Adjust settings after enrollment

After you've completed enrollment in Microsoft Managed Desktop, some management settings might need to be adjusted. To check and adjust if needed, follow these steps:

  1. Review the Microsoft Intune and Microsoft Entra settings described in the next section.
  2. If any of the items apply to your environment, make the adjustments as described.

Note

As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Microsoft Managed Desktop, it's possible that Microsoft Managed Desktop could stop operating properly. To avoid problems with the service, check the specific settings described in Fix issues found by the readiness assessment tool before you change the policies listed there.

Microsoft Intune settings

Autopilot deployment profile: If you use any Autopilot policies, update each one to exclude the Modern Workplace Devices -All Microsoft Entra group.

To update the Autopilot policies:

Under Assignments, in the Excluded groups, select the Modern Workplace Devices -All Microsoft Entra group that was created during Microsoft Managed Desktop enrollment.

Microsoft Managed Desktop will also have created an Autopilot profile, which will have "Modern Workplace" in the name (the Modern Workplace Autopilot Profile). When you update your own Autopilot profiles, ensure that you don't exclude the Modern Workplace Devices -All Microsoft Entra group from the Modern Workplace Autopilot Profile that was created by Microsoft Managed Desktop.
Conditional Access policies: If you create any new conditional access policies related to Microsoft Entra ID, Microsoft Intune, or Microsoft Defender XDR for Endpoint after Microsoft Managed Desktop enrollment, exclude the Modern Workplace Service Accounts Microsoft Entra group from them. For more information, see Conditional Access: Users and groups. Microsoft Managed Desktop maintains separate conditional access policies to restrict access to these accounts.

To review the Microsoft Managed Desktop conditional access policy (Modern Workplace – Secure Workstation):

Go to the Microsoft Intune admin center and navigate to Conditional Access in Endpoint Security. Don't modify any Microsoft Entra Conditional Access policies created by Microsoft Managed Desktop that have "Modern Workplace" in the name.
Multi-factor authentication: If you create any new multi-factor authentication requirements in conditional access policies related to Microsoft Entra ID, Intune, or Microsoft Defender XDR for Endpoint after Microsoft Managed Desktop enrollment, exclude the Modern Workplace Service Accounts Microsoft Entra group from them. For more information, see Conditional Access: Users and groups. Microsoft Managed Desktop maintains separate conditional access policies to restrict access to members of this group.

To review the Microsoft Managed Desktop conditional access policy (Modern Workplace -):

Go to the Microsoft Intune admin center and navigate to Conditional Access in Endpoint Security.
Windows 10 update ring: For any Windows 10 update ring policies you've created, exclude the Modern Workplace Devices -All Microsoft Entra group from each policy. For more information, see Create and assign update rings.

Microsoft Managed Desktop will also have created some update ring policies, all of which will have "Modern Workplace" in the name. For example:
  • Modern Workplace Update Policy [Broad]
  • Modern Workplace Update Policy [Fast]
  • Modern Workplace Update Policy [First]
  • Modern Workplace Update Policy [Test]

When you update your own policies, ensure that you don't exclude the Modern Workplace Devices -All Microsoft Entra group from those that Microsoft Managed Desktop created.

Microsoft Entra settings

Self-service password reset: if you use self-service password reset for all users, adjust the assignment to exclude Microsoft Managed Desktop service accounts.

To adjust this assignment:

  1. Create a Microsoft Entra dynamic group for all users except Microsoft Managed Desktop service accounts.
  2. Use that group for assignment instead of "all users."

To help you find and exclude the service accounts, here's an example of a dynamic query you can use:

(user.objectID -ne null) and (user.userPrincipalName -ne "MSADMIN@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MSADMININT@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MWAAS_SOC_RO@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MWAAS_WDGSOC@TENANT.onmicrosoft.com") and (user.userPrincipalName -ne "MSTEST@TENANT.onmicrosoft.com")

In this query, replace @TENANT with your tenant domain name.
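To create the dynamic group from this query and confirm that the service accounts are actually left out, here is an added example using the Microsoft Graph PowerShell SDK (it is not code from the original page; the group display name, the mail nickname and the TENANT placeholder are assumptions):

```powershell
# Added example, not from the original page: create the "all users except Microsoft Managed
# Desktop service accounts" dynamic group from the rule above, then check that no member of
# the Modern Workplace Service Accounts group was picked up. Requires the Microsoft Graph
# PowerShell SDK; the group display name, mail nickname and TENANT placeholder are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$tenant = "TENANT"   # placeholder: replace with your tenant's domain name prefix
$serviceAccountUpns = @("MSADMIN", "MSADMININT", "MWAAS_SOC_RO", "MWAAS_WDGSOC", "MSTEST") |
    ForEach-Object { "$_@$tenant.onmicrosoft.com" }

# Build the membership rule in the same shape as the query on this page: one
# "userPrincipalName -ne" clause per service account.
$rule = "(user.objectID -ne null)"
foreach ($upn in $serviceAccountUpns) {
    $rule += " and (user.userPrincipalName -ne `"$upn`")"
}

$group = New-MgGroup -DisplayName "SSPR users - all except MMD service accounts" `
    -MailNickname "ssprUsersExceptMmd" -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") -MembershipRule $rule -MembershipRuleProcessingState "On"
Write-Host "Created group $($group.Id) with rule: $rule"

# Dynamic membership is evaluated asynchronously; rerun this check once the group is populated.
function Test-NoServiceAccountsInGroup {
    param([string]$GroupId)
    # Use the group Microsoft Managed Desktop created as the source of truth for service
    # accounts, so an account missing from the hard-coded UPN list is still caught.
    $mmdGroup = Get-MgGroup -Filter "displayName eq 'Modern Workplace Service Accounts'"
    $mmdUpns = @(Get-MgGroupMember -GroupId $mmdGroup.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
    $members = @(Get-MgGroupMember -GroupId $GroupId -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
    if ($members.Count -eq 0) {
        Write-Warning "No members yet; membership rule processing may still be running."
        return $false
    }
    $leaked = @($members | Where-Object { $mmdUpns -contains $_ })
    if ($leaked.Count -gt 0) {
        Write-Warning "Service accounts still included; add them to the rule: $($leaked -join ', ')"
        return $false
    }
    Write-Host "OK: $($members.Count) members, none of the $($mmdUpns.Count) service accounts."
    return $true
}

Test-NoServiceAccountsInGroup -GroupId $group.Id
```

Assign this group to self-service password reset in place of "all users" only after the check returns true, since the rule is processed in the background and the group starts out empty.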