Vereinfachen Sie die Geräteverwaltung mit dem Microsoft Endpoint Manager

Modern management is a novel approach of managing Windows 10 similar to how mobile devices are managed by Enterprise Mobility Management (EMM) solutions. This approach allows you to simplify deployment and management, improve security, provide better end-user experiences, and lower costs for your Windows devices. With modern management, you can now manage Windows 10 devices of all kinds, from desktop PCs to HoloLens and Surface Hubs, company-owned or employee-owned, as well as mobile devices using one management platform.

Die moderne Verwaltung ist ein neuer Ansatz für die Verwaltung unter Windows 10, ähnlich wie die Verwaltung von Mobilgeräten mit Enterprise Mobility Management (EMM)-Lösungen. Mit diesem Ansatz können Sie die Bereitstellung und Verwaltung vereinfachen, die Sicherheit verbessern, die Benutzererfahrung verbessern und die Kosten für Ihre Windows-Geräte senken. Dank moderner Verwaltung können Sie nun Windows 10-Geräte aller Art mit einer Verwaltungsplattform verwalten, von Desktop-PCs bis hin zu HoloLens und Surface Hubs, firmeneigenen oder persönlichen Geräten von Mitarbeitern sowie Mobilgeräten.

There are many new and evolving security features built directly in the Microsoft 365 platform, including Windows Hello, Windows Defender Advanced Threat Protection (ATP), Windows Information Protection, Azure AD Identity Protection, Conditional Access, and more. These security features are powered by Microsoft Intelligent Security Graph which uses billions of signals, constantly improving machine learning algorithms, and human expertise to help you protect your company data and respond to sophisticated attacks.

• Avoid reimaging with cloud-based device management services such as Microsoft Autopilot for Windows 10 and Microsoft Intune for dynamic provisioning of subscriptions, applications, devices, and user profiles.
• Create self-contained provisioning packages built with the Windows Configuration Designer.
• Use traditional imaging techniques such as deploying custom images using System Center Configuration Manage

bring your own device

choose your own device

You can envision user and device management as falling into these two categories:

1. Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps. With Windows 10, your employees can self-provision their devices.

2. Domain joined PCs and tablets used for traditional applications and access to secure resources. These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises. With Windows 10, if you have an on-premises Active Directory domain that's integrated with Azure AD when employee devices are joined, they will automatically register with Azure AD.

Microsoft Endpoint Manager helps deliver the modern workplace and modern management to keep your data secure, in the cloud and on-premises. Endpoint Manager includes the services and tools you use to manage and monitor mobile devices, desktop computers, virtual machines, embedded devices, and servers.

Microsoft Intune

Configuration Manager

Co-management

Desktop Analytics

Windows Autopilot

Azure Active Directory (AD)

Intune is a 100% cloud-based mobile device management (MDM) and mobile application management (MAM) provider for your apps and devices. It lets you control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10 devices. It integrates with other services, including Azure Active Directory (AD), mobile threat defenders, ADMX templates, Win32 and custom LOB apps, and more.

The Intune Connector for Active Directory adds entries to your on-premises Active Directory domain for computers that enroll using Windows Autopilot.

The Intune Exchange connector allows (or blocks) device access to your Exchange servers if devices are enrolled in Intune, and compliant with your policies.

The Intune certificate connector processes certificate requests from devices that use certificates for authentication and S/MIME email encryption.

Configuration Manager is an on-premises management solution to manage desktops, servers, and laptops that are on your network or internet-based. You can cloud-enable it to integrate with Intune, Azure Active Directory (AD), Microsoft Defender ATP, and other cloud services. Use Configuration Manager to deploy apps, software updates, and operating systems. You can also monitor compliance, query and act on clients in real time, and much more.

As part of Endpoint Manager, continue to use Configuration Manager as you always have. If you're ready to move some tasks to the cloud, consider co-management.

Co-management combines your existing on-premises Configuration Manager investment with the cloud using Intune and other Microsoft 365 cloud services. You choose whether Configuration Manager or Intune is the management authority for the seven different workload groups.

Desktop Analytics is a cloud-based service that integrates with Configuration Manager. It provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows clients. The service combines data from your organization with data aggregated from millions of devices connected to the Microsoft cloud. It provides information on security updates, apps, and devices in your organization, and identifies compatibility issues with apps and drivers. Create a pilot for devices most likely to provide the best insights for assets across your organization.

Windows Autopilot sets up and pre-configures new devices, getting them ready for use. It's designed to simplify the lifecycle of Windows devices, for both IT and end users, from initial deployment through end of life.

As part of Endpoint Manager, use Autopilot to preconfigure devices, and automatically enroll devices in Intune. You can also integrate Autopilot with Configuration Manager and co-management for more complex device configurations (in preview).

Azure AD is used by Endpoint Manager for identity of devices, users, groups, and multi-factor authentication (MFA). Azure AD Premium, which may be an additional cost, has additional features to help protect devices, apps, and data, including dynamic groups, auto-enrollment, and conditional access.

The admin center is a one-stop web site to create policies and manage your devices. It plugs-in other key device management services, including groups, security, conditional access, and reporting. This admin center also shows devices managed by Configuration Manager and Intune (in preview).

Microsoft Intune is an MDM and MAM provider for your devices

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Intune is integrated as part of the Microsoft Endpoint Manager in Microsoft 365, and enables users to be productive while keeping your organization data protected. It integrates with other services, including Microsoft 365 and Azure Active Directory (Azure AD) to control who has access, and what they have access to, and Azure Information Protection for data protection. When you use it with Microsoft 365, you can enable your workforce to be productive on all their devices, while keeping your organization's information protected.

• Choose to be 100% cloud with Intune, or be co-managed with Configuration Manager and Intune.

• Set rules and configure settings on personal and organization-owned devices to access data and networks.

• Deploy and authenticate apps on devices -- on-premises and mobile.

• Protect your company information by controlling the way users access and share information.

• Be sure devices and apps are compliant with your security requirement

With Intune, you manage devices using an approach that's right for you. For organization-owned devices, you may want full control on the devices, including settings, features, and security. In this approach, devices and users of these devices "enroll" in Intune. Once enrolled, they receive your rules and settings through policies configured in Intune. For example, you can set password and PIN requirements, create a VPN connection, set up threat protection, and more.

For personal devices, or bring-your-own devices (BYOD), users may not want their organization administrators to have full control. In this approach, give users options. For example, users enroll their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps.

With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in public preview), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future.

• See the devices enrolled, and get an inventory of devices accessing organization resources.

• Configure devices so they meet your security and health standards. For example, you probably want to block jailbroken devices.

• Push certificates to devices so users can easily access your Wi-Fi network, or use a VPN to connect to your network.

• See reports on users and devices that are compliant, and not compliant.

• Remove organization data if a device is lost, stolen, or not used anymore.

If you have an existing on-premises Configuration Manager infrastructure, you can connect it with your cloud-based Intune management system using the “co-management” function from Configuration Manager. This cloud-connected scenario lets you manage Windows 10 devices using Configuration Manager and Microsoft Intune concurrently. It brings Intune functionality into your device management ecosystem

Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. Co-management lets you cloud-attach your existing investment in Configuration Manager by adding new functionality like conditional access

When a Windows 10 device has the Configuration Manager client and is enrolled to Intune, you get the benefits of both services. You control which workloads, if any, you switch the authority from Configuration Manager to Intune. Configuration Manager continues to manage all other workloads, including those workloads that you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.

You're also able to pilot a workload with a separate collection of devices. Piloting allows you to test the Intune functionality with a subset of devices before switching a larger group.

• Existing Configuration Manager clients: You have Windows 10 devices that are already Configuration Manager clients. You set up hybrid Azure AD, and enroll them into Intune.

• New internet-based devices: You have new Windows 10 devices that join Azure AD and automatically enroll to Intune. You install the Configuration Manager client to reach a co-management state.

• Conditional access with device compliance
• Intune-based remote actions, for example: restart, remote control, or factory reset
• Centralized visibility of device health
• Link users, devices, and apps with Azure Active Directory (Azure AD)
• Modern provisioning with Windows Autopilot
• Remote actions

Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.

Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram:

When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g., from Windows 10 Pro to Windows 10 Enterprise) to support advanced features.

Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, Microsoft Endpoint Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.

• Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join).

• Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription for configuration).

• Restrict the Administrator account creation.

• Create and auto-assign devices to configuration groups based on a device's profile.

• Customize out of box experience (OOBE) content specific to the organization.

Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach.

From the user's perspective, it only takes a few simple operations to make their device ready to use.

From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated.