What's new in Microsoft Endpoint Manager - part 2

These are my notes from a session at Microsoft Ignite 2020. The session was hosted by Steve Dispensa (Director of Program Management, Microsoft Endpoint Manager) and Ramya Chitrakar (Director of Engineering, Microsoft Endpoint Manager).

For the last couple of years at Ignite I have blogged my notes for sessions I'm interested in, as I always find it useful to refer back to this reading material later and punctuate it with content I've covered; sometimes the videos just flow by too fast and you miss important points. Where appropriate I'll link to content of mine that is referred to in the video.

This is part 2 of a two part series:

  •     What's new in Microsoft Endpoint Manager - part 1
  •     What's new in Microsoft Endpoint Manager - part 2 (this part)

reminder of mem.png
As a reminder, Microsoft Endpoint Manager lets you manage your entire endpoint estate, whether cloud native or on-premises. Wherever you are on your cloud management journey, whether you've just started out, have deployed co-management, or are completely in the cloud, Microsoft Endpoint Manager is your hub to unify security, apps, access, compliance and end-user experience across your entire technology estate.

mem hub.png
MEM delivers analytics and data to keep you ahead of change so you can keep your costs down, no matter what change brings.

Focus on Security

With Covid-19, almost all businesses in the world are dealing with remote productivity, with users working from home and other remote locations, so it has never been more important to ensure uniform security policy. MEM provides a rich portfolio of capabilities to help keep your organization safe and sound.

security focus.png

"Start with Security Baselines to ensure your organization is following best practices and to ensure you have uniform application policy across your organization."

You can start with Security Baselines to ensure your organization follows best practices and applies uniform policy across the organization. You can manage a host of security-specific policies across devices, including platform-specific capabilities such as encryption and firewall rules, and advanced threat protection from Microsoft Defender ATP.

Then you can move on to risk-based access control: MEM monitors the compliance of devices in real time, and that state can be fed into Azure AD Conditional Access (a powerful access control system). Additionally, you can deploy app control policies to provide compliance without fully managing a device, for example on BYOD devices.

zero trust.png



With users working from so many locations, organizations need to deploy consistent policy both inside and outside corporate firewalls; that is the foundation of Zero Trust. MEM can ensure that your Zero Trust policy is deployed to all your devices. Cyber threats and phishing attacks have increased between 3 and 5 times, and in a recent survey 89% of businesses see cyber security as a top priority, yet 62% say they lack the in-house skills to deal with it.

"In a recent survey 89% of businesses see cyber security as a top priority yet 62% say they lack the in-house skills to deal with it."

smb and partners.png

The rapid shift to secure remote work presents a huge opportunity for partners and SMBs.

smb and partners II.png

Covid-19 is increasing IT complexity and cyberattacks. Microsoft 365 Business Premium is a foundation for SMB management and security and contains everything from Teams and Conditional Access to Azure AD and Intune, and it can provide a roadmap for maintaining managed services for your customers as you light up new services for them every 6 months.

Microsoft 365 Lighthouse will provide guidance and experiences with onboarding new customers, offer consolidated insights across multiple tenants in a single pane to understand how customer tenants are configured and secured, and help improve customer experience and demonstrate value.

microsoft lighthouse.png

Demo: Configuring Microsoft Defender policy on servers managed by Configuration Manager

Below is a server managed by Configuration Manager; using Tenant Attach it shows up in Microsoft Endpoint Manager.

cm01 server managed in mem.png

Using CMPivot, you can run queries on devices in MEM. In this example Ramya queries to see which antivirus service(s) are running on this server. Notice that the two instances found are both in a stopped state.

cmpivot query.png

Note: I showed you how you can run CMPivot queries in MEM here.

You can now deploy Defender AV policies for devices managed by ConfigMgr from the MEM console. To do that, go to the Endpoint Security node, select Antivirus, then Create Policy.

create defender policy.png

Windows Autopilot

Autopilot provides cloud value by simplifying the provisioning and management of Windows 10 devices. Windows Autopilot can now work with co-managed devices: the ConfigMgr client agent is installed during the Enrollment Status Page (ESP), and a provisioning task sequence created in ConfigMgr is invoked.

In the example the task sequence was a non-OSD task sequence; it was responsible for restoring files and settings for the user.

syncing files and settings.png

Company Portal changes

Company Portal is going to be the one place users go for everything related to enterprise IT services. Company Portal now supports apps from Configuration Manager, web apps from Azure AD, and office.com.

company portal.png

When you install an application you can monitor its progress in the Downloads & Updates tab. The Power BI app here can be opened in a browser as it is a SaaS Azure AD app.

"This shows you how Microsoft Endpoint Manager is providing you with unified experiences across the spectrum from IT Pros to End Users."

Microsoft 365 is uniquely positioned to bring together the power of management and security.

The Endpoint Security node in Microsoft Endpoint Manager is your one-stop shop for managing security across your enterprise. In there you can configure Antivirus, Firewall and Disk Encryption (BitLocker) policies and settings, and you can also configure Security Baselines. When Defender ATP is connected to MEM you'll see additional items listed, such as Security tasks, as well as device risk-based compliance.

Endpoint Security.png

Since Defender ATP was released recently for Android, you can now act on it in MEM. In this example, a compliance policy is created in Endpoint Security to enable Conditional Access based on the Android risk score detected by Defender ATP.

android work profile.png

You can see this in action using the EICAR test virus on an Android device with Defender ATP enabled.

eicar test virus.png

After this happens, when the user launches Outlook you can see Conditional Access kicking in.

ca kicks in.png


After the user uninstalls the test virus from their phone they are once again able to access email successfully.

Custom Compliance Policy

In this demo you can see how to create a custom compliance policy using a PowerShell script and a JSON file to manage Dell computers.

create a custom compliance policy.png

"BIOS must be up to date"

Using this new custom compliance policy you can block access via Conditional Access if, for example, the BIOS is not up to date. Those settings are configurable in the JSON file.
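As an added example (not the session's own script), here are the two pieces the demo refers to, a PowerShell discovery script and a JSON rule file written in the format Intune custom compliance policies use, plus a local dry-run of the rule so it can be checked on a test device before the policy is uploaded. The minimum BIOS version 1.18.0, the hypothetical Dell model it applies to, and the MoreInfoUrl are constructed placeholders.

```powershell
function Get-DiscoveryJson {
    # Discovery script body. On the device it must return exactly one compressed
    # JSON object; its keys must match the SettingName values in the rule file.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $hash = @{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion   # vendor version string, e.g. "1.18.0"
    }
    return $hash | ConvertTo-Json -Compress
}

# Rule file content (saved as .json and uploaded with the policy). Version 1.18.0
# and the URL are constructed placeholders for a hypothetical Dell model; in
# practice use one rule (or one policy) per model you manage.
$rulesJson = @'
{
  "Rules": [
    {
      "SettingName": "BiosVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "1.18.0",
      "MoreInfoUrl": "https://example.com/bios-update-guide",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "BIOS must be up to date (minimum 1.18.0). Found {ActualValue}.",
          "Description": "Update the BIOS with the vendor update tool, then re-check compliance."
        }
      ]
    }
  ]
}
'@

# Local dry-run: evaluate each Version/GreaterEquals rule against the discovered
# value. A BIOS string that is not a parseable version (e.g. "A12" on older
# models) is reported as non-compliant instead of throwing, the safe default
# when the result feeds an access-control decision.
$discovered = Get-DiscoveryJson | ConvertFrom-Json
foreach ($rule in ($rulesJson | ConvertFrom-Json).Rules) {
    $actual = [string]$discovered.($rule.SettingName)
    $parsed = $null
    $ok = [version]::TryParse($actual, [ref]$parsed) -and $parsed -ge [version]$rule.Operand
    $status = if ($ok) { 'Compliant' } else { 'Not compliant' }
    '{0}: found "{1}", required >= {2} -> {3}' -f $rule.SettingName, $actual, $rule.Operand, $status
}
```

Only the discovery function body is uploaded as the script and only the here-string content as the JSON; the dry-run loop stays on the admin's test machine.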

Security Settings for Microsoft Edge

Now you can use the Managed App settings in MEM to configure policy for Microsoft Edge on Windows devices.

managed app.png

You can configure the home page and other settings for Edge.

app configuration policy.png

And on a remote user's device you can see Conditional Access informing the user in Edge that they cannot access corporate email while signed in with their private credentials; they must use their Office account.

edge must be signed in with your corporate account not private.png

Using GPO Analytics to seamlessly migrate GPOs to the cloud

For more info see > https://docs.microsoft.com/en-us/mem/intune/configuration/group-policy-analytics

gpo analytics.png

Once you've selected your GPO, click Migrate to migrate the Group Policy ADMX settings to the cloud.

migrate group policy admx to the cloud.png

It will also be possible to do this via PowerShell, and this will all be released as part of the overall GPO-to-MDM capability.

Key Takeaways

key takeaways.png
