Adjust settings after enrollment

After you've completed enrollment in Microsoft Managed Desktop, some management settings might need to be adjusted. To check and adjust if needed, follow these steps:

  1. Review the Microsoft Intune and Azure Active Directory settings described in the next section.
  2. If any of the items apply to your environment, make the adjustments as described.

Note

As your operations continue in following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Microsoft Managed Desktop, it's possible that Microsoft Managed Desktop could stop operating properly. To avoid problems with the service, check the specific settings described in Fix issues found by the readiness assessment tool before you change the policies listed there.

Microsoft Intune settings

Autopilot deployment profile

If you use any Autopilot policies, update each one to exclude the Modern Workplace Devices -All Azure AD group.

To update the Autopilot policies:

Under Assignments, in the Excluded groups, select the Modern Workplace Devices -All Azure AD group that was created during Microsoft Managed Desktop enrollment.

Microsoft Managed Desktop will also have created an Autopilot profile, which will have "Modern Workplace" in the name (the Modern Workplace Autopilot Profile). When you update your own Autopilot profiles, ensure that you don't exclude the Modern Workplace Devices -All Azure AD group from the Modern Workplace Autopilot Profile that was created by Microsoft Managed Desktop.

Conditional Access policies

If you create any new conditional access policies related to Azure AD, Microsoft Intune, or Microsoft 365 Defender for Endpoint after Microsoft Managed Desktop enrollment, exclude the Modern Workplace Service Accounts Azure AD group from them. For more information, see Conditional Access: Users and groups. Microsoft Managed Desktop maintains separate conditional access policies to restrict access to these accounts.

To review the Microsoft Managed Desktop conditional access policy (Modern Workplace – Secure Workstation):

Go to Microsoft Endpoint Manager and navigate to Conditional Access in Endpoint Security. Don't modify any Azure AD conditional access policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name.

Multi-factor authentication

If you create any new multi-factor authentication requirements in conditional access policies related to Azure AD, Intune, or Microsoft 365 Defender for Endpoint after Microsoft Managed Desktop enrollment, exclude the Modern Workplace Service Accounts Azure AD group from them. For more information, see Conditional Access: Users and groups. Microsoft Managed Desktop maintains separate conditional access policies to restrict access to members of this group.

To review the Microsoft Managed Desktop conditional access policy (Modern Workplace -):

Go to Microsoft Endpoint Manager and navigate to Conditional Access in Endpoint Security.

Windows 10 update ring

For any Windows 10 update ring policies you've created, exclude the Modern Workplace Devices -All Azure AD group from each policy. For more information, see Create and assign update rings.

Microsoft Managed Desktop will also have created some update ring policies, all of which will have "Modern Workplace" in the name. For example:
  • Modern Workplace Update Policy [Broad]
  • Modern Workplace Update Policy [Fast]
  • Modern Workplace Update Policy [First]
  • Modern Workplace Update Policy [Test]

When you update your own policies, ensure that you don't exclude the Modern Workplace Devices -All Azure AD group from those that Microsoft Managed Desktop created.
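The Conditional Access and multi-factor authentication items above both come down to the same check: every policy your tenant created after enrollment must exclude the Modern Workplace Service Accounts group, while the policies Microsoft Managed Desktop created (names containing "Modern Workplace") are left alone. The following audit script is an added example, not code from the article or from Microsoft Managed Desktop; it assumes the Microsoft Graph PowerShell SDK modules (Microsoft.Graph.Groups and Microsoft.Graph.Identity.SignIns) are installed and that the signed-in admin can be granted the Policy.Read.All and Group.Read.All scopes.

```powershell
# Added example: report Conditional Access policies that do not exclude the
# Modern Workplace Service Accounts group. Read-only; nothing is modified.
# Assumes Microsoft.Graph.Groups and Microsoft.Graph.Identity.SignIns are installed.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All"

$groupName = "Modern Workplace Service Accounts"
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Top 1
if (-not $group) {
    throw "Group '$groupName' was not found; confirm that Microsoft Managed Desktop enrollment completed."
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
$findings = foreach ($policy in $policies) {
    # Policies created by Microsoft Managed Desktop carry "Modern Workplace" in the
    # name and must not be changed, so they are skipped rather than reported.
    if ($policy.DisplayName -like "*Modern Workplace*") { continue }

    # ExcludeGroups holds the object IDs of groups excluded from the policy.
    $excludedGroups = @($policy.Conditions.Users.ExcludeGroups)
    [pscustomobject]@{
        Policy                  = $policy.DisplayName
        State                   = $policy.State
        ServiceAccountsExcluded = ($excludedGroups -contains $group.Id)
    }
}

# The remaining rows are the policies to adjust in the portal, per the article.
$findings | Where-Object { -not $_.ServiceAccountsExcluded } | Format-Table -AutoSize
```

The script reports on tenant-created policies in every state, including report-only and disabled ones, because a disabled policy that lacks the exclusion becomes a problem the moment it is enabled. Fixing a flagged policy is still done in the portal as the article describes (Conditional Access: Users and groups, Exclude); the script deliberately does not write to policies.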

Azure Active Directory settings

Self-service password reset: if you use self-service password reset for all users, adjust the assignment to exclude Microsoft Managed Desktop service accounts.

To adjust this assignment:

  1. Create an Azure AD dynamic group for all users except Microsoft Managed Desktop service accounts.
  2. Use that group for assignment instead of "all users."

To help you find and exclude the service accounts, here's an example of a dynamic query you can use:

(user.objectID -ne null) and (user.userPrincipalName -ne "MSADMIN@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MSADMININT@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MWAAS_SOC_RO@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MWAAS_WDGSOC@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MSTEST@TENANT.onmicrosoft.com")

In this query, replace @TENANT with your tenant domain name.
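The two steps above (create the dynamic group, then assign it instead of "all users") can be scripted so that the membership rule is built exactly as the article shows it, with one clause per service account. This is an added example and not code from the article or from Microsoft Managed Desktop; it assumes the Microsoft.Graph.Groups module is installed and the caller can be granted Group.ReadWrite.All. The group display name and mail nickname are placeholders chosen for the example, and TENANT is the same placeholder the article uses for your tenant domain name.

```powershell
# Added example: create the "all users except Microsoft Managed Desktop service
# accounts" dynamic group used to scope self-service password reset.
# Assumes Microsoft.Graph.Groups is installed.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Placeholder: replace with your tenant domain name, as the article instructs.
$tenant = "TENANT"

# The service account UPNs listed in the article's example query.
$serviceAccounts = @("MSADMIN", "MSADMININT", "MWAAS_SOC_RO", "MWAAS_WDGSOC", "MSTEST") |
    ForEach-Object { "$_@$tenant.onmicrosoft.com" }

# Build the membership rule: every user object, minus each service account by UPN.
$clauses = $serviceAccounts | ForEach-Object { "(user.userPrincipalName -ne `"$_`")" }
$membershipRule = "(user.objectID -ne null) and " + ($clauses -join " and ")

# Dynamic membership requires GroupTypes = DynamicMembership and an "On" processing state.
$group = New-MgGroup `
    -DisplayName "SSPR - All users except MMD service accounts" `
    -Description "Self-service password reset scope; excludes Microsoft Managed Desktop service accounts" `
    -MailEnabled:$false `
    -MailNickname "sspr-all-users-except-mmd" `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $membershipRule `
    -MembershipRuleProcessingState "On"

# Assign this group in the self-service password reset settings instead of "All users".
$group.Id
```

Generating the rule from a list rather than pasting the long query by hand avoids the usual failure mode of a missing parenthesis or a mistyped UPN silently widening the group. After creation, wait for dynamic membership processing to finish and confirm in the Azure AD portal that the five service accounts are absent from the group before switching the self-service password reset assignment over to it.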

Steps to get started with Microsoft Managed Desktop

  1. Access admin portal.
  2. Add and verify admin contacts in the Admin portal.
  3. Adjust settings after enrollment (this article).
  4. Deploy and assign the Intune Company Portal.
  5. Assign licenses.
  6. Deploy apps.
  7. Prepare devices.
  8. Set up first-run experience with Autopilot and the Enrollment Status Page.
  9. Turn on user support features.
  10. Get your users ready to use devices.
  11. Get started with app control.