Outdated endpoint strategies often cobble together several individual solutions in order to manage and secure a hybrid environment. This leads to high frictional losses, opens security gaps and ultimately drives up the costs of support, administration and potential cyber attacks. The Microsoft Intune Suite promises increased productivity and security from a single integrated suite. In particular for endpoints that can only be reached from the cloud or via the Internet, it closes some gaps in cloud-native management using Microsoft's own tooling.
The most important points in brief
- Centralized endpoint management: The Microsoft Intune Suite provides an integrated solution for managing and securing endpoints in a company.
- New features: The suite includes enterprise application management and advanced analytics, for example, which improve application delivery and device management.
- Secure access: Intune provides secure access to corporate resources, even from private devices, and supports the security architecture.
- Cost efficiency: By consolidating various management tools, the Intune Suite saves costs and increases IT management efficiency. The ill-considered introduction, on the other hand, can be very expensive.
SOFTTAILOR supports its customers from design through licensing to the installation of Microsoft Intune and the Intune Suite.
1. What is Intune Suite?
Managing endpoints properly is very complex and traditionally requires many different tools with loose integration that usually works poorly rather than well. The Intune Suite offers various add-on functionalities for Microsoft Intune and simplifies endpoint management and security through a modern, integrated approach. It improves security and reduces costs and complexity by consolidating multiple tools.
The result is reduced complexity and better performance for admins and a better experience for end users.
The Microsoft Intune Suite consists of these six components:
- Endpoint Privilege Management: Elevated access rights on demand or on request
- Enterprise app management: Windows application discovery, packaging, deployment, and patching
- Advanced analytics: Predict which endpoints, applications, and users will have issues
- Cloud PKI: Publish and distribute certificates from Intune without complex PKI
- Tunnel for MAM: Secure access to apps from unmanaged mobile devices
- Remote Help: Secure, remote helpdesk end user connection
We have looked at all six components for you, assessed their added value and provide initial advice on how to implement them.
2. Benefits of the Intune Suite
The added value of the Intune Suite for your endpoint strategy is fourfold.

- Increased security through standard user rights as the default, distribution of certificates to all devices and automatic patches for third-party apps.
- Reduced complexity through simplified IT and security processes and the consolidation of tools.
- Improved user experience by predicting which endpoints and users need attention, acting proactively before affecting the end user, and using Remote Help to reduce downtime.
- Reduced costs by consolidating multiple third-party tools, saving system administrators time, and increasing efficiency for help desk employees.
The Microsoft Intune suite offers a lot of added value, but it's also expensive. Some features are relevant for almost all of our customers, while other features cover very specific use cases. You should therefore look closely at what challenges a company has and how they can be addressed with the Intune Suite add-ons. On this basis, we put together the package with the best cost-benefit ratio.
Thore Lenz, managing director of SOFTTAILOR
Now let's take a look at the six components of the Intune Suite and how the added value is actually achieved.
3. Endpoint Privilege Management (EPM)
What is endpoint privilege management?
Microsoft Intune Endpoint Privilege Management (EPM) makes it possible to increase users' access rights as required, so that the least privilege principle as part of Zero Trust is implemented.
Gaining complete control of an endpoint is every cyber criminal's dream scenario. By enforcing least-privilege access, EPM reduces the impact of an attack because all users work with standard user rights by default.
Standard user permissions lower the likelihood of a security breach, but they increase friction because certain tasks, such as installing peripherals or applications or running Windows diagnostics, are restricted. This frustrates users, affects productivity and increases support costs.
EPM addresses this challenge with simple creation and removal of rules, tenant-level activation, and elevation that is either automatic, confirmed by the user or approved by support. EPM streamlines IT workflows while improving security and providing a modern user interface.
How does endpoint privilege management improve your endpoint strategy?
The enforcement of least privilege significantly reduces local administrator accounts. This not only increases security, but also enables companies to maintain productivity by allowing controlled increases in permissions when required.
By monitoring elevations, EPM provides IT administrators with comprehensive visibility and control and thus ensures a proactive approach to security management.

How does Endpoint Privilege Management work?
Using different types of rules, you can balance security, usability and trust according to your specific requirements. Administrators can first run EPM in reporting mode to see what would happen before enforcing it in production. Rules can then be defined based on child processes, assignment filters and Entra ID groups.
- Elevation can be triggered by two actions:
  - EPM identifies a process that matches a rule.
  - The user selects Run Elevated to request elevation.
- There are three types of elevation: automatic, user-confirmed and support-approved.
  - Automatic: approved applications elevate automatically so that they function without interruption.
  - User-confirmed: the user must confirm before elevation, as an additional safeguard.
  - Support-approved: support must approve a time-limited elevation.
Scope and timeline
EPM is available for Windows 10 from 21H2 and for Windows 11 from 21H2. EPM for macOS should be available soon.
Here you can find more information on the official Microsoft Learn page: https://learn.microsoft.com/de-de/mem/intune/protect/epm-overview
4. Enterprise App Management
What is enterprise app management?
Enterprise App Management is an app catalog that simplifies and automates the deployment of Windows applications via Intune, and is Microsoft's answer to leading tools such as Patch My PC and Robopack. These tools all follow the same rationale: software packaging is time-consuming and complex. With an app catalog, admins can draw on a range of ready-made applications. With Enterprise App Management, these include both Microsoft's own and third-party applications.
How does enterprise app management improve your endpoint strategy?
Enterprise App Management reduces the effort required to package, deploy and manage Microsoft and third-party applications. Automated patch management for standard applications is an indispensable part of every endpoint management strategy: vulnerabilities are closed faster and features are delivered sooner.
In our opinion, the solutions from Patch My PC and Robopack are still much better than Enterprise App Management at the moment. More on this under “Scope and timeline.”
How does Enterprise App Management work?
The Enterprise App Catalog contains Win32 applications that are prepared and hosted by Microsoft. Microsoft wraps the installation files (EXE or MSI) of these applications so that the app can be added as a Win32 app in Microsoft Intune.
When an app from the Enterprise App Catalog is added to Intune, the install and uninstall commands, return codes and detection rules come pre-configured; administrators can still adjust them as needed. Since these are Win32 apps, distribution works via the Intune Management Extension, where assignments and supersedence can then be set.
Applications in the catalog are configured so that, wherever possible, they update themselves automatically via the manufacturer's own routine. To avoid compatibility issues, we do not recommend automatic updates but a structured roll-out in several rings. For applications that do not update automatically, Microsoft has already announced new features for update notification and a guided update process.
Scope and timeline
Microsoft plans to add around 100 new applications to the Enterprise App Catalog every month, prioritized based on telemetry from Intune tenants and requests from customers and partners. At the time of writing, around 450 applications are available in the catalog; for some applications several versions are listed, which further reduces the real number of distinct applications.
For more information, visit the official Microsoft Learn page.
From today's perspective, the price therefore does not justify the value, and we do not recommend this product as a stand-alone part of the Intune Suite. Solutions such as Patch My PC or Robopack offer significantly more scope (app catalog and functions) for less money and, in the case of Patch My PC, years of experience in automated patching of third-party applications.
We are excited to see how Enterprise App Management develops.
5. Cloud PKI
What is Cloud PKI?
Microsoft Cloud PKI streamlines the management of certification authorities and the certificate life cycle. It is a cloud-based service that simplifies and automates certificate lifecycle management for devices managed by Intune. It provides a dedicated public key infrastructure (PKI) for your organization without the need for on-premises servers, connectors or hardware, and it issues, renews and revokes certificates for all platforms supported by Intune.
How does Cloud PKI improve your endpoint strategy?
Cloud PKI enables companies to manage their certificates alongside their endpoints in the cloud, which makes it easier to migrate from on-premises to the cloud. This transition not only streamlines processes and lowers administrative costs, but also drastically simplifies the deployment and management of certificates.
Overall, this increases security and reduces the complexity associated with traditional on-premises PKI solutions. Cloud PKI allows companies to deploy certificates in minutes instead of weeks or months of planning, coordinating, procuring and deploying.
How does Cloud PKI work?
The deployment of Microsoft Cloud PKI in the Intune suite includes two models: Greenfield and Brownfield, which we've briefly described below. We'll also show you the basic architecture of Cloud PKI.
Greenfield
Create and use a new certificate authority (CA) in Intune:
- If the issuing CA's certificate is not present on a relying party, the so-called Certificate Chaining Engine (CCE) can automatically discover, retrieve and install it.
- This process, which is similar to downloading CRLs, establishes a chain of trust by retrieving missing parent certificates.
- It is important to distribute the Cloud PKI trust chain, consisting of root and issuing CA, to all relying parties for comprehensive coverage and trust in the infrastructure.
Brownfield
Use an existing certificate authority and let Intune issue certificates:
- When a bring-your-own-CA deployment is initiated, devices managed by Intune must already have the specific CA certificates.
- This includes the CA's chain of trust, i.e. the root and issuing CA certificates.
- Because Cloud PKI uses a private root CA, the trust chain of private CA certificates, consisting of root CA and issuing CA, should already be deployed in the existing infrastructure.
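Both models above depend on the root and issuing CA certificates actually being present on every relying party. The following PowerShell check is an added example, not code from the original post or from Microsoft; it verifies on a Windows device that the chain is installed in the expected stores and, optionally, that a leaf certificate chains to the expected root without any online discovery of missing parents. The thumbprint values and the function name are placeholders and assumptions of this example.

```powershell
# Added example (not part of the original post or Microsoft's tooling): checks that
# the Cloud PKI trust chain (root CA + issuing CA) is installed on a Windows relying
# party and, optionally, that a leaf certificate chains to it offline, i.e. without
# CCE-style discovery of missing parent certificates.
# The two thumbprints are PLACEHOLDERS; take the real values from the CA properties
# in the Intune admin center.

$RootCaThumbprint    = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'
$IssuingCaThumbprint = 'REPLACE_WITH_ISSUING_CA_THUMBPRINT'

function Test-CloudPkiTrustChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RootThumbprint,
        [Parameter(Mandatory)] [string] $IssuingThumbprint,
        # Thumbprint of a device or user certificate issued by the issuing CA (optional)
        [string] $LeafThumbprint
    )

    # Normalize thumbprints: no whitespace, upper case, as the Cert: provider reports them
    $RootThumbprint    = ($RootThumbprint -replace '\s', '').ToUpperInvariant()
    $IssuingThumbprint = ($IssuingThumbprint -replace '\s', '').ToUpperInvariant()

    $result = [ordered]@{
        RootInTrustedRootStore     = $false   # LocalMachine\Root
        IssuingInIntermediateStore = $false   # LocalMachine\CA
        LeafChainsOffline          = $null    # $null = no leaf certificate was checked
        ChainStatus                = @()
    }

    $result.RootInTrustedRootStore = [bool](
        Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint)
    $result.IssuingInIntermediateStore = [bool](
        Get-ChildItem Cert:\LocalMachine\CA | Where-Object Thumbprint -eq $IssuingThumbprint)

    if ($LeafThumbprint) {
        $LeafThumbprint = ($LeafThumbprint -replace '\s', '').ToUpperInvariant()
        $leaf = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
            Where-Object Thumbprint -eq $LeafThumbprint | Select-Object -First 1
        if (-not $leaf) {
            Write-Warning "Leaf certificate $LeafThumbprint not found in the personal stores."
        } else {
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            # Revocation is a separate concern; this test covers only the trust path
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            # On PowerShell 7 (.NET 5+) forbid AIA downloads so the result reflects what is
            # installed locally; Windows PowerShell 5.1 lacks this property and skips it.
            if ($chain.ChainPolicy.PSObject.Properties['DisableCertificateDownloads']) {
                $chain.ChainPolicy.DisableCertificateDownloads = $true
            }
            $result.LeafChainsOffline = $chain.Build($leaf)
            $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            # A chain that ends at a different root than expected is a finding, not a pass
            $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
            if ($chainRoot -ne $RootThumbprint) {
                $result.ChainStatus += "UnexpectedRoot:$chainRoot"
                $result.LeafChainsOffline = $false
            }
            $chain.Dispose()
        }
    }
    [pscustomobject]$result
}

# Usage on the relying party (run elevated so the LocalMachine personal store is readable):
Test-CloudPkiTrustChain -RootThumbprint $RootCaThumbprint -IssuingThumbprint $IssuingCaThumbprint
```

A device that reports the root or issuing CA as missing is one that would have to rely on CCE discovery at first use, which is exactly the gap the distribution step above is meant to close.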
Cloud PKI architecture
The architecture of a PKI remains fundamentally the same, but elements that previously required an on-premise infrastructure are provided as a service.

Scope and timeline
The cloud PKI solution is already pretty mature and Microsoft issues thousands of new certification authorities and tens of thousands of certificates per month.
You can find out more about this on the official Microsoft Learn page.
6. Tunnel for MAM
What is Tunnel for MAM?
Tunnel for MAM (Tunnel for Mobile Application Management) extends the functionality of the Microsoft Tunnel VPN gateway to Android and iOS devices that are not Entra ID registered. This extension allows users to securely access applications or data from unmanaged personal devices, so employees can use their personal devices for both work and private purposes without the company giving up administrative control.
How does Tunnel for MAM improve your endpoint strategy?
Tunnel for MAM is part of Zero Trust and provides secure network access from an unmanaged mobile device. This facilitates the introduction of bring-your-own-device (BYOD) policies and supports modern working methods without jeopardizing data security.

How does Tunnel for MAM work?
- Configure the tenant and activate Tunnel for MAM.
- Configure the apps and roll out the app configuration policies:
  - Administrators set up app configuration policies for Microsoft Edge and Microsoft Defender.
  - For Microsoft Edge, the app configuration policy should support identity switching, so that a connection to the VPN tunnel is established automatically when the user signs in with or switches to a Microsoft work or school account, and is disconnected when the user switches to a personal account.
  - Microsoft Defender requires an app configuration policy that configures it as the tunnel client app on the device.
- Roll out the app protection policy.
Scope and timeline
Tunnel for MAM is available for both iOS and Android. For Android, the Company Portal app, Microsoft Edge and the Defender for Endpoint app must be installed on the device. iOS does not require the Company Portal or Defender app.
You can also find more information here on the Microsoft Learn page: https://learn.microsoft.com/de-de/mem/intune/protect/microsoft-tunnel-mam
7. Advanced Analytics
What is advanced analytics?
Advanced Analytics provides a significant expansion of Intune's current endpoint analytics capabilities, for better reporting, deeper insights, and proactive endpoint management. Using Kusto Query Language, administrators can proactively identify and fix problems, simplify troubleshooting and thus improve the end user experience.
How does Advanced Analytics improve your endpoint strategy?
The tool provides deeper insights and proactive management capabilities for IT teams, so administrators no longer merely react to issues but mitigate them before they occur. Administrators receive event and signal flags in near real time that correlate with abnormal behavior. In addition, integration with Entra, Conditional Access and device compliance helps build trust and mitigate phishing attacks.
Exciting: Microsoft uses Copilot across its entire product range, so there is still a lot of potential in advanced analytics to make life easier for IT teams.
How does advanced analytics work?
Advanced Analytics consists in particular of the following five features:
- Custom device scope: Scope tags allow analysis, insights and recommendations to be focused on specific sub-groups of devices. For example, you can restrict the view to devices managed by you, devices from a specific business unit, or devices located in a specific geographical region.
- Anomalies: Monitoring endpoint health for user-experience degradation and productivity loss following configuration changes.
- Enhanced device timeline: More detailed events and lower data latency to improve troubleshooting capabilities.
- Device Query: Enables system administrators to query the health and configuration of endpoints in near real time.
- Battery Health: Provides insight into battery performance and energy consumption issues that impact the user experience.
Scope and timeline
The devices must be registered in Intune or managed together with MECM and be visible in Endpoint Analytics. It can take up to 48 hours after the license purchase before the Advanced Analytics features are visible in the tenant.
Find out more about advanced endpoint analytics here.
8. Remote Help
What is Remote Help?
Remote Help is a native Intune Suite feature for remote end-user support. It provides help desk employees with a secure platform to connect with users and solve problems efficiently. On its own, it is not a revolutionary solution and still lacks some features of leading RMM solutions, but for the first time it integrates remote-help capabilities into the Microsoft endpoint management and Zero Trust environment.
How does Remote Help improve your endpoint strategy?
Remote Help increases the security of the help desk process through secure remote access based on the Zero Trust model. Among other things, role-based access control (RBAC) lets administrators configure who may support which end users and with which permissions. Other security features include:
- Device compliance alerts to alert helpers when the user's device is not compliant and could be infected.
- Session reports that show who helped whom, when, and on which device
- Build trust between help desk and end user before connections are made by showing each other's Azure AD profile picture, company, name, title, and verified domain.
The security aspect of Intune Remote Help and its seamless integration into the Microsoft (security) infrastructure are therefore very promising for minimizing user support as a security risk and preventing unauthorized remote control.
Unfortunately, some basic capabilities of RMM tools are not available, which is why we currently advise against using Remote Help as the sole help desk tool. We hope that Microsoft will continue to develop a few things here, because the idea is good and there is certainly a need for it. More on this under “Scope and timeline.”
How does Remote Help work?
- Activate Remote Help in the tenant: Remote Help is a tenant-wide setting and must be activated before users can be authenticated and supported.
- Configure or onboard endpoints: Users can be supported on devices that are enrolled in Intune and on devices that are not, but the devices must at least be registered in Entra ID.
- Grant RBAC permissions: The help desk employee and the end user must both be signed in to the same Microsoft tenant. Remote Help uses Intune's role-based access control (RBAC) to set the level of access a help desk employee is allowed. Through RBAC, the administrator determines which help desk employees can provide support at which level, e.g. with elevated privileges.
Scope and timeline
Remote Help is available for Windows 10, Windows 11 (including ARM64), Windows 365 and Android Enterprise Dedicated (Samsung and Zebra). macOS 13, 14 and 15 can now also be managed with Intune. Remote Help is not (yet) available for iOS or iPadOS endpoints. In addition, unattended control is so far only possible for Android endpoints, which is viewed critically in the community.
Other standard features of stand-alone RMM tools, such as easy script execution, file transfer, and browsing the registry and file system, are also still missing, so Microsoft still has a lot to deliver here. Right now, we can therefore only recommend Intune Remote Help to a limited extent for remote support in demanding environments.
Here you can find more information on the official Microsoft Learn page: https://learn.microsoft.com/de-de/mem/intune/fundamentals/remote-help
On the other hand, some companies may not want to give their help desk such capabilities at all. In that case, an endpoint management administrator with the appropriate permissions in Microsoft Intune would always have to solve the end user's problem, since many of the features mentioned are generally included in Intune. Another option is the tool from SoftwareCentral, which gives help desk employees controlled access to Intune features and thus provides them with capabilities comparable to leading RMM tools.
9. Other Microsoft Intune Suite Features
In addition, Intune Plan 1 and Intune Suite include the following features:
Microsoft Intune Management of Specialty Devices
Management of Specialty Devices offers a range of features specifically designed to manage, configure and secure specialized devices such as AR/VR headsets, smart screens and conference room devices. While this has so far been limited to a few specialized devices, such as RealWear, Microsoft Teams Rooms devices and Microsoft HoloLens, Microsoft announced in November 2024 that it would extend the functionality to Apple devices running visionOS and tvOS in the future. This underpins Microsoft Intune's claim to be a unified endpoint management solution.
Learn more about announcing Apple Specialty Device Support here: https://techcommunity.microsoft.com/blog/microsoftendpointmanagerblog/microsoft-intune-expands-support-for-apple-specialty-devices/4309849
Microsoft Intune firmware over-the-air (FOTA) updates
Firmware over-the-air (FOTA) updates make it possible to remotely update the firmware of supported devices, giving companies more control over their employees' mobile devices. Currently, Microsoft Intune only supports integration with Zebra LifeGuard Over-the-Air (LG OTA), so firmware updates for supported Zebra devices can be centrally managed. Zebra LifeGuard Over-the-Air (LG OTA) is a service from Zebra Technologies that allows updates to Android devices to be delivered automatically and without manual intervention.
You can find out more about this on the following Microsoft Learn page: https://learn.microsoft.com/de-de/mem/intune/protect/fota-updates-android
10. Microsoft Intune Suite Pricing and Licensing
The basic Intune license is Microsoft Intune Plan 1. The Microsoft Intune Suite is a comprehensive and heavily discounted add-on package to Microsoft Intune Plan 1 that includes all eight products described in this blog article. If you want a smaller package, Microsoft Intune Plan 2 contains only the add-ons Microsoft Intune Tunnel for MAM, Microsoft Intune Management of Specialty Devices and Microsoft Intune firmware over-the-air (FOTA) updates, which are not offered individually.
The other five products are also available separately. Ultimately, the most accurate and cost-effective licensing depends on your organization's requirements and the Intune add-ons you need. The licensing options are clearly summarized in the following table:
Details about the current prices of licenses and plans can be found here: https://www.microsoft.com/de-de/security/business/microsoft-intune-pricing?market=de
Ready?
In 2023, companies used an average of over 80 endpoint management and security tools. This fragmented approach is expensive and very complex to manage. The Intune Suite fights this tool sprawl.
For this reason, we highly recommend taking a look at the Intune Suite and matching it against your organization's needs. Almost all of the modules presented are available not only as part of the whole Intune Suite but also as separate add-ons to Intune Plan 1, with the exception of those included in Intune Plan 2. In summary, we think the features of the Intune Suite are very good with enormous potential, but we currently have to exclude Enterprise App Management and Remote Help from that verdict.