The ultimate MEM tour part 1 – Devices

According to the Gardner quadrant published on August 16, Microsoft is by far the leader in the area of unified endpoint management tools. Microsoft Endpoint Manager (MEM) has played a major role in achieving this clear ranking. MEM has grown more and more in recent years and has received more and more new functions. According to rumors, we can soon expect support for Chrome OS (source: twitter).

This blog is the first blog of a whole blog series. In this blog series, I want to give you a tour of all the features that Microsoft Endpoint Manager has to offer.

More blogs from this series:

Before we start, the following questions arise:

What is Microsoft Endpoint Manager?

Microsoft Endpoint Manager is a unified endpoint management tool (UEM) that enables the management of multiple endpoints and device types in a single console. MEM includes the following services: Microsoft Intune, Configuration Manager, Co-management, Desktop Analytics, Windows Autopilot, Azure Active Directory (AD) and Endpoint Manager admin center.

Intune is the cloud part of the Microsoft Endpoint Manager. With Intune, you can manage mobile devices securely and easily over the Internet.

How can I access the Microsoft Endpoint Manager?

To access the Microsoft Endpoint Manager, you need to open the Microsoft Endpoint Manager Admin Center in the browser:

How can I set up a test environment?

How you can set up a test environment and what are the first steps to enroll a device via Intune I have explained in detail in this blog post.

So go ahead: Device Management

MEM currently supports the management of Windows, Mac OS X, iOS, iPadOS and Android. All settings and functions related to device management can be found in this blog.


When you go to the devices section, the first thing you see is the Overview dashboard. Here you get an overview of the state of the complete envirement across all operating systems.

This is broken down into the following sections: 

Enrollment status

  • Overview of how many devices have been enrolled per platform and how often the enrollment process was successful or how often an errors occurred.

Enrollment alerts

  • Overview of the Autopilot devices. You can see here for example if you have device hashes without profile assignment.

Compliance status

  • Overview of how many devices conform to the guidelines defined in compliance rules and how many are not compliant.

Configuration status

  • Overview of the configuration policies status how often which policy is successfully or not successfully applied.

Software update status

  • Overview of the software update installation. Count of successfully or failed update installations.

All Devices

In the All Devices menu you get a list of all devices managed via MEM independent from the platform. You can see here the compliance status of the devices, the OS Build version and the last check-in in intune. Also some more informations.


In the monitor section, you’ll find many reports. These reports are divided into the categories Configuration, Compliance, Enrollment, Software updates and Other.


Assignment status

  • Overview of the configuration policies status how often which policy is successfully or not successfully applied. You can also see what type of policy it is.

Assignment failures (preview)

  • Here you can see the policies that have an assignment error. If you select a policy you can also see which devices are affected.

Devices with restricted apps

  • This report shows devices that have apps installed that are prevented by device restrictions.

Encryption report

  • This report gives you an overview of the disk encryption status of the devices. The report is valid for Windows and Mac OS devices.


  • Overview of certificate deployment. You can see which certificate is on which device.


Noncompliant devices

  • Here you can see devices that do not meet the compliance policies. For example, this could be a defined mindest OS version or an encrypted disk.

Devices without compliance policy

  • Devices for which no compliance policies are applied or defined.

Setting compliance

  • Here you can see the individual attributes of the policy that are defined and how often they are compliant and how often they are not. 

Policy compliance

  • A list of all compliance policies with an evaluation of how many devices are compliant and how many are not. You can also see how often there was an error when applying the policy.

Noncompliant policies (preview)

  • Here you can see the compliant policies that have an error or are not compliant.

Windows health attestation report

  • This report gives you an overview of the security relevant elements like e.g. Code Integrity, Secure Boot and BitLocker Encryption.


Autopilot deployments (preview)

  • This report provides an overview of past device enrollments. You can see which method was used to enroll the devices and the status of the enrollment.

Enrollment failures

  • You can see the failed enrollments. You have the choice to search for a specific user or to select All User.

Incomplete user enrollments

  • The report shows how many enrollments were not completed and at which step they were aborted.

Software updates

Per update ring deployment state

  • An overview of the deployment status of update rings. How often was this successful or how often was there an error.

Installation failures for iOS devices

  • Here you can see failed software updates under IOS. Here you can see under which OS version the error occurred.

Feature update failures (Preview)

  • In this table you can see which feature updates failed how often.

Windows Expedited update failures (Preview)

  • This report shows failed expedited updates (updates installation as quickly as possible).


Device actions

  • Overview of status triggered device actions like a wipe. 

By platform

In the Platform category, you can choose between Windows, iOS/iPasOS, macOS and Android. This selection filters the various items such as All Devices or Configuration Policies to only those that apply to the device group.

I will describe the individual submenus of the platforms in the following points.

Device Enrollment

In the Device enrollment menu, you will find all options to configure an enrollment for the different operating system types. There are also general settings such as enrollment restrictions. In this section I will explain all functions around the enrollment.

Windows enrollment

  • Here are the settings needed to configure Windows autopilot. You have an overview of the devices registered in your tenant, can configure settings for windows hello for business, can add a CName and can set up and manage an Active Directory to Intune connector. You can also create the ESP and the different deployment profiles. I have already explained how this works in my blog.

Apple enrollment

  • In this section you will find all settings that are required for an Apple enrollment. The prerequisite you can add here is the Apple MDM Push certificate. Once this is uploaded you can configure a bulk enrollment via Apple Configurator or via the Apple Business Manager. You can also configure enrollment targeting. With this option you can configure a user or device enrollment.

Android enrollment

  • This option is similar to the Apple section but for Android. The prerequisite to configure an Android enrollment is a managed Google Play account. Once this link is established you can configure the device enrollment. You have 4 options (Personally-owned devices with work profile, Corporate-owned dedicated devices, Corporate-owned, fully managed user devices, Corporate-owned devices with work profile). I will explain what is behind this in a future blog. Be curious.

Enrollment restrictions

  • In this section you can configure enrollment restrictions and enrollment limitations.
  • Enrollment restrictions is an option to exclude certain devices. You can e.g. only allow devices from a certain OS version or exclude a certain OS completely, ban manufacturers or block personal owned. 
  • Enrollment limitation is an area where you can configure the maximum number of devices each user can enroll.

Corporate device identifiers

  • You can configure an IMEI or serial number to mark devices as corporate owned. The following platforms are supported: iOS/iPadOS, macOS, Android Device Administrator, pre Android v10, Android Enterprise Personal Work Profile, pre Android v12.

Device enrollment managers

  • As a device enrollment manager you can specify an Azure AD account, which is used to set up the mobile devices and prepare them for the user. It is possible to register up to 1000 devices with this account.

Provisioning / Windows 365

Windows 365 is Windows SaaS. Microsoft provides a way to host virtual instances in the cloud. More info can be found on the Microsoft site.

Compliance Policy

Compliance Policy can ensure the security of devices and the protection of corporate data.  With the help of this policy, devices can be marked as compliant or not compliant. These are rules that define what a device must comply with, such as Bitlocker encryption, a minimum OS version, etc.

 This device status can be used for conditional access.

There are the following submenus for the compliance policies area:


  • Define new compliance policies and an overview of existing ones. Here you can also see which policies are assigned and which are not.


  • Here you can define mail notifications if a device is not compliant. Mail templates can be created in different languages.

Retire Noncompliant Devices

  • Decommissioning devices after they have been non-compliant for some time. This action removes the device from Intune management and removes all corporate data from the device.


  • In this menu, locations can be defined based on network information.

Compliance policy settings

  • Further options for compliance policies can be found here like the default state if no policy is defined, an enhanced jailbreak detection can be enabled and the days of the compliance status validity period can be defined.

Conditional Access

Access policies are definitions/instructions that a user or device must meet in order to access certain resources. For example, if you need to access certain data, a pre requisite may be that your device must be complaint.

A other example: if a user is outside the company network a multi factor authentication is required.


  • In this section the Conditional Access policies can be defined. There is the possibility to create policies as report only to get only an overview or to activate the policies actively. How to configure a Conditional Access is explained very well in the blog of peter van der woude.

Insights and reporting

  • Here CA data can be sent to an Azure Log Analytics Workspace to get an advanced reporting dashboard.

Diagnose and solve problems

  • Help and troubleshooting instructions.

Named locations

  • Here, trusted locations / company networks can be defined on the basis of IP information. This data can then be used for CA policies.

Custom controls (Preview)

  • Custom CA controls can be defined here based on a JSON. To satisfy this control, a user’s browser is redirected to the external service, performs the required authentication, and is then redirected back to Azure Active Directory. Azure Active Directory checks the response, and if the user is successfully authenticated or validated, the user continues with the conditional access flow.

Terms of use

  • Here the terms of use can be defined in different languages. If the terms of use are defined and enforced via CA, a page opens where you have to accept them.

VPN connectivity

  • In this option, a certificate for an always on VPN connection can be created. More information about the alway on VPN with CA can be found here.

Authentication context (Preview)

  • With authentication context, applications can trigger policy enforcement when a user accesses sensitive data or actions. How to configure this you can find here.

Classic policies

  • Tool for migration of old CA policies not created in Azure portal to new framework.

Virtual assistant (Preview)

  • Chatbot for Azure Active Directory Topics.

New support request

  • Wizard to open Azure Active Directory tickets or get existing solutions.

Configuration Policies

This is the heart of complete mobile device management. The creation of policies. Here you have all the possibilities to create configurations like certificates, Wifi and VPN, device restrictions, personalizations, and many more configurations. In the following blogs I explain how you can create configuration policies. Microsoft has also announced that 1400 new MDM policies will be added in the future to Intune.

Administrative templates

  • For creating ADMX policies. The administrative templates contain thousands of settings that control, for example, Microsoft Edge, Microsoft Office, OneDrive, and more.
  • Use the MDM channel to deliver old-school group policy settings
  • Platform:
    • Windows 10 and later

Security Baselines

  • Creation of preconfigured security settings.
  • Can be found in the Endpoint Security menu. More about this in the third part of the series.
  • Platform:
    • Windows 10 and later

Settings catalog 

  • List of all the available settings categorized into the different areas like BitLocker, Defender, OneDrive and many more in one location.
  • Platform:
    • Windows 10 and later
    • macOS (Only for configure MS Edge)


  • Grouping of settings such as VPN, email, kiosk devices, and more. Also here are masses of settings available.
  • Platform:
    • Android
    • iOS/iPadOS
    • macOS
    • Windows 10 and later


There is not much to say about this section. Here you have the possibility to assign scripts to macOS or Windows devices.

You can select if the script should run with the login credentials (user context) or in the machine context.

Group Policy analytics

Group policies are an essential part of traditional device management. To make the transition to modern device management easier for companies, microsoft has introduced Group Policy analytics.

With Group Policy analytics you can upload an export of on premise GPOs and get suggestions which you can translate into MDM providers. A percentage is displayed for GPOs that have the same setting in Intune. You will get an evaluation of how many policies are supported and how many are not supported.

Update rings for Windows 10 and later

Updates to Intune only managed devices come from Windows Update for business. To configure and manage them, Intune offers the possibility to configure update rings. You can create pilot groups that receive the updates earlier to test them before releasing the updates to all devices.

Microsoft has add the possibility to also use assignment filters for the assignment of update rings. I explained this in the following blog.

Feature updates for Windows 10 and later

With this feature you can release feature update for specific device group for example 21H1. This is all the magic behind it.

Quality updates for Windows 10 and later 

This feature helps to install critical update on the devices faster. Prerequisite for this is that the devices are in the semi-annual channel. This can be configured in the update rings menu.

Enrollment restrictions

With Enrollment restrictions you can configure which devices can be enrolled for management with Intune. You can also configure enrollment limitations. With this you can set how many devices per user can be registered.

eSIM cellular profiles

With Enrollment restrictions you can configure which devices can be enrolled for management with Intune. You can also set how many devices per user can be registered per OS type.

Policy sets

Policy sets are a collection of different management objects and apps that can be grouped and assigned together. The policy set is a reference to different objects you added. This feautre was introduced at the end of 2019.

In the following blog post I explain policy sets in detail.

Device clean-up rules

With Cleanup rules you can delete devices  based on last check-in date. For example, if a device has not checked in for 90 days in Intune, it will be cleaned.

Device categories

To group devices of certain departments or areas, Intune provides a function called Device Categories. How you can configure them and how they work I have explained in detail in the following blog.


With the Assignment Filter a possibility was added to intune to make assignments more comfortable. This feature was first available for configuration profiles and then for apps. With the service release 2107 Intune has enabled the assignment filters also for update rings.

What are assignment filters and how can you use them I explain in this blog.

Help and support

This menu can be found in several places in the MEM portal. Here you have the possibility to get help, to open tickets or to access already opened tickets.


These are the countless possibilities that the Microsoft Endpoint Manager only offers in the Device Management. When you read this blog, many more features will probably been added. The next blog that deals with the topic of applications will follow soon.

Thank you very much for reading this blog. If you like this blog I would be very happy about a like or a share.

We hear us in the next part of this series.
Until then:

Stay healthy, Cheers