Standard operating procedures

The Microsoft Managed Desktop service is implemented and operated by Microsoft in your Microsoft cloud instance where you might conduct other administrative activities. Microsoft is solely responsible for Microsoft Managed Desktop-specific setup, configuration, and operation.

For on-premises products, your organization takes on all the responsibility for managing setup, configuration, and operational activities.

Categories (Microsoft will / Customer will)

Network (proxy, packet inspection, VPN)
  Microsoft will:
    • Advise and plan with customers to minimize risk to business users
  Customer will:
    • Submit a support request requesting information for a planned configuration change. Include the configuration details, scope, timeline, and other pertinent details for Microsoft to review
    • Only apply a change once Microsoft Managed Desktop Operations has assessed and advised

Service accounts
  Microsoft will:
    • Implement, securely store, and manage the credentials
  Customer will:
    • Submit a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review
    • Only apply a change once Microsoft Managed Desktop Operations has assessed and advised
    • Not assign policy, multi-factor authentication, conditional access, or application deployment to the Microsoft Managed Desktop service accounts
    • Not reset the password or use the credentials
    • Open a Sev C support request to Microsoft Managed Desktop Operations if suspicious activity is observed in Intune or Azure audit logs, related to these service accounts

Deployment rings
  Customer will:
    • Submit a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review
    • Only apply a change once Microsoft Managed Desktop Operations has assessed and advised
    • Only assign devices to Microsoft Managed Desktop deployment rings
    • Only use the deployment rings to assign corporate certificates for services such as VPN, Windows Hello for Business or email encryption, or corporate WiFi profile configuration
    • In the case of co-management, all workloads must be set to Intune for Microsoft Managed Desktop devices with Configuration Manager client installed. Otherwise, should any workload be set to Configuration Manager, exclude client installation for Microsoft Managed Desktop devices

Policies
  Microsoft will:
    • Implement and manage the Microsoft Managed Desktop policies that govern the configuration state of devices within service
    • Deploy updates, to policy or Windows, incrementally using deployment rings
    • Explicitly exclude non-Microsoft Managed Desktop devices
  Customer will:
    • Submit a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review
    • Only apply a change once Microsoft Managed Desktop Operations has assessed and advised
    • Not edit or assign Microsoft Managed Desktop policies to devices or users not managed by the Microsoft Managed Desktop service

Microsoft Defender XDR for Endpoint
  Microsoft will:
    • Monitor and investigate devices within the scope of the Microsoft Managed Desktop service
  Customer will:
    • Submit a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review
    • Only apply a change once Microsoft Managed Desktop Operations has assessed and advised

Device updates
  Microsoft will:
    • Govern the update deployment schedule and settings for Windows quality updates within the Microsoft Managed Desktop deployment rings
    • Govern the Feature update policies deployment schedule and settings for Windows feature updates within the Microsoft Managed Desktop deployment rings
    • Govern the Microsoft 365 Apps for enterprise update policies deployment schedule and settings for Office application suite within the Microsoft Managed Desktop deployment rings
    • Govern the Microsoft Edge update policies deployment schedule and settings for Microsoft Edge within the Microsoft Managed Desktop deployment rings
  Customer will:
    • Submit a support request requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review
    • Only apply a change once Microsoft Managed Desktop Operations has assessed and advised
    • Ensure network availability of required Microsoft 365 network endpoints required for client updates
    • Submit a support request in the event of updates not being business ready for the organization being managed. Microsoft Managed Desktop Operations will pause updates for the duration specified

Certificates
  Customer will:
    • Submit a support request 60 days prior to a certificate expiring, requesting information for a planned configuration change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review
    • Only apply a change once Microsoft Managed Desktop Operations has assessed and advised
    • Update all certificates that are required to configure certificate profiles, VPN profiles, and Wi-Fi profiles

Application management
  Microsoft will:
    • Govern the installation of Microsoft apps required for the daily operation of Microsoft Managed Desktop devices
  Customer will:
    • Submit a support request requesting information for a planned Microsoft application change. Include configuration details, scope, timeline, and other pertinent details for Microsoft to review
    • Only apply a change once Microsoft Managed Desktop Operations has assessed and advised