What is Microsoft Managed Desktop (MMD)?
Microsoft Managed Desktop (MMD) was a cloud-based device management service from Microsoft that helped organizations simplify device provisioning, configuration, maintenance and management, and streamline ITSM, operations, compliance, security monitoring and response.
MMD required purchasing the Microsoft 365 E3 license and assigning Microsoft Defender for Endpoint (or equivalents) to all MMD users.
On July 31, 2024, Microsoft halted service of MMD, meaning it no longer provides security updates, quality updates or technical support for MMD. Microsoft's engineers also no longer address service requests from MMD customers.
Device services under MMD
As a device management offering, MMD included a host of device-related services. Microsoft delivered these services using the cloud to organizations that purchased an MMD subscription.
The services offered covered five key areas:
- Device setup.
- Inventory.
- Firmware and driver updates.
- Accessories.
- Support.
Under device setup, Microsoft preconfigured devices with the then-current version of Windows (Windows 10 or 11). Organizations would also receive apps and configurations for those devices using the cloud. For device provisioning (naming, configuration), Microsoft used Windows Autopilot to limit downtime and deliver a seamless user experience. Microsoft also used Microsoft Endpoint Manager and Microsoft Entra ID for device configuration and management.
To facilitate device inventory management using MMD, Microsoft tracked all devices. All managed devices were monitored continuously for security issues. Microsoft also updated the device status in the admin center of Microsoft Intune -- the company's command center for managing and securing endpoints and reducing the complexity of IT and security operations.

All MMD devices received the latest firmware and driver updates from Windows Update by default to keep the devices running smoothly and securely. Microsoft also proactively managed the most secure and stable versions of Windows 10/11 and Microsoft 365 Apps for enterprise and created a security baseline to keep users and devices secure in accordance with its own security best practices.
Under MMD, any accessories accompanying MMD-covered devices were covered by the same services as the device itself. However, the warranty terms for the device and its accessories could differ, so Microsoft advised users to check the warranty terms when selecting one or more devices for MMD.
Support was the fifth key MMD pillar. Microsoft's support agents addressed customers' questions about device functionality and helped diagnose device issues. Dedicated service engineers provided service management and operational support; a team of security specialists provided device security monitoring and remediation services.
MMD brought together Microsoft 365 Enterprise (including Windows 10/11 Enterprise and Office apps). On purchasing an MMD subscription, users would continue to get the latest versions of Windows 10, Windows 11 and Microsoft 365 Apps for enterprise. The service integrated with the Microsoft App Assurance program to help Microsoft's experts diagnose and remediate application compatibility issues for devices.
Certain services were not included in MMD:
- Personalizing and customizing devices and any accessories provided with the MMD service.
- Recovery of data stored on the device's internal storage system.
- Powering on and setting up devices.
Note: Support for Windows 10 will end in October 2025, so Windows 10 users are advised to transition to Windows 11 as soon as possible.
Benefits of MMD
Organizations that purchased the MMD subscription found a key benefit in technical and operational support from Microsoft experts. Microsoft's Service Engineering (operations) team responded to support requests related to incidents, requests for information (RFI) and change requests.
Organizations also received support from Microsoft's Security Operations Center (SOC) team. The team's main objective was to protect MMD devices and data, so an MMD subscription included device security monitoring and incident response.
The SOC team used numerous tools and technologies related to device security and Identity and Access Management (IAM), including the Microsoft Security Baseline, Microsoft Entra managed identities, biometric authentication and predefined device profiles. To further secure MMD devices, SOC security engineers installed Microsoft Defender Antivirus and used a volume encryption solution (Windows BitLocker). Additionally, they used Microsoft Defender for Endpoint for security threat monitoring and secured devices with the latest security updates.
MMD also provided visibility into device and app performance. The SOC team monitored security threats and used data from the latest threats to respond to security alerts and manage security incidents. Through proactive monitoring, MMD remediated common security issues, including issues related to stop errors, Microsoft Defender Firewall and BitLocker. The service also monitored devices, provided insights about device health and provided early warnings about security issues. In this way, MMD provided nonstop protection for MMD devices.
MMD ensured that devices were automatically in sync with the latest Windows quality updates. Admins and users could focus on other, more important tasks.
On purchasing a subscription for MMD, organizations could configure additional optional services, especially if they needed to protect high-value corporate assets. They could back up important information on the device to OneDrive for Business. Microsoft would ensure the secure functionality of the OneDrive client and sync all data to the OneDrive for Business back end in Microsoft 365 Apps. Companies that required high levels of information security could purchase Windows Information Protection (WIP) or Azure Information Protection. Microsoft deprecated WIP starting in July 2022. Azure Information Protection is now known as Microsoft Purview Information Protection.
Cloud-based infrastructure and deployment rings of MMD
Through the MMD service, Microsoft connected devices to a modern cloud-based infrastructure. All functionalities and services under MMD were delivered using the cloud, including the following:
- Device provisioning.
- Device configuration.
- Device management (including updates).
- Device security monitoring.
- Incident response.
- ITSM and operations.
To safely roll out operating system updates and policies, Microsoft used update groups; to manage Windows quality updates, MMD used four deployment rings. Under this four-ring system, MMD created four Microsoft Entra ID assigned groups that were then used to segment devices into update groups.
The four MMD deployment rings were as follows:
- Modern Workplace Devices -- Test. Deployment ring for testing update deployments before production rollout.
- Modern Workplace Devices -- First. Production deployment ring for early adopters.
- Modern Workplace Devices -- Fast. Deployment ring for fast production rollout and adoption.
- Modern Workplace Devices -- Broad. Deployment ring for broad, organizationwide rollout.
MMD "calculated" the rings during device registration, determining which device should be assigned to which ring based on the number of devices already managed in the MMD tenant. Each of these four rings aligned with a different update deployment policy to control and streamline the rollout of updates to the devices registered under MMD. The assignment of MMD devices to one of the four rings also ensured that the service would have the proper representation of the device diversity across the organization.
MMD monitored the devices in each ring to provide automated deployment ring remediation functions. These functions were meant to minimize the vulnerability of devices to security threats. Devices could be in a vulnerable state if they were not assigned to a deployment ring during the device registration process or if an IT admin made changes to objects created during MMD tenant enrollment.
Roles and responsibilities under MMD
The MMD service provided a range of roles and responsibilities, some of which belonged to Microsoft and others of which were assigned to the customer. The roles that belonged to Microsoft included the following:
- MMD service support. The MMD Operations team was responsible for technical remediation, change requests and incident management for the organization's MMD environment. This team was also in charge of creating and managing devices and user groups.
- Mobile Device Management (MDM) policy management. Microsoft applied appropriate and proven MDM policies and optimized the configuration of MDM devices during setup.
- Security monitoring and update monitoring. Microsoft actively monitored MMD devices to mitigate threats and ensure that the latest updates (quality and features) were installed for the devices.
- Change management. Microsoft notified MMD customers when Microsoft planned to make changes to the MMD environment, such as feature updates, new features, new applications, client hotfixes for issues, security updates or feature deprecations.
- User support. In case of device issues affecting users, IT teams could raise support requests to Microsoft; Microsoft was obligated to respond to these issues in accordance with severity definitions.
Certain roles and responsibilities were assigned to MMD customer organizations and not provided by Microsoft. For example, organizations were required to have their own change management process and take responsibility for all identity management tasks. Customers were also responsible for the following:
- Managing Microsoft 365 services and policies.
- Collaboration tools, SharePoint server administration and domain management.
- Providing user support directly or using a designated support partner.
- Security monitoring and incident response of non-MMD devices.