Get started with app control

Before you enable app control in your environment, be sure to review and understand how Microsoft Managed Desktop implements it and your roles and responsibilities.

Microsoft Managed Desktop simplifies app control by taking care of the more challenging aspects of getting a secure base policy. Your IT Administrators must still test your apps in the Test ring and review the logs for any warnings or errors. If an app needs an exemption, you can file a request, or Microsoft Managed Desktop Operation might, depending on who detects it first.

Initial deployment of apps

When you first deploy apps, Microsoft Managed Desktop needs to assess their current behavior. The exact steps for enabling app control depend on whether devices have already been deployed in your environment.

Devices not yet in use

If you don't yet have any devices in use, open a service ticket with Microsoft Managed Desktop Operations requesting that we turn on app control. Operations will progressively deploy policies to deployment groups following this schedule:

Deployment group Policy type Timing
Test Audit Day 0
First Enforced Day 1
Fast Enforced Day 2
Broad Enforced Day 3

You can always open another service request to pause or roll back part of this deployment at any time during the rollout.

Devices already in use

If already have at least one Microsoft Managed Desktop device in use, follow these steps:

  1. Open a service ticket with Microsoft Managed Desktop Operations requesting that we turn on app control. Operations will deploy an Audit policy to all devices.
  2. Test your applications to see if any would be blocked. If an application would be blocked, open a signer request.
  3. Once you have completed your testing (whatever the results), notify Operations, noting any pending signer requests. Operations will progressively deploy policies to deployment groups following this schedule:
Deployment group Policy type Timing
Test Audit Day 0
First Enforced Day 1
Fast Enforced Paused, rollout on request
Broad Enforced Paused, rollout on request

You can always open another service request to pause or roll back part of this deployment at any time during the rollout.

Steps to get started with Microsoft Managed Desktop

  1. Access admin portal.
  2. Add and verify admin contacts in the Admin portal.
  3. Adjust settings after enrollment.
  4. Deploy and assign Intune Company Portal.
  5. Assign licenses.
  6. Deploy apps.
  7. Set up devices.
  8. Set up first-run experience with Autopilot and the Enrollment Status Page.
  9. Enable user support features.
  10. Get your users ready to use devices.
  11. Get started with app control (this article).