What Exactly Is Microsoft Endpoint Manager?


At Ignite 2019 there was some buzz in the area of device management with a new product called “Microsoft Endpoint Manager”. While the product name and management interface may be shiny and new, the underlying products are the same familiar products that device administrators have known for years. We’ll break down what’s included and explain some changes that may benefit (and possibly impact) current and future deployments.

Under The Hood

Microsoft Endpoint Manager is comprised of the following products:

Things That Have Changed

The Name

  • Instead of referring to each of these products individually going forward, Microsoft is trying to simplify by referring to all the aforementioned products under the “Microsoft Endpoint Manager” name.


  • Microsoft is also allowing some existing ConfigMgr customers to add Windows devices to Intune without an extra licensing fee. The criteria appear to be (a) already having ConfigMgr licenses as part of a Software Assurance agreement, and (b) Azure AD Premium P1 licenses. There is currently no licensing benefit to macOS, iOS, or Android as a result of these changes. Either way, I would check with your Microsoft licensing rep to verify your entitlements and any fine print.

Azure AD Requirement


  • Starting with Windows 10 (v1909), BitLocker can be managed in the Microsoft Endpoint Manager Admin Console.

Things That Have Not Changed


  • Can still be utilized as a separate product, with all the same features that currently exist.


  • Can still be utilized as a separate product, with all the same features that currently exist.


  • This was originally positioned as an answer to the problem that Endpoint Manager is now addressing. For now, this still serves a useful purpose for existing customers who have both on-prem and cloud device management needs. There is not really a downside I could find by using this co-management capability immediately. For new customers moving into device management, it makes much more sense to go cloud-native with Endpoint Manager, assuming your environment is already in (or federated to) Azure AD.

Things to Note

No support for Windows Server management

  • At this time, Endpoint Manager cannot manage Windows Server systems, but it will still display managed servers in the Admin Console.

Malware Protection

  • Contrary to what the term “endpoint” is used for in most of the industry with regard to security and malware protection, there is currently no overlap that I could find with this product and the Microsoft Defender Advanced Threat Protection product. There is a link to Microsoft Defender Advanced Threat Protection on the Endpoint Manager landing page, implying integration. But I could find no evidence of actual integration of the two products at the time this article was written.

Productivity Score/Technology Experience Analytics

  • If you currently have these as part of an existing Microsoft 365 or EMS plan, attaching your ConfigMgr deployment to Intune will allow you to gather this data from both places and display it in the Endpoint Manager admin console.


Final thoughts

As much as I think the intention here is to help reduce customer confusion over products, features, and naming – Microsoft has still effectively added yet another name to the pile of already saturated acronyms, similar product names, and product packaging overlap. At the end of the day, every single product listed in this article still exists as its own entity, but now there’s an additional name for a group of them. I’m not sure exactly how this helps because, as I see it, every customer falls more or less into one of the three following categories:

Microsoft 365 Only

This customer is a Microsoft 365-only customer and probably doesn’t care as much how the products they are already entitled to receive are packaged or named.

Microsoft Only (but a mix of On-Prem and Cloud)

This customer may or may not welcome these changes, depending on where they are in their journey. A customer actively moving to Microsoft 365 will welcome consolidation, whereas another customer with only a portion of their infrastructure in the cloud may find it more difficult to keep track of the changes, especially where licensing is concerned.


These are the customers that really lose with the constant changes to names and packaging. If these customers aren’t able to clearly define where their software and solution boundaries are, they are more likely to have gaps, ultimately leading to issues with security and compliance.

To add to that last point, I’ll clarify that this problem isn’t Microsoft-specific. The entire security and device management industry has a lot of growing up to do when it comes to the realization that customers are building their own solutions, comprised of hand-picked vendors that best fit their needs.

Microsoft isn’t totally off the hook, though – they are completely responsible for the current spaghetti ball of licensing and customer comprehension for Microsoft 365 products and features if you don’t fit neatly into one of the E3/E5 buckets. But we’ll save that topic for another article.

(Photo Credit: Microsoft via YouTube)
