Get user support

Your Microsoft Managed Desktop users can get support either from your organization ("customer-led" support) or from a selected partner ("partner-led" support).

We aim to provide a consistent experience for users while keeping devices secure with both support options. No matter which option you choose, these same principles apply:

  • Flexible integration of Microsoft Managed Desktop devices with your existing support processes.
  • Clear roles and responsibilities between the support provider, IT admins, and Microsoft Managed Desktop.
  • Defined escalation paths.
  • Documentation provided by Microsoft Managed Desktop, along with a portal, where you can request elevated device access and escalation to our support staff, if needed.
  • Threat monitoring and mitigation provided by Microsoft Managed Desktop all day every day.

Roles and responsibilities

To ensure the quality of service without compromising security, the support provider, IT admins, and Microsoft Managed Desktop have different roles and responsibilities.

Role Responsibilities
Support provider Whoever provides support (either you for customer-led support or a partner for partner-led) is responsible for these items:
  • Provide all user support and technical assistance from first contact through to resolution for the user.
  • Fulfill all service-level agreements for user support established by your organization, or in partnership with your chosen support provider.
  • Perform specific remediation actions, such as requesting elevated device privileges as described in Elevation requests.
  • Remediate user problems including:
    • Operating system (Windows)
    • Microsoft Apps for enterprise
    • Browser features
    • Device problems
    • Problems with infrastructure, such as printers, drivers, and VPNs
    • Line-of-business applications
IT admin Your IT admin is responsible for these items:
  • Work with the support provider to set and manage service level agreements for user support
  • Manage elevated access privileges for approved support staff. For more information, see Turn on user support features.
  • If there are device issues affecting users, escalate the issues by submitting a support request.
  • Route hardware-related issues to the appropriate vendor or supplier.
  • Maintain and protect device security policy settings on Microsoft Managed Desktop devices. Don't change the policies we set.
Microsoft Managed Desktop As the service provider, we're responsible for these items:
  • Provide the means for elevated device access and issue escalation including documentation.
  • Keep this information about the roles and responsibilities current.
  • Respond to admin support requests in accordance with the severity definitions.
  • Provide threat monitoring and mitigation for all enrolled devices all day every day.

Escalation paths

Whether support is customer-led or partner-led, the flow of activity for a user support request follows this path:

When a user contacts support, they'll work through your tiered staff system as you've designed. It's important to designate a group of support staff that will be given the abilities for elevation and escalation, known as the support escalation team. For specific Microsoft Managed Desktop issues, they can escalate to our Operations team. Or for other Microsoft issues, they can route to your existing support channel, Unified or Premier. Hardware issues should always be routed to your established provider or supplier

Integrating your existing processes with this workflow for Microsoft Managed Desktop devices is flexible, so the details could be different. Typically, the support provider follows an existing tier-based or handoff approach. The support provider designates specific users, who have the ability to elevate permissions or escalate issues, to Microsoft Managed Desktop Operations. It's best to keep this group smaller than the broader support team.

If an issue must be escalated to Microsoft Managed Desktop, it's helpful to identify which team the issue should be directed to. We can transfer cases appropriately, but it saves time to route them to the right place from the start.

Problem Contact this team
Problems specific to Microsoft Managed Desktop For example, a policy or setting that's deployed by the service itself. Escalate directly to the Operations team by creating a new support request. For more information, see escalation request.
Hardware problems Direct to your hardware supplier or vendor.
Other problems Escalate through existing support channels, whether that's a Unified or Premier subscription.

Support framework


These support options are not available for devices in the Test group.

Elevation portal

Since Microsoft Managed Desktop devices run on standard user by default, some tasks require elevation of privileges. For more information about user account control, see User account control. In order for support staff to be able to perform tasks while fixing issues for users, we provide "just-in-time" access to an admin account. This password is accessed securely by only users you designate, and rotates every couple of hours.

For steps on how to set up users to access to this portal, see Turn on user support features.

For steps on submitting an elevation request, see Elevation requests.

Escalation portal

If an issue requires escalation to the Microsoft Managed Desktop Operations team, designated support staff might direct similar to an IT admin support request.


Only Sev C support requests can be filed in this manner. For an issue matching the description of other severities, it's recommended to contact the appropriate IT admin to file. For more info, see Support request severity definitions.

For steps on how to set up users for access to this portal, see Turn on user support features.

For steps on submitting an escalation request, see Escalation requests.

Submit an elevation or escalation request


Ensure you've set up user support before you submit an elevation or escalation request.

If you've reached the point in the escalation path where you need to request elevated device access or escalation to Microsoft, use the following steps:

Submit an elevation request

Before you request elevated access to a device, it's best to review which actions are best suited.

Actions Examples
Typical actions are intended for the elevation request process. It's performed routinely when fixing problems with Microsoft Managed Desktop devices.
  • Elevating built-in system fixes, the command prompt, or Windows PowerShell Troubleshooting line-of-business applications.
  • Using a workaround to correct something that should function by design (such as BitLocker activation or system time not updating).
  • Elevating Device Manager to do things like update drivers, uninstall a device, or scan for new changes.
Actions that aren't recommended
  • Installing software or browsers.
  • Installing drivers outside of Windows settings, including drivers for peripherals.
  • Installing .msi or .exe files.
  • Installing Windows features.
Actions that aren't supported
  • Installing software or features that conflict with Microsoft Managed Desktop security or management capabilities or operations.
  • Disabling a Windows feature that is required for Microsoft Managed Desktop, such as BitLocker.
  • Modifying settings managed by your organization.

    To request elevation:

    1. Go to the Microsoft Intune admin center and navigate to the Devices menu.
    2. In the Microsoft Managed Desktop section, select Devices, which contains two tabs: the Devices tab and the Elevation requests tab.
    3. To create a new elevation request on the Device tab, select a single device that you want to elevate.
    4. From the Device actions dropdown menu, select Request elevation. A new elevation request fly-in will appear with the device’s name pre-populated in that field.
    5. Instead, to create a new elevation request in the Elevations requests tab, select +New elevation request.
    6. Provide these details:
      • Support ticket ID: This is from your own support ticketing system.
      • Device name: This is only when creating request from the Elevation requests tab. Enter the device serial number and then select the device from the menu.
      • Category: Select the category that best fits your issue. If no option seems close, then select Other. It's best to select a category if at all possible.
      • Title: Provide a short description of the issue on the device.
      • Plan of action: Provide the remediation steps you plan to take once elevation is granted.
    7. Select Submit.
    8. The list and details of all active and closed requests can be seen on the Elevation requests tab.

    Submit an escalation request

    To escalate an issue to Microsoft:

    1. Go to the Microsoft Intune admin center and navigate to the Tenant administration menu.
    2. In the Microsoft Managed Desktop section, select Service requests.
    3. In the Service requests section, select + New support request.
    4. Provide a brief description in the Title field. Then, set the Request type to Incident.
    5. Select the Category and Sub-category that best fits your issue. Then, select Next.
    6. In the Details section, provide the following information:
      • Description: Add any extra details that could help our team understand the problem. If you need to attach files, you can do that by coming back to the request after you submit it.
      • Primary contact information: Provide information about how to contact the main person responsible for working with our team.
    7. Select the Severity level. For more information, see Support request severity definitions.
    8. Provide as much information about the request as possible to help the team respond quickly. Depending on the type of request, you may be required to provide different details.
    9. Review all the information you provided for accuracy.
    10. When you're ready, select Create.