Microsoft policies:
--- [Modern Lifecycle Policy](https://support.microsoft.com/help/30881/modern-lifecycle-policy)-- [Microsoft 365 Change Communication Policy](/office365/admin/manage/message-center)-
-## Changes you make
-
-Some changes that you might make in your environment could affect Microsoft Managed Desktop.
-
-For these major changes, we ask that you give us at least 30 days notice by submitting a support request in the Microsoft Managed Desktop Admin portal. For instructions, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md). This allows us adequate time to plan and prepare for the change to avoid disruptions.
-
-**Major changes** are those that might affect any of these areas:
--- Identity systems and groups.-- Networking and network controls such as firewalls, proxy or caching, and VPN systems.-- Controls for accessing cloud services configurations.-- User or device certificates used for identity or securing of network services.-- Management systems that interact with the service.-- Security systems or agents that interact with the service.-- Configuration of any of the Microsoft 365 cloud services associated with, or used by, the service.-
-These changes aren't likely to be disruptive, so you don't need to let us know about them ahead of time:
--- Orphaned object cleanup.-- Adding or removing users from the service.-- Configuration of system that doesn't have a material impact on the delivery of the Microsoft Managed Desktop.-- Application version updates, except for VPN or proxy applications.
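Review bot: In the list of routine changes under "Changes made by Microsoft", the item "Supported devices." is not phrased as a change like its neighbours ("Installation of Windows and Office updates", "Updates to the security baseline applied to devices"); something like "Changes to the list of supported devices" would match. Smaller wording points in the same hunk: "Adding new feature to the service" is missing an article, and "at least 30 days notice" needs the possessive ("30 days' notice"). The note that incident and security mitigations are "excluded from the 30-day notification policy" is the only place that exception is visible here, so make sure it survives wherever this article's content is kept.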
managed-desktop Shared Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/shared-devices.md
- Title: Shared devices
-description: How and when to use shared device mode
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Shared devices
-
-Microsoft Managed Desktop allows you to register devices in "shared device mode," similar to the shared device mode offered by [Microsoft Intune](/mem/intune/configuration/shared-user-device-settings).
-
-Devices in this mode are optimized for situations where users aren't tied down to a single desk and are frequently changing devices. For example, frontline workers such as bank tellers or nursing staff. You can apply any of the Microsoft Managed Desktop [profiles](profiles.md) to devices in this mode. Devices registered in this mode have some important differences:
--- [Device storage](#device-storage) is optimized for shared users.-- [Inactive accounts](#deletion-of-inactive-accounts) are deleted.-- [Guest accounts](#guest-accounts) aren't supported by default.-- [Microsoft 365 Applications](#microsoft-365-apps-for-enterprise) for enterprise licensing is optimized for shared devices.-
-Because you make the choice to use shared device mode at the point of registration in Microsoft Managed Desktop, if you want to change out of this mode later, you must de-register it and register it again.
-
-## When to use shared device mode
-
-Use shared device mode in situations where users are frequently changing devices.
-
-For example, bank tellers might be in one location managing deposits, but move to a back office to help customers with a mortgage. In each of those locations, the device runs different applications and is optimized for those tasks, though they're used by multiple people.
-
-Nursing staff typically move between rooms and offices as they interact with patients. They can sign into a workstation in an office, but connect to their remote desktop and take notes, and repeat this process in a different room with a different patient.
-
-## When not to use shared device mode
-
-Shared device mode isn't a good choice in these situations:
--- When a user's files need to be stored locally rather than in the cloud.-- If the user experience needs to be different for different users on the device.-- If the set of applications each user needs differs greatly.-
-## Register new devices using the Windows Autopilot self-deploying mode profile
-
-Whether you or a partner are handling device registration, you can choose to use the [Windows Autopilot self-deploying mode](/mem/autopilot/self-deploying) profile in Microsoft Managed Desktop.
-
-### Before you begin
-
-Review the Windows Autopilot self-deploying mode requirements:
-
-> [!IMPORTANT]
-> You cannot automatically re-enroll a device through Autopilot after an initial deployment in self-deploying mode. Instead, delete the device record in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). To delete the device record from the admin center, select **Devices** > **All devices** > select the devices you want to delete > **Delete**. For more information, see [Updates to the Windows Autopilot sign-in and deployment experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-windows-autopilot-sign-in-and-deployment/ba-p/2848452).
-
-#### Trusted Platform Module
-
-Self-deploying mode uses a device's TPM 2.0 hardware to authenticate the device into an organization's Azure Active Directory tenant. Therefore, devices without TPM 2.0 can't use this mode. Devices must also support TPM device attestation. All new Windows devices should meet these requirements. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-deploying mode and Autopilot pre-provisioning in [Networking requirements](/mem/autopilot/self-deploying#requirements). For more information about Windows Autopilot software requirements, see [Windows Autopilot software requirements](/mem/autopilot/software-requirements).
-
-> [!TIP]
-> If you attempt to deploy self-deploying mode on a device that doesn't have TPM 2.0 support or it's on a virtual machine, the process will fail when verifying the device with the following error: 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10 version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10 version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
->
-> For more information about other known issues and review solutions, see [Windows Autopilot known issues](/mem/autopilot/known-issues) and [Troubleshoot Autopilot device import and enrollment](/mem/autopilot/troubleshoot-device-enrollment).
-
-### Steps to register devices to use the Windows Autopilot self-deploying mode profile
-
-If you're registering devices yourself, you must import new devices into the Windows Autopilot Devices blade.
-
-**To import new devices into the Windows Autopilot Devices blade:**
-
-1. Collect the [hardware hash](../get-started/manual-registration.md#obtain-the-hardware-hash) for new devices you want to assign the Windows Autopilot Self-deployment mode profile to.
-2. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com).
-2. Select **Devices** from the left navigation menu.
-3. In the **By platform** section, select **Windows**. Then, select **Windows Enrollment**.
-4. In the **Windows Autopilot Deployment Program** section, select **Devices**.
-5. [Import](../get-started/manual-registration.md#register-devices-by-using-the-admin-portal) the .CSV file containing all hardware hashes collected in step #1.
-6. After you've uploaded the Windows Autopilot devices, you must edit the imported devices' group tag attribute so Microsoft Managed Desktop can register them using the Windows Autopilot self-deploying mode profile. See below for the group tag attributes. You must append **-Shared** to the group tag, as shown in the table below:
-
-| Device profile | Autopilot group tag (standard mode) | Group tag (shared device mode) |
-| -- | -- | -- |
-| Sensitive data | Microsoft365Managed_SensitiveData | Microsoft365Managed_SensitiveData-Shared |
-| Power user | Microsoft365Managed_PowerUser | Not supported |
-| Standard | Microsoft365Managed_Standard | Microsoft365Managed_Standard-Shared |
-
-> [!WARNING]
-> Don't try to edit the group tab attribute by appending **-Shared** to devices previously imported to Windows Autopilot. Devices already imported into Windows Autopilot, using one of the Microsoft Managed Desktop group tags starting with *Microsoft365Managed_*, but without **-Shared** initially appended, are already part of a different Azure Active Directory group. This Azure Active Directory group doesn't have the Windows Autopilot self-deploying mode profile assigned to it. If you must re-purpose an existing device to be a shared device, you must delete and re-register the device into Windows Autopilot again.
-
-If you're having a partner enroll devices, follow the steps in [Partner registration](../get-started/partner-registration.md), but append **-Shared** to the group tag, as shown in the table above.
-
-## Consequences of shared device mode
-
-### Device storage
-
-Users of shared devices must have their data backed up onto the cloud so it can follow them to other devices. Once you've registered devices in shared device mode, be sure to enable OneDrive's [Files On-Demand](https://support.microsoft.com/office/save-disk-space-with-onedrive-files-on-demand-for-windows-10-0e6860d3-d9f3-4971-b321-7092438fb38e#:~:text=%20Turn%20on%20Files%20On-Demand%20%201%20Make,files%20as%20you%20use%20them%20box.%20More%20) and [known-folder redirection](/onedrive/redirect-known-folders) features. This approach minimizes the effect that each user profile has on device storage. Devices in shared device mode automatically delete user profiles if the free disk space drops below 25%. This activity is scheduled for midnight at the device's local time, unless storage becomes critically limited.
-
-Microsoft Managed Desktop uses the [SharedPC](/mem/intune/configuration/shared-user-device-settings-windows) CSP to do these operations, so make sure you don't use those CSPs yourself.
-
-> [!IMPORTANT]
-> Train your users that after they have downloaded a large file they should confirm that they see the green check icon on the file before they sign out. If their account gets deleted as part of the cleanup operations and the file isn't completely uploaded in OneDrive, the file will be permanently lost.
-
-### Deletion of inactive accounts
-
-Shared device mode removes any accounts that haven't been signed into for more than 30 days.
-
-### Guest accounts
-
-Devices in shared device mode only allow accounts that are joined to a domain. If you need guest accounts on a device, you can file a [change request](../working-with-managed-desktop/admin-support.md) to request them to be enabled.
-
-### Microsoft 365 Apps for enterprise
-
-[Microsoft 365 Apps for enterprise](/microsoft-365/managed-desktop/get-started/m365-apps) typically allows a given user to install those apps on only five devices at the same time. In shared device mode, the apps don't count against the limit, so they can use them while roaming between devices. Deployment and updates of Microsoft 365 Apps for enterprise work as usual.
-
-### Device profiles
-
-In shared device mode, you can have only one [device profile](profiles.md) on a given device. Also, the Power user device profile isn't currently supported in shared device mode.
-
-### Apps and policies assigned to users
-
-On shared devices, you should assign any apps or policies that you're managing yourself to *device groups*, not user groups. Assigning to device groups ensures that each user has a more consistent experience. The exception is [Company Portal](#deploying-apps-with-company-portal).
-
-## Limitations of shared device mode
-
-### Windows Hello
-
-Windows Hello uses smart card emulation to securely [cache user PINs](/windows/security/identity-protection/hello-for-business/hello-faq), minimizing the number of times users have to authenticate. However, Windows only allows 10 smart cards at a time on a given device. When an 11th user signs in for the first time, one of the existing accounts will lose their smart card. They'll be able to sign in, but their PIN won't be cached.
-
-### Universal print
-
-When Universal print installs a printer for a single user on a shared device that printer becomes available to all users of that device. There's no way to isolate printers between users on shared devices.
-
-## Limitations of shared device mode in the public preview release
-
-### Primary user
-
-Each Microsoft Intune device has a primary user, which is assigned when a device is set up by Autopilot. But when devices are shared, Intune requires that the primary user is removed.
-
-> [!IMPORTANT]
-> While shared device mode is in public preview, be sure to remove the primary user by following these steps: sign in to the Microsoft Endpoint Manager admin center, select **Devices**>**All devices**, select a device, then select **Properties**>**Remove primary user**, and delete the user listed there.
-
-### Deploying apps with Company Portal
-
-Some apps probably don't need to be present on all devices, so you might prefer that users only install those apps when they need them from [Company Portal](/mem/intune/user-help/install-apps-cpapp-windows).
-
-Microsoft Managed Desktop disables Company Portal by default for devices in shared device mode. If you want the Company Portal enabled, you can file a [change request](../working-with-managed-desktop/admin-support.md). However, you should be aware of some limitations in this feature in this public preview:
--- To make an app available to users in Company Portal, [assign a user group](/mem/intune/apps/apps-deploy) to that app in Intune and then add each user to that user group.-- Devices can't have a [primary user](#primary-user).-- To uninstall an app that a user installed through Company Portal, you must uninstall the app from all users on that device.-
-> [!CAUTION]
-> Company Portal doesn't support applications assigned to device groups as available.
-
-### Redeployment of Microsoft 365 Apps for Enterprise
-
-During public preview, if Microsoft 365 Apps must be redeployed, users must contact their local support staff to request an agent elevate and reinstall Microsoft 365 Apps for enterprise on that device.
-
-### Microsoft Teams
-
-When a user starts Teams for the first time, they'll be prompted to update the app before they can use it. Once they allow the update, Teams will keep itself updated in the background.
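Review bot: the WARNING under the group tag table says "group tab attribute", while step 6 and the table headers call it the group tag. In a warning about an edit that leaves the device in the wrong Azure Active Directory group, the term should match. If this article is being moved rather than retired, fix that in the destination along with two smaller items: the import steps are numbered 1, 2, 2, 3, 4, 5, 6, and the Files On-Demand link in "Device storage" carries a long `#:~:text=` fragment that should be trimmed to the base support.microsoft.com URL. The same section also says Microsoft Managed Desktop uses "the SharedPC CSP" and then "those CSPs", so state which CSPs customers must leave alone.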
managed-desktop Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/support.md
- Title: Admin support
-description: Describes proactive and reactive incident management for Microsoft Managed Desktop.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Admin support
-
-Microsoft will provide proactive and reactive incident management.
-
-Microsoft tracks incidents in the Microsoft Managed Desktop Admin portal. They're classified according to the [severity definitions](../working-with-managed-desktop/admin-support.md#support-request-severity-definitions).
-
-Customers can contact Microsoft Managed Desktop operations for:
--- Information requests on the Microsoft Managed Desktop tenant or configuration.-- Change requests to the configuration of Microsoft Managed Desktop devices.-- Reporting an incident or outage.-
-## What's included?
-
-| Support for | Includes |
-| | |
-| Microsoft Managed Desktop | <ul><li>A team of engineers dedicated to Microsoft Managed Desktop devices.</li><li>Support options for users with Microsoft Managed Desktop devices.</li><li>Grants limited administrative access to Microsoft Managed Desktop devices for engineers managing Microsoft Managed Desktop devices.</li></ul> |
-| Products | <ul><li>Windows 10 with Microsoft 365 Defender for Endpoint.</li><li>The following Microsoft 365 Apps for Enterprise apps: Outlook, Word, PowerPoint, Excel, Skype for Business client, Microsoft Teams.</li><li>Microsoft Store for Business.</li><li>OneDrive client.</li></ul> |
-| Geography | Currently, the United States, Canada (excluding Quebec), United Kingdom, Belgium, Luxembourg, the Netherlands, Australia, and New Zealand (24x7x365) are supported. |
-| Language |English is the only supported language for phone and chat conversations with customers. |
-| HelpDesk | We're partnering with, not replacing, your corporate helpdesk; line-of-Business (LOB) apps, network resources, etc. are still handled by your helpdesk. |
-| Test group and other devices | Microsoft Managed Desktop devices in the "Test" group and devices not part of Microsoft Managed Desktop are out of scope. |
-
-## Related articles
--- [Learn how IT administrators can get support](../working-with-managed-desktop/admin-support.md)-- [Learn how users can get support](../working-with-managed-desktop/end-user-support.md)
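Review bot: in the Geography row of the "What's included?" table, "(24x7x365)" follows "New Zealand", so it reads as applying to that country alone and leaves the support hours for the other listed regions unstated. Move the hours into their own sentence or row so it is clear whether they apply to every region. In the first row, "Grants limited administrative access ..." is a verb phrase in a list of noun phrases and does not say who grants the access to whom; reword it so the access boundary is explicit.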
managed-desktop Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/updates.md
- Title: How updates are handled in Microsoft Managed Desktop
-description: Keeping Microsoft Managed Desktop up to date is a balance of speed and stability.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# How updates are handled in Microsoft Managed Desktop
-
-<!--This topic is the target for a "Learn more" link in the Admin Portal (aka.ms/update-rings); do not delete.-->
-
-<!--Update management -->
-
-Microsoft Managed Desktop connects all devices to a modern cloud-based infrastructure.
-
-Keeping Windows, Office, drivers, firmware, and Microsoft Store for Business applications up to date is a balance of speed and stability. We use update groups to ensure operating system updates and policies are rolled out in a safe manner. For more information, see the video [Microsoft Managed Desktop Change and Release Process](https://www.microsoft.com/videoplayer/embed/RE4mWqP).
-
-Updates released by Microsoft are cumulative and are categorized as quality or feature updates. For more information, see [Windows Update for Business: Update types](/windows/deployment/update/waas-manage-updates-wufb#update-types).
-
-## Update groups
-
-Microsoft Managed Desktop uses four Azure AD groups to manage updates:
-
-| Group | Description |
-| | |
-| Test | Used to validate Microsoft Managed Desktop policy changes, operating system updates, feature updates, and other changes pushed to the Azure AD organization ("tenant"). The Test group is: <br><ul><li>Best for testing or users who can provide early feedback.</li><li>Exempt from any established service level agreements and user support.</li><li>Available to validate compatibility of applications with new policy or operating system changes.</li></ul> |
-| First | Contains early software adopters and devices that could be subject to pre-release updates. <br><br> Devices in this group might experience outages if there are scenarios that weren't covered during testing in the test ring. |
-| Fast | Prioritizes speed over stability. The Fast group is: <br><ul><li>Useful for detecting quality issues before they're offered to the Broad group.</li> <li>The next layer of validation, and is typically more stable than the Test and First groups.</li></ul> |
-| Broad | This group is the last group to have feature and quality updates available. <br><br> The Broad group contains most of users in the Azure AD organization, and therefore favors stability over speed in deployment. Testing of apps should be done with this group because the environment is the most stable. |
-
-### Moving devices between update groups
-
-You might want some devices to receive updates last and others that you want to go first. To move these devices into the appropriate update group, see [Assign devices to a deployment group](../working-with-managed-desktop/assign-deployment-group.md).
-
-For more information on roles and responsibilities within these deployment groups, see [Microsoft Managed Desktop Roles and responsibilities](../intro/roles-and-responsibilities.md)
-
-### Using Microsoft Managed Desktop update groups
-
-There are parts of the service that you manage, like app deployment, where it might be necessary to target all managed devices.
-
-## Update deployment
-
-Below describes how update deployment works.
-
-| Step | Description |
-| | |
-| Step 1 | Microsoft Managed Desktop deploys a new feature or quality update according to the schedule specified in the following table.|
-| Step 2 | During deployment, Microsoft Managed Desktop monitors for signs of failure, or disruption based on diagnostic data and the user support system. If any are detected, we immediately pause the deployment to all current and future groups.<br><br> For example, if an issue is discovered while deploying a quality update to the First group, then update deployments to First, Fast, and Broad groups will be paused until the issue is mitigated. <br><br> You can report compatibility issues by filing a ticket in the Microsoft Managed Desktop Admin portal. <br><br> Feature and quality updates are paused independently. The pause is in effect for 35 days by default. However, it can be reduced or extended depending on whether the issue is mitigated. |
-| Step 3 | Once the groups are unpaused, deployment resumes according to the schedule in the table. |
-| Step 4| Users are empowered to respond to restart notifications for a set period. This period is known as the deadline, and it's measured from the time the update is offered to the device. <br><br> During this time, the device will only automatically restart outside active hours. After this period expires, the deadline has been reached and the device will restart at the next available opportunity, regardless of active hours. <br><br> The deadline for quality updates is three days; for feature updates it's five days. |
-
-> [!NOTE]
-> This deployment process applies to both feature and quality updates, though the timeline varies for each.
-
-## Deployment settings
-
-Update deployment settings listed below:
-
-| Update type | Test | First | Fast | Broad |
-| | | | | |
-| Quality updates for operating system | Zero days | Zero days | Zero days | Seven days |
-| Feature updates for operating system | Zero days | 30 days | 60 days | 90 days |
-| Drivers/firmware | Follows the schedule for quality updates. | Follows the schedule for quality updates. | Follows the schedule for quality updates. | Follows the schedule for quality updates. |
-| Anti-virus definition | Updated with each scan. | Updated with each scan. | Updated with each scan. | Updated with each scan. |
-| Microsoft 365 Apps for Enterprise | [Learn more](../get-started/m365-apps.md#updates-to-microsoft-365-apps) | [Learn more](../get-started/m365-apps.md#updates-to-microsoft-365-apps) | [Learn more](../get-started/m365-apps.md#updates-to-microsoft-365-apps) | [Learn more](../get-started/m365-apps.md#updates-to-microsoft-365-apps) |
-| Microsoft Edge | [Learn more](../get-started/edge-browser-app.md#updates-to-microsoft-edge) | [Learn more](../get-started/edge-browser-app.md#updates-to-microsoft-edge) | [Learn more](../get-started/edge-browser-app.md#updates-to-microsoft-edge) | [Learn more](../get-started/edge-browser-app.md#updates-to-microsoft-edge) |
-| Microsoft Teams | [Learn more](../get-started/teams.md#updates) | [Learn more](../get-started/teams.md#updates) | [Learn more](../get-started/teams.md#updates) | [Learn more](../get-started/teams.md#updates) |
-
->[!NOTE]
->These deferral periods are intentionally designed to ensure high security and performance standards for all users.<br><br> Based on data gathered across all Microsoft Managed Desktop devices and the varying scope and impact of updates, Microsoft Managed Desktop reserves flexibility to modify the length of the above deferral periods for any and all deployment groups on an ad hoc basis.
->
->Microsoft Managed Desktop conducts an independent assessment of each Windows feature release to evaluate its necessity and usefulness to its managed tenants. Consequently, Microsoft Managed Desktop might or might not deploy all Windows feature updates.
-
-## Windows Insider Program
-
-Microsoft Managed Desktop doesn't support devices that are part of the Windows Insider program.
-
-The Windows Insider program is used to validate pre-release Windows software. It's intended for devices that aren't mission critical. While it's an important Microsoft initiative, it's not intended for broad deployment in production environments.
-
-Any devices found with Windows Insider builds might be put into the Test group. These devices will be exempt from update service level agreements and user support from Microsoft Managed Desktop.
-
-## Bandwidth management
-
-We use [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) for all operating system and driver updates. Delivery Optimization minimizes the download size from the Windows Update service by seeking updates from peers within the corporate network.
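Review bot: the Broad row of the update groups table says "Testing of apps should be done with this group because the environment is the most stable", which conflicts with the Test row ("Available to validate compatibility of applications with new policy or operating system changes") and with Broad being the last group to receive updates. Compatibility problems found there are found after most users already have the update. Reconcile the two rows wherever this text now lives. The First row also refers to the "test ring" while the rest of the table says Test group, and the section "Using Microsoft Managed Desktop update groups" ends after one sentence without saying how to target all managed devices.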
managed-desktop User Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/user-support.md
- Title: User support
-description: Explains the options for customer-led and partner-led support.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# User support
-
-Your Microsoft Managed Desktop users can get support either from your organization ("customer-led" support) or from a selected partner ("partner-led" support).
-
-We aim to provide a consistent experience for users while keeping devices secure with both support options. No matter which option you choose, these same principles apply:
--- Flexible integration of Microsoft Managed Desktop devices with your existing support processes.-- Clear roles and responsibilities between the support provider, IT admins, and Microsoft Managed Desktop.-- [Defined escalation paths](#workflow-for-support-providers).-- Documentation provided by Microsoft Managed Desktop, along with a portal, where you can request elevated device access and escalation to our support staff, if needed.-- Threat monitoring and mitigation provided by Microsoft Managed Desktop all day every day.-
-## Roles and responsibilities
-
-To ensure the quality of service without compromising security, the support provider, IT admins, and Microsoft Managed Desktop have different roles and responsibilities.
-
-| Role | Responsibilities |
-| | |
-| Support provider | Whoever provides support (either you for customer-led support or a partner for partner-led) is responsible for these items: <ul><li>Provide all user support and technical assistance from first contact through to resolution for the user.</li><li>Fulfill all service-level agreements for user support established by your organization, or in partnership with your chosen support provider.</li><li>Perform specific troubleshooting actions, such as requesting elevated device privileges as described in [Getting help for users](../working-with-managed-desktop/end-user-support.md).</li><li>Troubleshoot and remediate user problems including: <ul><li>Operating system (Windows)</li><li>Microsoft Apps for enterprise</li><li>Browser features</li><li>Device problems</li><li>Problems with infrastructure, such as printers, drivers, and VPNs</li><li>Line-of-business applications</li></ul></ul> |
-| IT admin | Your IT admin is responsible for these items: <ul><li>Work with the support provider to set and manage service level agreements for user support</li><li>Manage elevated access privileges for approved support staff. For more information, see [Enable user support features](../get-started/enable-support.md).</li><li>If there are device issues affecting users, escalate the issues by using the Microsoft Managed Desktop admin support process. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md).</li><li>Route hardware-related issues to the appropriate vendor or supplier.</li><li>Maintain and protect device security policy settings on Microsoft Managed Desktop devices. Don't change the policies we set. </li></ul> |
-| Microsoft Managed Desktop |As the service provider, we're responsible for these items: <ul><li>Provide the means for elevated device access and issue escalation including documentation.</li><li>Keep this information about the roles and responsibilities current.</li><li>Respond to admin support requests in accordance with the severity definitions.</li><li>Provide threat monitoring and mitigation for all enrolled devices all day every day.</li></ul> |
-
-## Workflow for support providers
-
-Whether support is customer-led or partner-led, the flow of activity for a user support request follows this path:
--
-Integrating your existing processes with this workflow for Microsoft Managed Desktop devices is flexible, so the details could be different. Typically, the support provider follows an existing tier-based or handoff approach. The support provider designates specific users, who have the ability to elevate permissions or escalate issues, to Microsoft Managed Desktop Operations. It's best to keep this group smaller than the broader support team.
-
-If an issue must be escalated to Microsoft Managed Desktop, it's helpful to identify which team the issue should be directed to. We can transfer cases appropriately, but it saves time to route them to the right place from the start.
-
-| Problem | Contact this team |
-| | |
-| Problems specific to Microsoft Managed Desktop | For example, a policy or setting that's deployed by the service itself. Escalate directly to the Operations team by creating a new support request. For more information, see [Getting help for users](../working-with-managed-desktop/end-user-support.md).
-| Hardware problems | Direct to your hardware supplier or vendor.
-| Other problems| Escalate through existing support channels, whether that's a Unified or Premier subscription.
-
-## Provided support framework
-
-### Elevation portal
-
-Since Microsoft Managed Desktop devices run on standard user by default, some tasks require elevation of privileges. For more information about user account control, see [User account control](/windows/security/identity-protection/user-account-control/user-account-control-overview). In order for support staff to be able to [perform tasks](../working-with-managed-desktop/end-user-support.md#elevation-requests) while troubleshooting issues for users, we provide "just-in-time" access to an admin account. This password is accessed securely by only users you designate, and rotates every couple of hours.
-
-For steps on how to set up users for access to this portal, see [Enable user support features](../get-started/enable-support.md).
-
-For steps on submitting an elevation request, see [Elevation requests](../working-with-managed-desktop/end-user-support.md#elevation-requests).
-
-### Escalation portal
-
-If an issue requires escalation to the Microsoft Managed Desktop Operations team, designated support staff might direct similar to an IT admin support request.
-
-> [!NOTE]
-> Only Sev C support requests can be filed in this manner. For an issue matching the description of other severities, it's recommended to contact the appropriate IT admin to file. For more info, see [Support request severity definitions](../working-with-managed-desktop/admin-support.md#support-request-severity-definitions).
-
-For steps on how to set up users for access to this portal, see [Enable user support features](../get-started/enable-support.md).
-
-For steps on submitting an escalation request, see [Escalation requests](../working-with-managed-desktop/end-user-support.md#escalation-requests).
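Review bot: under "Elevation portal", "This password is accessed securely by only users you designate, and rotates every couple of hours" has no antecedent for "This password" (the previous sentence mentions only "just-in-time" access to an admin account), and "every couple of hours" is too loose for a statement about privileged credential rotation. Name the credential and state the actual rotation interval, or link to where it is defined. Under "Escalation portal", "designated support staff might direct similar to an IT admin support request" is missing its object and cannot be followed as written. In the escalation table, the first row puts the example ("For example, a policy or setting ...") in the "Contact this team" column instead of the "Problem" column, and all three rows lack the closing pipe.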
managed-desktop Admin Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support.md
- Title: Admin support for Microsoft Managed Desktop
-description: How admins can get help with the service
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Admin support for Microsoft Managed Desktop
-
-You can submit support tickets or feedback requests to Microsoft using the Microsoft Managed Desktop Admin portal. Support requests are always prioritized over feedback submissions.
-
-## Open a new support request
-
-Support requests are triaged and managed according to severity outlined in the [severity definition table](#support-request-severity-definitions). Feedback is reviewed and a response provided where requested.
-
-**To open a new support request:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu.
-2. In the **Microsoft Managed Desktop** section, select **Service requests**.
-3. In the **Service requests** section, select **+ New support request**.
-4. Select the **Request type** that matches the help you need. The table below outlines the options.
-5. Select the **Severity** level. For more information, see [severity definition table](#support-request-severity-definitions).
-6. Provide as much information about the request as possible to help the team respond quickly. Depending on the type of request, you may be required to provide different details.
-7. Review all the information you provided for accuracy.
-8. When you're ready, select **Create**.
-
-### Support request types
-
-| Support request type | When to use |
-| -- | -- |
-Incident | You require the Microsoft Managed Desktop Operations team to investigate a user issue. For example, a widespread impact of a change or service outage.
-Request for information | You're planning a change in networking, proxy configuration, VPN systems, certificate expiration, or just need some information about the service. A response from the Microsoft Managed Desktop Operations team is advised when communicating a change within your organization.
-Change request | You require the Microsoft Managed Desktop Operations team to make a change, such as moving devices between update groups. All change requests are treated as severity C.
-
-> [!IMPORTANT]
-> When you create a support request you will need to provide a primary contact. This person is responsible for working with our Service Engineers to resolve the issue or answer any questions about a requested change. We also require that you have previously [set up an Admin contact](../get-started/add-admin-contacts.md) who will be copied on all case notifications for their relevant area of focus. This person will be asked to take over a case if the primary contact for a case is unreachable.
-
-## Manage an active support request
-
-The primary contact for a case (and any [Admin contact](../get-started/add-admin-contacts.md) for that area of focus) will receive email notifications when a case is **Created**, **Assigned** to a Service Engineer to investigate, and **Resolved**. If, at any point, you have a question about the case, the best way to get in touch with our team is to reply directly to one of those emails. If we have questions about your request or need more details, we'll email the primary contact listed on the support requests. All relevant admin contacts are copied in the email.
-
-### View all your active cases
-
-Email is the recommended approach to interact with our team. You can see the summary status of all your support requests. At any time, you can use the portal to see all Active support requests in the last six months.
-
-**To view all your active cases:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
-2. In the **Microsoft Managed Desktop** section, select **Service request**.
-3. From this view, you can export the summary view or select any case to view the details.
-
-### Edit case details
-
-You can edit case details, for example, updating the primary case contact or changing the severity.
-
-**To edit case details:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
-1. In the **Service requests** section, use the search bar or filters to find the case you want to edit.
-1. Select the case to open up the request's details.
-1. Scroll to the bottom of the request details and select **Edit**.
-1. Update the editable information, add attachments to the case, or add a note for the Service Engineering team.
-1. Select **Save**.
-
-Once a case is resolved, it can no longer be edited. If a request has been resolved for less than 24 hours, you'll see the option to **reactivate** instead of **Edit**. Once reactivated, you can again edit the request.
-
-> [!NOTE]
-> The severity level can only be set for certain support request types. If selecting a severity level wasn't an option when you created the support request, you won't be able to edit your support request.
-
-### Provide feedback
-
-We appreciate your feedback and use it to improve the admin support experience.
-
-When you're the primary contact on for a support request, you'll receive an email from Microsoft Managed Desktop Operations. The email will ask about your experience after your issue has been resolved. Feedback is actively monitored and shared with engineering to improve the service and prioritize future features. Be sure to focus on your experience and not include personal information in the feedback form. For more information about privacy, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
-
-## Support request severity definitions
-
-The initial response time is the period from when you submit your support request until a Microsoft Managed Desktop engineer contacts you, and starts working on your support request. The initial response time varies with the business impact of the request. It's based on the severity of the request.
-
-> [!NOTE]
-> In this table, "admin support hours" means, that Microsoft Managed Desktop support for admins is available, for most countries, 24 hours a day **Monday through Friday**. Severity A issues can be worked 24 hours a day all seven days of the week.
-
-| Severity level | Situation | Initial response time | Expected response from you |
-| -- | -- |-- | -- |
-| **Severity A: <br> Critical Impact** | **Critical business impact** <br>Your business has significant loss or degradation of services and requires immediate attention.<p>**Major application compatibility impact**<br>Your entire business is experiencing financial impact due to devices not responding or loss of critical functionality. | **Initial:** < 1 hour <p> **Update**: 60 minutes <br> 24-hour support every day is available.</p> | When you select Severity A, you confirm that the issue has critical business impact, with severe loss and degradation of services. <br><br> The issue demands an immediate response, and you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft can, at its discretion, decrease the Severity to level B.<br><br> You also ensure that Microsoft has your accurate contact information.
-**Severity B: <br> Moderate Impact** | **Moderate business impact**<br>Your business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner.<p>**Moderate application compatibility impact**<br>A specific business group is no longer productive, due to devices not responding or loss of critical functionality.| **Initial**: < 4 hours. <p> **Update**: 12 hours; 24 hours a day during admin support hours (Monday through Friday).| When you select Severity B, you confirm that the issue has moderate impact to your business with loss and degradation of services. However, workarounds enable reasonable, albeit temporary, business continuity. <br><br> The issue demands an urgent response. If you select *all day every day support* when you submit the support request, you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft might, at its discretion, decrease the severity to level C. If you select *admin support-hours support* when you submit a Severity B incident, Microsoft will contact you during admin support hours only.<br><br>You also ensure that Microsoft has your accurate contact information.
-**Severity C: <br> Minimal Impact** | **Minimum business impact**<br> Your business is functioning with minor impediments of services.<p>**Minor application compatibility impact**<br>Potentially unrelated users experience minor compatibility issues that don't prevent productivity. | **Initial**: < 8 hours.<p> **Update**: 24 hours; Support 24 hours a day during admin support hours (Monday through Friday). | When you select Severity C, you confirm that the issue has minimum impact to your business with minor impediment of service.<br><br> For a Severity C incident, Microsoft will contact you during admin support hours only.<br><br> You also ensure that Microsoft has your accurate contact information.
-
-### More support request information
-
-Below is a list of extra conditions to be aware of when submitting a support request.
-
-| Request condition | Description |
-| | |
-| Support languages | All support is provided in English. |
-| Severity level changes | Microsoft might downgrade the severity level if you aren't able to provide adequate resources, or responses for us to continue to resolve the problem. |
-| Application compatibility | For an application compatibility issue to be considered, there must be a reproducible error. The error must use the same version of the application, between the previous and current version of Windows, or Microsoft 365 Apps for enterprise. <br><br> To resolve application compatibility issues, we require a point of contact in your organization to work with. The contact must work directly with our Fast Track team to investigate and resolve the issue. |
-| Customer response time | If you aren't able to meet the expected response requirements, we'll downgrade the request by one severity level to the minimum severity level (Severity C). <br><br> If you're unresponsive to requests for action, we'll mitigate and close the support request within 48 hours of the last request. |
-
-## More resources
--- [User support for Microsoft Managed Desktop](end-user-support.md).-- [Support for Microsoft Managed Desktop](../service-description/support.md).-- If you're already subscribed to Microsoft Managed Desktop, you can find detailed procedures, process flows, work instructions, and FAQs in the Microsoft Managed Desktop Admin Guide. In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), navigate to the Tenant administration section, under Microsoft Managed Desktop, select Online resources, then select Other resources. You'll find the Admin Guide here.
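Review bot: in the removed "Customer response time" row, "we'll downgrade the request by one severity level to the minimum severity level (Severity C)" can be read either as a single-step downgrade or as a drop straight to Severity C. The [!NOTE] under "Edit case details" has a similar problem: it says "you won't be able to edit your support request", although the sentence before it is only about the severity level. If this text is carried into a replacement article, state the downgrade rule unambiguously and narrow the note to the severity field if that is what is meant. The Severity B and Severity C rows of the severity table also lack the leading pipe that the Severity A row has.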
managed-desktop App Usage Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/app-usage-report.md
- Title: App usage report
-description: How to use the app usage report
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# App usage report
-
-This report helps you understand how applications are being used across your Microsoft Managed Desktop devices. It can also act as a reference to help you assess any effect on your users when application issues are discovered.
-
-The information in this report includes:
-
-| Column name | Description |
-| | |
-| Application name | Applications with any amount of reported usage will appear in this list. |
-| Foreground usage | Time spent interacting with the foreground application shown in hours. |
-| Average weekday usage | Average usage per device excluding weekends.
-| Device count | The number of reporting devices contributing to usage per application.
-| % of reporting devices | The percentage of total reporting devices that have used this application.
-
-> [!IMPORTANT]
-> For devices to report data, they must be set to the Optional diagnostic data level. Learn more about [how Microsoft Managed Desktop uses Windows diagnostic data](../service-description/privacy-personal-data.md).\
managed-desktop Assign Deployment Group https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/assign-deployment-group.md
- Title: Assign devices to a deployment group
-description: How to specify which deployment group you want devices to be in
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Assign devices to a deployment group
-
-Microsoft Managed Desktop will assign devices to the various deployment groups. You can specify or change the group a device is assigned to using the Admin portal. You change the assignment after a device is registered or after a user has enrolled.
-
-> [!IMPORTANT]
-> If you change the assignment, policies that are specific to that group will be applied to the device. The change might install the latest version of Windows 10 (including any new feature or quality updates). It's best to move just a few devices at first and then check the resulting user experience. Be aware that certain updates will restart the device. Double-check that you've selected the right devices to assign. It can take up to 24 hours for the assignment to take effect.
-
-**To assign devices to a deployment group:**
-
-If you want to move separate devices to different groups, repeat these steps for each group.
-
-1. In Microsoft Endpoint Manager, select **Devices** in the left pane.
-1. In the **Microsoft Managed Desktop** section, select **Devices**.
-1. Select the devices you want to assign. All selected devices will be assigned to the group you specify.
-1. Select **Device actions** from the menu.
-1. Select **Assign device to group**. A fly-in opens.
-1. Use the dropdown menu to select the group to move devices to, and then select **Save**. The **Group assigned by** column will change to **Pending**.
-
-When the assignment is complete, **Group assigned by** column will change to **Admin** (indicated that you made the change) and the **Group** column will show the new group assignment.
-
-> [!NOTE]
-> You can't move devices to other groups if they're in the "error" or "pending" registration state.
->
->If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't complete. If you don't see **Group assigned by** column change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [See device details in Intune](/mem/intune/remote-actions/device-inventory).
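Review bot: the closing [!NOTE] tells the reader to check Intune if the **Group assigned by** column doesn't change to **Pending** "in Step 5", but in the removed procedure that change is described in step 6, after selecting **Save**. Step 5 only opens the fly-in. If this procedure is moved rather than retired, correct the step reference. The sentence after the procedure also reads "(indicated that you made the change)", where "indicating" is meant.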
managed-desktop Change Device Profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/change-device-profile.md
- Title: Reassign device profiles
-description: How to change a device profile for a device
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH------
-# Change the device profile
-
-You can change the [Device profiles](../service-description/profiles.md) assigned to a device using the Admin Portal.
-
-The selected device profile will be applied to all devices you select in the first step.
-
-**To change the device profile:**
-
-1. In Microsoft Endpoint Manager, select **Devices** in the left pane.
-1. In the **Microsoft Managed Desktop** section, select **Devices**.
-1. Select the checkboxes for the devices you want to modify.
-1. Select **Change device profile**. A fly-in opens.
-1. Use the dropdown menu to select the new device profile.
-1. Check that the **Reset device** slider is set the way you want.
-1. Select **Change profile**.
-
-To move separate devices to different profiles, you'll need to repeat this process for each device profile.
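Review bot: step 6, "Check that the **Reset device** slider is set the way you want", never says what the slider does, what its default position is, or whether a reset removes user data from the selected devices. Because the introduction says the profile "will be applied to all devices you select in the first step", an admin changing several devices at once has nothing here to judge the impact from. If this procedure survives in another article, add one sentence on what resetting the device does and when to leave it off.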
managed-desktop Config Setting Deploy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-deploy.md
- Title: Deploy configurable settings in Microsoft Managed Desktop
-description: Deploy and track configurable settings changes in Microsoft Managed Desktop.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation, deploy, staged deployment, configurable settings
--------
-# Deploy and track configurable settings - Microsoft Managed Desktop
-
-After you make changes to your setting categories and stage a deployment, the Deployment status page allows you to begin deploying your settings to groups. This page shows a summary of each configurable setting. When opening a setting category, you can deploy settings to groups and track the progress of these deployments.
-
-## Deployment statuses
-
-The following are the statuses you'll see for each deployment.
-
-Status | Explanation
- |
-Deploy | Your change is waiting to be deployed to this group.
-In progress | The change is being applied to active devices in this group.
-Complete | The change completed on all active devices in this group.
-Failed | The change failed on 10 percent of active devices in the group. The deployment was stopped.<br><br> A support request will be automatically opened with Microsoft Managed Desktop operations to troubleshoot the deployment.
-Reverted | The change was reverted to the last change that was successfully deployed to all deployment groups.
-
-## Deploy changes
-
-As an example, we'll use a desktop background picture in these instructions. After you've staged a deployment, you deploy changes from the Deployment status page.
-
-**To deploy changes:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-2. In the Microsoft Managed Desktop section, select **Settings**.
-3. In the **Deployment status** workspace, select the setting you want to deploy. Then, select the staged deployment to deploy.
-4. Select **Deploy** to deploy the change to one of the deployment groups.
-
-> [!NOTE]
-> The orange caution icon indicates there is a previous group available for deployment as it's recommended to roll out in order.
-
-<!-- Needs picture updated to show MEM ![Deployment status workspace. Trusted sites pane on the right. In the Deployment groups section are three columns: deployment groups, devices, and status. In the status column, "deploy" is highlighted.](../../media/1deployedit.png) -->
-
-We recommend deploying to deployment groups in this order: Test, First, Fast, and then Broad.
-
-When changes complete in each group, the status changes to **Complete**.
-
-<!-- Needs picture updated to show MEM ![Deployment status workspace with columns for date updated, version, test, first, fast, and broad. The Proxy row is expanded, showing a dated setting flagged as "complete" in each of the four deployment groups.](../../media/2completeedit.png) -->
-
-## Revert deployment
-
-After you've deployed a change, you can revert from **Deployment status**. When you revert a change that is **In progress** or **Complete**, the current deployment stops. The setting will revert to the last version that was deployed to all groups.
-
-As an example, we'll revert the desktop background picture.
-
-**To revert a change:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-2. In the Microsoft Managed Desktop section, select **Settings**.
-3. In the **Deployment status** workspace, select the setting you want to revert. Then, select the staged deployment to revert.
-4. Under **Need to revert this change?**, select **Revert deployment**.
-
-<!-- Needs picture updated to show MEM ![Deployment status workspace. Browser start pages is selected, opening a pane on the right side with data about the submitted change and its status. At the bottom is the "need to revert this change" area where you can select "Revert deployment."](../../media/3revert.png) -->
-
-## Additional resources
--- [Configurable settings overview](config-setting-overview.md)-- [Configurable settings reference](config-setting-ref.md)
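Review bot: the "Failed" row in the status table says the change "failed on 10 percent of active devices", which reads as exactly 10 percent. Say whether the deployment stops once failures reach 10 percent or more. The [!NOTE] under "Deploy changes" says the caution icon appears because "it's recommended to roll out in order", but doesn't say whether deploying out of the Test, First, Fast, Broad order is blocked or only flagged. "Revert deployment" also says the setting reverts "to the last version that was deployed to all groups" without saying what happens when no earlier version reached all groups. These are worth settling in whatever article replaces this one.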
managed-desktop Config Setting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-overview.md
- Title: Configurable settings for Microsoft Managed Desktop
-description: Info on configurable settings with Microsoft Managed Desktop
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation, settings, configurable settings
--------
-# Configurable settings - Microsoft Managed Desktop
-
-Microsoft Managed Desktop deploys settings and policies that are applied to all devices managed by Microsoft Managed Desktop. For more information, see [Device configuration](../service-description/device-policies.md).
-
-Configurable settings in Microsoft Managed Desktop give IT admins a way to customize and deploy settings that are unique to their organization and business needs. These settings are in addition to device configuration settings and policies that are managed by Microsoft Managed Desktop.
-
-Configurable setting changes are made in the cloud. They're applied to your Microsoft Managed Desktop devices in defined deployment groups. This process is similar to how Microsoft Managed Desktop manages changes to device configuration settings and policies that are defined and managed by the service. By using the same process that Microsoft Managed Desktop uses for deploying changes, you continue to move your organization forward, using modern IT management practices.
-
-## When to use configurable settings?
-
-Use configurable settings in the following scenarios:
-
-| Scenario | Description |
-| | |
-| Onboarding process | Microsoft Managed Desktop recommends that you customize configurable settings when you onboard to the Microsoft Managed Desktop service, or when you onboard a large number of devices (20 or more). <br><br>Setting categories are configured in Microsoft Managed Desktop admin portal. After you onboard and have access to the admin portal, you can decide which setting categories you want to customize for your organization. After, make the changes, stage a deployment, and then deploy your changes. |
-| Maintain settings | Review your settings regularly and make needed updates. You might need to make changes to support a change in your business. |
-
-## Setting categories
-
-The following are the configurable settings categories that you can customize:
-
-| Category | Description |
-| | |
-| [Desktop background picture](config-setting-ref.md#desktop-background-picture) | Customize the desktop background picture for Microsoft Managed Desktop devices. |
-| [Browser start pages](config-setting-ref.md#browser-start-pages) | Add start pages to use with Microsoft Edge. |
-| [Enterprise mode site list](config-setting-ref.md#enterprise-mode-site-list-location) | Add sites, and their compatibility mode. Sites on the list will start in Internet Explorer. |
-| [Trusted sites](config-setting-ref.md#trusted-sites) | Add trusted sites and set security zones for each site. |
-| [Proxy site exceptions](config-setting-ref.md#proxy) | Set up your proxy server address number and port number, and add proxy site exceptions. |
-
-Each setting category can be customized and deployed on its own. You can deploy changes to multiple setting categories at the same time. However, you can only deploy one change at a time to a setting category.
-
-For example:
--- You can deploy changes to desktop background picture and trusted sites, each as their own deployment, at the same time.-- You can't deploy two deployments to the browser start pages at the same time. The most recent deployment will stop earlier deployments that are still in progress.-
-## Configurable setting process
-
-Microsoft Managed Desktop recommends following a process like the one below when using configurable settings for your organization:
-
-| Step | Process |
-| | |
-| **Step 1: Plan** | <ol type="1"><li>Learn about configurable settings and decide which setting categories you want to configure for your organization.</li> <li>Create a timeline when you expect to deploy changes to each group.</li> <li>Plan communication to your users that meets your internal change management processes. For example, if you're adding browser start pages, inform your users they'll have a new set of start pages in their browser after the deployment.</li></ol> |
-| **Step 2: Configure and stage deployment** | <ol type="1"><li>Make changes to configurable settings in Microsoft Managed Desktop admin portal.</li><li>Stage the changes so theyΓÇÖre ready to deploy.</li> <li>Remember to inform your users about the changes, and how the changes will change their device experience.</li><li>Configure and stage changes in the Microsoft Managed Desktop admin portal. For more information, see [Customize configurable settings](config-setting-ref.md).</li></ol>|
-| **Step 3: Communicate changes** | <ol type="1"><li>Communicate information about upcoming changes to your users.</li> <li>For each deployment, complete the communication that is part of your change management processes. You should clearly communicate any change that impacts how a user works, or what they'll see on their devices.</li></ol> |
-| **Step 4: Deploy changes** | Deploy your changes, starting with the Test group. The Test group allows you to validate and troubleshoot any issues in a group with fewer devices, before deploying changes to larger groups of devices. <br><br>If you run into any issues, you can revert the change, update the setting, and stage a new deployment. Microsoft Managed Desktop recommends that you follow the structured approach and deploy to groups in this order: Test, First, Fast, and then Broad. <br><br>All configurable settings are managed using the Microsoft Managed Desktop admin portal. For more information, see [Deploy changes](config-setting-deploy.md). |
-| **Step 5: Track changes** | Track the progress for your changes in the Deployment status section. For each setting, you can: <ul><li>**Track progress:** Track status after you deploy the change. The status will change to **In progress**, and then either **Complete**, or **Failed**. If a deployment fails, a support request is automatically opened for Microsoft Managed Desktop Operations to investigate the issue.</li> <li>**See version deployed:** Each deployed change has a version number.</li><li>**Revert changes:** Reverting a change stops the current deployment. It reverts all groups to the last changes that were deployed to all groups. You're rolling back to the last-known-good setting value.</li><li>**Validate changes:** After the deployment is complete, validate the changes were applied as you expected.</li></ul> |
-
-If a deployment failed, or you can't revert a change, [open a support request](admin-support.md) with Microsoft Managed Desktop Operations.
-
-For more information, see [Deploy and track configurable settings](config-setting-deploy.md).
-
-## Additional resources
--- [Configurable settings reference](config-setting-ref.md)-- [Deploy configurable settings](config-setting-deploy.md)
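Review bot: in the "Configurable setting process" table, Step 2 repeats itself and overlaps Step 3. Its first and fourth list items both say to make the changes in the Microsoft Managed Desktop admin portal, and its third item ("Remember to inform your users about the changes") is the subject of "Step 3: Communicate changes". If the table is reused, fold item 4 into item 1 with the link to config-setting-ref.md and leave user communication to Step 3. The same row also carries a mis-encoded apostrophe in "theyΓÇÖre", and the "Proxy site exceptions" row in the categories table says "proxy server address number", where "address" alone is meant.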
managed-desktop Config Setting Ref https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref.md
- Title: Configurable settings reference for Microsoft Managed Desktop
-description: Setting categories for configurable settings in Microsoft Managed Desktop
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Configurable settings reference - Microsoft Managed Desktop
-
-This article lists the settings categories that customers can configure with Microsoft Managed Desktop. Each setting category includes information on requirements, best practices, and how to customize the setting category.
-
-> [!NOTE]
-> This page contains information for commonly requested settings. It applies to the legacy Edge browser.
-
-## Desktop background picture
-
-You can customize the desktop background picture for Microsoft Managed Desktop devices in your organization. You might use the desktop background picture to apply a company brand or marketing material.
-
-### Requirements
-
-These requirements must be met for a desktop background picture:
--- Picture file format: .jpg, jpeg, or .png-- File location: Host on a trusted secure http (https) location.-- Not allowed: Http and file share (unc) locations aren't supported.-
-### Customize and deploy desktop background picture
-
-**To add a custom desktop background picture:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-2. In the Microsoft Managed Desktop section, select **Settings**.
-3. In the **Settings** workspace, select **Desktop background picture**.
-4. Enter the location of the picture you want to use.
-5. Select **Stage deployment** to save your changes and deploy them to the Test group.
-
-## Browser start pages
-
-Browser start pages open in individual tabs when your users start Microsoft Edge. If you want to make it easy for your users to open a set of sites they use frequently, add a browser start page for each site.
-
-### Requirements
-
-You must provide the fully qualified domain name (FQDN) for intranet or Internet sites for your browser start pages. If internal sites are configured, inform users that access is only allowed when connected to the internal network, or when connected via VPN.
-
-### Customize and deploy browser start pages
-
-**To add a browser start page:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-2. In the Microsoft Managed Desktop section, select **Settings**.
-3. In the **Settings** workspace, select **Browser start pages**.
-4. Select **Add start page**.
-5. In **Add browser start page**, enter the URL for the site you want to use, and then select **Add start page**.
-6. Repeat steps 1-5 for to add more browser start pages.
-7. Select **Stage deployment** to save your changes and deploy them to the Test group.
-
-## Enterprise mode site list location
-
-If you have specific websites and apps that have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list to automatically open the websites in Internet Explorer 11. Also, if you know your intranet sites don't work correctly with Microsoft Edge, you can set all intranet sites to open automatically in Internet Explorer 11.
-
-Using Enterprise Mode means you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working in Internet Explorer 11. For more information on enterprise mode site lists, see [Enterprise Mode and Enterprise Mode Site Lists](/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode).
-
-You can specify an `https://` location, or the location for an internal share where youΓÇÖve hosted your enterprise mode site list.
-
-### Requirements
-
-These requirements must be met for the enterprise mode site list file:
--- File format: XML file that meets [file requirements](/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#site-list-xml-file).-- File location: Host file on an internal https location.-- Not allowed: Hosting on an internal file share, like `//sharename`, is n't allowed.-
-### Best practices
-
-These best practices are offered to help customers make decisions to modernize their IT infrastructure:
-
-| Practice | Description |
-| | |
-| Choose a limited number of sites | Microsoft Managed Desktop uses Microsoft Edge as the preferred browser to improve overall security for your organization and usability for your users. Most sites in this list are for legacy web apps that need an older version of a browser. It won't include as many security features. |
-| Consider an alternate | Consider a different site, or web app that doesn't require an older browser. Or, consider updating the site so that it can use newer browsers. Newer browsers use the latest technology and help improve security. |
-
-### Customize and deploy Enterprise site mode list location
-
-**To add an enterprise site mode list location:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-2. In the Microsoft Managed Desktop section, select **Settings**.
-3. In the **Settings** workspace, select **Enterprise mode site list location**.
-4. Enter the https location for your site list.
-5. Select **Stage deployment** to save your changes and deploy them to the Test group.
-
-## Trusted sites
-
-Trusted sites allow you to customize security zones, or where a site can be used, for different sites. Security zones include:
--- Zone 1: Local Intranet zone-- Zone 2: Trusted sites zone-- Zone 3: Internet zone-- Zone 4: Restricted Sites zone-
-### Requirements
-
-Provide the fully qualified domain name (FQDN) for intranet or Internet sites for each trusted site.
-
-### Customize and deploy trusted sites
-
-**To add a trusted site:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-2. In the Microsoft Managed Desktop section, select **Settings**.
-3. In the **Settings** workspace, select **Trusted sites**, and then select **Add trusted site**.
-4. On **Add trusted site**, enter the URL, choose a security zone, and then select **Add trusted site**.
-5. Repeat steps 1-4 for each trusted site you want to add.
-6. Select **Stage deployment** to save your changes and deploy them to the Test group.
-
-**To remove a trusted site:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-2. In the Microsoft Managed Desktop section, select **Settings**.
-3. In **Settings** workspace, select **Trusted sites**.
-4. Select the site that you want to delete, and then select **Delete**.
-5. Repeat steps 1-4 for each trusted site you want to delete.
-6. Select **Stage deployment** to save your changes and deploy them to the Test group.
-
-## Proxy
-
-You can manage network proxy settings for your organization. Add your proxy server and port number, and then add your proxy site exceptions.
-
-Microsoft Managed Desktop includes a set of default proxy exceptions that are required for the service to operate. The default exclusion list may only be modified by the Microsoft Managed Desktop service. For more information, see [Network configuration for Microsoft Managed Desktop](../get-ready/network.md).
-
-The proxy site exceptions added in the Microsoft Managed Desktop portal are added to the default proxy exceptions included with the Microsoft Managed Desktop service.
-
-> [!NOTE]
-> Updating the default proxy exception list is always prioritized over customer deployments. This means that your staged deployment will be paused if there is a deployment for the default proxy exception list.
-
-### Requirements
-
-These requirements must be met for proxy server and proxy site exceptions:
--- Must be a valid server address and port number.-- URLs must be a valid http site.-- Proxy exceptions should be limited to a maximum of 2064 characters. This includes added Microsoft Managed Desktop addresses.-
-### Customize and deploy proxies
-
-**To add an individual proxy site exception:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-2. In the Microsoft Managed Desktop section, select **Settings**.
-3. In the **Settings** workspace, select **Proxy**.
-4. Enter the **Address** and **Port number** for you proxy server, and then select **Add proxy exception**.
-5. Enter the URL of a valid http site, and then select **Add proxy exception**.
-6. Repeat steps 1-5 for each trusted site you want to add.
-7. Select **Stage deployment** to save your changes and deploy them to the Test group.
-
-## Additional resources
--- [Configurable settings overview](config-setting-overview.md)-- [Deploy configurable settings](config-setting-deploy.md)
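Review bot: In the removed "To add an individual proxy site exception" procedure, step 6 reads "Repeat steps 1-5 for each trusted site you want to add", wording carried over from the trusted-sites procedure, and step 4 has "for you proxy server". If this text is being moved rather than retired, the destination copy should say "proxy site exception" and "your". The Requirements list also says exception URLs "must be a valid http site" without saying whether https URLs are accepted; state that explicitly.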
managed-desktop Device Inventory Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/device-inventory-report.md
- Title: Device inventory report
-description: This article describes the Device inventory report
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Device inventory report
-
-In the **Devices** view, you can select the **Export all** tab to download a comma-delimited file including this information:
--- Serial Number-- Device Name-- Device Last check-in-- Managed By-- Manufacturer-- Model-- OS-- OS License-- OS Version-- Ownership-- Enrollment Date-- Ring Name-- Storage - Free in GB-- Storage - Total in GB-- Enrolled by User UPN-- Assigned User-- Status-- Age (Months)-- Profile-- Logged in Users-- TPM version-- Secure Boot Enabled-- Primary Disk Type-- Total Physical Memory-
-![Devices view showing list of devices and related details. Check boxes near the top select filters for activity, registration status. Above that is a search box. Tabs at the top for registering new devices, refreshing the view, exporting errors, and exporting the data.](../../medi-devices-view.png)
managed-desktop Device Status Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/device-status-report.md
- Title: Device status report
-description: Explains device status
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Device status report
-
-This report aggregates the status of all your registered devices to show your use of the Microsoft Managed Desktop service.
-
-We categorize devices based on their activity over the last 28 days, and on our ability to keep the device updated.
-
-To be updated by Windows Update as soon as possible, a device must:
--- Be connected to the internet.-- Not hibernating.-- Not paused for a minimum of six hours, two of which must be continuous.-
-Although it's possible that a device that doesn't meet these requirements will be updated. Devices that meet them have the highest likelihood of being updated.
--
-## Device status labels
-
-We report device status using the following labels:
-
-| Device status label | Description |
-| | |
-| Ready for user | Devices that have been successfully registered with our service, and ready to be given to a user.|
-| Active | Devices that are being used. <ul><li>They've met the activity criteria (six hours, two continuous) for the most recent security update release.</li> <li>They've checked in with Microsoft Intune at least once in the past five days.</li></ul> |
-| Synced | Devices that are being used and have checked in with Intune within the last 28 days.
-| Out of sync | Devices that are being used but haven't checked in with Intune in the last 28 days. |
-| Other | The label aggregates several error states that can occur, typically during device registration. For more information, see [Troubleshooting device registration](../get-started/manual-registration.md#troubleshooting-device-registration). |
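Review bot: The Active row requires an Intune check-in "at least once in the past five days", while Synced and Out of sync use a 28-day window, and the table never says which label applies to a used device that checked in within 28 days but missed the activity criteria (presumably Synced). Spell that out, because the Windows security updates report sets its 95% deployment target over Active devices only. The Synced row is also missing its closing pipe, and the sentence beginning "Although it's possible that" is a fragment that should be joined to the sentence after it.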
managed-desktop End User Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support.md
- Title: Get user support for Microsoft Managed Desktop
-description: How users can get help with the service and devices
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Getting help for users
-
-If you've reached the point in the [workflow](../service-description/user-support.md) where you need to request elevated device access or escalation to Microsoft, follow these steps:
-
->[!NOTE]
->These support options are not available for devices in the Test group.
-
-## Elevation requests
-
-Before you request elevated access to a device, it's best to review which actions are best suited.
-
-| Actions | Examples |
-| | |
-| **Typical actions** are intended for the elevation request process. It is performed routinely when troubleshooting problems with Microsoft Managed Desktop devices. | <ul><li>Elevating built-in system troubleshooters, the command prompt, or Windows PowerShell Troubleshooting line-of-business applications.</li><li>Using a workaround to correct something that should function by design (such as BitLocker activation or system time not updating).</li><li>Elevating Device Manager to do things like update drivers, uninstall a device, or scan for new changes.</li></ul>
-| **Actions that aren't recommended** | <ul><li>Installing software or browsers.</li><li>Installing drivers outside of Windows settings, including drivers for peripherals.</li><li>Installing .msi or .exe files.</li><li>Installing Windows features.</li></ul>
-| **Actions that aren't supported** | <ul><li>Installing software or features that conflict with Microsoft Managed Desktop security or management capabilities or operations.</li><li>Disabling a Windows feature that is required for Microsoft Managed Desktop, such as BitLocker.</li><li>Modifying settings managed by your organization.</li><ul>
-
-**To request elevation:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu.
-1. In the **Microsoft Managed Desktop** section, select **Devices**, which contains two tabs: the **Devices** tab and the **Elevation requests** tab.
-1. To create a new elevation request on the **Device** tab, select a single device that you want to elevate.
-1. From the Device actions dropdown menu, select **Request elevation**. A new elevation request fly-in will appear with the deviceΓÇÖs name pre-populated in that field.
-1. Instead, to create a new elevation request in the **Elevations requests** tab, select **+New elevation request.**
-1. Provide these details:
- - **Support ticket ID**: This is from your own support ticketing system.
- - **Device name**: This is only when creating request from the **Elevation requests** tab. Enter the device serial number and then select the device from the menu.
- - **Category**: Select the category that best fits your issue. If no option seems close, then select **Other**. It's best to select a category if at all possible.
- - **Title**: Provide a short description of the issue on the device.
- - **Plan of action**: Provide the troubleshooting steps you plan to take once elevation is granted.
-1. Select **Submit**.
-1. The list and details of all active and closed requests can be seen on the **Elevation requests** tab.
-
-## Escalation requests
-
-**To [escalate](../service-description/user-support.md#escalation-portal) an issue to Microsoft:**
-
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu.
-2. In the Microsoft Managed Desktop section, select **Service requests**.
-3. In the **Service requests** section, select **+ New support request**.
-4. Provide a brief description in the **Title** field. Then, set the **Request type** to **Incident**.
-5. Select the **Category** and **Sub-category** that best fits your issue. Then, select **Next**.
-6. In the **Details** section, provide the following information:
- - **Description**: Add any extra details that could help our team understand the problem. If you need to attach files, you can do that by coming back to the request after you submit it.
- - **Primary contact information**: Provide information about how to contact the main person responsible for working with our team.
-7. Select the **Severity** level. For more information, see [Support request severity definitions](../working-with-managed-desktop/admin-support.md#support-request-severity-definitions).
-8. Provide as much information about the request as possible to help the team respond quickly. Depending on the type of request, you may be required to provide different details.
-9. Review all the information you provided for accuracy.
-10. When you're ready, select **Create**.
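Review bot: In the elevation table, the "Actions that aren't supported" cell ends with `<ul>` where `</ul>` is needed, and all three data rows lack the closing pipe, so the table that tells admins what elevated access must not be used for may render broken. In the first row, "Windows PowerShell Troubleshooting line-of-business applications" looks like two list items run together. In the request details, the **Device name** field asks for the device serial number; say why, or name what is actually entered.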
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/index.md
- Title: Working with Microsoft Managed Desktop
-description: Landing page for the "working with" section
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Working with Microsoft Managed Desktop
-
-This section includes information about your day-to-day life with the service:
--- [Admin support for Microsoft Managed Desktop](admin-support.md)-- [Getting help for users](end-user-support.md)-- [Manage line-of-business apps in Microsoft Managed Desktop](manage-apps.md)-- [App control](../service-description/app-control.md)-- [Configurable settings - Microsoft Managed Desktop](config-setting-overview.md)
managed-desktop Manage Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/manage-apps.md
- Title: Manage apps in Microsoft Managed Desktop
-description: Info about how to update line-of-business apps that are deployed to Microsoft Managed Desktop devices
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
---- NOCSH--- Previously updated : 01/18/2019---
-# Manage line-of-business apps in Microsoft Managed Desktop
-
-<!--Application management -->
-
-There are a couple of ways to manage app updates, and deploy the updates to your Microsoft Managed Desktop devices. You can make app updates in Microsoft Managed Desktop portal, or Intune.
-
-<span id="update-app-mmd" />
-
-## Update line-of-business apps in Microsoft Managed Desktop
-
-**To update your line-of-business apps in Microsoft Managed Desktop portal:**
-
-1. Sign in to [Microsoft Managed Desktop Admin portal](https://aka.ms/mmdportal).
-1. Under **Inventory**, select **Apps**.
-1. Select the app you want to updates, and then select **Edit**.
-1. Under **Manage**, select **Properties**.
-1. Select **App package file**, and then browse to upload a new app package file.
-1. Select **App package file**.
-1. Select the folder icon and browse to the location of your updated app file. Select **Open**. The app information is updated with the package information.
-1. Verify that **App version** reflects the updated app package.
-
-The updated app will be deployed to your user's devices.
-
-<span id="update-app-intune" />
-
-## Update line-of-business apps in Intune
-
-**To update your line-of-business apps in Intune:**
-
-1. Sign in to [Azure portal](https://portal.azure.com).
-2. Select **All Services** > **Intune**. Intune is in the **Monitoring + Management** section.
-3. Select **Client Apps > Apps**.
-4. Find and select your app in the list of apps.
-5. In the **Overview** section, select **Properties**.
-6. Select **App package file**.
-7. Select the folder icon and browse to the location of your updated app file. Select **Open**. The app information is updated with the package information.
-8. Verify that **App version** reflects the updated app package.
-
-<span id="roll-back-app-mmd" />
-
-## Roll back an app to a previous version
-
-When a new version of an app is deployed, and an error is found, you can roll back to a previous version. The process outlined below is for apps where the type is listed as **Windows MSI line-of-business app** or **Windows app (Win 32) - preview**
-
-**To roll back a line-of-business app to a previous version:**
-
-1. Sign in to [Microsoft Managed Desktop Admin portal](https://aka.ms/mmdportal).
-2. Under **Inventory**, select **Apps**.
-3. Select the app you need to roll back, and then select **Edit**.
-4. Under **Manage**, select **Properties**.
- - For **Windows MSI line-of-business app** apps, select **App information**, and then under **Ignore app version**, select **Yes**.
- - For **Windows app (Win 32) - preview** apps, select **App information**, select **Detection rules**, and then select **Add**.
- If there's an MSI rule, verify that **MSI product version check** is set to **No**.
-5. [Upload a previous version of the app source file](../get-started/deploy-apps.md) to Microsoft Managed Desktop Admin portal.
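Review bot: The rollback procedure relaxes version checking (**Ignore app version** set to **Yes**, or **MSI product version check** set to **No**) and then ends at step 5 with no step that restores those settings once the older package is in place or a fixed version ships. Add that step, or state that the setting is meant to stay changed. In the Microsoft Managed Desktop update procedure, steps 5 and 6 both say to select **App package file**, and step 3 has "you want to updates".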
managed-desktop Remove Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/remove-devices.md
- Title: Remove devices
-description: Remove devices from Microsoft Managed Desktop management
---- NOCSH------
-# Remove devices
-
-You can remove devices from Microsoft Managed Desktop management by using the Admin portal. This action is permanent, but you can register them with Microsoft Managed Desktop again by following the [manual registration steps](../get-started/manual-registration.md).
-
-When you remove a device, all of the following occur:
--- We remove the device from Autopilot.-- We remove the device from all "Modern Workplace" device groups.-- We remove the device from the **Devices** blade in the Admin portal.-
-When you remove a device, you can also remove it from Azure Active Directory (Azure AD) and Microsoft Intune.
-
-> [!CAUTION]
-> Removing the objects related to a device from Azure AD and Microsoft Intune is permanent. If you remove the objects, you won't be able to view or manage the devices from the Intune and Azure portals. The devices won't be able to access their company's corporate resources. Company data might be deleted from them if the devices try to sign in after they're deleted.
-
-**To remove a device:**
-
-1. In [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), select **Devices** in the left navigation pane.
-2. In the **Microsoft Managed Desktop** section, select **Devices**.
-3. In the **Microsoft Managed Desktop Devices workspace**, select the devices you want to delete.
-4. Select **Device actions**, and then select **Delete Device** which opens a fly-in to remove the devices.
-5. In the fly-in, review the selected devices and then select **Remove devices**. If you want to also remove the Azure AD and Intune objects at the same time, select the checkbox. Device removal can take a few minutes to complete.
-
-> [!NOTE]
-> You can't remove devices that are in a **pending** registration state.
managed-desktop Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/reports.md
- Title: Work with reports
-description: The various reports available in Microsoft Managed Desktop
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Work with reports
-
-The Microsoft Endpoint Manager console brings together reporting from several products into a single location to help you monitor, and investigate issues with your Azure AD organization ("tenant") configuration and devices.
-
-Microsoft Managed Desktop has a section in the **Reports** menu where you can find reports specific to Microsoft Managed Desktop's management of the registered devices. In several locations throughout Microsoft Endpoint Manager, you can filter reports from other product groups. You can include or exclude devices that are managed by Microsoft Managed Desktop.
-
-## Microsoft Managed Desktop reports
-
-Microsoft Managed Desktop provides several reports and dashboards. IT admins, in your organization, can use these reports and dashboards to understand various aspects of the population of devices. In Microsoft Endpoint Manager, navigate to the Reports section, under Microsoft Managed Desktop, select Managed devices.
-
-In the **Summary** tab, you'll find quick metrics about device updates. Select **View details** of any metric to download additional information for offline analysis, including the underlying dataset for the metric.
-
-When you select the **Reports** tab, you'll see descriptions for the available detailed reports. These reports are more comprehensive and support data visualization and filtering in the portal. You can also export the underlying data for offline analysis or distribution. The following reports are available today:
-
-| Report | Description |
-| | |
-| [**Device status** report](device-status-report.md) (*in preview*) | This report shows your use of the Microsoft Managed Desktop service based on device activity and usage. |
-| **Device status trend** (*in preview*) | This monitors trends in device status over the last 60 days for your Microsoft Managed Desktop devices. Trends can help you associate device status with other changes over time, for example, new deployments. |
-| [**Windows security updates** report](security-updates-report.md) (*in preview*) | This report shows how Windows security updates are released across your Microsoft Managed Desktop devices. |
-| [**Application usage** report](app-usage-report.md) | This report provides information about typical app usage across your Microsoft Managed Desktop devices. For devices to provide data to this report, they must be set to the Optional diagnostic data level. |
-| [**Service Metrics Report**](service-metrics-report.md) (*in preview*) | This report provides straightforward summaries of key metrics for Microsoft Managed Desktop month over month. |
-
-## Endpoint analytics
-
-Microsoft Managed Desktop is now integrated with [Endpoint analytics](/mem/analytics/overview). These reports give you insights for measuring how your organization is working and the quality of the experience delivered to your users. You can find Endpoint analytics in the **Reports** menu of [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). To pivot a score to only include devices being managed by Microsoft Managed Desktop, go to any report, select the **Filter** dropdown, and then select **Microsoft Managed Desktop devices**.
-
-If Endpoint analytics weren't automatically configured for your Azure AD organization ("tenant") during enrollment, you can do that yourself. For more information, see [Onboard in the Endpoint analytics portal](/mem/analytics/enroll-intune#bkmk_onboard). You can enroll all of your devices, or, if you want to include only Microsoft Managed Desktop devices, select the **modern workplace device** groups for Test, First, Fast, and Broad. These reports might require different permissions. For more information, see [Permissions](/mem/analytics/overview#permissions) to ensure you have roles appropriately assigned.
-
-> [!NOTE]
-> To better respect user privacy, there must be more than 10 Microsoft Managed Desktop devices enrolled with Endpoint analytics to use this filter.
-
-## Intune reports
-
-Microsoft Intune is one of the services we use to manage devices on your behalf.
-
-In some cases, it can be helpful to use Intune reports to specifically monitor administration of your Microsoft Managed Desktop devices. You can exclude the devices we manage from the report you use to manage other devices. The following reports let you filter capability to include or exclude Microsoft Managed Desktop devices.
--- [All devices](/mem/intune/remote-actions/device-management#get-to-your-devices)-- [Device compliance](/mem/intune/fundamentals/reports#device-compliance-report-organizational)-- [Noncompliant devices](/mem/intune/fundamentals/reports#noncompliant-devices-report-operational)-
-> [!NOTE]
-> Custom Microsoft Managed Desktop roles guarantee access only to the Microsoft Managed Desktop reports. To access other parts of Microsoft Endpoint Manager, such as **All devices**, see [Role-based access control with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
-
-## Microsoft Managed Desktop inventory data
-
-In addition to the other reports, you can export information about the devices managed by Microsoft Managed Desktop. In Microsoft Endpoint Manager, navigate to the **Devices** section, under Microsoft Managed Desktop, select **Devices** and use the **Export all** tab to [download a detailed inventory report](device-inventory-report.md).
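Review bot: In the Intune reports section, "The following reports let you filter capability to include or exclude Microsoft Managed Desktop devices" is garbled; something like "let you filter to include or exclude" is what the sentence needs. The NOTE that follows says custom Microsoft Managed Desktop roles "guarantee access only to the Microsoft Managed Desktop reports", so the three Intune reports listed just above it need a sentence saying which role is required to open them, not only a link.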
managed-desktop Security Updates Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/security-updates-report.md
- Title: Windows security updates report
-description: Explains the info presented in this report
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Windows security updates report
-
-This report provides an overview of the deployment progress, of a given Windows security update, for your Microsoft Managed Desktop devices.
-
-At the beginning of each security update release cycle, Microsoft Managed Desktop takes a snapshot of all the enrolled devices. The deployment target is set to 95% of **Active** devices from that population. The graph shows your deployment progress for a selected release date compared to the Microsoft Managed Desktop average.
-
-While we focus on the Active population, you can also pivot this report to show your **Active + Synced** and **Out of sync** device populations. You can view the deployment progress for previous releases by changing the available filters, but device level details are only available for the current release. Device information in the table following the graph is also exportable for offline analysis.
--
-Typically, Microsoft releases security updates every second Tuesday of the month. However, they can be released at other times when needed. Each release adds important updates for known security vulnerabilities
-
-Microsoft Managed Desktop ensures 95% of its active devices are updated with the latest available security update every month. When security updates are released, at other times to urgently address new threats, Microsoft Managed Desktop deploys these updates similarly.
-
-## Status categories
-
-We categorize the status of security update versions using the following terms:
-
-| Status of security update | Description |
-| | |
-| Current | Devices that are running the update released in the current month. |
-| Previous | Devices running the update that was released in the previous month. |
-| Older | Devices running any security update released prior to the previous month. |
-
-> [!NOTE]
-> There should only be a few devices in the **Older** category. A large or growing **Older** population probably indicates a systemic problem that you should report to Microsoft Managed Desktop for investigation.
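Review bot: The second paragraph calls 95% of **Active** devices a "deployment target", while a later paragraph says the service "ensures 95% of its active devices are updated"; pick one wording, because a target and a guarantee read differently to someone assessing patch coverage. The NOTE on the **Older** category gives no threshold for "a few devices"; a number or percentage would make it actionable. The sentence ending "known security vulnerabilities" is missing its period.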
managed-desktop Service Metrics Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/service-metrics-report.md
- Title: Service metrics report
-description: How to use the service metrics report
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Service metrics report
-
-This report provides straightforward summaries of key metrics for Microsoft Managed Desktop month over month.
-
-This report will be published each month to Microsoft Endpoint Manager and contain aggregate information about the previous month. Historical reports will continue to be available to you through the same portal for month-over-month comparisons.
-
-## What's covered in the report
-
-Below are the data summaries provided in the report.
-
-| Data summary | Description |
-| | |
-| Service consumption | Learn how Microsoft Managed Desktop devices are being used in your organization. Watch this trend over time to ensure that most of your enrolled devices are Active or Synced. |
-| Windows feature updates | Review the distribution of feature update versions across your device estate. |
-|Windows quality updates | Quality updates are typically released on the second Tuesday of each month. You can see how quickly the last update was deployed to your Active devices, and review the quality update version of your entire device estate. |
-| Case management | Review trends for case creation, case closure, and average age based of the support request you create with our service engineers and security analysts. |
-| Incidents | Look at the summary stats for customer raised incidents and service raised incidents that were opened in the last month. |
-| Change requests | Review how many change requests your admins raised with our team last month, and see aggregate statistics on how quickly they were carried out. |
-| Request for information | Our team responds to requests for information in the order in which they're received (except for security related questions). You can see what categories admins are asking about the most in the last month. |
-| Security operations | Review the work of our security analysts to understand how many alerts they've investigated in the last month. Specific details of these cases won't be available in this report, but admins can check out alert specifics in the Microsoft 365 Security portal. |
-| User support | Occasionally, elevated access is required for user support scenarios in your organization. You can review the number of times the local admin password has been retrieved for your Microsoft Managed Desktop devices. |
-
-> [!NOTE]
-> Content included in this report may change slightly each month. We are always looking for the best way to share these details with you and will make updates to keep the most relevant information in this report.
-
-**To download a copy of the report:**
-
-1. In the **Reports** menu, navigate to the **Microsoft Managed Desktop** section. Then, select **Managed devices**.
-1. Select the **Reports** tab. In this view, you'll see all the types of Microsoft Managed Desktop reports available to you.
-1. Select **Service reports** to see the list of service metrics reports that have been published for your tenant. Once downloaded, it can be viewed or shared with your organization offline and outside of the portal.
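Review bot: The procedure headed "To download a copy of the report" has no download step; step 3 goes from selecting **Service reports** straight to "Once downloaded". Add the action that downloads a report. In the table, the Case management row reads "average age based of the support request you create", which needs rewording, and the Windows quality updates row is missing the space after its leading pipe.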
managed-desktop Test Win11 Mmd https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd.md
- Title: Preview and test Windows 11 with Microsoft Managed Desktop
-description: How to get Windows 11 in your environment
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Preview and test Windows 11 with Microsoft Managed Desktop
-
-This article explains how to enroll and participate in the Windows 11 compatibility testing program within your Microsoft Managed Desktop environment. For more general information about Windows 11 and Microsoft Managed Desktop, see [Windows 11 and Microsoft Managed Desktop](../intro/win11-overview.md).
-
-## Add devices to the Windows 11 test group
-
-We've created the device group (**Modern Workplace - Windows 11 Pre-Release Test Devices**) for testing and evaluating Windows 11. Despite "pre-release" in the name, devices in this group receive Windows 11 General Availability builds, and Microsoft Managed Desktop baseline configurations as they become available. They're monitored for reliability issues.
-
-You can use new devices or any existing devices for Windows 11 testing. However, you shouldn't enroll production devices in this group until youΓÇÖre confident in the test devices' compatibility and overall experience.
-
-## Prioritize applications to submit to the Test Base
-
-Business-critical applications are the best candidates for more validation in a closed Windows 11 environment. We can help you decide on apps for Windows 11 testing based on usage and reliability data. To request our recommendations, follow these steps:
-
-1. Open a new support request with the Microsoft Managed Desktop Service Engineering team. If you need more info on how to file the request, see [Admin support](admin-support.md).
-2. Use these values for the fields:
- - Title: Windows 11 Test Base candidates
- - Request type: Request for information
- - Category: Apps
- - Subcategory: Other
-
-## Report issues
-
-If you find Windows 11 compatibility issues with your line-of-business or Microsoft 365 apps, report them to us for investigation and remediation. To report an issue, follow these steps:
-
-1. Open a new support request with the Microsoft Managed Desktop Service Engineering team.
-2. Use these values for the fields:
- - Title: Windows 11 compatibility testing
- - Request type: Incident
- - Category: Devices
- - Subcategory: Windows Upgrade/Update
-
-3. Describe the behavior and how severely it would hinder your business in a production environment.
-
-Microsoft Managed Desktop triages and handles Windows 11 issues based on the effect on productivity. When the request is opened, we'll communicate, with customer admins, to ensure issues that block user productivity are resolved before starting broader Windows 11 migrations within any given tenant.
managed-desktop Work With App Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/work-with-app-control.md
- Title: Work with app control
-description: Learn how to manage app control.
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Work with app control
-
-Once app control has been deployed in your environment, both you and Microsoft Managed Desktop Operations have ongoing responsibilities. For example, you might want to add a new app in the environment, or add (or remove) a trusted signer. To improve security, all apps should be code-signed before you release them to users. An app's publisher details includes information about the signer.
-
-## Add a new app
-
-**To add a new app:**
-
-1. Add the app to [Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
-1. Deploy the app to any device in the Test ring.
-1. Test your app according to your standard business processes.
-1. Check the Event Viewer under **Application and Services Logs\Microsoft\Windows\AppLocker**. Look for any **8003** or **8006** events. These events indicate that the app would be blocked. For more information about all App Locker events and their meanings, see [Using Event Viewer with AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker).
-1. If you find any of these events, open a signer request with Microsoft Managed Desktop Operations.
-
-## Add (or remove) a trusted signer
-
-When you open a signer request, you'll need to provide some important publisher details first.
-
-**To add (or remove) a trusted signer:**
-
-1. [Gather publisher details](#gather-publisher-details).
-1. Open a ticket with Microsoft Managed Desktop Operations to request the signer rule and include following details:
- - Application name
- - Application version
- - Description
- - Change type ("add" or "remove")
- - Publisher details (for example: `O=<publisher name>,L=<location>,S=State,C=Country`)
-
-> [!NOTE]
-> To remove trust for an app, follow the same steps, but set the **Change type** to *remove*.
-
-Operations will progressively deploy policies to deployment groups following this schedule:
-
-|Deployment group|Policy type|Timing|
-||||
-|Test|Audit|Day 0|
-|First|Enforced|Day 1|
-|Fast|Enforced|Day 2|
-|Broad|Enforced|Day 3|
-
-You can pause or roll back the deployment at any time during the rollout. To pause or roll back, open another support request with Microsoft Managed Desktop Operations.
-
-> [!NOTE]
-> If you pause the release of a signer rule, that rule must be either rolled back or completed before another rollout can start.
-
-## Gather publisher details
-
-**To access the publisher data for an app:**
-
-1. Find a Microsoft Managed Desktop device in the Test ring that has an Audit Mode policy applied.
-1. Attempt to install the app on the device.
-1. Open the Event Viewer on that device.
-1. In the Event Viewer, navigate to **Application and Services Logs\Microsoft\Windows**, and then select **AppLocker**.
-1. Find any **8003** or **8006** event, and then copy information from the event:
- - Application name
- - Application version
- - Description
- - Publisher details (for example: `O=<publisher name>, L=<location>, S=State, C=Country`)
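Review bot: the whole of "Work with app control" is deleted with no replacement or redirect visible in this change, which drops the only steps shown here for checking AppLocker **8003** and **8006** events in the Test ring before a signer rule moves from Audit to Enforced. If the procedure has moved, add a redirect and link the new location. If app control is being retired, say so in the commit message, so that readers are not left with an enforced policy and no documented way to request or remove a trusted signer.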
security Compare Mdb M365 Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/compare-mdb-m365-plans.md
Title: Compare security features in Microsoft 365 plans for small and medium-sized businesses
-description: Understand the differences between Defender for Business and Defender for Endpoint. Knowing what's included in each plan can help you make an informed decision for your company.
+description: How does Defender for Business compare to Defender for Endpoint and Microsoft 365 Business Premium? See what's included in each plan so you can make a more informed decision for your company.
search.appverid: MET150 audience: Admin Previously updated : 04/18/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Compare security features in Microsoft 365 plans for small and medium-sized businesses
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
- Microsoft offers a wide variety of cloud solutions and services, including several different plans for small and medium-sized businesses. For example, [Microsoft 365 Business Premium](../../business/microsoft-365-business-overview.md) includes security and device management capabilities, along with productivity features, like Office apps. This article is designed to help clarify what security features, such as device protection, are included in Microsoft 365 Business Premium, Microsoft Defender for Business, and Microsoft Defender for Endpoint.
-Microsoft Defender for Business is available as a standalone offering or as part of Microsoft 365 Business Premium (beginning March 1, 2022).
- > > **Got a minute?** > Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
Microsoft Defender for Business is available as a standalone offering or as part
## Compare security features in Microsoft Defender for Business to Microsoft 365 Business Premium > [!NOTE]
-> This article is intended to provide a high-level overview of threat protection features included in Microsoft Defender for Business (as a standalone plan) and Microsoft 365 Business Premium (which includes Defender for Business). This article is not intended to serve as a service description or licensing contract document. For more information, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
+> This article is intended to provide a high-level overview of threat protection features included in Microsoft Defender for Business (as a standalone plan) and Microsoft 365 Business Premium (which includes Defender for Business). This article is not intended to serve as a service description or licensing contract document. For more information, see the [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
-**Beginning March 1, 2022, Defender for Business will start rolling out as part of Microsoft 365 Business Premium. Defender for Business as a standalone offering is still in preview.**
+**As of March 1, 2022, Defender for Business is included in Microsoft 365 Business Premium. Defender for Business is also available as a standalone subscription.** The following table compares security features and capabilities in Defender for Business (standalone) to Microsoft 365 Business Premium.
-The following table compares security features and capabilities in Defender for Business (standalone) to Microsoft 365 Business Premium.
-
-|Feature/Capability|[Microsoft Defender for Business](mdb-overview.md)<br/>(standalone; currently in preview)|[Microsoft 365 Business Premium](../../business/microsoft-365-business-overview.md)<br/>(includes Defender for Business)|
+|Feature/Capability|[Microsoft Defender for Business](mdb-overview.md)<br/>(standalone)|[Microsoft 365 Business Premium](../../business/microsoft-365-business-overview.md)<br/>(includes Defender for Business)|
|||| |Email protection|Yes <br/>- [Email scanning with Microsoft Defender Antivirus](../defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md)|Yes <br/>- [Exchange Online Protection](../office-365-security/exchange-online-protection-overview.md) <br/>- [Email scanning with Microsoft Defender Antivirus](../defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md)| |Antispam protection|Yes <br/>- For devices|Yes <br/>- For devices<br/>- For Microsoft 365 email content, such as messages and attachments|
The following table compares security features and capabilities in Defender for
## Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2
-Defender for Business brings enterprise-grade capabilities of Defender for Endpoint to small and medium-sized businesses.
-
-The following table compares security features and capabilities in Defender for Business to the enterprise offerings, Microsoft Defender for Endpoint Plans 1 and 2.
+Defender for Business brings enterprise-grade capabilities of Defender for Endpoint to small and medium-sized businesses. The following table compares security features and capabilities in Defender for Business to the enterprise offerings, Microsoft Defender for Endpoint Plans 1 and 2.
-|Feature/Capability|[Defender for Business](mdb-overview.md)<br/>(standalone; currently in preview)|[Defender for Endpoint Plan 1](../defender-endpoint/defender-endpoint-plan-1.md)<br/>(for enterprise customers) |[Defender for Endpoint Plan 2](../defender-endpoint/microsoft-defender-endpoint.md)<br/>(for enterprise customers) |
+|Feature/Capability|[Defender for Business](mdb-overview.md)<br/>(standalone)|[Defender for Endpoint Plan 1](../defender-endpoint/defender-endpoint-plan-1.md)<br/>(for enterprise customers) |[Defender for Endpoint Plan 2](../defender-endpoint/microsoft-defender-endpoint.md)<br/>(for enterprise customers) |
||||| |[Centralized management](../defender-endpoint/manage-atp-post-migration.md) |Yes <sup>[[1](#fn1)]</sup>|Yes|Yes| |[Simplified client configuration](mdb-simplified-configuration.md)|Yes|No|No|
The following table compares security features and capabilities in Defender for
|Partner APIs|Yes|Yes|Yes| |[Microsoft 365 Lighthouse integration](../../lighthouse/m365-lighthouse-overview.md) <br/>(For viewing security incidents across customer tenants)|Yes|No|No|
-(<a id="fn1">1</a>) Onboard and manage devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or with Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).
+(<a id="fn1">1</a>) Onboard and manage devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or with Microsoft Intune, managed in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).
(<a id="fn2">2</a>) Endpoint detection and response (EDR) capabilities in Defender for Business include behavior-based detection and the following four types of manual response actions: - Run antivirus scan
The following table compares security features and capabilities in Defender for
(<a id="fn5">5</a>) In Defender for Business, threat analytics are optimized for small and medium-sized businesses.
-(<a id="fn6">6</a>) During the preview program, Windows client devices are supported for onboarding in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). You can use the local script method. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
+(<a id="fn6">6</a>) See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
## Next steps
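Review bot: footnote 6 now consists only of "See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md)", so the comparison table no longer says anything about onboarding on this page. The removed text at least stated that Windows client devices are supported. Keep a one-clause summary in front of the link, or move the link into the table cell and drop the footnote.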
security Get Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business.md
Title: Get Microsoft Defender for Business
-description: Get Microsoft Defender for Business
+description: Find out how to get Microsoft Defender for Business, endpoint protection for small and medium sized businesses.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Get Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- If you don't already have Microsoft Defender for Business, you can choose from several options: -- [Work with a Microsoft solution provider](#work-with-a-microsoft-solution-provider)-- [Get Microsoft 365 Business Premium](#get-microsoft-365-business-premium)-- [Sign up for Defender for Business preview program](#sign-up-for-the-preview-program)
+- [Try or buy the standalone version of Defender for Business](#try-or-buy-microsoft-defender-for-business)
+- [Get Microsoft 365 Business Premium](#get-microsoft-365-business-premium), which now includes Defender for Business
+- [Work with a Microsoft solution provider](#work-with-a-microsoft-solution-provider) who can help you get everything set up and configured
-If you have signed up for a trial, after you receive your acceptance email, you can [activate your trial and assign user licenses](#activate-your-trial), and then proceed to your [next steps](#next-steps).
+If you have signed up for a trial, after you receive your acceptance email, you can [activate your trial and assign user licenses](#how-to-activate-your-trial), and then proceed to your [next steps](#next-steps).
> > **Got a minute?** > Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you! >
-## Work with a Microsoft Solution Provider
+## Try or buy Microsoft Defender for Business
-Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business Premium and Microsoft Defender for Business.
+1. Go to the [Microsoft Defender for Business](https://www.microsoft.com/security/business/threat-protection/microsoft-defender-business) web page, and select the option to try or buy Defender for Business.
-To find a solution provider in your area, take the following steps:
+2. When you receive your email with your account and subscription information, sign in using the link in your email.
-1. Go to the **Microsoft Solution Providers** page ([https://www.microsoft.com/solution-providers](https://www.microsoft.com/solution-providers)).
-
-2. In the search box, fill in your location and company size.
+3. Proceed to [Add users and assign licenses](mdb-add-users.md).
-3. In the **Search for products, services, skills, industries** box, put `Microsoft 365`, and then select **Go**.
-
-4. Review the list of results. Select a provider to learn more about their expertise and the services they provide. Your provider can help you sign up for Defender for Business.
+> [!TIP]
+> Make sure to see [Trial playbook: Microsoft Defender for Business](trial-playbook-defender-business.md).
## Get Microsoft 365 Business Premium *Beginning March 1, 2022, Defender for Business is rolling out as part of Microsoft 365 Business Premium*.
-See [Try or buy Microsoft 365 Business Premium](../../business-premium/get-microsoft-365-business-premium.md).
-
-## Sign up for the preview program
-
-Participating in the preview program enables you to try out Defender for Business as a standalone subscription. The preview program is available to:
--- Microsoft partners who provide IT services to small and medium-sized businesses-- Small and medium-sized businesses (up to 300 employees) who do not already have Microsoft 365 Business Premium-
-Here's how to sign up:
-
-1. Visit [https://aka.ms/MDB-Preview](https://aka.ms/MDB-Preview).
-
-2. Select **Customer** or **Microsoft Partner**.
-
-3. Review and accept the terms of the Microsoft Defender for Business Preview Agreement, and then choose **Next**.
-
-4. Fill out the form with your contact information.
-
- - If you're a customer who is working with a Microsoft partner, in the **Other** box, fill in the company name of the partner. Then choose **Submit**.
- - If you're a Microsoft partner, make sure to indicate your partnership type and information about customers you're planning to work with.
-
-5. When you have finished filling out the form, choose **Submit**.
+1. Visit the [Microsoft 365 Business Premium product page](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium?activetab=pivot%3aoverviewtab).
-## What to expect after applying
+2. Choose to try or buy your subscription. See [Try or buy a Microsoft 365 for business subscription](../../commerce/try-or-buy-microsoft-365.md). On the [Microsoft 365 Products site](https://www.aka.ms/office365signup), choose **Microsoft 365 Business Premium**.
-We'll review your application and make a determination. You'll then receive an email that either includes your promo code or that explains why we're not able to offer you the trial program at this time.
+3. After you have signed up for Microsoft 365 Business Premium, you'll receive an email with a link to sign in and get started. Proceed to [Set up Microsoft 365 Business Premium](../../business-premium/m365bp-setup.md).
-If you're accepted, your email will contain a license code that you'll use to activate your Defender for Business trial.
-
-> [!IMPORTANT]
-> If you're a partner, after you have been accepted into the preview program, you must have each customer complete the process described in the section, [Sign up for the preview program](#sign-up-for-the-preview-program). Make sure the customer specifies your Microsoft partner name in the **Other** box.
+## Work with a Microsoft Solution Provider
-## Two portals for setup
+Microsoft has a list of solution providers who are authorized to sell offerings, including Microsoft 365 Business Premium and Microsoft Defender for Business. To find a solution provider in your area, take the following steps:
-When you're ready to start your trial, you'll work with two main portals to get things set up. The following table summarizes the two main portals you'll use: <br/><br/>
+1. Go to the **Microsoft Solution Providers** page ([https://www.microsoft.com/solution-providers](https://www.microsoft.com/solution-providers)).
+
+2. In the search box, fill in your location and company size.
-|Portal |Description |
-|||
-| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to activate your trial and sign in for the first time.<br/><br/> You'll also use the Microsoft 365 admin center to: <br/>- Add or remove users<br/>- Assign user licenses<br/>- View your products and services<br/>- Complete setup tasks for your Microsoft 365 subscription <br/><br/> To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |
-| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business. <br/><br/>You'll use the Microsoft 365 Defender portal to: <br/>- View your devices and device protection policies<br/>- View detected threats and take action<br/>- View security recommendations and manage your security settings <br/><br/>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). |
+3. In the **Search for products, services, skills, industries** box, put `Microsoft 365`, and then select **Go**.
-If your company is using Microsoft 365 Business Premium, then you have Microsoft Intune (part of Microsoft Endpoint Manager), and you might be using the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)). Endpoint Manager enables you to manage devices and configure security settings as well. To learn more, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune).
+4. Review the list of results. Select a provider to learn more about their expertise and the services they provide. Your provider can help you sign up for Defender for Business.
-## Activate your trial
+## How to activate your trial
When you receive your acceptance email, here's how to activate your trial subscription:
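Review bot: the retained sentence "If you have signed up for a trial, after you receive your acceptance email, ..." and the unchanged intro under "How to activate your trial" still refer to an "acceptance email", but this change removes the preview sign-up and "What to expect after applying" sections that explained it. The new step 2 calls it the "email with your account and subscription information"; use one term throughout. The unchanged sentence under "Get Microsoft 365 Business Premium" also still says Defender for Business "is rolling out" as part of Business Premium, while the new bullet says Business Premium "now includes" it, so update that sentence to match.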
When you receive your acceptance email, here's how to activate your trial subscr
| You're setting up a Microsoft 365 subscription for the first time. | Select **Go to guided setup** and complete the following steps:<br/><br/>1. Either install your Office apps now, or choose **Continue** to skip this step. (You can install your Office apps later.)<br/><br/>2. If your company has a domain, you can add it now (this option is recommended). Alternately, you could choose to use your default `.onmicrosoft.com` domain for now.<br/><br/>3. Add users and assign licenses. Each user you list will be assigned a license automatically. See [Add users and assign licenses at the same time](mdb-add-users.md). | | You're adding a trial to an existing Microsoft 365 tenant. | 1. Go to the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) and sign in.<br/><br/>2. In the navigation pane, choose **Users** > **Active users**. Review the list of users. <br/><br/>3. To assign licenses, follow the guidance in [Assign licenses to users](../../admin/manage/assign-licenses-to-users.md). |
+## Two portals for setup
-## Next steps
+When you're ready to get started, you'll work with two main portals: the Microsoft 365 admin center, and the Microsoft 365 Defender portal.
-1. [Use the setup wizard in Microsoft Defender for Business](mdb-use-wizard.md) or [See the setup and configuration process for Defender for Business](mdb-setup-configuration.md).
+|Portal |Description |
+|||
+| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to activate your trial and sign in for the first time.<br/><br/> You'll also use the Microsoft 365 admin center to: <br/>- Add or remove users.<br/>- Assign user licenses.<br/>- View your products and services.<br/>- Complete setup tasks for your Microsoft 365 subscription. <br/><br/> To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |
+| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business. <br/><br/>You'll use the Microsoft 365 Defender portal to: <br/>- View your devices and device protection policies.<br/>- View detected threats and take action.<br/>- View security recommendations and manage your security settings.<br/><br/>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). |
+
+> [!TIP]
+> If you have Microsoft 365 Business Premium, then you also have Microsoft Intune. You can use the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)) to manage devices and configure security settings. To learn more about Intune, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune).
++
+## Next steps
-2. [See how to get help and support for Defender for Business](mdb-get-help.md) (just in case you need help)
+- [See the trial playbook: Microsoft Defender for Business](trial-playbook-defender-business.md).
+- [Use the setup wizard in Microsoft Defender for Business](mdb-use-wizard.md).
+- [See the setup and configuration process for Defender for Business](mdb-setup-configuration.md).
+- [See how to get help and support for Defender for Business](mdb-get-help.md) (just in case you need help).
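Review bot: the added line consisting only of `+`, between the new TIP block and `## Next steps`, looks like a leftover and will render as a literal plus sign if it is in the source; remove it. The relocated "Two portals for setup" section also now follows "How to activate your trial", yet its table still opens with "Use the Microsoft 365 admin center to activate your trial", so either place the section before the activation steps or reword that cell.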
security Mdb Add Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-add-users.md
Title: Add users and assign licenses in Microsoft Defender for Business
-description: Learn how to add users and assign licenses
+description: Add users and assign Defender for Business licenses to protect their devices
search.appverid: MET150 audience: Admin Previously updated : 04/14/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium--++ f1.keywords: NOCSH
security Mdb Configure Security Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md
Title: View and edit your security settings in Microsoft Defender for Business
-description: Configure your security policies in Microsoft Defender for Business
+description: View and edit security policies and settings in Defender for Business
search.appverid: MET150 audience: Admin Previously updated : 04/18/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# View and edit your security policies and settings in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
-
-## Overview
- After you've onboarded your company's devices to Microsoft Defender for Business, your next step is to review your security policies. If necessary, you can edit your security policies and settings. > [!TIP]
Use this article as a guide to managing your security policies and settings.
## What to do 1. [Choose where to manage your security policies and devices](#choose-where-to-manage-security-policies-and-devices).-
-2. [View or edit your next-generation protection policies](#view-or-edit-your-next-generation-protection-policies).
-
-3. [View or edit your firewall policies and custom rules](#view-or-edit-your-firewall-policies-and-custom-rules).
-
+2. [Review your next-generation protection policies](#view-or-edit-your-next-generation-protection-policies).
+3. [Review your firewall policies and custom rules](#view-or-edit-your-firewall-policies-and-custom-rules).
4. [Set up web content filtering](#set-up-web-content-filtering).- 5. [Review settings for advanced features](#review-settings-for-advanced-features).-
-6. [View and edit other settings in the Microsoft 365 Defender portal](#view-and-edit-other-settings-in-the-microsoft-365-defender-portal).
-
+6. [View other settings in the Microsoft 365 Defender portal](#view-and-edit-other-settings-in-the-microsoft-365-defender-portal).
7. [Proceed to your next steps](#next-steps). >
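Review bot: items 2, 3 and 6 of the "What to do" list now read "Review your ..." and "View other settings ...", but their anchors (for example `#view-or-edit-your-next-generation-protection-policies`) and the unchanged section headings still say "View or edit". Keep the link text aligned with the headings, or rename the headings in the same change, so that a reader who follows "Review your firewall policies and custom rules" lands on a heading with matching wording.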
Use this article as a guide to managing your security policies and settings.
## Choose where to manage security policies and devices
-Defender for Business features a [simplified configuration process](mdb-simplified-configuration.md) that helps streamline the setup and configuration process. If you select the simplified configuration process, you can view and manage your security policies in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)). However, you're not limited to this option. If you've been using Microsoft Endpoint Manager (which includes Microsoft Intune), you can keep using your Endpoint Manager.
+Defender for Business features a [simplified configuration process](mdb-simplified-configuration.md) that helps streamline the setup and configuration process. If you select the simplified configuration process, you can view and manage your security policies in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)). However, you're not limited to this option. If you've been using Microsoft Intune, you can keep using the Microsoft Endpoint Manager admin center.
The following table can help you choose where to manage your security policies and devices. <br/><br/> | Option | Description | |:|:|
-| **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) can be your one-stop shop for managing your company's devices, security policies, and security settings. You can access your security policies and settings, use your [Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. <br/><br/>If you're using Microsoft Endpoint Manager, devices that you onboard to Defender for Business and your security policies are visible in Endpoint Manager. To learn more, see the following articles:<br/>- [Defender for Business default settings and Microsoft Endpoint Manager](mdb-next-gen-configuration-settings.md#defender-for-business-default-settings-and-microsoft-endpoint-manager)<br/>- [Firewall in Microsoft Defender for Business](mdb-firewall.md) |
-| **Use Microsoft Endpoint Manager** | If your company is already using Endpoint Manager (which includes Microsoft Intune) to manage security policies, you can continue using Endpoint Manager to manage devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <br/><br/>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you'll be prompted to delete any existing security policies in Endpoint Manager to avoid [policy conflicts](mdb-troubleshooting.yml) later. |
+| **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) can be your one-stop shop for managing your company's devices, security policies, and security settings. You can access your security policies and settings, use your [Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. <br/><br/>If you're using Intune, devices that you onboard to Defender for Business and your security policies are visible in the Endpoint Manager admin center. To learn more, see the following articles:<br/>- [Defender for Business default settings and Microsoft Intune](mdb-next-gen-configuration-settings.md#defender-for-business-default-settings-and-microsoft-intune) <br/>- [Firewall in Microsoft Defender for Business](mdb-firewall.md) |
+| **Use the Microsoft Endpoint Manager admin center** | If your company is already using Intune to manage security policies, you can continue using the Endpoint Manager admin center to manage your devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <br/><br/>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you'll be prompted to delete any existing security policies in Intune to avoid [policy conflicts](mdb-troubleshooting.yml) later. |
> [!IMPORTANT]
-> If you are managing security policies in the Microsoft 365 Defender portal, you can *view* those policies in Endpoint Manager, listed as Antivirus or Firewall policies. When you view your firewall policies in Endpoint Manager, you'll see two policies listed: one policy for your firewall protection, and another for custom rules.
+> If you are managing security policies in the Microsoft 365 Defender portal, you can *view* those policies in the Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), listed as **Antivirus** or **Firewall** policies. When you view your firewall policies in the Endpoint Manager admin center, you'll see two policies listed: one policy for your firewall protection, and another for custom rules.
## View or edit your next-generation protection policies
-Depending on whether you're using the Microsoft 365 Defender portal or Microsoft Endpoint Manager to manage your next-generation protection policies, use one of the procedures in the following table:
+Depending on whether you're using the Microsoft 365 Defender portal or the Microsoft Endpoint Manager admin center to manage your next-generation protection policies, use one of the procedures in the following table:
| Portal | Procedure | |:|:| | Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in. <br/><br/>2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.<br/><br/>3. Select an operating system tab (such as **Windows clients**).<br/><br/>4. Expand **Next-generation protection** to view your list of policies.<br/><br/>5. Select a policy to view more details about the policy. To make changes or to learn more about policy settings, see the following articles: <br/>- [View or edit device policies](mdb-view-edit-policies.md)<br/>- [Understand next-generation configuration settings](mdb-next-gen-configuration-settings.md) |
-| Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. You're now in the Microsoft Endpoint Manager admin center.<br/><br/>2. Select **Endpoint security**.<br/><br/>3. Select **Antivirus** to view your policies in that category. <br/><br/>To get help managing your security settings in Microsoft Endpoint Manager, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). |
+| Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. You're now in the Endpoint Manager admin center.<br/><br/>2. Select **Endpoint security**.<br/><br/>3. Select **Antivirus** to view your policies in that category. <br/><br/>To get help managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). |
## View or edit your firewall policies and custom rules
-Depending on whether you're using the Microsoft 365 Defender portal or Microsoft Endpoint Manager to manage your firewall protection, use one of the procedures in the following table:
+Depending on whether you're using the Microsoft 365 Defender portal or the Microsoft Endpoint Manager admin center to manage your firewall protection, use one of the procedures in the following table:
| Portal | Procedure | |:|:| | Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in. <br/><br/>2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.<br/><br/>3. Select an operating system tab (such as **Windows clients**).<br/><br/>4. Expand **Firewall** to view your list of policies.<br/><br/>5. Select a policy to view more details about the policy. To make changes or to learn more about policy settings, see the following articles: <br/>- [View or edit device policies](mdb-view-edit-policies.md)<br/>- [Firewall settings](mdb-firewall.md)<br/>- [Manage your custom rules for firewall policies](mdb-custom-rules-firewall.md) |
-| Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. You're now in the Microsoft Endpoint Manager admin center.<br/><br/>2. Select **Endpoint security**.<br/><br/>3. Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies.<br/><br/>To get help managing your security settings in Microsoft Endpoint Manager, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). |
+| Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. You're now in the Endpoint Manager admin center.<br/><br/>2. Select **Endpoint security**.<br/><br/>3. Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies.<br/><br/>To get help managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). |
## Set up web content filtering
Web content filtering is available on the major web browsers, with blocks perfor
2. Specify a name and description for your policy.
-3. Select categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
-
- To set up an audit-only policy that does not block any websites, do not select any categories.
+3. Select categories to block. Use the expand icon to fully expand each parent category and select specific web content categories. To set up an audit-only policy that does not block any websites, do not select any categories.
Do not select **Uncategorized**.
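Review bot: In step 3, folding the audit-only guidance into the step text puts "do not select any categories" directly in front of the existing "Do not select **Uncategorized**." line, so two different instructions now read as one run. Keep the audit-only sentence as its own indented paragraph or a note under step 3, so an admin who wants blocking does not read it as part of the normal procedure and end up with a policy that blocks nothing.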
The following table describes settings for advanced features:
| Setting | Description | |:|:|
-| Automated Investigation <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action, and then takes (or recommends) remediation actions (such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL). While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<br/><br/>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<br/><br/>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |
-| Live Response | Defender for Business includes the following types of manual response actions: <br/>- Run antivirus scan<br/>- Isolate device<br/>- Stop and quarantine a file<br/>- Add an indicator to block or allow a file <br/><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |
-| Live Response for Servers | (This setting is currently not available in Defender for Business) |
-| Live Response unsigned script execution | (This setting is currently not available in Defender for Business) |
-| Enable EDR in block mode<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. For devices running Microsoft Defender Antivirus as their primary antivirus, EDR in block mode provides an extra layer of defense by allowing Microsoft Defender Antivirus to take automatic actions on post-breach, behavioral EDR detections.<br/><br/>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |
-| Allow or block a file <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) to be turned on.<br/><br/>Blocking a file will prevent it from being read, written, or executed on devices in your organization. <br/><br/>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). |
-| Custom network indicators<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) to be turned on.<br/><br/>You can allow or block IPs, URLs, or domains based on your own threat intelligence. You can also warn users with a prompt if they open a risky app. The prompt won't stop them from using the app, but you can provide a warning for users.<br/><br/>[Learn more about network protection](../defender-endpoint/network-protection.md). |
-| Tamper protection<br/>(we recommend turning this setting on) | Tamper protection prevents malicious apps taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling cloud protection<br/>- Removing security intelligence updates<br/>- Disabling automatic actions on detected threats<br/><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed by apps and unauthorized methods. <br/><br/>[Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |
-| Show user details<br/>(turned on by default) | Enables people in your organization to see details, such as employees' picture, name, title, and department. These details are stored in Azure Active Directory (Azure AD).<br/><br/>[Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |
-| Skype for Business integration<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <br/><br/>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |
-| Web content filtering<br/>(turned on by default) | Block access to websites containing unwanted content and track web activity across all domains. See [Set up web content filtering](#set-up-web-content-filtering). |
-| Microsoft Intune connection<br/>(we recommend turning this setting on if you have Intune) | If your organization's subscription includes Microsoft Intune (part of Microsoft Endpoint Manager, and included in [Microsoft 365 Business Premium](../../business/index.yml)), this setting enables Defender for Business to share information about devices with Intune. |
-| Device discovery<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network - whether it's an unpatched printer, network devices with weak security configurations, or a server with no security controls. <br/><br/>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. <br/><br/>[Learn more about device discovery](../defender-endpoint/device-discovery.md). |
-| Preview features | Microsoft is continually updating services, such as Defender for Business, to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. <br/><br/>[Learn more about preview features](../defender-endpoint/preview.md). |
-
+| **Automated Investigation** <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action, and then takes (or recommends) remediation actions (such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL). While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<br/><br/>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<br/><br/>By default, automated investigation and response capabilities are turned on, tenant wide. **We recommend keeping automated investigation turned on**. If you turn it off, real-time protection in Microsoft Defender Antivirus will be affected, and your overall level of protection will be reduced. <br/><br/>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |
+| **Live Response** | Defender for Business includes the following types of manual response actions: <br/>- Run antivirus scan<br/>- Isolate device<br/>- Stop and quarantine a file<br/>- Add an indicator to block or allow a file <br/><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |
+| **Live Response for Servers** | (This setting is currently not available in Defender for Business) |
+| **Live Response unsigned script execution** | (This setting is currently not available in Defender for Business) |
+| **Enable EDR in block mode**<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode on a device. Endpoint detection and response (EDR) in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.<br/><br/>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |
+| **Allow or block a file** <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) to be turned on.<br/><br/>Blocking a file will prevent it from being read, written, or executed on devices in your organization. <br/><br/>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). |
+| **Custom network indicators**<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) to be turned on.<br/><br/>You can allow or block IPs, URLs, or domains based on your own threat intelligence. You can also warn users with a prompt if they open a risky app. The prompt won't stop them from using the app, but you can provide a warning for users.<br/><br/>[Learn more about network protection](../defender-endpoint/network-protection.md). |
+| **Tamper protection**<br/>(we recommend turning this setting on) | Tamper protection prevents malicious apps taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling cloud protection<br/>- Removing security intelligence updates<br/>- Disabling automatic actions on detected threats<br/><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed by apps and unauthorized methods. <br/><br/>[Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |
+| **Show user details**<br/>(turned on by default) | Enables people in your organization to see details, such as employees' picture, name, title, and department. These details are stored in Azure Active Directory (Azure AD).<br/><br/>[Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |
+| **Skype for Business integration**<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <br/><br/>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |
+| **Web content filtering**<br/>(turned on by default) | Block access to websites containing unwanted content and track web activity across all domains. See [Set up web content filtering](#set-up-web-content-filtering). |
+| **Microsoft Intune connection**<br/>(we recommend turning this setting on if you have Intune) | If your organization's subscription includes Microsoft Intune (included in [Microsoft 365 Business Premium](../../business/index.yml)), this setting enables Defender for Business to share information about devices with Intune. |
+| **Device discovery**<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network - whether it's an unpatched printer, network devices with weak security configurations, or a server with no security controls. <br/><br/>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. <br/><br/>[Learn more about device discovery](../defender-endpoint/device-discovery.md). |
+| **Preview features** | Microsoft is continually updating services, such as Defender for Business, to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. <br/><br/>[Learn more about preview features](../defender-endpoint/preview.md). |
## View and edit other settings in the Microsoft 365 Defender portal
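Review bot: The rewritten **Enable EDR in block mode** row drops the sentence describing what the setting does on devices where Microsoft Defender Antivirus is the primary antivirus, so the row now reads as if the setting only matters in passive mode. Keep that sentence or replace it with a short equivalent. In the **Automated Investigation** row, the new warning "real-time protection in Microsoft Defender Antivirus will be affected" does not say how it is affected. State the effect or point to the linked article for it, since the sentence is the justification for the recommendation.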
security Mdb Create Edit Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-create-edit-device-groups.md
Title: Device groups in Microsoft Defender for Business
-description: Learn about device groups in Microsoft Defender for Business
+description: Security policies are applied to devices through device groups in Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Device groups in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- In Microsoft Defender for Business, policies are applied to devices through certain collections that are called device groups. **This article describes**:
When you are creating or editing a policy, you might see the **Add all devices**
:::image type="content" source="media/add-all-devices-option.png" alt-text="Screenshot of the Add All Devices option.":::
-If you select this option, all devices that are enrolled in Microsoft Endpoint Manager (which includes Microsoft Intune) will receive the policy that you are creating or editing by default.
+If you select this option, all devices that are enrolled in Microsoft Intune will receive the policy that you are creating or editing by default.
## Next steps
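Review bot: In the replacement sentence, the trailing "by default" is ambiguous: it can attach to "will receive the policy" or to "creating or editing". Because this option scopes a security policy to every device enrolled in Microsoft Intune, move the qualifier forward, for example "If you select this option, by default all devices that are enrolled in Microsoft Intune will receive the policy that you are creating or editing."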
security Mdb Custom Rules Firewall https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-custom-rules-firewall.md
Title: Manage custom rules for firewall policies in Microsoft Defender for Business
-description: Custom rules provide exceptions to firewall policies. You can use custom rules to block or allow specific connections in Microsoft Defender for Business
+description: Custom rules provide exceptions to firewall policies. You can use custom rules to block or allow specific connections in Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Manage your custom rules for firewall policies in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
-- Microsoft Defender for Business includes firewall policies that help protect your devices from unwanted network traffic. You can use custom rules to define exceptions for your firewall policies. That is, you can use custom rules to block or allow specific connections. To learn more about firewall policies and settings, see [Firewall in Microsoft Defender for Business](mdb-firewall.md).
security Mdb Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-email-notifications.md
Title: Set up email notifications for your security team
-description: Set up email notifications to tell people about alerts and vulnerabilities with Microsoft Defender for Business
+description: Set up email notifications to tell your security team about alerts and vulnerabilities in Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH # Set up email notifications
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- You can set up email notifications for your security team. Then, as alerts are generated, or new vulnerabilities are discovered, people on your security team will be notified automatically. ## What to do 1. [Learn about types of email notifications](#types-of-email-notifications).- 2. [View and edit email notification settings](#view-and-edit-email-notifications).- 3. [Proceed to your next steps](#next-steps).
security Mdb Firewall https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-firewall.md
Title: Firewall in Microsoft Defender for Business
-description: Learn about Windows Defender Firewall in Microsoft Defender for Business, including configuration settings
+description: Learn about Windows Defender Firewall settings in Defender for Business. Firewall can help prevent unwanted network traffic from flowing to your company devices.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Firewall in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- Microsoft Defender for Business includes firewall capabilities with [Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). Firewall protection helps secure devices with rules that determine which network traffic is permitted to enter or flow from devices. You can use firewall protection to specify whether to allow or block connections on devices in various locations. For example, your firewall settings can allow inbound connections on devices that are connected to your company's internal network, but prevent those connections when the device is on a network with untrusted devices.
security Mdb Get Help https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-help.md
- SMB - M365-security-compliance search.appverid: MET150-
-description: Find out how to get help or contact support in Microsoft Defender for Business
Previously updated : 02/24/2022+
+description: Get help or contact support if you have any issues with Defender for Business.
# Get help and support for Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- ## Get help and support If you need help with Microsoft Defender for Business, select the Help icon (?) in the upper right corner of the screen. Type your question or issue. Several options, such as quick answers or help articles, will be listed.
-If you don't see the answer to your question, you can open a support ticket.
+If you don't see the answer to your question, you can open a support ticket. See [Get support](../../admin/get-help-support.md)
> > **Got a minute?**
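Review bot: The added sentence "See [Get support](../../admin/get-help-support.md)" has no terminal period, unlike the sentence before it on the same line. Add the period after the closing parenthesis of the link.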
If you don't see the answer to your question, you can open a support ticket.
## See also - [Microsoft Defender for Business - Frequently asked questions and answers](mdb-faq.yml)-- [Microsoft Defender for Business troubleshooting](mdb-troubleshooting.yml)
+- [Microsoft Defender for Business troubleshooting](mdb-troubleshooting.yml)
+- [Microsoft 365 Business Premium Overview](../../business-premium/index.md)
security Mdb Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-started.md
Title: Visit the Microsoft 365 Defender portal
-description: See how to get started using the Microsoft 365 Defender portal. Learn how to navigate the portal, and view your current security status and recommendations
+description: Your security center in Defender for Business is the Microsoft 365 Defender portal. Learn how to navigate the portal, and see your next steps.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Visit the Microsoft 365 Defender portal
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is your one-stop shop for using and managing Microsoft Defender for Business. It includes a welcome banner and callouts to help you get started, cards that surface relevant information, and a navigation bar to give you easy access to the various features and capabilities. :::image type="content" source="../../medib-portal-home.png" alt-text="Microsoft 365 Defender portal":::
-
> > **Got a minute?** > Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
security Mdb Lighthouse Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-lighthouse-integration.md
Title: Microsoft 365 Lighthouse and Microsoft Defender for Business
-description: Learn how Microsoft Defender for Business integrates with Microsoft 365 Lighthouse
+description: See how Microsoft Defender for Business integrates with Microsoft 365 Lighthouse, a security solution for Microsoft partners.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Microsoft 365 Lighthouse and Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- ## Microsoft Defender for Business integrates with Microsoft 365 Lighthouse
-If you're a Microsoft Cloud Solution Provider (CSP) and you have [Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md), you can manage security for your customers (small and medium-sized businesses). Microsoft Defender for Business is designed to integrate with Microsoft 365 Lighthouse. When these capabilities become available, you'll be able to view security incidents across tenants in your Microsoft 365 Lighthouse portal ([https://lighthouse.microsoft.com](https://lighthouse.microsoft.com)).
+If you're a Microsoft Cloud Solution Provider (CSP) and you have [Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md), you can manage security for your customers (small and medium-sized businesses). Microsoft Defender for Business is designed to integrate with Microsoft 365 Lighthouse, so that you can view security incidents across tenants in your Microsoft 365 Lighthouse portal ([https://lighthouse.microsoft.com](https://lighthouse.microsoft.com)).
:::image type="content" source="media/lighthouse-incidents.png" alt-text="screenshot of incidents list in Microsoft 365 Lighthouse"::: To access the list of incidents, in Microsoft 365 Lighthouse, on the home page, find the **Security incidents** card, and then select **View all incidents**.
+> [!IMPORTANT]
+> Capabilities are still rolling out. If you don't have these capabilities yet, you should have them soon.
+ ## Learn more about Microsoft 365 Lighthouse Microsoft 365 Lighthouse enables Microsoft Cloud Service Providers to secure and manage devices, data, and users at scale for small- and medium-sized business customers who are using one of the following subscriptions:
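Review bot: The edited paragraph now states in the present tense that you can view security incidents across tenants, while the new IMPORTANT note, placed after the steps for opening the incident list, says the capabilities are still rolling out. A partner who follows the steps and finds no **Security incidents** card gets the explanation only afterward. Move the note above the procedure, and replace "you should have them soon" with something a reader can act on, such as where to check availability.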
security Mdb Manage Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md
Title: Manage devices in Microsoft Defender for Business
-description: Learn how to manage devices in Microsoft Defender for Business
+description: Learn how to add, remove, and manage devices in Defender for Business, endpoint protection for small and medium sized businesses.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Manage devices in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- In Microsoft Defender for Business, you can manage devices as follows: - [View a list of onboarded devices](#view-the-list-of-onboarded-devices) to see their risk level, exposure level, and health state
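Review bot: The new description writes "small and medium sized businesses" without the hyphen, while the Lighthouse article in this same update uses "small and medium-sized businesses". Use "medium-sized" here, and in the next-generation protection description that repeats the phrase.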
security Mdb Next Gen Configuration Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-next-gen-configuration-settings.md
Title: Understand next-generation protection configuration settings in Microsoft Defender for Business
-description: Understand configuration settings for next-generation protection in Microsoft Defender for Business
+description: Understand antivirus and next-generation protection settings in Defender for Business, endpoint security for small and medium sized businesses.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Understand next-generation configuration settings in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
-
-Next-generation protection in Defender for Business includes robust antivirus and antimalware protection. Your default policies are designed to protect your devices and users without hindering productivity; however, you can also customize your policies to suit your business needs. And, if you're using Microsoft Endpoint Manager, you can use that to manage your security policies.
+Next-generation protection in Defender for Business includes robust antivirus and antimalware protection. Your default policies are designed to protect your devices and users without hindering productivity; however, you can also customize your policies to suit your business needs. And, if you're using Microsoft Intune, you can use the Microsoft Endpoint Manager admin center to manage your security policies.
**This article describes**: - [Next-generation protection settings and options](#next-generation-protection-settings-and-options) - [Other preconfigured settings in Defender for Business](#other-preconfigured-settings-in-defender-for-business) -- [Defender for Business default settings and Microsoft Endpoint Manager](#defender-for-business-default-settings-and-microsoft-endpoint-manager)
+- [Defender for Business default settings and Microsoft Intune](#defender-for-business-default-settings-and-microsoft-intune)
## Next-generation protection settings and options
The following security settings are preconfigured in Defender for Business:
- Security intelligence updates are checked before an antivirus scan runs ([CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan)) - Security intelligence checks occur every four hours ([SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval))
-## Defender for Business default settings and Microsoft Endpoint Manager
+## Defender for Business default settings and Microsoft Intune
-The following table describes settings that are preconfigured for Defender for Business and how those settings correspond to what you might see in Microsoft Endpoint Manager (or Microsoft Intune). If you're using the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md) (preview), you don't need to edit these settings.
+The following table describes settings that are preconfigured for Defender for Business and how those settings correspond to what you might see in Intune (managed in the Microsoft Endpoint Manager admin center). If you're using the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you don't need to edit these settings.
| Setting | Description | |||
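Review bot: Renaming the heading to "Defender for Business default settings and Microsoft Intune" changes the section anchor, and this diff updates only the in-page list entry. Any link elsewhere that still targets `#defender-for-business-default-settings-and-microsoft-endpoint-manager` will no longer land on this section, so search the docs set for the old anchor before merging.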
security Mdb Offboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-offboard-devices.md
Title: Offboard a device from Microsoft Defender for Business
-description: Learn about how to remove a device from Microsoft Defender for Business
+description: Learn about how to remove or offboard a device from Microsoft Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/14/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
If you want to offboard a device, use one of the following procedures:
1. Go to **Finder** > **Applications**.
-2. Right click on Microsoft Defender for Business, and then choose **Move to Trash**. <br/><br/> or <br/><br/> Use the following command: `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`.
+2. Right click on Microsoft Defender for Business, and then choose **Move to Trash**. <br/> or <br/> Use the following command: `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`.
> [!IMPORTANT] > Offboarding a device causes the devices to stop sending data to Defender for Business. However, data received prior to offboarding is retained for up to six (6) months. ## Next steps
+- [Use your Threat & Vulnerability Management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md)
+- [View or edit policies in Microsoft Defender for Business](mdb-view-edit-create-policies.md)
+- [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)
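Review bot: The added Next steps entry "View or edit policies in Microsoft Defender for Business" links to `mdb-view-edit-create-policies.md`, while the other articles in this update link the same topic to `mdb-view-edit-policies.md`. Confirm which file exists and use that target so the entry does not ship as a broken link. Separately, the unchanged IMPORTANT note reads "Offboarding a device causes the devices to stop sending data"; make the number agree ("causes the device to stop").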
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
Title: Onboard devices to Microsoft Defender for Business
-description: Learn about device onboarding options in Microsoft Defender for Business
+description: See how to get devices onboarded to Defender for Business to protect your devices from day one.
search.appverid: MET150 audience: Admin Previously updated : 04/18/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Onboard devices to Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- With Microsoft Defender for Business, you have several options to choose from for onboarding your company's devices. This article walks you through your options and includes an overview of how onboarding works. >
With Microsoft Defender for Business, you have several options to choose from fo
## What to do
-1. Select the tab for your operating system:
-
- - Windows clients
- - macOS computers
- - mobile devices
-
+1. Select the tab for your operating system: **Windows clients**, **macOS computers**, or **mobile devices**.
2. View your onboarding options and follow the guidance on the selected tab.- 3. Proceed to your next steps. ## [**Windows clients**](#tab/WindowsClientDevices)
With Microsoft Defender for Business, you have several options to choose from fo
Choose one of the following options to onboard Windows client devices to Defender for Business: - [Local script](#local-script-for-windows-clients) (for onboarding devices manually in the Microsoft 365 Defender portal)-- [Group Policy](#group-policy-for-windows-clients)-- [Microsoft Endpoint Manager](#endpoint-manager-for-windows-clients) (included in [Microsoft 365 Business Premium](../../business-premium/index.md))
+- [Group Policy](#group-policy-for-windows-clients) (if you're already using Group Policy in your organization)
+- [Microsoft Intune](#microsoft-intune-for-windows-clients) (included in [Microsoft 365 Business Premium](../../business-premium/index.md))
### Local script for Windows clients
-You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled), and then onboards the device to Defender for Business. The local script method works even if you don't currently have Endpoint Manager (or Microsoft Intune). We recommend onboarding up to 10 devices at a time using this method.
+You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Intune (if it isn't already enrolled), and then onboards the device to Defender for Business. The local script method works even if you don't currently have Intune. We recommend onboarding up to 10 devices at a time using this method.
> [!TIP] > We recommend onboarding up to 10 devices at a time when you use the local script method.
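Review bot: The rewritten paragraph still ends with "We recommend onboarding up to 10 devices at a time using this method", and the TIP directly below it repeats the same recommendation. Keep one of the two; the TIP is the more visible place for it, so drop the closing sentence from the paragraph.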
You can use a local script to onboard Windows client devices. When you run the o
If you prefer to use Group Policy to onboard Windows clients, follow the guidance in [Onboard Windows devices using Group Policy](../defender-endpoint/configure-endpoints-gp.md). This article describes the steps for onboarding to Microsoft Defender for Endpoint; however, the steps for onboarding to Defender for Business are similar.
-### Endpoint Manager for Windows clients
+### Microsoft Intune for Windows clients
-If your subscription includes [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can onboard Windows clients and other devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Endpoint Manager as part of your subscription. Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management capabilities](/mem/intune/fundamentals/what-is-device-management).
+If your subscription includes Intune, you can onboard Windows clients and other devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Intune as part of your subscription.
There are several methods available for enrolling devices in Intune. We recommend starting with one of the following methods:
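Review bot: In the added paragraph the Microsoft 365 Business Premium link points to `../../business/index.yml`, but the onboarding options list earlier in this same article links that product to `../../business-premium/index.md`. Use one target throughout the article. The same `../../business/index.yml` target also appears in the macOS and mobile devices paragraphs touched by this change.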
When you set up automatic enrollment, users add their work account to the device
2. Select **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
-3. Configure the MDM User scope and the MAM user scope.
+3. Configure the **MDM User scope** and the **MAM user scope**.
:::image type="content" source="mediM user scope and MAM user scope in Intune.":::
After the command has run, the Command Prompt window will close automatically. I
## View a list of onboarded devices
-To view the list of devices that are onboarded to Defender for Business, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, under **Endpoints**, choose **Device invetory**.
+To view the list of devices that are onboarded to Defender for Business, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, under **Endpoints**, choose **Device inventory**.
## Next steps
To view the list of devices that are onboarded to Defender for Business, in the
Choose one of the following options to onboard macOS devices: - [Local script for macOS](#local-script-for-macos) (*recommended*)-- [Endpoint Manager for macOS](#endpoint-manager-for-macos)
+- [Intune for macOS](#microsoft-intune-for-macos)
### Local script for macOS
-When you run the local script on a macOS device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled), and then onboards the device to Defender for Business. The local script method works even if you don't currently have Endpoint Manager (or Microsoft Intune). We recommend onboarding up to 10 devices at a time using this method.
+When you run the local script on a macOS device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Intune (if it isn't already enrolled), and then onboards the device to Defender for Business. The local script method works even if you don't currently have Intune. We recommend onboarding up to 10 devices at a time using this method.
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
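Review bot: The added local-script paragraph says the script "enrolls the device in Microsoft Intune (if it isn't already enrolled)" and, in the next sentence, that the method "works even if you don't currently have Intune". An admin cannot tell from this which trust and enrollment steps the script actually performs on a device in a tenant without Intune; state which steps run in that case. Minor: the new list entry reads "Intune for macOS" while the heading it targets is "Microsoft Intune for macOS".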
When you run the local script on a macOS device, it creates a trust with Azure A
11. After a device has been enrolled in Intune, you can add it to a device group. [Learn more about device groups in Microsoft Defender for Business](mdb-create-edit-device-groups.md).
-### Endpoint Manager for macOS
+### Microsoft Intune for macOS
-If your subscription includes [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can onboard macOS devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Endpoint Manager as part of your subscription. Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management capabilities](/mem/intune/fundamentals/what-is-device-management).
+If your subscription includes Microsoft Intune, you can onboard macOS devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Intune as part of your subscription.
There are several methods available for enrolling devices in Intune. We recommend starting with one of the following methods:
To view the list of devices that are onboarded to Defender for Business, in the
## Mobile devices
-You'll need Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. If you have [Microsoft 365 Business Premium](../../business/index.yml), you have Endpoint Manager as part of your subscription. Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management capabilities](/mem/intune/fundamentals/what-is-device-management).
+You'll need Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. If you have [Microsoft 365 Business Premium](../../business/index.yml), you have Intune.
See the following resources to get help enrolling these devices into Intune:
security Mdb Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md
Title: Overview of Microsoft Defender for Business
-description: Learn about Microsoft Defender for Business, including setup, getting started, and how to use the services
+ Title: What is Microsoft Defender for Business?
+description: Microsoft Defender for Business is a cybersecurity solution for small and medium sized businesses. Defender for Business protects against threats across your devices.
search.appverid: MET150 audience: Admin Previously updated : 04/14/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
-# Overview of Microsoft Defender for Business
-
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
+# What is Microsoft Defender for Business?
Microsoft Defender for Business is a new endpoint security solution that was designed especially for the small and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats.
With Defender for Business, you can help protect the devices and data your busin
- [Find out how to get Microsoft Defender for Business](get-defender-business.md) - **Walk through setting up and configuring your threat protection capabilities**
+ - [Use the trial playbook: Microsoft Defender for Business](trial-playbook-defender-business.md)
+ - [Learn about the simplified configuration process](mdb-simplified-configuration.md)
- [See how to set up and configure Defender for Business](mdb-setup-configuration.md) - **Help you get started using Defender for Business**, starting with the Microsoft 365 Defender portal - [Navigate the Microsoft 365 Defender portal](mdb-get-started.md)
- - [Try preview scenarios, tutorials, and simulations](mdb-tutorials.md)
+ - [Try scenarios, tutorials, and simulations](mdb-tutorials.md)
- **Provide guidance on managing devices and security policies**
- - [Manage devices](mdb-manage-devices.md)
+ - [Monitor or manage devices](mdb-manage-devices.md)
- [View or edit security policies](mdb-view-edit-policies.md)
- - [Manage custom rules for firewall policies](mdb-custom-rules-firewall.md)
## Next steps
security Mdb Policy Order https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-policy-order.md
Title: Understand policy order in Microsoft Defender for Business
-description: Learn about order of priority with policies in Microsoft Defender for Business
+description: Learn about order of priority with cybersecurity policies to protect your company devices with Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Understand policy order in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- ## Policy order in Microsoft Defender for Business Microsoft Defender for Business includes predefined policies to help ensure the devices your employees use are protected. Your security team can add new policies as well. For example, suppose that you want to apply certain settings to some devices, and different settings to other devices. You can do that by adding policies, such as next-generation protection policies or firewall policies.
security Mdb Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-reports.md
Title: Reports in Microsoft Defender for Business
-description: Get an overview of the reports that are available in Microsoft Defender for Business
+description: Get an overview of security reports in Defender for Business. Reports will show detected threats, alerts, vulnerabilities, and device status.
search.appverid: MET150 audience: Admin Previously updated : 04/14/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Reports in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- Several reports are available in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This article describes these reports, how you can use them, and how to find them. ## Reports in Defender for Business
security Mdb Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md
audience: Admin Previously updated : 04/20/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Microsoft Defender for Business requirements
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- This article describes the requirements for Microsoft Defender for Business. ## What to do 1. [Review the requirements and make sure you meet them](#review-the-requirements).- 2. [Proceed to your next steps](#next-steps). >
The following table lists the basic requirements to configure and use Microsoft
| Requirement | Description | |:|:|
-| Subscription | Microsoft 365 Business Premium <br/> or <br/>Microsoft Defender for Business (standalone; currently in preview). <br/><br/> See [How to get Microsoft Defender for Business](get-defender-business.md).<br/><br/>Note that if you have multiple subscriptions, the highest subscription takes precedence. For example, if you have Microsoft Defender for Endpoint Plan 2 (purchased or trial subscription), and you get Microsoft Defender for Business, Defender for Endpoint Plan 2 takes precedence. In this case, you won't see the Defender for Business experience. |
+| Subscription | Microsoft 365 Business Premium or Microsoft Defender for Business (standalone). See [How to get Microsoft Defender for Business](get-defender-business.md).<br/><br/>Note that if you have multiple subscriptions, the highest subscription takes precedence. For example, if you have Microsoft Defender for Endpoint Plan 2 (purchased or trial subscription), and you get Microsoft Defender for Business, Defender for Endpoint Plan 2 takes precedence. In this case, you won't see the Defender for Business experience. |
| Datacenter | One of the following datacenter locations: <br/>- European Union <br/>- United Kingdom <br/>- United States |
-| User accounts | User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/><br/>Microsoft Defender for Business licenses are assigned in the Microsoft 365 admin center<br/><br/>To get help with this task, see [Add users and assign licenses](mdb-add-users.md). |
+| User accounts | - User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/>- Microsoft Defender for Business licenses are assigned in the Microsoft 365 admin center<br/><br/>To get help with this task, see [Add users and assign licenses](mdb-add-users.md). |
| Permissions | To sign up for Microsoft Defender for Business, you must be a Global Admin.<br/><br/>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned: <br/>- Security Reader<br/>- Security Admin<br/>- Global Admin<br/><br/>To learn more, see [Roles and permissions in Microsoft Defender for Business](mdb-roles-permissions.md). | | Browser requirements | Microsoft Edge or Google Chrome |
-| Operating system | To manage devices in Microsoft Defender for Business, your devices must be running one of the following operating systems: <br/>- Windows 10 Business or later <br/>- Windows 10 Professional or later <br/>- Windows 10 Enterprise or later <br/>- macOS (the three most current releases are supported)<br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed. <br/><br/>If you're already managing devices in Microsoft Intune (or Microsoft Endpoint Manager), you can onboard those devices to Defender for Business. |
+| Operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <br/>- Windows 10 Business or later <br/>- Windows 10 Professional or later <br/>- Windows 10 Enterprise or later <br/>- macOS (the three most current releases are supported)<br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on Windows devices. <br/><br/>If you're already managing devices in Microsoft Intune, you can continue to use the Microsoft Endpoint Manager admin center. |
> [!NOTE] > [Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/active-directory-whatis) is used to manage user permissions and device groups. Azure AD is included in your Defender for Business subscription. > - If you do not have a Microsoft 365 subscription before you start your trial, Azure AD will be provisioned for you during the activation process. > - If you do have another Microsoft 365 subscription when you start your Defender for Business trial, you can use your existing Azure AD service.
-> - If you are using [Microsoft 365 Business Premium](../../business/index.yml) when you start your Defender for Business trial, you will have the option to manage devices in Microsoft Intune.
+> - If you are using [Microsoft 365 Business Premium](../../business/index.yml) when you start your Defender for Business trial, you'll have the option to manage your devices using Intune.
## Next steps
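Review bot: In the Operating system row, the old closing sentence said that devices already managed in Intune can be onboarded to Defender for Business; the replacement only says you "can continue to use the Microsoft Endpoint Manager admin center". The row no longer tells the reader whether Intune-managed devices can be onboarded, so keep the onboarding statement and add the admin center sentence after it.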
security Mdb Respond Mitigate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-respond-mitigate-threats.md
Title: Respond to and mitigate threats in Microsoft Defender for Business
-description: As threats are detected, you can take actions to respond to and mitigate those threats.
+description: As threats are detected in Defender for Business, you can take actions to respond to those threats. See how to use the device inventory view.
search.appverid: MET150 audience: Admin Previously updated : 04/14/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Respond to and mitigate threats in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- The Microsoft 365 Defender portal enables your security team to respond to and mitigate detected threats. This article walks you through an example of how you can use Defender for Business. >
security Mdb Review Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-review-remediation-actions.md
Title: Review remediation actions in Microsoft Defender for Business
-description: View remediations that were taken automatically or that are awaiting approval in the Action center
+description: View remediations that were taken on detected threats with Defender for Business. You can view actions in the Action center in the Microsoft 365 Defender portal.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Review remediation actions in the Action center
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval. Examples of remediation actions include sending a file to quarantine, stopping a process from running, and removing a scheduled task. All remediation actions are tracked in the Action center. :::image type="content" source="../../medib-actioncenter.png" alt-text="Screenshot of the Action center":::
security Mdb Roles Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-roles-permissions.md
Title: Assign roles and permissions in Microsoft Defender for Business
-description: Learn how to assign roles and permissions in Microsoft Defender for Business
+description: Assign roles to your cybersecurity team. Learn about these roles and permissions in Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Assign roles and permissions in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- To perform tasks in the Microsoft 365 Defender portal, such as configuring Microsoft Defender for Business, viewing reports, or taking response actions on detected threats, appropriate permissions must be assigned to your security team. Permissions are granted through roles that are assigned in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or in [Azure Active Directory](/azure/active-directory/roles/manage-roles-portal). ## What to do 1. [Learn about roles in Defender for Business](#roles-in-defender-for-business).- 2. [View or edit role assignments for your security team](#view-or-edit-role-assignments).- 3. [Proceed to your next steps](#next-steps). >
security Mdb Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-setup-configuration.md
Title: Set up and configure Microsoft Defender for Business
-description: Get an overview of the setup and configuration process for Microsoft Defender for Business
+description: See how to set up your Defender for Business cybersecurity solution. Onboard devices, review your policies, and edit your settings as needed.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Set up and configure Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- Microsoft Defender for Business provides a streamlined setup and configuration experience, designed especially for the small and medium-sized business. Use this article as a guide for the overall process. > [!TIP]
The following diagram depicts the overall setup and configuration process for De
| 2 | [Assign roles and permissions](mdb-roles-permissions.md) | People on your security team need permissions to perform tasks, such as reviewing detected threats & remediation actions, viewing & editing policies, onboarding devices, and using reports. You can grant these permissions through certain roles. See [Assign roles and permissions](mdb-roles-permissions.md). | | 3 | [Set up email notifications](mdb-email-notifications.md) | You can specify who should receive email notifications when alerts are triggered or new vulnerabilities are discovered. See [Set up email notifications](mdb-email-notifications.md).| | 4 | [Onboard devices](mdb-onboard-devices.md) | Microsoft Defender for Business is set up so that you can choose from several options to onboard your company's devices. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |
-| 5 | [Configure your security settings and policies](mdb-configure-security-settings.md) | You can choose from several options to configure your security settings and policies, including a simplified configuration process or Microsoft Endpoint Manager. See [Configure your security settings and policies](mdb-configure-security-settings.md). |
+| 5 | [Configure your security settings and policies](mdb-configure-security-settings.md) | You can choose from several options to configure your security settings and policies, including a simplified configuration process in Defender for Business, or by using the Microsoft Endpoint Manager admin center. See [Configure your security settings and policies](mdb-configure-security-settings.md). |
## Next steps
security Mdb Simplified Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-simplified-configuration.md
Title: The simplified configuration process in Microsoft Defender for Business
-description: Learn about the simplified configuration process in Microsoft Defender for Business
+description: Defender for Business saves your business time with a simplified configuration process. See how it works and protects your business from day one.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# The simplified configuration process in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- Microsoft Defender for Business features a simplified configuration process, designed especially for small and medium-sized businesses. This experience takes the guesswork out of onboarding and managing devices, with a wizard-like experience and default policies that are designed to protect your company's devices from day one. **We recommend using the simplified configuration process; however, you're not limited to this option**. When it comes to onboarding devices and configuring security settings for your company's devices, you can choose from several experiences: - The simplified configuration process in Microsoft Defender for Business (*recommended*) -- Microsoft Endpoint Manager, which includes Microsoft Intune (included in [Microsoft 365 Business Premium](../../business-premium/index.md))-- Your non-Microsoft solution for managing devices
+- Microsoft Intune (included in [Microsoft 365 Business Premium](../../business-premium/index.md))
## What to do 1. [Review your setup and configuration options](#review-your-setup-and-configuration-options)- 2. [Learn more about the simplified configuration process in Defender for Business](#why-we-recommend-using-the-simplified-configuration-process)- 3. [Proceed to your next steps](#next-steps) >
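Review bot: With the "Your non-Microsoft solution for managing devices" bullet removed, the unchanged lead-in "you can choose from several experiences" now introduces only two options. Change "several" to "two", or reword the lead-in. If non-Microsoft device management is still supported, say so somewhere in the article, because the table row that covered it is removed in the same change.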
The following table describes each experience:
| Portal experience | Description | |||
-| The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) <br/>(*This is the recommended option for most customers*) | The simplified configuration experience includes a wizard-like experience to help you set up and configure Defender for Business. Simplified configuration also includes default security settings and policies to help you protect your company's devices as soon as they are onboarded to Defender for Business. <br/><br/>With this experience, your security team uses the Microsoft 365 Defender portal to: <br/>- Set up and configure Defender for Business <br/>- View and manage incidents<br/>- Respond to and mitigate threats<br/>- View reports<br/>- Review pending or completed actions <br/><br/> The Microsoft 365 Defender portal is your one-stop shop for your company's security settings and threat protection capabilities. You get a simplified experience to help you get started quickly and efficiently. To learn more, see [Use the wizard to set up Microsoft Defender for Business](mdb-use-wizard.md).<br/><br/>And, you can edit your settings or define new policies to suit your company's needs.<br/><br/>To learn more, see [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md). |
-| The Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | Microsoft Endpoint Manager includes Microsoft Intune, a cloud-based mobile device management (MDM) and mobile application management (MAM) provider for apps and devices. [Microsoft 365 Business Premium](../../business-premium/index.md) customers already have Endpoint Manager. <br/><br/>Many companies use Intune to manage their devices, such as mobile phones, tablets, and laptops. To learn more, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune). <br/><br/>If you're already using Microsoft Intune or Microsoft Endpoint Manager, you can continue using that solution. |
-| Your non-Microsoft device management solution | If you're using a non-Microsoft productivity and device management solution, you can continue to use that solution with Defender for Business. <br/><br/>When devices are onboarded to Defender for Business, you'll see their status and alerts in the Microsoft 365 Defender portal. To learn more, see [Onboarding and configuration tool options for Defender for Endpoint](../defender-endpoint/onboard-configure.md). |
-
+| The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) <br/>(*This is the recommended option for most customers*) | The simplified configuration experience includes a wizard-like experience to help you set up and configure Defender for Business. To learn more, see [Use the wizard to set up Microsoft Defender for Business](mdb-use-wizard.md).<br/><br/>Simplified configuration also includes default security settings and policies to help you protect your company's devices as soon as they are onboarded to Defender for Business. You can view your default policies, and if necessary, edit your policies to suit your business needs. To learn more, see [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md).<br/><br/>With the simplified experience, your security team uses the Microsoft 365 Defender portal as a one-stop shop to: <br/>- Set up and configure Defender for Business <br/>- View and manage incidents<br/>- Respond to and mitigate threats<br/>- View reports<br/>- Review pending or completed actions |
+| The Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) provider for apps and devices. Intune is not included in the standalone version of Defender for Business; however, [Microsoft 365 Business Premium](../../business-premium/index.md) includes Intune.<br/><br/>If you're already using Intune, you can use the Endpoint Manager admin center to manage devices, such as mobile phones, tablets, and laptops. See [Microsoft Intune: Device management](/mem/intune/fundamentals/what-is-device-management). |
## Why we recommend using the simplified configuration process
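Review bot: The rewritten table drops the "Your non-Microsoft device management solution" row without a replacement, so the section no longer says whether devices managed by a non-Microsoft tool can still be onboarded and report status and alerts in the Microsoft 365 Defender portal. If that option is still supported, keep a shortened row with the existing link to the Defender for Endpoint onboarding options; if it is not, say so explicitly so readers don't assume coverage they don't have.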
-**We recommend using the simplified configuration process in Microsoft Defender for Business** for most customers. The simplified configuration process is streamlined especially for small and medium-sized businesses. Defender for Business is designed to help you protect your company's devices on day one, without requiring deep technical expertise or special knowledge. With default security settings and policies, your devices are protected as soon as they're onboarded.
+**We recommend using the simplified configuration process in Microsoft Defender for Business** for most customers.
-Defender for Business is designed to provide strong protection while saving you time and effort in configuring your security settings. The streamlined experience in the Microsoft 365 Defender portal makes it simple to onboard devices and manage them. In addition, default policies are included so that your company's devices are protected as soon as they're onboarded. You can keep your default settings as they are, or make changes to suit your business needs. You can also add new policies to manage devices as needed.
+- The simplified configuration process is streamlined especially for small and medium-sized businesses.
+- Defender for Business doesn't require deep technical expertise or special knowledge.
+- With default security settings and policies, your devices are protected as soon as they're onboarded.
+- The streamlined experience in the Microsoft 365 Defender portal makes it simple to onboard devices and manage them.
+- Default policies are included so that your company's devices are protected as soon as they're onboarded.
+- You can keep your default settings as they are, or make changes to suit your business needs.
+- You can add new, custom policies to suit your business needs.
## Next steps
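Review bot: The new bullet list repeats itself: "With default security settings and policies, your devices are protected as soon as they're onboarded" and "Default policies are included so that your company's devices are protected as soon as they're onboarded" make the same point, and the last two bullets both end in "to suit your business needs". Merge each pair into a single bullet so the list reads as five distinct reasons rather than seven.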
security Mdb Tutorials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-tutorials.md
Title: Tutorials and simulations in Microsoft Defender for Business
-description: Learn about several tutorials to help you get started using Defender for Business
+description: Learn about several tutorials to help you get started using Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Tutorials and simulations in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is now in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. We will onboard an initial set of customers and partners in the coming weeks and will expand the preview leading up to general availability. Note that preview will launch with an [initial set of scenarios](#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
-
-If you've just finished setting up Microsoft Defender for Business, you might be wondering where to start to learn about how Defender for Business works. This article describes preview scenarios to try, and several tutorials and simulations that are available for Defender for Business. These resources are designed to help you see how Defender for Business can work for your company.
+If you've just finished setting up Microsoft Defender for Business, you might be wondering where to start to learn about how Defender for Business works. This article describes some scenarios to try, and several tutorials and simulations that are available for Defender for Business. These resources are designed to help you see how Defender for Business can work for your company.
> > **Got a minute?** > Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you! >
-## Try these preview scenarios
+## Try these scenarios
The following table summarizes several scenarios to try with Defender for Business: | Scenario | Description | |||
-| Onboard devices using a local script <br/>(*not for production deployment*) | In Defender for Business, you can onboard up to ten Windows 10 and 11 devices using a script that you download and run on each device. Suitable for evaluating how Defender for Business will work in your environment, the script creates a trust with Azure Active Directory (Azure AD) and enrolls the device with Microsoft Intune. To learn more, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |
-| Onboard devices using Microsoft Intune | If you were already using Microsoft Intune before getting Defender for Endpoint, you can continue to use Microsoft Intune to onboard devices. Try onboarding macOS, iOS, and Android devices with Microsoft Intune. To learn more, see [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment). |
-| Edit security policies | If you're managing your security policies in Defender for Business, use the **Device configuration** page to view and edit your policies. To learn more, see [View or edit policies in Microsoft Defender for Business](mdb-view-edit-policies.md). |
-| Execute a simulated attack | Several tutorials and simulations are available in Defender for Business. These tutorials and simulations are designed to show you firsthand how the threat protection features of Defender for Business can work for your company. To try one or more of the tutorials, see [Recommended tutorials for Microsoft Defender for Business](#recommended-tutorials-for-defender-for-business). |
-| View incidents in Microsoft 365 Lighthouse | If you are a [Microsoft Cloud Solution Provider](/partner-center/enrolling-in-the-csp-program) using Microsoft 365 Lighthouse, you will be able to view incidents across your customers' tenants in your Microsoft 365 Lighthouse portal soon. To learn more, see [Microsoft 365 Lighthouse and Microsoft Defender for Business](mdb-lighthouse-integration.md). |
+| Onboard devices using a local script | In Defender for Business, you can onboard Windows and macOS devices by using a script that you download and run on each device. The script creates a trust with Azure Active Directory (Azure AD) (if that trust doesn't already exist), enrolls the device with Microsoft Intune (if you have Intune), and onboards the device to Defender for Business. To learn more, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |
+| Onboard devices using the Microsoft Endpoint Manager admin center | If you were already using Intune before getting Defender for Business, you can continue to use Endpoint Manager admin center to onboard devices. Try onboarding your Windows, macOS, iOS, and Android devices with Microsoft Intune. To learn more, see [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment). |
+| Edit security policies | If you're managing your security policies in Defender for Business, use the **Device configuration** page to view and, if necessary, edit your policies. Defender for Business comes with default policies that use recommended settings to secure your company's devices as soon as they're onboarded. You can keep your default policies, edit them, and define your own to suit your business needs. To learn more, see [View or edit policies in Microsoft Defender for Business](mdb-view-edit-policies.md). |
+| Run a simulated attack | Several tutorials and simulations are available in Defender for Business. These tutorials and simulations are designed to show you firsthand how the threat protection features of Defender for Business can work for your company. You can also use a simulated attack as a training exercise for your team. To try one or more of the tutorials, see [Recommended tutorials for Microsoft Defender for Business](#recommended-tutorials-for-defender-for-business). |
+| View incidents in Microsoft 365 Lighthouse | If you are a [Microsoft Cloud Solution Provider](/partner-center/enrolling-in-the-csp-program) using Microsoft 365 Lighthouse, you will be able to view incidents across your customers' tenants in your Microsoft 365 Lighthouse portal. To learn more, see [Microsoft 365 Lighthouse and Microsoft Defender for Business](mdb-lighthouse-integration.md). |
## Recommended tutorials for Defender for Business
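Review bot: In the "View incidents in Microsoft 365 Lighthouse" row, "soon" was removed but the sentence still reads "you will be able to view incidents"; if the feature is available now, use "you can view incidents". Two further points in the same table: the local-script row no longer carries the "not for production deployment" qualifier or the ten-device limit, so state whether the script is now supported for production onboarding, and "continue to use Endpoint Manager admin center" needs "the" before "Endpoint Manager".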
security Mdb Use Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-use-wizard.md
Title: Use setup wizard in Microsoft Defender for Business
-description: Defender for Business includes a wizard-like setup and configuration process. Use the wizard to save time and effort.
+description: Defender for Business makes setup easy with a wizard that runs the first time you use Defender for Business. See how the setup wizard works.
search.appverid: MET150 audience: Admin Previously updated : 04/15/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium-+ f1.keywords: NOCSH - SMB
# Use the setup wizard in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- Microsoft Defender for Business was designed to save small and medium-sized businesses time and effort. For example, you can do initial setup and configuration with a setup wizard. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices. >
The setup wizard is designed to help you set up and configure Defender for Busin
[Learn more about roles and permissions](mdb-roles-permissions.md).
-2. **Set up email notifications**. In this step, you can set up email notifications for your security team. Then, when an alert is generated or a new vulnerability is discovered, your security team won't about it even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).
+2. **Set up email notifications**. In this step, you can set up email notifications for your security team. Then, when an alert is generated or a new vulnerability is discovered, your security team won't miss it even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).
3. **Onboard and configure Windows devices**. In this step, you can onboard your company's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one.
- - **If you're already using Microsoft Endpoint Manager** (which includes Microsoft Intune), and your company has devices enrolled in Endpoint Manager, you'll be asked whether you want to use [automatic onboarding](#what-is-automatic-onboarding) for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Endpoint Manager and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.
- - **If you're not already using Endpoint Manager**, you can [onboard devices to Defender for Business](mdb-onboard-devices.md).
+ - **If you're already using Microsoft Intune**, and your company has devices enrolled in Intune, you'll be asked whether you want to use [automatic onboarding](#what-is-automatic-onboarding) for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Intune and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.
+ - **If you're not already using Intune**, you can [onboard devices to Defender for Business](mdb-onboard-devices.md).
[Learn more about onboarding devices to Microsoft Defender for Business](mdb-onboard-devices.md).
-4. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can also create your own security policies. And, if you're already using Endpoint Manager, you can continue using that to manage your security policies.
+4. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can also create your own security policies. And, if you're already using Intune, you can continue using the Microsoft Endpoint Manager admin center to manage your security policies.
[View and edit your security policies and settings](mdb-configure-security-settings.md). ## What is automatic onboarding?
-Automatic onboarding is a simplified way to onboard Windows devices to Defender for Business. Automatic onboarding is only available for Windows devices that are already enrolled in Microsoft Endpoint Manager (or Microsoft Intune).
+Automatic onboarding is a simplified way to onboard Windows devices to Defender for Business. Automatic onboarding is only available for Windows devices that are already enrolled in Microsoft Intune.
-While you're using the setup wizard, the system will detect whether Windows devices are already enrolled in Endpoint Manager. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later.
+While you're using the setup wizard, the system will detect whether Windows devices are already enrolled in Intune. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later.
To onboard other devices, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). > [!TIP]
-> - We recommend selecting the "all devices enrolled" option. That way, when Windows devices are enrolled in Endpoint Manager later on, they'll be onboarded to Defender for Business automatically.
-> - If you've been managing security policies and settings in Endpoint Manager, we recommend switching to the Microsoft 365 Defender portal to manage your devices, policies, and settings. To learn more, see [Choose where to manage security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices).
+> - We recommend selecting the "all devices enrolled" option. That way, when Windows devices are enrolled in Intune later on, they'll be onboarded to Defender for Business automatically.
+> - If you've been managing security policies and settings in the Endpoint Manager admin center, we recommend switching to the Microsoft 365 Defender portal to manage your devices, policies, and settings. To learn more, see [Choose where to manage security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices).
## What happens if I don't use the wizard?
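Review bot: The second tip recommends switching from the Endpoint Manager admin center to the Microsoft 365 Defender portal for managing policies, while the revised step 4 earlier in this article tells Intune users they "can continue using the Microsoft Endpoint Manager admin center to manage your security policies" with no mention of that recommendation. Add a pointer in step 4 to the "Choose where to manage security policies and devices" link so readers get one consistent answer about which console to use and don't end up maintaining policies in both.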
security Mdb View Edit Create Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-edit-create-policies.md
Title: View or edit policies in Microsoft Defender for Business
-description: Learn how to view, edit, create, and delete next-generation protection policies in Microsoft Defender for Business
+description: Learn how to view, edit, create, and delete cybersecurity policies in Defender for Business. Protect your devices with security policies.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# View or edit policies in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- In Microsoft Defender for Business, security settings are configured through policies that are applied to devices. To help simplify your setup and configuration experience, Defender for Business includes preconfigured policies to help protect your company's devices as soon as they are onboarded. You can use the default policies, edit policies, or create your own policies. **This article describes how to**:
security Mdb View Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-manage-incidents.md
Title: View and manage incidents in Microsoft Defender for Business
-description: Learn how to view & manage alerts, respond to threats, manage devices, and review remediation actions
+description: View and manage alerts, respond to threats, manage devices, and review remediation actions on detected threats in Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# View and manage incidents in Microsoft Defender for Business
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft 365 Defender portal. **This article includes**:
security Mdb View Tvm Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-tvm-dashboard.md
Title: View your Threat & Vulnerability Management dashboard in Microsoft Defender for Business
-description: Use your threat & Threat & Threat & Vulnerability Management dashboard to see important items to address.
+description: Use your threat & Threat & Threat & Vulnerability Management dashboard to see important items to address in Defender for Business.
search.appverid: MET150 audience: Admin Previously updated : 04/14/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Use your Threat & Vulnerability Management dashboard in Microsoft Defender for Business
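Review bot: The new description still contains the garbled "Use your threat & Threat & Threat & Vulnerability Management dashboard" carried over from the old line; the edit only appended "in Defender for Business". Change it to "Use your Threat & Vulnerability Management dashboard to see important items to address in Defender for Business."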
-> [!NOTE]
-> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
- Microsoft Defender for Business includes a Threat & Vulnerability Management dashboard that is designed to save your security team time and effort. In addition to providing an exposure score, you can also view information about exposed devices and security recommendations. You can use your Threat & Vulnerability Management dashboard to: - View your exposure score, which is associated with devices in your company
security Trial Playbook Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/trial-playbook-defender-business.md
+
+ Title: "Microsoft Defender for Business trial playbook"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+ms.localizationpriority: high
+ms.technology: mdb
+search.appverid:
+- MOE150
+- MET150
+description: "Make the most of your Defender for Business trial with this playbook. Get set up quickly and get started using your new security capabilities."
++
+# Trial playbook: Microsoft Defender for Business
+
+**Welcome to the Defender for Business trial playbook!**
+
+This playbook is a simple guide to help you make the most of your 30-day free trial. Using the recommendations in this article from the Microsoft Defender team, you'll learn how Defender for Business can help you elevate your security from traditional antivirus protection to next-generation protection, endpoint detection and response, and threat and vulnerability management.
+
+## What is Defender for Business?
+
+Defender for Business is a new endpoint security solution that was designed especially for small and medium-sized businesses (up to 300 employees). With this endpoint security solution, your organization's devices are better protected from ransomware, malware, phishing, and other threats.
++
+**LetΓÇÖs get started!**
+
+## Set up your trial
+
+Here's how to set up your trial subscription:
+
+1. [Add users and assign licenses](#step-1-add-users-and-assign-licenses).
+2. [Visit the Microsoft 365 Defender portal](#step-2-visit-the-microsoft-365-defender-portal).
+3. [Use the setup wizard](#step-3-use-the-setup-wizard-in-defender-for-business-recommended).
+4. [Set up and configure Defender for Business](#step-4-set-up-and-configure-defender-for-business).
+
+### Step 1: Add users and assign licenses
+
+As soon as you've signed up for Defender for Business, your first step is to **[add users and assign licenses](mdb-add-users.md)**.
+
+> [!NOTE]
+> You must be a global administrator to perform this task. The person who signed your company up for Microsoft 365 or Defender for Business is the global administrator by default. [Learn more about roles and permissions](mdb-roles-permissions.md).
+
+### Step 2: Visit the Microsoft 365 Defender portal
+
+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is your one-stop shop for using and managing Defender for Business. It includes a welcome banner and callouts to help you get started, cards that surface relevant information, and a navigation bar to give you easy access to the various features and capabilities.
+
+- **[Visit the Microsoft 365 Defender portal](mdb-get-started.md)**.
+- **[Explore the navigation bar](mdb-get-started.md#the-navigation-bar)** on the left side of the screen to access your incidents, view reports, and manage your security policies and settings.
+
+### Step 3: Use the setup wizard in Defender for Business (recommended)
+
+Defender for Business was designed to save small and medium-sized businesses time and effort. You can do initial setup and configuration with a setup wizard. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices. **[Use the setup wizard](mdb-use-wizard.md)**.
+
+> [!NOTE]
+> You can only use the set-up wizard once.
+
+#### Setup wizard flow: what to expect
+
+> [!TIP]
+> **Using the setup wizard is optional** (see [What happens if I don't use the wizard?](mdb-use-wizard.md#what-happens-if-i-dont-use-the-wizard)). If you choose not to use the wizard, or if the wizard is closed before your set-up process is complete, you can complete the setup and configuration process on your own. See [Step 4](#step-4-set-up-and-configure-defender-for-business).
+
+1. **[Assign user permissions](mdb-roles-permissions.md#view-or-edit-role-assignments)**. Grant your security team access to the Microsoft 365 Defender portal.
+
+2. **[Set up email notifications](mdb-email-notifications.md#view-and-edit-email-notifications)** for your security team.
+
+3. **[Onboard and configure Windows devices](mdb-onboard-devices.md)**. Onboarding devices right away helps protect those devices from day one.
+
+ > [!NOTE]
+ > While you're using the setup wizard, the system will detect whether you have Windows devices that are already enrolled in Intune. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later. [Learn more about automatic onboarding](mdb-use-wizard.md#what-is-automatic-onboarding).
+
+ To onboard other devices, see [step 4](#step-4-set-up-and-configure-defender-for-business).
+
+4. **[View and if necessary, edit your security policies](mdb-configure-security-settings.md)**. Defender for Business includes default security policies for next generation protection and firewall protection that can be applied to your companyΓÇÖs devices. These preconfigured security policies use recommended settings so you're protected as soon as your devices are onboarded to Defender for Business. And you still have the ability to edit policies or create new ones.
+
+### Step 4: Set up and configure Defender for Business
+
+If you choose not to use the setup wizard, the following diagram depicts the [overall setup and configuration process](mdb-setup-configuration.md#the-setup-and-configuration-process) for Defender for Business.
+
+[:::image type="content" source="medi)
+
+If you used the setup wizard, but you need to onboard more devices, such as non-Windows devices, go directly to step 4 in the following procedure:
+
+1. **[Review the requirements](mdb-requirements.md)** to configure and use Defender for Business.
+
+2. **[Assign roles and permissions](mdb-roles-permissions.md)** in the Microsoft 365 Defender portal.
+
+ - [Learn about roles in Defender for Business](mdb-roles-permissions.md#roles-in-defender-for-business).
+ - [View or edit role assignments for your security team](mdb-roles-permissions.md#view-or-edit-role-assignments).
+
+3. **[Set up email notifications](mdb-email-notifications.md)** for your security team.
+
+ - [Learn about types of email notifications](mdb-email-notifications.md#types-of-email-notifications).
+ - [View and edit email notification settings](mdb-email-notifications.md#view-and-edit-email-notifications).
+
+4. **[Onboard devices](mdb-onboard-devices.md)**. With Defender for Business, you have several options to choose from for onboarding your company's devices. Start by selecting the operating system you want to onboard.
+
+ | Devices | Onboarding methods |
+ |:|:|
+ | [Windows clients](mdb-onboard-devices.md) | Choose one of the following options to onboard Windows client devices to Defender for Business:<br/>- Local script (for onboarding devices manually in the Microsoft 365 Defender portal)<br/>- Group Policy (if you're already using Group Policy and prefer this method)<br/>- Microsoft Intune (*recommended*; included in [Microsoft 365 Business Premium](../../business-premium/index.md)) |
+ | [macOS computers](mdb-onboard-devices.md) | Choose one of the following options to onboard macOS devices:<br/>- Local script for macOS (*recommended*) <br/>- Microsoft Intune for macOS (Intune is included in [Microsoft 365 Business Premium](../../business-premium/index.md))<br/><br/>We recommend using a local script to onboard macOS devices. Although you can [set up enrollment for macOS devices in Intune](/mem/intune/enrollment/macos-enroll), the local script is the simplest method for onboarding macOS devices to Defender for Business. |
+ | Windows Server and Linux servers | *Windows Server and Linux servers are currently unsupported. Server onboarding and security capabilities are coming soon to Defender for Business*. |
+ | [Mobile devices](mdb-onboard-devices.md) | You'll need Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. If you have [Microsoft 365 Business Premium](../../business-premium/index.md), you've Intune as part of your subscription. Intune can also be purchased separately. See the following resources to get help enrolling these devices into Intune:<br/>- [Enroll Android devices](/mem/intune/enrollment/android-enroll)<br/>- [Enroll iOS or iPadOS devices](/mem/intune/enrollment/ios-enroll) |
+
+5. **[View, and if necessary, configure your security policies](mdb-configure-security-settings.md)**. After you've onboarded your company's devices to Microsoft Defender for Business, your next step is to view and if necessary, edit your security policies and settings. Defender for Business includes preconfigured security policies that use recommended settings. However, you can edit your settings to suit your business needs.
+
+ | Action | Description |
+ |:|:|
+ | [Choose where to manage your security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices). | If you select the [simplified configuration process](mdb-simplified-configuration.md), you can view and manage your security policies in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). However, you're not limited to this option. If you've been using [Intune](/mem/intune/protect/), you can keep using the Microsoft Endpoint Manager admin center to manage your security policies and devices. |
+ | [View or edit your next-generation protection policies](mdb-configure-security-settings.md#view-or-edit-your-next-generation-protection-policies). | Next-generation protection settings include real-time protection, block at first sight, network protection, actions to take on potentially unwanted apps, and antivirus scheduled scans. |
+ | [View or edit your firewall policies](mdb-configure-security-settings.md#view-or-edit-your-firewall-policies-and-custom-rules). | Firewall protection determines what network traffic is allowed to flow to or from your company's devices. [Custom rules](mdb-custom-rules-firewall.md) can be used to define exceptions to your firewall policies. |
+ | [Set up web content filtering](mdb-configure-security-settings.md#set-up-web-content-filtering). | Web content filtering enables your security team to track and regulate access to websites based on their content categories, such as adult content, high bandwidth, legal liability, leisure, or uncategorized. |
+ | [Review settings for advanced features](mdb-configure-security-settings.md#review-settings-for-advanced-features). | In Defender for Business, your security features are preconfigured using recommended settings; however, you can review them, and if necessary, edit settings to suit your business needs. <br/><br/>To access settings for advanced features, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features**. |
+ | [View and edit other settings](mdb-configure-security-settings.md#access-your-settings-in-the-microsoft-365-defender-portal) in the Microsoft 365 Defender portal. | In addition to security policies that are applied to devices, there are other settings you can view and edit in Defender for Business. For example, you specify the time zone to use, and you can onboard (or offboard) devices. |
+
+## Start using Defender for Business
+
+In the next 30 days, we recommend you try out your new security capabilities, as described in the following sections:
+
+- [Use your Threat & Vulnerability Management dashboard](#use-your-threat--vulnerability-management-dashboard)
+- [View and respond to detected threats](#view-and-respond-to-detected-threats)
+- [Review security policies](#review-security-policies)
+- [Prepare for ongoing security management](#prepare-for-ongoing-security-management)
+
+### Use your Threat & Vulnerability Management dashboard
+
+Defender for Business includes a Threat & Vulnerability Management dashboard that is designed to save your security team time and effort. [Use your Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md).
+
+- View your exposure score, which is associated with devices in your organization.
+- View your top security recommendations, such as addressing impaired communications with devices, turning on firewall protection, or updating Microsoft Defender Antivirus definitions.
+- View remediation activities, such as any files that were sent to quarantine, or vulnerabilities found on devices.
+
+### View and respond to detected threats
+
+As threats are detected and alerts are triggered, incidents are created. Your organization's security team can view and manage incidents in the Microsoft 365 Defender portal. [View and respond to detected threats](mdb-view-manage-incidents.md).
+
+- [View and manage incidents](mdb-view-manage-incidents.md).
+- [Respond to and mitigate threats](mdb-respond-mitigate-threats.md).
+- [Review mediation actions in the Action Center](mdb-review-remediation-actions.md).
+- [View and use reports](mdb-reports.md).
+
+### Review security policies
+
+In Defender for Business, security settings are configured through policies that are applied to devices. Defender for Business includes preconfigured policies to help protect your company's devices as soon as they are onboarded, safeguarding your organization against identity, device, application, and document security threats. [Review security policies](mdb-view-edit-create-policies.md).
+
+- [Learn about your default policies](mdb-view-edit-create-policies.md#default-policies-in-defender-for-business).
+- [View your existing policies](mdb-view-edit-create-policies.md#view-your-existing-policies).
+- [Understand policy order](mdb-policy-order.md).
+- [Understand next-generation configuration settings](mdb-next-gen-configuration-settings.md).
+- [Review your default firewall settings](mdb-firewall.md#default-firewall-settings-in-defender-for-business).
+- [Understand firewall settings you can configure](mdb-firewall.md#firewall-settings-you-can-configure-in-defender-for-business).
+- [Set up web content filtering](mdb-configure-security-settings.md#set-up-web-content-filtering). Web content filtering enables your security team to track and regulate access to websites based on their content categories. It is not turned on by default, so you will need to set it up if you want this capability for your organization.
+
+### Prepare for ongoing security management
+
+New security events, such as threat detections on a device, adding new devices, and employees joining or leaving the organization will require you manage your security. In Microsoft Defender for Business, there are many ways for you to manage device security.
+
+- [View a list of onboarded devices](mdb-manage-devices.md#view-the-list-of-onboarded-devices) to see their risk level, exposure level, and health state.
+- [Take action on a device](mdb-manage-devices.md#take-action-on-a-device-that-has-threat-detections) that has threat detections.
+- [Onboard a device to Defender for Business](mdb-manage-devices.md#onboard-a-device).
+- [Offboard a device from Defender for Business](mdb-manage-devices.md#offboard-a-device).
+
+## Additional resources
+
+- [Overview of Microsoft Defender for Business](mdb-overview.md)
+- [Tutorials and simulations in Microsoft Defender for Business](mdb-tutorials.md)
+- [Video: Enterprise-Grade Protection for Small & Medium Sized Businesses](https://youtu.be/umhUNzMqZto)
+- [Get Microsoft Defender for Business](get-defender-business.md)
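Review bot: In the "View and respond to detected threats" list, the link text "Review mediation actions in the Action Center" does not match its target, mdb-review-remediation-actions.md; it should read "Review remediation actions in the Action Center". In "Prepare for ongoing security management", "will require you manage your security" is missing "to", and the sentence files adding devices and staff changes under "security events"; something like "Threat detections, new devices, and employees joining or leaving the organization will require you to manage device security on an ongoing basis" reads more accurately.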
security Apis Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/apis-intro.md
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Business](../defender-business/index.yml)
+
+> [!IMPORTANT]
+> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
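Review bot: The IMPORTANT callout added under "Applies to" is pasted verbatim into each API article in this change set (apis-intro, the three exposed-apis-create-app pages, the PowerShell sample, exposed-apis-list and the OData samples). Consider moving it to a shared include, the way the rebranding notice is pulled in with `[!INCLUDE ...]` in network-protection.md, so the wording and the compare-plans link are maintained in one place.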
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
Search for "SSH" related security recommendations to find SSH vulnerabilities th
:::image type="content" source="images/1156c82ffadd356ce329d1cf551e806c.png" alt-text="The security recommendations dashboard" lightbox="images/1156c82ffadd356ce329d1cf551e806c.png":::
-## Use Advanced Hunting on discovered devices
+## Use advanced hunting on discovered devices
-You can use Advanced Hunting queries to gain visibility on discovered devices.
-Find details about discovered Endpoints in the DeviceInfo table, or network-related information about those devices in the DeviceNetworkInfo table.
+You can use advanced hunting queries to gain visibility on discovered devices. Find details about discovered devices in the DeviceInfo table, or network-related information about those devices in the DeviceNetworkInfo table.
:::image type="content" source="images/f48ba1779eddee9872f167453c24e5c9.png" alt-text="The Advanced hunting page on which queries can be used" lightbox="images/f48ba1779eddee9872f167453c24e5c9.png":::
-Device discovery leverages Microsoft Defender for Endpoint onboarded devices as a network data source to attribute activities to non-onboarded devices. This means that if a Microsoft Defender for Endpoint onboarded device communicated with a non-onboarded device, activities on the non-onboarded device can be seen on the timeline and through the Advanced hunting DeviceNetworkEvents table.
+### Query discovered devices details
-New events are Transmission Control Protocol (TCP) connections-based and will fit to the current DeviceNetworkEvents scheme. TCP ingress to the Microsoft Defender for Endpoint enabled device from a non-Microsoft Defender for Endpoint enabled.
+Run this query, on the DeviceInfo table, to return all discovered devices along with the most up to details for each device:
-The following action types have also been added:
+```query
+DeviceInfo
+| summarize arg_max(Timestamp, *) by DeviceId // Get latest known good per device Id
+| where isempty(MergedToDeviceId) // Remove invalidated/merged devices
+| where OnboardingStatus != "Onboarded"
+```
+
+By invoking the **SeenBy** function, in your advanced hunting query, you can get detail on which onboarded device a discovered device was seen by. This information can help determine the network location of each discovered device and subsequently, help to identify it in the network. 
+
+```query
+DeviceInfo
+| where OnboardingStatus != "Onboarded"
+| summarize arg_max(Timestamp, *) by DeviceId 
+| where isempty(MergedToDeviceId) 
+| limit 100
+| invoke SeenBy()
+| project DeviceId, DeviceName, DeviceType, SeenBy
+```
+
+For more information, see the [SeenBy()](/microsoft-365/security/defender/advanced-hunting-seenby-function) function.
+
+### Query network related information
+
+Device discovery leverages Microsoft Defender for Endpoint onboarded devices as a network data source to attribute activities to non-onboarded devices. The network sensor on the Microsoft Defender for Endpoint onboarded device identifies two new connection types:
- ConnectionAttempt - An attempt to establish a TCP connection (syn) - ConnectionAcknowledged - An acknowledgment that a TCP connection was accepted (syn\ack)
+This means that when a non-onboarded device attempts to communicate with an onboarded Microsoft Defender for Endpoint device, the attempt will generate a DeviceNetworkEvent and the non-onboarded device activities can be seen on the onboarded device timeline, and through the Advanced hunting DeviceNetworkEvents table.
+ You can try this example query: ```text
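Review bot: The second query (the SeenBy example) applies `where OnboardingStatus != "Onboarded"` before `summarize arg_max(Timestamp, *) by DeviceId`, whereas the first query takes the latest record per device and only then filters. With the filter first, a device that was discovered and has since been onboarded still returns its last non-onboarded record, so the two examples can disagree about which devices are "discovered"; move the `summarize` and `isempty(MergedToDeviceId)` lines ahead of the OnboardingStatus filter as in the first query, and carry over its comments. Also, "the most up to details" should be "the most up-to-date details", and the new blocks are fenced as `query` while the example that follows uses `text`; pick one fence language.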
security Exposed Apis Create App Nativeapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Business](../defender-business/index.yml)
+
+> [!IMPORTANT]
+> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).
+ > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Exposed Apis Create App Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-partners.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Business](../defender-business/index.yml)
+
+> [!IMPORTANT]
+> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).
+ > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Business](../defender-business/index.yml)
+
+> [!IMPORTANT]
+> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).
+ > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Exposed Apis Full Sample Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-full-sample-powershell.md
audience: ITPro Previously updated : 09/24/2018 Last updated : 04/27/2022 ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Business](../defender-business/index.yml)
+
+> [!IMPORTANT]
+> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Exposed Apis List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-list.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Business](../defender-business/index.yml)
+
+> [!IMPORTANT]
+> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).
+ > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
Learn more about the individual supported entities where you can run API calls t
Topic | Description :|:
-[Advanced Hunting](run-advanced-query-api.md) | Run queries from API.
+[Advanced Hunting](run-advanced-query-api.md) | Run queries from API.<p>*Advanced hunting capabilities are not included in [Defender for Business](../defender-business/mdb-overview.md)*.
[Alert methods and properties](alerts.md) | Run API calls such as \- get alerts, create alert, update alert and more. [Export assessment methods and properties per device](get-assessment-methods-properties.md) | Run API calls to gather vulnerability assessments on a per-device basis, such as: \- export secure configuration assessment, export software inventory assessment, export software vulnerabilities assessment, and delta export software vulnerabilities assessment. [Automated Investigation methods and properties](investigation.md) | Run API calls such as \- get collection of Investigation.
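Review bot: The new Advanced Hunting table cell opens a `<p>` that is never closed and leaves the sentence's full stop outside the italics (`...mdb-overview.md)*.`); use `<br/>` as the Defender for Business tables in this change set do, and keep the period inside the emphasis. This row links to mdb-overview.md while the IMPORTANT callout added at the top of the same article links to compare-mdb-m365-plans.md for the same statement; point both at the comparison page so the reader lands on the feature list either way.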
security Exposed Apis Odata Samples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-odata-samples.md
**Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Business](../defender-business/index.yml)
+
+> [!IMPORTANT]
+> Advanced hunting capabilities are not included in Defender for Business. See [Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2](../defender-business/compare-mdb-m365-plans.md#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-If you are an admin, you can now host firewall reporting to the [Microsoft 365 Defender portal](https://security.microsoft.com). This feature enables you to view Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 firewall reporting from a centralized location.
+If you are an Global or security administrator, you can now host firewall reporting to the [Microsoft 365 Defender portal](https://security.microsoft.com). This feature enables you to view Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 firewall reporting from a centralized location.
## What do you need to know before you begin?
The following scenarios are supported during Ring0 Preview.
Here is a couple of examples of the firewall report pages. Here you will find a summary of inbound, outbound, and application activity. You can access this page directly by going to <https://security.microsoft.com/firewall>.
-> [!div class="mx-imgBorder"]
-> :::image type="content" source="\images\host-firewall-reporting-page.png" alt-text="The Host firewall reporting page" lightbox="\images\host-firewall-reporting-page.png":::
These reports can also be accessed by going to **Reports** > **Security Report** > **Devices** (section) located at the bottom of the **Firewall Blocked Inbound Connections** card.
These reports can also be accessed by going to **Reports** > **Security Report**
Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch the Microsoft 365 Defender portal in a new tab, and take you directly to the **Device Timeline** tab.
-> [!div class="mx-imgBorder"]
-> :::image type="content" source="\images\firewall-reporting-blocked-connection.png" alt-text="The Computers with a blocked connection page" lightbox="\images\firewall-reporting-blocked-connection.png":::
You can now select the **Timeline** tab, which will give you a list of events associated with that device. After clicking on the **Filters** button on the upper right-hand corner of the viewing pane, select the type of event you want. In this case, select **Firewall events** and the pane will be filtered to Firewall events.
-> [!div class="mx-imgBorder"]
-> :::image type="content" source="\images\firewall-reporting-filters-button.png" alt-text="The Filters button" lightbox="\images\firewall-reporting-filters-button.png":::
### Drill into advanced hunting (preview refresh) Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query will be pre-populated.
-> [!div class="mx-imgBorder"]
-> :::image type="content" source="\images\firewall-reporting-advanced-hunting.png" alt-text="The Open Advanced hunting button" lightbox="\images\firewall-reporting-advanced-hunting.png":::
The query can now be executed, and all related Firewall events from the last 30 days can be explored.
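Review bot: "If you are an Global or security administrator" should be "a Global or security administrator", and "you can now host firewall reporting to the ... portal" still reads as if the administrator hosts something; "you can now view host firewall reporting in the ... portal" is probably what is meant. The hunk also deletes all four screenshots while the context line "Here is a couple of examples of the firewall report pages" stays in place, so the text now introduces examples that are no longer shown; either restore the images or reword that sentence.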
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Download the onboarding package from Microsoft 365 Defender portal.
```Output Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: MicrosoftDefenderATPOnboardingLinuxServer.sh
+ inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
``` ## Client configuration
-1. Copy MicrosoftDefenderATPOnboardingLinuxServer.sh to the target device.
+1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device.
> [!NOTE] > Initially the client device is not associated with an organization and the *orgId* attribute is blank.
Download the onboarding package from Microsoft 365 Defender portal.
mdatp health --field org_id ```
-2. Run MicrosoftDefenderATPOnboardingLinuxServer.sh.
+2. Run MicrosoftDefenderATPOnboardingLinuxServer.py.
+ > [!NOTE]
+ > To run this command, you must have `python` or `python3` installed on the device depending on the disto and version. If needed, see [Step-by-step Instruction for Installing Python on Linux](https://opensource.com/article/20/4/install-python-linux).
+
+ If you're running RHEL 8.x or Ubuntu 20.04 or higher, you will need to use `python3`.
+
+ ```bash
+ sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py
+ ```
+
+ For the rest of distros and versions, you will need to use `python`.
+
```bash
- sudo bash MicrosoftDefenderATPOnboardingLinuxServer.sh
+ sudo python MicrosoftDefenderATPOnboardingLinuxServer.py
``` 3. Verify that the device is now associated with your organization and reports a valid organization identifier:
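Review bot: In the note added under step 2, "disto" should be "distro". The interpreter guidance is ambiguous as written: "RHEL 8.x or Ubuntu 20.04 or higher" does not say whether "or higher" covers RHEL as well, and "the rest of distros and versions" leaves the reader to guess which case applies. Since the script is run with sudo, it would be clearer to tell the reader to check which interpreter is installed on the device and use that one, and to link to the distribution's own package instructions rather than a third-party article.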
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+## 101.65.77 (30.122032.16577.0)
+
+- Improved the `conflicting_applications` field in `mdatp health` to show only the most recent 10 processes and also to include the process names. This makes it easier to identify which processes are potentially conflicting with Microsoft Defender for Endpoint for Linux.
+- Bug fixes
+ ## 101.62.74 (30.122022.16274.0) - Addressed an issue where the product would incorrectly block access to files greater than 2GB in size when running on older kernel versions
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
The following commands are available for user roles that are granted the ability
| connections | Shows all the active connections. | Y | N | N | | dir | Shows a list of files and subdirectories in a directory. | Y | Y | Y | | drivers | Shows all drivers installed on the device. | Y | N | N |
-| fg `<command ID>` | Place the specified job in the foreground in the foreground, making it the current job. NOTE: fg takes a 'command ID` available from jobs, not a PID | Y | Y | Y |
+| fg `<command ID>` | Place the specified job in the foreground, making it the current job. NOTE: fg takes a 'command ID` available from jobs, not a PID | Y | Y | Y |
| fileinfo | Get information about a file. | Y | Y | Y | | findfile | Locates files by a given name on the device. | Y | Y | Y | | getfile <file_path> | Downloads a file. | Y | Y | Y |
Select the **Command log** tab to see the commands used on the device during a s
- A device can only be in one session at a time. - The following file size limits apply: - `getfile` limit: 3 GB
- - `fileinfo` limit: 10 GB
+ - `fileinfo` limit: 30 GB
- `library` limit: 250 MB ## Related article
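Review bot: The `fg` row fix removes the duplicated "in the foreground" but leaves the mismatched delimiters in the NOTE: the term command ID opens with a single quote and closes with a backtick, so it does not render as code. Put backticks on both sides, matching `<command ID>` in the first column. The `fileinfo` limit moves from 10 GB to 30 GB while the `getfile` and `library` limits are unchanged; worth confirming the new figure before merging, since nothing else in the hunk explains it.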
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
Guidance for how to configure the product in enterprise environments is availabl
## macOS kernel and system extensions
-In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint on Mac update that leverages system extensions instead of kernel extensions. For relevant details, see [What's new in Microsoft Defender for Endpoint on Mac](mac-whatsnew.md).
+Starting with macOS 11 (Big Sur), Microsoft Defender for Endpoint has been fully migrated from kernel extension to system extensions. Kernel extension is still being used on macOS 10.15 (Catalina).
## Resources
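Review bot: The replacement sentence mixes singular and plural ("from kernel extension to system extensions", "Kernel extension is still being used") and drops the pointer to mac-whatsnew.md that the old text gave. Suggest "has fully migrated from kernel extensions to system extensions; the kernel extension is still used on macOS 10.15 (Catalina)", and keep a link to the release notes.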
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
ms.technology: mde
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. > [!TIP]
-> Soon, Microsoft Defender for Endpoint will be available in two plans. This article describes the features and capabilities that are included in Microsoft Defender for Endpoint Plan 2. [Learn more about Microsoft Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md).
+> Microsoft Defender for Endpoint is available in two plans: Defender for Endpoint Plan 1 and Plan 2. This article describes the features and capabilities that are included in each plan. [Learn more about Microsoft Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md).
> <p><p>
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
Title: Use network protection to help prevent connections to bad sites description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
-keywords: Network protection, exploits, malicious website, ip, domain, domains
+keywords: Network protection, exploits, malicious website, ip, domain, domains, command and control, SmartScreen, toast notification
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
Last updated
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - Microsoft Defender Antivirus
Last updated
Network protection helps protect devices from Internet-based events. Network protection is an attack surface reduction capability. It helps prevent employees from accessing dangerous domains through applications. Domains that host phishing scams, exploits, and other malicious content on the Internet are considered dangerous. Network protection expands the scope of [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
-Network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level. It provides web protection functionality in Edge to other supported browsers and non-browser applications. In addition, network protection provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md) that you can use to block specific domains or hostnames.
+Network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level. It provides the web protection functionality found in Microsoft Edge to other supported browsers and non-browser applications. Network protection also provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md) that you can use to block specific domains or hostnames.
> [!TIP] > See the Microsoft Defender for Endpoint testground site at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how network protection works.
Network protection extends the protection in [Web protection](web-protection-ove
Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection.
-<br>
- ****
-|Windows version|Microsoft Defender Antivirus|
-|||
-|Windows 10 version 1709 or later <p> Windows 11 <p> Windows Server 1803 or later|[Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled|
-|
+| Windows version | Microsoft Defender Antivirus |
+|:|:|
+| Windows 10 version 1709 or later <br> Windows 11 <br> Windows Server 1803 or later | [Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) <br> and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled (active)|
-After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your devices (also referred to as endpoints).
+## Why network protection is important
-- `.smartscreen.microsoft.com`-- `.smartscreen-prod.microsoft.com`
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+>
+> Information about the features that are commercially available follows the Public Preview information.
+
+Network protection is a part of the attack surface reduction group of solutions in Microsoft Defender for Endpoint. Network protection enables layer 3 (network layer) blocking of URLs and IPs. Network protection can block URLs being accessed from 3rd-party browsers and standard network connections.
+
+By default, network protection guards your computers from known malicious URLs using the Smart Screen feed, which blocks malicious URLs in a manner similar to SmartScreen in Microsoft Edge browser. The network protection functionality can be extended to:
+
+- Block IP / URL from your own Threat Intel (Indicators)
+- Block unsanctioned services from Microsoft Cloud App Security (MCAS)
+- Block sites based on category (Web Content filtering)
+
+Network Protections is a critical part of the Microsoft protection and response stack.
+
+For details about Network Protection for Windows Server, Linux, MacOS and MTD, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
+
+### Block Command and Control (C2) attacks
+
+C2 server computers are used by malicious users to send commands to systems compromised by malware, and then exert some type of control over compromised systems. C2 attacks typically hide in cloud-based services such as file-sharing and webmail services, enabling the C2 servers to avoid detection by blending in with typical traffic.
+
+C2 servers can be used to initiate commands that can:
+
+- steal data (for example, by way of phishing)
+- control compromised computers in a botnet
+- disrupt legitimate applications
+- spread malware, such as ransomware
+
+The Network Protection component of Microsoft Defender for Endpoint identifies and blocks connections to C2 infrastructures used in human-operated ransomware attacks, using techniques like machine learning and intelligent indicator-of-compromise (IoC) identification.
+
+#### Network protection: New toast notifications
+
+| New mapping | Response category | Sources |
+| : | : | : |
+| phishing | Phishing | SmartScreen |
+| malicious | Malicious | SmartScreen |
+| command and control | C2 | SmartScreen |
+| command and control | COCO | SmartScreen |
+| malicious | Untrusted | SmartScreen |
+| by your IT admin | CustomBlockList | |
+| by your IT admin | CustomPolicy | |
+
+> [!NOTE]
+> **customAllowList** does not generate notifications on endpoints.
+
+### New notifications for network protection determination
+
+A new, publicly available capability in network protection utilizes functions in SmartScreen to block phishing activities from malicious command and control sites.
+
+When an end user attempts to visit a website in an environment in which network protection is enabled, three scenarios are possible:
+
+- The URL has a **known good reputation** - In this case the user is permitted access without obstruction, and there's no toast notification presented on the endpoint. In effect, the domain or URL is set to _Allowed_.
+- The URL has an **unknown or uncertain reputation** - The user's access is blocked, but with the ability to circumvent (unblock) the block. In effect, the domain or url is set to _Audit_.
+- The URL has a **known bad (malicious) reputation** - The user is prevented from access. In effect, the domain or url is set to _Block_.
+
+#### Warn experience
+
+A user visits a website:
+
+- If the url has an unknown or uncertain reputation, a toast notification will present the user with the following options:
+
+ - **Ok** - The toast notification is released (removed), and the attempt to access the site is ended.
+ - **Unblock** - The user won't need to access the Windows Defender Security Intelligence (WDSI) portal to gain site access. The user will have access to the site for 24 hours; at which point the block is reenabled for another 24 hours. The user can continue to use **Unblock** to access the site until such time that the administrator prohibits (blocks) the site, thus removing the option to **Unblock**.
+ - **Feedback** - The toast notification presents the user with a link to submit a ticket, which the user can use to submit feedback to the administrator in an attempt to justify access to the site.
+
+ > [!div class="mx-imgBorder"]
+ > ![Shows a network protection phishing content warn notification](images/network-protection-phishing-warn-2.png)
+
+ > [NOTE!]
+ > The images shown here for warn experience and block experience (below) both list **"blocked url"** as example placeholder text; in a functioning environment the actual url or domain will be listed.
+
+#### Block experience
+
+A user visits a website:
+
+- If the url has a bad reputation, a toast notification will present the user with the following options:
+ - **Ok** The toast notification is released (removed), and the attempt to access the site is ended.
+ - **Feedback** The toast notification presents the user with a link to submit a ticket, which the user can use to submit feedback to the administrator in an attempt to justify access to the site.
+
+ > [!div class="mx-imgBorder"]
+ > ![ Shows a network protection known phishing content blocked notification](images/network-protection-phishing-blocked.png)
+
+### Network protection: C2 detection and remediation
+
+In its initial form, ransomware is a commodity threat, pre-programmed and focused on limited, specific outcomes (for example, encrypting a computer). However, ransomware has evolved into a sophisticated threat that is human driven, adaptive, and focused on larger scale and more widespread outcomes; like holding an entire organizationΓÇÖs assets or data for ransom.
+
+Support for Command and Control (C2) is a key part of this ransomware evolution and is what enables these attacks to adapt to the environment they target. Breaking the link to the command-and-control infrastructure means stopping the progression of an attack to its next stage.
+
+#### Detecting and remediating CobaltStrike (public preview)
+
+One of the most common post-exploitation frameworks used in human-operated ransomware attacks is CobaltStrike. Threat Intelligence teams across Microsoft track _Tactics, Techniques, and Procedures_ (TTPs) on multiple activity groups that deploy ransomware to identify patterns of behavior that can be used to defend against specific strategies and threat vectors used by malicious actors. These ransomware activity groups all, at some point in the attack life cycle, involve deploying a CobaltStrike Beacon to a victimΓÇÖs computer to enable hands-on keyboard activity.
+
+CobaltStrike enables customization of multiple aspects of the attack, from the ability to host multiple listeners responding to different protocols, to how the main client-side component (Beacon) should perform code injection and run post exploitation jobs. When Microsoft Defender detects CobaltStrike, it can intelligently find and collect key indicators of compromise (IoC). Once captured, these indicators are shared throughout MicrosoftΓÇÖs product stack for detection and protection purposes.
+
+Microsoft DefenderΓÇÖs command and control detection isn't limited to CobaltStrike. Microsoft Defender can capture key IoCs of multiple malware families. The indicators are shared across the Microsoft protection stack to protect customers and alert them if there's a compromise.
+
+Blocking command-and-control communication can severely impede a targeted attack, giving defenders time to find the initial entry vectors and close them down before another attempted attack.
+
+<!-- Hide {this intro with no subsequent list items}
+[For additional details about Microsoft Defender's command and control detection, see **ADD LINK TO BLOG**.]
+-->
+
+## Smart Screen Unblock
+
+A new feature in Microsoft Defender for Endpoint Indicators enables administrators to allow end users to bypass ΓÇ£WarningsΓÇ¥ generated for some URLs and IPs. Depending on why the URL was blocked, when a Smart Screen block is encountered it may offer administrators the ability to unblock the site for up to 24 hours. In such cases, a Windows Security toast notification will appear, permitting the end-user to **Unblock** the URL or IP for the defined period of time.
+
+ > [!div class="mx-imgBorder"]
+ > ![ Windows Security notification for network protection](images/network-protection-smart-screen-block-notification.png)
+
+Microsoft Defender for Endpoint Administrators can configure Smart Screen Unblock functionality at [Microsoft 365 Defender](https://security.microsoft.com/), using the following configuration tool. From the Microsoft 365 Defender portal, navigate to the path to the ConfigToolName.
+
+<!-- Hide {this intro with no subsequent list items}
+[Line 171: Delete the colon and the right angle-brackets. The resulting sentence will be "From the [MS365 Defender] portal, navigate to path to ConfigToolName." Delete "to" and add "the" before path unless a specific description is available. Would a screenshot help? Normally angle brackets or arrows are used in place of certain text rather than in addition.]
+-->
+
+ > [!div class="mx-imgBorder"]
+ > ![Network protection smart screen block configuration ULR and IP form](images/network-protection-smart-screen-block-configuration.png)
+
+## Using network protection
+
+Network protection is enabled per device, which is typically done using your management infrastructure. For supported methods, see [Turn on network protection](enable-network-protection.md).
+
+> [!NOTE]
+> Microsoft Defender Antivirus must be active to enable Network protection.
+
+You can enable Network Protection in **Audit** mode or **Block** mode. If you want to evaluate the impact of enabling Network Protection before blocking IPΓÇÖs or URLs, you can enable it in Audit mode for a period of time to gather data on what would be blocked. Audit mode logs when end users have connected to an address or site that would otherwise have been blocked by network protection.
+
+## Advanced Hunting
+
+If you're using Advanced Hunting to identify audit events you'll have up to 30 days history available from the console. See [Advanced Hunting](advanced-hunting-overview.md).
+
+You can find the audit data in **Advanced hunting** in the Microsoft Defender for Endpoint portal.
+
+The events are in DeviceEvents with an ActionType of ExploitGuardNetworkProtectionAudited. Blocks are shown by ExploitGuardNetworkProtectionBlocked.
+
+The following example includes the blocked actions:
+
+DeviceEvents
+
+- Where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
+
+ > [!div class="mx-imgBorder"]
+ > ![Advanced Hunting for auditing and identifying events](images/network-protection-advanced-hunting.png)
+
+> [!TIP]
+> These entries have data in the AdditionalFields column which gives you great info around the action, if you expand AdditionalFields you can also get the fields: **IsAudit**, **ResponseCategory**, and **DisplayName**.
+
+DeviceEvents:
+
+- where ActionType contains "ExploitGuardNetworkProtection"
+- extend ParsedFields=parse_json(AdditionalFields)
+- project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, IsAudit=tostring(ParsedFields.IsAudit), ResponseCategory=tostring(ParsedFields.ResponseCategory), DisplayName=tostring(ParsedFields.DisplayName)
+- sort by Timestamp desc
+
+Response category tells you what caused the event, for example:
+
+| ResponseCategory | Feature responsible for the event |
+|:|:|
+| CustomPolicy | WCF |
+| CustomBlockList | Custom indicators |
+| CasbPolicy | Defender for Cloud Apps |
+| Malicious | Web threats |
+| Phishing | Web threats |
+
+For more information, see [Troubleshoot endpoint blocks](web-protection-overview.md#troubleshoot-endpoint-blocks).
+
+You can use the resulting list of URLs and IPs to determine what would have been blocked if the device was in block mode, as well as which feature blocked them. Review each item on the list to identify URLS or IPs whether any are necessary to your environment. If you find any entries that have been audited which are critical to your environment, create an Indicator to allow them in your network. Allow URL / IP indicators take precedence over any block.
+
+Once you've created an Indicator you can look at resolving the underlying issue:
+
+- Smart screen ΓÇô request review
+- Indicator ΓÇô modify existing indicator
+- MCA ΓÇô review unsanctioned APP
+- WCF ΓÇô request recategorization
+
+Using this data you can make an informed decision on enabling Network protection in Block mode. See [Order of precedence for Network protection blocks](web-protection-overview.md#order-of-precedence).
+
+> [!NOTE]
+> As this is a per device setting if there are devices that cannot move to Block mode you can simply leave them on audit until you can rectify the challenge and you will still receive the auditing events.
+
+For information about how to report false positives see [Report false positives](web-protection-overview.md#report-false-positives).
+
+For details on how to create your own Power BI reports, see [Create custom reports using Power BI](api-power-bi.md).
## Configuring network protection For more information about how to enable network protection, see **[Enable network protection](enable-network-protection.md)**. Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
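Review bot: The two advanced hunting queries under "## Advanced Hunting" are written as Markdown bullet lists (`- Where ActionType in (...)`, then `- where ...`, `- extend ...`, `- project ...`, `- sort by ...`) rather than Kusto, so neither can be pasted into advanced hunting and run. Put each in a fenced kusto block with `|` before every operator and a lowercase `where`, as the existing `DeviceNetworkEvents` sample later in this file does. In the same added block, the reputation list maps an unknown or uncertain URL to _Audit_ while describing a block the user can bypass, which contradicts the definition under "## Using network protection" that Audit mode only logs; the subsection heading already calls this the Warn experience, so use that term. The sentence "For details about Network Protection for Windows Server, Linux, MacOS and MTD" links to advanced-hunting-overview.md with hunting link text, which does not match what the sentence promises. Before merge, also replace the leftover draft text ("navigate to the path to the ConfigToolName" and the two `<!-- Hide ... -->` comments, one still reading "ADD LINK TO BLOG"), change `> [NOTE!]` to `> [!NOTE]`, and give the two table separator rows (`| : | : | : |` and `|:|:|`) their dashes so the tables render.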
+After you've enabled the services, you might need to configure your network or firewall to allow the connections between the services and your devices (also referred to as endpoints).
+
+- `.smartscreen.microsoft.com`
+- `.smartscreen-prod.microsoft.com`
+ ## Viewing network protection events Network protection works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into exploit protection events and blocks as part of [alert investigation scenarios](investigate-alerts.md).
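Review bot: The two entries are written as `.smartscreen.microsoft.com` and `.smartscreen-prod.microsoft.com` with a bare leading dot, which leaves it unclear whether an admin should allow the apex host, every subdomain, or both; if a wildcard is intended, write it explicitly (for example `*.smartscreen.microsoft.com` in code formatting), otherwise list the exact host names. The sentence before the list ends with a period and never introduces it, and "the services" has no antecedent in this section, so name the services and add a lead-in such as "Allow connections to the following domains:".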
You can also use [audit mode](audit-windows-defender.md) to evaluate how network
Microsoft Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](investigate-alerts.md). You can view these details in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) in the [alerts queue](review-alerts.md) or by using [advanced hunting](advanced-hunting-overview.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
-Here is an example query for advanced hunting:
+Here's an example query for advanced hunting:
```kusto DeviceNetworkEvents
You can review the Windows event log to see events that are created when network
This procedure creates a custom view that filters to only show the following events related to network protection:
-<br>
- **** |Event ID|Description|
Here's an example of how that works:
Due to the multi-user nature of Windows 10 Enterprise, keep the following points in mind:
-1. Network protection is a device-wide feature and cannot be targeted to specific user sessions.
+1. Network protection is a device-wide feature and can't be targeted to specific user sessions.
2. Web content filtering policies are also device wide.
security Run Advanced Query Sample Python https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-sample-python.md
where
Run the following query: ```python
-query = 'RegistryEvents | limit 10' # Paste your own query here
+query = 'DeviceRegistryEvents | limit 10' # Paste your own query here
url = "https://api.securitycenter.microsoft.com/api/advancedqueries/run" headers = {
security Advanced Hunting Seenby Function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-seenby-function.md
+
+ Title: SeenBy() function in advanced hunting for Microsoft 365 Defender
+description: Learn how to use the SeenBy() function to look for which onboarded devices discovered a certain device
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, SeenBy, device discovery, function, enrichment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: m365d
++
+# SeenBy()
+++
+**Applies to:**
+- Microsoft 365 Defender
+
+The `SeenBy()` function is invoked to see a list of onboarded devices that have seen a certain device using the device discovery feature.
+
+This function returns a table that has the following column:
+
+| Column | Data type | Description |
+|||-|
+| `DeviceId` | `string` | Unique identifier for the device in the service |
++
+## Syntax
+
+```kusto
+invoke SeenBy(x)
+```
+
+- where **x** is the device ID of interest
+
+>[!TIP]
+> Enrichment functions will show supplemental information only when they are available. Availability of information is varied and depends on a lot of factors. Make sure to consider this when using SeenBy() in your queries or in creating custom detections. For best results, we recommend using the SeenBy() function with the DeviceInfo table.
+
+### Example: Obtain list of onboarded devices that have seen a device
+
+```kusto
+DeviceInfo
+| where OnboardingStatus <> "Onboarded"
+| limit 100 | invoke SeenBy()
+```
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Get more query examples](advanced-hunting-shared-queries.md)
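Review bot: The example calls `invoke SeenBy()` with no argument, while "## Syntax" defines `invoke SeenBy(x)` with **x** as the device ID of interest, so the page contradicts itself on how the function is called. State whether the argument is optional when the function is piped from `DeviceInfo`, or show both forms with the same device. The description of the returned `DeviceId` column should also say whose ID it is (the onboarded device that saw the target, or the target itself), since "Unique identifier for the device in the service" fits either. The column table's separator row `|||-|` will not render as a table, and `| limit 100 | invoke SeenBy()` would read better with one operator per line.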
security Anti Malware Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection.md
Anti-malware policies control the settings and notification options for malware
You can replace the default text in the **Malware Alert Text.txt** file with your own custom text. -- **Common attachments filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these types of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: `.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs`.
+- **Common attachments filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these types of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: `ace, ani, app, cab, docm, exe, iso, jar, jnlp, reg, scr, vbe, vbs`.
The common attachments filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.
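Review bot: The new default list adds `cab`, `iso` and `jnlp` and drops the leading dots, but the text does not say whether policies that already have the common attachments filter enabled pick up the three new types or keep the previous list. Add a sentence covering that, since the filter treats every listed type as malware and the change affects mail flow. Because the following paragraph says matching falls back to the file name extension when true-typing fails, also confirm that the dotless form (`exe`, not `.exe`) is how values are entered in the policy, so the documented list matches what an admin types.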
security Safe Docs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-docs.md
Users don't need Defender for Endpoint installed on their local devices to get S
- Licenses from a required licensing plan are assigned to the users. Safe Documents is controlled by the **Office 365 SafeDocs** (or **SAFEDOCS** or **bf6f5520-59e3-4f82-974b-7dbbc4fd27c7**) service plan (also known as a service). This service plan is available in the following licensing plans (also known as license plans, Microsoft 365 plans, or products): - Microsoft 365 A5 for Faculty - Microsoft 365 A5 for Students
- - Microsoft 365 E5
- Microsoft 365 E5 Security Safe Documents is not included in Microsoft Defender for Office 365 licensing plans.