Microsoft Endpoint Manager Simplifies Remote PC Management During Pandemic
There are lots of ways to manage Windows devices remotely, but many of them require direct network connectivity to the remote devices. For example, if you need to install or update software remotely, you can do it with PowerShell and a little help from a package manager. That's fine if your management workstation and the remote PCs are all on the same network, or if remote devices connect to the corporate intranet over a VPN that's configured for 'manage out' scenarios (so the management workstation can initiate connections to the clients).
But as 2020 saw many companies move employees to remote working, those without the right infrastructure in place not only struggled to provide secure access to corporate resources, but also to update and manage remote devices. Creating custom solutions using PowerShell, package managers, or whatever other scripting solutions come to mind, might be OK for small organizations. But it’s not always a good option when you need to scale out an endpoint management solution and have a large IT team with mixed skillsets.
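The 'manage out' scripting approach described above, as an added example that is not code from the original article. It pushes a package install or upgrade to a list of domain-joined PCs over WinRM, and the reachability check at the top is exactly the step that fails for a laptop that is on the Internet but not on the corporate network or a manage-out VPN. The computer names and package ID are placeholders, and the script assumes (none of this is stated on the page) that the names resolve, WinRM is enabled on the targets, the caller is a local administrator on them, and Chocolatey is already installed on each PC.

```powershell
# Added example (not from the original article). Assumptions: the listed
# computer names resolve and accept WinRM, the caller is a local admin on
# them, and Chocolatey is installed on each target.
$computers = 'PC01', 'PC02', 'PC03'   # placeholder computer names
$packageId = '7zip'                   # placeholder Chocolatey package ID

# Chocolatey treats 1641 and 3010 as success that needs a reboot.
$successCodes = 0, 1641, 3010

$results = foreach ($pc in $computers) {
    # Connectivity check: Test-WSMan needs a direct route to the client.
    # An Internet-only client with no VPN fails here, which is the gap that
    # CMG, IBCM or MDM exist to close.
    if (-not (Test-WSMan -ComputerName $pc -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Computer = $pc; Status = 'Unreachable'; ExitCode = $null }
        continue
    }

    try {
        Invoke-Command -ComputerName $pc -ErrorAction Stop -ArgumentList $packageId -ScriptBlock {
            param($id)
            # 'upgrade' installs the package if it is missing and updates it otherwise.
            & choco upgrade $id -y --no-progress | Out-Null
            $code = $LASTEXITCODE
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Status   = if ($using:successCodes -contains $code) { 'OK' } else { 'Failed' }
                ExitCode = $code
            }
        }
    }
    catch {
        # Typical causes: Kerberos/auth failure, WinRM listener refused, or the
        # remote session timing out mid-install.
        [pscustomobject]@{ Computer = $pc; Status = "Error: $($_.Exception.Message)"; ExitCode = $null }
    }
}

$results | Format-Table Computer, Status, ExitCode -AutoSize
```

Run it from an elevated PowerShell session on a management workstation that is on the same network as the targets (or on a manage-out VPN). The point of the example is the first branch: every PC that is only reachable over the Internet shows up as Unreachable, and no amount of scripting fixes that without either a VPN or one of the cloud-facing management channels described in the rest of this article.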
A new name and simplified licensing
At Ignite in November 2019, Microsoft launched Microsoft Endpoint Manager (MEM). MEM is a new brand for Microsoft's enterprise system configuration products. The idea was to bring Intune, Microsoft's Mobile Device Management (MDM) solution, and SCCM (now Microsoft Endpoint Configuration Manager, or MECM) under the umbrella of one product title, and to reassure customers that Microsoft wasn't about to stop supporting SCCM. The move also lets organizations that already license Configuration Manager co-manage their Windows endpoints with Intune through the cloud service in MEM without buying additional licenses.
Not only are licensing and branding simplified, but Microsoft also plans to integrate the administration experiences of Intune and MECM. In early 2020, Microsoft had already added cloud intelligence to some Configuration Manager features, using data collected across its cloud services. The integration between Intune and MECM gets closer with each new release.
Co-management for Configuration Manager clients over the Internet
Cloud Management Gateway (CMG) is not a new feature. It lets organizations manage Configuration Manager clients over the Internet without a VPN. Configuration Manager was originally designed to manage devices connected to a corporate intranet, but as more employees work remotely, Microsoft saw the need to extend its capabilities to include remote device management.
Cloud Management Gateway is deployed in Azure and manages Windows devices that are joined to a Windows Server Active Directory (AD) domain. Devices joined to Windows Server AD authenticate to the gateway with client certificates, so the organization needs a PKI to issue them. Windows 10 devices that are Azure AD joined or hybrid Azure AD joined authenticate with Azure AD tokens instead and don't need a PKI or client certificates to connect to CMG.
CMG can perform the following functions on endpoints:
- Software updates and endpoint protection
- Inventory and client status
- Compliance settings
- Software distribution to the device
- Windows 10 in-place upgrade task sequence
Additionally, organizations can distribute software to Windows 10 clients that are Azure AD joined. Beyond a CMG connection point role on an existing site system server, which makes only outbound connections to the gateway in Azure, CMG doesn't require organizations to provision additional on-premises infrastructure or expose existing infrastructure to the Internet.
Internet-based client management
Organizations that don't want to rely on Microsoft's CMG service can use Internet-based client management (IBCM) instead. It involves deploying Internet-facing site system servers that remote clients communicate with directly. IBCM requires additional investment in on-premises infrastructure, including a PKI to provision the certificates that secure the communication channel, and it means exposing those site system servers to the Internet.
Cloud-only management using Microsoft Intune
Finally, organizations can manage remote devices using Intune's MDM capabilities. MDM doesn't require any on-premises infrastructure. Intune is included in some Microsoft 365 subscriptions, it is licensed as part of Microsoft Endpoint Manager for co-managed Windows devices only, and it can be bought as a standalone service.
Intune's Group Policy analytics feature, which is currently in preview, analyzes imported Group Policy Objects and reports which settings have an MDM equivalent. That helps organizations retire Group Policy settings that can be moved to MDM. Removing unneeded Group Policy settings reduces reliance on on-premises infrastructure for device management and can improve logon performance.
Configuration Manager isn’t going away anytime soon
While Microsoft isn't planning to kill off Configuration Manager, it would prefer you use its Intune service to manage devices. If you're a small organization, Intune is easier to get started with and less complex to manage because it doesn't require on-premises infrastructure. Furthermore, Configuration Manager requires a skill set that might only be available in larger businesses.
Microsoft Intune, or another MDM service, is a good starting point for remote management if you are looking for an endpoint management solution and don't have an existing product. Custom solutions, like PowerShell scripting, still require you to put infrastructure in place to provide network connectivity between management workstations and remote devices. And while Intune incurs a monthly fee, it's easier to use and more convenient than deploying a custom solution.