How Microsoft Endpoint Manager is Bringing Intune and Configuration Manager Together

As people get access to more and more devices, the way that businesses operate has been rapidly evolving to keep up with the technology. And with more of these devices having access to a business’ data, this can help to improve productivity.

The problem, however, is that this can easily create a situation that puts the entire organization’s network at risk.

So a solution is necessary: one that enables a business to get the most it can from the devices that are available to its employees without compromising data security. This is why you need a platform like Microsoft Endpoint Manager that can bring together the most effective device management tools.

Creating the solution

Microsoft already had plenty of products available to help businesses with device management. And these products included the two that we’ll be focusing on today: Intune and Configuration Manager. So why did they feel the need to change things, to add yet another product?

What Microsoft Endpoint Manager (MEM) seeks to address is the need for a comprehensive management solution. MEM can help to reduce client confusion over the multiple products that are available by giving you a unified platform for all your devices, including Windows 10, macOS, iOS, and Android. By using MEM, businesses can, among other things:

  • proactively manage all of their devices,
  • maintain systems and software,
  • limit exposure and respond to security threats,
  • distribute settings, and much more.

Microsoft Intune

With Intune, what you are getting is a 100% cloud-based mobile device management (MDM) and mobile application management (MAM) provider for your apps and devices. Using it enables you to have control over the features and settings on Windows 10, Apple, and Android devices.

Also, if you have on-prem infrastructure, there are Intune connectors available, namely the Intune Connector for Active Directory and the Intune certificate connector.

And by making it a part of MEM, Microsoft allows you to use Intune to create and check for compliance, as well as deploy apps, features, and settings to your devices using the cloud.

Configuration Manager

Whereas Intune is a 100% cloud-based solution, Configuration Manager gives you the on-premises management solution. With this, businesses can manage desktops, servers, and laptops that are on their network or internet-based. It is a flexible solution that you can cloud-enable if you want to integrate with Intune, Azure Active Directory (AD), Microsoft Defender for Endpoint, and other cloud services.

Furthermore, Configuration Manager gives you a great tool for the deployment of apps, software updates, and operating systems. Not only that, but you can also stay on top of queries and compliance issues so that you can act in real-time.

What are the requirements?

The beauty of Microsoft Endpoint Manager is that there is no complicated configuration or migration that you need to worry about. And this goes for the licensing as well.

If you have an existing Configuration Manager license then you can continue to use it, while simultaneously taking advantage of the Microsoft cloud-based security and compliance benefits of Intune.

Combining these two solutions has allowed Microsoft to make Configuration Manager available to clients with Intune licenses and vice versa. All of this without the usual roadblocks that you previously had to deal with.

This simplifies the process of giving clients a more comprehensive management platform. For management of non-Windows devices, however, you will need an Intune license, an Enterprise Mobility & Security (EMS) license, or a Microsoft 365 E3 or higher license.

Taking advantage of MEM

There are plenty of reasons why any business should consider using MEM to improve the way it operates. As mentioned above, people now have access to plenty of different devices and businesses should benefit from that.

But, with the complexities that are involved in device management, there is no single tool that can meet all the requirements.

This is why bringing together Intune and Configuration Manager can work so well. By supporting a diverse BYOD ecosystem, MEM makes it easy to manage all endpoints. Whether they are on-premises or remote, corporate-owned or personal, desktop or mobile, MEM can handle them.

In addition, MEM is flexible enough to meet you where you are in your cloud journey and will not disrupt your existing processes. Your business can also leverage the integrations with other platforms such as Microsoft 365 and Azure AD to enhance productivity.

Combining products gives clients a lot to look forward to. Especially when you consider the simplified licensing arrangement. Overall, this combination will vastly improve the end-user experience and also allow IT teams to save costs and function more efficiently.

Addressing concerns

We all have our preferred tools that we use and that enable our businesses to operate optimally. So naturally, there will be concerns about combining Intune and Configuration Manager. What exactly does it mean for these products?

By bringing these products together under one umbrella, Microsoft is not doing away with Configuration Manager as many think. And the choice of name allows Microsoft to keep adding features to the platform.

Therefore, if you have solutions that are built on Configuration Manager and want to continue using it, you are free to do so. The difference is that you’ll also get to leverage the intelligence of the Microsoft 365 cloud.

Starting in version 1910, Configuration Manager falls under the Microsoft Endpoint Manager branding. As for the other components of the System Center suite, there are no changes to report.

Wrap up

The solutions that businesses use need to continuously evolve to allow us to boost productivity and enhance data security. We need solutions that can offer the deployment of a seamless, end-to-end management solution.

And by combining Microsoft Intune and Configuration Manager into Microsoft Endpoint Manager, we can get just that. A solution that gives clients modern management and security while integrating with other Microsoft products in a way that optimizes device management.

How Endpoint Analytics Just Got Better

End-users commonly experience challenges such as long boot times, application crashes, and so on. These problems may be the result of a lack of optimized software configurations, legacy hardware, and issues that may arise due to configuration changes and updates.

By using Endpoint Analytics, you can begin addressing these issues.

You’ll be able to improve user productivity as well as reduce IT costs because of the insights that you’ll receive. These insights give you information about device setup, startup and sign-in times, and overall system performance.

Not only that, but the introduction of new features can enhance the user experience even more.

Benefits of Endpoint Analytics

Introduced in September 2020, Endpoint Analytics is the tool that can help your organization to gather significant amounts of data and thus help you to view and understand the performance of your managed Windows 10 estate. At the initial release, Microsoft Endpoint Analytics had three main areas of focus:

  1. Startup performance: the insights provided help you understand your devices’ reboot and sign-in times and this enables IT to get users from power-on to productivity quickly without lengthy boot and sign-in delays.
  2. Proactive remediation scripting: swiftly fix common issues before they become problematic for end-users.
  3. Recommended software: recommendations for providing the best user experience.

To make the product even better, Microsoft has added two new features to give IT greater visibility in order to enhance the overall end-user experience.

The application reliability report

The first of the two new features is called the application reliability report (APR). This is something that will provide you with insights into potential issues for desktop applications on managed devices.

Utilizing this feature helps you to quickly identify the top applications that are impacting end-user productivity. Moreover, it also enables you to view aggregate app usage along with app failure metrics for these applications.

To take advantage of this feature, devices should be enrolled in Endpoint Analytics. And for devices enrolled from Configuration Manager, they’ll need client version 2006 or later installed.

To view the APR, you won’t need to do anything if your devices are Intune managed or co-managed. You’ll easily locate it beside the rest of the Endpoint Analytics reports in the Microsoft Endpoint Manager admin center console.

On the other hand, if you have devices enrolled through tenant attach, you need to upgrade to Configuration Manager 2006 for this report to populate.

How it works

To find your app reliability score, head over to the overview page. Here, you’ll also get the baseline score which is the median across all organizations. Below that you get a list of the apps most likely to have reduced user productivity during the previous 14 days. And then on the right column are app reliability Insights and Recommendations prioritized by which are most likely to boost your score.

To view the list of all your organization’s apps, you can go to the App performance tab. You can sort these apps by criteria such as name, publisher, active devices, and app reliability score. You can also sort apps by mean time to failure, which is the average number of times the app can be used across the organization between crashes.

To see your organization’s application reliability performance, you can also leverage other pivots such as the device model and the OS version deployed, as well as troubleshoot application reliability issues with individual devices.

Devices will be given a device app health score that you find in device performance. This score is determined by the frequency of app crashes on a particular device during the last 14 days. To help you with troubleshooting, you can view a timeline of app crash and app hang events by clicking into each device.

Restart frequency feature

The second of the two recent additions to Endpoint Analytics is the restart frequency feature. This tool provides you with information regarding when devices are being rebooted and why.

You also get an improvement for the existing startup performance report thus helping to improve the user experience even further. All of this should enable operational and helpdesk departments to be more proactive and provide insights on end-user devices.

The data provided aims to clarify the type of reboots that occur. To achieve that, these reboots will be classified as either normal or abnormal. When we talk of normal restarts, this refers to restarts that go through the normal Windows shutdown processes such as Windows update installations.

And when we talk about abnormal restarts, this refers to those that don’t follow normal Windows shutdown processes. Because abnormal restarts can be potentially problematic they need to be looked into further. There are three categories of them:

  • Blue screens: This type of abnormal restart is also known as a stop error. On average, one may expect no more than two stop errors per device per year.
  • Long power button press: Occurs when you hold down the power button to force a restart. This type happens less frequently than blue screens.
  • Unknown: The last category is for shutdowns that cannot be placed in either of the two previous categories.
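
One way to reproduce this three-way split for a single device from the Windows System log, as an added example that is not part of the original article and is not how Endpoint Analytics itself builds the report. It assumes that the Kernel-Power Event ID 41 fields BugcheckCode and PowerButtonTimestamp separate the categories; the function names and the sample events are constructed for illustration.

```powershell
# Added example: sort unexpected restarts into the three abnormal categories
# using Kernel-Power Event ID 41 ("the system has rebooted without cleanly
# shutting down first"). The field-to-category mapping is an assumption.

function ConvertTo-UInt64OrZero {
    param([string]$Text)
    $value = [uint64]0
    if ([uint64]::TryParse($Text, [ref]$value)) { return $value }
    return [uint64]0   # missing or non-numeric field counts as "not set"
}

function Get-AbnormalRestartCategory {
    param([Parameter(Mandatory)][string]$EventXml)

    # Collect the named <Data> fields of the event into a lookup table.
    $doc = [xml]$EventXml
    $fields = @{}
    foreach ($node in $doc.GetElementsByTagName('Data')) {
        $fields[$node.GetAttribute('Name')] = $node.InnerText
    }

    $bugcheck    = ConvertTo-UInt64OrZero $fields['BugcheckCode']
    $powerButton = ConvertTo-UInt64OrZero $fields['PowerButtonTimestamp']

    if ($bugcheck -ne 0) {
        # A non-zero stop code means the restart followed a blue screen.
        return [pscustomobject]@{
            Category = 'Blue screen'
            Detail   = 'Stop code 0x{0:X8}' -f $bugcheck
        }
    }
    if ($powerButton -ne 0) {
        # The firmware recorded a power button hold before the restart.
        return [pscustomobject]@{
            Category = 'Long power button press'
            Detail   = 'PowerButtonTimestamp is set'
        }
    }
    return [pscustomobject]@{
        Category = 'Unknown'
        Detail   = 'No stop code or power button record'
    }
}

# Summarise the live System log on a Windows device (needs read access to the log).
function Get-AbnormalRestartSummary {
    param([int]$MaxEvents = 200)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Power'
        Id           = 41
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AbnormalRestartCategory -EventXml $_.ToXml() } |
        Group-Object -Property Category |
        Select-Object -Property Name, Count
}

# Constructed sample events (not captured from a real device) so the
# classifier can be exercised offline.
function New-SampleEvent41 {
    param([uint64]$Bugcheck, [uint64]$PowerButton)
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>41</EventID></System><EventData>" +
    "<Data Name='BugcheckCode'>$Bugcheck</Data>" +
    "<Data Name='PowerButtonTimestamp'>$PowerButton</Data>" +
    "</EventData></Event>"
}

$samples = @(
    (New-SampleEvent41 -Bugcheck 159 -PowerButton 0),
    (New-SampleEvent41 -Bugcheck 0   -PowerButton 132500000000000000),
    (New-SampleEvent41 -Bugcheck 0   -PowerButton 0)
)

$samples |
    ForEach-Object { Get-AbnormalRestartCategory -EventXml $_ } |
    Format-Table -AutoSize
```

Calling Get-AbnormalRestartSummary on a device gives a per-category count that can be compared against the guideline above of no more than two stop errors per device per year.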

Wrap up

Deployment of new laptops and desktops to users in an organization is a constantly ongoing process for a lot of businesses. As such, IT departments need efficient ways of managing devices and ensuring the optimization of the end-user experience.

And this is why if you’re not already enrolled you should be considering Endpoint Analytics.

End-users may face various issues in their day-to-day work that they will not report. Because of this, the user experience suffers and this will inevitably affect productivity. But, by utilizing Endpoint Analytics and its great new features, organizations can get high-level visibility into these various issues enabling them to address them quickly and efficiently.

Microsoft Endpoint Manager – New, Exciting Features To Know About

When it comes to Microsoft Endpoint Manager (MEM), there’s always a steady stream of new features that clients should be paying attention to.

Technology is constantly changing and the products that we use need to improve as well. Especially if we consider the recent surge in cybercrime as seen in the FBI’s 2020 internet crime report.

No business is immune and as such, technology companies have to consistently enhance their products to ensure that clients’ data is secure. With that said, let’s take a look at the exciting new features that Microsoft is bringing to the MEM platform.

Enhancing security through filters

Microsoft Endpoint Manager has now made it possible for IT admins to use filters to target apps, policies, and other workload types to specific devices.

By utilizing these filters, IT admins get more flexibility and can better protect data within applications, simplify app deployments, and speed up software updates.

Furthermore, it is now easier for admins to comply with their organizational policies and compliance requirements by deploying:

  • A Windows 10 device restriction policy only to the corporate devices of users in a particular department without including personal devices,
  • An iOS app to only the iPad devices for users in another department,
  • An Android compliance policy for mobile phones to all users in the company but exclude Android-based meeting room devices that don’t support the settings in that mobile phone policy.

To see how to make use of these filters, check out this video.

Windows 10 Enterprise multi-session support

Windows 10 Enterprise multi-session is a new Remote Desktop Session Host exclusive to Windows Virtual Desktop on Azure which allows multiple concurrent user sessions. With this feature, users get the benefit of a familiar Windows 10 experience. In addition, IT can benefit from the cost savings that a multi-session allows and use existing per-user Microsoft 365 licensing.

By leveraging Intune, you can manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 client. Moreover, you can enroll Hybrid Azure AD joined VMs in Intune automatically and target with OS scope policies and apps.

This means that now you can:

  • Host multiple concurrent user sessions using the Windows 10 Enterprise multi-session SKU exclusive to Windows Virtual Desktop on Azure.
  • Manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 Enterprise client.
  • Automatically enroll Hybrid Azure AD-joined virtual machines in Intune and target them with device scope policies and apps.

Policy management made simpler

Using the settings catalog simplifies the process of customizing, setting, and managing device and user policy settings. Managing policy configuration through custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy is not the easiest of tasks to undertake.

And so what the 2105 service release does is support your move from Group Policy Objects (GPO) or custom OMA-URI to cloud-based consolidated policies.

Clients will be happy to note that 5,000 settings have been added to the settings catalog for Edge, Office, and OneDrive, including additional settings for macOS and Windows.

Microsoft Tunnel Gateway changes

There are a couple of changes to note for the Microsoft Tunnel Gateway:

  • Microsoft Tunnel Gateway (MTG) is now out of preview and thus is generally available. However, while the MTG server component is out of preview, the following Microsoft Tunnel apps are not – Microsoft Tunnel standalone app (for both Android and iOS) and Microsoft Defender for Endpoint with support for Microsoft Tunnel for Android.
  • Custom setting support in VPN profiles for Microsoft Tunnel for Microsoft Defender for Endpoint for Android. New changes here mean that you can now use custom settings in the VPN Profile for Microsoft Tunnel to configure Microsoft Defender for Endpoint when using the Microsoft Defender for Endpoint as your Microsoft Tunnel client app for Android and as an MTD app.

Device security

Another update that is certain to make MEM clients happy is that conditional access on Jamf-managed macOS devices for Government Cloud is now available.

By using Intune’s compliance engine, you can now evaluate Jamf-managed macOS devices for Government Cloud.

All one has to do to achieve this is to activate the compliance connector for Jamf. The steps on how to do that can be found here.

New settings available

There are new settings now available when creating a device restrictions policy for iOS/iPadOS (14.5 devices and newer). Here are the updates that have been introduced:

  • Block Apple Watch auto unlock: You can set this to Yes and this will prevent users from unlocking their device with Apple Watch.
  • Allow users to boot devices into recovery mode with unpaired devices: If you want to allow users to boot their device into recovery with an unpaired device, you can set this one to Yes.
  • Block Siri for dictation: To disable connections to Siri servers so that users can’t use Siri to dictate text, set to Yes.

To view these settings you can go here.

App management

Clients will now get new tiles that show the number of app installation failures for the tenant. You can find these in the Home, Dashboard, and Apps Overview panes. All one has to do is follow a few simple steps:

  • Go to the Microsoft Endpoint Manager admin center,
  • To view the Home pane select Home,
  • Alternatively, if you want to view the Dashboard pane select Dashboard.
  • And to view the Apps Overview pane, select Apps > Overview.

Wrap up

Microsoft Endpoint Manager has many different ways that various companies can use it. It gives you a fantastic platform to gather end-point information. Also, it gives you the ability to push out Microsoft Desktop apps, Microsoft Edge as well as several other apps. And by consistently updating the features, Microsoft can help your business to operate more efficiently and enhance your data security and privacy.

Why Cloud Management Gateway Is So Important Now

With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).

By utilizing the CMG, your business has an alternative to Internet-based client management (IBCM) that most would consider a significant upgrade. This creates a favorable environment that allows your organization to eliminate the obstacles of having a remote workforce. Needless to say, the CMG can play a massive role in your organization, and its importance is certainly worth discussing.

Requirements

Before you can use the Cloud Management Gateway you need to meet the following requirements:

  • An Azure subscription to host the CMG,
  • You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
  • During the initial creation of certain components, the participation of an Azure admin is needed,
  • You need at least one on-premises Windows server to host the CMG connection point,
  • A server authentication certificate for the CMG,
  • There needs to be an integration of the site with Azure AD to deploy the service with Azure Resource Manager,
  • Depending on your client OS version and authentication model, other certificates may be required,
  • Clients are required to use IPv4.

When is it useful?

There are several scenarios where the CMG could come in handy and they include the following:

  • For management of traditional Windows 10 clients using modern identity which can either be hybrid or pure cloud domain-joined with Azure AD.
  • For management of traditional Windows clients with Active Directory domain-joined identity. The clients included are Windows 8.1 and Windows 10.
  • For installation of the Configuration Manager client on Windows 10 devices over the internet.
  • For new device provisioning with co-management.

Benefits to your business

CMG enables your Enterprise admins to perform several actions. Among the things they can do, they can manage the following over the internet:

  • Push software updates and enable endpoint protection,
  • Inventory and client status,
  • Compliance settings,
  • Software distribution,
  • Windows 10 in-place upgrades,
  • Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.

Eliminates complications

Although Internet-based client management (IBCM) has been around for years, a lot of users tend to find it complicated. CMG aims to be a simpler solution. It is an Azure-hosted service that manages internet-based clients through a new role called the cloud management gateway connector point.

By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.

Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.

Manage internet clients

Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.

However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.

Furthermore, it doesn’t require you to buy any additional IT infrastructure. So unlike IBCM that would need additional hardware that you need to maintain, for the CMG you just need to have Azure.

Strengthen your security

The moment you have systems that are not directly connected to your IT infrastructure, your data security is at an increased risk. This is particularly evident with remote work.

Although a lot of businesses have responded by using VPNs, you cannot adequately protect workstations through VPN channels. Hence the importance of the Cloud Management Gateway.

With it, you can better manage devices connected to the Internet and thus improve your corporate security posture. This is further enhanced by the fact that you can leverage Microsoft Azure services so that there is no need to expose your infrastructure to the internet.

Cost management

Whenever you use cloud services, you will incur costs associated with your usage. And the Cloud Management Gateway is no exception. Fortunately for clients, Microsoft intends to help you to keep those costs under control. You can do this through client settings, for instance, where you can determine which clients can access the CMG.

Another feature you can leverage is virtual machine configuration. This enables you to choose between 1 and 16 virtual machines per instance of Cloud Management Gateway. Also, if you want to, you can stop the CMG so that it’s no longer serving clients.

Therefore, to optimize user experience for all clients, the CMG helps to reduce the unavoidable costs that come with cloud services.

Constantly evolving

Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.

This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:

  • Traditional PC management (Windows 7, 8.1, 10),
  • Modern PC management (Windows 10 with modern identity),
  • Internet client installs.

Wrap up

Every organization should be looking for ways to make the most of its IT investments. Thus from the information available, we can see that every environment that uses ConfigMgr can benefit from using the Cloud Management Gateway. And you can leverage the CMG for clients all across the globe. The convenience that this provides you cannot be overstated. As the world changes and technology evolves, we need platforms that can help organizations to become more efficient and enhance productivity.

Benefits of Being Able to View Hardware Inventory in MEM

In July 2020, Microsoft announced the release of update 2007 for the Technical Preview Branch of Microsoft Endpoint Configuration Manager (MECM). And with that, came a feature that now allows you to view hardware inventory for a tenant-attached Configuration Manager device in the admin center. With most pieces of hardware in offices today being connected to the internet, being able to view hardware inventory is extremely important. Microsoft Endpoint Manager (MEM) now offers that capability and thus gives your business several advantages.

Getting set up

Before you can use this feature, there are several requirements that you will need to meet:

  • You need to have an environment that’s tenant attached with uploaded devices,
  • You need either Microsoft Edge (version 77 and later) or Google Chrome,
  • You need a user account that has been discovered with both Active Directory user discovery and Azure Active Directory (Azure AD) user discovery. Simply put, this means that the user account should be a synced user object in Azure.

In addition, the user account will require the following permissions:

  • Admin User role for the Configuration Manager Microservice application in Azure AD. This role will be added in Azure AD from:

Enterprise applications > Configuration Manager Microservice > Users and groups > Add user.

If you have Azure AD premium, groups will be supported.

Network security

The security of your network should be something of great concern. Especially in a world where cybercrime is increasing at an alarming rate. Having said that, we can begin to see why a hardware inventory in MEM feature could come in very handy.

Keeping track of all the hardware in your organization is no mean feat. Particularly for businesses that have also employed bring-your-own-device (BYOD) policies.

You need to have a system that can readily provide you with the necessary information on all devices. This helps your IT team to maintain high levels of network security, prevent breaches, and manage any potential issues that may arise.

Optimize productivity

By leveraging the hardware inventory feature in Microsoft Endpoint Manager, you can keep track of how devices are performing. The last thing your organization needs is to have computers worth tens of thousands of dollars operating at subpar levels.

With accurate information on hardware inventory, you can easily see how the devices in your organization are performing. You can then address any issues that may arise to ensure that productivity is optimized from top to bottom. If you are going to invest in expensive, high-tech devices, you need them to operate as they should.

Reduce overhead costs

Well-managed IT infrastructure can help your organization to reduce overhead costs. The ability to view hardware inventory in MEM is going to give IT a bird’s eye view of all your IT infrastructure. And this enables you to effectively manage all hardware from procurement till retirement.

Doing this will cut your costs by doing away with issues such as IT overspend and non-compliance. Working in this manner will fully optimize your productivity, as mentioned above, which all businesses will be happy with.

Lifecycle management

MEM’s view hardware inventory feature helps you to keep track of hardware from purchase, how it is used, and finally to its retirement. With this kind of actionable data readily available, it simplifies the decisions that you will need to make in the future such as new purchases, upgrades, and so on.

Moreover, you can easily keep track of contracts with vendors and thus know when to renew those contracts or make purchase orders. All these things add significant benefits to your business by increasing operational efficiency while minimizing risks.

Enhance IT efficiency

If there is anything that is abundantly clear from what your organization will gain from MEM’s view hardware feature it’s that it will simplify life for IT teams. Significantly. With the data available to them, it makes it far less likely for any issues to arise during audits. Also, it creates less workload by eliminating the need for manual tracking and scanning of devices. Your IT department will inevitably operate more efficiently by being able to easily keep tabs on all hardware.

Asset protection

Another key advantage that comes with being able to keep track of your organization’s hardware is increased asset protection. Keeping track of devices allows you to not only get performance-related data but location data as well.

And having this information will help to mitigate the risk of loss or theft of devices. Therefore, utilizing the view hardware inventory in MEM tool helps your organization to easily stay on top of the work status of an asset, its physical location, and disposition.

Better overall governance

Viewing hardware inventory is going to give you an increased degree of visibility. Because of the accurate data at your disposal concerning your IT infrastructure, you’ll have a better handle of key assets. Therefore, they are less likely to be misplaced, misused, or underutilized.

And so with all these advantages, it simplifies the process of coming up with more effective governance protocols. This is something that will hugely benefit the entire organization from top to bottom and not just your IT department.

Keeping track of assets

There’s no denying that keeping tabs on your hardware is just as important as the software management side of things. After all, technology is a huge investment for any business. And so how you keep track of your hardware will inevitably affect your bottom line.

Having real-time, accurate information about your assets goes a long way in the optimization of productivity. Not to mention enhancing the overall security of your business. Viewing hardware inventory in Microsoft Endpoint Manager is an incredible tool that should help your business become more efficient. The benefits are clear for us all to see.