Microsoft Endpoint Manager is used for maintaining, monitoring, and protecting your end users and endpoints. Whether you are using the cloud or an on-premises network, Microsoft Endpoint Manager will help keep your data safe and secure. It consists of the tools and services that you can use to monitor and maintain your endpoints. Endpoints include:
■ Apps
■ Desktop computers
■ Embedded devices
■ Mobile devices
■ Servers
■ Shared devices
■ Virtual machines
Microsoft Endpoint Manager includes a variety of services:
■ Azure Active Directory (Azure AD)
■ Co-management
■ Configuration Manager
■ Desktop Analytics
■ Endpoint Manager Admin Center
■ Microsoft Intune
■ Windows Autopilot
Endpoint Manager uses Azure Active Directory (Azure AD) to identify devices, groups, multifactor authentication (MFA), and users.
Co-management is used to join an existing on-premises Configuration Manager asset to the cloud by using either Intune or another Microsoft 365 cloud service. As an administrator, you will determine which service will be the management authority.
Desktop Analytics is a cloud-based service that works in conjunction with Configuration Manager. It helps you make important decisions regarding the update readiness of a Windows client. Desktop Analytics looks at the data from your company along with data collected from millions of other devices that are connected to the Microsoft cloud to help provide information on apps, security updates, and more. Desktop Analytics is used to keep Windows 10 devices current.
The Endpoint Manager Admin Center is a comprehensive website that you can use to manage devices and create policies. It is where you can locate the Microsoft Intune service, as well as other device management–related settings.
Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) provider that you use for apps and devices. Using the cloud, Intune can create and check for compliance, deploy apps, and change features and settings on a variety of devices.
Windows Autopilot is used to streamline the way devices get deployed, reset, and repurposed by using a deployment method that requires no interaction from the IT department. Autopilot is used to preconfigure devices and to automatically enroll devices in Intune. Your users simply unbox the device and turn it on, and Windows Autopilot will configure it from the cloud using just a few steps.
What deployment method should you use? This is a question that is often asked. There really is no right or wrong answer. Use what works best for you and your organization and consider what you wish to accomplish. You can start with Windows Autopilot if you are continually provisioning new devices, or you can use Intune if you add rules and control settings for your apps, devices, and users.
Endpoint Manager can be thought of in three separate parts:
Cloud All your data is stored in Azure. This method provides you with the benefits of mobility on the cloud as well as the security advantages that are provided by Azure.
On-premises If you aren’t ready to use the cloud, then you can keep your existing systems in house. All hardware and software applications are hosted onsite.
Hybrid These environments use a combination of both cloud and on-premises solutions.
There are a number of benefits to using Microsoft Endpoint Manager to manage and protect your endpoints. You can:
■ Confirm that user devices are configured and protected according to corporate policies.
■ Confirm that your corporate security rules are in place.
■ Ensure that corporate services are available to your end users and on all of their devices.
■ Ensure that your company is using correct credentials in order to access and share corporate information.
■ Protect the apps and devices that access your resources.
■ Protect the data that your users are accessing.
If you have Microsoft Endpoint Configuration Manager and Microsoft Intune, then you already have Microsoft Endpoint Manager. These are all now one management system.
Using Mobile Device Management
Mobile device management (MDM) is basically a way in which administrators can manage mobile devices. It refers to a set of functions and features that regulate the use of mobile devices to make sure they are compliant with corporate policies.
MDM allows you to maintain, secure, and enforce mobile endpoint policies. You can use it to set up Windows 10/11 policies that can incorporate a wide variety of scenarios, such as the ability to control a user’s access to the Windows Store or the ability to access the corporate VPN.
To help you manage corporate security policies and business applications, Windows 10 and Windows 11 provide an enterprise management solution that consists of two parts:
■ The enrollment client, which enrolls and configures the device to communicate with the enterprise management server
■ The management client, which synchronizes with the management server to check for updates and apply policies
MDM administers mobile devices without joining them to an on-premises Active Directory Domain Service (AD DS). In order to manage a device using MDM, implement MDM by using an MDM authority and MDM clients. Microsoft offers two MDM authority solutions:
■ Basic Mobility and Security (Microsoft 365)
■ Microsoft Intune
Once the device is enrolled, you can still implement policies and profiles to manage the device. Each of these solutions uses Microsoft 365 Endpoint Manager for administering the MDM solutions. They each manage enrolled devices, but they provide distinct capabilities.
MDM client functionality is included with the Windows 10/11 operating system. MDM includes the delivery of applications, settings, and data to devices that are enrolled to MDM. Windows 10/11 devices can be enrolled in MDM by any of these methods:
■ Being enrolled into Azure AD (if Azure AD and MDM are configured)
■ Using Group Policies in a hybrid environment
■ Using a provisioning package
■ Using the Settings app
■ Manually configuring
MDM authority, such as Intune, can provide these capabilities:
Application Management You can install apps and manage settings by using both MDM and Mobile Application Management (MAM).
Configuring Devices You can use profiles and policies to configure devices, control what users can access, and set device settings to comply with corporate policies.
Device Enrollment MDM can only manage supported devices that have been enrolled. In order to manage a device, the device must either include the MDM client functionality (as Windows 10 does) or you must install a Company Portal app (for example, on Android or iOS devices).
Monitoring and Reporting With the MDM management tool, you can get a notification if a device is having an issue or if a policy was not properly applied. Enrolled devices can also be added to groups. You can also configure Windows Autopilot device deployment by using Intune.
Selective Delete Data Should a device ever get lost or stolen, or if a user leaves your company, you can wipe the corporate data that is on the device. A wipe is basically just erasing the data from the hard disk on the device. You have the option to either wipe all the data on the device or perform a selective wipe, which will leave the user’s personal data on the device intact.
Even if a device isn’t a member of the domain, the device can be managed by MDM. If you have a Windows 10/11 device that is a member of the domain, then you can manage it by using Group Policy and MDM simultaneously. With Windows 10 version 1803 and newer, you can specify whether a Group Policy setting or an MDM policy setting will take precedence if there is a conflict.
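The enrollment methods listed above and the Group Policy versus MDM precedence rule both leave traces on the device that an administrator can audit. The following PowerShell script is an added example, not code from the book or from Microsoft; it reads the standard enrollment registry keys and the MDM-delivered ControlPolicyConflict/MDMWinsOverGP setting (Policy CSP, Windows 10 1803 and newer). The meaning assigned to the numeric EnrollmentState value is an assumption noted in the comments.

```powershell
# Added example (not from the book): report a Windows 10/11 device's MDM enrollment(s)
# and whether MDM or Group Policy wins on conflict. Run in an elevated PowerShell session.
function Get-MdmEnrollmentReport {
    $report = [ordered]@{ Enrollments = @(); MdmWinsOverGP = $null }

    # Each MDM enrollment is recorded as a GUID-named subkey under this key.
    # Non-GUID subkeys (Status, Ownership, ...) are bookkeeping, so they are skipped.
    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (Test-Path $enrollRoot) {
        Get-ChildItem $enrollRoot |
            Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f-]{36}\}?$' } |
            ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                # Only subkeys carrying a ProviderID are real MDM enrollments;
                # Intune registers itself as "MS DM Server".
                if ($p.ProviderID) {
                    $report.Enrollments += [pscustomobject]@{
                        Id              = $_.PSChildName
                        ProviderID      = $p.ProviderID
                        UPN             = $p.UPN
                        EnrollmentType  = $p.EnrollmentType   # numeric code; differs per enrollment method
                        EnrollmentState = $p.EnrollmentState  # assumption: 1 denotes a completed enrollment
                        DiscoveryUrl    = $p.DiscoveryServiceFullURL
                    }
                }
            }
    }

    # Policy CSP ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP.
    # When the MDM authority delivers it, the value is stored under PolicyManager\current\device.
    $conflictKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    if (Test-Path $conflictKey) {
        $report.MdmWinsOverGP = (Get-ItemProperty $conflictKey).MDMWinsOverGP
    }

    [pscustomobject]$report
}

$r = Get-MdmEnrollmentReport
if ($r.Enrollments.Count -eq 0) { Write-Warning 'No MDM enrollment found on this device.' }
$r.Enrollments | Format-Table -AutoSize
switch ($r.MdmWinsOverGP) {
    1       { 'MDM policy wins over conflicting Group Policy (MDMWinsOverGP = 1).' }
    0       { 'Group Policy wins over conflicting MDM policy (MDMWinsOverGP = 0).' }
    default { 'MDMWinsOverGP not delivered by MDM; Group Policy wins conflicts by default.' }
}
```

On a domain-joined device that is also enrolled, a report showing an Intune enrollment with MDMWinsOverGP unset tells you that any setting configured in both places is still being taken from Group Policy.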
You can manage the following Windows 10/11 configuration areas by using MDM:
■ Application management
■ Device configuration and security
■ Enrollment
■ Inventory
■ Remote assistance
■ Unenrollment
Application management benefits include:
■ Custom Windows Store
■ Business Store Portal (BSP) app deployments; license reclaim
■ Enterprise app management
■ Line-of-business (LOB) app management
■ Win32 (MSI) app management
■ App inventory (LOB/Store apps)
■ App allow/deny lists using AppLocker
■ Windows Information Protection (WIP)
Device configuration and security benefits include:
■ Device update control
■ Email provisioning
■ Enterprise Wi-Fi
■ Extended set of policies for client certificate management
■ Kiosk, Start screen, Start Menu configuration, and control
■ MDM push
■ VPN management
Enrollment benefits include:
■ Azure AD integration
■ Bulk enrollment
■ Converged protocol
■ Provisioning
■ Simple bootstrap
Inventory benefits include additional device inventory. Remote Assistance benefits include:
■ Enhanced inventory for compliance decisions
■ Full device wipe
■ Remote lock, PIN reset, ring and find
Unenrollment benefits include:
■ Removal of enterprise configuration (apps, certs, profiles, policies) and enterprise-encrypted data (with EDP)
■ Unenrollment with alerts