Using Microsoft Endpoint Manager to manage all your devices


Microsoft Endpoint Manager (MEM) helps you solve the challenge of device management in today’s mobile and remote work environment. MEM is a secure and intelligent management solution that improves productivity and collaboration with the familiar experiences users expect and gives IT the flexibility to support diverse scenarios for both bring your own device (BYOD) and corporate owned devices. Learn how integrated solutions in MEM help manage devices in your organization.

Intune is a cloud-based enterprise mobility management (EMM) service that enables user productivity while keeping your corporate data protected. Intune integrates with Azure Active Directory for identity and access control, and Azure Information Protection for data protection. Intune can enforce security policies, wipe devices remotely, and deploy apps.

Use Intune to manage apps and mobile devices by “enrolling” devices. When you enroll, you can use profiles to manage different settings and features on devices. The following table shows the most common device profiles for Windows 10.

  • Email - Manages Exchange ActiveSync settings on devices.
  • Wi-Fi - Allows you to manage wireless network settings for users and devices. In Windows 10, managing settings for users allows them to connect to corporate Wi-Fi without having to configure the connection manually.
  • VPN - Adds a virtual private network (VPN) with your organizational settings so your users' devices get network access quickly and easily.
  • Education - Configures different options for the Take a Test app on Windows 10 devices in classroom environments.
  • Certificates - Allows you to configure trust and certificates used for Wi-Fi, VPN, email profiles, and more.
  • Edition upgrade - Upgrades Windows 10 devices to Windows 10 Enterprise, S mode, and more.
  • Endpoint protection - Configures settings for BitLocker and Windows Defender.
  • Windows Information Protection - Allows you to configure Windows Information Protection for data loss prevention.
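The profiles above are applied by Intune once a device is enrolled, but an administrator usually also wants a device-side check that enrollment happened and that the endpoint protection settings actually took effect. The following script is an added example, not code from the page or from Microsoft; it uses the built-in dsregcmd tool and the BitLocker and Defender cmdlets that ship with Windows 10. Run it in an elevated PowerShell session (Get-BitLockerVolume requires administrator rights). The list of "expected" values at the end reflects a typical Endpoint protection profile and is an assumption; adjust it to match your own profile.

```powershell
# Added example (not from the original page): report whether this Windows 10
# device is Azure AD joined / MDM-enrolled and whether the settings an Intune
# Endpoint protection profile enforces (BitLocker, Defender) are in effect.

function Get-DeviceRegistrationState {
    # dsregcmd /status prints "Name : Value" lines; pick out the ones we need.
    $lines = dsregcmd /status
    $state = @{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'MdmUrl') {
        $line = $lines | Where-Object { $_ -match "^\s*$key\s*:\s*(.+)$" } | Select-Object -First 1
        $state[$key] = if ($line) { ($line -replace "^\s*$key\s*:\s*", '').Trim() } else { $null }
    }
    # An MDM URL is only present once the device is enrolled in an MDM such as Intune.
    $state['MdmEnrolled'] = [bool]$state['MdmUrl']
    return [pscustomobject]$state
}

function Get-EndpointProtectionState {
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $defender = Get-MpComputerStatus
    [pscustomobject]@{
        BitLockerProtection  = $osVolume.ProtectionStatus        # On / Off
        BitLockerMethod      = $osVolume.EncryptionMethod        # e.g. XtsAes256
        DefenderRealTime     = $defender.RealTimeProtectionEnabled
        DefenderSignatureAge = $defender.AntivirusSignatureAge   # days since last update
    }
}

function Test-ExpectedPosture {
    param([pscustomobject]$Registration, [pscustomobject]$Protection)
    # Assumed expectations for an enrolled device; change to match your profile.
    $findings = @()
    if ($Registration.AzureAdJoined -ne 'YES') { $findings += 'Device is not Azure AD joined' }
    if (-not $Registration.MdmEnrolled)        { $findings += 'Device is not enrolled in MDM (no MDM URL)' }
    if ($Protection.BitLockerProtection -ne 'On') { $findings += 'BitLocker protection is off on the OS drive' }
    if (-not $Protection.DefenderRealTime)     { $findings += 'Defender real-time protection is disabled' }
    if ($Protection.DefenderSignatureAge -gt 7) { $findings += "Defender signatures are $($Protection.DefenderSignatureAge) days old" }
    return $findings
}

$registration = Get-DeviceRegistrationState
$protection   = Get-EndpointProtectionState
$registration | Format-List
$protection   | Format-List

$findings = Test-ExpectedPosture -Registration $registration -Protection $protection
if ($findings.Count -eq 0) {
    Write-Host 'Device matches the expected enrollment and endpoint protection posture.'
} else {
    Write-Warning ("Findings:`n - " + ($findings -join "`n - "))
}
```

The script only reads state; it does not change BitLocker or Defender settings, which should continue to come from the Intune profile so that the cloud stays the source of truth. A non-zero list of findings on a device that Intune reports as compliant is worth investigating, since it usually means the profile has not yet synced or was overridden locally.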

Microsoft Endpoint Configuration Manager is an on-premises product used to manage Windows and macOS PCs, and servers. Configuration Manager has a rich set of capabilities that allow you to customize the following areas:

  • Application management
  • OS deployment
  • Software update management
  • Device compliance

Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT and that users will love. Windows Autopilot provides setup and pre-configuration services for new devices so they're ready to use right out of the box, including:

  • User-driven mode, which makes it easy for end users to set up new devices without any IT involvement.
  • Self-deploying mode, which deploys Windows 10 to a kiosk, digital sign, or shared device with little to no interaction.
  • Support for existing devices, to easily deploy the latest version of Windows 10 to existing devices with apps installed and profiles synced so users can resume work right away.
  • White glove, to empower partners or IT staff to pre-provision Windows 10 devices so they are fully configured and business ready for organizations and users.
  • Enrollment status page to ensure devices are fully configured, compliant, and secure before users can access the desktop.

Desktop Analytics simplifies the end-to-end deployment and upgrade process by providing comprehensive inventory, application compatibility assessment, pilot recommendations, and actionable insights.

  • Pilot recommendations - Desktop Analytics makes it easy to get pilots right by recommending a minimal list of devices to pilot, based on analysis of hardware and apps.
  • Compatibility analysis - Desktop Analytics not only identifies a comprehensive list of desktop apps and drivers for evaluation, it also performs a risk-level assessment and provides possible remediation.
  • Data insights - Get insights and context by comparing your organization’s data with aggregated data from other Microsoft cloud-connected devices.
  • Simplified deployment planning - Easily plan deployments with step-by-step guidance from Desktop Analytics.

Microsoft Defender Advanced Threat Protection (ATP) delivers preventative protection, post-breach detection, automated investigation, and response. ATP helps you by providing:

  • Threat and Vulnerability Management to quickly discover, prioritize, and remediate vulnerabilities and misconfigurations.
  • Attack surface reduction capabilities that ensure configuration settings are properly set and exploit mitigation techniques are applied.
  • Next generation protection to further reinforce the security perimeter of your network and catch all types of emerging threats.
  • Endpoint detection and response to detect, investigate, and respond to advanced threats.
  • Automated investigation and remediation capabilities that help reduce the volume of alerts in minutes, at scale.
  • Configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
  • Microsoft Threat Experts, Microsoft Defender ATP's new managed threat hunting service, which provides proactive hunting, prioritization, and additional context and insights that help security operations centers (SOCs) identify and respond to threats quickly and accurately.
  • Centralized configuration and administration APIs to integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
  • Integration with Microsoft solutions.

Azure AD Premium is the central identity store used for all the applications in EMS and Microsoft 365. The P1 and P2 versions of Azure AD Premium include features that are important for unified endpoint management. Some of the additional features included with the P1 and P2 plans are:

  • Self-service password reset
  • Write-back from Azure AD to on-premises Active Directory Domain Services (meaning your cloud and on-premises data are linked)
  • Microsoft Azure Multi-Factor Authentication (MFA) for cloud and on-premises apps
  • Conditional access based on group, location, and device state
  • Conditional access based on sign-in or user risk (P2 plan only)
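The last two items, conditional access on device state and on sign-in risk, are where the Intune device compliance signal and the Azure AD Premium identity signal come together: a policy can require that a user in a given group, signing in from outside trusted locations, does so from a compliant device or with MFA, and can tighten further when the sign-in is risky. The following is an added example, not code from the page or from Microsoft, of creating such a policy with the Microsoft Graph PowerShell SDK (Microsoft.Graph module). It assumes a pilot security group and a break-glass account whose object IDs are placeholders you must replace, and it creates the policy in report-only mode so its effect can be reviewed in sign-in logs before it blocks anyone. The signInRiskLevels condition requires the P2 plan, as the list above notes.

```powershell
# Added example (not from the original page): create a report-only conditional
# access policy that combines group, location, device state, and sign-in risk.
# Requires: Install-Module Microsoft.Graph (run once), then an admin sign-in.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholders (assumed): replace with object IDs from your own tenant.
$pilotGroupId      = '00000000-0000-0000-0000-000000000001'   # group the policy applies to
$breakGlassUserId  = '00000000-0000-0000-0000-000000000002'   # emergency-access account, always excluded

$policy = @{
    displayName = 'Pilot: compliant device or MFA outside trusted locations'
    # Report-only: evaluated and logged, but never enforced, until you flip it to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @('All')
        }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')      # named locations marked as trusted
        }
        # Device-state condition expressed through the grant: see builtInControls below.
        # Sign-in risk condition (P2 plan): only risky sign-ins trigger this policy.
        signInRiskLevels = @('high', 'medium')
    }
    grantControls = @{
        operator        = 'OR'                      # either control satisfies the policy
        builtInControls = @('compliantDevice', 'mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' with id $($created.Id) in state $($created.State)"
```

Two design choices matter here. Excluding a break-glass account is the standard safeguard against locking administrators out of the tenant if device compliance or MFA breaks, and report-only mode lets you confirm from the Azure AD sign-in logs which users and devices would have been affected before the policy is switched to enabled.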