New Microsoft Intune Suite

Mechanics Team
8 min read · Mar 1, 2023

Privilege Management, Advanced Analytics, Remote Help & App VPN

Reduce the cost and complexity of running multiple solutions. Use advanced cross-platform capabilities that go beyond UEM for one unified endpoint management solution with the Microsoft Intune Suite. Leverage Microsoft’s intelligent services, which include integrated best-in-class solutions to protect against cyberattacks. Capabilities span endpoint privilege management, advanced analytics, secure app-level VPN for personal devices, and Remote Help for Android and Windows users.

Matt McSpirit, Azure expert, breaks down new Microsoft Intune Suite essentials to manage endpoint devices, provide secure access to resources, and support end users.

Now deploy standard user accounts.

Automate and manage elevated access for authorized apps with Endpoint Privilege Management. Get started with the Microsoft Intune Suite.

Ditch the work phone.

Secure VPN access to approved on-prem apps and files from personal devices. See how to leverage Tunnel for MAM in the Microsoft Intune Suite.

Improve security and compliance with Intune Suite’s Remote Help.

Verify requester and helper identity, see device compliance warnings in advance, copy text from local device to user device, and direct on-screen actions with a laser pointer. Get started.



00:00 — Introduction

01:32 — Endpoint Privilege Management

03:24 — Secure VPN Access: Tunnel for MAM

04:54 — Advanced Endpoint Analytics

06:29 — Remote Help

07:59 — Wrap up

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Video Transcript:

-Welcome to Microsoft Mechanics. If you are an admin managing endpoint devices, or in sec-ops concerned about secure access to your resources, or on the team on point for supporting end users wherever they are, keep watching, because in the next few minutes we’ll break down the essential things you need to know about the new Microsoft Intune Suite, which goes beyond UEM to bring you one unified solution with a new collection of advanced cross-platform capabilities deeply integrated in the familiar Microsoft Intune admin center.

-These capabilities span endpoint privilege management, advanced analytics, micro-VPN for personal devices, and Remote Help for your users, with more capabilities to come. These are all capabilities that today typically require multiple siloed tools with multiple portals that then need to be integrated, as well as different utilities to perform specific functions or enforce policies. Users in this case suffer because all the different agents deployed reduce performance and impact reliability as they work. And when you add to that the complexity you face of keeping devices healthy and secure as more of us work outside of the corporate network with hybrid work, the management overhead can be significant.

-The good news is it doesn’t have to be this hard. Not only can you reduce the costs of having multiple solutions in place through consolidation, but as I’ll show you, with a single solution you can also reduce the complexity and take your endpoint management to the next level, while leveraging Microsoft’s unique breadth of integrated and intelligent services, which includes integrated best-in-class solutions to protect against cyberattacks.

-Let’s look at examples of how this transforms unified endpoint management across the lifecycle, first by looking at a core aspect of Windows endpoint provisioning. As you provision new devices with local user accounts, one of the most pivotal decisions you’ll make is whether or not to provide them with local admin permissions. This isn’t a trivial issue: some apps will require frequent elevation of privilege and need an administrator account to run, so blocking this can prevent users from getting their work done. At the same time, having this level of privilege increases the security risk of privilege escalation attacks, such as malware and/or credential theft.

-Our new “Endpoint Privilege Management” capability solves for this. To keep these operations more secure, unlike other Just-in-Time solutions where the account is elevated for a period of time with unlimited scope, elevation is instead performed per approved operation only, to avoid running unauthorized processes at elevated privilege. Endpoint Privilege Management is enabled in Intune at the tenant level, with granular controls to leverage built-in Windows OS protections. Using policies, you can define the elevation type, either automatic or user confirmed, along with required additional validation. These allow you to balance security requirements with multiple tiers of end user experience. Automatic allows users to run pre-approved apps at elevated access without any prompts, and user confirmed, on the other hand, prompts the user for an additional confirmation.

-And soon we’ll be adding “Support approved.” This is a first look at the experience. For apps that require infrequent or one-off elevations of privilege, users can request elevation and optionally submit business justification. And once they hit “send,” the request goes to IT for approval. From here, the support tech has the authority to manually approve the elevation request. And the user is able to continue running that process with the required elevation in place.

-Then beyond Windows, for your mobile devices another core decision is whether user-owned devices running on your corporate network, will require enrollment into management. There may be cases where users aren’t comfortable surrendering control of their devices, or as an organization you want a clear separation of personal and work use. In the past, you might solve for this by making users carry two devices, with one dedicated for business use, but now you don’t have to.

-Our new secure VPN access, called Tunnel for MAM, works at the app level and serves as an extension to Intune’s Mobile Application Management. This allows users to securely access on-premises apps and resources from personal devices. It works on both iOS and Android platforms and removes the need for full device enrollment. When you attempt to access a resource within your perimeter, it will only work for the apps you approve. This prevents company data from moving onto the device for personal use, as you can see here, where the file and its contents are contained within the managed Microsoft Edge browser app. Then, only the apps from your MAM policies are permitted to view that content, while also protecting user privacy.

-Beyond the enlightened Microsoft Edge app, you can also enlighten your own mobile line of business apps to leverage Tunnel for MAM using available Software Development Kits. And from there, you configure Tunnel for MAM by defining your App Configuration Policies in the Intune admin center, and enabling Microsoft Tunnel VPN. This works together with the MAM app protection policies you already have in place.

-Next, continuing down our unified endpoint management lifecycle path, another major benefit is how the Microsoft Intune Suite can transform your management activities from reactive to proactive using advanced insights. Here, Microsoft’s unique advantage comes with the massive signal received across our Windows install base, in addition to our best-in-class integrated services for identity management, enterprise security, and productivity apps, which ensures a deeper, more comprehensive view of trending incidents impacting your devices and users. And we’re working towards ensuring that these collected insights will lead to proactive resolution, before your users even contact the helpdesk. The advanced endpoint analytics intelligently detects anomalies and unexpected issues across your managed endpoints. It then provides targeted insights down to specific affected devices. And for each, you’ll see a detailed timeline of the user experience with the detected issue.

-Then, for the support calls that do come in, you will also have more flexibility to run remediation scripts on demand for individual devices to diagnose, troubleshoot, and fix common issues. For deeper investigation where you need to look at active support cases and history, the troubleshooting blade in Intune now gives you a single view of your tickets through deep integration with ServiceNow. Here, for example, we’ve filtered on a specific user, and not only can we see the information collected by Intune, but in the same view, and in context, we can now see a summary of matching ServiceNow incidents, and the deep links allow you to learn more about the incident in the ServiceNow console.

-Of course, where more hands-on help is required or you need to better support hybrid workers, the Intune Suite also adds Remote Help enhancements to improve security and compliance. As a cloud-based service, it removes the need for expensive on-prem infrastructure. All actions are governed using Role-based Access Controls. And you will be able to enforce conditional access policies with Remote Help. Notably, as a helpdesk technician, you can securely connect to both enrolled and unenrolled devices. And once the remote help session has been started and is running, users have peace of mind in being able to validate the technician’s identity to avoid helpdesk spoofing attempts.

-And you, as an admin, before connecting to a remote session, can see device compliance warnings to alert you in advance. You’ll also be able to use the clipboard to copy text or files from your local device onto the user’s device, and direct on-screen actions using annotations with a laser pointer. By the way, full-featured text-based chat support is coming soon, along with support for Android devices using Remote Help, where you can launch the Remote Help session to view the screen and request full control right from the Intune admin center.

-The unattended option lets you access managed devices while they are not in use, allowing you to set configurations or troubleshoot issues remotely, as long as those devices are powered on and connected to the Internet. This complements Intune’s support for Frontline Workers and works with enrolled Android Enterprise Dedicated devices. And one more thing, cross-platform specialty device management is also now part of the Intune Suite.

-So that was a quick overview of Microsoft Intune Suite, our single solution spanning integrated advanced capabilities to simplify endpoint management while reducing costs, especially if you’re using multiple solutions. If you don’t see all the capabilities in your Intune admin center today, as mentioned, they’ll be rolling out soon. And to learn more, check out And keep watching Microsoft Mechanics for the latest updates, subscribe to our channel, and thanks for watching!