Endpoint Management

What are the Pros and Cons of Microsoft Endpoint Management?

Posted on December 1, 2022

Estimated reading time 6 minutes

Research from IBM found that the average cost per breach is $1.07 million higher when remote work is a contributing factor. So, with every smartphone, IoT device, and application added to an enterprise’s IT stack, the need to establish a uniform approach to security becomes greater.

However, there isn’t an all-in-one solution to cybersecurity; each enterprise server and device requires a different approach to protection. With BYOD and CYOD now the expected norm, a variety of devices, or endpoints, make up a complex landscape that all needs to be updated, secured and managed. A hybrid and remote workforce is mobile once again, and JLM processes within the business are executed remotely. Endpoint management has therefore never been more complex, so companies must establish security baselines to ensure that their security controls are aligned with industry best practice.

Microsoft Intune (previously part of Microsoft Endpoint Manager) allows enterprise security teams to holistically monitor Threat & Vulnerability Management information. It’s also among the market’s top-rated Configuration Management and Enterprise Mobility Management (EMM) tools. It offers a cloud-based solution for remotely managing all company and BYOD devices.

This post explains the pros and cons of Microsoft Endpoint Management and Microsoft Intune. We’ll also share some tips for establishing baseline security policies to provide the best cyber defence.

What is Microsoft Endpoint Manager and Intune?

Microsoft Endpoint Manager (MEM) controls users, apps, and devices from one central location. Microsoft Intune, by comparison, is a mobile device management and mobile application management (MDM and MAM) solution. It offers the same services but is designed to manage cloud-based devices, apps, and data, including BYOD.

It’s compatible with Azure Active Directory, Information Protection, and Microsoft Defender for Endpoint. Organisations can move away from on-premises devices for good through its combined API-native capabilities in cloud-based identity and endpoint management.

Alternatively, companies can use Microsoft Endpoint Manager solutions to build a hybrid cloud environment where employees can use their home or company devices to safely access all workplace systems from anywhere.

In short, Microsoft Intune (and related tools) can present a unified endpoint management solution, providing users with seamless workplace system access, whether using a Mac, PC, or tablet at home.

Pros of Microsoft Endpoint Manager solutions

Centralised control: Endpoint Manager keeps everything in one location, making it easy to provision, reset, and repurpose devices. You can create profiles for all users and grant data access to personnel via the central control management platform. Additionally, Intune lets you push built-in Wi-Fi settings directly to enrolled devices.

Automatic updates: Endpoint Manager tools make it quick and straightforward to distribute security updates to company devices. No waiting is involved, so attackers cannot take advantage of known weaknesses in the meantime.

Automated remediation: Microsoft Defender for Endpoint provides rapid, automated remediation capabilities. It also automates the onboarding, management, and reporting processes for security technologies, including encryption, antivirus software, and firewalls.

Seamless user experience: Companies can deploy, test and refine security solutions without incurring any downtime for system users. Furthermore, home device information is kept private as Intune will not log the user’s personal mobile phone history, browsing data, camera roll, etc.

Controlled scaling and licensing costs: MEM customers benefit from lower operational costs, as devices can be wiped and re-used easily.

Cons of Microsoft Endpoint Manager

Lack of location data: If a device is lost or stolen, security teams may not be able to track the geographical location of the equipment.

Third-party identity management integration: In some cases, integrating non-Microsoft identity tools with your Intune suite can take time and effort. Therefore, it may be beneficial to seek the help of a managed IT service like Atech, which specialises in Endpoint Management.

Tips for establishing security baselines in your organisation

Here are some tips for streamlining and automating deployment, provisioning, policy management, app distribution, and upgrades with unified endpoint management from Microsoft:

Step one: Define resource access across all endpoints

Working with a managed service security provider will help your enterprise define specific regulations that restrict your company’s data access to the appropriate individuals and circumstances.

For instance, they may advise removing from scope all servers that will be decommissioned within the next 12 months. Then, group up-to-date servers (2019-2022) separately from older servers (2008-2016). From there, IT teams can schedule the full baseline implementation incrementally, with minimal business interruption.

Step two: Enforce your protocols

Define baseline criteria for access based on user, location, device status, app sensitivity, and real-time risk, then enforce those rules. Use artificial intelligence (AI) and machine learning (ML) to proactively reduce risk in your environment. Start analysing your cloud’s billions of signals with UEBA (user and entity behaviour analytics) alongside SIEM (Security Information and Event Management) to get a complete real-time view of all endpoints. These are all activities that Atech can help implement and manage as part of our SOC service.

Step three: Test and refine your solutions

Deploy Windows Defender Application Control (WDAC) in audit mode on devices to supplement Microsoft Defender for Endpoint (MDE) capabilities. Also enable WDAC in block (enforced) mode on your Tier 0 systems, and block credential stealing across all devices.

Microsoft recommends enabling audit mode for an initial WDAC deployment because it lets you test policies before rolling them out organisation-wide. In this mode, each application event that falls outside the policy is logged rather than blocked. Teams can then review the logged events and adjust their policies where needed.
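The audit-then-enforce WDAC rollout described in step three, as an added PowerShell example (not code from this post, from Atech, or from Microsoft’s own documentation). It uses the ConfigCI cmdlets built into Windows 10/11 and Windows Server 2016 and later, assumes an elevated session on a clean reference machine and the legacy single-policy file format, and every path under `$WorkDir` is a placeholder. The final step applies the same audit-first pattern to the Defender attack surface reduction rule that covers credential stealing from LSASS.

```powershell
# Added example: WDAC audit mode -> review -> enforced mode.
# Not code from the post; paths under $WorkDir are placeholders.

$WorkDir   = 'C:\WDAC'                       # placeholder working folder
$BaseXml   = Join-Path $WorkDir 'Baseline.xml'
$AuditXml  = Join-Path $WorkDir 'FromAuditLog.xml'
$FinalXml  = Join-Path $WorkDir 'Enforced.xml'
$PolicyBin = Join-Path $WorkDir 'SIPolicy.bin'
$Deployed  = Join-Path $env:windir 'System32\CodeIntegrity\SIPolicy.p7b'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Build the baseline from the reference image. Publisher-level rules keep
#    working across vendor updates; unsigned binaries fall back to hash rules.
#    -UserPEs includes user-mode executables, not only drivers.
New-CIPolicy -FilePath $BaseXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Rule option 3 is "Enabled:Audit Mode": anything outside the policy is
#    logged to Microsoft-Windows-CodeIntegrity/Operational instead of blocked.
Set-RuleOption -FilePath $BaseXml -Option 3

# 3. Compile to binary and stage it. Code Integrity loads SIPolicy.p7b at boot,
#    so the audit policy takes effect after a restart.
ConvertFrom-CIPolicy -XmlFilePath $BaseXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $Deployed -Force

# ---- let the device run normally for the audit period, then continue ----

# 4. Summarise what the policy would have blocked. Event ID 3076 is the
#    audit-mode "would have blocked" event (3077 is the real block once
#    enforced). The offending file path is parsed out of the message text.
function Get-WdacAuditSummary {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] }
        else { $_.Message }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
}
Get-WdacAuditSummary | Format-Table -AutoSize

# 5. New-CIPolicy -Audit turns every logged binary into an allow rule, so run
#    it only after the list above has been reviewed; strip any rule you do not
#    want from $AuditXml before merging it into the baseline.
New-CIPolicy -FilePath $AuditXml -Level Publisher -Fallback Hash -UserPEs -Audit
Merge-CIPolicy -PolicyPaths $BaseXml, $AuditXml -OutputFilePath $FinalXml

# 6. Delete option 3 to move from audit to enforced (block) mode and redeploy.
#    This is the mode the post says to apply to Tier 0 systems.
Set-RuleOption -FilePath $FinalXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $FinalXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $Deployed -Force

# 7. "Block credential stealing" maps to the Defender ASR rule "Block credential
#    stealing from the Windows local security authority subsystem (lsass.exe)".
#    Same pattern: audit first, switch to Enabled once the audit log is clean.
$LsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule `
                 -AttackSurfaceReductionRules_Actions AuditMode
# After review:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule -AttackSurfaceReductionRules_Actions Enabled
```

In a managed estate the two `Copy-Item` lines would be replaced by an Intune or Configuration Manager deployment of the same `.bin`, but the policy authoring, the 3076 review loop, and the removal of option 3 are identical; keep a policy in audit mode until `Get-WdacAuditSummary` returns only binaries you have consciously decided to leave blocked.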

Find out more about boosting adherence to the Microsoft Defender for Endpoint Security baseline here.

Atech’s Endpoint Management services offer complete peace of mind

Earlier this year, we were named a finalist in Microsoft’s Partner of the Year 2022 awards for Modern Endpoint Management. We have also recently gained Microsoft Solutions Partner status for Security, Infrastructure (Azure) and Modern Workplace, along with Specialisms in Identity and Access Management, Threat Protection, Azure Virtual Desktop, and Windows Server and SQL Server Migration. These demonstrate our proven expertise and customer success as organisations continue to optimise operations and shift to a world of hybrid work.

These certifications demonstrate our team’s commitment to staying on the cutting edge of Microsoft technologies. We also pride ourselves on developing our team’s skills and knowledge base to guarantee exceptional service to a vast range of enterprise clients.

If you want to learn more about how Atech’s managed security and Endpoint management services can help your organisation thrive, please don’t hesitate to contact us.

How can we help?

As Microsoft accredited cloud service providers we’ve got the tools and talent to put the incredible potential of cloud technology at the heart of your operation.

Fill in the form to speak to one of our cloud consultants about your cloud project. Let’s get the conversation started.
