2. George Chrysovalantis Grammatikos
MCSA: Cloud Platform, MS Dynamics 365 | Azure Solutions Architect Expert | Microsoft Azure MVP
E-mail: george@cloudopszone.com
Blog: https://cloudopszone.com
Microsoft Wiki Profile: George Chrysovalantis Grammatikos
Tech Community Profile: George Chrysovalantis Grammatikos
Working with MS Endpoint Manager
3. Enterprise Mobility + Security
Azure Active Directory
MS Endpoint Configuration Manager
MS Intune
Azure Information Protection
MS Cloud App Security
MS Advanced Threat Analytics
MS Defender for Identity
ATP
4. What is the Endpoint Manager?
Endpoint Manager is a Microsoft cloud service that lets us centrally manage corporate-owned and personal devices, including mobile phones.
6. Enrollment Methods
Add work or school account
Enroll in MDM only (User driven)
Azure AD Join (Out Of the Box Experience - OOBE)
Azure AD Join (Autopilot – User driven deployment mode)
Azure AD Join (Autopilot – Self-deploying mode)
Enroll in MDM only (Device Enrollment Manager)
System Center Configuration Manager co-management
Azure AD Join (Bulk Enrollment)
7. MS Intune – MDM and MAM
Source: https://docs.microsoft.com/el-gr/mem/intune/fundamentals/high-level-architecture
MDM: Mobile Device Management
MAM: Mobile Application Management
9. Configuration Profiles
Device Restrictions
• Minimum password length (12)
• Password expiration days (180 days)
• Block simple passwords
• Number of failed sign-ins before wiping the device (full wipe)
• Microsoft Defender Antivirus
• …
Endpoint Protection
• Microsoft Defender SmartScreen
• Microsoft Defender Firewall
• Windows encryption (BitLocker disk encryption)
• Microsoft Defender Application Control
• Local device security options
• …
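As an added worked example (not from the slides and not Microsoft's code), the following Python script checks exported Intune Windows 10 device configuration profiles against the password baseline listed on the Device Restrictions slide: minimum length 12, expiration within 180 days, simple passwords blocked, and a failed-sign-in count that triggers a wipe. The property names follow the Microsoft Graph windows10GeneralConfiguration resource type (the body returned by GET /deviceManagement/deviceConfigurations); the two sample profiles are constructed for this example, and the ceiling of 10 failed sign-ins before wipe is an assumption, since the slide names the setting but gives no value.

```python
from __future__ import annotations

# Baseline values from the slide; the failed-sign-in ceiling is an assumption
# made for this example (the slide lists the setting without a number).
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_EXPIRATION_DAYS = 180
MAX_SIGNIN_FAILURES_BEFORE_WIPE = 10  # assumed ceiling

# Graph resource type for a Windows 10 "device restrictions" style profile.
GENERAL_CONFIG_TYPE = "#microsoft.graph.windows10GeneralConfiguration"


def check_profile(profile: dict) -> list[str]:
    """Return a list of findings; an empty list means the profile meets the baseline."""
    odata_type = profile.get("@odata.type")
    if odata_type != GENERAL_CONFIG_TYPE:
        return [f"unsupported profile type {odata_type!r}"]

    findings: list[str] = []

    if profile.get("passwordRequired") is not True:
        findings.append("passwordRequired is not enabled")

    length = profile.get("passwordMinimumLength")
    if length is None or length < MIN_PASSWORD_LENGTH:
        findings.append(f"passwordMinimumLength {length} is below {MIN_PASSWORD_LENGTH}")

    expiry = profile.get("passwordExpirationDays")
    if expiry is None or not 0 < expiry <= MAX_PASSWORD_EXPIRATION_DAYS:
        findings.append(
            f"passwordExpirationDays {expiry} is not within 1..{MAX_PASSWORD_EXPIRATION_DAYS}"
        )

    if profile.get("passwordBlockSimple") is not True:
        findings.append("passwordBlockSimple is not enabled")

    failures = profile.get("passwordSignInFailureCountBeforeFactoryReset")
    if failures is None:
        findings.append(
            "passwordSignInFailureCountBeforeFactoryReset is not configured "
            "(device is never wiped after repeated failed sign-ins)"
        )
    elif failures > MAX_SIGNIN_FAILURES_BEFORE_WIPE:
        findings.append(
            f"passwordSignInFailureCountBeforeFactoryReset {failures} exceeds "
            f"{MAX_SIGNIN_FAILURES_BEFORE_WIPE}"
        )
    return findings


def is_compliant(profile: dict) -> bool:
    return not check_profile(profile)


def check_profiles(profiles: list[dict]) -> dict[str, list[str]]:
    """Check the 'value' array of a Graph deviceConfigurations response, keyed by displayName."""
    return {p.get("displayName", "<unnamed>"): check_profile(p) for p in profiles}


# Constructed sample profiles (not real tenant data).
WEAK_PROFILE = {
    "@odata.type": GENERAL_CONFIG_TYPE,
    "displayName": "Win10 - legacy password settings",
    "passwordRequired": True,
    "passwordMinimumLength": 6,
    "passwordExpirationDays": 365,
    "passwordBlockSimple": False,
    # passwordSignInFailureCountBeforeFactoryReset deliberately absent
}

HARDENED_PROFILE = {
    "@odata.type": GENERAL_CONFIG_TYPE,
    "displayName": "Win10 - corporate baseline",
    "passwordRequired": True,
    "passwordMinimumLength": 12,
    "passwordExpirationDays": 180,
    "passwordBlockSimple": True,
    "passwordSignInFailureCountBeforeFactoryReset": 10,
}

if __name__ == "__main__":
    for name, findings in check_profiles([WEAK_PROFILE, HARDENED_PROFILE]).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Feed it the JSON you export from Graph and the profiles that drift from the baseline are listed with the exact property to fix; a profile of another type (for example an Android configuration) is reported rather than silently passed.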
10. Windows Apps Policies
App Configuration Policies
• Install MS365 Apps (Word, Excel, OneDrive, etc.)
• Install Line-of-business app
• Install Windows app (Win32)
• Install Microsoft Edge, version 77 and later
• …
11. Options for corporate data removal
Full wipe
• Restore device to factory defaults
• All data on the device is removed
• Device is reset to factory defaults
• Typically used for lost/stolen devices or resetting corporate-owned devices
Selective wipe
• Remove company assets from device
• Company resources (apps, data, profiles, certificates, settings, and email) are removed
• MAM support adds the ability to remove only corporate data from multi-account applications
• Typically used for personal-owned devices
Retire device
• Retire device from MDM
• Company resources (apps, data, settings, email profiles) are removed
• Leaves the user's personal data
• Typically used for contractors' devices
12. Important Tips to follow
• Always store corporate files in MS365 (SharePoint, OneDrive Online)
• Use apps like LastPass to keep corporate passwords
• Keep the Windows OS and antivirus/antimalware fully updated
• Frequently scan devices for malware/viruses
• Reboot the device after Windows Update installation
13. Windows Autopilot – Process Overview
Source: https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot
Windows Autopilot enables you to:
• Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). For more information about the differences between these two join options, see Introduction to device management in Azure Active Directory.
• Auto-enroll devices into MDM services, such as Microsoft Intune (requires an Azure AD Premium subscription for configuration).
• Restrict the Administrator account creation.
• Create and auto-assign devices to configuration groups based on a device's profile.
• Customize OOBE content specific to the organization.
15. MS Intune licensing
• Microsoft 365 E5
• Microsoft 365 E3
• Enterprise Mobility + Security E5
• Enterprise Mobility + Security E3
• Microsoft 365 Business Premium
• Microsoft 365 F1
• Microsoft 365 F3
• Microsoft 365 Government G5
• Microsoft 365 Government G3
• Intune for Education
16. Enterprise Mobility + Security pricing options
Enterprise Mobility + Security E3 vs. Enterprise Mobility + Security E5
Identity and access management
  E3: Simplified access management and security, MFA, Conditional access, Advanced security reporting, Privileged identity management, Windows Server CAL*
  E5: Simplified access management and security, MFA, Conditional access, Risk-based conditional access, Advanced security reporting, Privileged identity management, Windows Server CAL*
Endpoint management
  E3: Mobile application management, Advanced MS O365 data protection, Integrated PC management, Integrated on-premises management
  E5: Mobile application management, Advanced MS O365 data protection, Integrated PC management, Integrated on-premises management
Information Protection
  E3: Persistent data protection, Document tracking and revocation, Encryption key management per regulatory needs
  E5: Persistent data protection, Intelligent data classification and labeling, Document tracking and revocation, Encryption key management per regulatory needs
Identity-driven security
  E3: Microsoft Advanced Threat Analytics (1)
  E5: Microsoft Advanced Threat Analytics (1), Microsoft Cloud App Security, Microsoft Defender for Identity
1. Microsoft Advanced Threat Analytics (ATA) will end Mainstream Support on January 12, 2021. Extended Support will continue until January 2026. Find additional information here.
* Customers purchasing Windows Server CAL agreements, Microsoft Endpoint Configuration Manager, System Center Endpoint Protection, Microsoft Active Directory Rights Management Services CALs via the Microsoft Enterprise Volume Licensing agreements may purchase the Enterprise Mobility + Security Add-on offer.
** Open estimated retail per-month pricing. Pricing is in US dollars and can vary by country. Volume discounts are also available. To receive a quote, contact your partner or Microsoft representative.
17. MS Intune Useful Links
• Azure AD joined
• Set up enrollment for Windows devices
• Bulk enrollment for Windows devices
• Azure AD joined with Autopilot (User driven mode)
• Device Enrollment Manager (DEM)
• Demonstrate Autopilot deployment