Microsoft Endpoint Manager is Microsoft's unified endpoint management platform with numerous uses for device management and data security tasks in the cloud and on premises.
MEM contains all the different services and tools that IT can use to manage and monitor endpoint devices such as smartphones, tablets, desktops, laptops, virtual machines and even servers. These different management services and tools combine the strength of existing products, including Microsoft Intune, Configuration Manager, Desktop Analytics, Windows Autopilot, and the other services that were available via the Device Management Admin Console.
The offering is an extremely broad mix of mostly existing Microsoft tools and services, but the rebranding and renaming of these components can confuse Microsoft customers.
What does Microsoft Endpoint Manager include?
Microsoft Endpoint Manager is a rebrand of Microsoft services, which brings these existing products together in a single platform and a single management interface. This admin interface is available via the Microsoft Endpoint Manager admin center, which Microsoft previously provided via the Device Management Admin Console.
In addition to simplifying the admin experience, MEM makes the licensing process easier for customers. For example, a license for Configuration Manager also includes a license for Intune for MEM customers. This simplifies the path for organizations with all types of environments -- on premises, in the cloud or a hybrid model.
Here is a closer look at the products and tools that are part of Microsoft Endpoint Manager.
Microsoft Intune still exists -- both in name and product -- and is now part of MEM. Even as part of Microsoft Endpoint Manager, IT administrators can still use Intune as a separate management platform for mobile device management (MDM) and unified endpoint management (UEM).
IT administrators can manage configurations and verify compliance on Android, iOS, iPadOS, macOS and Windows 10 devices. IT can also configure apps and protect data in apps on Android, iOS, iPadOS and Windows 10 devices based on Windows Information Protection (WIP). Besides these built-in functionalities, Intune also provides many integrations with third-party products and, of course, other Microsoft products. The integrations can go a long way for organizations trying to meet industry compliance standards.
Previously known as System Center Configuration Manager, Configuration Manager is now part of Microsoft Endpoint Manager, and Microsoft rebranded it to Microsoft Endpoint Configuration Manager. Even as part of Endpoint Manager, IT administrators can use Configuration Manager separately from MEM.
Configuration Manager is Microsoft's on-premises device management platform. IT administrators can use it to manage laptops, desktops and servers for organizations. IT can manage those devices on the intranet and the internet. It enables IT administrators to deploy apps, software updates and OSes. IT can also monitor compliance and query devices, among other tasks. To initiate a cloud migration, IT can attach Configuration Manager to the cloud provider, add more functionalities and move to the single administrative interface in the Microsoft Endpoint Manager admin center.
Microsoft's Desktop Analytics is a cloud-based platform that integrates directly with Configuration Manager to provide information about the update readiness of Windows 10 devices. IT can use this information to identify compatibility issues with apps and drivers and provide insights about security updates, apps and devices within the organization.
With the co-management service from Microsoft, IT admins have a bridge from an on-premises environment to a cloud environment. It enables IT administrators to combine Configuration Manager with Intune for Windows 10 endpoint management. With the simplified licensing that comes with Microsoft Endpoint Manager, this doesn't require any additional licenses.
Co-management means that IT manages devices with both Configuration Manager and Intune. That combination gives organizations a path to the cloud by switching workloads from Configuration Manager to Intune. Those workloads are simply groups of configuration options that IT switches from one device management product to another.
Windows Autopilot is a cloud-based platform that IT admins can use to configure Windows 10 devices for an out-of-the-box experience for end users. This way, organizations can quickly get devices up and running without manually imaging them.
During that experience, Windows Autopilot takes care of installing apps and applying configurations. Those configurations include options to join the devices to Azure Active Directory (Azure AD) and automatically enroll the devices to Intune or Configuration Manager. One of the most important configurations that IT will need to set via Windows Autopilot is the end-user device's account type -- standard or administrator.
What happened to Microsoft Intune?
The arrival of Endpoint Manager doesn't affect the position or usage of Intune. Intune is now part of the Endpoint Manager platform, but the standalone product has the same focus. Almost nothing changes for organizations that have deployed Intune before the arrival of Microsoft Endpoint Manager.
The main difference for the Intune administrators is the administrator experience. The IT administrator will now use the Microsoft Endpoint Manager admin center instead of the Device Management Admin Console, the Azure portal or, from even further back, the Silverlight portal. All the different configuration options are still available.
Bottom line: IT can use Intune as a standalone device management and app management platform without using the other products that are part of the MEM offering.
How can IT perform Intune management tasks?
The best thing about MEM for IT administrators is that it brings all of Microsoft's endpoint management tools and services into a single admin console with the Microsoft Endpoint Manager admin center. This offers a unified experience, especially once all the different management features become available via that same single admin console.
When IT administrators use Intune in combination with Configuration Manager, they can also access the information from the Configuration Manager managed devices via that same console. This way, IT can retrieve inventory information and configuration options from those devices through the admin interface.
At this moment, most Configuration Manager-related configuration options only require the Configuration Manager admin console. However, when looking at Intune specifically, all of its management tasks are available via the Microsoft Endpoint Manager admin center. It may be difficult for IT to find evidence of Intune within this console, but Intune is still the designated MDM and mobile application management (MAM) provider. The best place to verify that information is in the Tenant admin node under the Tenant status option. This will display information referring to Intune with the MDM authority and the Total Intune licenses (figure 1).
The main features of Intune focus on device management, app management and reporting, and each of them is critical for IT administrators to know.
IT can manage devices using the Devices node in the Microsoft Endpoint Manager admin center. That node includes configuring devices with restriction profiles, certificate profiles, VPN profiles, Wi-Fi profiles and much more. IT can also use this node for device compliance policies, which check the device against the organization's compliance baseline before granting access to company resources and data. The Endpoint Security node also contains nearly all security-related device configuration options. This currently overlaps with many settings that are also available in the device restriction profiles.
IT can perform app management using the Apps node in the Microsoft Endpoint Manager admin center. From this node, IT can deploy, configure and protect apps. More specifically, IT can deploy company-specific apps to managed devices and control apps on company and personal devices. That includes both managed and unmanaged devices. In the latter case, only the app is managed, based on the identity of the user. That identity must exist in Azure AD.
MEM's reporting information is available via the Reports node in the admin center. IT can use this node to retrieve information about device compliance, updates, endpoint security and endpoint analytics. The latter is a very helpful Intune feature that provides insights into the device's performance and the app's performance on those devices. Besides that, the different nodes for Devices and Apps also contain the subnode Monitor for configuration and compliance information of the different policies and the status information for the app deployments.