Microsoft Endpoint Manager Getting Cloud Add-On 'Premium' Capabilities To Remote Support Work
Microsoft on Tuesday described Microsoft Endpoint Manager (MEM) as becoming a "single, cloud powered solution" for organizations, with new capabilities.
Most of the new MEM capabilities described this week are expected to arrive "over the next year." However, one capability that's available now is Remote Help, a new "secure" help desk service, integrated with MEM.
Remote Help is the first of MEM's so-called "premium" add-on features, which means organizations will have to pay extra to use it.
Remote Help General Availability
The Remote Help service is currently at the "general availability" commercial-release stage. It lets IT pros fix problems on remote user Windows devices in "real time." Support for Android devices is planned for "a future release."
The remote devices accessed using the Remote Help service can be "cloud managed as well as co-managed from on premises," Microsoft explained, and the service also works with unmanaged devices. It'll also work with Windows 365 and Azure Virtual Desktop remote desktops.
The Remote Help service is "permission-scoped" for IT departments. Remote Help has support for role-based access control (RBAC), for instance, in contrast to MEM Configuration Manager's current Remote Control help desk feature, which lacks RBAC. It also performs compliance checks on remote devices prior to help sessions being established.
Organizations with MEM subscriptions that want to use Remote Help will have to pay extra for it. The add-on costs "$3.50 per user per month." Here are its other requirements:
- License for Microsoft Intune as part of Enterprise Mobility + Security E3/5, Microsoft 365 E3/5, or F3/5 or standalone
- Add-on license for remote help for users and helpers
- Windows 10/11 including Windows 365 Cloud PC
- The remote help app for Windows
Possibly, Remote Help is dependent on using the Azure Active Directory identity and access management service. Microsoft's announcement was unclear on that point.
Other MEM Tools To Come
Another tool for help desk overseers is the ability to "elevate standard user permissions" on a temporary basis, which might be done in scenarios where locked-down users need to install an app or run a diagnostic tool. This MEM capability is yet to come.
Automation will be part of the process when the temporarily elevated permissions capability becomes available, and it'll allow nuanced or "granular" permissions to be carried out via executable files, Microsoft promised.
"Organizations can define executables that elevate granular permissions on a device, saving IT time," Microsoft indicated regarding the elevated permissions feature.
MEM also will have a cloud-based "certificate lifecycle management solution" at some point. It's described as a "cloud certificate management solution for Public Key Infrastructure (PKI)," which will permit IT pros to "easily deploy certificates from within Endpoint Manager."
Microsoft is adding an automated vulnerability management and application protection capability to MEM and Microsoft Defender for Endpoint for "third-party" (non-Microsoft) applications. This feature will enable "continuous detection, assessment, and automated app patching across Microsoft Defender for Endpoint and Endpoint Manager" for such apps.
MEM will be getting "alerts based on anomaly detection," along with recommendations. These alerts, based on artificial intelligence assessments, will be capable of integrating with "leading IT service management tools" as well.
MEM users also will be getting the ability to set up secure virtual private networks (VPNs) and application protection policies using Microsoft Tunnel. The protections are expected to work with mobile devices, both managed and unmanaged, when accessing company resources. This new VPN capability will be coming first for the Microsoft Edge mobile app on unenrolled mobile devices.
MEM is getting Conditional Access support for Linux devices. Moreover, "premium portfolio" users will be able to provision and configure devices running Android Open Source Project (AOSP) code, a capability that's currently at the preview stage. The "premium" word suggests that Microsoft will charge extra for the AOSP capability, but cost details weren't described.
MEM will get the ability to set application protection policies for users with "multiple company accounts or identities on a single device." This sort of approach could be used when the end user has responsibilities both to customers and an organization. Microsoft described the kind of end users that may need this capability as "physicians, consultants, recruiters or something else."
Only Remote Help and AOSP support were specifically called out as "premium capabilities" in Microsoft's announcements.
Having a subscription to Microsoft Intune, Microsoft's mobile management service, seems to be key to accessing the coming new premium capabilities, which will be released as MEM add-ons. Microsoft seems to be contemplating selling these features in bundles.
Here's Microsoft's statement to that effect:
"We will have more to say about these premium capabilities in the next few months, so stay tuned for more details regarding expected timelines and availability," the announcement explained. "In the coming months, they will be released individually, as a la carte add-ons to your Microsoft 365 enterprise plans that include licenses for Microsoft Intune. When sufficient add-on capabilities are generally available, we will offer a bundled suite."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.