Products and Capabilities

Services and scenarios supported by FastTrack

This topic includes details on the workload scenarios supported by FastTrack and the source environment expectations necessary before we can begin. Based on your current setup, we work with you to create a remediation plan that brings your source environment up to the minimum requirements for successful onboarding.

FastTrack provides guidance to help you first with core capabilities (common for all Microsoft Online Services) and then with onboarding each eligible service:

Note

For information on source environment expectations for Office 365 US Government, see Source Environment Expectations for Office 365 US Government.

General

Service FastTrack guidance details Source environment expectations
Core onboarding

We provide remote guidance on core onboarding, which involves service provisioning, tenant, and identity integration. It also includes steps for providing a foundation for onboarding services like Exchange Online, SharePoint Online, and Microsoft Teams, including a discussion on security, network connectivity, and compliance.

Onboarding for one or more eligible services can begin once core onboarding is finished.

Identity Integration

We provide remote guidance for:

  • Preparing on-premises Active Directory Identities for synchronization to Azure Active Directory (Azure AD) including installing and configuring Azure AD Connect (single- or multi-forest) and licensing (including group-based licensing).
  • Creating cloud identities including bulk import and licensing including using group-based licensing.
  • Choosing and enabling the correct authentication method for your cloud journey, Password Hash Sync, Pass-through Authentication, or Active Directory Federation Services (AD FS).
  • Choosing and enabling a more convenient authentication experience for your users with passwordless authentication using Fast Identity Online (FIDO)2, Microsoft Authenticator App, or Windows Hello for Business cloud trust.
  • Providing planning guidance for Windows Hello for Business hybrid key or certificate trust.
  • Enabling AD FS for customers with a single Active Directory forest and identities synchronized with the Azure AD Connect tool. This requires Windows Server 2012 R2 Active Directory Federation Services 2.0 or greater.
  • Migrating authentication from AD FS to Azure AD using Password Hash Sync or Pass-through Authentication.
  • Migrating pre-integrated apps (like Azure AD gallery software-as-a-service (SaaS) apps) from AD FS to Azure AD for single sign-on (SSO).
  • Enabling SaaS app integrations with SSO from the Azure AD gallery.
  • Enabling automatic user provisioning for pre-integrated SaaS apps as listed in the App integration tutorial list (limited to Azure AD gallery SaaS apps and outbound provisioning only).
Network enablement
As part of the FastTrack benefit, we advise you as to best practices for connecting to cloud services to ensure the highest levels of performance of Microsoft 365.
Active Directory forests
These have the functional forest level set to Windows Server 2003 onward, with the following forest configuration:
  • A single Active Directory forest.
  • A single Active Directory account forest and resource forest (Exchange, Lync 2013, or Skype for Business) topologies.
  • Multiple Active Directory account forests and resource forest (Exchange, Lync 2013, or Skype for Business) topologies.
  • Multiple Active Directory account forests with one of the forests being a centralized Active Directory account forest that includes Exchange, Lync 2013, or Skype for Business.
  • Multiple Active Directory account forests, each with its own Exchange organization.
  • Tasks required for tenant configuration and integration with Azure Active Directory, if needed. 
Important
  • For multi-forest Active Directory scenarios, if Lync 2013 or Skype for Business is deployed, it must be deployed in the same Active Directory forest as Exchange.
  • When implementing multiple Active Directory forests with multiple Exchange organizations in an Exchange multi-hybrid configuration, shared user principal name (UPN) namespaces between source forests aren't supported. Primary SMTP namespaces between Exchange organizations should also be separated. For more information, see Hybrid deployments with multiple Active Directory forests.
  • For all multiple forests configurations, Active Directory Federation Services (AD FS) deployment is out of scope. Contact a Microsoft Partner for assistance with this.
Microsoft 365 Apps
We provide remote deployment guidance for:
  • Addressing deployment issues.
  • Assigning end-user and device-based licenses using the Microsoft 365 admin center and Windows PowerShell.
  • Installing Microsoft 365 Apps from the Office 365 portal using Click-to-Run.
  • Installing Office Mobile apps (like Outlook Mobile, Word Mobile, Excel Mobile, and PowerPoint Mobile) on your iOS or Android devices.
  • Configuring update settings using the Office 365 Deployment Tool.
  • Selection and setup of a local or cloud installation.
  • Creation of the Office Deployment Tool configuration XML with the Office Customization Tool or native XML to configure the deployment package.
  • Deployment using Microsoft Endpoint Configuration Manager, including assistance with the creation of Microsoft Endpoint Configuration Manager packaging.
Additionally, if you have a macro or add-in that worked with prior versions of Office and you experience compatibility issues, we provide guidance to remediate the compatibility issue at no additional cost through the App Assure program. See the App Assure portion of Windows 10 for more details.
Network health
We provide remote guidance with obtaining and interpreting key network connectivity data from your environment showing how aligned your organization’s sites are to Microsoft’s principles of network connectivity. This highlights your network score which directly impacts migration velocity, user experience, service performance, and reliability. We also guide you through any remediation steps highlighted by this data to help you improve your network score.

Security and Compliance

Service FastTrack guidance details Source environment expectations
Azure Active Directory (Azure AD) and Azure AD Premium

We provide remote guidance for securing your cloud identities for the following scenarios.

Secure foundation infrastructure

  • Configuring and enabling strong authentication for your identities, including protecting with Azure Multi-Factor Authentication (MFA) (cloud only), the Microsoft Authenticator app, and combined registration for Azure MFA and self-service password reset (SSPR).
  • For non-Azure AD Premium customers, guidance is provided to secure your identities using security defaults.
  • For Azure AD Premium customers, guidance is provided to secure your identities with Conditional Access.
  • Detecting and blocking the use of weak passwords with Azure AD Password Protection.
  • Securing remote access to on-premises web apps with Azure AD Application Proxy.
  • Enabling risk-based detection and remediation with Azure Identity Protection.
  • Enabling a customized sign-in screen, including logo, text, and images with custom branding.
  • Securely sharing apps and services with guest users using Azure AD B2B.
  • Managing access for your Office 365 admins using role-based access control (RBAC) built-in administrative roles and reducing the number of privileged admin accounts.
  • Configuring hybrid Azure AD join.
  • Configuring Azure AD join.
Monitor and reporting
  • Enabling remote monitoring for AD FS, Azure AD Connect, and domain controllers with Azure AD Connect Health.
Governance
  • Managing your Azure AD identity and access lifecycle at scale with Azure AD entitlement management.
  • Managing Azure AD group memberships, enterprise app access, and role assignments with Azure AD access reviews.
  • Reviewing Azure AD Terms of Use.
  • Managing and controlling access to privileged admin accounts with Azure AD Privileged Identity Management.
Automation and efficiencies
  • Enabling Azure AD SSPR.
  • Allowing users to create and manage their own cloud security or Office 365 groups with Azure AD self-service group management.
  • Managing delegated access to enterprise apps with Azure AD delegated group management.
  • Enabling Azure AD dynamic groups.
  • Organizing apps in the My Apps portal using collections.
The on-premises Active Directory and its environment have been prepared for Azure AD Premium, including remediation of identified issues that prevent integration with Azure AD and Azure AD Premium features.
Microsoft 365 Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against sophisticated attacks. We provide remote guidance for:

  • Providing an overview of the Microsoft 365 security center.
  • Reviewing cross-product incidents, including focusing on what's critical by ensuring the full attack scope, impacted assets, and automated remediation actions are grouped together.
  • Demonstrating how Microsoft 365 Defender can orchestrate the investigation of assets, users, devices, and mailboxes that might have been compromised through automated self-healing.
  • Explaining and providing examples of how customers can proactively hunt for intrusion attempts and breach activity affecting your email, data, devices, and accounts across multiple data sets.
  • Showing customers how they can review and improve their security posture holistically using Microsoft Secure Score.

The following is out of scope

  • Project management of the customer's remediation activities.
  • Ongoing management, threat response, and remediation.
  • Deployment guidance or education on:
    • How to remediate or interpret the various alert types and monitored activities.
    • How to investigate a user, computer, lateral movement path, or entity.
    • Custom threat hunting.
  • Supporting GCC-High or GCC-DoD (Office 365 US Government).
  • Security information and event management (SIEM) or API integration.
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your Microsoft and third-party cloud services. We provide remote guidance for:
  • Configuring the portal, including:
    • Importing user groups.
    • Managing admin access and settings.
    • Scoping your deployment to select certain user groups to monitor or exclude from monitoring.
    • How to set up IP ranges and tags.
    • Personalizing the end-user experience with your logo and custom messaging.
  • Integrating first-party services including:
    • Microsoft Defender for Endpoint.
    • Microsoft Defender for Identity.
    • Azure AD Identity Protection.
    • Microsoft Purview Information Protection.
  • Setting up cloud discovery using:
    • Microsoft Defender for Endpoint.
    • Zscaler.
    • iboss.
  • Creating app tags and categories.
  • Customizing app risk scores based on your organization’s priorities.
  • Sanctioning and unsanctioning apps.
  • Reviewing the Defender for Cloud Apps and Cloud Discovery dashboards.
  • Enabling the app governance add-on.
    • Guide the customer through the overview page and create up to five (5) app governance policies.
  • Connecting featured apps using app connectors.
  • Protecting apps with Conditional Access App Control in the Conditional Access within Azure AD and Defender for Cloud Apps portals.
  • Deploying Conditional Access App Control for featured apps.
  • Using the activity and file logs.
  • Managing OAuth apps.
  • Reviewing and configuring policy templates.
  • Providing configuration assistance with the top 20 use cases for CASBs (including the creation or updating of up to six (6) policies) except:
    • Auditing the configuration of your infrastructure as a service (IaaS) environments (#18).
    • Monitoring user activities to protect against threats in your IaaS environments (#19).
  • Understanding incident correlation in the Microsoft 365 Defender portal.

The following is out of scope

  • Project management of the customer's remediation activities.
  • Ongoing management, threat response, and remediation.
  • Discussions comparing Defender for Cloud Apps to other CASB offerings.
  • Configuring Defender for Cloud Apps to meet specific compliance or regulatory requirements.
  • Deploying the service to a non-production test environment.
  • Deploying Cloud App Discovery as a proof of concept.
  • Supporting GCC-High or GCC-DoD (Office 365 US Government).
  • Setting up the infrastructure, installation, or deployment of automatic log uploads for continuous reports using Docker or a log collector.
  • Creating a Cloud Discovery snapshot report.
  • Blocking app usage using block scripts.
  • Adding custom apps to Cloud Discovery.
  • Connecting custom apps with Conditional Access App Control.
  • Onboarding and deploying Conditional Access App Control for any app.
  • Integrating with third-party identity providers (IdPs) and data loss prevention (DLP) providers.
  • Training or guidance covering advanced hunting.
  • Automated investigation and remediation including Microsoft Power Automate playbooks.
  • Security information and event management (SIEM) or API integration (including Microsoft Sentinel).
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. We provide remote guidance for:
  • Assessing the OS version and device management (including Microsoft Endpoint Manager, Microsoft Endpoint Configuration Manager, Group Policy Objects (GPOs), and third-party configurations) as well as the status of your Windows Defender AV services or other endpoint security software.
  • Onboarding Microsoft Defender for Endpoint P1 and P2 customers (including those with Windows 365 Cloud PC).
  • Providing recommended configuration guidance for Microsoft traffic to travel through proxies and firewalls restricting network traffic for devices that aren't able to connect directly to the internet.
  • Enabling the Microsoft Defender for Endpoint service by explaining how to deploy a Microsoft Defender for Endpoint endpoint detection and response (EDR) agent profile using one of the supported management methods.
  • Deployment guidance, configuration assistance, and education on:
    • Threat and vulnerability management.
    • Attack surface reduction.*
    • Next-generation protection.
    • EDR.
    • Automated investigation and remediation.
    • Secure score for devices.
    • Microsoft Defender SmartScreen configuration using Microsoft Endpoint Manager.
    • Device discovery.**
    • Providing Windows 365 Cloud PC security baseline guidance specifically for:
      • Attack surface reduction rules.
      • Microsoft Defender.
      • Microsoft Defender Antivirus.
      • Microsoft Defender Antivirus exclusions.
      • Microsoft Defender SmartScreen.
  • Reviewing simulations and tutorials (like practice scenarios, fake malware, and automated investigations).
  • Overview of reporting and threat analytics features.
  • Integrating Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint.
  • Conducting walkthroughs of the Microsoft 365 Defender portal.
  • Onboarding and configuration of the following operating systems:
    • Windows 10/11.
    • Windows Server 2012 R2.***
    • Windows Server 2016.***
    • Windows Server 2019.***
    • Windows Server 2022.***
    • Windows Server 2019 Core Edition.***
    • Supported macOS versions (see System requirements for more details).
    • Android.****
    • iOS.****

*Only attack surface reduction rules, controlled folder access, and network protection are supported. All other attack surface reduction capabilities aren't in scope. See the following out of scope section for more details.

**Only some aspects of device discovery are supported. See the following out of scope section for more details.

***Windows Server 2012 R2 and 2016 support is limited to the onboarding and configuration of the unified agent. All Windows versions must be managed by Configuration Manager or Microsoft Endpoint Configuration Manager 2017 (with the latest hotfix updates or greater).

****See the following out of scope section for mobile threat defense details.

The following is out of scope

  • Onboarding and enablement guidance for preview features.
  • Project management of the customer's remediation activities.
  • Troubleshooting issues encountered during engagement (including devices that fail to onboard).
  • Management of break/fix issues.
  • Supporting GCC-High or GCC-DoD (Office 365 US Government).
  • Supporting Microsoft Defender for Business.
  • On-site support.
  • Ongoing management and threat response.
  • Onboarding or configuration for the following Microsoft Defender for Endpoint agents:
    • Windows Server 2008.
    • Linux.
    • Virtual Desktop Infrastructure (VDI) (persistent or non-persistent).
  • Server onboarding and configuration:
    • Configuring a proxy server for offline communications.
    • Configuring Configuration Manager deployment packages on down-level Configuration Manager instances and versions.
    • Servers not managed by Configuration Manager.
    • Integrating Defender for Endpoint with Defender for Servers (Defender for Cloud).
  • macOS onboarding and configuration:
    • JAMF-based deployment.
    • Other mobile device management (MDM) product-based deployment.
    • Manual deployment.
  • Mobile threat defense onboarding and configuration (Android & iOS):
    • Unmanaged bring your own devices (BYOD) or devices managed by other enterprise mobility management systems.
    • Set up app protection policies (like mobile app management (MAM)).
    • Android device admin-enrolled devices.
    • Assistance with co-existence of multiple VPN profiles.
    • Onboarding devices to Intune. For more information on onboarding assistance, see the Microsoft Intune section.
  • Configuration of the following attack surface reduction capabilities:
    • Hardware-based app and browser isolation (including Application Guard).
    • App control.
    • Device control.
    • Exploit protection.
    • Network and endpoint firewalls.
  • Configuration or management of account protection features like:
    • Credential Guard.
    • Local user group membership.
  • Configuration or management of BitLocker. Note: For information on BitLocker assistance with Windows 11, see Windows 11.
  • Configuration or management of network device discovery.
  • Configuration or management of the following device discovery capabilities:
    • Onboarding of unmanaged devices not in scope for FastTrack (like Linux).
    • Configuring or remediating internet-of-things (IoT) devices including vulnerability assessments of IoT devices through Defender for IoT.
    • Integration with third-party tooling.
    • Exclusions for device discovery.
    • Preliminary networking assistance.
    • Troubleshooting network issues.
  • Mobile devices, including:
    • Attack surface reduction rules.
    • Extended detection and response.
    • Automated investigation and remediation (including live response).
    • Secure configuration assessment and Secure Score.
    • Web content filtering.
  • Attack simulations (including penetration testing).
  • Enrollment or configuration of Microsoft Threat Experts.
  • Configuration or training reviewing API or security information and event management (SIEM) connections.
  • Training or guidance covering advanced hunting.
  • Training or guidance covering the use of or creation of Kusto queries.
  • Training or guidance covering Microsoft Defender SmartScreen configuration using Group Policy Objects (GPOs), Windows Security, or Microsoft Edge.
  • Some Windows 365 features including:
    • Troubleshooting project management of customer Windows 365 deployment.
    • Configuration of Windows 365 Cloud PC.
    • Third-party app virtualization and deployment.
    • Custom images.
    • All other areas not listed as in-scope for Windows 365.
Contact a Microsoft Partner for assistance with these services.
Onboarding requirements for Windows 365 include:
  • Microsoft Endpoint Manager as a deployed management tool.
  • All other Microsoft Defender for Endpoint FastTrack in-scope activities, including:
    • Threat and vulnerability management.
    • Attack surface reduction.
    • Next-generation protection.
    • EDR.
    • Automated investigation and remediation.
    Microsoft Defender for Identity
    Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. We provide remote guidance for:
    • Running the sizing tool for resource capacity planning.
    • Creating your instance of Defender for Identity.
    • Connecting Defender for Identity to Active Directory.
    • Deploying the sensor to capture and parse network traffic and Windows events directly from your domain controllers, including:
      • Downloading the sensor package.
      • Configuring the sensor.
      • Installing the sensor on your domain controller silently.
      • Deploying the sensor to your multi-forest environment.
      • Configuring the Windows Event Collector.
    • Configuring the portal, including:
      • Integrating Defender for Identity with Microsoft Defender for Cloud Apps (Defender for Cloud Apps licensing isn't required).
      • Configuring entity tags.
      • Tagging sensitive accounts.
      • Receiving email notifications for health issues and security alerts.
      • Configuring alert exclusions.
    • Providing deployment guidance, configuration assistance, and education on:
      • Understanding the Identity Security Posture Assessment report.
      • Understanding the User Investigation Priority Score and User Investigation ranking report.
      • Understanding the inactive user report.
      • Explanation of the remediation options on a compromised account.
    • Facilitating the migration from Advanced Threat Analytics (ATA) to Defender for Identity.

    The following is out of scope

    • Project management of the customer's remediation activities.
    • Ongoing management, threat response, and remediation.
    • Deploying Defender for Identity as a proof of concept.
    • Supporting GCC-High or GCC-DoD (Office 365 US Government).
    • Deploying or performing the following Defender for Identity sensor activities:
      • Manual capacity planning.
      • Running the Auditing tool.
      • Deploying the standalone sensor.
      • Deploying to Active Directory Federation Services (AD FS) servers.
      • Deploying the sensor using a Network Interface Card (NIC) Teaming adaptor.
      • Deploying the sensor through a third-party tool.
      • Connecting to the Defender for Identity cloud service through a web proxy connection.
    • Configuring the Microsoft account (MSA) in Active Directory.
    • Creation and management of honeytokens.
    • Enabling Network Name Resolution (NNR).
    • Configuration of Deleted Objects container.
    • Deployment guidance or education on:
      • Remediating or interpreting various alert types and monitored activities.
      • Investigating a user, computer, lateral movement path, or entity.
      • Threat or advanced hunting.
      • Incident response.
    • Providing a security alert lab tutorial for Defender for Identity.
    • Providing notification when Defender for Identity detects suspicious activities by sending security alerts to your syslog server through a nominated sensor.
    • Configuring Defender for Identity to perform queries using security account manager remote (SAMR) protocol to identify local admins on specific machines.
    • Configuring VPN solutions to add information from the VPN connection to a user’s profile page.
    • Security information and event management (SIEM) or API integration (including Microsoft Sentinel).
    • Aligned with Microsoft Defender for Identity prerequisites.
    • Active Directory deployed.
    • The domain controllers you intend to install Defender for Identity sensors on have internet connectivity to the Defender for Identity cloud service.
      • Your firewall and proxy must be open to communicate with the Defender for Identity cloud service (*.atp.azure.com port 443 must be open).
    • Domain controllers running on one of the following:
      • Windows Server 2008 R2 SP1.
      • Windows Server 2012.
      • Windows Server 2012 R2.
      • Windows Server 2016.
      • Windows Server 2019 with KB4487044 (OS Build 17763.316 or later).
    • Microsoft .NET Framework 4.7 or later.
    • A minimum of five (5) GB of disk space is required and 10 GB is recommended.
    • Two (2) cores and six (6) GB of RAM installed on the domain controller.
    Microsoft Defender for Office 365
    Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

    We provide remote guidance for:

    • Reviewing Defender for Office 365 Recommended Configuration Analyzer (ORCA).
    • Setting up evaluation mode.
    • Enabling Safe Links (including Safe Documents), Safe Attachments, anti-phishing, pre-set security, and quarantine policies.
    • Understanding reporting and threat analytics.
    • Reviewing automation, investigation, and response.
    • Using Attack Simulator.
    • Configuring user-reported message settings.
    • Understanding incident correlation in the Microsoft 365 Defender portal.

    The following is out of scope

    • Project management of the customer's remediation activities.
    • Ongoing management, threat response, and remediation.
    • Supporting GCC-High or GCC-DoD (Office 365 US Government).
    • Discussions comparing Defender for Office 365 to other security offerings.
    • Deploying Defender for Office 365 as a proof of concept.
    • Mail flow analysis.
    • Advanced delivery and enhanced filtering.
    • Training or guidance covering advanced hunting.
    • Integration with Microsoft Power Automate playbooks.
    • Security information and event management (SIEM) or API integration (including Microsoft Sentinel).
    Aside from the Core onboarding portion in General, there are no minimum system requirements.
    Microsoft Intune
    We provide remote guidance on getting ready to use Intune as the cloud-based mobile device management (MDM) and mobile app management (MAM) provider for your apps and devices. The exact steps depend on your source environment and are based on your mobile device and mobile app management needs. The steps can include:
    • Licensing your end users.
    • Configuring identities to be used by Intune by leveraging either your on-premises Active Directory or cloud identities (Azure AD).
    • Adding users to your Intune subscription, defining IT admin roles, and creating user and device groups.
    • Configuring your MDM authority, based on your management needs, including:
      • Setting Intune as your MDM authority when Intune is your only MDM solution.
    • Providing MDM guidance for:
      • Configuring test groups to be used to validate MDM management policies.
      • Configuring MDM management policies and services like:
        • App deployment for each supported platform through web links or deep links.
        • Conditional Access policies.
        • Deployment of email, wireless networks, and VPN profiles if you have an existing certificate authority, wireless network, or VPN infrastructure in your organization.
        • Connecting to the Intune Data Warehouse.
        • Integrating Intune with:
          • TeamViewer for remote assistance (a TeamViewer subscription is required).
          • Mobile Threat Defense (MTD) partner solutions (an MTD subscription is required).
          • A telecom expense management solution (a telecom expense management solution subscription is required).
        • Enrolling devices of each supported platform to Intune.
    • Providing app protection guidance on:
      • Configuring app protection policies for each supported platform.
      • Configuring Conditional Access policies for managed apps.
      • Targeting the appropriate user groups with the previously mentioned MAM policies.
      • Using managed-apps usage reports.
    • Providing migration guidance from legacy PC management to Intune MDM.
    Certificate delivery

    We provide remote guidance for:

    • Simple Certificate Enrollment Protocol (SCEP) and the Network Device Enrollment Service (NDES).
      • Configuring Enterprise Certificate Authority-related items.
      • Creating and issuing a SCEP certificate template.
      • Installing and configuring NDES.
      • Installing and configuring the Microsoft Intune Connector for SCEP.
      • Installing and configuring Azure AD Application Proxy and Azure AD Application connectors.
      • Creating and assigning a trusted certificate device configuration profile in Microsoft Endpoint Manager.
      • Creating and assigning a SCEP certificate device configuration profile on Microsoft Endpoint Manager.
    • Public-Key Cryptography Standards (PKCS) and PFX (PKCS#12) certificates.
      • Configuring enterprise Certificate Authority-related items.
      • Creating and issuing a PKCS certificate template.
      • Installing and configuring a PFX certificate connector.
      • Creating and assigning a trusted certificate device configuration profile in Microsoft Endpoint Manager.
      • Creating and assigning a PKCS certificate device configuration profile in Microsoft Endpoint Manager.

    The following is out of scope

    • Helping customers with their public key infrastructure (PKI) certificates or enterprise Certificate Authority.
    • Supporting advanced scenarios, including:
      • Placing the NDES server in the customer's DMZ.
      • Configuring or using a Web Application Proxy server to publish the NDES URL externally to the corporate network. We recommend and provide guidance for using the Azure AD Application Proxy to accomplish this.
      • Using imported PKCS certificates.
      • Configuring Intune certification deployment using a hardware security module (HSM).

    Cloud-attach

    We guide you through getting ready to cloud-attach existing Configuration Manager environments with Intune. The exact steps depend on your source environment. These steps can include:

    • Licensing your end users.
    • Configuring identities to be used by Intune by leveraging your on-premises Active Directory and cloud identities.
    • Adding users to your Intune subscription, defining IT admin roles, and creating user and device groups.
    • Providing guidance on setting up hybrid Azure AD join.
    • Providing guidance on setting up Azure AD for MDM auto-enrollment.
    • Providing guidance on how to set up cloud management gateway when used as a solution for co-management of remote internet-based device management.
    • Configuring supported workloads that you want to switch to Intune.
    • Installing the Configuration Manager client on Intune-enrolled devices.

    Deploy Outlook mobile for iOS and Android securely

    We can provide guidance to help you deploy Outlook mobile for iOS and Android securely in your organization to ensure your users have all the required apps installed.
    The steps to securely deploy Outlook mobile for iOS and Android with Intune depend on your source environment. They can include:

    • Downloading the Outlook for iOS and Android, Microsoft Authenticator, and Intune Company Portal apps through the Apple App Store or Google Play Store.
    • Providing guidance on setting up:
      • The Outlook for iOS and Android, Microsoft Authenticator, and Intune Company Portal apps deployment with Intune.
      • App protection policies.
      • Conditional Access policies.
      • App configuration policies.

    Endpoint analytics

    We can provide guidance to help you enable Endpoint analytics for your organization. The steps to do so depend on your source environment. They can include:

    • Confirming the licenses for your endpoints and users.
    • Confirming your organizational environments meet the prerequisites for Endpoint analytics features.
    • Configuring endpoints with correct policies to enable Endpoint analytics features.
    • Setting organizational baselines to track progress.
    • Providing guidance on using Proactive remediation within Endpoint analytics, including:
      • Using Microsoft-authored remediation scripts.
      • Creating custom remediation scripts.
    • IT admins need to have existing Certificate Authority, wireless network, and VPN infrastructures already working in their production environments when planning on deploying wireless network and VPN profiles with Intune.
    • The customer environment should have an existing healthy PKI before enabling PKCS and SCEP certificate delivery with Intune.
    • Endpoint devices must be managed by Intune.

    • Note: The FastTrack service benefit doesn't include assistance for setting up or configuring Certificate Authorities, wireless networks, VPN infrastructures, or Apple MDM push certificates for Intune.


      Note: The FastTrack service benefit doesn't include assistance for setting up or upgrading either the Configuration Manager site server or Configuration Manager client to the minimum requirements needed to support cloud-attach. Contact a Microsoft Partner for assistance with this.

      Intune integrated with Microsoft Defender for Endpoint


      Note: We provide assistance on integrating Intune with Microsoft Defender for Endpoint and creating device compliance policies based on its Windows 10 risk level assessment. We don't provide assistance on purchasing, licensing, or activation. Contact a Microsoft Partner for assistance with this.

      Windows Autopilot

      IT admins are responsible for registering their devices to their organization by either having the hardware vendor upload their hardware IDs on their behalf or by uploading it themselves into the Windows Autopilot service.

    Microsoft Purview Compliance Manager We provide remote guidance for:
    • Reviewing role types.
    • Adding and configuring assessments.
    • Assessing compliance by implementing improvement actions and determining how this impacts your compliance score.
    • Reviewing built-in control mapping and assessing controls.
    • Generating a report within an assessment.

    The following is out of scope

    • Custom scripting or coding.
    • Purview eDiscovery API.
    • Data connectors.
    • Compliance boundaries and security filters.
    • Data investigations.
    • Data subject requests.
    • Design, architect, and third-party document review.
    • Compliance with industry and regional regulations and requirements.
    • Hands-on implementation of recommended improvement actions for assessments in Purview Compliance Manager.
    Aside from the Core onboarding portion in General, there are no minimum system requirements.
    Microsoft Purview Information Protection We provide remote guidance for:
    • Activating and configuring your tenant.
    • Data classification (supported in E3 and E5).
    • Sensitive information types (supported in E3 and E5).
    • Creating sensitivity labels (supported in E3 and E5).
    • Applying sensitivity labels (supported in E3 and E5).
    • Trainable classifiers (supported in E5).
    • Exact Data Match (EDM) custom sensitive information types (supported in E5).
    • Knowing your data with content explorer and activity explorer (supported in E5).
    • Publishing labels using policies (manual and automatic) (supported in E5).
    • Creating Endpoint data loss prevention (DLP) policies for Windows 10 (and greater) devices (supported in E5).
    • Creating Endpoint DLP policies for macOS devices (supported in E5).
    • Creating DLP policies for Microsoft Teams chats and channels.
    • Creating and setting up labels and policies (supported in E3 and E5).
    • Applying information protection to documents (supported in E3 and E5).
    • Automatically classifying and labeling information in Office apps (like Word, PowerPoint, Excel, and Outlook) running on Windows and using the Microsoft Purview Information Protection client (supported in E5).
    • Extending sensitivity labels to Outlook appointments, invites, and Teams online meetings (supported in E5).
    • Discovering and labeling files at rest using the Microsoft Purview Information Protection scanner (supported in E3 and E5).
    • Monitoring emails in transit using Exchange Online mail flow rules.
    • Migration guidance from Azure Information Protection add-in to built-in labeling for Office apps.
    • Creating and applying sensitivity labels to Power BI content (reports, dashboards, datasets, dataflows, and PBIX files).

    We also provide guidance if you want to apply protection using Microsoft Azure Rights Management Services (Azure RMS), Office 365 Message Encryption (OME), and DLP.

    The following is out of scope

    • Customer key.
    • Custom regular expressions (RegEx) development for sensitive information types.
    • Creation or modification of keyword dictionaries.
    • Interacting with customer data or specific guidelines for configuration of EDM-sensitive information types.
    • Custom scripting and coding.
    • Azure Purview.
    • Design, architect, and third-party document review.
    • Configuring Enterprise State Roaming.
    Aside from the Core onboarding portion in General, there are no minimum system requirements with the exception of Microsoft Purview Information Protection.

    Microsoft Purview Information Protection

    Customer prerequisite responsibilities include:

    Microsoft Purview Data Lifecycle Management and Records Management We provide remote guidance for:
    • Creating and applying retention policies (supported in E3 and E5).
    • Creating and publishing retention labels (supported in E3 and E5).
    • Creating and applying event-based retention labels (supported in E5).
    • Creating and applying adaptive policy scopes (supported in E5).
    • Reviewing file plan creation (supported in E5).
    • Reviewing dispositions (supported in E5).
    • Policy lookups (supported in E5).

    The following is out of scope

    • Development of a records management file plan.
    • Data connectors.
    • Development of information architecture in SharePoint.
    • Custom scripting and coding.
    • Design, architect, and third-party document review.
    • Importing PST files to Office 365.
    Aside from the Core onboarding portion in General, there are no minimum system requirements.
    Microsoft Purview Insider Risk Management Purview Insider Risk Management

    We provide remote guidance for:

    • Creating policies and reviewing settings.
    • Accessing reports and alerts.
    • Creating cases.

    Purview Communication Compliance

    We provide remote guidance for:

    • Creating policies and reviewing settings.
    • Accessing reports and alerts.
    • Creating notice templates.
    The following is out of scope
    • Creating and managing Power Automate flows.
    • Data connectors (beyond the HR connector).
    • Custom regular expression (RegEx) configurations.
    • Design, architect, and third-party document review.
    • Information barriers.
    • Privileged access management.
    Aside from the Core onboarding portion in General, there are no minimum system requirements.
    Microsoft Purview eDiscovery

    Purview eDiscovery (Premium)

    We provide remote guidance for:

    • Creating a new case.
    • Putting custodians on hold.
    • Performing searches.
    • Adding search results to a review set.
    • Running analytics on a review set.
    • Reviewing and tagging documents.
    • Exporting data from the review set.
    • Importing non-Office 365 data.

    Purview Audit (Premium) (only supported in E5)

    We provide remote guidance for:

    • Enabling advanced auditing.
    • Searching the audit log through the UI and with basic audit PowerShell commands.

    The following is out of scope

    • Custom scripting or coding.
    • Purview eDiscovery API.
    • Data connectors.
    • Compliance boundaries and security filters.
    • Data investigations.
    • Data subject requests.
    • Design, architect, and third-party document review.
    Aside from the Core onboarding portion in General, there are no minimum system requirements.

    Office 365

    Service FastTrack guidance details Source environment expectations
    Exchange Online For Exchange Online, we guide you through the process to get your organization ready to use email. The exact steps depend on your source environment and your email migration plans. We provide remote guidance for:
    • Setting up Exchange Online Protection (EOP) features for all mail-enabled domains validated in Office 365.
    • Pointing your mail exchange (MX) records to Office 365.
    • Setting up the Microsoft Defender for Office 365 feature if it’s a part of your subscription service. For more information, see the Microsoft Defender for Office 365 portion of this table.
    • Setting up the data loss prevention (DLP) feature for all mail-enabled domains validated in Office 365 as part of your subscription service. This is done once your MX records point to Office 365.
    • Setting up Office 365 Message Encryption (OME) for all mail-enabled domains validated in Office 365 as part of your subscription service. This is done once your MX records point to Office 365.
    Note: The Mailbox Replication service (MRS) attempts to migrate Information Rights Managed (IRM) emails from your on-premises mailbox to the corresponding Exchange Online mailbox. Ability to read the protected content post-migration depends on the customer mapping and copying Active Directory Rights Managed Services (AD RMS) templates to the Azure Rights Management Service (Azure RMS).
    • Configuring firewall ports.
    • Setting up DNS, including the required Autodiscover, sender policy framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) and MX records (as needed).
    • Setting up email flow between your source messaging environment and Exchange Online (as needed).
    • Undertaking mail migration from your source messaging environment to Office 365.
    • Configuring mailbox clients (Outlook for Windows, Outlook on the web, and Outlook for iOS and Android).
    Data migration
    For information on using the FastTrack benefit for data migration to Office 365, see Data Migration.
    Your source environment must have one of the following minimum levels:
    • Single or multiple Exchange organizations with Exchange Server 2010 onward.
    • A single Google Workspace environment (Gmail, Contacts, and Calendar only).
    • For information on Multi-Geo Capabilities, see Multi-Geo Capabilities in Exchange Online.
    Online client software like Project for Office 365, Outlook for Windows, Outlook for iOS and Android, OneDrive for Business sync client, Power BI Desktop, and Skype for Business must be at a minimum level as defined in System requirements for Microsoft 365 Office.
    Microsoft Defender for Office 365 For more information, see Microsoft Defender for Office 365 in Security and Compliance.
    Microsoft Purview Data Lifecycle For more information, see Microsoft Purview Data Lifecycle in Security and Compliance.
    Microsoft Purview Information Protection For more information, see Microsoft Purview Information Protection in Security and Compliance.
    Microsoft Teams We provide remote guidance for:
    • Teams prerequisites:
      • Confirming minimum requirements in Exchange Online, SharePoint Online, Office 365 Groups, and Azure AD to support Teams.
      • Configuring firewall ports.
      • Setting up DNS.
      • Confirming Teams is enabled on your Office 365 tenant.
      • Enabling or disabling user licenses.
      • Baseline network guidance:
        • Port and endpoint checks.
        • Connection quality checks.
        • Bandwidth estimates.
        • Configuring Teams app policy (Teams web app, Teams Desktop app, and Teams for iOS and Android app).
    • Onboarding Teams:
      • Teams Core enablement, including chat, collaboration, and meetings.
      • Configuring Microsoft Power BI with Call Quality Dashboard (CQD) templates.
      • Enabling Audio Conferencing.
        • Organization setup for conference bridge default settings.
        • Assignment of conference bridge to licensed users.
      • Enabling Teams live events.
    • Microsoft Teams Rooms:
      • Network preparation, including ports and firewall, proxy settings, optimization recommendations, and reporting guidance.
      • Creation and configuration of resource accounts needed for supported Teams Rooms devices including license assignment and mailbox settings.
      • Managing Teams Rooms devices including Teams admin center configurations and policies and Teams Rooms Pro Management.
      • Developing governance and compliance policies including hardware security and account security (like multi-factor authentication (MFA) guidance and password policies).
    • Microsoft Teams Phone:
      • Network preparation, including ports and firewall, proxy settings, optimization recommendations, and reporting guidance.
      • Developing governance and compliance policies including hardware security and account security (like MFA guidance and password policies).
      • Configuring Teams Phone features, including call queues, auto attendants, Calling Plan E911, voicemail, and voice policies.
      • Configuring Microsoft Power BI with Call Quality Dashboard (CQD) templates.
      • Public Switched Telephone Network (PSTN) Connectivity:
        • Calling Plans guidance including number porting, Operator Connect (where available), and Direct Routing (including Media Bypass and Local Media Optimization).
        • Migration from Skype for Business on-premises to Teams Phone.

    The following is out of scope

    • A/V and conference rooms design and installation.
    • Device procurement.
    • Third-party integrations (like Cloud Video Interop (CVI)).
    • Session Border Controller (SBC) trunking to carrier or legacy PBX.
    • Troubleshooting existing deployments.
    • End-user training.
    • Hands-on keyboard support.
    • Identities enabled in Azure AD for Office 365.
    • Users enabled for SharePoint Online.
    • Exchange mailboxes are present (online and on-premises in an Exchange hybrid configuration).
    • Enabled for Office 365 Groups.

    Note: If users aren't assigned and enabled with SharePoint Online licenses, they won't have OneDrive for Business storage in Office 365. File sharing continues to work in Channels, but users can't share files in Chats without OneDrive for Business storage in Office 365. Teams doesn't support SharePoint on-premises.

    Note: The ideal state is for all users to have their mailboxes homed on Exchange Online. Users with mailboxes homed on-premises must have their identities synchronized to the Office 365 directory through Azure AD Connect. For these Exchange hybrid customers, if the user's mailbox is on-premises, the user cannot add or configure Connectors. The installers for the Microsoft Teams Windows and Mac desktop clients can be downloaded from https://go.microsoft.com/fwlink/?linkid=839411.
    Outlook for iOS and Android We provide remote guidance for:
    • Identities enabled in Azure AD for Office 365.
    • Exchange Online configured and licenses assigned.
    Power BI We provide remote guidance for:
    • Assigning Power BI licenses.
    • Deploying the Power BI Desktop app.
    Online client software like Power BI Desktop must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
    Project Online We provide remote guidance for:
    • Verifying basic SharePoint functionality that Project Online relies on.
    • Adding the Project Online service to your tenant (including adding subscriptions to users).
    • Setting up the Enterprise Resource Pool (ERP).
    • Creating your first project.
    Online client software like Project for Office 365 must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
    Project Online Professional and Premium We provide remote guidance for:
    • Addressing deployment issues.
    • Assigning end-user licenses using the Microsoft 365 admin center and Windows PowerShell.
    • Installing Project Online Desktop Client from the Office 365 portal using Click-to-Run.
    • Configuring update settings using the Office 365 Deployment Tool.
    • Setting up a single on-site distribution server for Project Online Desktop Client, including assistance with the creation of a configuration.xml file for use with the Office 365 Deployment Tool.
    • Connecting Project Online Desktop Client to Project Online Professional or Project Online Premium.
    Online client software like Project for Office 365 must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
    SharePoint Online and OneDrive for Business We provide remote guidance for:
    • Planning site collections.
    • Securing content and managing permissions.
    • Configuring SharePoint Online features.
    • Configuring SharePoint hybrid features, like hybrid search, hybrid sites, hybrid taxonomy, content types, hybrid self-service site creation (SharePoint Server 2013 only), extended app launcher, hybrid OneDrive for Business, and extranet sites.
    • Your migration approach.
    • External user sharing.
    • Conditional Access.
    Additional guidance is provided for OneDrive for Business like:
    • Redirecting or moving known folders to OneDrive.
    • Deploying the OneDrive for Business sync client.
    Data migration
    For information on using the FastTrack benefit for data migration to Office 365, see Data Migration.

    For SharePoint hybrid:
    • SharePoint hybrid configuration includes configuring hybrid search, sites, taxonomy, content types, OneDrive for Business, an extended app launcher, extranet sites, and self-service site creation connected from on-premises to a single target SharePoint Online environment.
    • To enable SharePoint hybrid, you must have one of the following on-premises SharePoint Server environments: 2013, 2016, or 2019.
    Note: Upgrade of on-premises SharePoint environments to SharePoint Server is not in scope. Contact a Microsoft Partner for assistance. For more information, see Minimum public update levels for SharePoint hybrid features.
    Note: For information on Multi-Geo Capabilities, see Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365.
    Yammer Enterprise We provide remote deployment guidance for:
    • Configuring your Yammer network.
    • Customizing the look of your Yammer network.
    • Enforcing Office 365 identity for Yammer users.
    • Configuring Native Mode for Microsoft 365.
    • Configuring security and compliance in Yammer.
    • Configuring a Yammer usage policy.
    • Managing Yammer admins.
    • Working with Azure AD business-to-business (B2B) guests in Yammer communities.
    • Joining and creating a community in Yammer.
    • Managing communities.
    • Creating a dynamic group in Yammer.
    • Configuring live events in Yammer.
    • Monitoring Yammer usage.
    • Including a Yammer feed in a SharePoint page.
    • Installing the Yammer Communities app for Microsoft Teams.
    Online client software must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.

    Employee Experience

    Service FastTrack guidance details Source environment expectations
    Employee Experience scenario featuring Microsoft Viva Microsoft Viva is an employee experience platform that brings together communications, knowledge, learning, resources, and insights. Powered by Microsoft 365 and experienced primarily through Microsoft Teams, Microsoft Viva fosters a culture where people and teams are empowered to be their best from anywhere. The Employee Experience scenario includes:
    • Connection featuring Viva Connections and Viva Engage.
    • Insight featuring Viva Insights.
    • Growth featuring Viva Topics and Learning.

    We provide remote guidance for:

    • Confirming which modules and features within Microsoft Viva are needed to support your business objectives.
    • Assessing your source environment and scenario requirements.
    • Running the Employee Experience Advanced Setup Guide, specifically identifying the actions you need to take to bring your source environment up to the minimum requirements for successful scenario configuration, and guiding you through scenario configuration.

    The following is out of scope

    • Customer project management.
    • On-site support.
    • Custom development support.
      Microsoft Viva is built on top of the Microsoft 365 suite you currently use. Core deployments should include Office 365, Teams, modern SharePoint, and Yammer. Additional scenario configuration details are listed for each respective service in the following Microsoft Viva sections.
    Viva Connections Viva Connections encourages meaningful connections while fostering a culture of inclusion and aligning the entire organization around your vision, mission, and strategic priorities. We provide remote guidance for:
    • Creating a modern communication site for Viva Connections.
    • Branding of the SharePoint home site.
    • Configuring a news framework (for example, news posts, audience targeting, and Yammer integration).
    • Configuring your SharePoint home site, global navigation, and app bar.
    • Enabling the Viva Connections feed.
    • Deploying the Viva Connections Teams app.
    Viva Engage Viva Engage delivers high-value experiences including community building, leadership engagement, knowledge sharing, and self-expression. We provide remote guidance for:
    • Configuring your Yammer networks.
    • Customizing the look of your Yammer network.
    • Enforcing Office 365 identity for Yammer users.
    • Configuring native mode for Microsoft 365.
    • Configuring security settings in Yammer.
    • Configuring a Yammer usage policy.
    • Managing Yammer admins.
    • Working with Azure Active Directory (Azure AD) business-to-business (B2B) guests in Yammer communities.
    • Joining and creating a community in Yammer.
    • Managing communities.
    • Creating a dynamic group in Yammer.
    • Managing live events in Yammer.
    • Monitoring Yammer usage.
    • Including a Yammer feed on a SharePoint page.
    • Configuring Storyline.
    • Rolling out the Viva Engage app for Microsoft Teams.
      Online client software must be at a minimum level as defined in the system requirements for Microsoft 365 and Office.
    Viva Insights Viva Insights helps individuals, managers, and business leaders gain personalized insights and actionable recommendations.

    We provide remote guidance for:

    • Assigning licenses to end users.
    • Assigning roles for admins.
    • Enabling personal insights.
    • Enabling teamwork habits and organization trends.
    • Deploying the Viva Insights Teams app.
    The customer must have their mailboxes in Exchange Online.
    Viva Topics Viva Topics empowers employees to find answers and experts and connect with others in their department and beyond. We provide remote guidance for:
    • Assigning licenses to end users.
    • Assigning roles for knowledge managers and admins.
    • Creating and configuring a topics center.
    • Setting up and managing topics.
    • Security trimming of SharePoint Online sites.
    • Deploying the Viva Topics Teams app.
    Viva Learning Viva Learning enables employees to discover, share, and track learning from various content sources. It enables business leaders to drive a culture of learning through empowered time management and coaching. We provide remote guidance for:
    • Assigning licenses to end users.
    • Assigning roles for knowledge admins.
    • Configuring settings for the learning content sources.
    • Configuring SharePoint as a learning content source.
    • Deploying the Viva Learning Teams app.
    Viva Goals Viva Goals immerses everyone in the company’s purpose and top priorities with a goal alignment solution that creates a culture of engaged employees achieving results. We provide remote guidance for:
    • Assigning licenses to users and groups.
    • Implementing organization creation rules.
    • Assigning Viva Goals admin roles.
    • Allowing Viva Goals integrations.
    • Allowing sites for dashboard embedding.
    • Assigning in-app Viva Goals organization admin roles.
    • Pinning Viva Goals in the Microsoft Teams app.
    • Objectives and key results (OKR) creation, rollout strategy, and training.
    • Planning and driving adoption of Viva Goals in your organization.
    • Promoting Viva Goals to employees and measuring engagement.
    • Connecting to support channels.

    Enterprise Mobility + Security

    Service FastTrack guidance details Source environment expectations
    Azure Active Directory (Azure AD) and Azure AD Premium For more information, see Azure Active Directory (Azure AD) and Azure AD Premium in Security and Compliance.
    Microsoft Purview Information Protection For more information on Microsoft Purview Information Protection, see Microsoft Purview Information Protection in Security and Compliance.
    Microsoft Intune For more information, see Microsoft Intune in Security and Compliance.

    Windows 11

    Service FastTrack guidance details Source environment expectations
    Windows 11 We provide guidance for updating to Windows 11 Enterprise from Windows 7 Professional, Windows 8.1 Professional, and Windows 10 Enterprise. Note: PCs must meet Windows 11 hardware requirements. We provide remote guidance for:
    • Understanding your Windows 11 intention.
    • Assessing your source environment and the requirements (ensure that Microsoft Endpoint Configuration Manager is upgraded to the required level to support the Windows 11 deployment).
    • Deploying Windows 11 Enterprise and Microsoft 365 Apps using Microsoft Endpoint Configuration Manager or Microsoft 365.
    • Recommending options for you to assess your Windows 11 apps.
    • Microsoft 365 Apps compatibility assessment by leveraging the Office 365 readiness dashboard in Configuration Manager or with the stand-alone Readiness Toolkit for Office plus assistance deploying Microsoft 365 Apps.
    • Creating a remediation checklist on what you need to do to bring your source environment up to the minimum requirements for a successful deployment.
    • Providing update guidance for your existing devices to Windows 11 Enterprise if they meet the needed device hardware requirements.
    • Providing update guidance to support your existing deployment motion. FastTrack recommends and provides guidance for an in-place upgrade to Windows 11. Guidance is also available for Windows clean image installation and Windows Autopilot deployment scenarios.
    • Deploying Microsoft 365 Apps using Configuration Manager as part of the Windows 11 deployment.
    • Providing guidance to help your organization stay up to date with Windows 11 Enterprise and Microsoft 365 Apps using your existing Configuration Manager environment or Microsoft 365.

    BitLocker

    We provide remote guidance for:

    • Assessing your Windows 11 environment and hardware for BitLocker configuration.
    • Recommending best practices for configuring BitLocker policies from Microsoft Endpoint Manager.
    • Enabling compliance reporting of BitLocker from Microsoft Endpoint Manager and Microsoft Endpoint Configuration Manager.
    • Providing guidance on configuring BitLocker for Windows Autopilot scenarios.
    • Providing guidance on BitLocker key recovery best practices.

    Windows Hello for Business

    We provide remote guidance for:

    • Assessing your Windows 10/11 environment and hardware for Windows Hello for Business configuration.
    • Enabling Windows passwordless authentication using Windows Hello for Business cloud trust.
    • Planning guidance for Windows Hello for Business hybrid key or certificate trust.

    The following is out of scope

    • Upgrading Configuration Manager to Current Branch.
    • Creating custom images for Windows 11 deployment.
    • Creating and supporting deployment scripts for Windows 11 deployment.
    • Converting a Windows 11 system from BIOS to Unified Extensible Firmware Interface (UEFI).
    • Enabling Windows 11 security features.
    • Configuring Windows Deployment Services (WDS) for Preboot Execution Environment (PXE) booting.
    • Using the Microsoft Deployment Toolkit (MDT) to capture and deploy Windows 11 images.
    • Using the User State Migration Tool (USMT).
    Contact a Microsoft Partner for assistance with these services.

    Windows Autopatch

    We provide remote guidance for:

    • Helping you understand the features of the Windows Autopatch service, validating environment prerequisites, and how the service relates to other Microsoft update tools.
    • Assessing your readiness for Windows Autopatch onboarding using the Readiness Assessment tool and addressing issues identified by the tool.
    • Understanding the process to enroll into the Windows Autopatch service.
    • Registering physical and virtual devices into the Windows Autopatch service.
    • Validating device updates and understanding reports.
    For PC update, you must meet these requirements:
    • Source OS: Windows 10 Enterprise or Professional.
    • Devices: Desktop, notebook, or tablet form factor.
    • Target OS: Windows 11 Enterprise.
    For infrastructure upgrade, you must meet these requirements:
    • Microsoft Endpoint Configuration Manager.
    • The Configuration Manager version must be supported by the Windows 11 target version. For more information, see the Configuration Manager support table at Support for Windows 11 in Configuration Manager.
    Microsoft Defender for Endpoint For more information, see Microsoft Defender for Endpoint in Security and Compliance.

    Windows 365 Enterprise

    Service FastTrack guidance details Source environment expectations
    Windows 365 Enterprise Remote deployment guidance is provided to Microsoft customers for onboarding to Windows 365 Enterprise. Windows 365 takes the operating system to the Microsoft Cloud, securely streaming the full Windows experience—including all your apps, data, and settings—to your personal or corporate devices. You can provision Cloud PCs (devices that are deployed on the Windows 365 service) instantly across the globe and manage them seamlessly alongside your physical PC estate using Microsoft Endpoint Manager. This desktop-as-a-service (DaaS) solution combines the benefits of desktop cloud hosting with the simplicity, security, and insights of Microsoft 365. We provide remote guidance for the following:
    • Assigning licenses to users.
    • Creating and modifying Azure network connections (ANCs).
    • Adding and deleting device images, including standard Azure Marketplace gallery images and custom images. Some guidance may be provided around deploying language packs with custom images using the Windows 365 language installer script.
    • Creating, editing, and deleting provisioning policies.
    • Assisting with dynamic query expressions for dynamic groups and filtering.
    • Deploying Windows Update policies for Cloud PCs using Intune.
    • Deploying apps (including Microsoft 365 Apps for enterprise and Microsoft Teams with media optimizations) to Cloud PCs using Intune.
    • Securing Cloud PCs, including Conditional Access, multi-factor authentication (MFA), and managing Remote Desktop Protocol (RDP) device redirections.
    • Managing Cloud PCs on Microsoft Endpoint Manager, including remote actions, resizing, and other administrative tasks.
    • Optimizing end user experience.
    • Finding additional support for Windows 365.
    • Note: See the Microsoft 365 Defender and Microsoft Defender for Endpoint sections in Security and Compliance for details about Microsoft Defender for Endpoint and the security baseline scope as it applies to Windows 365.

    The following is out of scope

    • Project management of the customer’s Windows 365 deployment.
    • On-site support.
    • Creation of Azure subscription features including Azure Virtual Networks (VNets), ExpressRoute, and Site-to-Site (S2S) VPN.
    • Support for advanced networking topics.
    • Customizing images for a Cloud PC on behalf of customers.
    • Standalone use of Configuration Manager for managing Cloud PCs.
    • Deploying Windows updates for Cloud PCs using Configuration Manager.
    • Migrating virtual desktop infrastructure (VDI) or Azure Virtual Desktop virtual machines to Windows 365.
    • Migrating Configuration Manager or Microsoft Deployment Toolkit (MDT) images to Azure.
    • Migrating user profiles to or from Windows PCs.
    • Configuring network appliances on behalf of customers.
    • Support for third party integrations.
    Contact a Microsoft Partner or Microsoft FastTrack for Azure for assistance with items out of scope and/or if source environment expectations aren't met. If facing concerns about app compatibility, contact Microsoft App Assure.
    You must have the following before onboarding:
    • Windows 365 Enterprise licensing requirements.
    • If you aren't using a Microsoft-hosted network:
      • An Azure subscription associated with the Azure AD tenant where licenses are deployed.
      • VNet deployed in a region that is supported for Windows 365. The VNet should:
        • Have sufficient private IP addresses for the number of Cloud PCs you want to deploy.
        • Have connectivity to Active Directory (only for hybrid Azure AD joined configuration).
        • Have DNS servers configured for internal name resolution.

    Azure Virtual Desktop

    Service FastTrack guidance details Source environment expectations
    Azure Virtual Desktop Onboarding assistance for Azure Virtual Desktop is provided by FastTrack for Azure. Customers should contact FastTrack for Azure to check for eligibility. If the customer doesn't qualify, they should work with an Azure partner.
    Note: FastTrack for Azure has separate eligibility requirements.

    Universal Print

    Service FastTrack guidance details Source environment expectations
    Universal Print

    We provide remote guidance for:

    • Onboarding and configuring Universal Print.
    • Universal Print connector.
    • Universal Print-ready printers.
    • Deploying printers with Microsoft Endpoint Manager.
    • Printer and print job management. 
    • Configuring the Universal Print PowerShell module.

    The following is out of scope

    • Partner integrations.
    • Third-party app virtualization and deployment.
    • Creating custom scripts with the Universal Print PowerShell module.
    • Universal Print developer features (including API).
    • Configuring Windows servers for printing.
    Source environment expectations:
    • One of the following licenses:
      • Microsoft 365 Enterprise F3, E3, or E5. 
      • Microsoft 365 Education A3 or A5. 
      • Microsoft 365 Business Premium.
      • Windows 10/11 Enterprise E3 or E5. 
      • Windows 10/11 Education A3 or A5.
    • Azure Active Directory (Azure AD) tenant set up (any edition). 
    • Universal Print connector host and/or Universal Print-ready printers. 
    • Client devices must be running Windows 11 or Windows 10 version 1903 or greater.

    App Assure

    Service FastTrack guidance details Source environment expectations
    App Assure App Assure is a service designed to address issues with Windows and Microsoft 365 Apps app compatibility and is available to all Microsoft customers. When you request the App Assure service, we work with you to address valid app issues. To request App Assure assistance, complete the App Assure service request.

    We also provide guidance to customers who face compatibility issues when deploying Windows 365 Cloud PC, Windows Virtual Desktop, and Microsoft Edge and make every reasonable effort to resolve compatibility issues. We provide remediation assistance for apps deployed on the following Microsoft products:

    Note: FastTrack’s eligibility criteria don't apply to App Assure services, subject to Microsoft’s discretion.

    The following is out of scope

    • App inventory and testing to determine what does and doesn't work on Windows and Microsoft 365 Apps. For more guidance on this process, see the Windows and Office 365 deployment lab kit. If you're interested in guidance for modernizing endpoints or deploying Windows 11, request assistance from FastTrack.
    • Researching third-party ISV apps for Windows compatibility and support statements.
    • App packaging-only services. However, the App Assure team packages apps that we have remediated for Windows to ensure they can be deployed in the customer's environment.
    • Although Android apps on Windows 11 are available to Windows Insiders, App Assure doesn't currently support Android apps or devices, including Surface Duo devices.

    Customer responsibilities include

    • Creating an app inventory.
    • Validating those apps on Windows and Microsoft 365 Apps.
    • Validating your apps with Test Base for Microsoft 365.
    Note: Microsoft can't make changes to your source code. However, the App Assure team can provide guidance to app developers if the source code is available for your apps.

    Contact a Microsoft Partner for assistance with these services.

    Windows and Microsoft 365 Apps
    • Apps that worked on Windows 7, Windows 8.1, Windows 10, and Windows 11 also work on Windows 10/11.
    • Apps that worked on Office 2010, Office 2013, Office 2016, and Office 2019 also work on Microsoft 365 Apps (32-bit and 64-bit versions).
    Windows 365 Cloud PC
    • Apps that worked on Windows 7, Windows 8.1, Windows 10, and Windows 11 also work on Windows 365 Cloud PC.
    Windows on Arm
    • Apps that worked on Windows 7, Windows 8.1, Windows 10, and Windows 11 also work on Windows 10/11 on Arm64 devices.
    Note:
    • x64 (64-bit) emulation is available on Windows 11 on Arm devices.
    Microsoft Edge
    • If your web apps or sites work on Internet Explorer 11, supported versions of Google Chrome, or any version of Microsoft Edge, they'll also work with Microsoft Edge.
    • As the web is constantly evolving, be sure to review this published list of known site compatibility-impacting changes for Microsoft Edge.
    Note:
    • App Assure helps you configure IE mode to support legacy Internet Explorer web apps or sites. Support for development to modernize Internet Explorer web apps or sites to run natively on the Chromium engine isn't covered under this benefit.
    Windows Virtual Desktop
    • Apps running on Windows 7, Windows 8.1, Windows 10, Windows 11, or Windows Server (as virtualized apps) also run on:
      • Windows 10/11 Enterprise.
      • Windows 10/11 Enterprise multi-session.
    Note: Windows Enterprise multi-session compatibility exclusions and limitations include:
    • Limited redirection of hardware.
    • A/V-intensive apps may perform in a diminished capacity.
    • 16-bit apps aren't supported for 64-bit Windows Virtual Desktop.

    Microsoft Edge

    Service FastTrack guidance details Source environment expectations
    Microsoft Edge We provide remote deployment and adoption guidance and compatibility assistance for:
    • Deploying Microsoft Edge on Windows 10/11 with Microsoft Endpoint Manager (Microsoft Endpoint Configuration Manager or Intune).
    • Configuring Microsoft Edge (using group policies or Intune app configuration and app policies).
    • Inventorying the list of sites that may require use in Internet Explorer mode.
    • Enabling Internet Explorer mode with the existing Enterprise Site List. (For more information, see Engaging FastTrack.) Additionally, if you have a web app or site that works with Internet Explorer or Google Chrome and you experience compatibility issues, we provide guidance to resolve the issue at no additional cost. To request compatibility support for App Assure, sign in to the FastTrack portal to start an engagement.
      • Publishing your Enterprise Site List to support IE mode in Microsoft Edge. This includes publishing the list on-premises or using the Cloud Site List Management feature in Microsoft 365.
      • Restricting Internet Explorer through policy.
    • Planning guidance for Edge adoption and configuration guidance for Microsoft Search bookmarks.

    The following is out of scope

    • Project management of the customer's Microsoft Edge deployment.
    • On-site support.

    Microsoft Surface

    Service FastTrack guidance details Source environment expectations
    Surface PC Remote deployment guidance is provided to eligible customers for deploying and onboarding their Surface PC devices to Microsoft 365 services. Chip-to-cloud security helps protect the customer's employees against security threats. Surface devices also help keep your company secure and compliant.

    We provide remote guidance for:

    • Assigning licenses to users.
    • Configuring device enrollment.
    • Configuring Windows Autopilot profiles and Enrollment Status Page (ESP), including user- and self-driven, hybrid Azure AD join, and Azure AD join.
    • Registering devices.
    • Configuring hybrid Azure AD join and certificate connectors.
    • Configuring policies, baselines, and configuration policies.
    • Configuring:
      • BitLocker profiles.
      • Security baselines.
      • ADMX templates.
      • Settings catalog.
      • Compliance policies.
      • Device Firmware Configuration Interface (DFCI) policies.
    • Deploying apps, including line of business (LOB), Win32, and the Microsoft Store (limit of one app per type listed here).
    • Deploying PowerShell scripts.
    • Enabling cloud-attach and deploying cloud management gateway (CMG).
    • Servicing devices through update rings and quality and feature update policies.
    • Understanding troubleshooting mechanisms (like diagnostics, graphs, and logs).
    • Validating the deployment in a production pilot.
    • Assistance with the Surface Management Portal.

    The following is out of scope

    • Project management of the customer’s deployment.
    • On-site support.
    • Customizing images.
    • Deploying Configuration Manager.
    • Standalone use of Configuration Manager for managing Surface devices.
    • Troubleshooting issues.
    • Imaging or reimaging devices.
    • Customer reimaged devices (the devices must have the factory image).
    • Deployment of app protection policies.
    • Software and app packaging.
    • Enabling Windows or third-party security features beyond the ones previously listed here.
    • Creation of scripts (like PowerShell custom scripts).
    • Configuring hybrid Azure AD join over VPN.

    Contact a Microsoft Partner or Microsoft FastTrack for Azure for assistance with items out of scope or if your source environment expectations aren't met. If you're dealing with concerns about app compatibility, contact Microsoft App Assure.

      You must have the following before onboarding:
      • Microsoft 365 Enterprise licensing requirements.
      • Devices are ready for deployment.
      • At least one (1) Surface PC device needs to be on-site.
      • Microsoft Endpoint Manager licenses.
      • An administrative account that has global admin role permissions.
      • For DFCI policies, Windows Autopilot partner registration is required.
    Surface Hub 2S devices We provide remote guidance for:
    • Planning and setting up device accounts for Microsoft 365 integration.
    • Tenant and licensing assignments for the resource account.
    • Creating the resource account and mailbox.
    • Configuring settings for the resource account (like auto accept, room info, and mail tips).
    • Configuring the Exchange ActiveSync (EAS) policy for the resource account.
    • Configuring devices for Microsoft 365 and Azure AD join.
    • Configuring tenant and Azure AD whiteboard settings that prevent sharing.
    • Configuring experience settings (like timeouts and prior session resumption).
    • Configuring devices for Microsoft 365 multi-factor authentication (MFA) (including passwordless sign-in).
    • Integration with Microsoft Teams (including device access to Teams meetings).
    • Providing Microsoft Intune and provisioning package (PPKG) options (including proximity join configuration and A/V meeting join defaults).
    • Managing Intune using the SurfaceHub configuration service provider (CSP).
    • Deploying Microsoft Edge (non-Universal Windows Platform (UWP) versions).
    • Using Intune to review CSP policies for Windows 10 Team 2020.
    • Using device model attributes within Azure AD to help create dynamic groups to find and manage Surface Hub devices.
    • Deploying firmware updates using Windows Update for Business.
    • Upgrading to Windows 10 Team 2020, Windows 10 Pro, or Windows 10 Enterprise.

    The following is out of scope

    • Project management of the customer’s deployment.
    • On-site support.
    • Support for customers who are in restricted environments (like U.S. Government/GCC-High or that limit out-of-box (OOB) features).
    • Onsite unboxing, mounting, A/V, conference room system integration, or third-party teleconferencing integration (like Zoom and Cisco).
    • Integration of third-party identity, mobile device management (MDM), or mobile app management (MAM) systems.
    • Surface Hub health checks.
    • Unsupported or custom app installations.
    • Deployment of onsite resources.
    • Support for third-party identity providers.
    • Support for Wi-Fi infrastructure (like Network Policy Server (NPS), Remote Authentication Dial-In User Service (RADIUS), or public key infrastructure (PKI)).
    • Surface Hub (v1) support.
    • Support for Microsoft Teams Rooms and Surface Hub 2S.
    Contact a Microsoft Partner or Microsoft FastTrack for Azure for assistance with items out of scope or if your source environment expectations aren't met. If you're dealing with concerns about app compatibility, contact Microsoft App Assure.
      You must have the following before onboarding:
      • Microsoft 365 Enterprise licensing requirements.
      • Devices are ready for deployment.
      • At least one (1) Surface Hub 2S device needs to be on-site.
      • Microsoft Endpoint Manager licenses.
      • An administrative account that has global admin role permissions.