Operations

End-to-end MSP workflow

From the moment an order arrives to the day a customer offboards — the 12-stage SOP behind every Managed Virtual Computer we run.

Stage 1

Order intake & qualification

A customer submits an Order Virtual Computer request or SOW. Sales and the Project Coordinator validate the order and stand up the project in our PSA.

  • Validate order data: org, contacts, user count, go-live, apps, data location, compliance flags (HIPAA/PCI/FERPA), peripherals, networking, MFA/SSO needs.
  • Check prerequisites: Microsoft licensing, tenant ownership, acceptable use, security baseline acceptance.
  • Convert opportunity to project in the PSA (Autotask/ConnectWise) — milestones, CIs, contract/subscription, and Implementation/Networking/App-packaging tickets.
  • Schedule kickoff; assign Solutions Architect (design) and Provisioning Engineer (build).
Deliverables: Approved Order, Project plan, Customer checklist

Stage 2

Design & planning

A 45–60 minute design workshop produces a Low-Level Design and Implementation Plan, signed off by the customer.

  • Identity: Entra ID / AAD tenant, groups, RBAC, MFA / SSO provider.
  • Desktop profile: vCPU/RAM baseline, FSLogix profile size, OS image, language and time zone.
  • Applications: list, versions, packaging, licensing, app-owner sign-off.
  • Data: file shares, OneDrive / SharePoint paths, permissions.
  • Security: EDR, CIS hardening, patch windows, GPO / Intune, conditional access.
  • Networking: private connectivity, allowlists, DNS, printing.
  • Backups / DR: RPO / RTO targets and retention.
  • Support: named approvers, escalation paths, maintenance windows.
Deliverables: Low-Level Design (LLD), Implementation Plan, Change window

Stage 3

Provisioning & build

The Provisioning Engineer builds tenancy, network, identity, golden image, host pool, profiles, apps, backups, monitoring and security controls.

  • Tenancy: subscriptions / resource groups, naming, tagging, key vaults.
  • Network: vNet/VPC, subnets, private endpoints, firewall rules, route tables, site-to-site or zero-trust connector.
  • Identity: VDI-Users / VDI-Admins groups, conditional access (MFA required), domain or AAD join.
  • Golden image: patched, hardened, EDR + Office + RMM + FSLogix + LOB apps; sysprep and capture.
  • Host pool / session hosts deployed to sizing with autoscale and diagnostics.
  • Profiles on premium storage, with quotas and exclusions.
  • Apps packaged as MSIX / Win32 with app-masking rules.
  • Backups: snapshots / vault enabled, restore tested.
  • Monitoring & alerts wired to PSA ticket automation.
  • Secure baseline: legacy protocols off, TLS tuned, EDR policy, patch rings.
  • Initial accounts created, groups assigned, MFA registration instructions issued.
  • Security review of logs, RBAC, and baseline compliance checklist.
Deliverables: Build checklist, Change record, Rollback plan

Stage 4

Acceptance testing & pilot

1–3 pilot users validate login, profile persistence, apps, printing, performance, and latency. Security checks run against the image.

  • Validate login / MFA, profile persistence, app launches, printing, scanning, mapped drives, performance.
  • Vulnerability scan of image, EDR check-in, missing patches, CIS spot-check.
  • Fix issues; re-seal image if needed.
  • Customer signs UAT form.
Deliverables: UAT sign-off, Go-live date confirmed

Stage 5

Go-live & user onboarding

Remaining seats are deployed, backups are enabled site-wide, and Hypercare covers the first 5–10 business days.

  • PE deploys remaining seats; confirms autoscale; enables backups across all hosts.
  • Onboarding package: client URL, install, MFA steps, acceptable use, support hours, logoff vs disconnect tips.
  • Service Desk stands up Hypercare queue; P1 / P2 incidents prioritized.
Deliverables: Onboarding templates, Hypercare plan

Stage 6

Steady-state operations

Service Desk owns incidents and requests under SLA. Provisioning handles infrastructure changes. Customer Success owns adoption, QBRs and expansions.

  • Patching: monthly image updates, weekly session-host patch window, out-of-band for criticals.
  • Backups: daily, with monthly restore tests.
  • Monitoring: daily health review with ticket auto-generation on thresholds.
  • Capacity: monthly review of CPU / RAM, storage, profile sizes — right-size as needed.
  • Security cadence: quarterly access review, credential rotation, conditional-access and sign-in-risk log review.
Deliverables: Runbook, Maintenance calendar

Stage 7

Support workflow — tickets, SLAs, escalation

Portal, email and phone intake feed an auto-triaged queue with documented SLAs and escalation paths.

  • Intake auto-triage: Access/Login, Performance, App Issue, Printing, Profile/Storage, New User, Change Request.
  • L1 triage: verify identity, check known issues / maintenance, capture impact, attach logs.
  • Decision trees: profile reset vs repair, host drain / restart, app repair, printer mapping.
  • L2 (PE) for persistent performance, image / package fixes, capacity.
  • L3 (SA / vendor) for platform faults or code defects.
  • Incident comms: P1 customer updates every 60 minutes; post-incident review for P1 / P2.
Deliverables: SLA matrix, Triage playbooks, Comms templates

Priority  Scope                Response           Restore
P1        Outage, many users   15 min             4 hours
P2        Single user blocked  1 hour             8 hours
P3        Degraded / minor     Same business day  3 days
P4        How-to / question    1 business day

Example SLAs — tuned to each contract.

Stage 8

Change management

Adds, moves, changes, and expansions follow a risk-based process with a standard-change catalog and RFC template for medium / high risk.

  • Customer submits via portal with business impact, deadline, and approver.
  • Low-risk: standard change implemented in target window.
  • Medium / high risk: SA raises RFC with implementation, rollback, maintenance window, customer approval.
  • Image versioning with semver (e.g., JD-Image 2026.05.1) and published change log.
  • Pricing: pro-rata adds from activation; NRC for setup per rate card.
Deliverables: RFC template, Standard-change catalog, Approval matrix

Stage 9

Billing & contracts

Per-user-per-month plus add-ons. Activation events from the PSA start billing. Monthly in advance for seats, in arrears for usage.

  • Activation: Fin receives Seats Activated event from PSA; billing starts at go-live (or 7 days post-UAT if staged).
  • Pro-rata for mid-cycle adds; credits for downgrades next cycle unless SLA-missed.
  • Collections: Net 15 / 30, dunning workflow, defined service-suspension policy.
  • Renewals: CSM reviews usage and right-sizing 60 days prior.
Deliverables: Rate card, Billing rules, Dunning policy

Stage 10

Customer account management

30-day health check after go-live, then quarterly QBRs covering adoption, ticket volume, security posture, and cost optimization.

  • Metrics: adoption, ticket categories, performance, MFA coverage, patch compliance, capacity / cost.
  • Quarterly user and admin access review; stale accounts removed; attestations recorded.
  • Customer runbook maintained: network diagrams, image versions, app list, backup schedule, contact matrix.
  • Feature requests captured and prioritized with product / engineering.
Deliverables: QBR deck template, Health scorecard

Stage 11

Offboarding & account closure

A 30-day plan handles access freeze, data export, license cleanup, security teardown, secure deletion, and financial close.

  • Freeze new changes except critical fixes.
  • Disable user access on agreed date; export profiles / data to customer storage; transition DNS / VPN.
  • Final snapshot and media handover; confirm retention and secure-deletion dates.
  • De-allocate seats, remove groups, revoke tokens / keys, break peering and privileged access.
  • Certificate / key destruction; audit-log export on request; compliance attestation.
  • Retain backups per contract, then cryptographically shred with deletion certificate.
  • Final pro-rata invoice, credit reconciliation, deposit return.
Deliverables: Offboarding checklist, Data deletion certificate, Final sign-off

Stage 12

Compliance & audit overlays

Evidence maintained per customer and mapped to frameworks (SOC 2, HIPAA, PCI) with quarterly artifact folders.

  • Access reviews, change approvals, incident timelines, backup tests, patching reports, vulnerability scans.
  • Per-customer folders with quarterly artifacts mapped to relevant frameworks.
Deliverables: Evidence library, Framework mapping

RACI snapshot

Who owns what across the lifecycle.

Role                   Ownership
Sales / PC             Intake, project setup, kickoff
Solutions Architect    Design, risk, complex changes
Provisioning Engineer  Build, image, infrastructure, escalations
Service Desk           Day-to-day support, standard changes
Security / Compliance  Baselines, access, audits
Customer Success       Relationship, QBRs, renewals
Billing / AR           Contracts, invoicing, collections

Artifacts we maintain

  • Intake form with all required order fields
  • Low-Level Design and UAT templates
  • Build checklist and change / rollback template
  • SLA / Support guide (PDF + web)
  • Standard-change catalog and rate card
  • Onboarding and hypercare email templates
  • Offboarding checklist and deletion attestation

30–45 day plan

Immediate rollout

Governance, plumbing, templates, tooling and pilot — in order.

Week 1–2

Governance & plumbing

  • Confirm named owners per role (Sales, PC, SA, PE, Sec, SD, CSM, Fin); publish RACI in the IT wiki.
  • PSA boards: Implementation, Networking, App Packaging, Hypercare, Service Desk, Changes (RFC), Problem, Vendor.
  • Ticket categories: Access/Login, Performance, App Issue, Printing, Profile/Storage, New User, Change Request, Incident, Request, Problem.
  • SLA policies for P1–P4 with business hours, escalation timers, breach alerts.
  • Auto-route by category, auto-create child tickets for Provisioning, auto-open P1 comms template on Major Incident.
  • CMDB: CI classes for Virtual Desktop Seat, Golden Image, Host Pool, FSLogix Storage Profile, Backup Policy, Network Link.
  • Standard-change catalog plus RFC template for medium/high risk.
  • Security baseline: CIS/Intune docs, EDR policy, CA rules, break-glass accounts, key rotation, logging destinations.
  • Finance: products/rate card (Seat, GPU, storage tiers, backup, premium support, NRC); billing rules and dunning cadence.

Week 3–4

Templates, tooling & pilot hygiene

  • Templates finalized and loaded into PSA and wikis.
  • Golden image pipeline: Packer / Azure Image Builder or repeatable manual checklist; semver naming (e.g., JP-AVD-Image 2026.05.1).
  • Monitoring thresholds: CPU > 85% for 10m, RAM > 85% for 10m, FSLogix profile > 80% quota, login-failure spikes, failed backups.
  • Alerts routed to PSA with category mapping and SLA-aligned severity.
  • Backup policy applied; monthly test-restore runbook created and scheduled.
  • Pilot: 3-user test tenant, UAT checklist run, image iterated once.

Week 5+

First customer onboard

  • Execute the 12-stage SOP on the first paying customer.
  • Run Hypercare 5–10 business days.
  • Transition to steady-state ops cadence.

PSA / ITSM

Queues, categories & routing

Ready-to-paste configuration for Autotask, ConnectWise, or any modern ITSM.

Queues / boards

  • Implementation
  • Networking
  • App Packaging
  • Hypercare
  • Service Desk (Incidents/Requests)
  • Changes (RFC)
  • Problem
  • Vendor Cases
  • Finance/Billing

Category routing rules

  • Access / Login
    Service Desk; priority auto-set by user impact (P2 if blocked).
  • Performance
    Service Desk; auto-notify L2 after 2 failed KB steps.
  • App Issue
    App Packaging if packaging/install; Service Desk for user-scope fixes.
  • Printing / Peripherals
    Service Desk; escalate to PE if driver/image defect.
  • Profile / Storage
    Service Desk; auto-attach FSLogix logs; L2 after one repair attempt.
  • New User
    Service Desk standard change; auto-create checklist subtasks.
  • Change Request
    Changes board; auto-spawn RFC if risk > low.
  • Major Incident
    If outage + affected users > 5: auto-flag P1, open comms ticket, start 60-min updates.

Escalation automation

  • P1 not updated in 55 min → page on-call PE + SA; post to MI channel.
  • P2 not assigned in 60 min → auto-assign to L2 pool.
  • Any incident with vendor dependency → create linked Vendor Case ticket.
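
The Major Incident routing rule and the three escalation timers above, written as a rule evaluator. This is an added example, not configuration from Autotask, ConnectWise or this SOP's own tooling; the `Ticket` fields, action names and `VC-` case id format are assumptions for illustration, and the ticket data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Timers and threshold copied from the routing and escalation rules above.
P1_UPDATE_LIMIT = timedelta(minutes=55)
P2_ASSIGN_LIMIT = timedelta(minutes=60)
MAJOR_INCIDENT_USERS = 5  # rule fires when affected users > 5

@dataclass
class Ticket:  # hypothetical shape, not an Autotask/ConnectWise schema
    id: str
    priority: str
    opened: datetime
    last_update: datetime
    assignee: Optional[str] = None
    outage: bool = False
    affected_users: int = 1
    vendor_dependency: bool = False
    vendor_case: Optional[str] = None
    paged: bool = False

def evaluate(t: Ticket, now: datetime) -> list:
    """Return the automation actions due for one ticket; safe to re-run."""
    actions = []
    # Major Incident: outage + affected users > 5 -> P1, comms, 60-min updates.
    if t.outage and t.affected_users > MAJOR_INCIDENT_USERS and t.priority != "P1":
        t.priority, t.last_update = "P1", now  # the re-flag counts as an update
        actions += ["flag_p1", "open_comms_ticket", "start_60min_updates"]
    # P1 not updated in 55 min -> page on-call PE + SA once, post to MI channel.
    if t.priority == "P1" and not t.paged and now - t.last_update >= P1_UPDATE_LIMIT:
        t.paged = True
        actions += ["page_oncall_pe_sa", "post_mi_channel"]
    # P2 not assigned in 60 min -> L2 pool.
    if t.priority == "P2" and t.assignee is None and now - t.opened >= P2_ASSIGN_LIMIT:
        t.assignee = "L2-pool"
        actions.append("assign_l2_pool")
    # Vendor dependency -> one linked Vendor Case, never a duplicate.
    if t.vendor_dependency and t.vendor_case is None:
        t.vendor_case = f"VC-{t.id}"
        actions.append("create_vendor_case")
    return actions

if __name__ == "__main__":
    now = datetime(2026, 5, 1, 12, 0)  # constructed sample data
    stale = Ticket("T-2", "P1", now - timedelta(hours=3), now - timedelta(minutes=56))
    print(evaluate(stale, now))
    print(evaluate(stale, now))  # second scheduler pass: nothing new to do
```

Each rule records its own effect on the ticket, so a scheduler that re-evaluates every minute does not re-page on-call or open duplicate Vendor Cases.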
Catalog

Standard-change catalog

Anything outside this set flows to RFC with risk and rollback.

  • New user provision to AVD seat
    Steps: Create account, assign VDI-Users group, license, FSLogix quota, MFA enrollment email, welcome pack.
    Target: 1 business day
  • Printer mapping for user / group
    Steps: Intune / scripted mapping; test page; document.
    Target: Same day
  • Profile repair (non-destructive)
    Steps: FSLogix compact, clear temp caches, validate ODFC / Outlook OST.
    Target: 4 hours
  • App assignment to user / group (existing packaged app)
    Steps: Scope to group, verify install, UAT by app owner.
    Target: 1 business day
  • Session host drain / restart during maintenance
    Steps: Drain mode on, sign-off, patch, verify, rejoin pool.
    Target: Scheduled window

Copy-ready

Email & comms templates

Paste into the PSA, then tune for each customer.

Subject: Your Jackie Poole Managed Virtual Computer — Access Instructions

Hi <First Name>,

Your virtual computer is ready.

1) Sign in
  • Web client: https://aka.ms/avd
  • Client app (optional): https://aka.ms/avdclient

2) Credentials and MFA
  • Username: <user@yourdomain.com>
  • Temporary password: <temp>
  • On first sign-in you'll be prompted to set up MFA.

3) Tips
  • Choose "Sign out" when done to save resources; avoid "Disconnect" for long periods.
  • Storage: your profile and Documents are saved; don't store files on C:.

4) Support
  • Hours: <hours / timezone>
  • Portal: <portal URL>
  • Email: support@jackiepoole.com
  • Phone: <number>

Acceptable Use: <link>

Thank you,
Service Desk

Subject: [P1] Virtual Desktop Service Incident — <Customer Name>

Status: Investigating
Impact: <scope / users / regions>
Start time: <UTC / local>
Current actions:
  • <bullet>
  • <bullet>
Next update: in 60 minutes or sooner.

Subject: UAT Sign-off — Managed Virtual Computer

Please validate:
  • Login / MFA
  • Profile persistence
  • Required apps launch
  • Printing / scanning
  • Mapped drives / data access
  • Performance acceptable

Reply "Approved" or list issues to remediate.

Subject: Dunning cadence — Finance

Day 1 past due: Friendly reminder with invoice link.
Day 10: Second notice; suspension policy reminder.
Day 20: Final notice; suspension date set (5 business days).

At a glance

One-page flow

  1. Order intake → project, contracts and tickets auto-created → kickoff.
  2. Design (SA) → LLD + Implementation Plan → customer approval.
  3. Build (PE) → security review → pilot / UAT → go-live → Hypercare.
  4. Steady-state ops (SD / PE / CSM) with monitoring, backups, patching, capacity.
  5. Changes via standard catalog or RFC; image versioning tracked.
  6. Billing from activation; renewals reviewed at T-60.
  7. Offboarding → data export → deletion attestation → financial close.

Data handling

Retention & deletion defaults

Override per customer contract.

Standard

30 days rolling profiles and backups.

Regulated

90 days rolling unless contract specifies otherwise.

Post-termination

Customer-configured hold, then cryptographic shred + deletion certificate.

What we need from you

To tailor this 1:1

  • Your PSA / RMM stack (Autotask vs ConnectWise; Intune / RMM tool; ticket email).
  • Preferred SLA hours / timezone and P1 / P2 paging method.
  • Default desktop sizes / SKUs for the rate card.
  • Backup retention defaults and DR targets (RPO / RTO) by tier.
  • Branding links: portal URL, support email / phone, AUP, privacy policy.
  • Compliance overlays to standardize (SOC 2, HIPAA, PCI) and evidence cadence.

Want this tailored to your stack?

Share your PSA / RMM stack and target SLAs — we'll tune ticket categories, automation, email templates, and a one-page flow diagram.
