Organizations worldwide are aligning their infrastructure, services, and processes with cloud-native technologies. But, as the global pandemic quickly showed, relying on legacy on-premises solutions creates challenges for today’s hybrid workforce. One clear example is the ability to provision and manage end-user workstations.
Traditional workflows used workstation images to load the Windows operating system and applications. IT admins then used Active Directory Group Policy to apply the policy configurations needed to control governance and what users can and can’t do. With the shift to the hybrid workforce, these approaches are no longer practical. Microsoft Intune provides a modern, cloud-native approach to managing, configuring, and applying configuration policies to workstations as part of Microsoft Endpoint Manager.
Traditional workstation management is no longer effective
Why is traditional workstation management no longer effective in today’s hybrid workforce? Traditional workstation and endpoint policy management technologies rely on legacy architecture for their functionality. That is, they depend on workstations being on the same network as the solutions controlling them.
In previous years, end-users drove into the corporate office campus and used workstations and laptops directly connected to the corporate network. Now that the workforce landscape has shifted to a hybrid configuration with many employees working remotely, the infrastructure requirements of these legacy solutions no longer apply.
What are the legacy solutions used in the enterprise today? For example, IT Admins may currently use solutions such as the following:
- Windows Deployment Services (WDS) – WDS is typically used to image Windows clients and Windows Servers for deployment. IT admins typically create special “images” for different roles or use cases and install the appropriate image for the specific use of the client or server.
- Windows Server Update Services (WSUS) – Windows Server Update Services is used to deploy Windows Updates to both end-user clients and Windows Servers in the enterprise datacenter. WSUS provides an interface enabling IT admins to approve Windows Updates for clients and servers and have those endpoints connect to the WSUS server to pull down the updates instead of communicating directly with Microsoft Windows Updates Services on the Internet.
- Group Policy – Microsoft Active Directory Domain Services (AD DS) Group Policy is the traditional way that enterprise organizations enforce policies for users and computers. Group Policy requires line of sight access to a domain controller.
While the tools listed above are still very powerful in the enterprise, on their own they are no longer adequate for the needs of businesses today supporting a largely hybrid workforce.
Microsoft Endpoint Manager and Microsoft Intune
Microsoft Endpoint Manager is a cloud-based solution that provides the framework and tools to provision, manage, and secure end-user clients. However, it is not limited to PCs. Businesses can manage and monitor desktop computers, virtual machines, mobile devices, embedded devices, and even servers.
Microsoft Intune falls under the umbrella of Microsoft Endpoint Manager, as do other familiar Microsoft solutions such as the legacy Configuration Manager and Windows Autopilot. So, let’s look more closely at Microsoft Intune and precisely what it is.
The Microsoft Intune solution provides two key capabilities for the enterprise. These capabilities include:
- Mobile device management (MDM)
- Mobile application management (MAM)
With the capabilities provided by Microsoft Intune, organizations can control many types of devices, including Android, iOS/iPadOS, macOS, and Windows 10 & 11 devices. As expected, Microsoft Intune has native integration with other Microsoft cloud-based solutions, including Azure Active Directory (Azure AD), the Microsoft Defender suite of solutions, and many others.
Microsoft is still providing on-premises interoperability
Like most technology solutions, Microsoft Intune will not totally replace all legacy tools, at least for now. Some capabilities are found in legacy on-premises Active Directory solutions that are not found yet in Microsoft Intune. For example, there is not yet feature parity with Microsoft Intune configuration profiles and Active Directory Domain Services Group Policy.
However, most businesses today are moving forward with a hybrid cloud strategy, still utilizing on-premises tools but leaning heavily on cloud-based solutions. This allows them to take advantage of the best of both worlds and use the right tool for the job. In the world of end-user clients and the hybrid workforce, cloud-based solutions make the most sense. They remove the barrier and challenges of network connectivity to the legacy solutions housed on-premises.
Microsoft is still leaving the door open to interoperability with the new cloud-based approach and on-premises technologies. Let’s look at a couple of examples of this being the case.
- Microsoft Endpoint Configuration Manager – As part of the Microsoft Endpoint Manager product portfolio, Configuration Manager is an on-premises management solution. Configuration Manager allows configuring endpoints, servers, and laptops as part of the corporate network. In addition, Microsoft now has cloud-enabled Configuration Manager, allowing it to natively connect to the Intune cloud service and use Azure Active Directory (Azure AD), Microsoft Defender solutions, and other Microsoft cloud services.
- Co-management – Microsoft uses the term “Co-management” for this arrangement. With co-management, organizations can choose which solution best meets their needs for managing and configuring end-user clients, either Intune or Configuration Manager.
- The Intune Connector for Active Directory – Microsoft has created an Intune Connector for Active Directory Domain Services, allowing it to add entries to your on-premises Active Directory Domain Services environment for computers you enroll using Autopilot.
Enroll devices and manage with Microsoft Intune
There are essentially a couple of ways to enroll a device with Microsoft Intune. Consider the example of enrolling a Windows 10 client PC with Microsoft Intune. Let’s look at the following two ways to enroll a client with Microsoft Intune:
- Windows Autopilot – The Windows Autopilot solution provisions new devices and applies Intune configurations automatically to get the new devices ready for use. It includes a collection of technologies that can pre-configure, reset, repurpose, and recover devices.
The Windows Autopilot lifecycle
In this way, IT admins can perform zero-touch provisioning, using the capabilities of Microsoft Intune applied with the Windows Autopilot provisioning engine.
- Company Portal App – The Company Portal App allows an end-user to access sanctioned business-critical resources as part of Microsoft Intune and simplifies the tasks needed for remote work access. It includes:
– Enrolling your device to access corporate resources
– Receiving company-issued certificates by signing into the Company Portal
– Taking advantage of single-sign-on (SSO)
– Installing approved apps from the IT department or Microsoft Store
– Managing your enrolled devices, including performing a remote wipe if they are lost or stolen
– Receiving help from the IT department
Viewing the Company Portal App in the Microsoft Store
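Whichever enrollment path is used, the first thing a helpdesk technician wants to confirm on a misbehaving client is whether it actually reached Intune. The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the Azure AD join and MDM enrollment state that the built-in `dsregcmd /status` command prints on a Windows 10/11 client and summarizes it. The field names parsed (`AzureAdJoined`, `DomainJoined`, `TenantName`, `MdmUrl`) are those dsregcmd itself reports; the interpretation of a missing `MdmUrl` as "not MDM-enrolled" is the example's own assumption.

```powershell
# Added example (not from the article): summarize the client's Azure AD join
# and MDM enrollment state from `dsregcmd /status` so a technician can confirm
# Intune enrollment before troubleshooting policy or app delivery.

function Get-DeviceEnrollmentState {
    # dsregcmd prints "Name : Value" lines grouped into sections. Parse every
    # such line into a hashtable; a name repeated across sections keeps the
    # first value seen.
    $raw = & dsregcmd.exe /status 2>&1
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $name, $value = $Matches[1], $Matches[2]
            if (-not $fields.ContainsKey($name)) { $fields[$name] = $value }
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($fields['DomainJoined']  -eq 'YES')
        TenantName    = $fields['TenantName']
        # Assumption: a populated MdmUrl means the device is under MDM
        # management (Intune); an empty or absent MdmUrl means not enrolled.
        MdmEnrolled   = [bool]$fields['MdmUrl']
        MdmUrl        = $fields['MdmUrl']
    }
}

$state = Get-DeviceEnrollmentState
$state | Format-List

# Hybrid Azure AD joined devices report both AzureAdJoined and DomainJoined
# as YES. A device that is Azure AD joined but has no MdmUrl completed the
# identity step but never finished Intune enrollment.
if (-not $state.MdmEnrolled) {
    Write-Warning 'Device is not MDM-enrolled; Intune policies and apps will not apply.'
}
```

Run it in a PowerShell session on the client itself. The device-state fields are reported regardless of whether the session is elevated; only the per-user SSO sections of `dsregcmd /status` vary with the signed-in account.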
Provision business applications using Microsoft Intune
One of the great features of using Microsoft Intune is providing business applications to end-users. Instead of IT or the Helpdesk needing physical access to an end-user client or remote desktop access, using Microsoft Intune, applications can simply be assigned and provisioned to Intune managed devices.
Adding a Windows app in Microsoft Endpoint Manager
IT admins have a wide range of choices for provisioning applications on Microsoft Intune-enrolled devices, including custom Windows (Win32) applications.
Select apps for installation in Microsoft Endpoint Manager
Microsoft 365 apps can be easily assigned and provisioned on remote client PCs.
Assigning Microsoft 365 apps in Microsoft Endpoint Manager
Endpoint Security, governance, and configuration profiles
Another area where cloud-based management shines is the ability to control, and gain visibility into, the security posture of end-user clients used by the hybrid workforce. No matter where devices are located or which network they connect to, Microsoft Endpoint Manager’s Endpoint security gives IT admins visibility and control over the security settings, governance, and configuration profiles of remote devices.
Note the tools available in Endpoint Security:
- Security baselines
- Security tasks
- Antivirus management
- Disk encryption controls
- Firewall configuration
- Endpoint detection and response
- Attack surface reduction
- Account protection
- Device compliance
- Conditional access
Microsoft Endpoint Manager Endpoint Security options
In addition to specific security configuration control in Microsoft Endpoint Manager, the Devices blade in the Microsoft Endpoint Manager admin center provides access to tools, including:
- Compliance policies
- Conditional access
- Configuration profiles
- Scripts
- Group Policy analytics
- Update rings for Windows 10 and later
- Feature updates for Windows 10 and later
- Quality updates for Windows 10 and later
- Update policies for iOS/iPadOS
- Enrollment restrictions
- eSIM cellular profiles
- Policy sets
Features such as compliance policies, conditional access, and configuration profiles provide organizations with powerful “Group Policy-like” tools that allow them to control what users and computers can and can’t do, enforce governance, and set conditions that must be met for corporate access.
Organizations can also use the “Update” functionality listed above to control Windows Updates across the board, providing a cloud-based solution that can augment or replace legacy solutions like Windows Server Update Services (WSUS).
Microsoft Endpoint Manager Device tools
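The Endpoint Security and Devices tools above are configured in the admin center, but admins often want to see the actual state of a device before tightening a compliance policy. The following PowerShell script is an added example, not code from the article or from Microsoft: a local posture check covering three of the Endpoint Security areas listed (disk encryption, firewall, antivirus), of the kind that could be delivered through the Scripts feature. It uses the standard `BitLocker`, `NetSecurity`, and `Defender` PowerShell modules; the thresholds (maximum signature age, all three firewall profiles required) and the JSON report shape are the example's own assumptions, not an Intune contract.

```powershell
# Added example (not from the article): local posture check for disk
# encryption, firewall, and antivirus state on a Windows 10/11 client.
# Thresholds and the output format are assumptions for illustration.

Import-Module BitLocker   -ErrorAction Stop
Import-Module NetSecurity -ErrorAction Stop
Import-Module Defender    -ErrorAction Stop

function Test-EndpointPosture {
    param(
        [int]$MaxSignatureAgeDays = 3    # assumed threshold for fresh AV signatures
    )

    # Disk encryption: the OS volume must have BitLocker protection turned on.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $diskOk = ($os.ProtectionStatus -eq 'On')

    # Firewall: every profile (Domain, Private, Public) must be enabled, so a
    # laptop on a public network is not less protected than one on campus.
    $disabledProfiles = @(Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' } |
        Select-Object -ExpandProperty Name)
    $fwOk = ($disabledProfiles.Count -eq 0)

    # Antivirus: Defender enabled, real-time protection on, signatures fresh.
    $mp = Get-MpComputerStatus
    $avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
            ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OsVolumeEncrypted   = $diskOk
        BitLockerStatus     = [string]$os.VolumeStatus
        FirewallAllProfiles = $fwOk
        FirewallDisabled    = ($disabledProfiles -join ',')
        AntivirusHealthy    = $avOk
        SignatureAgeDays    = $mp.AntivirusSignatureAge
        Compliant           = ($diskOk -and $fwOk -and $avOk)
    }
}

$result = Test-EndpointPosture

# Compact JSON is convenient to collect centrally or read back from script output.
$result | ConvertTo-Json -Compress

# Return a non-zero exit code on any failing check so a wrapper or reporting
# pipeline can flag the device.
if (-not $result.Compliant) { exit 1 }
```

Run it from an elevated session: `Get-BitLockerVolume` requires administrator rights, and a script delivered through Intune's Scripts feature runs in the system context by default. A device that fails this local check is the one a compliance policy with the matching disk encryption, firewall, and antivirus requirements would mark non-compliant, and conditional access would then block from corporate resources.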
Wrapping Up
Microsoft Endpoint Manager, including Microsoft Intune, provides a robust set of cloud-based tools, allowing organizations to meet the hybrid workforce’s challenges effectively. In addition, Microsoft offers multiple ways to enroll devices in Microsoft Intune and several continuing integrations between cloud-based tools and on-premises technologies.
As shown, Microsoft Endpoint Manager provides a myriad of capabilities for managing Microsoft Intune-enrolled devices. These include security, governance, configuration enforcement, and tools to manage other lifecycle tasks such as Windows Updates. As businesses continue to support the hybrid workforce and use cloud-based solutions, Microsoft Intune device management will remain a great tool to empower companies to meet the challenges of remote work.