Endpoint Management: Configuration Manager, Intune or Both?
According to Microsoft, “Microsoft Endpoint Manager is a single, integrated endpoint management platform for managing all your endpoints. This Microsoft Endpoint Manager admin center integrates ConfigMgr and Microsoft Intune.”
What is the Current State of Device Management?
It’s no surprise that many people thought that ConfigMgr was on it’s way out with so many stories doing the rounds, whispering the narrative that ConfigMgr was soon to be replaced by Microsoft’s cloud solution, Intune. As a result, many people were gearing up to abandon installations of ConfigMgr and to install Intune instead. However, during the Ignite conference last fall, there were a couple of big announcements that contradicted this narrative:
- Microsoft’s System Center Configuration Manager is now part of a suite of products called Microsoft Endpoint Management Suite.
As well as ConfigMgr and Intune, the Microsoft Endpoint Suite also includes:
- Desktop Analytics – which allows you to make intelligent decisions around application compatibility and OS upgrade preparedness
- AutoPilot Features – which are part of Intune online services
- A set of additional features – which are available in the cloud services
Essentially, this whole suite of tools has become one single product. At the Midwest Management Summit, Microsoft was crystal clear that Configuration Manager is now part of this Endpoint Management suite and it’s not going anywhere.
The Endpoint Management suite is an integrated solution that allows IT admins to manage their cloud-based products, using Microsoft Intune, for:
- cloud infrastructure,
- and security administration.
And Microsoft ConfigMgr for the on-premises piece. Plus, the additional tools that together make up the Endpoint Management Suite.
- If you are licensed for ConfigMgr on your Windows devices, you are licensed to manage those devices on Intune as well.
You don’t need any additional licensing to manage your Windows devices with Intune if you are already licensed with ConfigMgr. This is a big change as it has simplified the whole licensing question and opened the door for many organizations that are using ConfigMgr to take advantage of Intune as well.
Is Intune Licensing included in Microsoft 365 E3 CALS?
Yes, you have the rights to use Configuration Manager to manage clients covered by the EMS license. Please check out Microsoft’s FAQs for Configuration Manager branches and licensing to find out more >
In summary, the recent changes to the Endpoint Management landscape are:
- Co-managed team – There is now a single group of people at Microsoft who work on both ConfigMgr and Intune – they are in constant dialogue about each of the products.
- Unified Endpoint Manager – This means that ConfigMgr and Intune capabilities can be controlled in one place.
- Co-licensing of Windows devices – Allows you to manage your Windows devices with Intune if you have ConfigMgr licenses for them.
However, there are still some licensing requirements if you want to manage iOS, Android devices, or anything that is not natively managed by ConfigMgr, along with an Azure AD tenant to support the infrastructure.
Furthermore, in order to manage servers with ConfigMgr, you must have sufficient Server Management Licenses to support the managed devices.
Interested in learning more about Microsoft’s Endpoint Management Suite?
Watch our On-demand Webinar Recording Now, where our senior consultant at Steeves and Associates shares his knowledge and expertise on how you can get the best value from your Endpoint Management system.
What does Configuration Manager Encompass?
Configuration Manager has long been adopted by enterprises as their go-to product for device management. It continues to be state-of-the-art, and for on-premises servers and workstations, ConfigMgr allows a rich hardware and software inventory. ConfigMgr is particularly good at the inventory process, allowing clients to add to their catalog of hardware and software with ease.
As well as asset management, we also have the ability to manage changes to devices e.g. application deployment, software update management and operating system deployment. The administrative features, reporting and monitoring, are also very configurable and very powerful.
These are just some of the things ConfigMgr is known for but typically whatever ConfigMgr does, it does exceptionally well. This is supported by Brad Anderson’s statement:
What is the Future of System Center Configuration Manager?
It seems that Microsoft is continually adding to the System Center Configuration Manager (SCCM) team. It’s not something they are planning to fade out, on the contrary, they are building the team and expanding the capabilities of the SCCM product.
To illustrate the improvements and changes that Microsoft is making to ConfigMgr, please see the image below, which details the last three releases that came out in 2019.
Features are still being added and improvements are still being made. As with any system, ConfigMgr has its strengths and weaknesses and although it’s not the perfect product, it is a long-standing tool from Microsoft and the future is bright. ConfigMgr has a long life ahead and the reports of its death are greatly exaggerated.
Do you need Configuration Manager to Reimage a Computer Using a Custom WIM or to Wipe-and-load a System?
The ability to image a computer (deliver a clean Operating System to an existing device) still requires Configuration Manager. If you use a custom WIM to deploy an Operating System or use a Task Sequence to deploy an Operating System, along with device drivers and other customizations you will require Configuration Manager. If you wish to configure system BIOS including conversion from BIOS to UEFI or change system BIOS settings you will require Configuration Manager. If you wish to use the User State Migration Tool (USMT) to migrate user settings and data from an existing device to a new device, you also require Configuration Manager.
Intune allows for the provisioning of devices with an existing OS. Intune is able to enforce compliance and configuration settings bringing it into alignment with your corporate requirements. Intune is also able to deploy applications to that device once it has been registered in Azure Active Directory and enrolled in Intune management.
Note that depending on your requirements for imaging, Microsoft Deployment Toolkit (MDT) may be appropriate for your needs. It provides many of the imaging functionality of Configuration Manager with less administrative cost and overhead.
What does Intune do Differently?
Intune is Microsoft’s cloud-based management solution, which allows companies to be 100% cloud-based if they so choose.
Intune is a complete Mobile Device Management solution that’ll manage iPhone, Android devices, and Windows operating systems. This software allows you to manage a wider variety of devices than ConfigMgr.
Additionally, Microsoft takes care of the infrastructure for you; there is no need for you to maintain local on-premises infrastructure yourself. Lastly, Intune is extensively integrated with the Enterprise & Mobility Suite, which provides organizations with the ability to deploy and authenticate applications. It supplies a lot of the same capabilities for application deployment and software update management as ConfigMgr, plus it allows you to protect your organizational information by controlling the ways in which users can access it. For example, BYOD (Bring Your Own Device), means a user can use their own device and you can control and secure the corporate data that is being hosted on it.
Can I Deploy Larger and More Complex Applications, Such as AutoCAD, Using Intune or is Configuration Manager Required?
AutoCAD is a large and complex application with many CAD toolsets (e.g. Architecture, Electrical, MEP, Civil 3D) and steps. While it may be technically possible to deploy this using Intune, applications such as AutoCAD may be better suited for a customizable tool like Configuration Manager. There are some who have successfully deployed AutoCAD using Intune, so it is not an impossibility.
Microsoft Intune has some considerable strengths, some of which Configuration Manager is lacking, particularly secure, authenticated access for internet access to corporate data. ConfigMgr doesn’t do any compliance checks, it doesn’t check to make sure your device is healthy or allow you to specify access to certain levels of information. This feature is part of the online suite of tools within the Enterprise & Mobility Suite.
In general, Intune is a very rapidly changing product because of improvements, quality assurances, and functional changes. Management and configuration options are limited when compared to Configuration Manager but as Rick Vanover states below, you don’t move to the cloud simply because you can, you move to the cloud because it’s the right solution for you, it’s the right tool for you and it provides added value to your organization.
To Learn More About Microsoft’s Endpoint Management Suite
Doug Griffin, Endpoint Management and Mobility Architect at Steeves and Associates shares his expert understanding of Microsoft’s Endpoint Management system
Can Configuration Manager & Intune Coexist?
The answer is yes. Microsoft has been very encouraging when it comes to Endpoint Co-Management. As when a business adds Intune into their Configuration Management solution, it is immediately clear they gain some significant benefits.
The below image details the benefits of each solution, plus the additional Intune benefits which users receive when their solution is Co-Managed.
N.B. Although it seems like Intune has the same capabilities as Configuration Manager, some of these features are to a much lesser extent, for example, ‘Hardware Inventory’ is less customizable.
Microsoft is championing businesses moving towards Endpoint Co-Management, not to get rid of Configuration Manager but to ensure users can take advantage of all of the capabilities that are available to them at this time.
So How Does Endpoint Co-Management Work?
To set up Endpoint Co-Management you need to go to ConfigMgr Administration Workspace and connect Co-Management to your Microsoft Azure AD (AAD) tenant. Once this has been connected, each of the different applications e.g. Office Applications, Click-to-Run Applications, Resource Access Policies, etc. can be managed in both Microsoft Intune or ConfigMgr.
The best experience on offer is Endpoint Co-Management, as it has been designed to deliver the best of both ConfigMgr and Intune. If you’re already using ConfigMgr, this is the direction we recommend you go in, as it allows you to manage devices whether or not you’re connected to the internet or an intranet. Endpoint Co-Management provides access to the rich set of ConfigMgr and AAD and Intune capabilities.
What is the Best Endpoint Management Solution for my Environment?
You have four options available to you in terms of device management.
- Configuration Manager Client
- Currently, this is the most common solution and if you already have ConfigMgr installed then this is managing your devices.
- On-Premises Mobile Device Management (MDM) with Configuration Manager
- This allows you to manage on-premises devices using MDM (which is basically an agentless management of Configuration Manager clients). Configuration Manager doesn’t require the System Center Configuration Manager client agent to be installed on the device, it simply uses Mobile Device Management calls to Windows 10 devices. It’s a lighter weight management capability, and much more limited in what it’s able to do.
- Co-Management with Microsoft Intune
- Co-Management as discussed above, gives you the ability to link ConfigMgr and Intune so that you’re taking advantage of the best of both worlds.
- Intune only
- For many organizations, this is the ideal solution as it provides you with mobile device management on the go, you can have a 100% cloud infrastructure, you can deploy applications, and you can also secure all your corporate data.
Now you might be thinking, ‘which Endpoint Management solution do I need’? Ultimately, ask yourself what are your administrative capabilities and your corporate requirements for your Endpoint Management solution.
- ConfigMgr provides significant value to enterprises that have clients with complex requirements. For example, if you’re using a big product like AutoCAD or just heavy operating requirements, you’ll likely find that Intune by itself isn’t an appropriate solution.
- Intune is an excellent solution for the needs of many organizations with less complex requirements, having said that, ConfigMgr can also provide value to smaller organizations but it all depends on your requirements and administrative capabilities.
- In both cases, Endpoint Co-Management enhances the Endpoint Management offering, assuming that you already have ConfigMgr in place.
The below graphic concisely summarizes what we have discussed during this blog and what is covered in even more detail in our On-demand Webinar Recording.
If you would like to learn more about the Microsoft Endpoint Management Suite, contact us today at + 1 888 952 8800 or email firstname.lastname@example.org.
Author: Doug Griffin
Doug Griffin is an experienced Endpoint Management & Mobility Architect at Steeves and Associates. With a focus on System Center Configuration Manager since 1998 as well as Microsoft InTune, there are few in the field that has more hands-on experience. Doug Griffin also holds a wealth of certifications from Microsoft, including MCSA, MCTS, MCITP and is a Microsoft Certified Trainer. Griffin also has a Bachelor of Science from the University of Saskatchewan and over a decade of experience as an MCT, providing classroom and online-based training in ConfigMgr and other Microsoft products. In his time off, Doug enjoys playing Squash, although after years of practice he is still not very good at it.