MECM

Microsoft Endpoint Manager brings together Configuration Manager and Intune into a single console called the Microsoft Endpoint Manager admin center. It provides an integrated solution for managing all devices. Windows Autopilot allows deploying, provisioning, and managing devices with little infrastructure needed. It simplifies the Windows device lifecycle from initial deployment to retirement through features like self-deploying, pre-provisioning, and support for existing devices.

Uploaded by Nsrk Krishna

Microsoft Endpoint Manager

✓ Microsoft Endpoint Manager – MEM
✓ Microsoft Endpoint Configuration Manager – MECM
✓ Microsoft Endpoint Manager Configuration Manager – MEMCM
✓ Microsoft Endpoint Manager Microsoft Intune – MEMMI


[Course map diagram: Microsoft Endpoint Manager and its modules – Microsoft Intune, Endpoint Configuration Manager, Admin Center, Azure Active Directory, Co-Management, Windows Autopilot, Desktop Analytics – each labelled with an approximate duration (~1+ to ~50+ hours).]
Build a Resilient business with Microsoft Endpoint Manager

Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called the Microsoft Endpoint Manager admin center.
Autopilot Deployment

❑ Windows Autopilot is a cloud-based service.


❑ Windows Autopilot is a collection of technologies used
to set up and pre-configure new devices, getting them
ready for productive use.
❑ You can also use Windows Autopilot to reset, repurpose,
and recover devices.
❑ This solution enables an IT department to achieve the
above with little to no infrastructure to manage, with a
process that's easy and simple.
❑ Windows Autopilot simplifies the Windows device
lifecycle, for both IT and end users, from initial
deployment to end of life.
❑ Reduces the time IT spends on deploying, managing, and
retiring devices.
❑ Reduces the infrastructure required to maintain the
devices.
❑ Maximizes ease of use for all types of end users.
Once deployed, you can manage Windows 10 devices with:
❑ Microsoft Intune
❑ Windows Update for Business
❑ Microsoft Endpoint Configuration Manager
✓ Automatically join devices to Azure Active Directory (Azure AD)
or Active Directory (via Hybrid Azure AD Join).
✓ Auto-enroll devices into MDM services, such as Microsoft
Intune.
✓ Restrict the Administrator account creation.
✓ Create and auto-assign devices to configuration groups based
on a device's profile.
✓ Customize OOBE content specific to the organization.
1. Self-Deploying Mode for kiosks, digital signage, or a shared
device
2. Pre-provisioning enables partners or IT staff to pre-
provision a Windows 10 PC so that it's fully configured and
business-ready
3. Autopilot for existing devices enables you to easily deploy
the latest version of Windows 10 to your existing devices
4. User Driven Mode for traditional users.
Self-Deploying Mode
1. Self-Deploying Mode for kiosks, digital signage, or a shared
device

❑ Joins the device to Azure Active Directory.
❑ Enrolls the device in Intune (or another MDM service) using Azure AD for automatic MDM enrollment.
❑ Makes sure that all policies, applications, certificates, and networking profiles are provisioned on the device.
❑ Uses the Enrollment Status Page to prevent access until the device is fully provisioned.
❑ Combining self-deploying mode with MDM policy:

➢ All devices will be joined to Azure Active Directory.
➢ Self-deploying mode uses a device's TPM 2.0 hardware to authenticate the device into an organization's Azure AD tenant.
➢ Hyper-V virtual TPMs are not supported.
➢ Windows 10, version 1903 or later is required.
Pre-Provisioning (White Glove)

2. Pre-provisioning: With Windows Autopilot for pre-provisioned deployment, the provisioning process is split. The time-consuming portions are done by IT, partners, or OEMs. The end user simply completes a few necessary settings and policies and then they can begin using their device.

❑ User-driven deployments with Azure AD Join. The device will be joined to an Azure AD tenant.
❑ User-driven deployments with Hybrid Azure AD Join. The device will be joined to an on-premises Active Directory domain, and separately registered with Azure AD.

➢ The Windows Autopilot white glove feature has been renamed to Windows Autopilot for pre-provisioned deployment.
➢ Physical devices that support TPM 2.0 and device attestation.
➢ Virtual machines aren't supported.
➢ Pre-provisioned deployments use Microsoft Intune in Windows 10, version 1903.
Autopilot for Existing Devices
3. Windows Autopilot Deployment for existing devices
for kiosks, digital signage, or a shared device

➢ Windows Autopilot existing device task sequence template
➢ Create the JSON file
➢ Needs Endpoint Manager Current Branch
➢ Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported.
Windows Autopilot Deployment for Existing Devices

Steps: Configure Windows AutoPilot pre-requirements → Create an Autopilot profile JSON file → Create a SCCM Package → Create a Task Sequence and target it to a Dynamic Group Collection → Test the results

Configure Windows AutoPilot pre-requirements

❑ Device Settings for Joining to Azure AD
❑ Licenses
❑ Company Branding
Configure Windows AutoPilot Profiles and Automatic Assignments

❑ Create a Dynamic Device Group with the membership rule (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
❑ Enrollment Status Page – Optional Settings
❑ Create AutoPilot Deployment Profiles

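One way to carry out the "Create the JSON file" step for Autopilot for existing devices, as an added example that is not the slides' own code: it exports an existing user-driven Autopilot deployment profile to AutopilotConfigurationFile.json using the WindowsAutopilotIntune module from the PowerShell Gallery (not mentioned on the slide, and assumed to be v5 or later so that it authenticates through Connect-MgGraph), then checks the file before it is packaged. The profile name 'Autopilot Existing Devices' is a placeholder.

```powershell
# Added example (not from the slides). Assumes the WindowsAutopilotIntune module (v5+)
# and an account allowed to read Intune service configuration. Profile name is a placeholder.

Install-Module -Name WindowsAutopilotIntune -Scope CurrentUser -Force
Import-Module WindowsAutopilotIntune
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

# Only user-driven Azure AD or Hybrid Azure AD profiles work with the existing-devices
# task sequence (see the slide), so select that profile by its display name.
$profileName = 'Autopilot Existing Devices'   # placeholder
$apProfile = Get-AutopilotProfile | Where-Object { $_.displayName -eq $profileName }
if (-not $apProfile) { throw "Autopilot profile '$profileName' not found" }

# The file must be named exactly AutopilotConfigurationFile.json and saved as ASCII
# (no byte-order mark); a BOM is a common reason the profile is never applied.
$outFile = Join-Path $PWD 'AutopilotConfigurationFile.json'
$apProfile | ConvertTo-AutopilotConfigurationJSON | Out-File -FilePath $outFile -Encoding ASCII

function Test-AutopilotConfigurationFile {
    param([Parameter(Mandatory)][string]$Path)
    $ok = $true
    if ((Split-Path $Path -Leaf) -ne 'AutopilotConfigurationFile.json') {
        Write-Warning 'File must be named AutopilotConfigurationFile.json'; $ok = $false
    }
    # UTF-8 BOM (EF BB BF) or UTF-16 BOM (FF FE) means the wrong encoding was used.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and
        (($bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB) -or ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE))) {
        Write-Warning 'File has a byte-order mark; re-save with -Encoding ASCII'; $ok = $false
    }
    try {
        $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json
    } catch {
        Write-Warning "File is not valid JSON: $_"; return $false
    }
    # CloudAssignedTenantId names the tenant the device is registered to; an empty
    # value would leave the device pointing at no tenant at all.
    if ([string]::IsNullOrWhiteSpace($cfg.CloudAssignedTenantId)) {
        Write-Warning 'CloudAssignedTenantId is missing'; $ok = $false
    }
    return $ok
}

Test-AutopilotConfigurationFile -Path $outFile
# Next step on the slide: place this file in a Configuration Manager package and have the
# task sequence copy it to %WINDIR%\Provisioning\Autopilot\ on the target device.
```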
User Driven Mode
4. Windows Autopilot user-driven mode lets you configure new Windows 10 devices to automatically transform them from their factory state to a ready-to-use state.

✓ Unbox the device, plug it in, and turn it on.


✓ Choose a language (only required when multiple
languages are installed), locale, and keyboard.
✓ Connect it to a wireless or wired network with internet
access. If using wireless, the user must establish the
Wi-Fi link.
✓ Specify your e-mail address and password for your
organization account.

➢ Windows 10, version 1809 or later


User Driven Mode – Hybrid Azure AD Join workflow (from the slide's flow diagram):
1. Intune Connector installation – for Hybrid AD Join
2. OU creation and grant permission – for Hybrid AD Join
3. Dynamic user group creation
4. Create Profile – for Hybrid Domain Join
5. Create Autopilot Deployment Profile – User Driven Mode
6. (Optional) Enrollment Status Page – ESP
7. Validate user-targeted applications and user licenses
8. End user experience
Adding Devices to Windows Autopilot

✓ Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service.
✓ Registration is performed by the OEM, reseller, or distributor from which the devices were purchased.

Device Identification – the device's unique hardware hash includes:

❑ Manufacturer
❑ Model
❑ Device serial number
❑ Hard drive serial number
❑ Details about when the ID was generated
❑ Many other attributes that can be used to uniquely identify the device

# Create a working folder and move into it
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
# Allow the downloaded script to run in this session only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
# Install the Get-WindowsAutoPilotInfo script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutoPilotInfo
# Write this device's hardware hash to a CSV for upload to the admin center
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
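As an added example (not the slide's own code, and not the Get-WindowsAutoPilotInfo script), the following PowerShell reads the same hardware hash directly from the MDM bridge WMI provider, writes it in the CSV layout the Autopilot import accepts, and checks the CSV before anyone uploads it. It assumes an elevated session on the physical Windows 10 device being registered; the output path C:\HWID\AutoPilotHWID.csv is taken from the slide.

```powershell
# Added example (not from the slides). Run as administrator on the device to register.

function Get-AutopilotRegistrationRecord {
    # Serial number from the firmware; this is what the admin center lists after import.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # The hardware hash is exposed by the MDM bridge provider as the DeviceHardwareData
    # property of MDM_DevDetail_Ext01 (only readable with administrator rights).
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) {
        throw 'Hardware hash unavailable: run as administrator on a physical Windows 10 device.'
    }

    # Column names must match the Autopilot import template exactly;
    # the Windows Product ID column is optional and left blank here.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

function Export-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)]$Records)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # The import expects unquoted fields (Get-WindowsAutoPilotInfo strips them too).
    # Neither the serial nor the base64 hash can contain a comma, so this is safe.
    $Records | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $Path -Encoding ASCII
}

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $expected = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $header = (Get-Content -Path $Path -TotalCount 1) -split ','
    if (Compare-Object $header $expected -SyncWindow 0) {
        Write-Warning "Header must be: $($expected -join ',')"; return $false
    }
    $ok = $true
    foreach ($row in Import-Csv -Path $Path) {
        if ([string]::IsNullOrWhiteSpace($row.'Device Serial Number')) {
            Write-Warning 'Row with empty serial number'; $ok = $false
        }
        # The hash is an opaque base64 blob; a truncated or hand-edited value does not
        # decode and will be rejected at import time, so catch it before uploading.
        try { [void][Convert]::FromBase64String($row.'Hardware Hash') }
        catch {
            Write-Warning "Serial $($row.'Device Serial Number'): hash is not valid base64"
            $ok = $false
        }
    }
    return $ok
}

$csv = 'C:\HWID\AutoPilotHWID.csv'
Export-AutopilotCsv -Path $csv -Records (Get-AutopilotRegistrationRecord)
Test-AutopilotCsv -Path $csv
```

Test-AutopilotCsv can also be run on a CSV collected by a partner or reseller before it is imported in the admin center.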
Enroll Android Devices

Two Android management approaches: Android Enterprise Offering, and Android Device Administrator (DA).

❑ Consistent, reliable management
❑ Flexible, simple & safe application management
❑ Zero-day support for new features and functionality
❑ Secure by default
❑ A solid foundation on which to build

1. Android Enterprise Personally-Owned with a work profile: (BYOD) For personal devices granted permission to
access corporate data. Admins can manage work accounts, apps, and data. Personal data on the device is kept
separate from work data and admins don't control personal settings or data.
2. Android Enterprise Corporate-Owned with a work profile (COPE): For corporate-owned, single user devices
intended for corporate and personal use.
3. Android Enterprise Fully Managed (COBO): For corporate-owned, single user devices used exclusively for work
and not personal use. Admins can manage the entire device and enforce policy controls unavailable to personally-
owned/corporate-owned work profiles.
4. Android Enterprise Dedicated (COSU): For corporate-owned, single use devices, such as digital signage, ticket
printing, or inventory management. Admins lock down the usage of a device for a limited set of apps and web
links. It also prevents users from adding other apps or taking other actions on the device.
Android Enterprise Offering

1. Personally-owned devices with work profile
2. Corporate-owned devices with work profile (also called Corporate-owned, personally enabled user devices)
3. Corporate-owned, fully managed user devices (COBO)
4. Corporate-owned dedicated devices (COSU)
Android Enterprise Personally-Owned with a work profile (BYOD) – Work Profile

✓ The end-user needs to install the Company Portal app manually from the
Google Play Store.
✓ This is done on a device that is already up-and-running.
✓ The other three solutions enroll in Intune during the out-of-the-box
experience. Which seems a no-go in my opinion for BYOD Devices.
✓ This solution has a big focus on the Privacy Of The End-user.
✓ Corporate apps are installed in a managed (encrypted) container.
✓ This way personal and corporate apps are strictly separated.
✓ Corporate apps are marked with a Briefcase Icon, so it is clear to the user
which apps are corporate apps.
✓ The company has full control over the work profile container, but not
over the device itself. The Google Play Store inside the work profile is
restricted to the apps made available via Intune. Public apps are available
in the Store in the personal part of the device.
✓ A wipe action from the Intune portal would wipe and remove the work
profile container but does not wipe the device itself.
Corporate-owned, Personally Enabled User Devices (Corporate-owned Devices with Work Profile)

✓ The solution is also known as Corporate-owned, personally enabled user devices.
✓ The enrollment is done during the out-of-the-box experience (OOBE).
✓ By default you can enroll a device by scanning a QR code.
✓ On Samsung devices, a zero-touch deployment can be achieved with Knox Mobile Enrollment.
✓ Android device types can be enrolled by using Google's zero-touch deployment solution.

❑ Compared to the BYOD solution with Work profile, the corporate-owned version is
controlled on the Device Level. The device is fully managed with Intune, a device
wipe action resets the device to Factory Defaults.
❑ But as with the BYOD version, corporate apps and data are stored in a separate
work profile container and strictly separated from the personal apps.
Corporate-owned, Fully Managed User Devices
✓ Enrollment in Intune is done during the out-of-the-box-experience when enrolling as
fully managed user device.
✓ The device is fully managed, but there is no separation between personal and corporate
apps and data

❑ The admin is able to set restrictions on the device level, such as preventing the user from
performing a factory reset. As an admin, you can restrict access to the Google Play store to
only allow apps made available via Intune, or leave the store open for public apps.

❑ Fully managed user devices are associated to one single user, in contrast to dedicated
devices.
Corporate-owned Dedicated Devices

✓ Corporate-owned dedicated devices are devices for a single purpose.
✓ Example use case: think of a ticket scanner or a digital signage device.
✓ Enrollment is done during the out-of-the-box-experience, but no
authentication needs to be done during the enrollment process. The device
is not associated with a user.
✓ Apps on the device are fully managed using Intune, the Google Play Store is
not available.
Mobile Application Management

✓ Mobile Application Management is done using App Protection Policies (APP).
✓ In such a policy we set data protection and access requirements to keep corporate data safe.
✓ Examples of these are restrictions on which apps corporate data can be copied to, and requiring a PIN code to open a managed app.
✓ An admin has the ability to perform a selective wipe. This action will delete corporate data from the device, without touching the device itself.
✓ An advantage of this Mobile Application Management solution is that it is available for Android and iOS devices.
Apple Devices Enrollment

✓ You can set up enrollment for iOS/iPadOS devices to access company resources.
✓ Enroll iPads and iPhones to give users secure access to company email, data, and apps.
✓ You can let users enroll personally-owned devices, known as "Bring Your Own Device" (BYOD) enrollment.
✓ You can also set up enrollment of company-owned devices.

Supported Operating Systems

❑ Apple iOS 12.0 and later
❑ Apple iPadOS 13.0 and later
❑ Mac OS X 10.13 and later
Apple Enrollment

1. User-owned iOS/iPadOS devices (BYOD)
2. Company-Owned iOS/iPadOS devices
➢ Apple's Automated Device Enrollment (ADE)
➢ Apple School Manager
➢ Apple Configurator Setup Assistant enrollment
➢ Apple Configurator Direct Enrollment
Prerequisites for iOS/iPadOS Enrollment

1. Make sure your devices are supported.
2. Set up Intune. Device enrollment requires that you set your MDM authority.
3. Get an Apple MDM Push certificate. Apple requires a certificate to enable management of iOS/iPadOS and macOS devices.
User-owned iOS/iPadOS devices (BYOD) – User Enrollment

You can let users enroll their personal devices for Intune management, known as "bring your own device" or BYOD.

❑ App Protection Policies give you the lightest BYOD experience, providing management at an app level only.
However, if you want to also secure the device with a 6-digit complex PIN, you can use these policies along with
User Enrollment.
❑ Device Enrollment is what you may think of as typical BYOD enrollment. It provides admins with a wide range of
management options.
❑ User Enrollment is a more streamlined enrollment process that provides admins with a subset of device
management options.

Users can download the Intune Company Portal app from the App Store, and follow enrollment instructions in the app.
Company Owned – Apple School Manager

Apple School Manager is a device purchase and enrollment program for schools: https://school.apple.com/
✓ Using Intune with Apple School Manager, you can enroll large numbers of iOS/iPadOS devices without ever
touching them.
✓ When a student or teacher turns on the device, Setup Assistant runs with preconfigured settings and the
device enrolls into management.
✓ To enable Apple School Manager enrollment, you use both the Intune and Apple School Manager portals.
✓ A list of serial numbers or a purchase order number is required so you can assign devices to Intune for
management.
✓ You create Automated Device Enrollment (ADE) enrollment profiles (https://deploy.apple.com/) containing
settings that are applied to devices during enrollment.

https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-school-manager-set-up-ios
Company Owned – Automated Device Enrollment (ADE)

ADE enrollments aren't compatible with the app store version of the Company Portal app.
You can give users access to the Company Portal app on an ADE device. You may want to provide this access to let
users choose which corporate apps they wish to use on their device, to use modern authentication to complete the
enrollment process, or to provide a staged enrollment in which the device is enrolled and receives device policies
prior to a user authenticating in the Company Portal.

Supported Volume
✓ Maximum enrollment profiles per token: 1,000
✓ Maximum Automated Device Enrollment devices per profile: within the maximum number of devices per token
✓ Maximum Automated Device Enrollment tokens per Intune account: 2,000
✓ Maximum Automated Device Enrollment devices per token: Intune recommends not exceeding 60,000 devices
per token otherwise you might run into sync issues. If you have more than 60,000 devices, split those up into
multiple DEP tokens.

Apple recently changed from using the Apple Device Enrollment Program (DEP) to Apple Automated Device Enrollment (ADE), starting December 1, 2020.
https://support.apple.com/en-in/HT209617
Company Owned – Apple's Automated Device Enrollment (ADE)

➢ Organizations can purchase iOS/iPadOS devices through Apple's Automated Device Enrollment (ADE).
➢ ADE lets you deploy an enrollment profile "over the air" to bring devices into management.
➢ Automated Device Enrollment lets you enroll large numbers of devices without ever touching them.
➢ Devices like iPhones, iPads, and MacBooks can be shipped directly to users.
➢ When the user turns on the device, Setup Assistant, which includes the typical out-of-box experience for Apple products, runs with preconfigured settings and the device enrolls into management.
To Enable ADE:

➢ Use both the Intune and Apple Business Manager (ABM) or Apple School Manager (ASM) portals.
➢ A list of serial numbers or a purchase order number is required so you can assign devices to Intune for
management in either Apple portal.
➢ You create ADE enrollment profiles in Intune containing settings that are applied to devices during
enrollment


Enroll devices in Intune by using a Device Enrollment Manager (DEM) account

➢ You can enroll up to 1,000 mobile devices with a single Azure Active Directory account by using a Device
Enrollment Manager (DEM) account.
➢ DEM is an Intune permission that can be applied to an Azure AD user account and lets the user enroll up to 1,000
devices.
➢ A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the
users of the devices.
➢ By design, there's a limit of 150 Device Enrollment Manager (DEM) accounts in Microsoft Intune.

✓ A DEM account user must be assigned an Intune license.
✓ Wipe can't be done from the Company Portal. Wiping a device enrolled by a DEM user account can be done from the Microsoft Endpoint Manager Admin Center.
✓ Only the local device appears in the Company Portal app or website.
✓ DEM user accounts cannot use Apple Volume Purchase Program (VPP) apps with Apple VPP user licenses
because of per-user Apple ID requirements for app management.
✓ DEM accounts cannot be used when enrolling devices via Apple's Automated Device Enrollment (ADE).
✓ Devices can install VPP apps if they have Apple VPP device licenses.
✓ Devices are blocked for Conditional Access with the exception of Windows 10 1803+
✓ Every device enrolled with DEM accounts needs to be properly licensed to be managed by Intune. The license
could be an Intune user license or an Intune device license.
✓ If you're enrolling Android Enterprise Personally-Owned Work Profile or Corporate-Owned Work Profile
devices by using a DEM account, there is a limit of 10 devices that can be enrolled per account.
✓ Enrolling Android Enterprise Fully Managed Devices with DEM accounts isn't supported.
✓ Applying an Azure AD device restriction to a DEM account will prevent you from reaching the 1,000 device limit
that the DEM account can enroll.
App Protection Policies
➢ App Protection Policies (APP) are rules that ensure an organization's data remains safe or contained in a
managed app.
➢ A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of
actions that are prohibited or monitored when the user is inside the app.
➢ A managed app is an app that has App Protection Policies applied to it, and can be managed by Intune.
➢ You can use Intune app protection policies independent of any mobile-device management (MDM) solution.
➢ By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.
➢ Protecting your company data at the app level.
➢ End-user productivity isn't affected and policies don't apply when using the app in a personal context.
➢ App protection policies make sure that the app-layer protections are in place.
App Protection Policies Framework

Enterprise basic data protection
• Ensures that apps are protected with a PIN and encrypted, and performs selective wipe operations

Enterprise enhanced data protection
• Introduces APP data leakage prevention mechanisms and minimum OS requirements

Enterprise high data protection
• Introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense
Conditional Access with Endpoint Manager
✓ Conditional Access combines granular control over organizational data with a user experience that maximizes
worker productivity on any device from any location.
✓ Conditional Access makes sure that only trusted users can access organizational resources on trusted devices
using trusted apps.
❑ Device-based Conditional Access
❑ Conditional Access for Exchange on-premises
❑ Conditional Access based on network access control
❑ Conditional Access based on device risk
❑ Conditional Access for Windows PCs
❑ Corporate-owned
❑ Bring your own device (BYOD)
❑ App-based Conditional Access
Benefits of Conditional Access

✓ If every device is encrypted
✓ If malware is installed
✓ If its settings are updated
✓ If it's jailbroken or rooted
Please give me feedback on my course by writing a review!
DA – Desktop Analytics (https://aka.ms/desktopanalytics)
Desktop Analytics works with Configuration Manager version 1902 with update rollup (4500571) and above only.

❑ Inventory running apps on your clients
❑ Assess app compatibility
❑ Identify compatibility issues
❑ Receive mitigation suggestions based on cloud-enabled data insights
❑ Create pilot groups that represent your organization based on applications and drivers
❑ Use those pilot groups to deploy Windows 10

1. Upgrade Readiness
2. Update Compliance
3. Device Health
4. Richer app and Office macro insights
5. Easier integration with SCCM

Desktop Analytics is a successor of Windows Analytics, which retired on January 31, 2020.

Prerequisites
✓ Ensure you are using SCCM 1902 with update rollup (4500571) or later.
✓ An account with Full Administrator role in SCCM
✓ Devices must run Windows 7, Windows 8.1, or Windows 10
✓ Ensure the SCCM clients are installed with the latest version. The client agent version should be
5.00.8790.1025 and above (which is 1902).
✓ Clients must be able to connect to the Microsoft public cloud
✓ An Azure subscription, using an account with Global Admin permission
✓ Windows 10 Enterprise E3 or E5; or Microsoft 365 F1, E3, or E5
✓ Windows 10 Education A3 or A5; or Microsoft 365 A3 or A5
✓ Windows VDA E3 or E5

Beyond the cost of license subscriptions, there's no additional cost for using Desktop Analytics.
DA – Desktop Analytics

It may take up to 72 hours to process details in order to show in the Dashboard.

Desktop Analytics log files:

Log file | Description | Computer with log file
M365ADeploymentPlanWorker.log | Information about deployment plan sync from the Desktop Analytics cloud service to on-premises Configuration Manager | Service connection point
M365ADeviceHealthWorker.log | Information about device health upload from Configuration Manager to the Microsoft cloud | Service connection point
M365AHandler.log | Information about the Desktop Analytics settings policy | Client
M365AUploadWorker.log | Information about collection and device upload from Configuration Manager to the Microsoft cloud | Service connection point
SmsAdminUI.log | Information about Configuration Manager console activity, like configuring the Azure cloud services | Service connection point
DA – Desktop Analytics

✓ Device and Software Inventory
✓ Pilot Identification
✓ Issue Identification
✓ Configuration Manager Integration

Dashboard areas: Assets; Deployment Plans; Quality & Feature Updates; Compatibility Assessment; Health Status Monitoring.

Desktop Analytics uses a Log Analytics workspace in your Azure Subscription.
Desktop Analytics for Windows 10

Deployment plans in Desktop Analytics
❑ Automatically recommend which devices to include in pilots
❑ Identify compatibility issues and suggest mitigations
❑ Assess the health of the deployment before, during, and after updates
❑ Track the progress of your deployment
❑ Define what versions of Windows 10 you want to deploy
❑ Choose what groups of devices to which you want to deploy
❑ Create readiness rules for the deployment
❑ Define the importance of your apps
❑ Choose pilot devices based on automatic recommendations
❑ Decide how to fix issues with apps based on recommendations from Desktop Analytics

Use Configuration
Readiness Rules Plan Assets Devices Apps Drivers Pilot Devices Manager to Deploy
the Products
Desktop Analytics for Windows 10 – Assets

❑ Devices - The Devices tab displays key information about all devices in your organization that are enrolled in Desktop Analytics.
❑ Installed Apps - The Apps tab shows all installed apps that the service detects on your Windows devices. Each app is assigned an importance:
   ➢ Critical
   ➢ Important
   ➢ Ignore
   ➢ Not reviewed
   ➢ Not important

Usage information shown per app:
❑ Total installs
❑ Install percentage
❑ Devices that launched this app in the last 30 days

Noteworthy apps are those installed on more than 2% of enrolled devices.
Desktop Analytics for Windows 10 – Quality & Feature Updates

Security (quality) updates - devices are grouped by how current they are:
❑ Latest
❑ Latest-1
❑ Older
❑ Not measured

Feature updates - devices are grouped by the servicing state of their Windows 10 version:
❑ In service
❑ Near end of service
❑ End of service
❑ Not measured

Deployment status:
❑ Not started
❑ In progress
❑ Completed
❑ Needs attention - Devices (sorted by device name)
❑ Needs attention - Issues (sorted by issue type)
Compatibility assessment in Desktop Analytics

Compatibility risk values reported for an asset:
➢ Asset is removed during upgrade
➢ Full removal
➢ Partial removal
➢ Blocking upgrade
➢ Disk encryption blocking upgrade
➢ May block upgrade, test application
➢ Multiple
➢ Reinstall application after upgrading
Health status monitoring in Desktop Analytics

➢ Desktop Analytics monitors:
   ➢ % Devices with crashes (before update, after update, and the commercial average)
   ➢ % Sessions with crashes
   ➢ Usage: active devices and sessions
Windows 10 with Desktop Analytics

✓ Cloud-based service
✓ Provides insight and intelligence for informed decisions
✓ Shows the update readiness of your Windows devices
✓ Combines data from your organization with data aggregated from millions of devices connected to Microsoft cloud services

❑ Create an inventory of apps running in your organization.
❑ Assess app compatibility with the latest Windows 10 feature updates.
❑ Identify compatibility issues, and receive mitigation suggestions based on cloud-enabled data insights.
❑ Create pilot groups that represent the entire application and driver estate across a minimal set of devices.
❑ Deploy Windows 10 to pilot and production-managed devices using Configuration Manager.
❑ Minimize deployment risks by monitoring the health state of your devices during and after the deployment.
❑ Ensure your devices are still supported by tracking their security and feature update status.
Reports

❑ Operational - Provides timely, targeted data that helps you focus and take action. Admins, subject matter experts, and helpdesk staff will find these reports most helpful.
❑ Organizational - Provides a broader summary of an overall view, such as device management state. Managers and admins will find these reports most helpful.
❑ Historical - Provides patterns and trends over a period of time. Managers and admins will find these reports most helpful.
❑ Specialist - Allows you to use raw data to create your own custom reports. Admins will find these reports most helpful.

Reporting Experience - Functionality

❑ Search and sort – You can search and sort across every column, no matter how large the dataset.
❑ Data paging – You can scan your data based on paging, either page-by-page or by jumping to a specific page.
❑ Performance - You can quickly generate and view reports created from large tenants.
❑ Export – You can quickly export reporting data generated from large tenants.

Who can access the data?


❑ Global Administrator
❑ Intune Service Administrator
❑ Administrators assigned to an Intune role with Read permissions
