Products and Capabilities

  • 27 minutes to read

Services and scenarios supported by FastTrack

This topic includes details on the workload scenarios supported by FastTrack and the source environment expectations necessary before we can begin. Based on your current setup, we work with you to create a remediation plan that brings your source environment up to the minimum requirements for successful onboarding.

FastTrack provides guidance to help you first with core capabilities (common for all Microsoft Online Services) and then with onboarding each eligible service:

Note

For information on source environment expectations for Office 365 US Government, see Source Environment Expectations for Office 365 US Government.

General

Service FastTrack guidance details Source environment expectations
Core onboarding We provide remote guidance on core onboarding, which involves service provisioning, tenant, and identity integration. It also includes steps for providing a foundation for onboarding services like Exchange Online, SharePoint Online, and Microsoft Teams, including a discussion on security, network connectivity, and compliance. Onboarding for one or more eligible services can begin once core onboarding is finished.

Identity Integration

We provide remote guidance for:

  • Preparing on-premises Active Directory Identities for synchronization to Azure Active Directory (Azure AD) including installing and configuring Azure AD Connect (single- or multi-forest) and licensing (including group-based licensing).
  • Creating cloud identities including bulk import and licensing including using group-based licensing.
  • Choosing and enabling the correct authentication method for your cloud journey, Password Hash Sync, Pass-through Authentication, or Active Directory Federation Services (AD FS).
  • Enabling AD FS for customers with a single Active Directory forest and identities synchronized with the Azure AD Connect tool. This requires Windows Server 2012 R2 Active Directory Federation Services 2.0 or greater.
  • Migrating authentication from AD FS to Azure AD using Password Hash Sync or Pass-through Authentication.
  • Migrating pre-integrated apps (like Azure AD gallery software-as-a-service (SaaS) apps) from AD FS to Azure AD for single sign-on (SSO).
  • Enabling SaaS app integrations with SSO from the Azure AD gallery.
  • Enabling automatic user provisioning for pre-integrated SaaS apps as listed in the App integration tutorial list (limited to Azure AD gallery SaaS apps and outbound provisioning only).
Network enablement
As part of the FastTrack benefit, we advise you as to best practices for connecting to cloud services to ensure the highest levels of performance of Microsoft 365. Active Directory forests These have the functional forest level set to Windows Server 2003 onward, with the following forest configuration:
  • A single Active Directory forest.
  • A single Active Directory account forest and resource forest (Exchange and/or Lync 2010, Lync 2013, or Skype for Business) topologies.
  • Multiple Active Directory account forests and resource forest (Exchange and/or Lync 2010, Lync 2013, or Skype for Business) topologies.
  • Multiple Active Directory account forests with one of the forests being a centralized Active Directory account forest that includes Exchange and/or Lync 2010, Lync 2013, or Skype for Business.
  • Multiple Active Directory account forests, each with its own Exchange organization.
  • Tasks required for tenant configuration and integration with Azure Active Directory, if needed. 
Important:
  • For multi-forest Active Directory scenarios, if Lync 2010, Lync 2013, or Skype for Business is deployed, it must be deployed in the same Active Directory forest as Exchange.
  • When implementing multiple Active Directory forests with multiple Exchange organizations in an Exchange multi-hybrid configuration, shared user principal name (UPN) namespaces between source forests aren't supported. Primary SMTP namespaces between Exchange organizations should also be separated. For more information, see Hybrid deployments with multiple Active Directory forests.
  • For all multiple forests configurations, Active Directory Federation Services (AD FS) deployment is out of scope. Contact a Microsoft Partner for assistance with this.
Microsoft 365 Apps We provide remote deployment guidance for:
  • Addressing deployment issues.
  • Assigning end-user and device-based licenses using the Microsoft 365 admin center and Windows PowerShell.
  • Installing Microsoft 365 Apps from the Office 365 portal using Click-to-Run.
  • Installing Office Mobile apps (like Outlook Mobile, Word Mobile, Excel Mobile, and PowerPoint Mobile) on your iOS or Android devices.
  • Configuring update settings using the Office 365 Deployment Tool.
  • Selection and setup of a local or cloud installation.
  • Creation of the Office Deployment Tool configuration XML with the Office Customization Tool or native XML to configure the deployment package.
  • Deployment using Microsoft Endpoint Configuration Manager, including assistance with the creation of Microsoft Endpoint Configuration Manager packaging. Additionally, if you have a macro or add-in that worked with prior versions of Office and you experience compatibility issues, we provide guidance to remediate the compatibility issue at no additional cost through the App Assure program. See the App Assure portion of Windows 10 for more details.
Network health We provide remote guidance with obtaining and interpreting key network connectivity data from your environment showing how aligned your organization’s sites are to Microsoft’s principles of network connectivity. This highlights your network score which directly impacts migration velocity, user experience, service performance, and reliability. We also guide you through any remediation steps highlighted by this data to help you improve your network score.

Office 365

Service FastTrack guidance details Source environment expectations
Exchange Online For Exchange Online, we guide you through the process to get your organization ready to use email. The exact steps depend on your source environment and your email migration plans. We provide remote guidance for:
  • Setting up Exchange Online Protection (EOP) features for all mail-enabled domains validated in Office 365.
  • Pointing your mail exchange (MX) records to Office 365.
  • Setting up the Office 365 ATP feature if it’s a part of your subscription service. For more information, see the Office 365 Advanced Threat Protection portion of this table.
  • Setting up the data loss prevention (DLP) feature for all mail-enabled domains validated in Office 365 as part of your subscription service. This is done once your MX records point to Office 365.
  • Setting up Office 365 Message Encryption (OME) for all mail-enabled domains validated in Office 365 as part of your subscription service. This is done once your MX records point to Office 365.
Note: The Mailbox Replication service (MRS) attempts to migrate Information Rights Managed (IRM) emails from your on-premises mailbox to the corresponding Exchange Online mailbox. Ability to read the protected content post-migration depends on the customer mapping and copying Active Directory Rights Managed Services (AD RMS) templates to the Azure Rights Management Service (Azure RMS).
  • Configuring firewall ports.
  • Setting up DNS, including the required Autodiscover, sender policy framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) and MX records (as needed).
  • Setting up email flow between your source messaging environment and Exchange Online (as needed).
  • Undertaking mail migration from your source messaging environment to Office 365.
  • Configuring mailbox clients (Outlook for Windows, Outlook on the web, and Outlook for iOS and Android).
Data migration
For information on using the FastTrack benefit for data migration to Office 365, see Data Migration. 		Your source environment must have one of the following minimum levels:
  • Single or multiple Exchange organizations with Exchange Server 2003 onward.
  • A single Internet Message Access Protocol (IMAP)-capable email environment.
  • A single G Suite environment (Gmail, Contacts, and Calendar only).
  • For information on Multi-Geo Capabilities, see Multi-Geo Capabilities in Exchange Online.
Online client software like Project for Office 365, Outlook for Windows, Outlook for iOS and Android, OneDrive for Business sync client, Power BI Desktop, and Skype for Business must be at a minimum level as defined in System requirements for Microsoft 365 Office.
Microsoft Information Governance We provide remote guidance for:
  • Information governance.
  • Retention labels and policies.
  • Records management.
  • Deletion policies.
  • Communication compliance.
  • Insider risk management.
  • Advanced eDiscovery.
Aside from the Core onboarding portion in General, there are no minimum system requirements.
Microsoft Information Protection We provide remote guidance for:
  • Data classification.
  • Sensitive information types.
  • Creating sensitivity labels.
  • Applying Sensitivity labels.
  • Unified labeling.
  • Trainable classifiers.
  • Knowing your data with content explorer and activity explorer.
  • Publishing labels using policies (manual and automatic).
  • Creating data loss prevention (DLP) policies for Microsoft Teams chats and channels.
  • Creating DLP policies for devices managed by Microsoft Endpoint Manager.
Aside from the Core onboarding portion in General, there are no minimum system requirements.
Microsoft Teams We provide remote guidance for:
  • Confirming minimum requirements in Exchange Online, SharePoint Online, Office 365 Groups, and Azure AD to support Teams.
  • Configuring firewall ports.
  • Setting up DNS.
  • Confirming Teams is enabled on your Office 365 tenant.
  • Enabling or disabling user licenses.
  • Network assessment for Teams:
    • Port and endpoint checks.
    • Connection quality checks.
    • Bandwidth estimates.
    • Configuring Teams app policy (Teams web app, Teams Desktop app, and Teams for iOS and Android app).
    If applicable, we also provide guidance for:
    • Microsoft Teams Room Devices:
      • Creation of online accounts needed for supported telephony and conference room devices listed in the Teams devices catalog.
      • Remote assistance with service-side configuration of certified Microsoft Teams Rooms devices.
      • Enabling Audio Conferencing:
      • Organization setup for conference bridge default settings.
      • Assignment of conference bridge to licensed users.
    • Phone System:
      • Organization setup for Cloud Voice default settings.
      • Calling Plans guidance (available markets):
        • Assignment of numbers to licensed users.
        • Local number porting guidance through user interface (UI) up to 999.
        • Local number porting service request (SR) support over 999.
      • Direct Routing guidance:
        • Organization setup guidance for Direct Routing design of partner-hosted scenarios, or customer-deployed scenarios for up to 10 sites.
        • Session Border Controller (SBC) configuration review.
        • Remote assistance with dial plan configuration.
        • Voice route configuration.
        • Media bypass and local media optimization.
    • Enabling Teams live events.
    • Organization setup and integration into Microsoft Stream.
    • Guidance for Skype for Business to Teams transition.
  • Identities enabled in Azure AD for Office 365.
  • Users enabled for SharePoint Online.
  • Exchange mailboxes are present (online and on-premises in an Exchange hybrid configuration).
  • Enabled for Office 365 Groups.
Note: If users aren't assigned and enabled with SharePoint Online licenses, they won't have OneDrive for Business storage in Office 365. File sharing continues to work in Channels, but users can't share files in Chats without OneDrive for Business storage in Office 365. Teams doesn't support SharePoint on-premises.
Note: The ideal state is for all users to have their mailboxes homed on Exchange Online. Users with mailboxes homed on-premises must have their identities synchronized to the Office 365 directory through Azure AD Connect. For these Exchange hybrid customers, if the user's mailbox is on-premises, the user cannot add or configure Connectors. The installers for the Microsoft Teams Windows and Mac desktop clients can be downloaded from https://go.microsoft.com/fwlink/?linkid=839411.
Office 365 Advanced Threat Protection (ATP) We provide remote guidance for:
  • Enabling Safe Links, Safe Attachments, and anti-phishing.
  • Configuring automation, investigation, and response.
  • Using Attack Simulator.
  • Reporting and threat analytics.
Aside from the Core onboarding portion in General, there are no minimum system requirements.
Outlook for iOS and Android We provide remote guidance for:
  • Identities enabled in Azure AD for Office 365.
  • Exchange Online configured and licenses assigned.
Power BI We provide remote guidance for:
  • Assigning Power BI licenses.
  • Deploying the Power BI Desktop app.
Online client software like Power BI Desktop must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
Project Online We provide remote guidance for:
  • Verifying basic SharePoint functionality that Project Online relies on.
  • Adding the Project Online service to your tenant (including adding subscriptions to users).
  • Setting up the Enterprise Resource Pool (ERP).
  • Creating your first project.
Online client software like Project for Office 365 must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
Project Online Professional and Premium We provide remote guidance for:
  • Addressing deployment issues.
  • Assigning end-user licenses using the Microsoft 365 admin center and Windows PowerShell.
  • Installing Project Online Desktop Client from the Office 365 portal using Click-to-Run.
  • Configuring update settings using the Office 365 Deployment Tool.
  • Setting up a single on-site distribution server for Project Online Desktop Client, including assistance with the creation of a configuration.xml file for use with the Office 365 Deployment Tool.
  • Connecting Project Online Desktop Client to Project Online Professional or Project Online Premium.
Online client software like Project for Office 365 must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.
SharePoint Online and OneDrive for Business We provide remote guidance for:
  • Setting up DNS.
  • Configuring firewall ports.
  • Provisioning users and licenses.
  • Enabling site creation for your SharePoint Online admin.
  • Planning site collections.
  • Securing content and managing permissions.
  • Configuring SharePoint Online features.
  • Configuring SharePoint hybrid features, like hybrid search, hybrid sites, hybrid taxonomy, content types, hybrid self-service site creation (SharePoint Server 2013 only), extended app launcher, hybrid OneDrive for Business, and extranet sites.
  • Your migration approach.
Additional guidance is provided for OneDrive for Business depending on your SharePoint version, like:
  • Identifying integration options and reviewing on-premises and online network infrastructure and bandwidth.
  • Installing SharePoint Online 2013 SP1 (if applicable), planning and implementing sync and identity requirements, and identifying your OneDrive for Business sync client.
  • Planning and implementing a single rollout for all users (or a phased rollout).
  • Assigning licenses, redirecting My Sites and personal document libraries to Office 365 (applicable to SharePoint Online 2013), setting up audiences to control access to OneDrive (applicable to SharePoint Online 2013).
  • Redirecting or moving known folders to OneDrive.
  • Deploying the OneDrive for Business client sync.
Data migration
For information on using the FastTrack benefit for data migration to Office 365, see Data Migration.
For SharePoint hybrid:
  • SharePoint hybrid configuration includes configuring hybrid search, sites, taxonomy, content types, OneDrive for Business, an extended app launcher, extranet sites, and self-service site creation connected from on-premises to a single target SharePoint Online environment.
Note: Self-service site creation is not in scope with on-premises servers running SharePoint 2013.
  • To enable SharePoint hybrid, you must have one of the following on-premises SharePoint Server environments: 2013, 2016, or 2019.
Note: Upgrade of on-premises SharePoint environments to SharePoint Server is not in scope. Contact a Microsoft Partner for assistance. For more information, see Minimum public update levels for SharePoint hybrid features.
Note: For information on Multi-Geo Capabilities, see Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365.
Yammer Enterprise
    We provide remote guidance for enabling the Yammer Enterprise service.
Online client software must be at a minimum level as defined in the System requirements for Microsoft 365 and Office.

Enterprise Mobility & Security

Azure Active Directory (Azure AD) and Azure AD Premium We provide remote guidance for securing your cloud identities for the following scenarios.

Secure foundation infrastructure

  • Configuring and enabling strong authentication for your identities, including protecting with Azure Multi-Factor Authentication (MFA) (cloud only), the Microsoft Authenticator app, and combined registration for Azure MFA and self-service password reset (SSPR).
  • For non-Azure AD Premium customers, guidance is provided to secure your identities using security defaults.
  • For Azure AD premium customers, guidance is provided to secure your identities with Conditional Access.
  • Detecting and blocking the use of weak passwords with Azure AD Password Protection.
  • Securing remote access to on-premises web apps with Azure AD Application Proxy.
  • Enabling risk-based detection and remediation with Azure Identity Protection.
  • Enabling a customized sign-in screen, including logo, text, and images with custom branding.
  • Securely sharing apps and services with guest users using Azure AD B2B.
  • Managing access for your Office 365 admins using role-based access control (RBAC) built-in administrative roles and to reduce the number of privileged admin accounts.
  • Configuring hybrid Azure AD join.
  • Configuring Azure AD join.
Monitor and reporting
  • Enabling remote monitoring for AD FS, Azure AD Connect, and domain controllers with Azure AD Connect Health.
Governance
  • Managing your Azure AD identity and access lifecycle at scale with Azure AD entitlement management.
  • Managing Azure AD group memberships, enterprise app access, and role assignments with Azure AD access reviews.
  • Reviewing Azure AD Terms of Use.
  • Managing and controlling access to privileged admin accounts with Azure AD Privileged Identity Management.
Automation and efficiencies
  • Enabling Azure AD SSPR.
  • Allowing users to create and manage their own cloud security or Office 365 groups with Azure AD self-service group management.
  • Managing delegated access to enterprise apps with Azure AD delegated group management.
  • Enabling Azure AD dynamic groups.
  • Organizing apps in the My Apps portal using collections.
The on-premises Active Directory and its environment have been prepared for Azure AD Premium, including remediation of identified issues that prevent integration with Azure AD and Azure AD Premium features.
Azure Information Protection (P2 or EMS E5) We provide guidance on how to:
  • Activate and configure your tenant.
  • Create and set up labels and policies.
  • Apply information protection to documents.
  • Automatically classify and label information in Office apps (like Word, PowerPoint, Excel, and Outlook) running on Windows and using the Azure Information Protection client.
  • Use files at rest using the Azure Information Protection scanner.
  • Monitor emails in transit using Exchange Online mail flow rules.
We also provide guidance if you want to apply protection using Microsoft Azure Rights Management Services (Azure RMS), Office 365 Message Encryption (OME), and data loss prevention (DLP). 		You should already:
  • Use Azure AD.
  • Use either Windows or iOS (other operating systems are out of scope).
Note: Computers and mobile devices must run on an operating system that supports Azure Information Protection.
  • Have your main file share locations.
    • Note: Hybrid support requires the AD RMS connector.
  • Have an approved classification taxonomy.
  • Understand any regulatory restrictions for your protected key management.
    • Azure Information Protection scanner You should already:
    • Use Windows Server 2012 R2 or Windows Server 2016.
    • Have an internet connection.
    • Have Microsoft SQL Server 2012 onward in a local or remote instance.
    • Have a service account created for your on-premises Active Directory and synchronized with Azure AD.
    • Have downloaded AzInfoProtection.exe.
    • Have labels configured for Automatic Classification/Protection.
    Microsoft Intune We provide guidance on getting ready to use Intune as the cloud-based mobile device management (MDM) and mobile app management (MAM) provider for your apps and devices. The exact steps depend on your source environment and are based on your mobile device and mobile app management needs. The steps can include:
    • Licensing your end users.
    • Configuring identities to be used by Intune by leveraging either your on-premises Active Directory or cloud identities (Azure AD).
    • Adding users to your Intune subscription, defining IT admin roles, and creating user and device groups.
    • Configuring your MDM authority, based on your management needs, including:
      • Setting Intune as your MDM authority when Intune is your only MDM solution.
    • Providing MDM guidance for:
      • Configuring tests groups to be used to validate MDM management policies.
      • Configuring MDM management policies and services like:
        • App deployment for each supported platform through web links or deep links.
        • Conditional Access policies.
        • Deployment of email, wireless networks, and VPN)profiles if you have an existing certificate authority, wireless network, or VPN infrastructure in your organization.
        • Connecting to the Intune Data Warehouse.
        • Integrating Intune with:
          • Team Viewer for remote assistance (a Team Viewer subscription is required).
          • Mobile Threat Defense (MTD) partner solutions (an MTD subscription is required).
          • A telecom expense management solution (a telecom expense management solution subscription is required).
          • Microsoft Defender ATP (Windows E5 or Microsoft 365 E5 licenses are required).
        • Enrolling devices of each supported platform to Intune.
    • Providing app protection guidance on:
      • Configuring app protection policies for each supported platform.
      • Configuring Conditional Access policies for managed apps.
      • Targeting the appropriate user groups with the previously mentioned MAM policies.
      • Using managed-apps usage reports.
    • Providing migration guidance from legacy PC management to Intune MDM.
    Note: Legacy PC management is no longer supported from October 15, 2020 onward. Cloud-attach

    We guide you through getting ready to cloud-attach existing Configuration Manager environments with Intune. The exact steps depend on your source environment. These steps can include:

    • Licensing your end users.
    • Configuring identities to be used by Intune by leveraging your on-premises Active Directory and cloud identities.
    • Adding users to your Intune subscription, defining IT admin roles, and creating user and device groups.
    • Providing guidance setting up hybrid Azure AD join.
    • Providing guidance on setting up Azure AD for MDM auto-enrollment.
    • Providing guidance on how to set up cloud management gateway.
    • Configuring supported workloads that you want to switch to Intune.
    • Installing the Configuration Manager client on Intune-enrolled devices.

    Deploy Outlook mobile for iOS and Android securely
    We can provide guidance to help you deploy Outlook mobile for iOS and Android securely in your organization to ensure your users have all the required apps installed.
    The steps to securely deploy Outlook mobile for iOS and Android with Intune depends on your source environment. It can include:

    • Downloading the Outlook for iOS and Android, Microsoft Authenticator, and Intune Company Portal apps through the Apple App Store or Google Play Store.
    • Providing guidance on setting up:
      • The Outlook for iOS and Android, Microsoft Authenticator, and Intune Company Portal apps deployment with Intune.
      • App protection policies.
      • Conditional Access policies.
      • App configuration policies.
    Note: FastTrack doesn’t support securing Outlook for iOS and Android with Exchange mobile device mailbox policies. Contact a Microsoft Partner for assistance with this.     		IT admins need to have existing Certificate Authority, wireless network, and VPN infrastructures already working in their production environments when planning on deploying wireless network and VPN profiles with Intune. Note: The FastTrack service benefit doesn't include assistance for setting up or configuring Certificate Authorities, wireless networks, VPN infrastructures, or Apple MDM push certificates for Intune. Note: The FastTrack service benefit doesn't include assistance for setting up or upgrading either the Configuration Manager site server or Configuration Manager client to the minimum requirements needed to support cloud-attach. Contact a Microsoft Partner for assistance with this.

    Intune integrated with Microsoft Defender Advanced Threat Protection (ATP)

    Note: We provide assistance on integrating Intune with Microsoft Defender ATP and creating device compliance policies based on its Windows 10 risk level assessment. We don't provide assistance on purchasing, licensing, or activation. Contact a Microsoft Partner for assistance with this.

    Windows Autopilot

    IT admins are responsible for registering their devices to their organization by either having the hardware vendor upload their hardware IDs on their behalf or by uploading it themselves into the Windows Autopilot service.

    Deploy Outlook for iOS and Android securely with Intune

    • User identities enabled in Azure AD for Office 365.
    • Exchange Online or hybrid Exchange configured with user licenses assigned.

    Windows 10

    Service FastTrack guidance details Source environment expectations
    Windows 10 We provide guidance for upgrading from Windows 7 Professional and Windows 8.1 Professional to Windows 10 Enterprise. We provide remote guidance for:
    • Understanding your Windows 10 intention.
    • Assessing your source environment and the requirements (ensure that Microsoft Endpoint Configuration Manager is upgraded to the required level to support the Windows 10 deployment).
    • Deploying Windows 10 Enterprise and Microsoft 365 Apps using Microsoft Endpoint Configuration Manager or Microsoft 365.
    • Recommending options for you to assess your Windows 10 apps.
    • Enabling use of Desktop Analytics and guidance through creation of a Desktop Analytics deployment plan.
    • Microsoft 365 Apps compatibility assessment by leveraging the Office 365 readiness dashboard in Configuration Manager or with the stand-alone Readiness Toolkit for Office plus assistance deploying Microsoft 365 Apps.
    • Creating a remediation checklist on what you need to do to bring your source environment up to the minimum requirements for a successful deployment.
    • Providing upgrade guidance for your existing devices to Windows 10 Enterprise if they meet the needed device hardware requirements.
    • Providing upgrade guidance to support your existing deployment motion. FastTrack recommends and provides guidance for an in-place upgrade to Windows 10. Guidance is also available for Windows clean image installation and Windows Autopilot deployment scenarios.
    • Deploying Microsoft 365 Apps using Configuration Manager as part of the Windows 10 deployment.
    • Providing guidance to help your organization stay up to date with Windows 10 Enterprise and Microsoft 365 Apps using your existing Configuration Manager environment or Microsoft 365.
    The following is out of scope
    • Upgrading Configuration Manager to Current Branch.
    • Creating custom images for Windows 10 deployment.
    • Creating and supporting deployment scripts for Windows 10 deployment.
    • Converting a Windows 10 system from BIOS to Unified Extensible Firmware Interface (UEFI).
    • Enabling Windows 10 security features.
    • Configuring Windows Deployment Services (WDS) for Preboot Execution Environment (PXE) booting.
    • Using the Microsoft Deployment Toolkit (MDT) to capture and deploy Windows 10 images.
    • Using the User State Migration Tool (USMT).
    Contact a Microsoft Partner for assistance with these services.     		For PC upgrade, you must meet these requirements:
    • Source OS: Windows 7 Enterprise or Professional, Windows 8.1 Enterprise or Professional.
    • Devices: Desktop, notebook, or tablet form factor.
    • Target OS: Window 10 Enterprise.
    For infrastructure upgrade, you must meet these requirements:
    • Microsoft Endpoint Configuration Manager.
    • The Configuration Manager version must be supported by the Windows 10 target version. For more information, see the Configuration Manager support table at Support for Windows 10 in Configuration Manager.
    Microsoft Defender Advanced Threat Protection (ATP) Microsoft Defender Advanced Threat Protection (ATP) is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. We provide remote guidance for:
    • Deploying the technologies to secure your endpoints.
    • Configuring endpoint protection and device restriction profiles.
    • Assessing the OS version and device management (including Intune, Microsoft Endpoint Configuration Manager, Group Policy Objects (GPOs), and third-party configurations) as well as the status of your Windows Defender AV services or other endpoint security software.
    • Assessing the status of your Windows AV services or other endpoint security software.
    • Assessing proxies and firewalls restricting network traffic.
    • Enabling the Microsoft Defender ATP service by explaining how to deploy an ATP agent profile using an onboard endpoint.
    • Deployment guidance, configuration assistance, and education on:
      • Threat and vulnerability management.
      • Attack surface reduction.
      • Next-generation protection.
      • Endpoint detection and response.
      • Automated investigation and remediation.
      • Secure score.
    • Reviewing simulations and tutorials (like practice scenarios, fake malware, and automated investigations).
    • Overview of reporting and threat analytics features.
    • Integrating Office 365 ATP with Microsoft Defender ATP.
    • Conduct walkthroughs of the Microsoft Defender Security Center portal.
    • The following operating systems:
      • Windows 10.
      • Windows Server 2016.
      • Windows Server 2019.
      • Windows Server 2019 Core Edition.
      • Windows Server Semi-Annual Channel (SAC) version 1803.
      • macOS versions 10.13, 10.14, and 10.15.
    Note: All Windows Server versions must be managed by the latest version of System Center Configuration Manager 2012 (versions 1012 R2, 1511, or 1602) or Microsoft Endpoint Configuration Manager (version 2002 or greater).

    The following is out of scope

    • Project management of the customer's remediation activities.
    • On-site support.
    • Ongoing management and threat response.
    • Onboarding or configuration for the following Microsoft Defender ATP agents:
      • Windows Server 2008.
      • Windows Server 2012.
      • Linux.
      • Mobile devices (Android and iOS).
    • Server onboarding and configuration:
      • Configuring a proxy server for offline communications.
      • Configuring Configuration Manager deployment packages on down-level Configuration Manager instances and versions.
      • Onboarding servers to Azure Security Center.
      • Servers not managed by Configuration Manager.
    • macOS onboarding and configuration:
      • Manual Intune-based deployment.
      • JAMF-based deployment.
      • Other mobile device management (MDM) product-based deployment.
      • Manual deployment.
    • Configuration of the following attack surface reduction capabilities:
      • Hardware-based isolation.
      • App control.
      • Exploit protection.
      • Network firewall.
    • Enrollment or configuration of Microsoft Threat Experts.
    • Configuration or training reviewing API or security information and event management (SIEM) connections.
    • Enrollment or configuration of Microsoft Threat Protection (MTP).
    • Training or guidance covering advanced hunting.
    • Training or guidance covering the use of or creation of Kusto queries.
    Contact a Microsoft Partner for assistance with these services.

    Windows Virtual Desktop

    Service FastTrack guidance details Source environment expectations
    Windows Virtual Desktop

    We provide deployment guidance for onboarding to Windows Virtual Desktop (a desktop and app virtualization service). Windows Virtual Desktop takes advantage of Windows 10 multi-session experience and is optimized for Microsoft 365 Apps for Enterprise with integrated security and management for Microsoft 365.

    We provide remote guidance for:

    • Deploying your Windows Virtual Desktop environment with Windows 10 Enterprise multi-session and Microsoft 365 Apps for Enterprise using the following:
      • Azure Marketplace Image.
      • Shared image.
      • Office Deployment Toolkit (ODT).
    • Configuring FSLogix:
      • Deploying FSLogix Agent with Profile Container.
      • Deploying FSLogix Agent with Office Container.
      • Configuring FSLogix folder with content exclusions.
    • Deploying Microsoft Edge.
    • Deploying Microsoft Teams.
    • Connecting using Windows Virtual Desktop clients.

    The following is out of scope

    • Project management of the customer's Windows Virtual Desktop deployment.
    • On-site support.
    • Third-party app virtualization and deployment.
    • Custom images.
    • Migrations and scenarios involving VMware and Citrix.
    • Linux scenarios.
    • Conversion or migrations of user profiles.
    Contact a Microsoft Partner for assistance with these services.    		 You should already have the following:
    • Azure AD general setup:
      • Identity strategy (you can use only one of the following three options):
        • Active Directory with Azure AD Connect in Azure.
        • Active Directory with Azure AD Connect on-premises over VPN or ExpressRoute.
        • Active Directory Domain Services (AD DS).

    App Assure

    Service FastTrack guidance details Supported products
    App Assure App Assure is a service designed to address issues with Windows 10 and Microsoft 365 Apps app compatibility. When you request the App Assure service, we work with you to address valid app issues at no additional cost to you with an eligible subscription. We also provide guidance to customers who face compatibility issues when deploying Windows Virtual Desktop and the new Microsoft Edge and make every reasonable effort to resolve compatibility issues. We provide remediation assistance for apps deployed on the following Microsoft products:

    The following is out of scope

    • App inventory and testing to determine what does and doesn't work on Windows 10 and Microsoft 365 Apps. For more guidance on this process, visit the Desktop Deployment Center. If you're interested in an in-depth upgrade readiness assessment, complete the Customer Request for Modern Desktop Assessment form.
    • Researching third-party ISV apps for Windows 10 compatibility and support statements. For more information, see Desktop Analytics.
    • App packaging-only services. However, the App Assure team packages apps that we have remediated for Windows 10 to ensure they can be deployed in the customer's environment.

    Customer responsibilities include

    • Creating an app inventory.
    • Validating those apps on Windows 10 and Microsoft 365 Apps.
    Note: Microsoft can't make changes to your source code. However, the App Assure team can provide guidance to app developers if the source code is available for your apps.

    Contact a Microsoft Partner for assistance with these services.

    		Windows 10 and Microsoft 365 Apps
    • Apps that worked on Windows 7, Windows 8.1, Office 2010, and Office 2013 also work on Windows 10 and Microsoft 365 Apps.
    Windows 10 on ARM
    • Apps that worked on Windows 7, Office 2010, or later versions work on Windows 10 and Microsoft 365 Apps on ARM64 devices.
    Note: Windows 10 on ARM exclusions and limitations include:
    • Apps that rely on software drivers that aren’t compatible in ARM.
    • Apps that use OpenGL or OpenCL.
    • Apps only available in 64-bit (x64).
    The new Microsoft Edge
    • If your web apps or sites work on Internet Explorer 11, supported versions of Google Chrome, or any version of Microsoft Edge, they'll also work with the new Microsoft Edge.
    • As the web is constantly evolving, be sure to review this published list of known site compatibility-impacting changes for Microsoft Edge.
    Windows Virtual Desktop
    • Virtualized apps that run on Windows Server Remote Desktop Session Host (RDSH) also run on Windows 10 Enterprise multi-session as part of Windows Virtual Desktop.
    • Apps running on any Windows 7 or Windows 10 virtual desktop infrastructure (VDI) environment also run on Windows 7 Enterprise and Windows 10 Enterprise as part of Windows Virtual Desktop.
    • Apps running on Windows 7 or Windows 10 client devices also run on Windows 7 Enterprise and Windows 10 Enterprise as part of Windows Virtual Desktop.
    Note: Windows 10 Enterprise multi-session compatibility exclusions and limitations include:
    • Limited redirection of hardware.
    • A/V-intensive apps may perform in a diminished capacity.
    • 16-bit apps aren't supported for 64-bit Windows Virtual Desktop.

    The new Microsoft Edge

    Service FastTrack guidance details Source environment expectations
    Microsoft Edge (for Windows 10 Enterprise customers)
    • We provide remote deployment guidance and compatibility assistance for: Deploying the new Microsoft Edge on Windows 10 Enterprise with Microsoft Endpoint Manager (Microsoft Endpoint Configuration Manager or Intune).
    • Microsoft Edge configuration (using group policies or Intune app configuration and app policies).
    • Inventory the list of sites that may require use in Internet Explorer mode.
    • Enabling Internet Explorer mode with the existing Enterprise Site List. Additionally, if you have a web app or site that works with Internet Explorer or Google Chrome and you experience compatibility issues, we provide guidance to resolve the issue at no additional cost. See App Assure for more details.

    The following is out of scope

    • Project management of the customer's Microsoft Edge deployment.
    • On-site support.