MICROSOFT ENDPOINT MANAGER
 Microsoft Endpoint Manager (MEM)
 Microsoft Endpoint Portal
 Microsoft Configuration Manager (SCCM)
 Microsoft Intune (MDM & MAM)
 Defender Suite
 Configuring MEM for Windows & Mobile devices
 Configuring Defender
Microsoft Endpoint Manager
• Microsoft Endpoint Manager is a single, integrated management platform for managing, protecting, and monitoring all of your organization's endpoints.
• In November 2019, Microsoft introduced Microsoft Endpoint Manager.
• The Microsoft Endpoint Manager console helps keep your organization's cloud and on-premises devices, apps, and data secure.
• Microsoft combined its Microsoft Intune service and Configuration Manager into a single unified platform called Microsoft Endpoint Manager.
• It ensures that all your corporate services are easily available to end users on all the devices they use.
• Endpoint Manager includes the following services:
1. Configuration Manager
2. Intune
3. Co-management
4. Desktop Analytics
5. Azure Active Directory
• There is one admin console for all the services.
Microsoft Endpoint Manager console:
https://endpoint.microsoft.com/
Configuration Manager:
 It is a software management suite for managing Windows device deployment and security across an enterprise.
 Used by administrators to manage devices and endpoint protection.
 Manages on-premises devices such as servers, desktops, and laptops connected to the network, and installs the client software on them.
 Manages app deployment and updates on individual devices or groups of devices.
 We can deploy apps, software updates, and operating systems, and monitor the devices in real time.
 It can be cloud-enabled to integrate with Intune and move tasks to the cloud through co-management.
Configuration Manager Sites:
1. Central Administration Site
2. Primary Site
3. Secondary Site

1. Central Administration Site:
 Install this site on a separate server.
 Needs Windows Server 2012 or greater.
 SQL database for storage.
 Manages up to 825,000 clients.
 Manages the Primary Site servers.

2. Primary Site:
 Install this site on a separate server.
 Needs Windows Server 2012 or greater.
 Mandatory site.
 SQL database for storage.
 Manages up to 175,000 clients.
 Manages and collects data from clients on a well-connected network.
 Used in headquarters.

3. Secondary Site:
 Optional site; install this site on a separate server.
 Needs Windows Server 2012 or greater.
 SQL database for storage.
 Manages up to 15,000 clients.
 Manages and collects data from clients in remote locations.
 Used in branch offices.
Microsoft Intune:
 Intune is a cloud-based management service used to create and check for compliance, and to deploy apps, features, and settings to your devices through the cloud.
 It provides Mobile Device Management (MDM) and Mobile Application Management (MAM).
 Microsoft Intune enables mobile device management for:
 Personal devices, including personally owned phones, tablets, and PCs.
 Corporate-owned devices, including phones, tablets, and PCs owned by your organization and distributed to employees and students for use at work or school.
 It lets you control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10 devices. It integrates with other services, including Azure AD, Defender for Endpoint, and more.
 If you have on-premises infrastructure such as Active Directory, the Intune connectors are also available.
 The Intune Connector for Active Directory adds entries to your on-premises Active Directory domain for computers that enroll using Windows Autopilot.
Mobile Device Management(MDM):
Mobile Application Management(MAM):
Co-management:
• Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune.
• As part of Endpoint Manager, co-management uses cloud features, including conditional access. You keep some tasks on-premises while running other tasks in the cloud with Intune.

Desktop Analytics:
• Desktop Analytics is a cloud-based service that integrates with
Configuration Manager.
• It provides insight and intelligence for you to make more
informed decisions about the update readiness of your Windows
clients.
• It provides information on security updates, apps, and devices in
your organization, and identifies compatibility issues with apps
and drivers.
Windows Autopilot:
• Windows Autopilot sets up and pre-configures new devices, getting them ready for use. It's designed to simplify the lifecycle of Windows devices, for both IT and end users.
• It is a complete cloud-native solution.
• It's about taking a device from its factory state to a business-ready state.

Azure Active Directory:
• Azure AD is used by Endpoint Manager for identity and access of devices, users, and groups, and for multi-factor authentication (MFA).
Defender Suite
 Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
 With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receives and determine the full scope and impact of the threat: how it entered the environment, what it has affected, and how it is currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.

Microsoft 365 Defender services protect:
 Endpoints with Defender for Endpoint - Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
 Assets with Defender Vulnerability Management - Microsoft Defender Vulnerability Management delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.
 Email and collaboration with Defender for Office 365 - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
 Identities with Defender for Identity and Azure Active Directory (Azure AD) Identity Protection - Defender for Identity uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure AD Identity Protection automates the detection and remediation of identity-based risks in your cloud-based Azure AD.
 Applications with Microsoft Defender for Cloud Apps - Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
Windows Device Configuration
Pre-requisites:
 Microsoft Intune subscription
 Azure Active Directory / Company Portal
 Your work or school credentials

Steps:
1. Open Company Portal and sign in with your work or school account.
2. On the Set up your device screen, select Next.
3. On the Connect to work screen, select Connect.
4. Sign in with your credentials.
5. On the setting-up screen, select Go and
6. On the next screen, click Done.
7. You will now see the added account under the Access work or school settings on your Windows desktop.
With this, the Windows device is configured for Intune.
• To confirm that the device enrollment is complete:
• Go to the Microsoft Endpoint Manager admin center.
• Select Devices > All devices to view the devices enrolled in Intune.
Verify that you have an additional device enrolled within Intune.
Here we see that the device is enrolled (i.e. Windows device – 1).

After that, the user can switch users on the Windows device by signing in with those credentials and get access to that particular machine.
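The enrollment check above is done by clicking through the admin center. The following PowerShell is an added example, not code from the slide deck or from Microsoft, that performs the same verification from both sides: on the Windows device itself with the built-in `dsregcmd /status` tool and the MDM enrollment registry keys, and from the admin side with the Microsoft Graph PowerShell SDK (`Microsoft.Graph.DeviceManagement` module). It assumes the Graph module is installed and that the signed-in admin account can be granted the `DeviceManagementManagedDevices.Read.All` scope; the device name `WINDOWS-DEVICE-1` is a constructed placeholder.

```powershell
# Added example: verify Intune enrollment of a Windows device from the device
# and from the tenant. Not part of the original slide deck.

function Test-LocalIntuneEnrollment {
    # Run on the Windows device. Parses 'dsregcmd /status' (lines look like
    # "   AzureAdJoined : YES") into a hashtable and reports the join/MDM fields.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        # Key may contain spaces ("Device Name"); the value may contain ':' (URLs).
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }

    # Intune enrollments are recorded under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    # with ProviderID 'MS DM Server'. Non-GUID subkeys simply lack that property.
    $enrollmentKeys = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    [pscustomobject]@{
        AzureAdJoined    = $status['AzureAdJoined']
        DomainJoined     = $status['DomainJoined']
        WorkplaceJoined  = $status['WorkplaceJoined']
        MdmUrl           = $status['MdmUrl']
        IntuneEnrolled   = [bool]$enrollmentKeys
    }
}

function Get-IntuneEnrolledDevices {
    # Run from the admin workstation. Lists devices enrolled in Intune, optionally
    # filtered to one device name, with the fields an admin checks after enrollment.
    param([string]$DeviceName)

    # Read-only scope: enough to list managed devices, nothing more.
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

    $devices = Get-MgDeviceManagementManagedDevice -All
    if ($DeviceName) {
        $devices = $devices | Where-Object { $_.DeviceName -eq $DeviceName }
    }

    $devices | Select-Object DeviceName, OperatingSystem, OSVersion,
        ManagedDeviceOwnerType, ComplianceState, EnrolledDateTime, LastSyncDateTime
}

# Usage (device side): a device managed by Intune shows an MdmUrl and IntuneEnrolled = True.
$local = Test-LocalIntuneEnrollment
$local | Format-List
if (-not $local.IntuneEnrolled) { Write-Warning 'No Intune (MS DM Server) enrollment found on this device.' }

# Usage (admin side): confirm the newly enrolled device appears in Devices > All devices.
# 'WINDOWS-DEVICE-1' is a constructed placeholder; use the real device name.
Get-IntuneEnrolledDevices -DeviceName 'WINDOWS-DEVICE-1' | Format-Table -AutoSize
```

The device-side function answers "is this machine actually managed?" without trusting the Company Portal UI, and the admin-side function answers "does the tenant see it, and has it synced?"; a device that shows `IntuneEnrolled = True` locally but never appears in Graph, or appears with a stale `LastSyncDateTime`, is the first thing to investigate before assigning compliance or Defender policies to it.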
Configuring Mobile Device
 Configuring mobile devices with the Intune Company Portal app gives secure access to your organization's email, files, and apps.
 After your device is enrolled, it becomes managed, and the organization can assign policies and apps to the device through Intune.

Pre-requisites:
1. Intune subscription
2. Install the Intune Company Portal app

Android Device:
Steps:
1. Sign in with your credentials.
2. Accept the permissions to enroll your device.
3. You see a Contoso LLC screen; click to continue.
4. Then you see a permissions screen; click Accept.
5. On the next Device Administrator Company Portal screen, click Activate.
6. Here you go: you will see your Apps, Devices, and Contact IT.
Android Intune Portal App Home Screen

Here you can see the apps and devices which are assigned by the organization.
Configuring Mobile Device
iOS Device:
Pre-requisites:
1. Intune subscription
2. Enable the MDM authority
3. Be sure the Apple Push Certificate is added to Endpoint Manager and is active. This certificate is required to enroll iOS/iPadOS devices.
4. Install the Intune Company Portal app

Steps:
1. Install and open the Company Portal app and sign in with your credentials.
2. You will see a notification permission request; tap OK and Allow.
3. On the next screen, Set up device access, tap Begin.
4. On the next screen, Device management and your privacy, tap Continue.
5. Tap Continue; it downloads the Company Portal profile. Go to Settings, open the management profile under Device management, then tap Continue.
6. It's all set; now you can access your work apps, data, and more.
Configuring Defender for Endpoint
Pre-requisites:
1. Microsoft 365 E5 subscription.
2. Enable Microsoft Defender for Endpoint in the MEM admin console.
Steps:
1. Go to the Microsoft Defender for Endpoint page in the Microsoft Endpoint Manager admin center.
2. To use Defender for Endpoint with compliance policies, configure the following under MDM Compliance Policy Settings for the platforms you support:
◦ Set Connect Android devices to Microsoft Defender for Endpoint to On.
◦ Set Connect iOS devices to Microsoft Defender for Endpoint to On.
◦ Set Connect Windows devices to Microsoft Defender for Endpoint to On.
3. To use Defender for Endpoint with app protection policies, configure the following under App Protection Policy Settings for the platforms you support. These capabilities are available for Android and iOS/iPadOS.
◦ Set Connect Android devices to Microsoft Defender for Endpoint for app protection policy evaluation to On.
◦ Set Connect iOS devices to Microsoft Defender for Endpoint for app protection policy evaluation to On.
4. Then click Save. This completes the configuration of Defender for Endpoint.