What this page calls Azure Endpoint Manager is Microsoft Endpoint Manager (MEM), Microsoft's umbrella for managing and monitoring Windows, macOS, iOS/iPadOS and Android devices from a single console. In late 2022 Microsoft folded the MEM name into Microsoft Intune, so current documentation uses the Intune name for the same product family.
It is a cloud-based service built on Microsoft Intune and Microsoft Endpoint Configuration Manager (ConfigMgr), with Microsoft Entra ID (formerly Azure AD) supplying the user and device identities that policies target.
With it you can enroll devices, deploy apps, and configure settings remotely, so devices can be managed from anywhere.
That saves time and reduces the administrative burden of managing a large device estate.
What Is Azure Endpoint Manager?
Microsoft Endpoint Manager is a cloud-based solution designed to address the challenges of deploying, managing, and securing devices in the enterprise, including servers, PCs, and mobile devices.
IT administrators can use it to create policies for personal (BYOD) devices that access an organization's applications and data, as well as for corporate-owned devices.
In short, it is a platform that lets IT administrators manage and secure their organization's devices from a single location.
Implementation and Configuration
The Duo-specific steps below apply when you pair Intune-managed devices with Duo's Trusted Endpoints feature, which uses a device's management status to decide whether it is trusted. Start by identifying an application for testing and creating a Duo group containing your pilot users. Create this group in your source directory and add it to your Duo directory sync configuration before importing it to Duo.
Then create a Trusted Endpoints policy with the corresponding management integration configuration (Intune, in this case), which enables detection and reporting of device management status. Apply the policy to the pilot group on the test application and enable it for the management integration.
To configure device settings on the Intune side, create configuration profiles for each platform you manage: iOS/iPadOS, macOS, Android device administrator, Android Enterprise, and Windows. These profiles are then assigned to devices or users (normally via groups) in Intune.
What Is Included?
Microsoft Endpoint Manager (MEM) bundles several services for managing physical, virtual, and mobile devices. They can be used together to manage devices throughout an organization.
Microsoft Intune is the cloud-based service for configuring and securing iOS/iPadOS, Android, macOS, and Windows devices, and for deploying applications to managed devices.
Configuration Manager runs on-premises and is used to deploy applications and manage updates for PCs and servers. Desktop Analytics is a cloud-based service that delivers actionable insights based on the data gathered by Configuration Manager.
Co-management ties Intune and Configuration Manager together, so that either one can be designated the management authority for each of an organization's workloads. Windows Autopilot automates the deployment of new devices: it performs the initial setup and configuration of a device and enrolls it into Intune.
Azure Active Directory (now Microsoft Entra ID) stores the device and user identities that Intune targets; a Windows device's cloud identity is created there when the device is Microsoft Entra joined or hybrid joined (an on-premises domain join alone does not register it in the cloud). The Endpoint Manager Admin Center (now the Intune admin center) is the web interface through which admins manage all of these components.
Best Practices for Trusted Implementation
To implement Duo Trusted Endpoints effectively, start with a staged deployment. Most organizations perform a staged rollout: identify an application for testing and create a pilot group of users who will test the policy.
Begin by identifying an application that uses Duo's inline, interactive Universal Prompt or the traditional Duo Prompt, since those are the integrations that can report managed/unmanaged status. This lets you test the Trusted Endpoints policy and confirm it works as expected before it affects anyone else.
Create a new Trusted Endpoints policy with the corresponding management integration configuration, which enables detection and reporting of device management status. Apply this policy to the pilot group on the test application and enable it for the management integration.
As you pilot the policy, monitor Device Insight and Endpoints in the Duo Admin Panel to see which devices report as trusted. If you are a Duo Essentials customer, use the Authentication Log report instead to see when users authenticate from a trusted device.
Here's a step-by-step guide to implementing Trusted Endpoints:
1. Identify an application for testing
2. Create a pilot group containing users who will test the policy
3. Create a new Trusted Endpoints policy with management integration configurations
4. Apply the policy to the pilot group on the test application
5. Monitor Device Insight and Endpoints in the Duo Admin Panel, or the Authentication Log report if you are an Essentials customer
By following these steps you can test and refine the Trusted Endpoints policy before expanding it to all users and applications; a policy that blocks unmanaged devices is much safer to tune on a pilot group than on the whole company.
How MEM Works
MEM automates the provisioning of new devices: with Windows Autopilot it installs Windows, performs an initial configuration, and enrolls the device into Intune, saving IT staff considerable time.
Users can also go to a self-service portal to enroll their personally owned devices into Intune, which checks the device against the organization's compliance requirements before the user starts working on it.
MEM can detect missing security updates and deploy them automatically, keeping devices patched.
Admins create security policies that are applied to devices automatically, such as requiring a password-protected lock screen on mobile devices or enabling the firewall on Windows devices.
If a device falls out of compliance, Intune can in some cases remediate automatically, depending on the nature of the issue; otherwise the non-compliant state is what Conditional Access uses to block access until the user fixes the problem.
MEM also saves administrators from installing applications onto devices by hand: approved applications are published to users through an enterprise app store (the Company Portal).
Device Configuration
Device configuration is a central step in setting up Microsoft Intune. You create profiles per platform: iOS/iPadOS, macOS, Android device administrator, Android Enterprise, and Windows.
Intune exposes settings and features you can enable or disable on devices; these are collected into configuration profiles, which you then assign to device or user groups.
Useful references for configuring device settings:
- Configure device settings
- Windows security baselines
- iOS/iPadOS Enterprise security configuration framework
- Android Enterprise security configuration framework
- Device features and settings in Microsoft Intune
- Assign device profiles in Microsoft Intune
- App configuration policies for Microsoft Intune
- Manage endpoint security in Microsoft Intune
Configuration profiles push settings to the device. Compliance policies are a separate object: they check the device's state against rules such as requiring a password-protected lock screen or an active firewall on Windows devices and mark the device compliant or non-compliant. The distinction matters because Conditional Access acts on the compliance result, not on whether a profile was delivered.
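As an added example (not code from the original article or from Microsoft's documentation), the following Microsoft Graph PowerShell script creates a Windows compliance policy that enforces the two controls mentioned above plus BitLocker, Secure Boot and antivirus, assigns it to a pilot group only, and then lists devices that are already non-compliant. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds an Intune role allowed to manage compliance policies, and that you replace the placeholder group ID with your pilot group's object ID.

```powershell
# Added example: create and assign an Intune Windows compliance policy via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell module; the group ID below is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group object ID

$policy = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "Pilot - Windows baseline compliance"
    description                           = "Password, active firewall, BitLocker, Secure Boot, AV"
    passwordRequired                      = $true
    passwordMinimumLength                 = 12
    passwordRequiredType                  = "alphanumeric"
    passwordMinutesOfInactivityBeforeLock = 15
    activeFirewallRequired                = $true
    bitLockerEnabled                      = $true
    secureBootEnabled                     = $true
    antivirusRequired                     = $true
    # Graph rejects a compliance policy that has no scheduled action for non-compliance.
    # "block" with a 0-hour grace period marks the device non-compliant immediately, which
    # is what a Conditional Access "require compliant device" grant keys off.
    scheduledActionsForRule               = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign to the pilot group only; widen the assignment once the pilot reports clean.
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $pilotGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Sanity check: which enrolled devices are currently non-compliant?
$devices = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=deviceName,userPrincipalName,complianceState"
$devices.value | Format-Table deviceName, userPrincipalName, complianceState
```

Run it against a test tenant first. The scheduled "block" action is what turns a failed rule into a non-compliant state; without it the policy evaluates but never changes the device's compliance result, so Conditional Access has nothing to act on.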
Getting Started
You can license Microsoft Endpoint Manager (Intune) through two Enterprise Mobility + Security subscriptions, E3 and E5 (Intune is also bundled in the Microsoft 365 E3 and E5 plans).
At the time this page was written, Enterprise Mobility + Security E3 listed at $10.60 per user per month and E5 at $16.40 per user per month.
The E5 plan adds risk-based Conditional Access, backed by Microsoft Entra ID P2 identity protection, which is not available with E3.
Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) is also included with E5.
To get started, decide which subscription fits your organization, then set up users and groups in Microsoft Entra ID before enrolling devices, since every Intune assignment targets an Entra identity or group.
Admin Center and Tools
The Intune admin center is the single console for managing devices, users, and policies. You can add users and groups, create and manage policies, and monitor policy results through its reports.
If you use Configuration Manager tenant attach or co-management, your on-premises devices also appear here and you can run some actions on them from the cloud console, which removes a lot of console-hopping.
The admin center also integrates with other device management and security services, including:
- Microsoft Entra Privileged Identity Management, for just-in-time activation and auditing of privileged roles
- Microsoft Tunnel, a VPN gateway solution that runs on Linux
- Mobile threat defense partners
- Remote Help for remote assistance
- TeamViewer for remote administration
- Windows 365 for your Windows virtual machines (Cloud PCs)
- Windows Autopatch to automate updates
Entra ID
Microsoft Entra ID, formerly Azure Active Directory, is surfaced in the admin center and is the identity foundation of an Intune deployment: this cloud-native service holds the user, device, and group identities that every Intune assignment targets.
Intune uses Microsoft Entra ID to assign policies to users, devices, and groups. Users sign in to their devices with their Microsoft Entra work accounts, and the device identity created at join or enrollment time is what compliance and Conditional Access decisions are tied to.
The first step is therefore adding users (or syncing them from on-premises Active Directory); everything else in identity management builds on that.
Microsoft Entra ID comes in several license plans. The P1 tier adds features that matter for device management: dynamic groups, automatic MDM enrollment into Intune, and Conditional Access.
Here are some key tasks to consider when working with Microsoft Entra ID:
- Add users
- Set up auto enrollment
- Learn about Conditional Access and Intune
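As an added example (not from the original article or from Microsoft's documentation), the script below creates the Conditional Access policy that ties the pieces above together: it requires a compliant device for the pilot group, across all cloud apps, and is created in report-only mode so nobody is blocked while you check the sign-in logs. It assumes the Microsoft.Graph module, a Microsoft Entra ID P1 license, and two placeholder group IDs: the pilot group and a break-glass (emergency access) group that must always be excluded.

```powershell
# Added example: create a report-only "require compliant device" Conditional Access policy.
# Assumes the Microsoft.Graph PowerShell module; both group IDs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000001"  # placeholder: pilot users
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: emergency access accounts

$caPolicy = @{
    displayName = "Pilot - Require compliant device (report-only)"
    # Report-only evaluates the policy and logs the would-be result without enforcing it.
    # Switch to "enabled" only after the sign-in log shows no unexpected failures.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Never scope a device-based grant to your break-glass accounts: a compliance
            # outage would otherwise lock every admin out of the tenant.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created Conditional Access policy $($created.id) in state '$($created.state)'"
```

Pair this with a compliance policy assigned to the same pilot group; a device that has never been evaluated is not compliant, so users whose devices are not yet enrolled will show as "would have been blocked" in the report-only results, which is exactly the list you want before enforcing.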
Copilot
Copilot lets administrators get information out of Intune quickly with the help of AI.
Microsoft Copilot in Intune is a cloud-native service that uses AI over your Intune data to provide insights. It can summarize and explain policies and settings, describe your security posture, and help troubleshoot device issues. It answers within the signed-in admin's Intune role-based access control permissions, so it does not expose data the admin could not already see in the console.
Copilot can also draft Kusto Query Language (KQL) queries for digging deeper into device data, which saves time when building reports or hunting for outliers. Treat generated queries and settings explanations as drafts to review, not as authoritative configuration.
Key capabilities of Copilot in Intune:
- Help you manage your policies and settings.
- Summarize your security posture.
- Troubleshoot device issues.
- Draft Kusto Query Language (KQL) queries.
Frequently Asked Questions
Is Microsoft Endpoint Manager the same as Intune?
Microsoft Intune is the core component of Microsoft Endpoint Manager, the unified endpoint management brand that also covered Configuration Manager, co-management, Autopilot and Desktop Analytics. In late 2022 Microsoft retired the Endpoint Manager name and now refers to the whole family as Microsoft Intune, so today the two names describe the same product family.
What is Azure managed endpoint?
This is a different product. An Azure Machine Learning managed online endpoint is a fully managed service for serving machine-learning models: it provides scalable, secured and monitored HTTPS endpoints backed by Azure CPU and GPU compute, so you do not manage the underlying infrastructure. It has nothing to do with device management in Endpoint Manager or Intune.
Sources
- https://duo.com/docs/trusted-endpoints
- https://www.techtarget.com/searchenterprisedesktop/definition/Microsoft-Endpoint-Manager-MEM
- https://learn.microsoft.com/en-us/mem/endpoint-manager-overview
- https://techcommunity.microsoft.com/blog/intunecustomersuccess/getting-started-with-microsoft-endpoint-manager/2497614
- https://www.schneider.im/microsoft-endpoint-management-naming-changes-and-product-additions/