Device configuration

When a new Microsoft Managed Desktop device is being set up, we ensure that it has the right configuration optimized for Microsoft Managed Desktop. This includes a set of default policies that are set as part of the onboarding process. To avoid conflicts, do not alter these policies.

Devices will arrive with a signature image, and then join the Azure Active Directory domain when the first user logs in. The device will automatically install required policies and applications without any IT intervention needed.

Why MDM over Group Policy

There are a few reasons to use mobile device management (MDM) instead of Group Policy:

  • Security - MDM policies are more secure. Group Policy is designed to work best with on-premises identity, while MDM is designed to work best with cloud identity management (Azure Active Directory).
  • Reliability - MDM policies provide more reliable policy deployment. Also, MDM settings overwrite Group Policy Object (GPO) policies. Starting with Windows 10, version 1803, MDM settings are prioritized over the Group Policy values, which supports customers moving to modern management.
  • Align with Microsoft Managed Desktop vision - Provides more comprehensive monitoring of policy deployment and supports a group-based approach to gradually roll out policy changes, with the capability to pause or resume deployment when necessary.

For more information, see Mobile Device Management.

Default policies

This table highlights the default policies that are applied to all Microsoft Managed Desktop devices during device provisioning. Any detected change to objects managed by Microsoft Managed Desktop that has not been approved by the Microsoft Managed Desktop Operations Team will be reverted.

Policy: Security baseline
Description: Microsoft security baseline for MDM is configured for all Microsoft Managed Desktop devices. This baseline is the industry-standard configuration. It is publicly released, well tested, and has been reviewed by Microsoft security experts to keep Microsoft Managed Desktop devices and apps secure in the modern workplace.

To mitigate threats in the constantly evolving security threat landscape, the Microsoft security baseline will be updated and deployed to Microsoft Managed Desktop devices with each Windows 10 feature update.

For more information, see Security baseline for Windows 10.

Policy: Microsoft Managed Desktop recommended security template
Description: A set of recommended changes to the security baseline that optimize user experience. These changes are documented in the Security Addendum. Updates to the policy addendum occur on an as-needed basis.

Policy: Update deployment
Description: Use Windows Update for Business to perform gradual deployment of software updates. IT admins can’t modify settings for the deployment group policies. For more information on group-based deployment, see How updates are handled.

Policy: Diagnostic data
Description: Devices will be set to provide enhanced diagnostic data to Microsoft under a known commercial identifier. As part of Microsoft Managed Desktop, IT admins cannot change these settings. For customers in General Data Protection Regulation (GDPR) regions, end users can reduce the level of diagnostic data that is provided, but there will be a reduction in service. For example, Microsoft Managed Desktop will be unable to collect the data necessary to iterate on settings and policies to best serve performance and security needs. For more information, see Configure Windows diagnostic data in your organization.

Policy: Metered connections
Description: By default, updates over metered connections (such as LTE networks) are turned off, though each user can independently turn on this feature in Settings > Updates > Advanced options. If you want to allow all users to enable updates over metered connections, submit a change request, which will turn on this setting for all devices.

Security addendum

This section outlines the policies that will be deployed in addition to the standard Microsoft Managed Desktop policies listed in Default policies. This configuration is designed with financial services and highly regulated industries in mind, optimizing for the highest security while maintaining user productivity.

Additional security policies

These policies are added to increase security for highly regulated industries.

  • Security monitoring: Microsoft will monitor devices using Microsoft Defender Advanced Threat Protection. If a threat is detected, Microsoft will notify the customer, isolate the device, and rectify the issue remotely.
  • Disable PowerShell V2: Microsoft removed PowerShell V2 in August 2017. This feature has been disabled on all Microsoft Managed Desktop devices. For more information on this change, see Windows PowerShell 2.0 Deprecation.
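A verification script a device administrator can run from an elevated PowerShell session to confirm two of the settings described on this page: that the PowerShell 2.0 engine is disabled, and that MDM settings take precedence over Group Policy. This is an added example, not code from the Microsoft Managed Desktop documentation; it assumes that the optional-feature names MicrosoftWindowsPowerShellV2 and MicrosoftWindowsPowerShellV2Root identify the 2.0 engine and that the ControlPolicyConflict/MDMWinsOverGP policy is mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device.

```powershell
# Added verification script (not part of the Microsoft Managed Desktop docs).
# Run in an elevated PowerShell session on a Windows 10 device.
# Assumptions: the two optional-feature names below identify the PowerShell 2.0
# engine, and the Policy CSP setting ControlPolicyConflict/MDMWinsOverGP is
# mirrored at the PolicyManager registry path used in Test-MdmWinsOverGp.

function Test-PowerShellV2Disabled {
    # The 2.0 engine is only fully removed when both features are off.
    $names = 'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root'
    $results = foreach ($name in $names) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Feature = $name
            # Expected on a compliant device: Disabled or DisabledWithPayloadRemoved
            State   = if ($feature) { $feature.State } else { 'NotPresent' }
        }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    # Non-compliant if either feature is still enabled.
    return -not ($results | Where-Object { $_.State -eq 'Enabled' })
}

function Test-MdmWinsOverGp {
    # Assumed registry mirror of the MDMWinsOverGP policy (1 = MDM wins).
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $item = Get-ItemProperty -Path $key -Name MDMWinsOverGP -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.MDMWinsOverGP -eq 1)
}

# Summarise both checks; REVIEW means the device does not match the expected state.
$checks = [ordered]@{
    'PowerShell 2.0 engine disabled'    = Test-PowerShellV2Disabled
    'MDM policy wins over Group Policy' = Test-MdmWinsOverGp
}
foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'REVIEW' }
    Write-Output ('{0,-36} {1}' -f $check.Key, $status)
}
```

A REVIEW result for the MDM check is expected on devices running a Windows 10 build earlier than version 1803, where the policy is not available.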