A Guide to Microsoft Endpoint Manager

Microsoft defines the term “modern workplace” as being able to work securely from anywhere on any device, using tools that enhance the quality and effectiveness of your work. According to WFH Research as quoted in Forbes, 12.7% of full-time employees work from home, and 28.2% work a hybrid model. Remote work has increased over the past few years, but most workers still operate in office. This separation can create challenges for companies looking to manage users and PCs on-site and remotely.

Companies need a solution that allows them to deploy applications efficiently and effectively and securely manage company data. Microsoft Endpoint Manager supports remote, hybrid, and onsite workforces, allowing companies to fully manage PCs in any work environment.

Microsoft Endpoint Manager Device Management Products

Endpoint Manager encompasses Microsoft device management products, including Intune, Configuration Manager, Desktop Analytics, Autopilot, and Azure AD (soon-to-be Microsoft Entra ID).

Microsoft Azure AD/Entra ID

Azure AD is a cloud-based identity and access management service that helps employees access external resources, such as Microsoft 365, the Azure portal and more. Azure AD uses multifactor authentication (MFA) and conditional access to protect data.

• MFA adds an additional layer of protection by requiring a secondary verification process, such as a generated verification code provided by an authenticator app.
• Conditional access allows users to bypass MFA when the PC or application identifies a known safe location.

Connecting company PCs to Azure AD allows companies to manage the computers and sign-in methods depending on the Azure AD join type. This increases security for remote PCs that rarely have contact with the on-premises domain control.

Azure AD offers three join types:

• Azure AD Joined – for corporate-owned and managed devices, users must authenticate using a corporate ID in the Azure active directory.
• Hybrid Azure AD – for corporate-owned and managed devices that require authentication from a corporate ID that exists on a local active directory level on the domain controller.
• Azure AD Registered Devices – for personally owned devices that are corporately enabled. Users must authenticate the device using their local account, but authentication to corporate resources requires a user ID in Azure AD.

Intune

Intune is a device management solution that allows companies to control device configurations, such as new applications, Windows settings, Windows updates and remotely wiping a computer. The solution grants access to deploy new applications and device configurations.

It is commonly used when sending out new devices, setting the initial configuration of the devices, and deploying future applications and configurations, including removing them from any device. Intune with Azure AD allows companies and IT teams to control and manage remote computers.

Intune uses the Configuration Manager and Desktop Analytics tools to enhance its capabilities. Configuration Manager is an on-premises management tool that can be co-managed with the cloud and is part of the Microsoft Intune family of products.

Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows clients.

Autopilot

Autopilot streamlines the Windows out-of-the-box experience (the initial prompts when first booting up a computer fresh out of the box or freshly wiped).

The out-of-the-box experience includes accepting the terms of service, setting up a username and password and connecting to networks. Configuring Autopilot allows companies to predetermine these choices on behalf of the user.

Users accessing a fresh computer registered to Autopilot will never see those options appear. Instead, the first prompt they will receive is to connect to the internet and then to enter their login credentials provided by the company. Once the credentials are entered, the user will be automatically connected to the domain or Azure AD, depending on the environment. Then, the computer will connect to Intune and automatically configure the computer to align with the predetermined choices made by the company in Intune.

Autopilot allows remote users to access their computers with minimal stress and interaction. Additionally, IT staff can roll out large numbers of new computers at once without the hassle of configuring each one individually.

Microsoft Endpoint Manager Licensing

Sikich can help companies secure licensing and ensure the best financial decision for their organization.

Microsoft offers three licensing options for Endpoint Manager:

• M365 Business Premium – $22/user per month and requires an annual commitment
• M365 E3 – $36/user per month and requires an annual commitment
• M365 E5 – $57/user per month and requires an annual commitment

Each of these licensing options includes an Intune license, a must when deploying Endpoint Manager.

How to Use Microsoft Endpoint Manager Admin Center

Companies and IT staff must know how to navigate and use the Endpoint Manager Admin Center to use Microsoft Endpoint Manager.

Endpoint Manager Overview

Administrators must have access to the Admin Center, and appropriate licensing must be in place. Visit portal.office.com, sign in, and if you have the proper administration, you will see an Admin button on the left sign of the page.

Under the Admin Center tab, the Endpoint Manager option will appear. If this option doesn’t appear for you, you do not have the proper license.

The following are options for administrators:

Groups

• To understand how to manage Endpoint users and computers, administrators must understand groups work. Groups are used to manage users and computers through two main groups. These groups can be given any label; however, at Sikich, we label these groups as “Intune Managed Users” and “Intune Managed Windows 10.”
• Both groups must be dynamic groups to be able to configure dynamic syntax rules that automatically add Intune-licensed users and Intune-managed computers to the group.

Users Tab

• This tab allows settings to be applied to all users within the company.
• For remote users, administrators can configure the authentication methods users must use to reset passwords. Microsoft Endpoint allows users to reset their passwords with additional security measures, such as enabling notifications when a password is reset or attempted to be reset. This allows remote users to access their accounts without IT staff help if they get locked out.

Devices Tab

• Under the devices tab is an overview of all the devices in the tenant. Administrators can see enrollment alerts, compliance status and other desktop-related analytics from here.
• In addition, the devices tab is where configuration profiles are managed. Common configuration policies include:
  • BitLocker – a Windows disk encryption feature designed to protect data by encrypting entire volumes. BitLocker will enforce encryption on OS and Data drives and back up the recovery key to Azure AD.
  • OneDrive – configure users to be silently signed into OneDrive using their Windows credentials. Admins can require users to confirm large delete operations.
  • Power Settings – set up when the computer goes to sleep, depending on whether it’s plugged in. Configure settings to require a password whenever the display comes back on or after the computer wakes up.
  • PowerShell – enable script blog logging.
  • Self-service Password Reset – enable password reset at the sign-in screen. This setting will open a secure browser at the lock screen to take the user to the M365 password reset webpage, allowing users to reset their passwords.

Update Policies

• Microsoft Endpoint allows administrators to dictate the update policies for user computers. Update options include delaying, pausing and forcing updates if users fall behind or the device becomes non-compliant.

Custom Scripts

• This feature allows IT administrators to upload custom scripts.

Compliance Policies

• Endpoint allows for certain policies to be enabled. In addition, if specific compliance policies aren’t met, administrators can set up actions to occur, such as emailing the user and IT staff to act accordingly.

Conditional Access

• Conditional access allows administrators to determine who, when and where users can access M365 resources. A common conditional access feature is an MFA bypass. This allows for configuring safe, known locations to bypass MFA, such as company offices.

App Deployment

• Endpoint Manager supports automatically deploying applications to managed computers. Applications such as Microsoft 365, Google Chrome, remote monitoring agents and others can be managed by administrators.
• Deploying applications is most commonly accomplished through the use of Win32 Apps. The process includes running a PowerShell script to create an intunewin file, then uploading that to Endpoint Manager and configuring the installation settings. For more information on that process, see https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management.

How Sikich Can Support Endpoint Manager Adoption

With remote and hybrid work on the rise, companies must provide streamlined and secure ways to manage their employees’ computers.

Sikich can help you navigate deployment, policies, and application setup. Contact our experts today to help your company securely manage your user PCs.