How to deploy Microsoft Endpoint Manager step by step
Organizations looking to deploy Microsoft Endpoint Manager must make sure to set up this platform correctly, and they should follow these steps for setup in different scenarios.
Microsoft Endpoint Manager provides plenty of desktop management utilities as an on-premises platform with Configuration Manager, a cloud platform with Microsoft Intune and a bridge from on-premises to the cloud with co-management.
Co-management allows organizations to transition to cloud management at their own pace by combining Configuration Manager and Intune on the same Windows 10 management plane.
Desktop administrators should familiarize themselves with the Microsoft Endpoint Manager (MEM) setup process so they have a solid grasp of both the setup and the capabilities of the platform.
Setting up a Microsoft Endpoint Manager deployment
One of the main benefits of deploying Microsoft Endpoint Manager is that the admin center functions as the single location for many administrative tasks. IT has to set up an Intune tenant to get started with the Microsoft Endpoint Manager admin center. Even organizations that already use Configuration Manager should set up an Intune tenant to begin the co-management setup process.
The Intune tenant requires at least an Intune subscription for standalone usage. Some alternatives to this license are an Enterprise Mobility + Security (EMS) subscription or a Microsoft 365 subscription. For testing and evaluation purposes, it's also possible to start with a free trial.
The following steps walk through the basics for setting up a new Intune tenant. However, these steps are much more straightforward for organizations that already have a presence in Azure Active Directory (Azure AD).
- Open the Intune setup page and walk through the following four steps, if needed:
  - Let's set up your account. This step requires the IT administrator to specify an email address. The setup wizard will recognize if the organization is already using other Microsoft services -- Azure AD in particular -- and the IT administrator can choose to sign in and use that account. An existing account linked to Microsoft services saves the IT administrator from going through the next steps.
  - Tell us about yourself. This step requires the IT administrator to specify some personal information and information about the organization. Intune will use this info to create a new account.
  - Create your business identity. This step requires the IT admin to specify a domain name to represent the organization. Intune will add that domain name in front of .onmicrosoft.com, and the setup wizard will immediately verify the availability of the domain name. Keep in mind that organizations cannot duplicate an existing domain name. Also, IT admins can replace this placeholder name with a fully custom domain name at a later point in the setup process. This step also requires the IT administrator to create a username and password for accessing the tenant.
  - You're all set. This step doesn't require any additional actions from the IT administrator. Microsoft then creates the tenant, and the IT administrator can use the account they just created to sign in.
- Open the Microsoft Endpoint Manager admin console portal and sign in with the new username and password.
- Verify the MDM authority in the Microsoft Endpoint Manager admin console portal by navigating to Tenant administration. The MDM authority should be Microsoft Intune.
- Configure the mentioned custom domain name (optional). This will eventually enable users to enroll devices with an @organizationname.com address instead of an @organizationname.onmicrosoft.com address, which allows for a single user principal name across all Microsoft 365 services. IT can add a custom domain name via the Microsoft 365 admin center; the first step is to sign in using the previously created administrative username and password. IT should then navigate to Setup > Domains > Add domain. From there, add the custom domain name and verify the ownership of that domain name.
To start testing with the new Intune tenant, IT administrators have to create user accounts or synchronize user accounts and then provide those accounts with a valid license. Without a license, the users will not be able to enroll devices into Intune.
Integrating Microsoft Endpoint Manager with existing infrastructure
Organizations moving from a Configuration Manager environment to Microsoft Endpoint Manager admin center or transitioning management workloads to Intune have two main options. These are tenant attach and co-management.
Tenant attach
Tenant attach can connect a Configuration Manager environment to the cloud and the Intune tenant. This allows IT administrators to bring the devices from the on-premises environment to the Microsoft Endpoint Manager admin center without manually re-enrolling them. From there, IT administrators have a single place to perform the most important management tasks on all enrolled devices within the organization, on premises and in the cloud. To enable tenant attach, the IT administrator should walk through the following steps:
- Open the Microsoft Endpoint Configuration Manager admin console and navigate to Administration > Overview > Cloud services > Co-management.
- In the ribbon, on the Home tab, click Configure co-management to open the Co-management Configuration Wizard.
- On the Tenant onboarding page, configure the following:
  - Azure environment: Select AzurePublicCloud.
  - Click Sign-in to sign in with a global administrator account in the tenant and click Yes in the prompt to register an app in Azure AD to authorize the synchronization of data.
  - Select Upload to Microsoft Endpoint Manager admin center.
  - Click Next once the configurations are complete.
- On the Configure upload page, configure the devices that should upload to Microsoft Endpoint Manager admin center and, if needed, configure those devices for Endpoint Analytics.
- On the Summary page, verify the configured settings and click Next.
- On the Completion page, click Close.
Co-management
On the other hand, co-management focuses on fully transitioning device management functions from Configuration Manager to Intune. IT can perform this transition at whatever pace fits the organization, as this method allows admins to easily switch workloads between Configuration Manager and Intune. This way, IT has full control over those workloads, and devices can run the Configuration Manager client and the Intune enrollment side by side. To enable co-management, the IT administrator should walk through the following steps, which use the same wizard as tenant attach.
- Open the Microsoft Endpoint Configuration Manager admin console and navigate to Administration > Overview > Cloud services > Co-management.
- In the ribbon, on the Home tab, click Configure co-management to open the Co-management Configuration Wizard.
- On the Tenant onboarding page, configure the following:
  - Azure environment: Select AzurePublicCloud.
  - Click Sign-in to sign in with a global administrator account in the tenant and click Yes in the prompt to register an app in Azure AD to authorize the synchronization of data.
  - Select Enable automatic client enrollment for co-management.
  - Click Next.
- On the Enablement page, set the configuration for autoenrollment of Intune-managed devices by choosing between no devices, all devices, or a pilot group of devices. Then click Next.
- On the Workloads page, configure the workloads for the devices and the management platform that will be responsible for each workload.
- On the Staging page, configure the collection that MEM should use as the pilot collection for switching workloads between management platforms.
- On the Summary page, verify the configured settings and click Next.
- On the Completion page, click Close.
Once the IT administrator has configured tenant attach and co-management, the whole admin team can view and manage devices under Configuration Manager's control via the Microsoft Endpoint Manager admin center. It's important to remember that the user account used for performing device actions must be a synced user object with the required permissions in both Configuration Manager and Intune. Besides that, Configuration Manager-enrolled devices still require the infrastructure and the different channels of Configuration Manager for management tasks.
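After the wizards above have run, an administrator will want to confirm on a pilot device that it is Azure AD joined, MDM enrolled and co-managed. The following PowerShell script is an added example, not part of the original article; it parses the output of the built-in `dsregcmd /status` tool and assumes that the Configuration Manager client records its co-management state in the registry value `HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags`, where bit 0 (value 1) means co-management is enabled.

```powershell
# Added example (not from the original article): report a Windows 10 device's
# Azure AD join, MDM enrollment and co-management state after the wizards above.
# Assumption: the ConfigMgr client stores its co-management flags in the registry
# value HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags, where bit 0 (value 1)
# means co-management is enabled. Property names come from dsregcmd /status output.

function Get-DsregStatus {
    # Turn the "Name : Value" lines of dsregcmd /status into a hashtable.
    # The lazy [^:]*? keeps a URL value (which contains ':') intact.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') {
            $status[$matches[1]] = $matches[2].Trim()
        }
    }
    return $status
}

function Get-CoManagementState {
    $ds = Get-DsregStatus

    # Read the assumed co-management flag value; absent when the ConfigMgr
    # client is not installed or the device is not yet co-managed.
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' `
        -Name 'CoManagementFlags' -ErrorAction SilentlyContinue
    $flags = if ($reg) { [int]$reg.CoManagementFlags } else { 0 }

    # CcmExec is the service name of the Configuration Manager client (SMS Agent Host).
    $ccm = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AzureAdJoined       = ($ds['AzureAdJoined'] -eq 'YES')
        DomainJoined        = ($ds['DomainJoined'] -eq 'YES')
        MdmUrl              = $ds['MdmUrl']
        # dsregcmd only populates MdmUrl once the device is MDM enrolled.
        MdmEnrolled         = -not [string]::IsNullOrEmpty($ds['MdmUrl'])
        ConfigMgrClient     = ($null -ne $ccm)
        CoManagementFlags   = $flags
        CoManagementEnabled = (($flags -band 1) -eq 1)
    }
}

Get-CoManagementState | Format-List
```

A healthy co-managed device reports AzureAdJoined, MdmEnrolled, ConfigMgrClient and CoManagementEnabled all as True; a device that shows MdmEnrolled but not CoManagementEnabled has typically not yet received the co-management policy from Configuration Manager.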
A tour of Microsoft Endpoint Manager's functionalities
When an organization uses Microsoft Endpoint Manager -- on premises, in the cloud or both -- the IT administrators have many options available for device management. After IT configures co-management and tenant attach, many more features become available in the Microsoft Endpoint Manager admin center. This includes functionalities for enrolling, configuring and managing devices.
- Device enrollment. For device enrollment, IT administrators can rely on Windows Autopilot to ensure that the device joins with Azure AD, Intune, and, if necessary, Configuration Manager.
- Device configuration profiles. For configuring Intune-managed devices, IT administrators can rely on various configuration profiles. The profiles can cover many subjects such as Wi-Fi, VPNs, certificates, device restrictions and even custom profiles.
- Device compliance profiles. For verifying compliance of Intune-managed devices, IT administrators can use compliance policies to define a minimum baseline that devices should meet. The baseline can focus on subjects such as encryption, app versions and the patch-level of the OS. The devices' compliance status can determine access to company data and resources.
- Device information. For viewing device info, IT administrators have access to the information that Intune and Configuration Manager provide. A lot of useful information about the hardware and the software is available to guide IT's decisions.
- Endpoint security. IT can manage device security for Intune and Configuration Manager-managed devices via different security policies that focus on encryption, antivirus and firewall.
- Apps. IT administrators can take advantage of Intune's many supported app types. This includes the most common app types such as MSI, MSIX, Microsoft Store and Win32 apps.
- Reporting. IT administrators can view and verify information about the devices and the deployment status of apps, policies and profiles, and gain insight into devices through the multiple built-in reports in MEM.
- Endpoint analytics. To verify the performance of Intune-managed devices, IT administrators can rely on the information these analytics provide -- numerous insights that even include app crash information. Besides that, MEM can run proactive remediations to address potential issues.