At Ignite 2019 there was some buzz in the area of device management with a new product called “Microsoft Endpoint Manager”. While the product name and management interface may be shiny and new, the underlying products are the same familiar products that device administrators have known for years. We’ll break down what’s included and explain some changes that may benefit (and possibly impact) current and future deployments.
Under The Hood
Microsoft Endpoint Manager comprises the following products:
Instead of referring to each of these products individually going forward, Microsoft is trying to simplify by referring to all the aforementioned products under the “Microsoft Endpoint Manager” name.
Licensing
Microsoft is also allowing some existing ConfigMgr customers to add Windows devices to Intune without an extra licensing fee. The criteria appear to be (a) already having ConfigMgr licenses as part of a Software Assurance agreement, and (b) Azure AD Premium P1 licenses. There is currently no licensing benefit for macOS, iOS, or Android as a result of these changes. Either way, I would check with your Microsoft licensing rep to verify your entitlements and any fine print.
Starting with Windows 10 (v1909), BitLocker can be managed in the Microsoft Endpoint Manager Admin Console.
Things That Have Not Changed
Intune
Can still be utilized as a separate product, with all the same features that currently exist.
ConfigMgr
Can still be utilized as a separate product, with all the same features that currently exist.
Co-management
This was originally positioned as an answer to the problem that Endpoint Manager is now addressing. For now, it still serves a useful purpose for existing customers who have both on-prem and cloud device management needs. I could not really find a downside to using this co-management capability immediately. For new customers moving into device management, it makes much more sense to go cloud-native with Endpoint Manager, assuming your environment is already in (or federated to) Azure AD.
Things to Note
No support for Windows Server management
At this time, Endpoint Manager cannot manage Windows Server systems, but it will still display managed servers in the Admin Console.
Malware Protection
Contrary to how the term “endpoint” is used in most of the industry with regard to security and malware protection, there is currently no overlap that I could find between this product and the Microsoft Defender Advanced Threat Protection product. There is a link to Microsoft Defender Advanced Threat Protection on the Endpoint Manager landing page, implying integration, but I could find no evidence of actual integration between the two products at the time this article was written.
If you currently have these as part of an existing Microsoft 365 or EMS plan, attaching your ConfigMgr deployment to Intune will allow you to gather this data from both places and display it in the Endpoint Manager admin console.
Final thoughts
As much as I think the intention here is to help reduce customer confusion over products, features, and naming – Microsoft has still effectively added yet another name to the pile of already saturated acronyms, similar product names, and overlapping product packaging. At the end of the day, every single product listed in this article still exists as its own entity, but now there’s an additional name for a group of them. I’m not sure exactly how this helps, because as I see it, every customer falls more or less into one of the three following categories:
Microsoft 365 Only
This customer is a Microsoft 365-only customer and probably doesn’t care as much how the products they are already entitled to receive are packaged or named.
Microsoft Only (but a mix of On-Prem and Cloud)
This customer may or may not welcome these changes, depending on where they are in their journey. A customer actively moving to Microsoft 365 will welcome consolidation, whereas another customer with only a portion of their infrastructure in the cloud may find it more difficult to keep track of the changes, especially where licensing is concerned.
Multi-Vendor
These are the customers that really lose with the constant changes to names and packaging. If these customers aren’t able to clearly define where their software and solution boundaries are, they are more likely to have gaps, ultimately leading to issues with security and compliance.
To add to that last point, I’ll clarify that this problem isn’t Microsoft-specific. The entire security and device management industry has a lot of growing up to do when it comes to the realization that customers are building their own solutions, composed of hand-picked vendors that best fit their needs.
Microsoft isn’t totally off the hook, though – they are completely responsible for the current spaghetti ball of licensing and customer comprehension for Microsoft 365 products and features if you don’t fit neatly into one of the E3/E5 buckets. But we’ll save that topic for another article.