
What You Need to Know About New Microsoft Endpoint Manager Preview

MEM is more than just a rebranding of SCCM and Intune. It's a new cloud console and service that serves up your managed devices, whether they're controlled solely by SCCM and whether they even have internet connectivity.

The only constant in IT is change -- and it's getting faster. It seems like only yesterday that we got a handle on virtualizing fleets of servers, and now it's all about moving those VMs from on-premises to the cloud, or better yet, replacing them with SaaS and PaaS services.

My first brush with what's now System Center Configuration Manager (SCCM) was back when it was called Systems Management Server (SMS) in the late '90s. And now it's changing again -- Microsoft is previewing Endpoint Manager (MEM), its third take on marrying SCCM with the power of the cloud.

When it comes to managing fleets of devices (Windows PCs and servers) in a medium to large enterprise, there's the old way -- SCCM deployed with its associated infrastructure of servers, databases and distribution points that you have to maintain -- and the modern way, Mobile Device Management (MDM). The latter is used for managing mobile devices (iOS, Android) and, whilst not providing the in-depth lockdown of thousands of settings (what I call the Stalin school of IT management), it's cloud-based and more suited to a modern workplace approach (the IT department as an enabler of the business rather than a control-obsessed dictator).

But how do you go from classic to modern and what are the steps? MEM is Microsoft's third take on this journey and it's got all the ingredients for success.

Endpoint Manager
MEM is more than just a rebranding of SCCM and Intune. It's a new cloud console and service that serves up your managed devices: whether they're controlled solely by SCCM (and whether they even have internet connectivity), whether they're managed by Intune and have never seen an on-premises server, or indeed whether they're co-managed by both SCCM and Intune. And it's all of your devices in one console that also provides access to other services that complete the modern device story, such as Desktop Analytics, Windows Autopilot and the new Technology and Productivity scores.

Neither Intune nor SCCM is going away, however. Intune is still the cloud service engine that manages all your devices, albeit with a new console (https://devicemanagement.microsoft.com/), formerly known as DMAC ("Device Management Admin Console") and now called the Endpoint Manager console. And SCCM is the edge computing infrastructure of your MEM deployment, managing bandwidth over your WAN links/Internet pipes and other on-premises tasks.

Co-Management
A long time ago Microsoft offered the Intune connection site system role of SCCM; that solution was limited in scope and has since been retired.

The newer solution, available for a couple of years now, is co-management, where your devices can be managed by both SCCM and Intune and you can gradually transfer workload authority for different services from SCCM to Intune. This has been described by Microsoft in the past as a bridge, but at Ignite 2019 that message was changed to either a bridge or a destination, meaning that you can continue to use SCCM for some services indefinitely if that's what your business needs dictate, while still taking advantage of the benefits of MEM. Co-management gives you Conditional Access (identity-based protection for access to your on-premises and cloud services, i.e. Zero-Trust), Autopilot deployment (see below) and the ability to easily manage roaming devices that don't come to the corporate network.

Figure 1: SCCM and Intune Co-Management Workloads

From a licensing point of view -- if you have SCCM licenses (covered by Software Assurance) today you can add MEM for managing your Windows 10 devices without any additional license cost. If you're going to use MEM to manage iOS and Android devices, you'll need licensing for those. See this FAQ for more information.

From a technical point of view, it's very simple: Just do a tenant attach. Unlike co-management where devices need to be enrolled in Intune as well as have the SCCM agent deployed, this is simply connecting your SCCM servers to MEM in the cloud. This lights up the new console as well as Microsoft Defender ATP integration, Desktop Analytics and the new Technology and Productivity score.

In practice (MEM is still in preview) there are many tasks you'll still do in the SCCM console. Microsoft's first targeted persona for MEM is a helpdesk analyst who can see information in the MEM console about a device that's only managed by SCCM.

Autopilot
Part of the journey from classic to modern management is OS deployment. Traditionally, IT departments would take new devices acquired from an OEM with Windows Pro preinstalled, wipe those devices and deploy their own customized Windows image. This requires gathering the correct drivers for all the different hardware platforms and managing and maintaining multiple images, which means a lot of manual work and ongoing upkeep.

Autopilot has now been around for a few years and simply means that when you buy new devices from an OEM, they (or your distributor) register the devices' unique hardware IDs with your business, so that when those devices are started for the very first time, the normal OEM Windows 10 deployment experience is customized to your company policy. Also: no custom image is required; the pre-installed Windows 10 Pro is automatically upgraded to Enterprise/Education; the device is MDM enrolled; the user isn't a local administrator on the device; and any additional policies you require are sent down to the device. The MEM console will be the new home for managing Autopilot.

Desktop Analytics
This is a cloud service that's been around for a little while (replacing Windows Analytics). It helps you inventory your Windows devices and their OS build versions, and build pilot groups in deployment plans for rolling out the next version of Windows 10. It also analyses your application portfolio and helps you with compatibility verification by gathering data from all your devices. Some large businesses have improved their rollout times for new Windows 10 versions by 4x by relying on data-driven decisions and the machine learning-based insights provided by Desktop Analytics.

Figure 2: Desktop Analytics deployment plan

Technology and Productivity Score
Do you know what the end user experience is in your business? How long does it take for their PC to start, and how often do they have problems with the applications they need to do their work? Most IT departments rely on helpdesk statistics for this insight, but it's a slow and expensive signal, where it can take days for IT to grasp the magnitude of a problem. Additionally, users often "suffer in silence." The new Technology score service in MEM will give IT performance and reliability data from all devices, with analytics providing suggestions for improving boot times (replacing HDDs with SSDs, fixing agents that slow down start-up and altering GPOs that take a long time to process). It'll also allow you to create (or adapt from the community) PowerShell scripts with remediations for particular issues that your helpdesk can run.
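As an added example (not a script from the article or from Microsoft), here is the kind of helpdesk detection check the passage describes, covering the three boot-time factors it lists: last boot duration, spinning disks and auto-start agents. The thresholds and the exit-code convention (0 = healthy, 1 = needs remediation) are assumptions for this example.

```powershell
# Added example: local boot-health detection check for a helpdesk analyst.
# Thresholds and exit-code convention are assumptions, not MEM's own.
$BootTimeThresholdMs = 60000   # assumed: flag boots slower than 60 s
$StartupItemThreshold = 10     # assumed: flag more than 10 auto-start entries
$findings = @()

# 1. Last boot duration from the Diagnostics-Performance log (Event ID 100).
#    The BootTime field is in milliseconds; read it by name from the event XML
#    rather than by property index so a schema change does not silently misread it.
$bootEvent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; Id = 100
} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($bootEvent) {
    $data   = ([xml]$bootEvent.ToXml()).Event.EventData.Data
    $bootMs = [int]($data | Where-Object { $_.Name -eq 'BootTime' }).'#text'
    if ($bootMs -gt $BootTimeThresholdMs) {
        $findings += "Last boot took $([math]::Round($bootMs / 1000)) s " +
                     "(threshold $($BootTimeThresholdMs / 1000) s)"
    }
}

# 2. Any spinning disk in the machine (the article's "replace HDDs with SSDs").
$hdd = Get-PhysicalDisk | Where-Object { $_.MediaType -eq 'HDD' }
if ($hdd) {
    $findings += "HDD present: $($hdd.FriendlyName -join ', ')"
}

# 3. Auto-start entries (agents that slow down start-up).
$startup = @(Get-CimInstance -ClassName Win32_StartupCommand)
if ($startup.Count -gt $StartupItemThreshold) {
    $findings += "$($startup.Count) auto-start entries: $($startup.Name -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output 'Boot health OK'
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

Run it in an elevated PowerShell session; the Diagnostics-Performance log and Get-PhysicalDisk need administrator rights on most builds.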

Figure 3: Technology Score

Productivity score on the other hand is all about how your users are adopting new technology and actually working in modern ways (using Teams to share files instead of emailing attachments for instance).

Figure 4: Productivity Score

Other Improvements
MEM will also be the new home for other endpoint services, such as the new cloud-based BitLocker management service. If you have a large deployment of Windows laptops you're probably using Microsoft BitLocker Administration and Monitoring (MBAM) today, and both SCCM and Intune can be the new homes for this workload.

There's also Device Firmware Configuration Interface (DFCI) for updating and managing the UEFI firmware on devices using MEM. Most businesses don't bother upgrading firmware across their devices, as it's different for each OEM, uses different tools and is time-consuming. DFCI promises to alleviate this across manufacturers (once they get on the DFCI train).

It's still early days for MEM, but it's an intriguing take on bringing the power of cloud computing to SCCM and also bringing Intune and SCCM closer together. It'll be interesting to see how much of the rich functionality of the SCCM console will be migrated to MEM over the coming years.

About the Author

Paul Schnackenburg has been working in IT for nearly 30 years and has been teaching for over 20 years. He runs Expert IT Solutions, an IT consultancy in Australia. Paul focuses on cloud technologies such as Azure and Microsoft 365 and how to secure IT, whether in the cloud or on-premises. He's a frequent speaker at conferences and writes for several sites, including virtualizationreview.com. Find him at @paulschnack on Twitter or on his blog at TellITasITis.com.au.
