A week ago Microsoft announced their new service offering called Microsoft Managed Desktop, which is essentially a service where Microsoft manages your endpoints through a lifecycle management model together with OEM vendors (currently only Microsoft-based devices). So think about all the products in EMS E5, such as Intune, Azure AD, Autopilot, Windows Defender ATP and Windows 10 with Office: this is the core of what they will actually manage for you. This means that they will be managing Windows 10 updates, security patches and so on. As of now the service requires a Microsoft 365 E5 license. The reason behind this is that Microsoft uses the services that are part of E5 to handle security and such, but I'll get back to that.
Now as part of the service, you can also buy devices directly; purchases are done through Microsoft Store for Business, which is part of their lifecycle. If you have a faulty drive, for example, they will ship a replacement drive to you.
What’s included?
The picture below basically sums up what is included in the service. So it is essentially device management, security, lifecycle management and IT support.
As part of their service desk offering, when an end-user needs help, they can contact Microsoft Managed Desktop support (provided by Microsoft) through a custom chat app. As of now this support is only available in the US and UK.
- Windows 10 with Windows Defender Advanced Threat Protection (WDATP)
- Subset of the Microsoft 365 E5 suite: Outlook, Word, PowerPoint, Excel, Skype for Business client
- Microsoft Store for Business
- OneDrive for Business client
Security:
When a device is enrolled into Microsoft Managed Desktop, it receives a set of baseline policies as part of the enrollment:
- Security Baseline (Part of MDM in Intune)
- Microsoft Managed Desktop recommended security template
- Device compliance
- Update deployment
- Telemetry (Devices will be set to provide Enhanced diagnostic data to Microsoft)
Microsoft will also be storing a set of data as part of the service they offer; there are some limitations in the early preview bits.
“Data transmitted from your tenant is stored in Azure SQL databases in the Microsoft tenant hosted in the USA. Your data is stored and meets requirements for Azure security positioning.”
Microsoft will also default to having Windows Defender Application Guard running to ensure security, which also means that applications will need to be signed. They also have a separate policy which blocks a lot of the built-in functionality, such as macros, Office add-ins and the like.
Microsoft will also monitor the devices using Windows Defender Advanced Threat Protection to ensure that the endpoints are safe.
What about applications?
For applications that are being deployed through the service, Microsoft will provide support for Microsoft-authored applications (for example, Office); that is essentially all applications that are being deployed through the Intune portal. If a customer has LOB applications, the customer is still responsible for packaging those applications and testing them properly. Microsoft will then ensure that the application is properly deployed.
What will Microsoft not cover?
If there are any services or products that are not covered as part of the software suite within Microsoft 365, Microsoft will not provide any support or assistance for them. Take setting up a VPN solution, for instance: Microsoft can deploy or configure the VPN policies, but they require that you set up the VPN backend yourself and that it is supported by the Intune VPN solution. If you need to create a custom LOB application to deploy through Intune, well then you need to do it yourself.
Microsoft also does not cover mobile devices; the service covers only Windows 10 devices.
Where do partners fit in?
Well, looking at the section above, Microsoft is now entering partner territory, and entering the Client as a Service market. Of course, in this model there are still a lot of things that need to be taken care of, such as LOB applications and the surrounding ecosystem, including mobile devices, not to mention other features that are part of E5 that Microsoft is not managing, such as Cloud App Security and other services like Azure ATP.
Conclusion so far…
Now, it is an interesting move from Microsoft. Looking at the requirements Microsoft sets, in order for them to scale this service all customers need to fit the same mold and have the same level of requirements. One of the most important things, regardless of how well management is configured, is how good end-user support is. Microsoft doesn't have the best reputation for support, so it is going to be interesting to see how that is going to work in real life. Now, this model might work for some, but I'm pretty sure that most customers won't fit into this model, since all of them have different requirements, endpoints and such, and therefore won't fit into Microsoft's box.