This is the first of a three-part step-by-step series on Microsoft Endpoint Manager. We’ll show how to set it up and optimize its settings to get you up and running fast. Bookmark the page to catch parts two and three! Let’s dive in.
Microsoft Endpoint Manager (MEM) is a one-piece solution for managing computers, servers, virtual machines, virtual desktops, and mobile devices.
Microsoft Endpoint Manager includes:
Azure Intune – a 100%-cloud MDM/MAM solution for iOS, Android, macOS and Windows management. I will cover Intune features in detail below.
Azure Active Directory – Microsoft’s identity and access management service, which helps users sign in and access their corporate data, on-premises and cloud services, and apps.
Microsoft Endpoint Configuration Manager – (MECM, also known as Configuration Manager or ConfigMgr, formerly SCCM) an on-premises service to manage desktops and servers (application deployment, OS deployment, OS update management and many other important features) that can be integrated with cloud services like Azure AD and Microsoft Defender ATP. A co-management scenario can also bring “cloud benefits” to on-premises infrastructure, like Azure AD Conditional Access for compliant devices (Intune compliance policies).
Windows Autopilot – helps with computer provisioning and preparation for use. During the provisioning process, the pre-installed Microsoft Windows 10 joins Azure AD and the computer downloads all required settings (policies, apps, scripts, etc.) from Intune.
Desktop Analytics – a cloud solution integrated with MECM which provides information about deployed security updates, helps with app compatibility issues, and Windows 10 implementation planning.
Let’s get started with the first in a series of blogs on how to manage Windows 10 with Azure Intune.
First, let me explain Microsoft Intune features which we can configure:
- Device restrictions
- Device compliance policies
- Administrative templates (similar to GPO in Active Directory)
- Endpoint protection – firewall, Defender and Bitlocker
- Security and feature updates
- Managing apps
- Basic software and hardware inventory
- Remote management – wipe, lock, restart, etc.
- Security baseline
- Windows Hello for Business
- PowerShell scripts
- App protection policies
- VPN, Wi-Fi, certificates, and email profiles
High-level architecture for Microsoft Intune
As you can see, Azure Intune and cloud apps use Azure AD as the identity and authorization service, so we need to have the Azure AD tenant first. For both labs and demo environments I prefer to use the Microsoft 365 Developer Program, which gives you a fully functional trial Azure AD and Intune tenant:
Click on Join now and then on Set up E5 subscription. You need to provide a user name, your Azure AD domain name, password and region:
Your first domain will be named yourtenant.onmicrosoft.com and you cannot change it later, but you can add your own domain like company.com later if needed.
Then add your phone number for security:
After registration is completed you get a fully functioning trial tenant with almost 60(!) different licenses available for 25 users:
The most important licenses for us are:
- Azure Active Directory Premium P2
- Azure Information Protection Premium P2
- Exchange Online (Plan 2)
- Microsoft 365 Apps for enterprise
- Microsoft 365 Defender
- Microsoft Azure Multi-Factor Authentication
- Microsoft Cloud App Security
- Microsoft Intune
This means we can join our Windows 10 machines to Azure AD, enroll them to Intune, protect them with Defender, deploy Microsoft 365 apps, and many other options.
Let’s do a basic configuration of our Azure AD and Intune. Go to Azure portal and click on Azure Active Directory:
Then choose Mobility (MDM and MAM):
We need to make Intune our MDM solution for this Azure AD tenant. Click on Microsoft Intune and configure:
- MDM user scope – All
- MAM user scope – All
And Save it.
Then repeat it for Microsoft Intune Enrollment:
This means all devices joined to Azure AD will be automatically enrolled into Intune.
All users you create in your Azure AD will have accounts like email@example.com. If you want to change domains from onmicrosoft.com to your own, you can add it in the Microsoft 365 admin center – Settings – Domains – Add domain:
Provide your domain name, click Use this domain, and then choose an option for how you want to verify your domain. I chose Add a TXT record to the domain’s DNS records:
Then I need to create a TXT record using the administrative console which my hosting company provides:
After that, we need to come back to the Verify you own this domain step and click Verify. Click Continue, uncheck Exchange and Exchange Online Protection, click Continue again, and then Done.
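Before clicking Verify it is worth confirming from the outside that the TXT record really resolves the way Microsoft expects. The checker below is an added example, not code from the original post or from Microsoft; it mimics what you would read off `dig +short TXT company.com` and flags the usual mistakes (record created on a host name instead of the apex, an older MS= token left behind, quotes around the value). The domain names, the token and the zone data are constructed, and the token format MS=ms followed by eight digits is an assumption based on what the admin center shows.

```python
import re

# Assumed format of the value Microsoft 365 shows for TXT verification: MS=ms12345678
_TOKEN_RE = re.compile(r"^MS=ms\d{8}$")


def normalize_txt(value: str) -> str:
    """Strip the quotes and surrounding whitespace dig prints around TXT data."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.strip()


def check_verification_record(zone: dict, domain: str, expected: str) -> dict:
    """Return {"ok": bool, "reason": str} for the Verify step.

    zone maps DNS names to the list of TXT strings they answer with,
    i.e. what `dig +short TXT <name>` would print, quotes included.
    """
    if not _TOKEN_RE.match(expected):
        return {"ok": False, "reason": f"unexpected token format: {expected}"}
    apex = [normalize_txt(v) for v in zone.get(domain, [])]
    if expected in apex:
        return {"ok": True, "reason": "token found at apex"}
    # Common mistake: the record was created on a host name instead of the apex.
    for name, values in zone.items():
        if name != domain and name.endswith("." + domain):
            if expected in (normalize_txt(v) for v in values):
                return {"ok": False, "reason": f"token found on {name}, not on {domain}"}
    # The apex carries an MS= token, but not the one the admin center is waiting for.
    stale = [v for v in apex if _TOKEN_RE.match(v)]
    if stale:
        return {"ok": False, "reason": f"apex has a different MS= token: {stale[0]}"}
    return {"ok": False, "reason": "no MS= verification record at apex"}


# Constructed zone data, in the form dig +short TXT would print it; SPF may coexist.
SAMPLE_ZONE = {
    "company.com": ['"v=spf1 include:spf.protection.outlook.com -all"',
                    '"MS=ms12345678"'],
    "www.company.com": ['"MS=ms87654321"'],
}

if __name__ == "__main__":
    print(check_verification_record(SAMPLE_ZONE, "company.com", "MS=ms12345678"))
```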
That takes care of installation and basic configuration. Read Part II here where we get into Users, Groups and Licenses of Microsoft Endpoint Manager. See you soon!