Configuring and deploying policies and settings to devices using Microsoft Endpoint Manager


Why MEM?

Microsoft Endpoint Manager (MEM) is a cloud-based solution that allows IT administrators to manage and secure devices across an organization. Presently, it includes two main services: Microsoft Intune and Configuration Manager.


Enrolling devices

To configure and deploy policies and settings to devices, you first need to enrol the devices.

Here are the steps to enrol devices into Microsoft Endpoint Manager (MEM):

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in with your Microsoft 365 Global Administrator account.
  2. In the navigation pane, select Devices > Enroll devices.
  3. Select the type of device you want to enroll: Windows, macOS, iOS, Android, or Chrome OS.
  4. Follow the instructions provided for the type of device you selected to download and run the enrollment profile.
  5. On the device, open the settings app and navigate to the Accounts or Device Management settings.
  6. Select the option to enroll the device, and enter the enrollment profile you downloaded in step 4.
  7. Enter the credentials for the account that you want to use to enrol the device.
  8. The device is now enrolled in MEM.

Note: Generally, these steps may vary slightly depending on the device type and operating system version you are using.

Enrollment Options

Additionally, there are different ways to enrol devices into MEM, such as bulk enrolment, or using third-party MDM solutions.


You can also enrol devices with the Intune Company Portal app, which you can download from the App Store or Google Play Store to enroll a device with Intune.

It is also possible to enrol devices using Azure AD for Windows 10, Windows Autopilot, and Apple DEP for iOS/macOS devices. Each of these options has its own set of requirements and steps that you need to follow.

Deploying policies and settings

After enrolling devices, you can deploy policies and settings to them using Configuration Manager. To do this, you create and deploy Configuration Items (CIs) and Configuration Baselines. CIs define the settings and configurations you want to deploy to devices, and Configuration Baselines, which include one or more CIs, can be assigned to device groups.

This is just a basic example, and the steps might vary depending on the specific settings and configurations you want to deploy. Note also that Configuration Manager uses a pull-based method: the clients must initiate communication with the management point in order to receive policies, software, and other information.

Deployment Settings example

Here is an example of deploying settings and configurations using Configuration Manager in Microsoft Endpoint Manager (MEM):

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in with your Microsoft 365 Global Administrator account.
  2. In the navigation pane, select Devices > Configuration Manager.
  3. Select the Configuration Manager workspace, and then select the Assets and Compliance workspace.
  4. In the Assets and Compliance pane, select the Device Collections node.
  5. Select the device collection to which you want to deploy the configuration.
  6. In the Home tab, in the Create group, select Configuration Item.
  7. On the General page, in the Name field, type a name for the configuration item.
  8. In the Settings group, select one of the configuration items, such as Windows 10 or Windows 7.
  9. Select the settings you want to configure and set the values for those settings.
  10. On the Home tab, in the Create group, select Configuration Baseline.
  11. On the General page, in the Name field, type a name for the configuration baseline.
  12. In the Configuration data group, select the Configuration Items you want to include in the configuration baseline.
  13. Select the device collection to which you want to deploy the configuration baseline.
  14. Select the Deploy button to deploy the configuration baseline.
  15. The configuration will now be deployed to the devices in the selected device collection.
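The same CI, baseline and deployment as the console steps above, built with the Configuration Manager PowerShell module. This is an added example, not code from the original post; the site code, collection name and the registry setting the CI checks (LmCompatibilityLevel = 5, i.e. NTLMv2 only) are placeholders you would replace with your own.

```powershell
# Added example: create a Configuration Item, wrap it in a Baseline and deploy it
# to a device collection. Run from an admin workstation with the ConfigMgr console.
$SiteCode       = 'PS1'                      # placeholder site code
$CollectionName = 'Workstations - Pilot'     # placeholder device collection
$BaselineName   = 'Workstation Hardening Baseline'

# Load the module shipped with the console and switch to the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 1. Configuration Item: the state the device must be in (steps 6-9 in the console)
$ci = New-CMConfigurationItem -Name 'Hardening - NTLMv2 only' `
        -Description 'Lsa\LmCompatibilityLevel must be 5' -CreationType WindowsOS

# A registry value setting with a compliance rule. Non-compliance is reported,
# not remediated, so the baseline acts as a detective control first.
Add-CMComplianceSettingRegistryKeyValue -InputObject $ci `
    -SettingName 'LmCompatibilityLevel' -DataType Integer -Hive LocalMachine `
    -KeyName 'SYSTEM\CurrentControlSet\Control\Lsa' -ValueName 'LmCompatibilityLevel' `
    -ValueRule Equals -ExpectedValue 5 -RuleName 'NTLMv2 only' -ReportNoncompliance

# 2. Configuration Baseline bundling one or more CIs (steps 10-12)
New-CMBaseline -Name $BaselineName -Description 'Pilot hardening checks' | Out-Null
Set-CMBaseline -Name $BaselineName -AddOSConfigurationItem $ci.CI_ID

# 3. Deploy the baseline to the collection, re-evaluated daily (steps 13-14)
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
New-CMBaselineDeployment -Name $BaselineName -CollectionName $CollectionName -Schedule $schedule

# Confirm the deployment exists; clients pick it up on their next policy refresh
Get-CMBaselineDeployment -Name $BaselineName
```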

Monitoring device compliance

In addition to deploying policies and settings, you can also use MEM to monitor device compliance. You can check whether devices are compliant with deployed policies and settings and take action if they are not.


Managing and monitoring step-by-step

Here’s a step-by-step guide on how to manage and monitor device compliance using Microsoft Endpoint Manager (MEM):

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in with your Microsoft 365 Global Administrator account.
  2. In the navigation pane, select Devices > Configuration Manager.
  3. Select the Configuration Manager workspace, and then select the Assets and Compliance workspace.
  4. In the Assets and Compliance pane, select the Device Collections node.
  5. Select the device collection for which you want to check compliance.
  6. In the Home tab, in the Devices group, select Compliance Settings.
  7. In the Compliance Settings pane, you will see the compliance status of the devices in the selected device collection.
  8. You can also create compliance policies, which define the settings and configurations that devices must comply with, and assign them to device collections.
  9. To create a compliance policy, select the Create button in the Compliance Settings pane.
  10. Select the type of compliance policy you want to create, such as Windows 10 or Windows 7.
  11. Select the settings and configurations that you want to include in the policy.
  12. Assign the policy to a device collection by selecting the Assign button.
  13. After assigning the policy, you can monitor the compliance status of devices in the device collection.
  14. You can also take action on non-compliant devices, such as sending a notification, wiping the device, or blocking access to company resources.
  15. You can also create custom reports to monitor device compliance, and use the MEM admin center to view the compliance status of devices.

Troubleshooting


If you encounter issues with policy deployment, there are several troubleshooting steps you can take. These include checking the device logs, reviewing the Configuration Manager status messages, and looking at the device compliance status in the Microsoft Endpoint Manager admin center.

Here are some troubleshooting steps to resolve common issues with policy deployment using Microsoft Endpoint Manager (MEM):

  1. Check the device logs: this is one of the first steps in troubleshooting policy deployment issues, and it helps identify what is preventing the policy from being deployed correctly.
  2. Review Configuration Manager status messages: Configuration Manager generates status messages that provide information about the deployment of policies and settings. You can review these messages to check the status of the deployment and to troubleshoot any issues.
  3. Check device compliance status: The device compliance status in the MEM admin center can provide important information about the deployment of policies and settings. Check the compliance status of devices to see if they are in compliance with the policies.
  4. Check network connectivity: Another common issue that can prevent policy deployment is a lack of network connectivity. Make sure that the devices are able to connect to the Configuration Manager site and that any necessary ports are open.
  5. Install software updates: policy deployment issues can be caused by outdated software on the device. Make sure that the device has the latest software updates installed.

Furthermore:

  1. Check for conflicting policies: In some cases, multiple policies may be conflicting with each other. Review the policies that are deployed.
  2. Verify that the device is enrolled: make sure the device is enrolled in MEM; if not, enroll the device again.
  3. Verify that the device is managed by Microsoft Endpoint Manager.
  4. Check the policy assignment: Verify that the policy is assigned to the correct device collection.
  5. Run a hardware inventory: sometimes the inventory data is not up to date, and this step can help to update it.
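A client-side triage script that runs the checks from both troubleshooting lists (and the device-side view of the compliance status from the monitoring section) in one go. This is an added example, not code from the original post; it assumes the Configuration Manager client is installed, the default log folder C:\Windows\CCM\Logs, and an elevated PowerShell session on the Windows device.

```powershell
# Added example: collect the facts an admin checks first when a policy does not land.
function Get-CMClientTriage {
    [CmdletBinding()] param([int]$LogTail = 40)
    $report = [ordered]@{}

    # Is the device managed at all? Site assignment and current MP come from the client WMI.
    $authority = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority -ErrorAction SilentlyContinue
    $report.SiteAssignment  = if ($authority) { $authority.Name } else { 'NOT MANAGED (no SMS_Authority)' }
    $report.ManagementPoint = $authority.CurrentManagementPoint

    # Network connectivity: pull-based clients must reach the MP on 80 (HTTP) or 443 (HTTPS).
    if ($authority) {
        $report.MPConnectivity = foreach ($port in 80, 443) {
            $t = Test-NetConnection -ComputerName $authority.CurrentManagementPoint -Port $port -WarningAction SilentlyContinue
            '{0}: {1}' -f $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
        }
    }

    # Baseline compliance as the client last evaluated it (LastComplianceStatus 1 = compliant, 0 = non-compliant,
    # anything else = not yet evaluated or unknown). A stale LastEvalTime points at a policy refresh problem.
    $report.Baselines = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration -ErrorAction SilentlyContinue |
        Select-Object DisplayName, LastComplianceStatus, LastEvalTime

    # Enrolment state (Azure AD join / MDM URL) straight from dsregcmd.
    $report.Enrollment = (dsregcmd /status) -match 'AzureAdJoined|DomainJoined|MdmUrl'

    # Recent failures in the policy and compliance agent logs. The pattern is deliberately broad;
    # read the matching lines in CMTrace before acting on them.
    $logs = 'C:\Windows\CCM\Logs\PolicyAgent*.log', 'C:\Windows\CCM\Logs\DCMAgent*.log'
    $report.LogErrors = Get-ChildItem $logs -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Content $_.FullName -Tail $LogTail } |
        Where-Object { $_ -match 'error|fail|0x8' }

    [pscustomobject]$report
}

# Refresh the client: machine policy retrieval (...021) and then hardware inventory (...001),
# which covers the "run a hardware inventory" step without waiting for the schedule.
function Invoke-CMClientRefresh {
    foreach ($id in '{00000000-0000-0000-0000-000000000021}', '{00000000-0000-0000-0000-000000000001}') {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
            -Arguments @{ sScheduleID = $id } | Out-Null
    }
}

Get-CMClientTriage | Format-List
```

Run Invoke-CMClientRefresh after fixing whatever the triage surfaces, then re-run Get-CMClientTriage and check that LastEvalTime has moved forward.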

These are just a few examples of steps to resolve common issues with policy deployment.

Summary

In summary, Microsoft Endpoint Manager (MEM) is a cloud-based solution that allows businesses to manage and secure devices across their organization. In 2023, MEM can help businesses in several ways:

  • Device management: MEM allows businesses to manage and configure devices remotely, which can help to increase productivity and reduce the need for on-site IT support.
  • Security: MEM includes device compliance, conditional access, and mobile device management.
  • Software deployment: MEM allows businesses to deploy software updates and applications to devices remotely, which can help to ensure that devices are up-to-date and that employees have access to the tools they need to be productive.
  • Cloud-based management: MEM is a cloud-based solution, which means that businesses can manage and secure their devices from anywhere, at any time.
  • Remote work: with the trend of remote work increasing, MEM can help businesses securely manage remote devices, ensuring that employees have access to the tools they need to be productive.

Other areas include:

  • Compliance
  • Automation

To end, please watch Andy Malone’s great video regarding deploying Windows 10 using AutoPilot in Microsoft Endpoint Manager. You can find more great content from Andy on his website – https://www.Andymalone.org
