Many organizations’ IT environments today are mixed. They use a cloud-attached approach, meaning a combination of cloud and on-premises technologies, as they move toward full cloud enablement. Endpoint Manager can support a hybrid or fully remote workforce, and it can just as well manage PCs for hybrid and onsite workers.
It’s common for organizations to transition from on-premises only to cloud attached and finally to their end goal of being fully cloud based. In today’s post-pandemic workforce, many companies face the challenge of managing remote computers and users. They need to be able to enforce security policies, deploy applications, and manage company data. This is where Microsoft Endpoint Manager comes in.
In 2019, Microsoft brought two existing products, Intune and Configuration Manager, together under the Endpoint Manager brand, which now encompasses its device management products. Intune is the cloud-based device manager. Configuration Manager is the on-premises management tool, and it can be co-managed with Intune. Desktop Analytics is a feature that gives insight into the state of your devices and applications. Autopilot is a feature that preconfigures new devices. And lastly, Azure Active Directory (Azure AD) is the identity provider for devices, allowing users to authenticate to them.
Azure AD and Intune
I’d like to start by discussing Azure AD and Intune. Azure AD, or AAD, is a cloud-based identity and access management service. It lets your employees access resources such as Microsoft 365, the Azure portal, and thousands of other applications.
Azure AD is what lets us enforce multifactor authentication (MFA) via Conditional Access policy. This protects user accounts with MFA while allowing MFA to be skipped from trusted locations. Joining PCs to Azure AD is what provides company management of the computers, to a degree that depends on the join type. It also lets users sign in to their PCs with their M365 credentials, so one identity covers the device and the cloud.
This is one of the biggest benefits for companies that had been forced to use workgroup PCs for remote computers that rarely have contact with an on-premises domain controller. Azure AD joined PCs provide a way to enforce secure sign-in methods: a standard password or Windows Hello for Business, which supports a PIN and biometrics such as fingerprint or facial recognition.
Azure AD Join Types
There are three join types for Azure AD. “Azure AD joined” is for corporate-owned and managed devices. Users authenticate with a corporate identity that exists in Azure AD, typically their M365 email address and password; authentication happens only against Azure AD.
Next are hybrid Azure AD joined devices. These are also corporate owned and managed, but they authenticate with a corporate identity that lives in on-premises Active Directory on your domain controller. Ideally you are syncing those user objects to Azure AD with Azure AD Connect. Authentication can happen against the domain controller or against Azure AD.
And lastly, “Azure AD registered” devices. These are personally owned computers or devices that are enabled for corporate use. Users sign in to the device with their own local account, possibly a personal Microsoft account, but they authenticate to corporate resources such as applications with their Azure AD user ID.
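The quickest way to tell which of the three join types a given PC actually has is `dsregcmd /status`. The function below is an added example (not code from the original post) that reads that output and maps the AzureAdJoined, DomainJoined and WorkplaceJoined flags to the join types described above; the sample output embedded in it is constructed so the function can be tried offline.

```powershell
# Added example (not from the original post): classify a PC's Azure AD join type
# from the output of "dsregcmd /status". The sample text below is constructed to
# stand in for real output so the function can be exercised without a domain.
function Get-AzureAdJoinType {
    param(
        # Lines of dsregcmd /status output; defaults to running the tool locally.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    # dsregcmd prints "Name : Value" rows; keep only the three flags that matter here.
    $flags = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)') {
            $flags[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    # Order matters: hybrid is "both", so test it before plain Azure AD joined.
    if ($flags['AzureAdJoined'] -and $flags['DomainJoined']) { return 'Hybrid Azure AD joined' }
    if ($flags['AzureAdJoined'])                              { return 'Azure AD joined' }
    if ($flags['WorkplaceJoined'])                            { return 'Azure AD registered' }
    if ($flags['DomainJoined'])                               { return 'Domain joined only (no Azure AD relationship)' }
    return 'Workgroup / not joined'
}

# Constructed sample, abbreviated to the rows the parser reads.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-AzureAdJoinType -StatusText $sample   # classify the constructed sample
Get-AzureAdJoinType                       # classify the machine you run it on
```

Run it on a PC that users describe as "joined" and you often find it is only Azure AD registered, which means Intune policies targeted at corporate devices will not apply to it.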
Intune is the device management solution in Endpoint Manager. One of its primary features is device configuration profiles. These are much like a modern version of Group Policy, letting you push applications and Windows settings to new and existing computers. Intune also manages Windows updates on enrolled PCs: you set the update schedule and what Windows does when updates are released, installing them or deferring them for a specified number of days.
You can also set what happens when a PC falls behind on updates, from forcing the update to install at the next reboot to the less intrusive route of notifying your IT staff so they can follow up. Intune can also remotely wipe a PC, which is useful not just when a PC is reported lost or stolen but also for troubleshooting. Intune is the service that actually applies the configuration in Windows, but at its core it is a device management solution that automates application deployment and device configuration.
Examples are enforcing encryption with BitLocker, configuring the Windows Firewall, and enforcing power settings. Many of the configurations you can apply with on-premises Group Policy can be replicated in Intune.
Beyond the initial configuration of devices, Intune gives you the bonus of being able to deploy further applications and configurations to, or remove them from, any device that is actively in use. IT admins can manage their remote computers with Intune and Azure AD alone.
What is Autopilot? Entire books have been written on Autopilot; I’m only going to touch on it briefly. Autopilot streamlines the Windows out-of-box experience (OOBE), the initial prompts you complete when you first boot a new computer or a freshly wiped one.
OOBE includes things like accepting the terms of service, setting up a username and password, and connecting to networks. Configuring Autopilot lets you predetermine all of these choices on behalf of the user. For a PC registered in Autopilot, the end user never sees those options.
The first prompt they reach is to connect to the internet. After that they are presented with the company name and a prompt to enter their credentials. If a remote user is setting up a computer themselves, this makes the process far less intimidating, and if your IT staff is deploying many PCs at once it is a big time-saver.
Once credentials are entered, the PC automatically joins the domain or Azure AD, depending on your environment, and automatically enrolls in Intune. It then starts configuring the computer: whatever policies and applications you have targeted to it in Intune are applied without further input.
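The step Autopilot depends on, and the one the post does not spell out, is registering the device's hardware hash with the tenant before the user ever sees OOBE. The commands below are an added example (not from the original post) using Get-WindowsAutopilotInfo, Microsoft's script from the PowerShell Gallery; the output path, the group tag and the choice between CSV import and direct upload are assumptions for illustration.

```powershell
# Added example (not from the original post): capture a device's hardware hash and
# register it for Autopilot. Get-WindowsAutopilotInfo is Microsoft's published script;
# the folder, file name and group tag below are placeholders.

# Run from an elevated prompt on the device, or press Shift+F10 at the first OOBE
# screen of a new PC to get a command prompt and start powershell.exe from there.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Option 1: collect the hash to a CSV and import it later in the admin center under
# Windows enrollment. -Append lets you walk a stack of machines into one file.
New-Item -ItemType Directory -Path C:\HWID -Force | Out-Null
Get-WindowsAutopilotInfo -OutputFile C:\HWID\AutopilotHWID.csv -Append

# Option 2: upload straight to the tenant. -Online prompts for a sign-in with an
# account allowed to manage Autopilot devices; -GroupTag is optional metadata that a
# dynamic device group or deployment profile assignment can key off.
Get-WindowsAutopilotInfo -Online -GroupTag "RemoteWorker"
```

Option 1 is the safer pattern when a reseller or technician images devices, since it does not require handing them tenant credentials; a single CSV is imported by an admin afterwards.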
Below are two examples where we’ve used a mix of Endpoint Manager features to provide a solution for our clients’ needs.
Azure AD and Intune Solution
For client A we used an Azure AD and Intune solution. The client had servers hosted in the cloud: a domain controller for authentication and a remote desktop server used mainly for QuickBooks. They had a main office along with dozens of remote users across the country. The remote users had no connection to the main office or the domain controller; their PCs were just workgroup PCs.
They were paying to support a complex environment that no longer suited their needs. First we migrated them to QuickBooks Online, which removed the need for the remote desktop server. Then we configured Intune policies that mimicked their existing environment and migrated all their users and computers to Azure AD joined PCs.
Finally, we were able to decommission their cloud-hosted servers. The remote PCs, originally workgroup PCs, are now managed through Azure AD and Intune, which provides better security and identity management. The project also saved thousands of dollars, because they are no longer paying to support those cloud servers.
Autopilot and Azure AD Solution
For client B we used an Autopilot and Azure AD solution. We took on a new client that had no existing server infrastructure; all of their applications were already web or cloud based. They had no PC management at all, so we set them up with our standard Intune policies to enforce security standards and identity protection.
We configured all of the apps they use to be deployed through Intune and Autopilot. Now, whenever they hire a new user, we register the device in Autopilot and ship it directly to the user. They sign in, and within an hour they have all the applications they need and can start working.
We have also used Microsoft Endpoint Manager where clients have existing on-premises server infrastructure that needs to remain intact. We’ve deployed hybrid Azure AD join through Autopilot to PCs that remain domain joined but still receive their applications and policies from Intune.
The main goal here is to prepare them for the future when they are ready to move to the cloud.
Endpoint Manager Licensing
What licenses are needed? Licensing needs vary from company to company, depending on multiple factors. The following are the three most common licenses we use when deploying an Endpoint Manager solution. The key point is that each of them includes an Intune license, which Endpoint Manager requires:
- M365 Business Premium – $22 per user per month | Requires an annual commitment.
- M365 E3 – $36 per user per month | Requires an annual commitment.
- M365 E5 – $57 per user per month | Requires an annual commitment.
If you plan to deploy Endpoint Manager across your organization, I advise that you consult with a reseller to ensure that you’re making the best financial choice for licensing.
Endpoint Manager Admin Center
And now we’ll get into an overview of the Endpoint Manager admin center.
First, go to portal.office.com and sign in. If you’re a Global Administrator or have the proper permissions, the left-hand navigation has an Admin button that takes you to the Microsoft 365 admin center, and under Admin centers there, Endpoint Manager is an option (you can also go directly to https://endpoint.microsoft.com). One thing to note: if you don’t see Endpoint Manager under your admin centers, it’s because there is no Intune license in your tenant.
The first thing to understand about Endpoint Manager is how we manage users and computers with groups. There are two main groups. You can name them whatever you want, but in our standard deployment they are “Intune Managed Users” and “Intune Managed Windows 10.” We configure both as dynamic groups, with membership rules that automatically add Intune-licensed users and Intune-managed computers. This lets us target policies at each group with less overhead.
The Users tab of Endpoint Manager is where you manage all the users in the organization. One feature surfaced here is Azure AD self-service password reset (SSPR). You can scope it to a security group, choose the authentication methods users must pass to reset their password, and enable notifications for users and admins when passwords are reset. This is useful for remote users: if they get locked out of their PC, they can reset the password themselves.
Under the Devices tab is an overview of all the devices in the tenant: enrollment alerts, compliance status, and many other reports, including the Desktop Analytics ones.
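The two dynamic groups can be created from the portal, but doing it in Microsoft Graph PowerShell makes the membership rules visible and repeatable across tenants. The block below is an added example (not from the original post): the group names are the post's, while the rule text and the Intune service plan GUID are assumptions you should verify against your own tenant. Dynamic groups require Azure AD Premium P1, which the licenses listed later in the post include.

```powershell
# Added example (not from the original post): create the two dynamic groups the post
# describes with Microsoft Graph PowerShell (Install-Module Microsoft.Graph.Groups).
# The service plan GUID and the rule text are assumptions; confirm the GUID with
#   Get-MgSubscribedSku | Select-Object -ExpandProperty ServicePlans
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Users: anyone holding a license that carries the Intune (INTUNE_A) service plan,
# and only while that plan is enabled on the user, so disabled plans drop out.
$intunePlanId = "c1ec4a95-1f05-45b3-a911-aa3fa01094f5"   # assumed GUID for INTUNE_A
$userRule = '(user.assignedPlans -any (assignedPlan.servicePlanId -eq "{0}" -and assignedPlan.capabilityStatus -eq "Enabled"))' -f $intunePlanId

# Devices: Windows devices whose management type is MDM, i.e. enrolled in Intune.
$deviceRule = '(device.deviceOSType -eq "Windows") and (device.managementType -eq "MDM")'

function New-DynamicSecurityGroup {
    param([string]$Name, [string]$Rule)
    New-MgGroup -DisplayName $Name `
                -MailEnabled:$false -MailNickname ($Name -replace '\s', '') `
                -SecurityEnabled:$true `
                -GroupTypes @("DynamicMembership") `
                -MembershipRule $Rule `
                -MembershipRuleProcessingState "On"
}

$usersGroup   = New-DynamicSecurityGroup -Name "Intune Managed Users"      -Rule $userRule
$devicesGroup = New-DynamicSecurityGroup -Name "Intune Managed Windows 10" -Rule $deviceRule

# Membership is evaluated asynchronously; come back later and check the rule state
# and member count rather than assuming the groups populated immediately.
Get-MgGroup -GroupId $usersGroup.Id -Property "displayName,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRuleProcessingState
Get-MgGroupMember -GroupId $devicesGroup.Id -All | Measure-Object | Select-Object -ExpandProperty Count
```

Because these groups are the assignment target for every policy that follows, anyone who can edit their membership rules effectively controls which devices receive security configuration; restrict group-rule editing the same way you restrict Intune policy editing.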
The Devices tab is also where we manage configuration profiles. It’s easiest to think of configuration profiles as Group Policy. Some common policies we implement are:
- BitLocker – Enforce encryption on OS and data drives and back the recovery key up to Azure AD.
- OneDrive – Silently sign users into OneDrive with their Windows credentials, require users to confirm large delete operations, redirect the Windows known folders to OneDrive, disable the tutorial, and enable OneDrive Files On-Demand.
- Power settings – Control when the computer sleeps and when the display turns off, separately for plugged in and on battery, and require a password when the computer wakes.
- PowerShell script block logging – Enabled, so the content of executed script blocks is written to the PowerShell Operational event log (event ID 4104) where it is available for investigations.
- Self-service password reset at the sign-in screen – Adds a reset-password link on the lock screen. It opens a locked-down browser from the lock screen that takes the user straight to the M365 password reset site to complete SSPR.
Configuration profiles support a lot of different options. The purpose of this blog is to focus on Windows 10 computers, but Endpoint Manager does support other platforms such as Android, iOS, and Mac.
Configuring Update Policies
Endpoint Manager supports configuring update policies (update rings). These give you options like: How long do we defer a feature update? How long do we defer a quality update? Do we allow Microsoft product updates? What are the active hours? Can users pause updates? Can they check for updates themselves? We can then configure actions if a PC falls behind, such as forcing the update or marking the device non-compliant.
Upload Custom Scripts
Another feature of Endpoint Manager is that it supports uploading custom PowerShell scripts, which is useful to IT admins for a variety of reasons; sometimes a script is simply the best deployment option, and Endpoint Manager gives you a way to run it. Keep in mind that these scripts run in the SYSTEM context by default (there is an option to run them as the logged-on user instead), so whoever can edit the script library can run code as SYSTEM on every targeted PC; treat that permission accordingly.
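A good first use of the custom-script feature is to verify that the configuration profiles listed above actually took effect, since a profile can show "Succeeded" in the portal while the local state is wrong. The script below is an added example (not from the original post) of the kind you would upload to Intune: it checks the BitLocker and script block logging items from the profile list, escrows any recovery password that is not yet in Azure AD, and fails the run if anything is off. The cmdlets are standard Windows ones; the check thresholds are assumptions.

```powershell
# Added example (not from the original post): an Intune custom script that verifies
# the BitLocker and script block logging profiles landed on this PC. It runs as
# SYSTEM under Intune; a non-zero exit code marks the run as failed in the script report.
$problems = @()

# 1. BitLocker on the OS drive, with a recovery-password protector escrowed to Azure AD.
$osDrive = $env:SystemDrive
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -ne 'On') {
    $problems += "BitLocker protection is $($vol.ProtectionStatus) on $osDrive"
} else {
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $problems += "No recovery password protector on $osDrive"
    } else {
        # Escrow each recovery password to Azure AD. Re-running on an already escrowed
        # protector is harmless, so the script is safe to assign on a schedule.
        foreach ($p in $rp) {
            try   { BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null }
            catch { $problems += "Escrow of $($p.KeyProtectorId) failed: $($_.Exception.Message)" }
        }
    }
}

# 2. PowerShell script block logging. The MDM policy writes the same registry value a
# GPO would, so checking the policy key covers both management paths.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
    $problems += 'Script block logging is not enabled'
}
# Prove the log is actually receiving 4104 events (this script itself generates one).
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-1)
} -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $recent) { $problems += 'No 4104 events in the last hour' }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
Write-Output "OK: BitLocker escrowed to Azure AD and script block logging active on $env:COMPUTERNAME"
exit 0
```

The escrow step is the one that matters most for lost or stolen PCs: a recovery key that only exists on the device is useless to the help desk, and BackupToAAD-BitLockerKeyProtector is exactly what the BitLocker profile's "back up to Azure AD" option runs behind the scenes.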
Compliance policies are another option in Endpoint Manager, with a variety of settings to check. One common practice is to require BitLocker to be enabled on company computers. The useful thing about compliance policies is that you can configure actions for non-compliant computers; typically that means emailing the user and the IT admins so they can act, and the compliance state can also feed Conditional Access so that non-compliant devices are blocked from M365 resources.
Conditional Access is another option within Endpoint Manager. You configure Conditional Access to control who can access M365 resources, from where, and under what conditions. One policy we use often is an MFA bypass for the office: we define trusted named locations from the public IP of each office. Users in the office are not prompted for MFA when accessing M365 resources, while users outside the office are. Keep the trusted ranges as narrow as the office’s actual egress addresses, because anyone on that network, including an attacker who has compromised a machine there, inherits the bypass.
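The same office-bypass pattern, built with Microsoft Graph PowerShell rather than the portal, is shown below as an added example (not from the original post). The office IP, policy names and the emergency-access account ID are placeholders to replace; the policy is created in report-only mode first so you can see who would be prompted before enforcing it.

```powershell
# Added example (not from the original post): "MFA everywhere except trusted office
# locations" with Microsoft Graph PowerShell (Install-Module Microsoft.Graph.Identity.SignIns).
# The IP, names and break-glass object ID are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Trusted named location for the office's public egress address.
#    Keep this to the exact addresses the office actually uses: every host behind
#    that NAT, guest Wi-Fi included, inherits the MFA skip.
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Main office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" }  # placeholder (RFC 5737 range)
    )
}

# 2. Require MFA for all users and all cloud apps, except from trusted locations.
#    Exclude an emergency-access account so a bad policy cannot lock every admin out,
#    and start in report-only mode; flip state to "enabled" once the sign-in logs look right.
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID of the break-glass account
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA outside trusted office locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

"Named location '{0}' ({1}); policy '{2}' created in state {3}" -f `
    $officeLocation.DisplayName, $officeLocation.Id, $policy.DisplayName, $policy.State
```

Because the exclusion is "AllTrusted" rather than one specific location, any named location someone later marks as trusted silently widens the bypass; review trusted locations whenever an office moves or changes ISP.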
App Deployment in Endpoint Manager
Endpoint Manager supports deploying applications automatically to managed computers. Typically we configure applications like Microsoft 365, Google Chrome, remote monitoring agents, and many more. The most common way to deploy an app in Endpoint Manager is as a Win32 app. The process is to run Microsoft’s Win32 Content Prep Tool (IntuneWinAppUtil.exe) to create an .intunewin file, upload it to Endpoint Manager, and configure the install, uninstall, and detection settings. For more information on that process see https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management.
Endpoint Manager supports configuring dependencies for apps, so if you have the need for apps to install in a specific order, Endpoint Manager can do that.
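The two pieces of a Win32 app deployment that admins most often get wrong are the packaging command and the detection rule, so both are shown below as an added example (not from the original post). The application name, installer, paths and version threshold are placeholders; the tool flags and Intune's detection-script convention are the real ones.

```powershell
# Added example (not from the original post): package a Win32 app and write the custom
# detection script Intune runs before and after install. "Example App" and all paths are
# placeholders.

# --- 1. Package (run on an admin workstation with the Win32 Content Prep Tool).
#     -c source folder, -s setup file inside it, -o output folder, -q quiet (no prompts).
& "C:\Tools\IntuneWinAppUtil.exe" -c "C:\Packages\ExampleApp" -s "ExampleApp-2.5.1.msi" -o "C:\Packages\Out" -q

# Upload C:\Packages\Out\ExampleApp-2.5.1.intunewin as a Windows app (Win32). For an MSI:
#   Install command:   msiexec /i "ExampleApp-2.5.1.msi" /qn /norestart
#   Uninstall command: msiexec /x "{PRODUCT-CODE}" /qn /norestart
# and save section 2 below as the custom detection script.

# --- 2. Detection script. Intune's rule: exit code 0 AND something written to stdout
#     means detected; anything else means not detected, so a silent exit 0 counts as
#     "missing" and would trigger a reinstall loop.
$required = [version]"2.5.1"
# Read both registry views so the result is the same whether Intune runs the script
# as a 32-bit or 64-bit process.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$app = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Example App' -and $_.DisplayVersion } |
    Sort-Object { [version]$_.DisplayVersion } -Descending |
    Select-Object -First 1

if ($app -and [version]$app.DisplayVersion -ge $required) {
    Write-Output "Detected Example App $($app.DisplayVersion)"
    exit 0
}
exit 1   # not detected: Intune will install (or reinstall) the app
```

Detecting on a minimum version rather than on "any version present" is what lets the same app object drive an upgrade: raise `$required` and re-package, and every device below that version becomes "not detected" and gets the new build.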
Endpoint Manager can support environments that are hybrid or fully remote. With Azure AD and Intune we can deploy security policies, identity management, and applications to workstations, and support a wide range of environments and needs with the features of Endpoint Manager.
So how can Sikich help you? If you’re interested in Endpoint Manager, we can help you deploy all these policies and applications. We’ve helped many clients in many different situations either migrating them from on-premises to cloud only and everything in between. Please contact us to help your organization securely manage your users’ PCs.