Microsoft Managed Desktop technologies

This article lists the technologies and apps used in Microsoft Managed Desktop.

Microsoft 365 Enterprise licensing is required for all Microsoft Managed Desktop users. For more information on licensing requirements for the service, see Prerequisites for Microsoft Managed Desktop.

This article summarizes the components included in the required Enterprise licenses, and how the service uses each component with Microsoft Managed Desktop devices. Specific roles and responsibilities for each area are detailed throughout Microsoft Managed Desktop documentation.

Office 365 E3 or E5

| Product | Information |
| --- | --- |
| Microsoft 365 Apps for enterprise (64-bit) | The following Office applications will be shipped with the device: Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, and OneNote. The 64-bit full versions of Microsoft Project and Microsoft Visio aren't included. However, since the installation of these applications depends on the Microsoft 365 Apps for enterprise installation, Microsoft Managed Desktop created default Microsoft Intune deployments and security groups that you can use to deploy these applications to licensed users. For more information, see Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices. |
| OneDrive | Azure Active Directory Single Sign On is enabled for users when they first sign in to OneDrive. Known Folder Redirection for the Desktop, Documents, and Pictures folders is included. These folders are enabled and configured by Microsoft Managed Desktop. |
| Store Apps | Microsoft Sway and Power BI aren't shipped with the device. These apps are available for download from Microsoft Store. |
| Win32 Applications | Teams isn't shipped with the device, but it's packaged and provided by Microsoft for Microsoft Managed Desktop devices. Azure Information Protection Client isn't shipped with the device, but you can have it packaged for deployment. |
| Web Applications | The following web applications aren't shipped with the device: Yammer, Office in a browser, Delve, Flow, StaffHub, Power Apps, and Planner. Users can access the web version of these applications with a browser. |

Windows 10 Enterprise E5 or E3 with Microsoft Defender for Endpoint

We recommend that your IT admins configure the following settings.

Note

These settings aren't included or managed as part of Microsoft Managed Desktop.

| Product | Information |
| --- | --- |
| Windows Hello for Business | You should implement Windows Hello for Business to replace passwords with strong two-factor authentication for Microsoft Managed Desktop devices. For more information, see Windows Hello for Business. |
| Application Virtualization | You can deploy Application Virtualization (App-V) packages using the Intune Win32 app management client. For more information, see Application Virtualization. |
| Microsoft 365 data loss prevention | You should implement Microsoft 365 data loss prevention to monitor the actions taken on items you've determined to be sensitive, and to help prevent the unintentional sharing of those items. For more information, see Microsoft 365 data loss prevention. |

Features included and managed as part of Microsoft Managed Desktop:

| Product | Information |
| --- | --- |
| BitLocker Drive Encryption | BitLocker Drive Encryption is used to encrypt all system drives. For more information, see BitLocker Drive Encryption. |
| Windows Defender System Guard | Protects the integrity of the system at startup, and validates that system integrity has truly been maintained. For more information, see Windows Defender System Guard. |
| Windows Defender Credential Guard | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. For more information, see Windows Defender System Guard. |
| Microsoft Defender for Endpoint - Endpoint Detection and Response | Microsoft Managed Desktop Security Operations responds to alerts and takes action to remediate threats using Endpoint Detection and Response. For more information, see Microsoft Defender for Endpoint - Endpoint Detection and Response. |
| Microsoft Defender for Endpoint - Threat Experts | Microsoft Managed Desktop integrates with Threat Experts insights and data through targeted attack notifications. You must provide additional consent before this service is enabled. For more information, see Microsoft Defender for Endpoint - Threat Experts. |
| Microsoft Defender for Endpoint - Threat and Vulnerability Management | Required for future use in the Microsoft Managed Desktop service plan. For more information, see Microsoft Defender for Endpoint - Threat and Vulnerability Management. |
| Microsoft Defender for Endpoint - Attack Surface Reduction | Targets risky software behaviors that are often abused by attackers. For more information, see Microsoft Defender for Endpoint - Attack Surface Reduction. |
| Microsoft Defender for Endpoint - Exploit Protection | Protects against malware that uses exploits to infect devices, and spreads by automatically applying exploit mitigation techniques to operating system processes and apps. For more information, see Microsoft Defender for Endpoint - Exploit Protection. |
| Microsoft Defender for Endpoint - Network Protection | Expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP and HTTPS traffic that attempts to connect to low-reputation sources. For more information, see Microsoft Defender for Endpoint - Network Protection. |
| Microsoft Defender Tamper Protection | Windows Tamper Protection is used to prevent security settings such as antivirus protection from being changed. For more information, see Microsoft Defender Tamper Protection. |
| Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection | Always on to scan for file and process threats that may not be detected as malware. For more information, see Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection. |
| Microsoft Defender Antivirus Cloud-delivered Protection | Provides dynamic near-instant, automated protection against new and emerging threats. For more information, see Microsoft Defender Antivirus Cloud-delivered Protection. |
| Microsoft Defender for Endpoint - "Block at first sight" | Provides detection and blocking of new malware when Windows detects a suspicious or unknown file. For more information, see Microsoft Defender for Endpoint - Block at first sight. |
| Microsoft Defender Antivirus Potentially Unwanted Applications | Used to block apps that can cause your machine to run slowly, display unexpected ads, or, at worst, install other software that might be unexpected or unwanted. For more information, see Microsoft Defender Antivirus Potentially Unwanted Applications. |
| Windows Defender Firewall with Advanced Security | Host-based, two-way network traffic filtering for a device. Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. For more information, see Windows Defender Firewall with Advanced Security. |
| User Account Control | User Account Control switches to the Secure Desktop when a task or action requires administrator account-type access. Microsoft Managed Desktop users are assigned Standard user access at enrollment. For more information, see User Account Control. |

Enterprise Mobility + Security E5

| Product | Information |
| --- | --- |
| Enterprise Mobility + Security E3; Azure Active Directory Premium P2 | You can use all features of Enterprise Mobility + Security E3 to manage MDM devices. You can use Azure Active Directory Premium P2 as an optional feature with Microsoft Managed Desktop. |
| Microsoft Defender for Cloud Apps | You can use this optional feature with Microsoft Managed Desktop. |
| Azure Information Protection P2 | You can use this optional feature with Microsoft Managed Desktop. |