Security and access management technologies

Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses various processes with these technologies. Specifically:

Process and what it covers:

  • Device security: security and protection on Microsoft Managed Desktop devices.
  • Identity and access management: managing secure use of devices through Microsoft Entra identity services.
  • Network security: VPN information and the Microsoft Managed Desktop recommended solution and settings.
  • Information security: optional services available to further protect sensitive information.

For information about data storage, usage, and security practices used by Microsoft Managed Desktop, see our whitepaper.

Device security

Microsoft Managed Desktop ensures managed devices are secured and protected, and detects threats as early as possible using the following services:

Service and what it provides:

  • Antivirus: Microsoft Defender Antivirus is installed and configured, and its definitions are kept up to date.
  • Full volume encryption: Microsoft Managed Desktop uses Windows BitLocker as the volume encryption solution. System drives are encrypted with XTS-AES 128; XTS-AES 256 is allowed as an exception. A PIN or startup key isn't required by default, but you can request that it be required. Removable media is encrypted with AES-CBC 128.
  • Monitoring: Microsoft Defender for Endpoint is used for security threat monitoring across all Microsoft Managed Desktop devices. Defender for Endpoint allows enterprise customers to detect, investigate, and respond to advanced threats in their corporate network.
  • Operating system updates: Microsoft Managed Desktop devices are always secured with the latest security updates. For more information, see software update management.
  • Secure device configuration: Microsoft Managed Desktop implements the Microsoft Security Baseline. For more information, see Windows security baselines. For Microsoft Managed Desktop default settings, see Microsoft Managed Desktop security baseline settings.
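The BitLocker settings listed above (XTS-AES 128 on the system drive with 256 as an allowed exception, AES-CBC 128 on removable media, and an optional PIN/startup key requirement) are easy to verify on an enrolled device. The following PowerShell script is an added example written for this page; it is not part of the Microsoft Managed Desktop documentation or tooling. It uses only the built-in BitLocker and Storage module cmdlets (Get-BitLockerVolume, Get-Volume) and reports, per volume, whether the device matches the stated settings. The function name Test-MmdBitLockerBaseline and the -RequirePin switch are this example's own inventions; fixed data drives are not described on the page, so the script flags them for manual review rather than guessing a rule.

```powershell
# Added example: compares a device's BitLocker state with the settings described on this page.
# Run in an elevated PowerShell session on Windows 10/11 (BitLocker and Storage modules are built in).

function Test-MmdBitLockerBaseline {
    [CmdletBinding()]
    param(
        # Pass -RequirePin if your tenant asked for the PIN/KEY requirement to be enforced.
        [switch]$RequirePin
    )

    # Drive letters of removable volumes, so removable media can be told apart from fixed data drives.
    $removableLetters = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object { [string]$_.DriveLetter }

    foreach ($vol in Get-BitLockerVolume) {
        $letter      = $vol.MountPoint.Substring(0, 1)
        $isRemovable = $removableLetters -contains $letter
        $types       = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # Expected methods per the page: XTS-AES 128 for the system drive (XTS-AES 256 allowed as an
        # exception) and AES-CBC 128 for removable media. Fixed data drives are not covered by the page.
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $role = 'SystemDrive'; $allowed = @('XtsAes128', 'XtsAes256')
        } elseif ($isRemovable) {
            $role = 'Removable';   $allowed = @('Aes128')
        } else {
            $role = 'FixedData';   $allowed = $null
        }

        $notes     = [System.Collections.Generic.List[string]]::new()
        $compliant = $true

        if ($null -eq $allowed) {
            $notes.Add('Fixed data drive: no setting stated on the page; review manually.')
        } else {
            if ($vol.ProtectionStatus -ne 'On') {
                $compliant = $false; $notes.Add('BitLocker protection is off.')
            }
            if ($vol.VolumeStatus -ne 'FullyEncrypted') {
                $compliant = $false; $notes.Add("Volume status is $($vol.VolumeStatus).")
            }
            if ($allowed -notcontains [string]$vol.EncryptionMethod) {
                $compliant = $false
                $notes.Add("Encryption method $($vol.EncryptionMethod) is not one of: $($allowed -join ', ').")
            }
        }

        # PIN/KEY requirement: satisfied when the OS drive has a TPM+PIN and/or startup-key protector.
        if ($role -eq 'SystemDrive') {
            $hasPinOrKey = ($types | Where-Object { $_ -match '^Tpm(Pin|StartupKey|PinStartupKey)$' }).Count -gt 0
            if ($RequirePin -and -not $hasPinOrKey) {
                $compliant = $false
                $notes.Add('PIN/KEY requirement requested but no TPM+PIN or startup-key protector found.')
            }
            # Extra practitioner check (not from the page): a recovery password protector should exist
            # and be escrowed before any PIN requirement is enforced, or a lost PIN locks the user out.
            if ($types -notcontains 'RecoveryPassword') {
                $notes.Add('No recovery password protector present; confirm key escrow before enforcing.')
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Role       = $role
            Method     = [string]$vol.EncryptionMethod
            Protectors = ($types -join ',')
            Compliant  = $compliant
            Notes      = ($notes -join ' ')
        }
    }
}

# Usage (elevated PowerShell):
#   Test-MmdBitLockerBaseline | Format-Table -AutoSize
#   Test-MmdBitLockerBaseline -RequirePin | Where-Object { -not $_.Compliant }
```

The script reads state only; it changes nothing on the device. Removable drives are matched by DriveType from Get-Volume rather than by BitLocker's VolumeType, because BitLocker reports both fixed and removable data drives as Data volumes. A device that shows Aes256 or XtsAes256 on the system drive is reported as compliant only for XtsAes256, which is the exception the page allows; any other mismatch is listed in the Notes column so it can be raised with the Microsoft Managed Desktop team.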

Identity and access management

Identity and access management protects corporate assets and business-critical data. Microsoft Managed Desktop configures devices to ensure secure use with Microsoft Entra managed identities. It's the customer's responsibility to maintain accurate information in their Microsoft Entra tenant.

Service and what it provides:

  • Biometric authentication: Microsoft Managed Desktop offers the configuration option to ensure secure authentication powered by Windows Hello for Business. Windows Hello for Business offers biometric security that is stronger than username- and password-based authentication. Customers are responsible for implementing the necessary prerequisites for their on-premises Microsoft Entra ID to use this service in a hybrid configuration.
  • Device profiles: to protect the system and make it more secure, the end user is assigned one of the following device profiles:
    • Standard User
    • Power User
    • Sensitive Data User
    • Kiosk

Device profiles are assigned as part of the Windows Autopilot out-of-box experience.

Network security

Customers are responsible for network security.

Service and what it provides:

  • VPN: customers own their VPN infrastructure to ensure that only limited corporate resources are exposed outside the intranet.

Microsoft Managed Desktop requires:

  • A Windows 10-compatible and supported VPN solution
  • The device must support Windows 10 and the VPN solution must be packaged and deployable through Intune

Contact your software publisher for more information.

Recommendations:

  • Microsoft recommends a modern VPN solution that can be deployed easily through Intune by pushing VPN profiles. This approach provides an always-on, seamless, reliable, and secure way to access the corporate network. For more information, see VPN settings in Intune.
  • Thick VPN clients, or older VPN clients, aren't recommended by Microsoft while using Microsoft Managed Desktop because they can affect the user environment.
  • Microsoft recommends that outgoing web traffic goes directly to the Internet without passing through the VPN, to avoid performance issues.
  • Ideally, Microsoft recommends the use of Microsoft Entra application proxy instead of a VPN.

Information security

You can configure these optional services to help protect high-value corporate assets.

Service and what it provides:

  • Data recovery: information stored in key folders on the device is backed up to OneDrive for Business. Microsoft Managed Desktop is responsible for the secure functioning of the OneDrive client and its data sync to the OneDrive for Business back end in Microsoft 365 Apps. However, the data itself isn't the responsibility of the Microsoft Managed Desktop support teams; for that, you must contact OneDrive support.
  • Windows Information Protection: for companies that require high levels of information security, we recommend Windows Information Protection and Azure Information Protection.