To Microsoft, System Center Configuration Manager and Intune are the same thing: ways of managing the PCs and servers and other devices in your organisation that use the cloud and Config Manager to deliver a ‘modern’ management experience that makes both IT and users happy, with secure PCs that start faster, last longer and crash less.
To customers, though, they’ve been completely different things. Renaming their shared platform Microsoft Endpoint Manager (MEM) is part of clearing up confusion and reassuring customers that when Intune gets a new feature, that’s not a step closer to killing off Config Manager and pushing everyone to the cloud. Corporate vice president for Microsoft 365 Brad Anderson explained the decision to TechRepublic.
Anderson had long resisted name changes. “But what I came to realise over the last year is that while I think about Config Manager and Intune as one, there were all these things that got in the way of our customers thinking about them as one — branding, licencing and product,” he said.
The new name was picked because it lets Microsoft add new options to the management platform — Anderson emphasised that “any endpoint can be managed” — and to avoid the appearance that either the cloud or on-premises management approach had ‘won’ by reusing either of the existing names. If you want to keep using Config Manager because you have solutions built on it, or you need management options that Intune doesn’t have, Microsoft wants you to keep on using Config Manager — but to add on the extra features that the cloud connection can bring.
Licensing is also much clearer: if you already have Config Manager licences, they now cover co-managing Windows devices through Intune (or rather, through the cloud service in Microsoft Endpoint Manager) to get features like analytics, conditional access and management beyond the firewall, without needing any extra licences. If you want to manage non-Windows devices via Microsoft Endpoint Manager you do still need a separate Intune licence (which you can get on its own, as part of the Enterprise Mobility & Security licence or as part of a Microsoft 365 E3 or E5 licence).
“We would be talking to customers and asking them why they hadn’t turned on co-management and attached Intune to Config Manager, and it was remarkable how often we would hear ‘well, we don’t know if we’re licenced for it’,” Anderson said.
But Microsoft Endpoint Manager is more than just a new name for something organisations might already have without realising it. Coming early in 2020 is the Microsoft Endpoint Manager Admin Center, a new web console for managing all your devices — even Macs managed via Jamf integrated with Intune.
“We wanted to bring together an integrated admin experience for all of it. You have all the devices that are being managed by Intune, by Config Manager: everything comes up in one place and it will become that single point of administration.”
This integration goes beyond the usual ‘single pane of glass’ idea. The 1910 release of Microsoft Endpoint Configuration Manager (as SCCM is now known) is already adding more of what Anderson calls ‘cloud intelligence’ — PC management features that might be delivered through Config Manager but that rely on analytics and intelligence in the cloud.
There are two steps to connecting Intune to Config Manager, which deliver different benefits. Tenant Attach gives you the new EMAC console and analytics options that provide information about the state of your PCs. The new Desktop Analytics is part of that, and unlike the previous Windows Analytics it requires Config Manager. That’s so the service knows which tenant the PCs it’s monitoring are part of. “We need to have an authoritative source for what the PC estate is for an organisation, and that’s going to be Config Manager,” Anderson said.
Tenant Attach also enables integration with Defender Advanced Threat Protection and Desktop Analytics to see security tasks that should be a priority for your organisation in the same console where you’ll deploy them to PCs. That’s part of the way Microsoft is trying to improve productivity across security and IT operations teams by making it clearer what PCs are affected by an issue, what you can do about it, and how successfully the fix has been applied.
You also need Client Attach (or ‘co-management’), where you enrol Config Manager devices into Intune, to get conditional access, management outside your firewall and the new Autopilot support in 1910 for provisioning new Windows 10 PCs.
Adding co-management is a good time to review what Group Policy you have set, and whether you can remove any of that — old GPOs that you don’t need any more could be slowing down PCs. Intune’s new Policy Analytics feature (currently in private preview) scans existing Group Policy and shows how much of that you could move to MDM through Intune. (That will also help Microsoft see which GPOs organisations are using that need to be added to Intune.)
Improving the user and technology experience
If you need inspiration to get rid of some of those old policies, take a look at the new Productivity Score. This covers user experience and technology experience, showing if you’re taking advantage of what’s new in Office 365 and Microsoft 365, or if users are getting the same slow experience that has plagued company PCs for years. The first is about whether people are using Office 365 features like sharing and co-authoring through OneDrive and Teams, rather than sending round attachments and combining multiple versions at the end. It also covers the experience of working with Office 365: if that’s poor, it’s usually because your corporate network is getting in the way.
“Within the same company, you have some users who have just blazing speed when they’re interacting with files in Office 365, and others for whom it’s just incredibly slow. When you dig into it, 99 percent of the time it’s networking. Like, for people working in the Singapore office all the networking traffic is coming back to Detroit before it goes out to the internet,” said Anderson.
The technology experience score looks at three metrics for Windows: boot time, battery life and the number of crashes, and lists actions you can take to improve things.
Anderson recounts stories of executives asking him why their PCs are so slow, like a CFO who was eight minutes late for a Skype call because that’s how long it took his PC to boot. Sometimes that’s the hardware — and usually it’s about having hard drives rather than SSDs. “It’s remarkable how often I’ve heard horror stories of the procurement team, to save $200 per PC, buying poor hardware and that laptop then held people back for the next four years.”
But the other big reason for slow boot times is the number of GPOs and the number of monitoring agents on a PC (which can also increase the number of crashes). When Anderson looked at the CFO’s PC, he found it was running “dozens of agents”.
“There are basically three phases of boot: the operating system initialises; you authenticate and then, depending upon the number of agents that you have, there’s a space of time before the box basically comes to an equilibrium. Poor hardware affects it all, if you have a hard drive instead of an SSD. Group policy is the largest impact on the login time. And in the third phase, the number of agents you have on the device is the biggest contributor.”
Microsoft is learning a lot about the difference that makes via initiatives such as Microsoft Managed Desktop, where Microsoft provides and manages the PCs an organisation uses. One customer had PCs that took between eight and ten minutes to boot; Anderson’s team got that down to less than 30 seconds. The big difference? “They had 47 agents on their devices.”
The technology experience score is a way of helping customers who aren’t using the Microsoft Managed Desktop service to get similar improvements. “I want to be able to tell customers why their boot time is three minutes or four minutes, and the best set of actions they should take to improve it,” Anderson explains.
That means getting the security team and IT admins talking, and looking at data rather than just policy.
“Often I’ll hear from the endpoint manager in a company that they have to put all these agents on the device because it’s required by security and compliance. And they’ve never had the data to sit down and have a conversation with these other teams to say, ‘let’s talk about the impact this is having on productivity and on our users’, because you need to balance user experience with security.”
“Microsoft is right to focus MEM and Productivity Score on the employee experience,” says Nick McQuire of analyst CCS Insight. IT teams need to improve the employee experience on PCs, which is often so poor as to slow them down at work. But with CCS Insight’s latest Employee Workplace Technology Survey showing that 42% of employees spend more than three hours a day working on a mobile device, the unified nature of MEM in managing other devices through the same platform is going to be important. So even though Intune PC management is now included with Config Manager, organisations will probably have to plan for the extra Intune licences to manage iOS and Android to really get that modern management.
“By focusing on productivity, unifying desktop and mobile, and focusing on a faster, frictionless experience, Microsoft will help many IT departments catch up with these trends,” McQuire suggests.