<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description></description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Wed, 17 Jun 2026 07:00:42 GMT</lastBuildDate>
        <link>https://www.techtarget.com/searchenterprisedesktop</link>
        <managingEditor>editor@techtarget.com</managingEditor>
        <item>
            <body>&lt;p&gt;Due to the growing popularity of AI-enabled development, the market for AI coding tools is getting increasingly crowded. Organizations can choose from context-aware integrated development environments (IDEs) and editors like Replit and Google Antigravity, autonomous coding agents such as Claude Code, coding assistants like &lt;a href="https://www.techtarget.com/searchsoftwarequality/news/366623845/New-GitHub-Copilot-agent-edges-into-DevOps"&gt;GitHub Copilot&lt;/a&gt; and Sourcegraph Cody, and generative AI (GenAI) platforms such as ChatGPT. Together, these tools are making custom development faster, easier and more accessible.&lt;/p&gt; 
&lt;p&gt;These benefits notwithstanding, this modern development approach also presents several limitations and challenges.&lt;/p&gt; 
&lt;p&gt;This article explores how AI lowers development barriers for three categories of enterprise software. It also unpacks the limitations of AI-assisted development and provides guidance to help organizations navigate the tradeoffs between building custom software and buying ready-made suites.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="UCC: Build or buy?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;UCC: Build or buy?&lt;/h2&gt;
 &lt;p&gt;A unified communications and collaboration (&lt;a href="https://www.techtarget.com/searchunifiedcommunications/definition/unified-communications-and-collaboration-UCC"&gt;UCC&lt;/a&gt;) platform integrates multiple communication capabilities into a single, centralized, cohesive ecosystem. This eases business collaboration and enables seamless communication mobility for remote or hybrid teams.&lt;/p&gt;
 &lt;h3&gt;Where custom AI shines&lt;/h3&gt;
 &lt;p&gt;AI tools accelerate UCC software development by automating coding, testing, debugging and even providing documentation so that companies can launch messaging, video calling, virtual whiteboards and other features much faster compared with traditional development approaches. With AI assistance, developers can easily create custom collaboration workflows, integrations, automations and features tailored to the needs of specific organizations. They can also use GenAI tools and AI agents to build custom chatbots, test and debug the platform and even prepare user documentation.&lt;/p&gt;
 &lt;h3&gt;Where suites win&lt;/h3&gt;
 &lt;p&gt;While AI is changing how organizations build, customize and optimize UCC platforms, readily available UCC platforms like Microsoft Teams and Zoom also offer several advantages, including prebuilt integrations to accelerate organization-wide UCC deployment and ease platform scalability.&lt;/p&gt;
 &lt;p&gt;Another advantage of buying a UCC suite is that UCC vendors manage all code updates. This lowers the customer firm's maintenance costs and reduces its operational complexity. Vendor-led maintenance can also help keep integrations and connections functional, relevant and reliable as connected systems evolve, though customers still need to govern configurations, APIs and custom workflows.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchunifiedcommunications/feature/Explore-unified-communication-products-for-your-organization"&gt;Popular UCC products&lt;/a&gt; include Microsoft Teams, &lt;a href="https://www.techtarget.com/searchunifiedcommunications/definition/Cisco-Webex"&gt;Cisco Webex&lt;/a&gt;, Zoom Workplace and Slack.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/microsoft_teams_phone_vs_cisco_webex_calling-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/microsoft_teams_phone_vs_cisco_webex_calling-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/microsoft_teams_phone_vs_cisco_webex_calling-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/microsoft_teams_phone_vs_cisco_webex_calling-f.png 1280w" alt="Table comparing Microsoft Teams Phone features against Cisco Webex Calling features" height="482" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Microsoft Teams and Cisco Webex are two popular collaboration platforms with integrated support, analytics and auto attendant features. 
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;What to consider&lt;/h3&gt;
 &lt;p&gt;AI tools can generate code for UCC platforms much faster than human developers. However, AI-generated code may contain inefficient logic that introduces latency and degrades user experience. AI tools can also create "buggy" or insecure code. A 2026 IOActive &lt;a href="https://www.ioactive.com/the-security-gap-in-ai-generated-code/" target="_blank" rel="noopener"&gt;report&lt;/a&gt; found that 31.6% of the AI-generated code samples it tested were fully vulnerable, with exploitable security flaws. The finding underscores the need for human review, secure development practices and security testing before AI-generated code reaches production.&lt;/p&gt;
 &lt;p&gt;AI-generated code can also be difficult to maintain over time if development teams lack visibility into how the code was produced. Dependence on proprietary AI development environments and intellectual property theft are some of the other risks of AI-assisted UCC development.&lt;/p&gt;
 &lt;p&gt;Of course, purchasing a commercial UCC product also involves certain tradeoffs between benefits and drawbacks.&lt;/p&gt;
 &lt;p&gt;For one, its features may not fully align with an organization's unique workflows or operational requirements. The organization could also face integration challenges when connecting custom workflows to other enterprise systems, such as CRM or ERP. Also, as business needs evolve, maintaining and updating custom features can increase long-term costs.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchdatacenter/definition/vendor-lock-in"&gt;Vendor lock-in&lt;/a&gt; is another significant drawback. Depending on a single UCC vendor limits an organization's flexibility. Migrating to a different vendor or product can also be costly. Off-the-shelf UCC suites also require ongoing governance to ensure compliance with data privacy and security standards.&lt;/p&gt;
&lt;/section&gt;               
&lt;section class="section main-article-chapter" data-menu-title="ERP and SCM: Build or buy?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;ERP and SCM: Build or buy?&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searcherp/definition/ERP-enterprise-resource-planning"&gt;ERP&lt;/a&gt; and supply chain management (&lt;a href="https://www.techtarget.com/searcherp/definition/supply-chain-management-SCM"&gt;SCM&lt;/a&gt;) platforms are critical for enabling companies to unify core processes, streamline operations, reduce costs and respond more effectively to business disruptions.&lt;/p&gt;
 &lt;h3&gt;Where custom AI shines&lt;/h3&gt;
 &lt;p&gt;AI enables companies to build custom modules and interfaces for ERP and SCM systems, particularly when standard systems do not address their specific business needs. AI simplifies the creation of automations and workflows within ERP and SCM, reducing manual development effort and operational costs. AI tools can also ease the integration of advanced demand forecasting tools and capabilities such as intelligent inventory optimization, anomaly detection and automated reporting.&lt;/p&gt;
 &lt;p&gt;Lenovo offers one example of how AI can support supply chain planning and disruption response. A May 2026 NC State University Supply Chain Resource Cooperative &lt;a href="https://scm.ncsu.edu/scm-articles/article/building-the-intelligent-supply-chain" target="_blank" rel="noopener"&gt;case study&lt;/a&gt; described Lenovo's in-house AI-powered supply chain platform, iChain, which uses company data and external signals to support risk sensing, planning and decision intelligence. In it, Jack Fiedler, Lenovo's senior vice president of global supply chain, described how the hardware supplier used AI to &lt;a href="https://www.computerweekly.com/news/366640549/AI-infrastructure-investment-in-the-Middle-East-enters-a-new-geopolitical-reality" target="_blank" rel="noopener"&gt;monitor geopolitical events&lt;/a&gt; and anticipate potential logistics disruptions, such as airspace closures, so teams could develop mitigation plans earlier.&lt;/p&gt;
 &lt;h3&gt;Where suites win&lt;/h3&gt;
 &lt;p&gt;While AI is transforming ERP and SCM development, it also has several limitations.&lt;/p&gt;
 &lt;p&gt;Building enterprise platforms internally -- even with user-friendly AI tools -- requires substantial, expensive human expertise across a wide variety of areas, including infrastructure, cybersecurity, governance and code maintenance. Another problem is that generic AI models lack visibility into firms' unique configurations, module interactions and master data hierarchies unless they are securely grounded in internal code, documentation and system context. This visibility gap could limit the system's reliability. It could also lead to data corruption and hinder cross-system decision-making.&lt;/p&gt;
 &lt;p&gt;AI-generated ERP/SCM architectures might contain security vulnerabilities, logic inconsistencies or governance gaps. Without rigorous human oversight and secure development controls, AI-generated code can introduce authorization gaps, injection risks, hardcoded credentials or other vulnerabilities into production environments. Finally, AI tools could generate obsolete or incorrect code, making it harder to maintain a reliable system in the long term.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Without rigorous human oversight and secure development controls, AI-generated code can introduce authorization gaps, injection risks, hardcoded credentials or other vulnerabilities into production environments. 
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;Companies can avoid these problems by investing in commercial ERP/SCM suites.&lt;/p&gt;
 &lt;p&gt;Mature, enterprise-grade ERP and SCM suites from reliable vendors are designed with industry-specific best practices baked in. These products reduce implementation timelines and risk. They also integrate numerous core processes and features into a centralized platform to reduce data silos and improve workflow coordination. Additionally, most vendors offer ongoing support in the form of system monitoring, continuous quality checks and security patches, so organizations don't need to maintain large, expensive in-house maintenance tools and teams.&lt;/p&gt;
 &lt;p&gt;Popular ERP platforms include SAP Cloud ERP, &lt;a href="https://www.techtarget.com/searcherp/news/366640636/Oracle-calls-Fusion-Agentic-Applications-next-level-AI-for-ERP"&gt;Oracle Fusion Cloud ERP&lt;/a&gt; and Microsoft Dynamics 365 Finance, while SAP Integrated Business Planning, Oracle Fusion Cloud SCM, Microsoft Dynamics 365 Supply Chain Management and Blue Yonder are major SCM or supply chain planning options.&lt;/p&gt;
 &lt;h3&gt;What to consider&lt;/h3&gt;
 &lt;p&gt;Off-the-shelf products might not fully align with an organization's unique operational workflows or integrate well with its legacy systems, so enterprises might need to build, update and manage custom-built components. These activities require specialized, hard-to-find talent that can increase operational costs.&lt;/p&gt;
 &lt;p&gt;Another challenge: If the workflows and modules are not properly maintained or integrated with core systems, the organization's technical debt could increase. Poor integration -- especially in combination with weak governance -- can also create security or compliance issues, increasing the risk of data loss and compliance violations.&lt;/p&gt;
&lt;/section&gt;                
&lt;section class="section main-article-chapter" data-menu-title="CX: Build or buy?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;CX: Build or buy?&lt;/h2&gt;
 &lt;p&gt;Customer experience (&lt;a href="https://www.techtarget.com/searchcustomerexperience/definition/customer-experience-CX"&gt;CX&lt;/a&gt;) platforms collect and analyze customer feedback, behavioral signals, service interactions and journey data to help companies reduce friction in customer journeys and deliver more personalized, consistent experiences.&lt;/p&gt;
 &lt;h3&gt;Where custom AI shines&lt;/h3&gt;
 &lt;p&gt;GenAI- and agentic AI-powered development tools are increasingly transforming how organizations build CX platforms. AI tools reduce the time and effort required to launch, enhance or modernize them. Organizations can also incorporate advanced capabilities into the platforms, such as intelligent routing, real-time customer insights, personalized recommendation engines or sentiment analysis dashboards. Additionally, developers can use AI to improve customer engagement across digital channels by setting up automated chatbots.&lt;/p&gt;
 &lt;p&gt;Vodafone offers one example of AI-enabled customer care development. Using Microsoft's GenAI tools, the company developed SuperTOBi and SuperAgent to improve customer self-service and help customer care agents respond to complex queries more efficiently.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/key_attributes_of_agentic_ai_vs_generative_ai-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/key_attributes_of_agentic_ai_vs_generative_ai-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/key_attributes_of_agentic_ai_vs_generative_ai-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/key_attributes_of_agentic_ai_vs_generative_ai-f.png 1280w" alt="Table comparing agentic and generative AI key attributes" height="330" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Advances in both agentic AI and GenAI are transforming the development of CX platforms.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;Where suites win&lt;/h3&gt;
 &lt;p&gt;While AI can be a game-changer for CX platform development, relying heavily on AI tools may create several problems for organizations, including security and compliance risks. CX AI systems often need access to large volumes of customer interaction data for grounding, personalization, evaluation or fine-tuning, which raises privacy, security and governance requirements. Without strong security guardrails, human oversight and governance, this data is vulnerable to manipulation and theft, opening up serious compliance and legal liabilities for organizations.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Security-risks-of-AI-generated-code-and-how-to-manage-them"&gt;AI-generated code might also contain hidden security vulnerabilities&lt;/a&gt; or flawed logic that could affect the platform's reliability. Additionally, AI-generated code might not properly connect with other enterprise systems, such as CRM or marketing automation. Integration gaps can lead to incomplete or outdated customer records or broken workflows, resulting in fragmented or inconsistent CX and potentially damaging customer trust and brand reputation. Lastly, AI-generated CX architectures could be difficult and expensive to troubleshoot and maintain, particularly in complex enterprise environments with dense integrations and evolving requirements.&lt;/p&gt;
 &lt;p&gt;CX suites can help companies to avoid the challenges of AI-assisted development. Commercial products provide prebuilt integrations, eliminating the need for costly custom development and enabling seamless syncing of data across all departments, business systems (e.g., CRM, ticketing systems) and communication channels.&lt;/p&gt;
 &lt;p&gt;Many platforms also provide numerous mature capabilities out of the box, such as customer journey orchestration, sentiment analysis, predictive recommendations, analytics, personalization, workflow automation and chatbots. These capabilities enable organizations to better understand customers and meet their CX expectations -- without significantly increasing implementation timelines, cost or risk. Additionally, CX platforms from established vendors typically include security, privacy and compliance controls that can help organizations meet regulatory obligations, but customers still need to configure, govern and document how customer data is processed.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/whatis/feature/Best-customer-experience-management-software"&gt;Popular CX platforms&lt;/a&gt; include &lt;a href="https://www.techtarget.com/searchcustomerexperience/news/366643472/Zendesk-adds-AI-tools-in-pursuit-of-autonomous-service"&gt;Zendesk&lt;/a&gt;, Qualtrics CustomerXM, Salesforce Service Cloud and Adobe Experience Cloud.&lt;/p&gt;
 &lt;h3&gt;What to consider&lt;/h3&gt;
 &lt;p&gt;Significant human effort and expertise may be needed to integrate custom CX offerings with some business systems. Also, customization can be limited by vendor architecture, licensing models and integration constraints, preventing organizations from tailoring the system to their unique workflows or customer segments. Thirdly, organizations might incur additional costs to scale custom features to handle increased customer data and traffic, add third-party digital channels, and maintain and update the platform.&lt;/p&gt;
 &lt;p&gt;Lastly, they might have limited control over how the platform processes sensitive customer data. In-house governance weaknesses could make it difficult to manage data privacy and ensure compliance with stringent regulations such as GDPR.&lt;/p&gt;
&lt;/section&gt;               
&lt;section class="section main-article-chapter" data-menu-title="Which approach is better?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Which approach is better?&lt;/h2&gt;
 &lt;p&gt;To choose the right paradigm, leaders need to carefully weigh the benefits of each against its tradeoffs in governance, integration, staffing, technical debt and ongoing costs. It is equally important to ensure that build vs. buy decisions align with broader business objectives and operational realities.&lt;/p&gt;
 &lt;p&gt;Organizations pursuing AI-driven innovation can realize significant benefits. However, AI also shifts governance, integration responsibility and long-term cost management &lt;i&gt;back&lt;/i&gt; onto the enterprise. The key to low-risk AI-enabled development is to adopt a strategic approach that balances opportunity with risk. By doing so, organizations can create successful, AI-forward operating models.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Rahul Awati is a PMP-certified project manager with IT infrastructure experience spanning storage, compute and enterprise networking.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>AI is making custom development more accessible, but it also shifts governance, integration responsibility and long-term cost back onto the enterprise.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/collab_a275903017.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/feature/How-AI-is-reshaping-the-software-build-vs-buy-decision</link>
            <pubDate>Fri, 12 Jun 2026 14:58:00 GMT</pubDate>
            <title>How AI is reshaping the software build vs. buy decision</title>
        </item>
        <item>
            <body>&lt;p&gt;The Windows 10 Print Management Utility, better known as the Print Management Console, has been a part of the Windows operating system for decades, so it's critical to ensure this utility is accessible.&lt;/p&gt; 
&lt;p&gt;This console can help desktop administrators with numerous settings such as hardware preferences and default printers.&lt;/p&gt; 
&lt;p&gt;However, IT professionals might run into an issue where the Print Management Console is missing from their Windows deployments. As a desktop administrator, you should make sure you can&amp;nbsp;&lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-Windows-11-Print-Management-can-fix-printer-issues"&gt;access the Print Management Console&lt;/a&gt;&amp;nbsp;and know what to do when the console is inaccessible.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How to access the Print Management Console"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to access the Print Management Console&lt;/h2&gt;
 &lt;p&gt;In the past, the Print Management Console was installed within Windows 10 by default. To find out whether this console exists on your system, right-click on the&amp;nbsp;&lt;b&gt;Start&lt;/b&gt;&amp;nbsp;button and then click&amp;nbsp;&lt;b&gt;Run&lt;/b&gt;.&lt;/p&gt;
 &lt;p&gt;Next, enter the&amp;nbsp;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;PrintManagement.msc&lt;/span&gt;&amp;nbsp;command at the Run prompt. If the Print Management Console is installed, you will see it open, as shown in Figure 1.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_1-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_1-f.jpg 1280w" alt="A screenshot of the command to run the Print Management Console in Windows 10." data-credit="Brien Posey" height="432" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 1. The Print Management Console that pops up after running the command.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What are the Print Management Console use cases?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the Print Management Console use cases?&lt;/h2&gt;
 &lt;p&gt;For some, the Print Management Console's absence is a nonissue. After all, Windows 10 enables you to install and use printers without having to open the Print Management Console. Even so, the tool can be extremely useful for Windows administrators.&lt;/p&gt;
 &lt;p&gt;Although many IT professionals are quick to dismiss the Print Management Console as being one of those tools that exists&amp;nbsp;&lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Explore-print-server-alternatives-to-avoid-IT-headaches"&gt;mostly for use on server&lt;/a&gt;&amp;nbsp;OSes, it definitely has its place within a desktop-centric environment.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    You can use the Print Management Console to update device drivers and configure all the various print settings.
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;For example, the console simplifies the process of working with multiple printers. Rather than having to navigate the Printers and Scanners settings or the legacy Control Panel -- which Microsoft plans to eventually &lt;a target="_blank" href="https://support.microsoft.com/en-us/windows/system-configuration-tools-in-windows-f8a49657-b038-43b8-82d3-28bea0c5666b" rel="noopener"&gt;remove&lt;/a&gt;&amp;nbsp;from Windows -- the Print Management Console acts as a single pane of glass interface for managing all of your printers.&lt;/p&gt;
 &lt;p&gt;These printers don't have to be directly attached to your PC. Network printers are also exposed through the Print Management Console. You can use the Print Management Console to update device drivers and configure all the various print settings.&lt;/p&gt;
 &lt;p&gt;Another reason why the Print Management Console is so useful is that it enables access to the print queues for individual printers -- or print devices, as Microsoft likes to call them -- so you can see the individual jobs that exist within the print queue. You can delete a "stuck" print job if necessary. You can also cancel a print job or even change the order in which print jobs will be printed.&lt;/p&gt;
 &lt;p&gt;Microsoft lets you use the Print Management Console to apply access controls and other security settings to individual printers. For example, if you have a printer that's expensive to operate or used for a special purpose, such as printing checks, you can use the console to control who's allowed to print to the printer. You can also control who's allowed to manage the documents within the print queue.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Why is the Print Management Console missing?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is the Print Management Console missing?&lt;/h2&gt;
 &lt;p&gt;There are two main reasons why the Print Management Console might be missing from your Windows 10 deployment. The first reason is that not every Windows edition includes the utility. You can find the Print Management Console in&amp;nbsp;Windows 10 Pro, Enterprise, and Education. However, it's not included with Windows 10 Home.&lt;/p&gt;
 &lt;p&gt;Additionally, the Print Management Console is technically an optional feature as of Windows 10 version 2004 -- the May 2020 update. In other words, as of that release, the utility is no longer installed by default.&lt;/p&gt;
 &lt;p&gt;In some cases, you might find that a Windows 10 device still includes the Print Management Console in spite of running a&amp;nbsp;build that is newer than 2004. Assuming the Print Management Console wasn't manually installed, this could happen if the PC was originally running an older Windows 10 build but was later upgraded to a more current build. In some circumstances, you might discover that the update process did not cause the Print Management Console to be removed.&lt;/p&gt;
 &lt;p&gt;However, if the installation media used for deploying a machine's original Windows 10 installation is build 2004 or higher, then the Print Management Console will not be installed by default. In these situations, you'll need to manually install the console.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How to install the Print Management Console"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to install the Print Management Console&lt;/h2&gt;
 &lt;p&gt;If you find that the Print Management Console is missing from your Windows 10 deployment, there are two techniques you can use to install it. Keep in mind that both methods require running a supported Windows 10 edition and that the Print Management Console isn't supported on Windows 10 Home.&lt;/p&gt;
 &lt;h3&gt;Install the Print Management Console with PowerShell&lt;/h3&gt;
 &lt;p&gt;The first technique for installing the Print Management Console&amp;nbsp;involves Windows PowerShell. Begin by opening an elevated PowerShell session. Then, enter the following command:&lt;/p&gt;
 &lt;pre class="language-powershell"&gt;&lt;code&gt;Get-WindowsCapability -Name "Print.Management.Console*" -Online | Add-WindowsCapability -Online&lt;/code&gt;&lt;/pre&gt;
 &lt;p&gt;This command will install the Print Management Console (Figure 2).&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_2-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_2-f.jpg 1280w" alt="A screenshot of Windows PowerShell showing the command to install the Print Management Console." data-credit="Brien Posey" height="228" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 2. The PowerShell command that installs the Print Management Console on Windows desktops that can support it.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;Install the Print Management Console through the Windows GUI&lt;/h3&gt;
 &lt;p&gt;If you would prefer not to have to use the Windows command line, you can install the Print Management Console from the Windows desktop. To do so, open &lt;b&gt;Settings&lt;/b&gt; and click on&amp;nbsp;&lt;b&gt;System&lt;/b&gt;. Next, click on the&amp;nbsp;&lt;b&gt;Optional Features&lt;/b&gt;&amp;nbsp;tab. Now, scroll through the list of optional features until you locate the Print Management Console. Select the Print Management Console checkbox and then click the&amp;nbsp;&lt;b&gt;Add&amp;nbsp;&lt;/b&gt;button (Figure 3).&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_3-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/windows_print_management_missing_3-f.jpg 1280w" alt="A screenshot of a Windows 10 desktop with the box to add the Print Management Console checked." data-credit="Brien Posey" height="436" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 3. The option to add the Print Management Console through the Optional features settings menu.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;Upon doing so, the Print Management Console will install.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America. &lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>IT administrators might need to find the Print Management Console for a variety of reasons, but sometimes it's nowhere to be found. Learn the steps to take in a situation like this.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/wfh_a382773067.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/What-to-do-when-Windows-10-Print-Management-is-missing</link>
            <pubDate>Thu, 04 Jun 2026 12:31:00 GMT</pubDate>
            <title>What to do when Windows 10 Print Management is missing</title>
        </item>
        <item>
            <body>&lt;p&gt;Some of the most common causes for Windows 11 upgrade failure are incompatible hardware or firmware. With hardware, it's usually the CPU that's incompatible. With firmware, the issue could be Unified Extensible Firmware Interface (&lt;a href="https://www.techtarget.com/whatis/definition/Unified-Extensible-Firmware-Interface-UEFI"&gt;UEFI&lt;/a&gt;), Secure Boot or Trusted Platform Module (&lt;a href="https://www.techtarget.com/whatis/definition/trusted-platform-module-TPM"&gt;TPM&lt;/a&gt;).&lt;/p&gt; 
&lt;p&gt;As a desktop administrator, you need to know what UEFI is and why Secure Boot and TPM are so important. This will help you to better support Windows 11 desktops, understand why these components cause Windows 11 installation to fail and learn workarounds to install Windows 11.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Windows 11 and Secure Boot requirements"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Windows 11 and Secure Boot requirements&lt;/h2&gt;
 &lt;p&gt;For important context, you should keep Windows 11 requirements in mind, including TPM and UEFI requirements.&lt;/p&gt;
 &lt;p&gt;You can use the PC Health Check tool included in Windows 10 to &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/3-tools-to-check-Windows-11-update-compatibility"&gt;determine Windows 11 compatibility&lt;/a&gt; for existing devices. Failure to install Windows 11 is probably due to incompatibility with system requirements such as the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Approved CPU.&lt;/li&gt; 
  &lt;li&gt;TPM 2.0 enabled.&lt;/li&gt; 
  &lt;li&gt;4 GB of RAM.&lt;/li&gt; 
  &lt;li&gt;64 GB of storage or hard disk space.&lt;/li&gt; 
  &lt;li&gt;UEFI firmware.&lt;/li&gt; 
  &lt;li&gt;Internet connectivity.&lt;/li&gt; 
  &lt;li&gt;Windows 10 version 2004 or later.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Some of these requirements are very straightforward, such as internet connectivity and the specified version of Windows 10. The requirements for UEFI and TPM, however, raise more questions.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="What's the difference between BIOS and UEFI?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What's the difference between BIOS and UEFI?&lt;/h2&gt;
 &lt;p&gt;The Windows desktop&amp;nbsp;&lt;a href="https://www.techtarget.com/whatis/definition/BIOS-basic-input-output-system"&gt;BIOS&lt;/a&gt;&amp;nbsp;provides a low-level ability for OSes and applications to communicate with hardware such as the CPU, disk drives and network adapters. BIOS provides hardware initialization during boot and was created with the first IBM-compatible PCs in the 1970s. While BIOS was originally stored in&amp;nbsp;&lt;a href="https://www.techtarget.com/whatis/definition/read-only-memory-ROM"&gt;ROM&lt;/a&gt;&amp;nbsp;chips, it eventually moved to flash memory to enable updates and features required for new hardware.&lt;/p&gt;
 &lt;p&gt;Pressing F1, F2 or F12 -- depending on the manufacturer -- will bring up a management program that administrators still refer to as "the BIOS." This will happen before Windows starts up. The BIOS program lets users configure hardware by enabling certain boot features, security features, virtualization, hard drive testing and more.&lt;/p&gt;
 &lt;p&gt;BIOS only has 1 MB of executable space to start devices such as hard disks, USB drives, displays, ports and other controllers. New hardware devices are beyond the scope of the original BIOS design, making booting slow and inefficient. In addition, BIOS enabled any software with a bootloader to boot up the PC. Any skilled engineer could write this so that it could take over the PC.&lt;/p&gt;
 &lt;p&gt;While these limitations were known for decades, it took until 2007 for OEMs to agree to use UEFI as a replacement for BIOS. While Microsoft supported the specification as early as Windows 8, it wasn't required until Windows 11, even though peripherals such as disk drives might have already required UEFI.&lt;/p&gt;
 &lt;p&gt;UEFI has several significant features, including the following:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;UEFI stores code in non-volatile memory, which could be RAM, a file on a hard drive or even a network share. Note that the EFI folder on a Windows PC, located in the &lt;i&gt;\Windows\Boot\EFI&lt;/i&gt; directory structure, contains .efi and .dll files, among others required by the hardware.&lt;/li&gt; 
  &lt;li&gt;UEFI uses the &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/GUID-global-unique-identifier"&gt;GUID&lt;/a&gt; Partition Table standard, which supports up to an 18 exabyte hard disk for 64-bit systems. BIOS, on the other hand, only supports disk size up to 2.2 TB, which is also a function of a 32-bit system. Windows now only runs on 64-bit systems to take advantage of UEFI and larger capacity storage devices, and it has a practical limit of 16 TB disks.&lt;/li&gt; 
  &lt;li&gt;UEFI contains a feature called Secure Boot. Secure Boot limits a PC to boot only a specific OS.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="What are Secure Boot and the Trusted Platform Module used for?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are Secure Boot and the Trusted Platform Module used for?&lt;/h2&gt;
 &lt;p&gt;Secure Boot and TPM are frequently used interchangeably, especially when viewing diagnostic tools and BIOS menu settings. TPM is the hardware or firmware enablement of Secure Boot features.&lt;/p&gt;
 &lt;h3&gt;What is Secure Boot?&lt;/h3&gt;
 &lt;p&gt;Secure Boot is a UEFI security standard that an OEM or an administrator can configure in firmware so that a PC boots only a trusted OS. It first became available as a feature in UEFI in 2016, about the time of Windows 8. Thus, all PCs built since then most likely support Secure Boot.&lt;/p&gt;
 &lt;p&gt;This limits which OS a PC can boot and prevents rogue boot loaders from booting to an unapproved or malicious OS to take over the machine. It also effectively lets an organization restrict PCs to only boot a desired OS. For example, an organization might&amp;nbsp;restrict some PCs to running Linux&amp;nbsp;and others to Windows, based on the applications used. Microsoft enforces Secure Boot on Windows 11 machines to enable this security feature.&lt;/p&gt;
 &lt;p&gt;To determine if a Windows installation has Secure Boot enabled, open MSInfo32.exe or enter&amp;nbsp;&lt;i&gt;System Information&lt;/i&gt;&amp;nbsp;in the Windows search bar. Look for&amp;nbsp;&lt;i&gt;Secure Boot State&lt;/i&gt;&amp;nbsp;and note the status (Figure 1).&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/windows_eleven_secure_boot_2-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/windows_eleven_secure_boot_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/windows_eleven_secure_boot_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/windows_eleven_secure_boot_2-f.jpg 1280w" alt="The System Summary menu within the System Information utility shows basic information for several Windows settings." data-credit="Gary Olsen" height="374" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 1. The System Information utility shows Secure Boot enabled on this PC.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;The status will be one of the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Unsupported.&lt;/b&gt;&amp;nbsp;Secure Boot is unsupported on the PC, probably due to the PC being too old.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;On.&lt;/b&gt;&amp;nbsp;Secure Boot is supported and enabled.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Off.&lt;/b&gt;&amp;nbsp;Secure Boot is supported but not enabled.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Secure Boot is enabled or disabled within the BIOS program. Depending on the OEM, this might be called Secure Boot or TPM.&lt;/p&gt;
 &lt;h3&gt;What is a Trusted Platform Module?&lt;/h3&gt;
 &lt;p&gt;A TPM is a chip -- or a function built into more modern CPU chips and graphics cards -- installed in the motherboards of computers to provide cryptographic services. The UEFI makes Secure Boot through TPM possible. The TPM performs functions such as managing, storing and&amp;nbsp;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Cryptography-basics-Symmetric-key-encryption-algorithms"&gt;creating the cryptographic keys&lt;/a&gt;&amp;nbsp;that generate device signatures.&lt;/p&gt;
 &lt;p&gt;The PC checks these signatures during boot to validate that the devices, any drives and even OS software are allowed. If not, TPM prevents them from loading. This is done using public and private encryption keys stored in the hardware, and the process protects PCs from malware because an attacker can't modify those keys.&lt;/p&gt;
 &lt;p&gt;TPM 2.0 is the latest version of this technology and a requirement for Windows 11. You can verify its presence on any Windows PC by opening TPM.msc to see if it's enabled (Figure 2).&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/windows_eleven_secure_boot_4-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/windows_eleven_secure_boot_4-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/windows_eleven_secure_boot_4-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/windows_eleven_secure_boot_4-f.jpg 1280w" alt="The Trusted Platform Module settings on a local computer show TPM 2.0 is present." data-credit="Gary Olsen" height="246" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 2. TPM.msc shows TPM 2.0 is present.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;If the tool shows TPM 1.2, the PC won't pass Windows 11 requirements for installation. If the tool doesn't open, then TPM isn't enabled.&lt;/p&gt;
 &lt;p&gt;To enable TPM, boot the machine into the BIOS tool, navigate to the TPM option and ensure the field is enabled. This is typically under the&amp;nbsp;Security&amp;nbsp;settings, but it can be called different things by different OEMs, so look carefully and refer to available &lt;a target="_blank" href="https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview" rel="noopener"&gt;documentation&lt;/a&gt; if necessary.&lt;/p&gt;
&lt;/section&gt;                 
&lt;section class="section main-article-chapter" data-menu-title="Tricking Windows 11 into installing on an old, unsupported machine"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Tricking Windows 11 into installing on an old, unsupported machine&lt;/h2&gt;
 &lt;p&gt;The internet is full of well-meaning hackers who show how to install Windows 11 on an older machine. However, some of these methods are extremely unreliable, as they cause the OS to run using a method that Microsoft doesn't endorse or support.&lt;/p&gt;
 &lt;p&gt;Microsoft provides the ability to install Windows 11 outside the Windows Upgrade utility. You can even perform an install from media operation&amp;nbsp;&lt;a target="_blank" href="https://www.microsoft.com/software-download/windows11" rel="noopener"&gt;using&lt;/a&gt;&amp;nbsp;the Windows 11 file. However, these methods still depend on conforming to system requirements and could present continuity and security risks.&lt;/p&gt;
 &lt;h3&gt;Should you bypass Windows 11 install requirements?&lt;/h3&gt;
 &lt;p&gt;Bypassing the requirements isn't a big risk if you're only an enthusiast who enjoys getting an old device to load Windows when it isn't supposed to. However, if you're an enterprise desktop administrator, this can have significant consequences due to the following issues:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Disabling Secure Boot in the UEFI&amp;nbsp;reverts the system to the old BIOS, increasing the risk of malware.&lt;/li&gt; 
  &lt;li&gt;Ignoring Windows 11 updates and running old OS versions eliminates the Secure Boot requirement needed to run specific hardware and might leave your fleet of PCs open to malware attacks.&lt;/li&gt; 
  &lt;li&gt;Manipulating the installation -- for example, editing dynamic link libraries -- creates significant problems for anyone trying to provide support for those PCs. Making these changes and supporting these hacked PCs isn't practical, even if it works. Eliminating the cyberdefense provided by Secure Boot will result in additional security challenges as well.&lt;/li&gt; 
  &lt;li&gt;Adding TPM chips or updated CPUs to motherboards that don't have them might not work. This requires special skills and isn't practical to do on a large number of PCs.&lt;/li&gt; 
  &lt;li&gt;Even if you can get Windows 11 to run on a machine that doesn't meet system requirements, it might not provide the expected performance.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;For security and functionality to meet enterprise standards, organizations should migrate to Windows 11 through supported methods. Challenges and errors can still occur, but &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-plan-a-Windows-11-upgrade-project"&gt;strategic upgrade preparation&lt;/a&gt; helps to ensure the best outcomes and minimize risk.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Gary Olsen has worked in the IT industry since 1983 and holds a Master of Science in computer-aided manufacturing from Brigham Young University. He was on Microsoft's Windows 2000 beta support team for Active Directory from 1998 to 2000 and has written two books on Active Directory and numerous technical articles for magazines and websites.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>When organizations upgrade to Windows 11, they encounter several unique requirements, including TPM 2.0, UEFI and Secure Boot. Learn how to handle these requirements.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/folder-files13.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-fix-Windows-11-when-Secure-Boot-and-TPM-dont-work</link>
            <pubDate>Wed, 27 May 2026 12:47:00 GMT</pubDate>
            <title>How to fix Windows 11 when Secure Boot and TPM don't work</title>
        </item>
        <item>
            <body>&lt;p&gt;I recently conducted &lt;a href="https://research.esg-global.com/reportaction/515202191/Marketing?"&gt;research&lt;/a&gt; into browser management and security with my network security and zero trust counterpart, John Grady, and there were some fascinating takeaways.&lt;/p&gt; 
&lt;p&gt;John and I both look at browsers from different angles. For me, the browser is an application that now accesses dozens of other apps and extensions. For John, the browser is a secure access platform that's tightly &lt;a href="https://www.techtarget.com/searchsecurity/opinion/NetworkSecurity-predictions"&gt;aligned with organizational zero-trust initiatives&lt;/a&gt;. John will likely have his own things to say about the research, so stay tuned to his work, too.&lt;/p&gt; 
&lt;p&gt;From my perspective, one of the top things that stood out was ecosystem diversity. Although I always kind of knew that it was crazy out there, it's nice to be able to quantify it. So, in this post, I'll go over a few of the key findings from the app ecosystem.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="On average, Windows apps browser apps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;On average, Windows apps outnumber browser apps&lt;/h2&gt;
 &lt;p&gt;It's understandable to think that the world is comprised of browser apps today, so one of the first areas I wanted to address was the prevalence of both Windows and browser-based apps (sometimes called "SaaS" apps, but &lt;a href="https://www.techtarget.com/whatis/video/An-explanation-of-software-as-a-service-SaaS"&gt;SaaS is a license model&lt;/a&gt;, so we went with "browser-based"). On average, organizations report roughly 126 Windows-based applications in use, compared to about 109 browser-based applications. I had to double-check the math, but it's correct. The IT and cybersecurity respondents to this research estimate that Windows apps still outnumber browser apps. Even for an old Windows guy like me, that was surprising.&lt;/p&gt;
 &lt;p&gt;Things became a bit clearer when we asked how much time the typical knowledge worker spends using a web browser each day. 64% of respondents said their users spend more than half their day in the browser, which works out to an average 56% of the day spent in the browser. So Windows apps persist, but browsers are used more.&lt;/p&gt;
 &lt;p&gt;What we found anecdotally in conversations after conducting the research is that browser usage versus locally installed app usage is very dependent on the use case and persona. I'm a creator in an organization that's largely Microsoft Office-dependent, and I couldn't do my job without locally installed apps. I'd put myself at 75-80% in locally installed applications. But other people are nearly 100% browser-based.&lt;/p&gt;
 &lt;p&gt;So, we finally answered that question. Too bad it doesn't matter, because we're still stuck delivering, managing and securing all of these. It's good to know where to look, though.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Unmanaged browsers could be an evolving blind spot"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Unmanaged browsers could be an evolving blind spot&lt;/h2&gt;
 &lt;p&gt;When we asked about organizational browser support, it was no surprise that Chrome and Edge came out on top with 88% and 84% of organizations, respectively. The more interesting takeaway is that Safari and Firefox are in widespread, often unsupported use. While Safari is formally supported by 46% and Firefox by 43%, there's an awful lot of unsupported usage of both -- 26% for Safari and 32% for Firefox. This could indicate a &lt;a href="https://www.techtarget.com/searchsecurity/tip/Browser-detection-and-response-fills-gaps-in-security-programs"&gt;browser management and security&lt;/a&gt; blind spot, and it's potentially troubling for a few reasons:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Lack of awareness or visibility.&lt;/b&gt; If you're not aware of the browsers, it's difficult to ensure they get updates and maintain a strong security posture. Sure, there are ways to mitigate this, but knowing where to look is always helpful.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Extensions.&lt;/b&gt; Without getting too far off track, browser extensions and their management are a bit of a mixed bag. Extensions can be very powerful, but they can also &lt;a href="https://www.techtarget.com/searchsecurity/tip/Common-browser-attacks-and-how-to-prevent-them"&gt;expand the risk profile of a device or browser&lt;/a&gt;. Unmanaged browsers lead to unmanaged extensions, which, again, come back to visibility.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Shadow IT and shadow AI.&lt;/b&gt; Unmanaged browsers might just be in use because, for example, the organization standardized on Chrome while the user has a MacBook that defaults to Safari. But multiple browsers -- and unsupported browser usage -- can enable activities that IT perhaps would rather tamp down.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;To be clear, I'm not saying the house is on fire. But this kind of fragmentation, coupled with browser app usage numbers and some of the data on how browsers and extensions are managed, makes me think we should pay a bit more attention to this space. As we become more dependent on the browser as the primary interface to apps during the day, we should try to make sure we have a complete picture of what these apps are, what they're accessing and what else can see them (extensions).&lt;/p&gt;
 &lt;p&gt;We also asked about &lt;a href="https://www.techtarget.com/searchenterprisedesktop/opinion/How-AI-and-the-browser-will-change-end-user-IT-in-2026"&gt;AI browsers&lt;/a&gt;. Given that this research was fielded between December 2025 and January 2026, AI browsers were still relatively new to the market. We got some mixed signals that suggest excitement but some overconfidence in their enterprise readiness. Whether that takes the shape of purpose-built browsers like Comet or Atlas, or AI features embedded into Chrome and Edge, remains to be seen. I'd place my bets on the latter.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="VDI and DaaS usage"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;VDI and DaaS usage&lt;/h2&gt;
 &lt;p&gt;I often hear an anti-VDI story from modern secure browsing vendors, so I wanted to specifically ask about the VDI and DaaS environments in use. What I learned should not be surprising to anyone who relies on VDI and DaaS.&lt;/p&gt;
 &lt;p&gt;Very few VDI and DaaS environments are used primarily for delivering browser-based applications. Overall, 52% of respondents surveyed said they use VDI or DaaS to deliver browser apps. Of those, 53% described their environment as a balanced mix of Windows apps, desktops and browser-based applications. 28% said they deployed mostly Windows desktops or apps as opposed to browsers.&lt;/p&gt;
 &lt;p&gt;Just 18% said they deployed "mostly browser-based applications," and only 1% said they solely used VDI/DaaS to deliver browser apps.&lt;/p&gt;
 &lt;p&gt;This leaves me with two main perspectives to share:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;To the vendors: VDI and DaaS environments are complex and extremely Windows-oriented. While there might be an opportunity to reduce VDI footprints by offloading browser apps, the process of extricating a workload from those environments might not be worth it to the customer, who is also often heavily invested in their existing infrastructure and licensing. Be willing to work with customers and remember that all it takes is one Windows app to mess up a "replace your VDI" story.&lt;/li&gt; 
  &lt;li&gt;To the organizations: There are good alternatives if you find yourself hanging on to VDI just to deliver browser apps, or if parts of your environment are solely dedicated to browser apps. But it's also OK to leave well enough alone, especially if cost and complexity aren't your sole motivator. Still, there is a lot that can be done to get out in front of the abundance of browsers and browser apps in use across the organization. If you haven't started paying attention, the time is now.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Conclusion"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Conclusion&lt;/h2&gt;
 &lt;p&gt;While browser apps have certainly displaced several Windows apps, there's a roughly even mix of Windows and browser-based apps deployed in organizations. The reality is the same as ever: If you could have moved your Windows apps to browser-based apps by now, you probably would have, so the Windows apps that you have today are probably stuck with you for a while. AI might change some of that by making it easier to convert Windows apps to browser-based apps (especially those internally-developed monsters), but it's also possible we'll see a resurgence of local app usage if AI inference moves closer to endpoint devices.&lt;/p&gt;
 &lt;p&gt;Regardless of which app type is used more, each of these apps needs to be managed and secured. A key consideration is that the management and security model for browser-based apps is different. The browser itself is an app that's used to access many other apps and services. In that way, it's &lt;a href="https://www.techtarget.com/searchenterprisedesktop/opinion/Your-browser-is-an-AI-enabled-OS-so-secure-it-like-one"&gt;a bit like an OS&lt;/a&gt;, which makes extensions a bit like apps of their own.&lt;/p&gt;
 &lt;p&gt;In a future post, we'll look at how browsers and extensions are managed, but for now, I'll leave you with this: The research shows there's still a pretty &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Combatting-enterprise-app-sprawl-on-desktop-systems"&gt;wide spectrum of apps in use&lt;/a&gt;, and app usage appears to differ greatly between user personas. A newer organization might be more browser-dependent. An older organization might be more Windows-dependent. It is, and will continue to be, a mixed bag.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Gabe Knuth is the principal analyst covering end-user computing for Omdia.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Omdia is a division of Informa TechTarget. Its analysts have business relationships with technology vendors.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>New Omdia research reveals Windows apps still outnumber browser apps in organizations, while unmanaged browsers like Safari and Firefox create potential security blind spots.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/maze_g1333061126.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/opinion/What-browser-research-tells-us-about-the-app-landscape</link>
            <pubDate>Mon, 18 May 2026 22:39:00 GMT</pubDate>
            <title>What browser research tells us about the app landscape</title>
        </item>
        <item>
            <body>&lt;p&gt;Vendors say autonomous endpoint management uses AI to handle devices without IT intervention. Enterprise organizations, meanwhile, need to separate real innovation from marketing hype.&lt;/p&gt; 
&lt;p&gt;Managing endpoint environments has always been a complicated process. However, the degree of &lt;a href="https://www.techtarget.com/searchenterprisedesktop/feature/The-new-geography-of-enterprise-risk"&gt;complexity has increased in recent years&lt;/a&gt; due to a variety of factors, including device sprawl, hybrid work and multi-platform endpoint use. At the same time, enterprise IT departments are under ever-increasing pressure to deliver faster deployment cycles and better security, while continuing to&amp;nbsp;operate&amp;nbsp;within a strict regulatory environment.&lt;/p&gt; 
&lt;p&gt;Some vendors are positioning autonomous endpoint management software as the best option for coping with these challenges. IT leaders must carefully consider whether this is truly a new category of IT tool, delivering new and much-needed capabilities, or if it's simply a rebranding of the same features that have been widely available for years.&amp;nbsp;&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is autonomous endpoint management?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is autonomous endpoint management?&lt;/h2&gt;
 &lt;p&gt;Autonomous endpoint management, or&amp;nbsp;AEM,&amp;nbsp;is a broad category of software&amp;nbsp;that is designed for hands-off endpoint monitoring and management. Vendors use a &lt;a target="_blank" href="https://www.forrester.com/blogs/tanium-converge-2025-strategy-shifts-beyond-endpoint-management-to-autonomous-it/" rel="noopener"&gt;variety of names&lt;/a&gt; to describe these capabilities. Some of the more&amp;nbsp;frequently&amp;nbsp;used terms include &lt;i&gt;autonomous IT&lt;/i&gt;, &lt;i&gt;autonomous workspace&lt;/i&gt;, &lt;i&gt;self-driving IT&lt;/i&gt; and &lt;i&gt;AI-driven endpoint operations&lt;/i&gt;.&lt;/p&gt;
 &lt;p&gt;AEM capabilities can differ from one vendor's product to the next,&amp;nbsp;but by&amp;nbsp;and large, AEM software incorporates four main capabilities:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Continuous &lt;a href="https://www.darkreading.com/endpoint-security/visibility-monitoring-key-to-enterprise-endpoint-strategy"&gt;monitoring of endpoints&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Automated detection of problems, policy drift or compliance violations.&lt;/li&gt; 
  &lt;li&gt;Automatic remediation of detected issues.&lt;/li&gt; 
  &lt;li&gt;Automatic application of security and compliance policies.&amp;nbsp;&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What is the difference between &amp;quot;automated&amp;quot; and &amp;quot;autonomous&amp;quot;?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the difference between "automated" and "autonomous"?&lt;/h2&gt;
 &lt;p&gt;Automated endpoint management tools have been around for years, so business leaders need to consider what, if anything, changes with autonomous endpoint management.&lt;/p&gt;
 &lt;p&gt;The &lt;a href="https://www.techtarget.com/searchitoperations/tip/Follow-these-8-steps-to-implement-automation-in-IT-workflows"&gt;automated systems&lt;/a&gt; that are so widely used today are&amp;nbsp;largely based&amp;nbsp;on human-defined logic. They rely on scripting, policies or workflows. These mechanisms enable the software to take a&amp;nbsp;rules-based&amp;nbsp;approach to automation. Events are treated as triggers for rules that invoke a pre-defined response to the event -- "if X happens, then do Y."&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;Next-generation autonomous tools use&amp;nbsp;AI or &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/How-to-choose-between-a-rules-based-vs-machine-learning-system"&gt;machine learning, with less reliance on a rigid set of rules&lt;/a&gt;. In theory, this means that an autonomous tool could enable adaptive decision-making. The software might require some basic ground&amp;nbsp;rules, but&amp;nbsp;it wouldn't require every single remediation action to be explicitly defined.&amp;nbsp;In any case, next-generation AEM tools&amp;nbsp;seek&amp;nbsp;to unify the various aspects associated with endpoint management into a closed-loop system. The goal is to significantly reduce the need for human intervention&amp;nbsp;in&amp;nbsp;the detection, decision-making and remediation cycle.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;Although automated and autonomous endpoint management software rely on different technology, both seek to solve similar problems, such as the difficulty of maintaining real-time awareness of endpoint health information, especially when multiple OSes and device types are in active use.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;In both cases, vendors sometimes position their products as tools for reducing the volume of repetitive support tickets as well. The idea is that by automatically addressing the simpler issues, these products free up&amp;nbsp;support staff to focus on more pressing matters.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;Additionally, both are designed to speed up the device onboarding process and ensure that software is deployed in a consistent manner. This&amp;nbsp;isn't&amp;nbsp;just about speed, although that is a&amp;nbsp;benefit. It's&amp;nbsp;also about removing the possibility of human errors that so often occur as a part of manual device provisioning.&amp;nbsp;&lt;/p&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Why is autonomous endpoint management getting popular now?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is autonomous endpoint management getting popular now?&lt;/h2&gt;
 &lt;p&gt;Since automated endpoint management software has been around for so long, it's reasonable to question why vendors are suddenly pushing autonomous tools.&lt;/p&gt;
 &lt;p&gt;Part of the&amp;nbsp;impetus for this trend is the &lt;a href="https://www.techtarget.com/searchcio/feature/the-top-cio-challenges-ai-hype-security-and-rapid-change"&gt;hype around AI&lt;/a&gt;. Vendors are trying to capitalize on the hype cycle that has been so heavily influencing IT ops. However, there might be more to it than that.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;Enterprise IT has expressed an interest in&amp;nbsp;self-healing&amp;nbsp;infrastructure. The basic concept of self-healing has been around for a while now. However, vendors&amp;nbsp;seem to be&amp;nbsp;working toward a future in which the entire IT infrastructure can holistically heal itself, so the &lt;a href="https://www.techtarget.com/searchnetworking/tip/AI-driven-self-healing-networks-bring-new-capabilities"&gt;self-healing capabilities&lt;/a&gt; aren't limited to certain areas. While it's true that autonomous endpoint management isn't an infrastructure-wide self-healing tool, it's certainly a step in that direction.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;Another reason why autonomous endpoint management is trending is that there's often a skills shortage for endpoint management tasks.&amp;nbsp;Endpoint device complexity continues to&amp;nbsp;increase,&amp;nbsp;and IT professionals are being asked to support a diverse collection of devices. It's unrealistic to expect IT pros to be experts on every device type, especially when those devices and their &lt;a href="https://www.techtarget.com/searchenterprisedesktop/feature/What-enterprise-software-updates-now-reveal-about-modern-IT"&gt;OSes evolve at such a rapid pace&lt;/a&gt;. An autonomous platform might be able to keep up with these changes and develop device&amp;nbsp;expertise&amp;nbsp;more quickly and easily than&amp;nbsp;humans.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;Finally, AEM is trending because vendors are trying to position themselves based on market forces -- beyond the AI hype cycle. A recent &lt;a href="https://research.esg-global.com/reportaction/515202068/Marketing"&gt;report&lt;/a&gt; from Omdia, a division of Informa TechTarget, found that organizations are increasingly investing in endpoint automation tools and AI-driven IT ops, although the maturity of these deployments varies widely from one organization to the next. In the July 2025 survey of 364 IT and cybersecurity professionals, 50% of respondents said they were currently using or piloting AEM. Another 46% said they had plans or interest in deploying AEM.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Are AEM tools mature enough for enterprise use?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Are AEM tools mature enough for enterprise use?&lt;/h2&gt;
 &lt;p&gt;Autonomous endpoint management tools vary greatly in their level of maturity, so it's important to carefully evaluate these products prior to making a purchasing decision.&amp;nbsp;There can be a wide gap in terms of their level of autonomy, with some tools being more capable than others.&lt;/p&gt;
 &lt;p&gt;Control and handling can also differ from one tool to another.&amp;nbsp;If an organization plans to hand its endpoint management tasks over to an autonomous tool, then &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Build-accountability-into-AI-to-drive-business-value"&gt;AI accountability&lt;/a&gt; should be built in. Specifically, the IT department needs to be able to see why the tool made a particular decision&amp;nbsp;in the event that&amp;nbsp;it does something unexpected.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;It's critical for vendors to provide their customers with a level of control over the AI. In other words, organizations should have the ability to define policies that drive and constrain the tool's behavior. It's also&amp;nbsp;worth considering whether a vendor includes any failure-handling capabilities. At a minimum, there should be a way for an organization's IT staff to roll back the changes if an autonomous tool does something undesirable. There should also be a mechanism that can alert the IT&amp;nbsp;staff&amp;nbsp;any time that &lt;a href="https://www.techtarget.com/searchcio/feature/AI-failure-examples-What-real-world-breakdowns-teach-CIOs"&gt;automated actions fail&lt;/a&gt; or the tool detects an unexpected condition.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;Because AEM is still relatively new, organizations should be aware of potential shortcomings, including the risk of over-automation or integration challenges. In addition, organizations must make sure these tools don't carry the potential to introduce new security gaps or compliance problems.&amp;nbsp;&lt;/p&gt;
 &lt;h3&gt;Key&amp;nbsp;decision-making&amp;nbsp;criteria&lt;/h3&gt;
 &lt;p&gt;Organizations should consider the following factors as they evaluate their options for AEM:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Transparency.&lt;/b&gt; Can the system provide a defensible explanation of its actions? Does it provide detailed audit logging?&amp;nbsp;&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Control.&lt;/b&gt; Can an administrator set boundaries, and is there a way to require a human approval process prior to performing&amp;nbsp;high-risk&amp;nbsp;actions?&amp;nbsp;&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security and compliance.&lt;/b&gt; Does the tool enable consistent policy enforcement? How easy will it be for the tool to adapt to changing security policies or regulatory requirements?&amp;nbsp;&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Deployment and integration.&lt;/b&gt; How easily does the product &lt;a href="https://www.techtarget.com/searchdatacenter/tip/Complexities-of-integrating-AI-into-legacy-data-centers"&gt;integrate with the organization's existing IT infrastructure&lt;/a&gt;? How easily does it integrate with other management or reporting tools that the organization might use?&amp;nbsp;&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;AEM should be viewed as an evolution of existing endpoint management tools, rather than a&amp;nbsp;brand-new&amp;nbsp;tool category. The big question for IT decision-makers is not whether automation exists. Instead, they need to ask how much control they can retain, and whether there's a way to quantify the risk reduction or operational efficiency gains provided by such a tool.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America. &lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Autonomous endpoint management tools promise AI-driven device oversight, but are they truly innovative, or just rebranded automation? Here's what IT leaders need to know.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ai_a352095729.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/answer/Is-it-time-to-adopt-autonomous-endpoint-management-software</link>
            <pubDate>Wed, 13 May 2026 15:54:00 GMT</pubDate>
            <title>Is it time to adopt autonomous endpoint management software?</title>
        </item>
        <item>
            <body>&lt;p&gt;Deploying Microsoft Intune for the first time demands a structured approach that aligns licensing, identity, security, applications and enrollment into a cohesive management strategy.&lt;/p&gt; 
&lt;p&gt;Many organizations already use Microsoft 365 or Azure services, which means they have the foundation in place. However, a successful Intune rollout still requires IT to complete several essential configuration steps in the right order.&lt;/p&gt; 
&lt;p&gt;To get started with Intune, organizations must carry out five important steps:&lt;/p&gt; 
&lt;ol class="default-list"&gt; 
 &lt;li&gt;Set up the Intune tenant.&lt;/li&gt; 
 &lt;li&gt;Add device configuration profiles to configure the different aspects of devices.&lt;/li&gt; 
 &lt;li&gt;Add device compliance policies to determine when access to corporate data and apps is allowed.&lt;/li&gt; 
 &lt;li&gt;Add apps to get users immediately productive.&lt;/li&gt; 
 &lt;li&gt;Configure device enrollment profiles to get the devices into the Intune tenant and managed.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;These steps don't represent every possible configuration -- such as Apple Business Manager integration, &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-troubleshoot-Intune-enrollment-with-Autopilot"&gt;Windows Autopilot setup&lt;/a&gt; or advanced Conditional Access design -- but they do establish the basic environment for IT to start managing devices with Intune. By following this sequence, organizations create a secure baseline, ensure users can access the tools they need and lay the groundwork for expanding into more advanced Intune capabilities as their deployment matures.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Step 1: Setting up the Microsoft Intune tenant"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Step 1: Setting up the Microsoft Intune tenant&lt;/h2&gt;
 &lt;p&gt;Before getting started with Intune, make sure the organization meets the &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/A-guide-to-Microsoft-Endpoint-Manager-licensing-and-cost"&gt;licensing requirements&lt;/a&gt;. Using Intune requires at least a Microsoft Intune Plan 1 license per user. Intune Plan 1 is available as a standalone license and is also included in Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 Business Premium, Enterprise Mobility + Security E3 and E5.&lt;/p&gt;
 &lt;p&gt;When the required licenses are available, sign up for or log in to Intune. The actual starting point depends on whether a work or school account is already available. If other Microsoft 365 or Azure services are already being used, which often is the case, a Microsoft Entra ID tenant already exists. The Entra ID tenant contains the users and groups that Intune uses for setup and management. Every user needs their own account and license. The initial setup of the Entra ID tenant creates a default domain: &lt;i&gt;onmicrosoft.com&lt;/i&gt;. Organizations can also add a custom domain name if they want users to sign in with their own company domain.&lt;/p&gt;
 &lt;p&gt;After setting up the Intune tenant, verify that the mobile device management (MDM) authority is set to Microsoft Intune. The &lt;a target="_blank" href="https://learn.microsoft.com/en-us/intune/fundamentals/setup-mdm-authority" rel="noopener"&gt;MDM authority&lt;/a&gt; determines which service manages devices in the organization -- Intune, Microsoft Configuration Manager in co-management with Intune, or Basic Mobility and Security for Microsoft 365. For a user to start enrolling devices, the MDM authority must be set to Intune.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Step 2: Configuring and securing devices"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Step 2: Configuring and securing devices&lt;/h2&gt;
 &lt;p&gt;The second step is to configure the most important security features and the best user experience. To do this within Intune, IT can use device configuration profiles. This should be a layered approach and can contain various levels of device configurations.&lt;/p&gt;
 &lt;p&gt;The key focus, however, should be device security. Make sure the basic security configurations -- antivirus, firewall, encryption, password and software updates -- are enabled and installed. Additionally, provide users with easy and secure access to corporate data and apps, including email, personal data and group data. Depending on the expertise of the IT staff, this can be further enhanced to include more features and configurations.&lt;/p&gt;
 &lt;p&gt;Intune contains configuration profiles for all supported platforms. For Windows, a strong starting point is the set of security baselines available in Intune. These baselines include the most important security features that should be enabled by default, along with additional recommended configurations.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Step 3: Protecting access to corporate data and apps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Step 3: Protecting access to corporate data and apps&lt;/h2&gt;
 &lt;p&gt;The third step is to protect access to corporate data and apps through device compliance policies and Conditional Access. IT can use Intune to configure the compliance policies that define the requirements devices need to meet, and &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Test-conditional-access-with-Microsoft-Entra-ID-What-If-tool"&gt;Entra ID to configure Conditional Access policies&lt;/a&gt; that enforce those requirements before granting access to corporate data and apps. This combination is an important enabler for zero trust within the environment.&lt;/p&gt;
 &lt;p&gt;Every application connected to Entra ID can be protected with Conditional Access, making strong compliance policies essential. These policies define core security requirements and are continuously evaluated to ensure devices remain compliant. Unlike configuration profiles, which simply apply settings, compliance policies generate a compliance status that Conditional Access can use to allow or block access.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Step 4: Adding apps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Step 4: Adding apps&lt;/h2&gt;
 &lt;p&gt;Next, IT must &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-troubleshoot-Intune-app-deployments"&gt;add applications to Intune&lt;/a&gt;. This is the step that enables end users to be productive. Adding applications from native app stores, such as Google Play on Android devices, is very simple. Adding Microsoft apps is even easier. Many of them are built into Intune, so IT can deploy them right away with almost no setup.&lt;/p&gt;
 &lt;p&gt;When looking at Windows devices specifically, it often becomes a bit more challenging, as the process often relies on installers created by different vendors. Microsoft introduced the Win32 app model to address this issue. The model enables IT administrators to wrap the different installers and deploy them through Intune. It also provides advanced options for detecting app installation, defining installation requirements and superseding older versions of the app. This makes it easy to replace one app with another, such as when switching PDF readers within the organization. Admins can also add configurations with applications. This helps get users to a productive state more quickly by preconfiguring items like email profiles.&lt;/p&gt;
 &lt;p&gt;Intune also provides the ability to protect corporate apps and data. Just like with device compliance policies, &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/Navigating-app-protection-policies-with-Intune-MAM"&gt;app protection policies&lt;/a&gt; can be used in combination with Conditional Access to secure enterprise data across devices.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Step 5: Enabling device enrollment"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Step 5: Enabling device enrollment&lt;/h2&gt;
 &lt;p&gt;The last step is enabling users to &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-add-and-enroll-devices-to-Microsoft-Intune"&gt;enroll devices into Intune&lt;/a&gt;. This ensures that the users' devices receive all the required apps and configurations. First, determine which devices users can enroll within the environment. This includes choosing which OSes are supported and whether personal or BYOD endpoints are allowed. Ultimately, an organization should only allow the enrollment of devices that can actually be managed with its existing Intune configuration policies. A more lenient approach could give unmanaged or unsupported devices access to corporate data and apps.&lt;/p&gt;
 &lt;p&gt;IT administrators can then make sure that there are enrollment profiles available for each supported platform. Once those enrollment profiles are in place, users can start enrolling their devices.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Organizations can deploy Microsoft Intune effectively by following five critical steps that establish security, compliance and device management from the ground up.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/folder-files13.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-set-up-a-new-Intune-deployment</link>
            <pubDate>Thu, 07 May 2026 14:04:00 GMT</pubDate>
            <title>How to set up a new Intune deployment</title>
        </item>
        <item>
            <body>&lt;p&gt;Today's IT teams rely on mobile device management (MDM) platforms to remotely manage mobile, desktop and laptop devices. These tools enable IT teams to configure, monitor and secure all devices across the enterprise, supporting tasks such as policy enforcement, app deployment and security configuration. Most MDM products provide a unified console for managing the entire device environment.&lt;/p&gt; 
&lt;p&gt;For organizations with a significant Apple device footprint, understanding how MDM platforms manage Apple devices -- and which products do so effectively -- is critical. Apple's OSes, including iOS, iPadOS, macOS and tvOS, include a built-in MDM framework that uses secure HTTPS communication with the Apple Push Notification service to exchange management commands and responses. Third-party platforms use this framework and Apple's native protocol to manage devices within Apple's security model.&lt;/p&gt; 
&lt;p&gt;When evaluating a third-party Apple MDM tool, organizations should consider several key capabilities. The following sections outline key features, supporting tools and common use cases.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Apple MDM features"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Apple MDM features&lt;/h2&gt;
 &lt;p&gt;Apple's built-in MDM framework enables centralized control, automated provisioning and consistent policy enforcement through the following features:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Automated Device Enrollment (ADE). &lt;/b&gt;Apple Business Manager or Apple School Manager (ABM/ASM) automatically enrolls new Apple devices into MDM when they are first powered on.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Supervision&lt;/b&gt; &lt;b&gt;support. &lt;/b&gt;This places iPhones, iPads and Macs in supervised mode, unlocking advanced management features, including app restrictions and configuration enforcement. Combined with ADE, it enables IT teams to remotely provision devices, getting users productive more quickly while simplifying security and application management.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Declarative Device Management. &lt;/b&gt;This feature reduces IT troubleshooting by automatically fixing compliance issues when devices drift from policy. This helps reduce IT team interaction and downtime and supports ongoing compliance.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;App Store and volume purchase program (VPP) app management. &lt;/b&gt;Organizations can use this feature to install and deploy App Store and &lt;a href="https://learn.microsoft.com/en-us/intune/app-management/deployment/manage-vpp-apple" target="_blank" rel="noopener"&gt;volume-licensed apps&lt;/a&gt; across devices, ensuring security and MDM control across the organization.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Custom app deployment.&lt;/b&gt; This enables organizations to distribute privately developed apps directly to managed devices without publishing them to the public App Store. Using Apple Business Manager, IT teams can assign apps to users or devices and push installations and updates remotely, maintaining centralized control and compliance.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;macOS scripting and policy management. &lt;/b&gt;This enables admins to centrally enforce policies and configuration rules, ensuring consistency across macOS clients while lowering support costs.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;FileVault encryption management. &lt;/b&gt;This protects company assets and data in case of loss or theft. Many industries require encryption management for regulatory compliance.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;OS update and patch management. &lt;/b&gt;This keeps devices secure from cyber threats and ensures compatibility with corporate-deployed apps, supporting consistency across the organization.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Conditional access integration. &lt;/b&gt;In environments with identity providers, this feature tightly couples security requirements with those providers, enabling more consistent and secure access control.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remote commands. &lt;/b&gt;IT teams use commands such as restart, lock, wipe and clear passcode to remotely purge data from a lost or compromised device and to access it for troubleshooting.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Compliance reporting. &lt;/b&gt;This helps ensure organizations are prepared for audits and regulatory compliance.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;API and automation support. &lt;/b&gt;MDM platforms expose APIs to integrate with identity providers (e.g., Microsoft Entra ID, Okta) and management tools, enabling automated device enrollment, profile and app assignment and compliance checks. This is critical for large, complex enterprise organizations that require identity interfaces with multiple systems.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="User experience, access and productivity features"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;User experience, access and productivity features&lt;/h2&gt;
 &lt;p&gt;The following features enhance user experience and productivity by streamlining access, reducing manual setup and minimizing support overhead:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Single sign-on. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on"&gt;SSO&lt;/a&gt; lets users and admins log in to multiple systems, including the MDM console, with a single set of credentials.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;User self-service portals. &lt;/b&gt;A web- or app-based portal gives users more autonomy by enabling them to install approved apps and perform other admin tasks without submitting a support request.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Kiosk and single app mode. &lt;/b&gt;This locks mobile devices to a single app or set of apps, dedicating them to specific use cases such as point-of-sale terminals, information displays and workstations. This improves security and efficiency.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The following table shows how selected MDM platforms align with these capabilities and enterprise requirements. The analysis includes a representative set of products based on market presence, analyst recognition and their role within broader enterprise platforms. It is not exhaustive, and the products are listed in alphabetical order.&lt;/p&gt;
 &lt;table class="main-article-table" style="width: 722px;"&gt; 
  &lt;thead&gt; 
   &lt;tr style="height: 55px;"&gt; 
    &lt;td style="width: 93.7656px; height: 55px;"&gt;&lt;b&gt;MDM platform&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px; height: 55px;"&gt;&lt;b&gt;Jamf Pro&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 91.5px; height: 55px;"&gt;&lt;b&gt;Kandji&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;&lt;b&gt;ManageEngine MDM Plus&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;&lt;b&gt;Microsoft Intune&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;&lt;b&gt;Mosyle&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;&lt;b&gt;VMware Workspace One&lt;/b&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/thead&gt; 
  &lt;tbody&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 93.7656px; height: 18px;"&gt;&lt;b&gt;Best fit&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px; height: 18px;"&gt;Apple-only environments&lt;/td&gt; 
    &lt;td style="width: 91.5px; height: 18px;"&gt;Apple-only environments&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;SMBs&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Microsoft-centric environments&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Apple-only environments&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Existing VMware customers&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 93.7656px; height: 18px;"&gt;&lt;b&gt;Automated Device Enrollment (ABM/ASM)&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 93.7656px; height: 18px;"&gt;&lt;b&gt;Supervision support&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 93.7656px; height: 18px;"&gt;&lt;b&gt;Declarative Device Management&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Partial&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 93.7656px; height: 18px;"&gt;&lt;b&gt;App store/VPP app management&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 93.7656px; height: 18px;"&gt;&lt;b&gt;Custom app management &lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px; height: 18px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;macOS scripting and policy management&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Partial&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;FileVault encryption management&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;OS update and patch management&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;Conditional access integration&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Partial&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Partial&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;Remote commands&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;Compliance reporting&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;API and automation support&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;SSO&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;User self-service portal&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 93.7656px;"&gt;&lt;b&gt;Kiosk and single app mode&lt;/b&gt;&lt;/td&gt; 
    &lt;td style="width: 87.0938px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 91.5px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 103.125px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 105.547px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 101.406px;"&gt;Yes&lt;/td&gt; 
    &lt;td style="width: 117.562px;"&gt;Yes&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/tbody&gt; 
 &lt;/table&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Apple MDM products and use cases"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Apple MDM products and use cases&lt;/h2&gt;
 &lt;p&gt;After identifying key features and how they align with enterprise requirements, the next step is to evaluate each product's strengths. Technology leaders should assess not only how well each product's capabilities support business needs, but also how closely they align with broader strategic goals. In many cases, more than one MDM might meet an organization's requirements. Evaluating tools through free trials or in a test environment can help narrow the field.&lt;/p&gt;
 &lt;h3&gt;Jamf Pro&lt;/h3&gt;
 &lt;p&gt;This MDM platform is widely used by mid-market organizations and large enterprise organizations that manage 250 or more devices or are subject to global regulations. Jamf Pro is well-suited for Apple-focused environments, supporting seamless integration with Apple frameworks such as FileVault, scripting and policy-based management. IT teams can automate software deployment, integrate with identity providers for SSO access and provide users self-service access to approved apps through the Jamf Self Service app.&lt;/p&gt;
 &lt;p&gt;Apple's native User Enrollment model enables Jamf Pro to securely partition corporate and personal data on iOS and iPadOS devices, supporting BYOD use cases.&lt;/p&gt;
 &lt;p&gt;Pricing highlights include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Device-based pricing, typically with a minimum of 25 devices.&lt;/li&gt; 
  &lt;li&gt;Multiple product offerings aligned to different use cases and organization sizes, including Jamf Pro, Jamf for Mac, Jamf Mobile and Jamf for Small Business.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Kandji&lt;/h3&gt;
 &lt;p&gt;Focused on SMBs -- typically, 1-250 seats -- Kandji is an Apple-only MDM that is aligned with smaller Apple environments. Its simplicity and fast onboarding make it a strong fit for teams with limited IT resources. Kandji features a library of more than 150 prebuilt controls and templates, as well as self-healing policies for OS updates and app patching. Although it delivers a high-quality, streamlined experience, its pricing might be a consideration for some SMBs.&lt;/p&gt;
 &lt;p&gt;Kandji pricing is not publicly disclosed, but it follows a per-device, per-month model. Costs vary by device type -- for example, macOS typically costs more than iOS -- and might increase with add-on features.&lt;/p&gt;
 &lt;h3&gt;ManageEngine MDM Plus&lt;/h3&gt;
 &lt;p&gt;This MDM is appropriate for SMBs, offering pricing advantages, straightforward onboarding and a comprehensive feature set that competes with higher-level MDMs. It supports both on-premises and cloud deployments, along with iOS, Android, Windows, macOS and ChromeOS, making it a strong fit for BYOD environments.&lt;/p&gt;
 &lt;p&gt;An established unified endpoint management (UEM) platform, ManageEngine enables &lt;a href="https://www.techtarget.com/searchenterprisedesktop/feature/Understand-how-UEM-EMM-and-MDM-differ-from-one-another"&gt;unified management&lt;/a&gt; of mobile and desktop devices from a single console and delivers many enterprise capabilities at a lower cost than comparable platforms.&lt;/p&gt;
 &lt;p&gt;Pricing highlights include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Free edition: Up to 25 devices with a full feature set.&lt;/li&gt; 
  &lt;li&gt;Paid tiers: Available for on-premises and cloud deployments, with device-based scaling of 50-10,000 devices.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Microsoft Intune&lt;/h3&gt;
 &lt;p&gt;Best suited for mid-market and large enterprise organizations -- particularly those in regulated environments -- Intune supports hybrid device environments that include both Apple and Microsoft products. It is a strong fit for organizations with significant Microsoft investments, especially those using Microsoft cloud services such as Entra ID and similar integrations. In BYOD environments, Intune supports mobile application management (MAM) for iOS and Android, enabling organizations to manage apps and corporate data without requiring full device control.&lt;/p&gt;
 &lt;p&gt;Pricing highlights include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Plan 1: Per user, per month licensing.&lt;/li&gt; 
  &lt;li&gt;Plan 2: Additional features available as an add-on to Plan 1.&lt;/li&gt; 
  &lt;li&gt;Device-only licensing is available for kiosk scenarios, where devices are configured for specific, task-based use cases.&lt;/li&gt; 
  &lt;li&gt;Can be bundled with existing Microsoft 365 and other enterprise suites.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Mosyle&lt;/h3&gt;
 &lt;p&gt;This Apple-focused MDM product is widely adopted in education, offering free K-12 tiers, streamlined deployment and classroom management. It is also attractive to Apple-only businesses that do not require multi-OS support. Features such as &lt;a href="https://www.techtarget.com/searchitoperations/definition/zero-touch-provisioning-ZTP"&gt;zero-touch deployment&lt;/a&gt; make Mosyle popular with organizations with straightforward environments, while still providing competitively priced enterprise-level features.&lt;/p&gt;
 &lt;p&gt;Pricing highlights include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Free tier: Up to 30 Apple devices with full MDM features.&lt;/li&gt; 
  &lt;li&gt;Business Premium: Per-device, per-month pricing for more than 30 licenses.&lt;/li&gt; 
  &lt;li&gt;Mosyle Fuse: Premium per-device, per-month subscription that bundles advanced features, including security, identity and automation; available for macOS, iOS, iPadOS and visionOS.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;VMware Workspace One MDM&lt;/h3&gt;
 &lt;p&gt;Designed for enterprise organizations managing more than 2,500 devices, this cross-platform MDM supports Windows, macOS, iOS, Android and ChromeOS. It integrates with the Workspace One environment for SSO and includes Intelligent Hub, which provides a self-service portal with an app catalog, console access and support features.&lt;/p&gt;
 &lt;p&gt;The platform supports single-app and kiosk modes for iOS and Android devices, making it suitable for secure, task-specific deployments. Built for complex, heterogeneous environments, Workspace One is highly scalable and offers advanced capabilities, including BYOD management &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/How-to-evaluate-mobile-application-management-software"&gt;through MAM&lt;/a&gt;. It is attractive to organizations with existing Workspace One deployments.&lt;/p&gt;
 &lt;p&gt;Pricing highlights include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Subscription-based, typically licensed per user or per device.&lt;/li&gt; 
  &lt;li&gt;Tiered offerings range from Mobile, Desktop and UEM Essentials to the more advanced Enterprise Edition.&lt;/li&gt; 
  &lt;li&gt;Pricing is quote-based. Contact a reseller for exact pricing.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;                            
&lt;section class="section main-article-chapter" data-menu-title="Selecting an Apple MDM platform"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Selecting an Apple MDM platform&lt;/h2&gt;
 &lt;p&gt;Choosing an Apple MDM platform is less about feature comparison and more about how well the platform supports the organization's operating model, security posture and long-term strategy.&lt;/p&gt;
 &lt;p&gt;Organizations should first define their operating environment and constraints, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Whether the environment is Apple-only or multi-OS.&lt;/li&gt; 
  &lt;li&gt;Organizational scale -- SMB, mid-market, enterprise or educational institution.&lt;/li&gt; 
  &lt;li&gt;Key functional requirements, including onboarding, deployment and security.&lt;/li&gt; 
  &lt;li&gt;Desired level of complexity, including support for multiple OSes and BYOD.&lt;/li&gt; 
  &lt;li&gt;Budget considerations and how pricing tiers affect deployment.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Once this is established, IT leaders can evaluate MDM tools based on the following core criteria:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Apple feature support&lt;/b&gt;. Identify and prioritize tools that fully support critical Apple capabilities. The platform should also document how each feature is applied and enabled.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Alignment with the operating model.&lt;/b&gt; Apple-focused tools can build on native OS integrations, while multi-OS platforms offer broader coverage but might limit some Apple-specific functionality. Evaluate how each approach supports device provisioning, policy enforcement and day-to-day management.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security and compliance.&lt;/b&gt; Ensure support for SSO, multifactor authentication and conditional access, along with compliance reporting and enforcement of security baselines such as FileVault, Gatekeeper and password policies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cost and licensing.&lt;/b&gt; Evaluate pricing models, including per-device versus per-user licensing, as well as feature tiers and support levels. Lower-cost options might lack critical capabilities or require add-ons to meet organizational requirements.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Deployment model compatibility.&lt;/b&gt; Confirm support for cloud or on-premises deployment and management, particularly for organizations managing local and remote users or requiring strict data control.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Vendor maturity.&lt;/b&gt; Established vendors with strong Apple ecosystems or analyst recognition are more likely to provide long-term support, integration stability and ongoing updates.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;In complex environments, a single MDM platform might not be sufficient. Organizations might pair an Apple-specific MDM in dedicated environments with a broader platform for cross-OS management. While this approach can improve alignment with specific use cases, it could also introduce additional management, integration and governance complexity.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Gary Olsen has worked in the IT industry since 1983 and holds a Master of Science in computer-aided manufacturing from Brigham Young University. He was on Microsoft's Windows 2000 beta support team for Active Directory from 1998 to 2000 and has written two books on Active Directory and numerous technical articles for magazines and websites.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Examine Apple MDM capabilities, key features and use cases and how platforms support enterprise device management, security, scalability and governance.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/maze_g676210320.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/Choosing-an-MDM-for-Apple-management-in-the-enterprise</link>
            <pubDate>Mon, 04 May 2026 12:37:00 GMT</pubDate>
            <title>Choosing an MDM for Apple management in the enterprise</title>
        </item>
        <item>
            <body>&lt;p&gt;Deploying a fleet of laptops to users can be a major undertaking for organizations. Distributed locations and remote users further complicate matters. Failing to plan and manage laptop deployments invites delays, security gaps, &lt;a href="https://www.techtarget.com/searchenterprisedesktop/feature/How-end-user-computing-is-becoming-a-cost-control-system"&gt;licensing violations or waste&lt;/a&gt;, and user disruption.&lt;/p&gt; 
&lt;p&gt;However, efficient deployments offer a strategic advantage by keeping employees productive and maintaining standards. To provide usable tools with as little disruption as possible, IT must prioritize automation, standardization and compliance.&lt;/p&gt; 
&lt;p&gt;Use the following deployment stages to establish a solid management plan for an enterprise laptop rollout:&lt;/p&gt; 
&lt;ol type="1" start="1" class="default-list"&gt; 
 &lt;li&gt;Planning.&lt;/li&gt; 
 &lt;li&gt;Initial assessment.&lt;/li&gt; 
 &lt;li&gt;Deploying and provisioning.&lt;/li&gt; 
 &lt;li&gt;Licensing.&lt;/li&gt; 
 &lt;li&gt;Policy automation.&lt;/li&gt; 
 &lt;li&gt;Operations.&lt;/li&gt; 
 &lt;li&gt;Measuring success.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;These concepts also apply to other deployment projects, so establishing a carefully thought-out workflow can benefit additional similar activities.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="1. Deployment planning"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;1. Deployment planning&lt;/h2&gt;
 &lt;p&gt;As with any significant project, an enterprise-wide laptop deployment begins with aligning the rollout with business needs. These needs include speed, scalability, compliance, cost efficiency and support, ensuring employees can use the laptop fleet to complete work projects after the deployment.&lt;/p&gt;
 &lt;p&gt;Start by breaking the rollout into clear planning and operations phases, which should include the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Infrastructure readiness.&lt;/li&gt; 
  &lt;li&gt;Device selection, preparation and OS strategy.&lt;/li&gt; 
  &lt;li&gt;App selection and provisioning.&lt;/li&gt; 
  &lt;li&gt;Policy and security configuration.&lt;/li&gt; 
  &lt;li&gt;Ongoing support and optimization.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Be sure to work with key stakeholders during the planning phases. Stakeholders often &lt;a href="https://www.techtarget.com/searchcio/tip/How-compliance-provides-stakeholders-evidence-of-success"&gt;include compliance&lt;/a&gt;, security, procurement, finance and end-user teams, in addition to the expected IT ops staff.&lt;/p&gt;
 &lt;p&gt;The following user populations might require additional attention:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Developers.&lt;/b&gt; Might require specific hardware or additional compute power for compiling software, running test VMs or containers, or other intensive tasks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remote workers.&lt;/b&gt; Might require additional attention for remote deployment and support, as well as specific &lt;a href="https://www.techtarget.com/searchnetworking/tip/8-remote-work-security-risks-and-tips-to-mitigate-them"&gt;network security needs&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Specialized users.&lt;/b&gt; Might have particularly intensive workloads or operate in environments with specialized hardware.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Potential timelines vary by environment, depending on existing infrastructure and governing body requirements.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="2. Initial assessment"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;2. Initial assessment&lt;/h2&gt;
 &lt;p&gt;IT teams should assess a few key aspects of the deployment early on. Considerations include hardware, licensing, network capabilities and predicted timelines.&lt;/p&gt;
 &lt;h3&gt;Hardware planning considerations&lt;/h3&gt;
 &lt;p&gt;Matching hardware specifications to job requirements can be challenging. Begin by identifying standard roles in the organization. Then, evaluate specific apps, unique peripherals and other user needs. It's equally important to emphasize standardization to streamline support and simplify configuration management.&lt;/p&gt;
 &lt;p&gt;Take the following planning considerations into account as well:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Vendor and supply chain coordination, including any necessary security audits.&lt;/li&gt; 
  &lt;li&gt;Lifecycle expectations, including vendor support plans and &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-securely-recycle-enterprise-computers"&gt;recycling or repurposing options&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The evaluation process should also identify exactly which employees require laptops. Not all employees bring work outside the traditional workspace, and it's easier to secure information if it doesn't leave the premises. Laptops are also typically more expensive than the equivalent desktop systems. Determine which users really need to be part of the new laptop rollout.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/laptop_vs_desktop-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/laptop_vs_desktop-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/laptop_vs_desktop-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/laptop_vs_desktop-f.png 1280w" alt="A chart comparing laptop versus desktop. Laptop: smaller, lighter; mobile; less processing power; less memory and storage; rechargeable battery; attached display; lower power consumption. Desktop: larger, heavier; stationary; more processing power; more memory and storage; plugs into power source; usually has a separate display; higher power consumption." data-credit="Informa TechTarget" height="224" width="560"&gt;
 &lt;/figure&gt;
 &lt;h3&gt;Licensing considerations&lt;/h3&gt;
 &lt;p&gt;Licensing is a significant part of any deployment. Begin with a software inventory that identifies the frequency of use and eliminates legacy and abandoned apps or those with non-standard licensing options. Be cautious about unauthorized or unknown apps installed in &lt;a href="https://www.techtarget.com/searchcio/tip/potential-costs-of-shadow-IT"&gt;shadow IT situations&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Creating a standard applications catalog is essential. Categories include the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Productivity suites.&lt;/li&gt; 
  &lt;li&gt;Collaboration tools.&lt;/li&gt; 
  &lt;li&gt;Customer relationship management.&lt;/li&gt; 
  &lt;li&gt;Project management.&lt;/li&gt; 
  &lt;li&gt;Enterprise content management.&lt;/li&gt; 
  &lt;li&gt;Web browsers.&lt;/li&gt; 
  &lt;li&gt;Security software and agents.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Evaluate the use of subscription-based versus perpetual licensing models. This is also a great time to determine whether &lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/Understanding-SaaS-migration-benefits-and-best-practices"&gt;converting to SaaS tools&lt;/a&gt; would be beneficial.&lt;/p&gt;
 &lt;h3&gt;Network distribution readiness&lt;/h3&gt;
 &lt;p&gt;Many of today's deployment options are automated and occur over the network, so ensuring the network can handle the additional workload is critical. Many organizations use an isolated operations &lt;a href="https://www.techtarget.com/searchnetworking/tip/How-to-implement-network-segmentation-for-better-security"&gt;network segment&lt;/a&gt; for initial installations. This helps avoid potential security issues that might contaminate systems before security software is in place and configured.&lt;/p&gt;
 &lt;p&gt;For the actual distribution of systems after installation and configuration, establish remote delivery and direct-to-employee shipping.&lt;/p&gt;
 &lt;h3&gt;Planning timelines&lt;/h3&gt;
 &lt;p&gt;Hardware, licensing and network assessment times vary by environment. The process goes much more quickly for organizations that already have a comprehensive inventory and configuration management platform. The same is true if IT already measures network usage to identify peak traffic times and performance bottlenecks. Having a firm grasp of license management also helps prevent delays.&lt;/p&gt;
 &lt;p&gt;Deployment delays might occur if an organization needs to create these tracking mechanisms before starting the laptop deployment process. However, they're crucial to many deployment situations.&lt;/p&gt;
&lt;/section&gt;                   
&lt;section class="section main-article-chapter" data-menu-title="3. OS deployment and app provisioning"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;3. OS deployment and app provisioning&lt;/h2&gt;
 &lt;p&gt;Traditional imaging approaches might work well for some organizations, especially for smaller deployments with more specialized configurations. Other organizations might prefer cloud-based tools, or even OS and app installations completed by the laptop hardware vendors and tailored to the organization's specifications and requirements.&lt;/p&gt;
 &lt;p&gt;Regardless, standardized configurations -- often called &lt;a href="https://www.techtarget.com/searchitoperations/definition/golden-image"&gt;golden images&lt;/a&gt; -- are essential. They give support teams, trainers and users a consistent configuration to interact with. They also simplify security configuration and auditing, which are necessary to guarantee compliance.&lt;/p&gt;
 &lt;h3&gt;App provisioning strategies&lt;/h3&gt;
 &lt;p&gt;A major hardware rollout is a good opportunity to evaluate an organization's provisioning strategies. IT teams should verify that their app catalog is complete and current. This catalog defines exactly which applications users have access to.&lt;/p&gt;
 &lt;p&gt;Next, determine how users access these programs. Options include self-service portals for on-demand installations or preinstalled apps that arrive with the new laptop. Many organizations offer a combination by providing standard applications to all users and offering on-demand installations for more specialized or department-specific programs.&lt;/p&gt;
 &lt;h3&gt;Automated OS and app deployment workflows&lt;/h3&gt;
 &lt;p&gt;IT should construct automated, zero-touch workflows to install OSes, apps and custom configurations to the new laptop fleet. This integrates the deployment into the organization's &lt;a href="https://www.techtarget.com/searchitoperations/tip/Steps-to-develop-your-IT-automation-strategy"&gt;other automation initiatives&lt;/a&gt;. It also offers the same benefits as automating service deployments, including efficiency, consistency and scalability.&lt;/p&gt;
 &lt;p&gt;Zero-touch provisioning offers the following benefits for end users:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Less downtime and faster time to productivity.&lt;/li&gt; 
  &lt;li&gt;Smoother onboarding for new team members.&lt;/li&gt; 
  &lt;li&gt;Reduced setup frustration and errors.&lt;/li&gt; 
  &lt;li&gt;Consistent experience across locations.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;IT support staff members likewise experience lower support ticket volumes, improved compliance and easier lifecycle management.&lt;/p&gt;
 &lt;p&gt;Be sure to carefully sequence OS installations, app deployment, security tools and updates.&lt;/p&gt;
&lt;/section&gt;             
&lt;section class="section main-article-chapter" data-menu-title="4. License management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4. License management&lt;/h2&gt;
 &lt;p&gt;License management remains a critical component of IT operations and governance. Modern licensing relies on automated processes that link license assignment to device enrollment and user identity within unified endpoint management (UEM) and &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/Top-7-mobile-device-management-tools-to-consider"&gt;MDM systems&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Effective license management offers the following advantages:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Fewer manual steps, resulting in time savings and reduced risk of misconfigurations or errors.&lt;/li&gt; 
  &lt;li&gt;Enhanced tool availability for users.&lt;/li&gt; 
  &lt;li&gt;Reduced overspending on unnecessary licensing for users who don't need specific apps.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;License management provides centralized tracking and visibility, enabling greater control over deployed applications. It lets organizations reclaim unused licenses, which is crucial to avoid overpaying on subscription-based licensing when employees change roles or leave the company. It's also important for proving licensing compliance.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="5. Policy automation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5. Policy automation&lt;/h2&gt;
 &lt;p&gt;Policy automation is essential to securing a new fleet of laptops, ensuring each device receives a consistent, compliant configuration. Deployment teams reduce risk and avoid manual configurations by generating a workflow that &lt;a href="https://www.techtarget.com/searchitoperations/definition/security-automation"&gt;includes security baselines&lt;/a&gt;. The goal -- and challenge -- is to balance security controls with UX and productivity. Overly restrictive policies might hinder employee productivity, especially for traveling or remote users who might need to adjust firewall or other configurations on the fly.&lt;/p&gt;
 &lt;p&gt;Deployment teams can enforce various types of policies during the deployment workflow. Policies should include the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Security baselines.&lt;/b&gt; Storage encryption, endpoint protection, access controls and service controls.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Configuration settings.&lt;/b&gt; Desktop icons, service availability, system settings and more.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;User access controls and identity integration.&lt;/b&gt; Account management for Active Directory (AD), Azure AD and similar directory services.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Automated configurations ensure consistent security from day one. This consistency also benefits users, who have similar and familiar experiences on their systems. It also streamlines new employee onboarding and simplifies the jobs of training teams and support personnel. Additionally, policy automation enhances regulatory compliance by continuously enforcing settings and enabling auditing.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="6. Operational planning"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;6. Operational planning&lt;/h2&gt;
 &lt;p&gt;IT should plan to identify and mitigate potential obstacles early by following established best practices. Don't neglect patching and updating as part of the overall system lifecycle.&lt;/p&gt;
 &lt;p&gt;Various technical, resource and app challenges exist. Whether these will affect the deployment depends on the organization's unique environment. However, common challenges include the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Network bottlenecks.&lt;/li&gt; 
  &lt;li&gt;App conflicts or failed package installations.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-troubleshoot-Intune-enrollment-with-Autopilot"&gt;Enrollment and provisioning errors&lt;/a&gt; in UEM or MDM platforms.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;IT can mitigate many of these potential challenges using the following best practices:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Establish a pilot deployment program.&lt;/li&gt; 
  &lt;li&gt;Emphasize automation for all steps.&lt;/li&gt; 
  &lt;li&gt;Enforce standardization to simplify configuration, support and training.&lt;/li&gt; 
  &lt;li&gt;Provide cross-team coordination for the best user experience.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Plan for post-deployment support, particularly for remote users. Many organizations rely on remote control software that lets help desk team members connect to and reconfigure systems directly.&lt;/p&gt;
 &lt;h3&gt;Ongoing updates and lifecycle management&lt;/h3&gt;
 &lt;p&gt;During a major platform deployment, IT should reexamine the organization's OS and app &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-use-Windows-Update-for-Business-with-Group-Policy"&gt;patching and updating infrastructure&lt;/a&gt;. Automated updates are the norm, and it's essential to confirm that new systems receive the necessary configuration to install all required updates.&lt;/p&gt;
 &lt;p&gt;Updated configurations include the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Operating systems.&lt;/li&gt; 
  &lt;li&gt;Standard and specialized applications.&lt;/li&gt; 
  &lt;li&gt;Security software, including agents, antimalware and firewalls.&lt;/li&gt; 
  &lt;li&gt;SaaS availability.&lt;/li&gt; 
  &lt;li&gt;Remote connectivity or VPN software.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;It's never too early to examine the lifecycle of laptop systems. IT must allocate resources in the future to procure new laptops and repurpose or recycle existing systems.&lt;/p&gt;
 &lt;p&gt;The standard laptop lifecycle consists of three stages:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;Select, procure and deploy laptops.&lt;/li&gt; 
  &lt;li&gt;Update and maintain laptops.&lt;/li&gt; 
  &lt;li&gt;Repurpose or recycle laptops.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;Enterprise-grade laptops typically include durability features that extend their lifespan beyond what one can expect with less expensive consumer systems.&lt;/p&gt;
 &lt;p&gt;Organizations often plan for three-to-four-year lifecycles for laptops, though many users find the devices remain viable for another year or two beyond that.&lt;/p&gt;
 &lt;p&gt;The following factors can &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-push-the-PC-lifecycle-to-its-limits"&gt;extend device life&lt;/a&gt;:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;16-32 GB of RAM for future-proofing memory requirements.&lt;/li&gt; 
  &lt;li&gt;Proactive battery replacement after three years.&lt;/li&gt; 
  &lt;li&gt;Periodic clean installations of OSes and apps.&lt;/li&gt; 
  &lt;li&gt;Well-designed heat management systems.&lt;/li&gt; 
  &lt;li&gt;Responsible user care.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The following factors can decrease device lifespans:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Poor heat management.&lt;/li&gt; 
  &lt;li&gt;Wear and tear from use over time and travel.&lt;/li&gt; 
  &lt;li&gt;Nonreplaceable components, especially memory and batteries.&lt;/li&gt; 
  &lt;li&gt;OS and app installations that are incompatible with older hardware.&lt;/li&gt; 
  &lt;li&gt;Selection of consumer-grade laptops instead of more durable enterprise-class systems.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;IT administrators should evaluate these conditions in their organizations and either &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/How-organizations-should-handle-mobile-device-lifecycles"&gt;adjust lifecycle expectations&lt;/a&gt; or correct practices that decrease system lifespans.&lt;/p&gt;
&lt;/section&gt;                     
&lt;section class="section main-article-chapter" data-menu-title="7. Measuring success and continuous improvement"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;7. Measuring success and continuous improvement&lt;/h2&gt;
 &lt;p&gt;As with any significant project, it's important to measure success and establish continuous improvement practices. Key metrics for measuring deployment success include the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Deployment time per device.&lt;/li&gt; 
  &lt;li&gt;User readiness and satisfaction.&lt;/li&gt; 
  &lt;li&gt;Support ticket volume.&lt;/li&gt; 
  &lt;li&gt;Security and compliance postures.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Use these metrics to identify opportunities for other similar hardware deployments, such as desktop systems or servers.&lt;/p&gt;
 &lt;p&gt;Planning and verifying the support structure's readiness improves an organization's chances of avoiding productivity disruptions during a deployment. Major deployments and hardware lifecycle management are ongoing strategic capabilities rather than one-time projects. This means automation is one of the most effective investments an organization can make. IT teams should take the opportunity to streamline all their deployment processes.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial, The New Stack and CompTIA Blogs.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Efficient laptop deployments require careful strategizing across seven key stages. Learn how to ensure security and productivity -- from initial planning to ongoing management.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/check_g1199243271.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-plan-a-full-laptop-deployment-with-app-provisioning</link>
            <pubDate>Fri, 01 May 2026 15:13:00 GMT</pubDate>
            <title>How to plan a full laptop deployment with app provisioning</title>
        </item>
        <item>
            <body>&lt;p&gt;For IT leaders, it's important to understand not just what Intune Suite does, but whether its expanded capabilities and licensing model fit their organization's roadmap.&lt;/p&gt; 
&lt;p&gt;With Microsoft planning licensing shifts in 2026 and continuing to integrate Intune more deeply into Microsoft 365 and its security stack, understanding how Plan 1, Plan 2 and the Suite align with an organization's device strategy, budget and operational model is essential.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is the Microsoft Intune Suite?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the Microsoft Intune Suite?&lt;/h2&gt;
 &lt;p&gt;Intune Suite is a collection of advanced endpoint management and security services that Microsoft offers as an add-on to its core Intune platform. Intune Suite bundles these services into a unified, centrally managed platform that builds on and expands the basic platform.&lt;/p&gt;
 &lt;p&gt;Microsoft promotes Intune as a unified endpoint management (&lt;a href="https://www.techtarget.com/searchenterprisedesktop/definition/unified-endpoint-management-UEM"&gt;UEM&lt;/a&gt;) platform for managing, assessing and protecting devices and their apps. IT teams carry out their administrative tasks through a centralized management console called the Microsoft Intune admin center.&lt;/p&gt;
 &lt;p&gt;Organizations can use the admin center to manage and monitor a range of endpoint devices, including laptops, desktops, servers, smartphones, tablets and virtual machines. To this end, Intune supports Windows, macOS, Linux, iOS, iPadOS and Android devices.&lt;/p&gt;
 &lt;p&gt;The basic Intune service includes the following core capabilities:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Cross-platform endpoint management for on-premises, cloud, mobile, desktop and virtual endpoint systems.&lt;/li&gt; 
  &lt;li&gt;Mobile application management (MAM) &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/How-to-use-Intune-app-protection-without-MDM-enrollment"&gt;without requiring device enrollment&lt;/a&gt; or interfering with user productivity.&lt;/li&gt; 
  &lt;li&gt;Endpoint analytics that provide device and app health scores and data-driven recommendations for improving productivity and UX.&lt;/li&gt; 
  &lt;li&gt;Support for specialty and shared devices through features such as maintenance windows, shared device mode and specialty device management.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/mobile_computing-components_of_emm.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/mobile_computing-components_of_emm_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/mobile_computing-components_of_emm_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/mobile_computing-components_of_emm.jpg 1280w" alt="A graphic showing the different aspects and functions of unified endpoint management." data-credit="Informa TechTarget" height="560" width="560"&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;Intune Suite expands on these core capabilities by adding a set of advanced endpoint management and security tools. The suite also offers better support for remote workers and for users accessing on-premises resources. To provide these capabilities, Intune Suite currently includes the following services:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Advanced Analytics.&lt;/b&gt; Provides IT administrators with data-driven insights and metrics about their endpoint devices, helping them to better understand and improve the user experience.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cloud PKI.&lt;/b&gt; Provides a cloud‑based public key infrastructure service that automates certificate issuance, renewal and revocation for managed devices.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Endpoint Privilege Management.&lt;/b&gt; Lets IT administrators provide Windows standard users with controlled, temporary security elevation so they can carry out tasks that require higher permissions. At the same time, it enables administrators to apply least-privilege access to the broader user base.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Enterprise Application Management.&lt;/b&gt; Provides a catalog of prepackaged, Microsoft‑curated applications and automated tools for deploying, updating and managing Win32 apps across the organization.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Firmware-over-the-air (FOTA) updates.&lt;/b&gt; Enables organizations to deploy, manage and automate firmware updates for &lt;a target="_blank" href="https://learn.microsoft.com/en-us/intune/device-updates/android/manage-fota" rel="noopener"&gt;supported devices&lt;/a&gt; directly through Intune.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remote Help.&lt;/b&gt; Enables help desk personnel to establish secure connections with their users to provide remote assistance and &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Troubleshooting-the-most-common-issues-with-Windows-11"&gt;troubleshoot managed devices&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Specialty device management.&lt;/b&gt; Offers IT teams a set of device management and protection features for specialized devices such as conference room meeting equipment, virtual reality headsets or large smart-screen devices.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Tunnel for Mobile Application Management.&lt;/b&gt; Provides organizations with a micro-VPN that lets users access corporate resources from their personal iOS, iPadOS or Android devices, without requiring device enrollment.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="How does Intune licensing work for Microsoft's endpoint management?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does Intune licensing work for Microsoft's endpoint management?&lt;/h2&gt;
 &lt;p&gt;To understand how licensing works for Intune Suite, it's important to first understand how Intune licensing works in general. The licensing structure currently consists of three plans:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Intune Plan 1.&lt;/b&gt; Includes the platform's core capabilities, such as cross-platform endpoint management, mobile application management and built-in endpoint security. Advanced Analytics, Cloud PKI, Endpoint Privilege Management, Enterprise Application Management and Remote Help are available as optional add-ons to this plan.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Intune Plan 2.&lt;/b&gt; An add-on to Plan 1 that provides FOTA updates, specialty device management and Tunnel for MAM.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Intune Suite.&lt;/b&gt; An add-on to Plan 1 that includes Advanced Analytics, Cloud PKI, Endpoint Privilege Management, Enterprise Application Management, FOTA updates, Remote Help, specialty device management and Tunnel for MAM. Intune Suite is also integrated with Microsoft Security and Microsoft 365, providing customers with data science and AI features.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;iframe title="Microsoft Intune licensing options" aria-label="Table" id="datawrapper-chart-rfhkA" src="https://datawrapper.dwcdn.net/rfhkA/1/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="585" data-external="1"&gt;&lt;/iframe&gt;&lt;/p&gt;
 &lt;p&gt;Microsoft includes Intune Plan 1 with Microsoft 365 E3, E5, F1, F3 and Business Premium. The vendor also provides Plan 1 with Enterprise Mobility + Security (EMS) E3 and E5, Microsoft 365 Government G3 and G5, and Microsoft 365 Education A3 and A5. Microsoft has &lt;a target="_blank" href="https://techcommunity.microsoft.com/blog/microsoftintuneblog/microsoft-365-adds-advanced-microsoft-intune-solutions-at-scale/4474272" rel="noopener"&gt;announced&lt;/a&gt; that some Intune Suite capabilities will be incorporated into Microsoft 365 E3/E5 and EMS E3/E5 later in 2026, which means the current licensing boundaries might shift as those changes roll out.&lt;/p&gt;
 &lt;p&gt;Customers who want to acquire Intune through one of these bundles should first evaluate the features and licensing for each applicable product:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Enterprise Mobility + Security.&lt;/b&gt; EMS E3 and E5 include identity and access management, endpoint management, information protection and identity-driven security. EMS E5 offers additional features, such as risk-based conditional access, intelligent data classification and labeling, and Microsoft Defender for Cloud Apps. Current EMS E3 pricing is $10.60 per user, per month; EMS E5 pricing is $16.40 per user, per month.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Microsoft 365.&lt;/b&gt; Microsoft 365 bundles can vary substantially and should be carefully assessed before choosing a plan. For example, Microsoft 365 E3 and E5 include Microsoft 365 apps, email and calendar, meetings and voice, device and app management, social and intranet support, access to files and content, work management, advanced analytics, identity and access management, information protection, security management, and compliance management. Microsoft 365 E5 includes additional capabilities on top of these features, while Microsoft 365 F1, F3 and Business Premium provide only a subset of these features. Currently, the pricing for each service is on a per-user, per-month basis: E3 for $36, E5 for $57, F1 for $2.25, F3 for $8, and Business Premium for $22. Prices for E3 and E5 are set to &lt;a target="_blank" href="https://www.microsoft.com/en-us/licensing/news/2026-M365-Packaging-Pricing-Updates" rel="noopener"&gt;increase&lt;/a&gt; by $3 in July 2026.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Most of the bundles that include Intune Plan 1 also grant the rights to use Microsoft Configuration Manager, although customers might still require &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/What-should-admins-know-about-Microsoft-Entra-features"&gt;Microsoft Entra ID&lt;/a&gt; for co-management. Customers who don't subscribe to any of these bundles can get Plan 1 as a standalone license. In addition, Microsoft offers a standalone license for devices that are not tied to specific users, such as kiosks or shared computers.&lt;/p&gt;
 &lt;p&gt;Because Intune Plan 2 and Intune Suite are add-ons to Intune Plan 1, customers must already have Plan 1 before they can subscribe to Plan 2 or Intune Suite. The two add-ons come with additional subscription fees. Currently, the pricing for Plan 2 is $4 per user, per month, and Intune Suite is $10 per user, per month.&lt;/p&gt;
 &lt;p&gt;Customers can acquire the Plan 2 add-on or Intune Suite add-on from any of the following sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Microsoft 365 Admin Center.&lt;/li&gt; 
  &lt;li&gt;Microsoft Volume License Servicing Center.&lt;/li&gt; 
  &lt;li&gt;Microsoft partner or reseller.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;According to Microsoft, each Intune add-on has its own requirements for how many licenses customers must purchase. For specifics about license minimums, volume discounts or other Intune licensing details, customers should contact Microsoft or a qualified partner or reseller.&lt;/p&gt;
 &lt;p&gt;Customers should also carefully evaluate which Intune features they need before deciding on a plan. For example, if Endpoint Privilege Management is the only capability they want in addition to the core services, they're usually better off paying for the add-on of $3 per user, per month than paying $10 for the entire Intune Suite. On the other hand, Intune Suite offers capabilities not available in Plan 1 or Plan 2, in which case the Suite might be the only option that can meet an organization's requirements.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt;&lt;i&gt; This article was updated in April 2026 to reflect changes in Microsoft Intune features and pricing.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>As Microsoft makes changes to the structure of Intune and updates pricing, organizations need to evaluate their endpoint management licensing options.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/money_g1270998711.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/A-guide-to-Microsoft-Endpoint-Manager-licensing-and-cost</link>
            <pubDate>Mon, 27 Apr 2026 13:10:00 GMT</pubDate>
            <title>A guide to Intune Suite licensing for endpoint management</title>
        </item>
        <item>
            <body>&lt;p data-end="4395" data-start="4206"&gt;Any Windows device management plan must account for the full lifecycle of the endpoint, from enrollment and active use to reassignment, loss, compromise and retirement.&lt;/p&gt; 
&lt;p data-end="4662" data-start="4397"&gt;In Microsoft Intune, removing a device is not a single action. IT teams have several removal and reset options, and the right choice depends on whether the goal is to preserve personal data, cut off corporate access, prepare the device for reuse or fully erase it.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="5 ways to remove Windows devices from Microsoft Intune"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5 ways to remove Windows devices from Microsoft Intune&lt;/h2&gt;
 &lt;p&gt;Before IT admins remove or retire Windows devices from Microsoft Intune, they should understand the available options. IT has several options for removing &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-change-a-Windows-device-name-with-Intune"&gt;Windows devices in Intune&lt;/a&gt;, each with its own pros and cons. Often, the best option depends on the reason for removing that specific device. For Windows devices, the following options are available:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;ol type="1" start="1" class="default-list"&gt; 
   &lt;li&gt;&lt;strong data-end="5133" data-start="5113"&gt;Autopilot reset.&lt;/strong&gt; IT can use Autopilot reset to restore a Windows device to its original settings while removing personal files, apps and settings. It is most useful when the organization plans to keep the device in service.&lt;/li&gt; 
   &lt;li&gt;&lt;strong data-end="5354" data-start="5343"&gt;Delete.&lt;/strong&gt; Admins can use Delete to remove a device from Intune management. Microsoft also describes this action as removing corporate&amp;nbsp;data and retiring the device.&lt;/li&gt; 
   &lt;li&gt;&lt;strong data-end="5525" data-start="5509"&gt;Fresh Start.&lt;/strong&gt; Intune administrators can use Fresh Start to reinstall the latest version of Windows and remove apps installed by the manufacturer.&lt;/li&gt; 
   &lt;li&gt;&lt;strong data-end="5671" data-start="5660"&gt;Retire.&lt;/strong&gt; IT teams can use Retire to remove corporate&amp;nbsp;data, settings and managed apps while leaving personal data intact. This makes it especially relevant for personally owned devices.&lt;/li&gt; 
   &lt;li&gt;&lt;strong data-end="5857" data-start="5848"&gt;Wipe.&lt;/strong&gt; The Wipe action restores a device to factory settings and removes all data and settings, unless the selected options specify otherwise.&lt;/li&gt; 
  &lt;/ol&gt; 
 &lt;/ol&gt;
 &lt;ol type="1" start="1" class="default-list"&gt;&lt;/ol&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Retire vs. delete vs. wipe&lt;/h3&gt; 
   &lt;p&gt;Retire is the least disruptive option for personally owned devices because it removes company data and settings while leaving personal data intact. Delete removes the device from Intune management and also removes corporate data. Wipe is the most destructive option because it restores the device to factory settings and removes all data and settings. Microsoft's current device-actions documentation makes these differences much clearer than many older Intune how-to articles did.&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How to remove Windows devices from Microsoft Intune"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to remove Windows devices from Microsoft Intune&lt;/h2&gt;
 &lt;p&gt;Within Microsoft Intune, there are two different approaches to removing Windows devices, and each of these approaches can account for the five types of device removal.&lt;/p&gt;
 &lt;p&gt;Either the IT administrator can remotely trigger an action to remove the device through Intune, or the user can locally trigger an action to remove the device.&lt;/p&gt;
 &lt;h3&gt;Removing Windows devices from Microsoft Intune as an IT administrator&lt;/h3&gt;
 &lt;p&gt;The first option is for an IT administrator to remove the Windows device from Microsoft Intune. The IT administrator can remotely trigger any of the previously described actions by using the Microsoft Intune admin center portal:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;Open the Microsoft Intune admin center portal and navigate to Devices &amp;gt; Windows.&lt;/li&gt; 
  &lt;li&gt;On the Windows | Windows devices page, select the device that should be removed from Microsoft Intune.&lt;/li&gt; 
  &lt;li&gt;Select the remote action that applies to the scenario for removing that device from Microsoft Intune (Figure 1).&lt;br&gt;&lt;br&gt;
   &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/remove_device_from_intune_1-f.jpg"&gt;
    &lt;img data-src="https://www.techtarget.com/rms/onlineimages/remove_device_from_intune_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/remove_device_from_intune_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/remove_device_from_intune_1-f.jpg 1280w" alt="The Intune admin center showing the details of a specific Windows device" height="312" width="560"&gt;
    &lt;figcaption&gt;
     &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 1. The Microsoft Intune admin center with a specific device selected and several removal options highlighted.
    &lt;/figcaption&gt;
    &lt;div class="main-article-image-enlarge"&gt;
     &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
    &lt;/div&gt;
   &lt;/figure&gt;&lt;/li&gt; 
  &lt;li&gt;Depending on the desired removal action, admins need to complete the requisite follow-up actions:
   &lt;ol type="a" start="1" class="default-list"&gt; 
    &lt;li&gt;&lt;b&gt;Autopilot reset.&lt;/b&gt; When performing an &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-troubleshoot-Intune-enrollment-with-Autopilot"&gt;Autopilot reset action&lt;/a&gt;, click &lt;b&gt;Yes&lt;/b&gt; to confirm the action.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Delete.&lt;/b&gt; When performing a Delete action, click &lt;b&gt;Yes&lt;/b&gt; to confirm the action.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Fresh Start.&lt;/b&gt; When performing a Fresh Start action, choose whether or not to retain the user data, and click &lt;b&gt;Yes&lt;/b&gt; to confirm the action.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Retire.&lt;/b&gt; When performing a Retire action, click &lt;b&gt;Yes&lt;/b&gt; to confirm the action.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Wipe.&lt;/b&gt; When performing a Wipe action, choose the type of wipe action that should be performed, and click &lt;b&gt;Yes&lt;/b&gt; to confirm the action.&lt;/li&gt; 
   &lt;/ol&gt; 
  &lt;/li&gt; 
 &lt;/ol&gt;
 &lt;h3&gt;Removing Windows devices from Microsoft Intune as a user&lt;/h3&gt;
 &lt;p&gt;The second option for removing Windows devices from Microsoft Intune is for the device's user to trigger the action. For this option, one prerequisite is that the IT department has not blocked users from unenrolling devices from Intune. When the user is allowed to perform this action, the user can take the following steps to remove the device from Microsoft Intune:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;Open the Settings app and navigate to Accounts &amp;gt; Access work or school.&lt;/li&gt; 
  &lt;li&gt;On the Access work or school page, select the connected account that should be removed, and click &lt;b&gt;Disconnect&lt;/b&gt; (Figure 2).&lt;/li&gt; 
  &lt;li&gt;On the confirmation dialog box, select &lt;b&gt;Yes&lt;/b&gt; to confirm the removal of the device.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/remove_device_from_intune_2-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/remove_device_from_intune_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/remove_device_from_intune_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/remove_device_from_intune_2-f.jpg 1280w" alt="indows Settings app showing the Access work or school page with a connected work account and the Disconnect option." height="349" width="558"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 2. A Windows device can be removed locally through Accounts &amp;gt; Access work or school when IT allows unenrollment.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;Besides directly using the Settings app, the user could also use the &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-troubleshoot-issues-with-the-Intune-Company-Portal-app"&gt;Company Portal app&lt;/a&gt; to remove their Windows device from Intune. This approach isn't available if IT has blocked the option to remove.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    In Microsoft Intune, removing a device is not a single action.
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
&lt;/section&gt;            
&lt;section class="section main-article-chapter" data-menu-title="What does removing a device from Intune do?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What does removing a device from Intune do?&lt;/h2&gt;
 &lt;p&gt;After a user unenrolls a Windows device from Intune, the device is removed from Company Portal, the user can no longer install apps from Company Portal, and access to work or school resources is reduced or removed. Depending on the configuration, device settings that Intune enforced are no longer required, and the user might also lose access to work Wi-Fi or VPN connections.&lt;/p&gt;
 &lt;p&gt;If the Intune client software is installed on the device, Microsoft says that the software is also removed during unenrollment.&lt;/p&gt;
 &lt;p&gt;The Company Portal app can still store &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-access-and-read-Intune-management-extension-logs"&gt;local diagnostic logs&lt;/a&gt; and cached support files after removal. To clear that residual data, uninstall the Company Portal app or reset it in Windows.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;Editor's note&lt;/strong&gt;: &lt;em&gt;This article was originally published in 2024 and was updated in 2026 to reflect current Intune device-removal actions, user unenrollment effects and Microsoft terminology.&lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert as well.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>When a Windows device leaves service, IT should choose the right Intune removal action based on whether it must preserve personal data, retire access or fully reset the endpoint.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/mobile_g1022892890.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-remove-a-device-from-Intune-enrollment</link>
            <pubDate>Thu, 23 Apr 2026 09:59:00 GMT</pubDate>
            <title>How to remove a device from Intune enrollment</title>
        </item>
        <item>
            <body>&lt;p&gt;Microsoft 365 Copilot has evolved from a feature into a platform that includes chat, embedded application capabilities and agent-based automation. As more organizations adopt this technology, they must consider not only licensing and pricing, but also data access, governance and how Copilot integrates into core business workflows -- particularly as it begins to surface enterprise data across applications, which can introduce new governance challenges if not carefully managed.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What types of Microsoft Copilots are there?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What types of Microsoft Copilots are there?&lt;/h2&gt;
 &lt;p&gt;Microsoft's Copilot technologies rely on &lt;a href="https://www.techtarget.com/whatis/definition/large-language-model-LLM"&gt;large language model&lt;/a&gt;-driven systems that generate natural language responses and assist with task execution. Depending on the implementation, they &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Agentic-AI-vs-generative-AI-Whats-the-difference"&gt;combine generative AI&lt;/a&gt; with enterprise data governed by existing access controls to create content, summarize data and trigger actions. Microsoft Copilot offerings span multiple categories, from enterprise productivity tools embedded in 365 to domain-specific copilots and developer-focused assistants.&lt;/p&gt;
 &lt;p&gt;Of the Copilot offerings, Microsoft 365 Copilot has the broadest reach across the enterprise for end users and administrators. It integrates with applications such as Word, Excel, Outlook and Teams as well as Copilot Chat, providing real-time analysis, workflow automation and content generation.&lt;/p&gt;
 &lt;p&gt;Agents extend the functionality of Microsoft 365 Copilot to help streamline business processes, improve decision-making and &lt;a href="https://www.computerweekly.com/news/366632865/HMRC-rolls-out-Microsoft-Copilot-AI"&gt;increase efficiency&lt;/a&gt;. Using prebuilt agents or building custom ones enables organizations to integrate additional applications, data sources or knowledge to &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Understanding-the-use-cases-of-Copilot-for-Microsoft-365"&gt;address specific use cases&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Beyond Microsoft 365, Microsoft offers domain- and role-specific copilots in its business applications. Examples include Microsoft Sales Copilot, which aims to improve efficiency in sales organizations; Microsoft Copilot Studio, which enables administrators to build custom AI agents, connect to data sources and automate workflows; and Microsoft Security Copilot, which assists with threat detection, incident response and analysis.&lt;/p&gt;
 &lt;p&gt;For development workflows, Microsoft's GitHub Copilot remains one of the earliest and most widely adopted Copilot tools, providing code suggestions, code generation and developer assistance.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Cost considerations for Microsoft 365 Copilot beyond licensing&lt;/h3&gt; 
   &lt;p&gt;Before deploying Microsoft 365 Copilot, organizations must evaluate the following:&lt;/p&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;b&gt;Subscription costs.&lt;/b&gt; Does the organization have eligible Microsoft 365 licenses, or are upgrades required?&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Deployment and enablement. &lt;/b&gt;What investments are needed for configuration, user training and change management?&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Data governance and security.&lt;/b&gt; Have permissions, access policies and compliance controls been validated to prevent unintended data exposure before rolling out Copilot?&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Business impact.&lt;/b&gt; How will Copilot be integrated into core business workflows -- such as sales, finance and operations -- to drive measurable ROI and accountability?&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Real-world use cases for Microsoft 365 Copilot"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Real-world use cases for Microsoft 365 Copilot&lt;/h2&gt;
 &lt;p&gt;Microsoft 365 Copilot capabilities are already being applied across the following business functions:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;HR. &lt;/b&gt;Draft job descriptions, automate resume review, generate interview questions, prepare onboarding checklists, summarize employee feedback surveys and perform &lt;a href="https://www.techtarget.com/searchbusinessanalytics/definition/opinion-mining-sentiment-mining"&gt;sentiment analysis&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Sales. &lt;/b&gt;Research customers, create client proposals and negotiation follow-ups, summarize CRM data and create agendas to help move prospects through the sales cycle.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Marketing. &lt;/b&gt;Generate campaign ideas, draft social media copy and summarize market research.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Finance. &lt;/b&gt;Analyze cash flow, summarize financial reports, automate payroll forecasting and identify potential inconsistencies in proposed budgets.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Legal. &lt;/b&gt;Summarize regulatory updates and key changes in legal documents and draft handbook updates.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="What are the prerequisites for Microsoft 365 Copilot?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the prerequisites for Microsoft 365 Copilot?&lt;/h2&gt;
 &lt;p&gt;Before organizations commit to &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-install-and-set-up-Copilot-for-Microsoft-365"&gt;implementing Microsoft 365 Copilot&lt;/a&gt;, they must determine whether it is a realistic option from a licensing and pricing perspective and an operational readiness standpoint.&lt;/p&gt;
 &lt;p&gt;Copilot for Microsoft 365 is an add-on to eligible Microsoft 365 subscriptions. These include enterprise plans such as E3 and E5, as well as Business Standard and Business Premium plans.&lt;/p&gt;
 &lt;p&gt;When Microsoft 365 Copilot was first released in November 2023, it required a 300-seat minimum purchase. &lt;a href="https://www.techtarget.com/searchenterprisedesktop/news/366566593/Microsoft-delivers-Copilot-Pro-eliminates-300-seat-minimum"&gt;This is no longer the case&lt;/a&gt;, enabling organizations of all sizes to adopt Copilot. Microsoft also offers a consumer-based option, Copilot Pro, for individual users.&lt;/p&gt;
 &lt;p&gt;There are some additional requirements besides licensing that IT teams must keep in mind to ensure their users are ready for Copilot deployment. To access Microsoft 365 Copilot, end users need the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;An eligible base Microsoft 365 subscription.&lt;/li&gt; 
  &lt;li&gt;An active Microsoft Entra ID account for each user to support identity and access.&lt;/li&gt; 
  &lt;li&gt;Access to Microsoft 365 Apps (desktop apps) to enable full functionality in applications such as Word, Excel and Outlook.&lt;/li&gt; 
  &lt;li&gt;Exchange Online mailboxes and Microsoft Teams to support Copilot use cases across email, meetings and collaboration.&lt;/li&gt; 
  &lt;li&gt;Network and service connectivity for cloud-based AI processing.&lt;/li&gt; 
  &lt;li&gt;Data governance controls, including permissions and access policies, to ensure secure and compliant deployment.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How much does Copilot for Microsoft 365 cost?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How much does Copilot for Microsoft 365 cost?&lt;/h2&gt;
 &lt;p&gt;Microsoft 365 Copilot, which is an add-on to qualifying Microsoft 365 subscriptions, is typically priced around $30 per user, per month for enterprise plans, with &lt;a href="https://www.techtarget.com/whatis/definition/SMB-small-and-medium-sized-business-or-small-and-midsized-business"&gt;SMB&lt;/a&gt;-focused pricing ranging from $18 to $21 per user, per month. Pricing is billed annually and might vary based on region, currency or bundled offers.&lt;/p&gt;
 &lt;p data-end="3281" data-start="3069"&gt;Some Microsoft listings show bundled pricing -- such as Business Standard or Premium plans combined with Copilot -- but these figures reflect promotional packaging rather than the standalone Copilot license cost. Organizations should consult Microsoft for current pricing.&lt;/p&gt;
 &lt;p data-end="3495" data-start="3288"&gt;While Microsoft offers limited Copilot Chat capabilities in certain subscriptions, full Microsoft 365 Copilot functionality generally requires a paid license and does not have a free trial.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;This article was updated in April 2026 to reflect the evolution of Microsoft 365 Copilot from an add-on feature to a broader AI platform. &lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;John Powers is a former senior site editor for Informa TechTarget's SearchEnterpriseDesktop, SearchVirtualDesktop and SearchMobileComputing sites. He graduated from the Philip Merrill College of Journalism at the University of Maryland.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Microsoft 365 Copilot spans apps, chat and agents. Learn its licensing, prerequisites, pricing and use cases -- and how to plan deployment, governance and ROI.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/money_g1164584480.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/answer/How-does-Microsoft-365-Copilot-pricing-and-licensing-work</link>
            <pubDate>Wed, 22 Apr 2026 14:30:00 GMT</pubDate>
            <title>How does Microsoft 365 Copilot pricing and licensing work?</title>
        </item>
        <item>
            <body>&lt;p&gt;Windows answer files are a cornerstone of modern IT management. This is especially true in enterprise environments, where consistency, speed and accuracy are paramount.&lt;/p&gt; 
&lt;p&gt;For Windows administrators, understanding the function and application of answer files is crucial for streamlining OS deployments and ensuring that configurations align with organizational standards.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What are Windows answer files?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are Windows answer files?&lt;/h2&gt;
 &lt;p&gt;Windows answer files are &lt;a href="https://www.techtarget.com/whatis/definition/XML-Extensible-Markup-Language"&gt;XML&lt;/a&gt;-based configuration files used during the automated setup and deployment of Windows OSes. Their primary role is to provide predefined responses to the questions that the Windows Setup program normally asks. This removes the need for manual intervention during installation. The structure of an answer file is hierarchical, containing various sections, or &lt;i&gt;passes&lt;/i&gt;, that correspond to different stages of the setup process. Examples include &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Using-Diskpart-to-create-extend-or-delete-a-disk-partition"&gt;disk partitioning&lt;/a&gt;, user account creation, regional settings and app installation.&lt;/p&gt;
 &lt;p&gt;Each answer file can be customized to meet specific deployment requirements, making it possible to automate everything from basic installations to complex, multi-stage configuration scenarios. By using these files, organizations can ensure every device is configured uniformly, reducing the risk of errors and minimizing setup time.&lt;/p&gt;
 &lt;h3&gt;Benefits of Windows answer files for enterprise administrators&lt;/h3&gt;
 &lt;p&gt;Adopting Windows answer files offers several benefits for enterprise IT teams. First and foremost, they streamline the deployment process, enabling admins to roll out hundreds or thousands of devices with minimal manual effort. This automation saves time and frees staff to focus on other critical tasks.&lt;/p&gt;
 &lt;p&gt;Consistency is another advantage. Answer files ensure that every machine receives the same configuration, which helps maintain compliance with corporate policies and security standards. Also, the use of answer files reduces the likelihood of human error, which can be costly and disruptive in large environments. The flexibility to deploy customized images and settings also enables organizations to meet diverse user needs while maintaining operational control.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Accessing and reviewing Windows answer files"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Accessing and reviewing Windows answer files&lt;/h2&gt;
 &lt;p&gt;To work effectively with Windows answer files, admins must be familiar with the technologies and utilities involved in their creation, extraction and review. The primary tool for generating and editing answer files is the Windows System Image Manager (&lt;a href="https://www.techtarget.com/searchenterprisedesktop/definition/Microsoft-Windows-System-Image-Manager-SIM"&gt;SIM&lt;/a&gt;), which is part of the Windows Assessment and Deployment Kit. Windows SIM provides a graphical interface for building answer files, validating their structure and ensuring compatibility with specific Windows images.&lt;/p&gt;
 &lt;p&gt;Answer files are typically named Autounattend.xml or Unattend.xml. They are stored on deployment media, such as USB drives or network shares. For one-shot installs, they might reside within the X:\Sources directory of a Windows image, or whatever drive letter the install media uses. Administrators can access these files directly using Windows Explorer or through command-line utilities like Deployment Image Servicing and Management (&lt;a href="https://www.techtarget.com/searchenterprisedesktop/definition/Microsoft-Windows-Deployment-Image-Servicing-and-Management-DISM"&gt;DISM&lt;/a&gt;) and PowerShell. For more advanced scenarios, IT can use third-party utilities to extract answer files from captured images or deployment packages. However, most enterprise environments rely on native Microsoft tools.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Specifying answer files for review"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Specifying answer files for review&lt;/h2&gt;
 &lt;p&gt;Administrators might need to review specific answer files depending on their various deployment scenarios or troubleshooting requirements. Typically, only the answer files associated with the current installation or deployment package are relevant for review. When working with multiple images or custom configurations, specify which answer file to analyze, as not all files are universally applicable. Fortunately, Windows SIM and DISM let users open and inspect any XML-based answer file, facilitating targeted reviews and modifications.&lt;/p&gt;
 &lt;p&gt;If all answer files reside together in a central repository, administrators can extract and review any file as needed. However, it's best practice to analyze only the files that are pertinent to the deployment at hand. This helps avoid confusion and ensures changes are applied where intended. Clear naming conventions are helpful for identifying targets, Windows versions and other vital data.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Analyzing Windows answer files"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Analyzing Windows answer files&lt;/h2&gt;
 &lt;p&gt;Effective analysis of answer files requires a systematic approach. To start, open the file in Windows SIM or a compatible XML editor, which will display the hierarchical structure and reveal all configuration passes. Pay close attention to the following sections:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Windows PE.&lt;/b&gt; Manages initial setup tasks, such as disk partitioning and boot configuration.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Offline Servicing.&lt;/b&gt; Handles driver and update integration before the OS boots for the first time.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Generalize.&lt;/b&gt; Prepares the image for deployment across multiple devices, removing device-specific information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Specialize.&lt;/b&gt; Applies machine-specific settings, such as network configuration and domain joining.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;OOBE System.&lt;/b&gt; Controls &lt;a target="_blank" href="https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/automate-oobe" rel="noopener"&gt;user-facing setup options&lt;/a&gt;, including account creation and privacy settings.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;When reviewing answer files, IT should take the following actions:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Look for critical data indicators such as disk configuration parameters, product keys, localization settings and automation scripts.&lt;/li&gt; 
  &lt;li&gt;Confirm that all required fields are completed and check for deprecated or unsupported options, as these can cause deployment failures.&lt;/li&gt; 
  &lt;li&gt;Use Windows SIM's validation feature to identify errors and warnings.&lt;/li&gt; 
  &lt;li&gt;Cross-reference configurations with organizational standards to ensure compliance.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;For deeper analysis, admins can use DISM and PowerShell to mount images and inspect embedded answer files. This makes it possible to audit deployments after the fact or troubleshoot issues in production environments. Documenting changes and maintaining version control over answer files ensures that deployments remain consistent and traceable over time.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Best practices for using Windows answer files"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Best practices for using Windows answer files&lt;/h2&gt;
 &lt;p&gt;Windows answer files are an essential tool for administrators tasked with managing large-scale deployments. By automating responses and standardizing configurations, these files drive efficiency, consistency and security across enterprise IT operations. To maximize their value, admins should become proficient in using Windows SIM, DISM and PowerShell, and adopt a disciplined approach to reviewing and maintaining answer files.&lt;/p&gt;
 &lt;p&gt;Focusing on key configuration passes and data indicators ensures that deployments proceed smoothly and meet organizational requirements. Regular audits and validation of answer files help prevent errors and maintain compliance. Mastering the use of Windows answer files empowers admins to deliver reliable, repeatable and &lt;a href="https://www.techtarget.com/searchwindowsserver/tutorial/Secure-Windows-with-Microsofts-Security-Compliance-Toolkit"&gt;secure Windows environments&lt;/a&gt; -- an indispensable capability in today's business landscape.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Ed Tittel is a 30-plus year IT veteran who has worked as a developer, networking consultant, technical trainer and writer.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Explore what Windows answer files are, why every IT professional should be familiar with them, and how they simplify and automate installations at scale.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/folder-files06.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/What-Windows-answer-files-do-and-how-to-use-them</link>
            <pubDate>Tue, 21 Apr 2026 13:58:00 GMT</pubDate>
            <title>What Windows answer files do and how to use them</title>
        </item>
        <item>
            <body>&lt;p&gt;I spent some time at Canva Create this week, and, as events go, it's wildly different from the normal events I'm at. Canva, historically, has been made by and for designers, and this comes through loud and clear at the event. But here's the thing: Canva has many of the parts needed to become the future of not just design (an area I won't pretend to know that well), but knowledge work in general.&lt;/p&gt; 
&lt;p&gt;Last year, I also attended this event, and my main takeaway was that there's a large, grassroots user base of Canva, and that the company was using this to make a pivot to enterprise. There was the usual AI this-and-that, but the single most important thing I learned was that behind all the vibes and colors and tools was a massive data layer. This data layer is accessible to all the document types, code and workflows in Canva, and it's specifically used in the context of Canva Sheets. Sheets is a spreadsheet feature, but it's less of a Microsoft Excel or Google Sheets alternative than it is a software-defined, customizable view into the contents of the data layer. I &lt;a href="https://www.techtarget.com/searchenterprisedesktop/opinion/Canva-The-business-productivity-app-flying-under-ITs-radar"&gt;left Canva Create 2025&lt;/a&gt; thinking two things:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;That was the coolest keynote I've ever seen.&lt;/li&gt; 
 &lt;li&gt;These guys could really be successful if they decide to branch out past creatives and really go after enterprise use cases.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;In the intervening 12 months, Canva released its own AI model and built and trained more than a hundred other models that are used for specific tasks. This enabled it to build lots of AI tools that focused on things like image generation, image layering, video generation, etc. For a lot of these specialized tasks, Canva's fine-tuned models are coming in cheaper and faster than the big, general-purpose frontier ones with comparable output quality -- a quiet but significant signal about where AI is going.&lt;/p&gt; 
&lt;p&gt;This is glossing over a lot of work, but it all culminated in what was released this week: Canva AI 2.0. And while there are significant improvements to Canva's design capabilities that deserve attention, even Canva has started referring to itself not as a "design company with AI," but as an "AI company that does design."&lt;/p&gt; 
&lt;p&gt;Cliff Obrecht, Canva's co-founder, took it a step further, putting Canva alongside Google and Microsoft as "the third productivity suite." It's the first time I've heard this from Canva directly, and it's one of the reasons I left the event thinking, "This is the future of all knowledge work."&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Canva is becoming the second brain"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Canva is becoming the second brain&lt;/h2&gt;
 &lt;p&gt;Canva AI 2.0 introduced a concept called &lt;i&gt;memories&lt;/i&gt;, and among the types of memories that Canva stores are organizational (brand) memories and personal memories. Organizational memories include things like brand guidelines and company voice. Admins (or brand leaders) can configure these memories and push them out to everyone in an organization, ensuring that all content, including AI-generated content, adheres to brand guidelines. This is really useful, but the real eye-opener was personal memories.&lt;/p&gt;
 &lt;p&gt;To build a personal memory, Canva scans all the documents a user has created, learning their voice, their style, their perspective. It spans all document types, including those that have been uploaded into Canva or that are accessible through connectors to other corporate information stores, such as Microsoft Office or Google. In this way, it builds a model of each end user, just like the &lt;a href="https://www.techtarget.com/searchenterprisedesktop/opinion/The-promise-and-concern-around-end-user-AI-second-brains"&gt;second brain concept&lt;/a&gt; that's been transforming knowledge work. These memories are stored as editable Canva documents that users can browse and modify directly, which is very similar to how second brains work.&lt;/p&gt;
 &lt;p&gt;This, coupled with agentic features like scheduled tasks and collaborative work planning and execution, means that Canva is effectively bringing the concept of the second brain to the masses in a way that's immediately personal and useful. This is coming at the perfect time, because while second brain implementations are great for developers and power users that aren't afraid to get their hands dirty, they're not for the faint of heart.&lt;/p&gt;
 &lt;p&gt;Is Canva's attempt to bring the idea of the AI co-collaborator exactly the same as a second brain? No. It's missing most of the knobs and dials and full-on agentic features that developers and power users would want. But that's not who it's for. It's &lt;a href="https://www.techtarget.com/searchcustomerexperience/feature/How-AI-will-affect-the-future-of-content-marketing"&gt;for designers and marketers&lt;/a&gt; and, increasingly, other roles.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Going beyond design"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Going beyond design&lt;/h2&gt;
 &lt;p&gt;The core of Canva's story is around designers, for sure. That's its pedigree, and the creative aura is persistent everywhere you look. But if you follow the trail of breadcrumbs, you can see glimpses of the path Canva is on. It's a path that I think Canva sees, too, but I'm honestly not sure. It's not as cool, and the vibes are decidedly more low-key, but Canva is -- purposely or not -- on a path to disrupt workplace productivity in general in the very near future.&lt;/p&gt;
 &lt;p&gt;It starts with the aforementioned Sheets, but we all know displacing Excel is effectively impossible. It's really powerful to still be able to ingest Excel docs or Google Sheets into Canva's data layer, then use that to create presentations, proposals, etc. with seamlessly integrated AI. In fact, Canva only has one file type for everything it does, so it can optimize its AI for a single file type rather than having to figure out how to work with dozens of different formats.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    If design, marketing, and now sales start using Canva, the company suddenly has a huge footprint in an organization. 
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;This isn't the same experience you get with Office 365 and Copilot, or even Google Workspace with Gemini. Sprinkled in among the various content creation and graphics design conversations were other things that have typically resided in the less creative corners of knowledge work: pitch deck creation, product messaging documents, go-to-market workflow and campaign tracking, &lt;a href="https://www.channelfutures.com/channel-business/is-your-customer-tuning-out-the-qbr-"&gt;QBRs&lt;/a&gt;, etc.&lt;/p&gt;
 &lt;p&gt;Campaign tracking and QBRs stick out to me because they're without a doubt more data-driven, business-focused workflows and outputs that aren't usually thought of in the same breath as the design side. (Surely they're connected, but I've never attended a QBR that required a graphic designer, and there's an entire marketing tech angle that should also be explored.) They are, however, the next rung up the ladder as Canva grows from grassroots, product-led growth to widespread use across the enterprise. And again, the AI is seamlessly integrated everywhere.&lt;/p&gt;
 &lt;p&gt;If design, marketing, and now sales start using Canva, the company suddenly has a huge footprint in an organization. If other use cases are adopted, organizations might eventually wise up to the fact that they've got so many workplace productivity suites in use that they want to consolidate. And by then, Canva might have very well earned a seat at the table as those organizations choose which ones to continue investing in strategically.&lt;/p&gt;
 &lt;p&gt;Could Microsoft and Google catch up? Maybe. Microsoft seems to have a more complex problem to solve, weaving AI and Copilot into everything without making it feel bolted on, but it also has the longest runway to make changes. &lt;a href="https://www.techtarget.com/searchenterpriseai/news/366585309/Google-Gemini-generative-AI-hits-all-products-including-Search"&gt;Google and Gemini seem a bit more integrated&lt;/a&gt;, but neither appears to be as naturally integrated as Canva today. I'm not saying Canva will take over, but I am considering it a breath of fresh air that appears to be nimbler and more in touch with the way the world seems to be moving.&lt;/p&gt;
 &lt;p&gt;A few other thoughts:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Canva announced an offline mode that lets you download documents and work with them while disconnected. This is presumably done using a progressive web app and some sort of file download. Nice to have, for sure, but it got me thinking about the device-level capabilities. If Canva has all these models, some of which are rather small, would it be able to use on-device inference resources like the NPU on an AI PC? This would lighten the load on Canva's data centers and also enhance the offline experience.&lt;/li&gt; 
  &lt;li&gt;Canva Enterprise customers benefit from Canva Shield, which is a set of policies that includes indemnification for AI outputs that would &lt;a href="https://www.techtarget.com/whatis/feature/AI-lawsuits-explained-Whos-getting-sued"&gt;infringe on any other creator's intellectual property&lt;/a&gt;. I haven't seen this before, and I think it's worth pointing out because it's the kind of thing you don't see from the frontier models.&lt;/li&gt; 
  &lt;li&gt;I'd be curious to see what memories organizations and admins have access to. Second brains can be personal and portable across models. Canva's approach is locked within Canva, which can unlock some amazing functionality and efficiency, but it also introduces some potential concerns that the company should address. It's one thing to provide a tool to make end users more productive. It's another for an organization to take those memories and use them to build digital twins that could ultimately reduce the need for (or outright replace) the workers themselves. To be fair, this isn't a Canva problem as much as a broader &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Generative-AI-ethics-8-biggest-concerns"&gt;issue in the AI age&lt;/a&gt;: Where is the line between corporate IP and acquired human skills that the company has hired?&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;There's a lot to think about here, but I really do think that we're getting glimpses of the future of knowledge work. Whether or not it will be Canva is another story, but the company is breaking new ground in bringing agentic AI to the hands of end users in a very Canva-like way, and we're all sure to learn something from it that will be useful as AI continues to transform the digital workspace.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Gabe Knuth is the principal analyst covering end-user computing for Omdia.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Omdia is a division of Informa TechTarget. Its analysts have business relationships with technology vendors.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>With Canva AI 2.0, the company appears to be evolving from a design tool into a full-fledged, AI‑powered productivity platform that could reshape knowledge work.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/2.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/opinion/Canva-is-showing-us-a-glimpse-of-knowledge-works-future</link>
            <pubDate>Fri, 17 Apr 2026 12:58:00 GMT</pubDate>
            <title>Canva is showing us a glimpse of knowledge work's future</title>
        </item>
        <item>
            <body>&lt;p&gt;Microsoft ended support for Windows 10 on October 10, 2025. As of that date, the company no longer provides technical assistance, feature updates or, most importantly, security updates for the OS. This means organizations have little option but to upgrade to Windows 11 if they haven't already done so.&lt;/p&gt; 
&lt;p&gt;By this point, IT administrators should, in theory, be able to &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-perform-an-in-place-upgrade-to-Windows-11"&gt;perform in-place upgrades&lt;/a&gt; on their managed PCs with little problem. The upgrade process is designed to migrate all the user's data and files, including the device settings, while also updating the OS. However, Windows sometimes fails to migrate device settings. In these cases, admins must take additional steps to ensure that connected devices are operational.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Understanding Windows 11 device settings migration errors"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Understanding Windows 11 device settings migration errors&lt;/h2&gt;
 &lt;p&gt;When IT admins try to migrate their managed PCs from Windows 10 to Windows 11, the upgrade process attempts to maintain existing device settings. In some circumstances, however, an error message might pop up, stating that the settings were not migrated. This results in a partial upgrade that can affect the UX.&lt;/p&gt;
 &lt;p&gt;The error message indicates that certain device-related drivers or configurations could not be successfully transferred to the new operating environment. This type of error can be the result of a few possible factors:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;One or more device drivers are outdated, corrupted, unsupported or otherwise &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/3-tools-to-check-Windows-11-update-compatibility"&gt;incompatible with Windows 11&lt;/a&gt;. This can often occur with legacy hardware that no longer receives device driver updates.&lt;/li&gt; 
  &lt;li&gt;One or more physical components, such as a graphics card, external drive or USB port, are behaving erratically or are near failure.&lt;/li&gt; 
  &lt;li&gt;One or more physical components or their configuration settings are incompatible with or unsupported in Windows 11.&lt;/li&gt; 
  &lt;li&gt;Specific software components are incompatible with or prohibited by Windows 11. This might include VPN clients, antivirus software, or third-party apps or utilities.&lt;/li&gt; 
  &lt;li&gt;Restrictive group policies are preventing Windows from transferring the settings to the new operating environment.&lt;/li&gt; 
  &lt;li&gt;One or more device-related registry keys are missing or corrupt.&lt;/li&gt; 
  &lt;li&gt;IT might be using a &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Windows-11-migration-tools-for-desktop-administrators"&gt;third-party migration tool&lt;/a&gt; or drive management tool that interferes with the Windows upgrade process.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;When a computer that's being upgraded to Windows 11 encounters a device settings error, the devices that caused the error might not function properly or might quit functioning altogether. In addition, the device's configuration settings could be permanently lost during the migration process. A wide range of devices can be susceptible to device settings errors, including legacy hardware, nonstandard devices, USB hubs, network adapters, fingerprint readers, Bluetooth adapters and touchpads.&lt;/p&gt;
 &lt;p&gt;Disruptions in device operations can affect users in multiple ways. For example, if the driver for an external hard disk drive can't be migrated, the user won't be able to access the files on that drive, resulting in disrupted workflows and a loss of productivity. Even if an updated driver can be manually installed, the user could still be affected by delays until the problem is fixed.&lt;/p&gt;
 &lt;p&gt;IT teams faced with device-related &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Windows-11-upgrade-issues-that-desktop-admins-should-know"&gt;errors during migration&lt;/a&gt; must take troubleshooting steps that address their specific circumstances. In some cases, they might need to replace legacy hardware or software components, or they might need to download the latest drivers and install them manually or through a management platform.&lt;/p&gt;
 &lt;p&gt;Additionally, administrators who manage large numbers of Windows installations can run into device-related issues on multiple computers at the same time. For instance, an IT team might manage many Windows desktops that are configured with the same graphics card. If the card's driver can't be migrated across all those computers, admins need to roll out driver updates to all those devices, resulting in delays and increased overhead and costs.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="How to resolve device settings migration issues in Windows 11"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to resolve device settings migration issues in Windows 11&lt;/h2&gt;
 &lt;p&gt;When device settings issues occur, IT admins must try different strategies to resolve the problem. Use the following steps to guide the troubleshooting process, from restarting the computer to performing a clean boot or system restore. Note that an organization's specific circumstances and immediate needs could necessitate a different order or different steps.&lt;/p&gt;
 &lt;h3&gt;1. Restart the computer&lt;/h3&gt;
 &lt;p&gt;Before attempting anything else, IT can try to restart the computer to see whether this resolves the migration issue. A restart shuts down running processes and clears the memory. It also causes Windows to rescan for hardware devices and, in some cases, reinstall drivers. A restart sometimes helps resolve conflicts and address device issues without needing to take any other steps.&lt;/p&gt;
 &lt;h3&gt;2. Identify the devices causing the error&lt;/h3&gt;
 &lt;p&gt;If restarting the computer doesn't help, the next step is to identify the devices that are likely causing the problem. A good place to start is with Device Manager, which provides information about each of the computer's devices. Click the chevron next to any device category to view the individual devices (Figure 1).&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/win11_migrate_settings_1-h.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/win11_migrate_settings_1-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/win11_migrate_settings_1-h_half_column_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/win11_migrate_settings_1-h.jpg 1280w" alt="The list of the computer's devices in Windows 11 Device Manager. The Sound, video and game controllers category is expanded, with the High Definition Audio Device selected." data-credit="Robert Sheldon" height="352" width="280"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 1. The Sound, video and game controllers category expanded in Device Manager, with the High Definition Audio Device selected.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;If there is a problem with a device, Device Manager flags it with a yellow exclamation mark. In this way, IT can quickly determine which devices might not have migrated correctly. IT can also access the device's properties to find additional information about the device and its driver.&lt;/p&gt;
 &lt;p&gt;Device Manager also lets admins scan the computer for hardware changes to ensure it's showing the most current information. To perform a scan, right-click the computer name at the top of the device list and select &lt;b&gt;Scan for hardware changes&lt;/b&gt;.&lt;/p&gt;
 &lt;p&gt;Information about device-related problems is also available in the computer's logs. IT can access the logs through Event Viewer or another tool.&lt;/p&gt;
 &lt;p&gt;The logs show the device-related errors that occurred during the migration process, which can help identify the problem devices.&lt;/p&gt;
 &lt;p&gt;Event Viewer makes it easy to review the individual events in each log. It also lets admins sort and filter a log so they can find the events they're looking for more efficiently.&lt;/p&gt;
 &lt;p&gt;Another option is to review the upgrade log files -- &lt;span style="font-family: 'courier new', courier, monospace;"&gt;setupact.log&lt;/span&gt; and &lt;span style="font-family: 'courier new', courier, monospace;"&gt;setuperr.log&lt;/span&gt; -- for device-related issues. However, the exact location of the files can vary. To determine where to look for the log files, consult the &lt;a target="_blank" href="https://learn.microsoft.com/en-us/windows/deployment/upgrade/log-files" rel="noopener"&gt;Windows 11 documentation&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;In some cases, it might be useful to check the Windows Update history to find information about device-related issues that occurred during an upgrade. Access the history through the Windows Settings app by going to Windows Update &amp;gt; Update history.&lt;/p&gt;
 &lt;h3&gt;3. Verify the device drivers&lt;/h3&gt;
 &lt;p&gt;Settings migration issues often occur because of the device's driver, which might not be supported in Windows 11. If the driver is the problem, IT must update, replace or reinstall it.&lt;/p&gt;
 &lt;p&gt;The easiest way to work with drivers in Windows is through Device Manager. After launching Device Manager, locate and right-click on the target device. Then, click &lt;b&gt;Properties&lt;/b&gt;. When the Properties dialog box appears, go to the &lt;b&gt;Driver&lt;/b&gt; tab. There, IT can view details about the driver, update the driver, disable the device or uninstall the device (Figure 2).&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/win11_migrate_settings_2-h.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/win11_migrate_settings_2-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/win11_migrate_settings_2-h_half_column_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/win11_migrate_settings_2-h.jpg 1280w" alt="The Driver tab in the Properties dialog box for the High Definition Audio Device driver." data-credit="Robert Sheldon" height="314" width="280"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 2. The Driver tab in the Properties dialog box for the High Definition Audio Device driver.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;Typically, it's best to try to update the driver before disabling or uninstalling the device. If it's not possible to update the driver through Device Manager, IT might be able to update it manually by downloading it from the vendor's website. Once downloaded, either install it directly onto the computer or use a tool such as Intune or Configuration Manager to manage and install the driver as part of the IT team's larger driver management strategy.&lt;/p&gt;
 &lt;p&gt;In some cases, the device's vendor might offer a tool for managing and updating the drivers for its devices. Be careful using these tools. They can sometimes affect the Windows update process. The vendor might also provide information about possible driver conflicts and how to resolve potential issues.&lt;/p&gt;
 &lt;p&gt;If an admin can't update the driver to a version that functions with Windows 11, they might need to uninstall the device. If possible, disconnect the device from the computer first. Uninstalling a device in Device Manager causes Windows to delete the driver and its configurations and remove the device from Device Manager. Restarting the computer without disconnecting the device, on the other hand, prompts Windows to redetect it and try to reinstall the driver.&lt;/p&gt;
 &lt;h3&gt;4. Verify the devices&lt;/h3&gt;
 &lt;p&gt;Device settings problems can sometimes stem from issues with the physical device itself. If it seems like this might be the case, there are several steps IT can attempt, especially with external devices. Steps include restarting the device or disconnecting and then reconnecting it. If the device is plugged into a USB port, IT can also try to connect it to a different port. In some cases, updating the device's firmware might be an option, which can sometimes help resolve device-related issues.&lt;/p&gt;
 &lt;p&gt;Another strategy is to run one or more of the &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Troubleshooting-the-most-common-issues-with-Windows-11"&gt;Windows troubleshooters&lt;/a&gt;. To access the troubleshooters, open the Settings app and navigate to System &amp;gt; Troubleshoot &amp;gt; Other troubleshooters. This screen shows a list of troubleshooters, which can sometimes help resolve hardware- or system-related issues. Windows provides troubleshooters for audio, video, networking, printing and other device types. Admins should also verify that any hardware they're trying to troubleshoot is indeed compatible with Windows 11.&lt;/p&gt;
 &lt;h3&gt;5. Verify the operating environment&lt;/h3&gt;
 &lt;p&gt;Sometimes device-related issues might not be as apparent as an outdated driver or faulty USB port, which requires IT to dig deeper into the Windows environment itself. Start by ensuring that the computer has the latest Windows updates. Then, run the Windows Update troubleshooter, which identifies and tries to repair update-related issues.&lt;/p&gt;
 &lt;p&gt;Another helpful step is to check whether the computer is running third-party apps or services that might be conflicting with the Windows environment or preventing the system from properly updating its devices. Antimalware software, particularly legacy products, can sometimes cause update issues, as can driver update tools, VPN clients and other types of third-party apps.&lt;/p&gt;
 &lt;p&gt;Group Policy settings, &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-access-Windows-11-BIOS-configuration-with-hotkeys"&gt;UEFI settings&lt;/a&gt;, and corrupt or missing registry settings can also cause issues. Review those settings as they relate to the problem devices. In addition, consider updating the computer's firmware if it seems to be causing device-related problems.&lt;/p&gt;
 &lt;h3&gt;6. Use available features and tools&lt;/h3&gt;
 &lt;p&gt;Microsoft offers several tools for managing Windows computers. The following command-line utilities can help solve Windows 11 migration problems:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;SetupDiag.&lt;/b&gt; This tool retrieves details about why a Windows upgrade was unsuccessful. The utility examines the Windows Setup log files to determine the root cause of an update or upgrade failure.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Deployment Image Servicing and Management (DISM).&lt;/b&gt; This tool restores and repairs system files. It's often used in conjunction with the SFC utility. Admins can use the DISM tool to scan a Windows 11 image for corruption and then use it to repair the image.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;System File Checker (SFC).&lt;/b&gt; This tool scans the system files and restores corrupted or missing files. Microsoft recommends using the DISM utility to repair any corrupted files, followed by the SFC utility to scan the system and replace files.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;PnPUtil.&lt;/b&gt; This tool lets IT carry out certain operations on driver packages, such as installing a driver package, enabling a device, installing or removing a driver package from the driver store, or viewing the driver packages currently in the driver store.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;IT teams that use a centralized platform such as Intune or Configuration Manager to manage their Windows 11 desktops might be able to take advantage of the platform's built-in capabilities when updating to Windows 11 or addressing related settings migration issues.&lt;/p&gt;
 &lt;p&gt;Management platforms often include features such as pre-upgrade readiness checks, automated script deployment, driver management, policy-based management and upgrade orchestration. For example, admins might use the endpoint analytics features integrated into Intune or Configuration Manager to assess device readiness, or use the driver management features to distribute the latest version of a driver.&lt;/p&gt;
 &lt;h3&gt;7. Perform a clean boot or system restore&lt;/h3&gt;
 &lt;p&gt;If none of the previous steps solve the issue, IT might need to take one of the following steps:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Perform a clean boot.&lt;/b&gt; A clean boot launches Windows with a minimal set of drivers and startup programs and enables IT to control which services and programs run at startup. From this simplified environment, admins can then try to upgrade to Windows 11 again.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Perform a system restore.&lt;/b&gt; If a clean boot doesn't work, try to perform a system restore that rolls back the computer. When rolling back the system, admins might need to choose a restore point that precedes a recent update. They can then try to upgrade to Windows 11 from there.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;If all else fails, consider performing a &lt;a href="https://www.techtarget.com/searchitchannel/definition/clean-install"&gt;clean install&lt;/a&gt; of Windows 11 instead of attempting an upgrade. This process removes the existing Windows installation and lets IT start fresh. Some teams prefer this approach because it ensures that they're working with a clean slate. Unfortunately, it means that users will lose all their device settings, along with other settings. But at some point, it could prove the most viable option.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Device settings don't always make the jump from Windows 10 to Windows 11, leaving IT teams to fix driver issues, hardware conflicts and upgrade failures that disrupt users.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/arvr_a170745745.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/What-to-do-when-device-settings-dont-migrate-to-Windows-11</link>
            <pubDate>Thu, 16 Apr 2026 17:51:00 GMT</pubDate>
            <title>What to do when device settings don't migrate to Windows 11</title>
        </item>
        <item>
            <body>&lt;p data-end="3501" data-start="3265"&gt;Microsoft Intune device management starts with device enrollment, but Windows enrollment can follow several different paths depending on device ownership, deployment goals and how much control IT needs during setup.&lt;/p&gt; 
&lt;p data-end="3697" data-start="3503"&gt;Once enrolled, devices can receive policies, apps, updates and management settings from Intune. That makes the enrollment method an important design decision, not just a technical prerequisite.&lt;/p&gt; 
&lt;p&gt;The enrollment process requires Intune to install a mobile device management (MDM) certificate on the device that allows Intune to communicate with it directly. &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Using-the-Intune-management-extension-for-PowerShell-scripts"&gt;Through this communication with Intune&lt;/a&gt;, IT administrators can deploy policies, control updates and perform general management tasks on devices such as Windows desktops.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What are the options for enrolling Windows devices?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the options for enrolling Windows devices?&lt;/h2&gt;
 &lt;p&gt;There are multiple ways to enroll Windows devices in Intune, and the best option usually depends on whether the device is corporate-owned or personal, how much lifecycle control IT needs and how much setup work the user should have to do. There are different enrollment scenarios for personally owned and corporate-owned devices, with the goal of keeping personal devices personal and corporate devices corporate.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Windows Autopilot.&lt;/b&gt; For corporate-owned devices, &lt;a href="https://www.techtarget.com/searchenterprisedesktop/definition/Windows-Autopilot"&gt;Windows Autopilot&lt;/a&gt; is the most common option. Windows Autopilot is a service with a collection of technologies that aims to simplify the initial setup and deployment of new devices. During that process, the device is automatically joined to Microsoft Entra ID and automatically enrolled into Microsoft Intune. After that process is completed, the device is ready for management and use.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Microsoft Entra join with automatic enrollment.&lt;/b&gt; When using Windows Autopilot is not an option, IT administrators can set corporate-owned devices to automatically enroll into Microsoft Intune. They can do this by choosing to &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/What-should-admins-know-about-Microsoft-Entra-features"&gt;join the device to Microsoft Entra ID&lt;/a&gt; and providing a work or school account during the out-of-box experience (OOBE). During that process, the same end result of enrollment will happen as with the Windows Autopilot method. However, this approach offers a lot less control over the full lifecycle of the device and a less user-friendly experience.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Bulk enrollment with provisioning package.&lt;/b&gt; When there are a lot of corporate-owned devices that IT needs to enroll, bulk enrollment with a provisioning package can be an efficient alternative to Autopilot. Admins can apply a provisioning package during the OOBE that ensures the device is automatically joined to Microsoft Entra ID and automatically enrolled into Microsoft Intune.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Intune Company Portal app.&lt;/b&gt; For personally owned devices, the Intune Company Portal app is the most common option. The user can download and install the Intune Company Portal app from the Microsoft Store and walk through the process within the app to enroll the device into Microsoft Intune. Once this process is complete, the device is enrolled as a personal device with only a few management options and insights for IT to work with. For privacy-sensitive BYOD scenarios, Intune also supports MAM for unenrolled Windows devices, which can protect organizational data at the app level without enrolling the entire device.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Connecting a work or school account.&lt;/b&gt; Another option for personally owned devices is to use the available process within the Settings app to add a work or school account. The result will be similar to the Intune Company Portal app but with fewer insights about the status of the device and no direct &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-troubleshoot-Intune-app-deployments"&gt;overview of the available apps&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="What is the most common scenario for corporate-owned Windows devices?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the most common scenario for corporate-owned Windows devices?&lt;/h2&gt;
 &lt;p&gt;The enrollment of corporate-owned devices with Windows Autopilot is the most commonly used scenario for enrolling Windows devices into Microsoft Intune. In this scenario, it is important that those devices are registered with the Windows Autopilot service. The easiest way to achieve this is to arrange the registration during the purchase process for those devices.&lt;/p&gt;
 &lt;p&gt;Most vendors and OEMs support enrollment at the time of purchase for new devices. Often this means the vendor gets access to the tenant to automatically upload the required information for those devices. When the vendor only provides a CSV &lt;a target="_blank" href="https://docs.python.org/3/library/csv.html" rel="noopener"&gt;file&lt;/a&gt; with the device information, the IT administrator must upload that information to the Windows Autopilot service.&lt;/p&gt;
 &lt;p&gt;Microsoft also offers Windows Autopilot device preparation as a newer deployment option. It is designed to simplify provisioning, improve troubleshooting and speed setup, and it uses a different model from the traditional registered-device workflow described below.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Which Windows enrollment path fits best?&lt;/h3&gt; 
   &lt;p&gt;Windows Autopilot is often the best fit for corporate-owned devices because it offers more control over setup and lifecycle management. For personally owned devices, the Company Portal app remains the more common choice. The right enrollment path depends on ownership, user experience and how much control IT needs during setup and beyond.&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="What are the requirements for using Windows Autopilot?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the requirements for using Windows Autopilot?&lt;/h2&gt;
 &lt;p&gt;There are not many requirements that need to be in place before an IT administrator can use Windows Autopilot. Admins must make sure the following licenses and configurations are in place:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;At least a Microsoft Entra ID P1 license for automatic enrollment and at least Microsoft Intune P1 for Intune management. IT must have both assigned to the users.&lt;/li&gt; 
  &lt;li&gt;Basic Intune tenant setup with the MDM authority &lt;a href="https://www.techtarget.com/searchenterprisedesktop/feature/What-does-the-new-Microsoft-Intune-Suite-include"&gt;set to Microsoft Intune&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Devices running a supported version of Windows 11 in a supported edition, such as Windows 11 Pro, Enterprise or Education.&lt;/li&gt; 
  &lt;li&gt;An administrator account with at least the Global Administrator or the Intune Service Administrator Microsoft Entra role assigned.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The following setup steps cover the traditional Windows Autopilot workflow that uses registered devices and deployment profiles.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How to set up automatic enrollment for Windows Autopilot using Intune"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to set up automatic enrollment for Windows Autopilot using Intune&lt;/h2&gt;
 &lt;p&gt;When admins use Windows Autopilot for automatic enrollment of devices to Microsoft Intune, there are a few activities they must perform.&lt;/p&gt;
 &lt;h3&gt;Configure automatic enrollment&lt;/h3&gt;
 &lt;p&gt;The first task is to configure automatic enrollment. Automatic enrollment will ensure the device is automatically enrolled into Microsoft Intune -- &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-manage-a-migration-to-Microsoft-Entra-ID"&gt;after joining Microsoft Entra ID&lt;/a&gt;.&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;Open the Microsoft Intune admin center and go to Devices &amp;gt; Enrollment, then open the Windows tab and select Automatic Enrollment.&lt;/li&gt; 
  &lt;li&gt;On the Configure page, configure the MDM user scope by choosing one of the following options (Figure 1).&lt;/li&gt; 
  &lt;ol type="a" start="1" class="default-list"&gt; 
   &lt;li&gt;&lt;b&gt;None.&lt;/b&gt; MDM automatic enrollment is disabled.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Some.&lt;/b&gt; MDM automatic enrollment is enabled only for the selected group.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;All.&lt;/b&gt; MDM automatic enrollment is enabled for all users.&lt;/li&gt; 
  &lt;/ol&gt; 
  &lt;li&gt;Leave &lt;b&gt;MDM terms of use URL&lt;/b&gt;, &lt;b&gt;MDM discovery URL&lt;/b&gt; and &lt;b&gt;MDM compliance URL&lt;/b&gt; at their default configuration and click &lt;b&gt;Save&lt;/b&gt; to store the changes.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_1-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_1-f.jpg 1280w" alt="Intune admin center window showing MDM automatic enrollment scope options." data-credit="Peter van der Woude" height="277" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 1. The Intune automatic-enrollment settings let admins apply Microsoft Intune MDM enrollment to none, some or all users.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;h3&gt;Register the devices with Windows Autopilot&lt;/h3&gt;
 &lt;p&gt;The second task is to register devices with Windows Autopilot -- this is only necessary if the devices are not already registered by the vendor. This will use information accessible through a CSV file.&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;Open the Microsoft Intune admin center and go to Devices &amp;gt; Windows &amp;gt; Enrollment, then under Windows Autopilot select Devices.&lt;/li&gt; 
  &lt;li&gt;On the Windows Autopilot devices page, as shown in Figure 2, click &lt;b&gt;Import&lt;/b&gt;. Select the CSV file and click &lt;b&gt;Import&lt;/b&gt; again.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_2-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_2-f.jpg 1280w" alt="Intune admin center page listing registered Windows Autopilot devices." data-credit="Peter van der Woude" height="277" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 2. The Windows Autopilot devices page shows registered devices and helps admins group and manage deployment inventory.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;The Windows Autopilot devices overview also provides details that IT admins can use to filter and group devices. The most important of these is the Group tag, which IT can easily adjust. To create an Entra device group based on that tag, use the following example dynamic membership rule:&lt;/p&gt;
 &lt;pre class="language-c"&gt;&lt;code&gt;(device.devicePhysicalIds -any (_ -eq "[OrderID]:Example"))&lt;/code&gt;&lt;/pre&gt;
 &lt;h3&gt;Create a Windows Autopilot deployment profile&lt;/h3&gt;
 &lt;p&gt;The third task is to create a Windows Autopilot deployment profile, configure the deployment mode of the devices and customize the user's OOBE. The following steps will walk through the creation of that profile:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;Open the Microsoft Intune admin center and go to Devices &amp;gt; Windows &amp;gt; Enrollment, then under Windows Autopilot select Deployment Profiles.&lt;/li&gt; 
  &lt;li&gt;On the Windows Autopilot deployment profiles page, select Create profile &amp;gt; Windows PC.&lt;/li&gt; 
  &lt;li&gt;On the Basics page, specify a name for the profile and click &lt;b&gt;Next&lt;/b&gt;.&lt;/li&gt; 
  &lt;li&gt;On the Out-of-box experience (OOBE) page, configure at least the first two settings and click &lt;b&gt;Next&lt;/b&gt; (Figure 3).&lt;/li&gt; 
  &lt;ol type="a" start="1" class="default-list"&gt; 
   &lt;li&gt;&lt;b&gt;Deployment mode. &lt;/b&gt;Select&lt;b&gt; User-Driven &lt;/b&gt;for a standard Windows Autopilot deployment, in which users provide their credentials during the enrollment and the device is assigned to that user.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Join to Microsoft Entra ID as.&lt;/b&gt; Select &lt;b&gt;Microsoft Entra joined&lt;/b&gt;, the join type Microsoft recommends for new devices. Organizations that still depend on on-premises Active Directory can use Microsoft Entra hybrid join with Windows Autopilot.&lt;/li&gt; 
   &lt;li&gt;For the remaining settings, choose what's applicable based on internal policies. Determine which pages should be shown, choose the account type, configure the language and determine the name standard.&lt;/li&gt; 
  &lt;/ol&gt; 
  &lt;li&gt;On the Scope tags page, click &lt;b&gt;Next&lt;/b&gt;.&lt;/li&gt; 
  &lt;li&gt;On the Assignments page, configure the appropriate assignment of the profile based on an Entra device group. Consider using a group based on a Group tag.&lt;/li&gt; 
  &lt;li&gt;On the Review + create page, review the configuration and click &lt;b&gt;Create&lt;/b&gt;.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_3-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/enroll_devices_with_intune_3-f.jpg 1280w" alt="Intune admin center page showing Windows Autopilot deployment profile settings." data-credit="Peter van der Woude" height="377" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 3. Windows Autopilot deployment profiles define OOBE settings and deployment behavior for enrolled devices.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;After these configurations are complete, IT can use Windows Autopilot to deploy corporate-owned devices with a more consistent setup experience and stronger lifecycle control than lighter-touch enrollment methods. Admins should also configure an Enrollment Status Page so required apps and policies apply before the device is handed over for use.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;Editor's note:&lt;/strong&gt; &lt;em&gt;This article was updated in April 2026 to reflect current Microsoft Intune enrollment guidance and improve the reader experience. &lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert as well.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Microsoft Intune provides various Windows enrollment options, with Windows Autopilot being a top choice for corporate devices. Learn how to plan and configure these approaches.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/toolGearArrow_g103332398.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-add-and-enroll-devices-to-Microsoft-Intune</link>
            <pubDate>Wed, 15 Apr 2026 10:59:00 GMT</pubDate>
            <title>How to add and enroll devices to Microsoft Intune</title>
        </item>
        <item>
            <body>&lt;p&gt;Copilot for Microsoft 365 is an AI-driven tool designed to integrate with the Microsoft 365 suite to automate tasks and produce natural language responses. In applications like Word and Excel, it offers real-time support through editing suggestions, content generation and data analysis.&lt;/p&gt; 
&lt;p&gt;Before organizations can use Copilot, IT administrators must prepare data environments and assign licenses. The setup process is straightforward. However, it is important for admins to understand the process and review the associated considerations.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Requirements before enabling Copilot"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Requirements before enabling Copilot&lt;/h2&gt;
 &lt;p&gt;Before setting up Copilot for Microsoft 365, organizations should ensure they meet Microsoft's prerequisites. Copilot is available as an add-on for eligible Microsoft 365 Business and Enterprise plans, including E3 and E5.&lt;/p&gt;
 &lt;p&gt;Microsoft has removed the 300-seat minimum purchase requirement. While Microsoft 365 Business plans remain capped at 300 users, organizations can purchase fewer Copilot licenses. This makes it more accessible to SMBs, while Microsoft Enterprise plans support scaling without user limits.&lt;/p&gt;
 &lt;p&gt;Organizations using Microsoft 365 E3 or E5 should already meet most of the requirements to use Copilot, but it's important to review Microsoft's&amp;nbsp;&lt;a target="_blank" href="https://learn.microsoft.com/en-us/microsoft-365-copilot/microsoft-365-copilot-requirements" rel="noopener"&gt;list&lt;/a&gt;&amp;nbsp;of prerequisites to confirm. These include the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Each user must have a base Microsoft 365 or Office 365 license; it is not limited to E3 or E5.&lt;/li&gt; 
  &lt;li&gt;For Copilot mail and data integration, users must be managed through Microsoft Entra ID.&lt;/li&gt; 
  &lt;li&gt;Microsoft 365 Apps (desktop) must be deployed to enable Copilot in desktop applications.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/prerequisites?utm_source=chatgpt.com" rel="noopener"&gt;Additional licensing might be required&lt;/a&gt; for custom agents or Copilot Studio.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Although Microsoft recommends upgrading devices to Windows 11 to improve the user experience, 365 Copilot is also available on Windows 10. Once organizations confirm they have met the prerequisites, admins can begin installing and configuring Copilot.&lt;/p&gt;
 &lt;h3&gt;Data preparation and governance considerations&lt;/h3&gt;
 &lt;p&gt;There are several important considerations that IT teams must manage before implementing Copilot for Microsoft 365. First and foremost, organizations should address the&amp;nbsp;&lt;a href="https://www.techtarget.com/searchenterpriseai/tip/How-to-manage-generative-AI-security-risks-in-the-enterprise"&gt;security and privacy concerns&lt;/a&gt; associated with using Copilot. It is vital to ensure that users access only the data that they need to do their jobs. IT should implement best practices and tools to prevent data oversharing and restrict access without hindering user productivity. In addition, organizations should ensure that Exchange Online mailboxes and Microsoft 365 Apps use Entra ID-based permissions as needed.&lt;/p&gt;
 &lt;p&gt;Additionally, organizations must clean up their data so Copilot can use it correctly. To ensure a smooth experience for end users, IT should reduce redundant, outdated or trivial data and ensure appropriate access controls. Other best practices include standardizing file names and tagging files with descriptive keywords.&lt;/p&gt;
 &lt;p&gt;Organizations should prioritize strong &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-governance"&gt;data governance&lt;/a&gt; as they prepare for Copilot and ensure that compliance practices remain in place as &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Understanding-the-use-cases-of-Copilot-for-Microsoft-365"&gt;they continue using the tool&lt;/a&gt;. Data preparation can be a long and complex process, so IT should treat it as its own project before starting installation and setup. Creating a plan around data access and management is a crucial first step.&lt;/p&gt;
 &lt;h3&gt;Assigning Copilot for Microsoft 365 licenses&lt;/h3&gt;
 &lt;p&gt;Before assigning licenses, ensure end users meet the required criteria and that Microsoft 365 Apps are updated to a supported version.&lt;/p&gt;
 &lt;p&gt;Organizations should also distinguish among the different Copilot offerings. For example, Microsoft Security Copilot is a separate product focused on threat response, risk management and other security tasks through data analysis. It supports the following capabilities:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Incident response.&lt;/li&gt; 
  &lt;li&gt;Threat hunting and intelligence.&lt;/li&gt; 
  &lt;li&gt;Risk management.&lt;/li&gt; 
  &lt;li&gt;Automation of security workflows.&lt;/li&gt; 
  &lt;li&gt;Integration with Microsoft Defender.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;table class="main-article-table" style="width: 522px;"&gt; 
  &lt;thead&gt; 
   &lt;tr style="height: 55px;"&gt; 
    &lt;td style="width: 89.7656px; height: 55px;"&gt;&lt;strong&gt;Microsoft 365 plan&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 83.5312px; height: 55px;"&gt;&lt;strong&gt;Microsoft 365 Copilot (Productivity)&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 89.75px; height: 55px;"&gt;&lt;strong&gt;Microsoft Security Copilot (Security Operations)&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 97.7344px;"&gt;&lt;strong&gt;User limit (max)&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 145.219px;"&gt;&lt;strong&gt;Base plan cost (per user/month)&lt;/strong&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/thead&gt; 
  &lt;tbody&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 89.7656px; height: 18px;"&gt;&lt;strong&gt;Business Basic&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 83.5312px; height: 18px;"&gt;Add-on required&lt;/td&gt; 
    &lt;td style="width: 89.75px; height: 18px;"&gt;Separate; uses SCUs&lt;/td&gt; 
    &lt;td style="width: 97.7344px;"&gt;300 users&lt;/td&gt; 
    &lt;td style="width: 145.219px;"&gt;$6&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 89.7656px; height: 18px;"&gt;&lt;strong&gt;Business Standard&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 83.5312px; height: 18px;"&gt;Add-on required&lt;/td&gt; 
    &lt;td style="width: 89.75px; height: 18px;"&gt;Separate; uses SCUs&lt;/td&gt; 
    &lt;td style="width: 97.7344px;"&gt;300 users&lt;/td&gt; 
    &lt;td style="width: 145.219px;"&gt;$12.50&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 89.7656px; height: 18px;"&gt;&lt;strong&gt;Business Premium&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 83.5312px; height: 18px;"&gt;Add-on required&lt;/td&gt; 
    &lt;td style="width: 89.75px; height: 18px;"&gt;Separate; uses SCUs&lt;/td&gt; 
    &lt;td style="width: 97.7344px;"&gt;300 users&amp;nbsp;&lt;/td&gt; 
    &lt;td style="width: 145.219px;"&gt;$22&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 89.7656px; height: 18px;"&gt;&lt;strong&gt;Enterprise E3&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 83.5312px; height: 18px;"&gt;Add-on required&lt;/td&gt; 
    &lt;td style="width: 89.75px; height: 18px;"&gt;Separate; uses SCUs&lt;/td&gt; 
    &lt;td style="width: 97.7344px;"&gt;No cap&lt;/td&gt; 
    &lt;td style="width: 145.219px;"&gt;$36&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr style="height: 18px;"&gt; 
    &lt;td style="width: 89.7656px; height: 18px;"&gt;&lt;strong&gt;Enterprise E5&amp;nbsp;&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 83.5312px; height: 18px;"&gt;Add-on required&lt;/td&gt; 
    &lt;td style="width: 89.75px; height: 18px;"&gt;Separate; uses SCUs&lt;/td&gt; 
    &lt;td style="width: 97.7344px;"&gt;No cap&amp;nbsp;&lt;/td&gt; 
    &lt;td style="width: 145.219px;"&gt;$57&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/tbody&gt; 
 &lt;/table&gt;
 &lt;p&gt;&lt;em&gt;Microsoft 365 Copilot uses per-user licensing, while Security Copilot uses a consumption-based model, which introduces different cost and governance considerations.&lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;Once an organization has fulfilled all the necessary prerequisites and has its data in order, the next step is to assign Copilot for Microsoft 365 licenses to users. There are several ways to do this. As with other Microsoft 365 services, admins can assign Copilot licenses using their preferred license assignment approach. Options include PowerShell and the Microsoft 365 admin center. Refer to Microsoft's &lt;a target="_blank" href="https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-setup" rel="noopener"&gt;documentation&lt;/a&gt;&amp;nbsp;for additional details.&lt;/p&gt;
&lt;/section&gt;                  
&lt;section class="section main-article-chapter" data-menu-title="How to enable Copilot for Microsoft 365"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to enable Copilot for Microsoft 365&lt;/h2&gt;
 &lt;p&gt;In the Microsoft 365 admin center, IT can assign the licenses by completing the following steps:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Go to Billing &amp;gt; Licenses.&lt;/li&gt; 
  &lt;li&gt;Select &lt;b&gt;Copilot for Microsoft 365&lt;/b&gt;.&lt;/li&gt; 
  &lt;li&gt;Choose users and select &lt;b&gt;Assign&lt;/b&gt;.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;Changes apply immediately, though Copilot could take up to 24 hours to appear across all apps.&lt;/p&gt;
 &lt;p&gt;Users must have a qualifying base license (e.g., Microsoft 365 Business Standard/Premium, E3 or E5).&lt;/p&gt;
 &lt;p&gt;Ensure devices use the &lt;a href="https://learn.microsoft.com/en-us/microsoft-365-apps/updates/overview-update-channels#current-channel-overview"&gt;Current Channel&lt;/a&gt; for the newest Microsoft 365 apps. Slower channels might delay or limit Copilot availability in some apps.&lt;/p&gt;
 &lt;ol start="4" class="default-list"&gt; 
  &lt;li&gt;To verify service plans for assigned users, go to&amp;nbsp;Users &amp;gt; Active Users and select licensed users.&lt;/li&gt; 
  &lt;li&gt;Open &lt;b&gt;Licenses and Apps&lt;/b&gt;&amp;nbsp;and confirm the &lt;b&gt;Copilot service plan&lt;/b&gt; is enabled.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;Additional services, such as Loop or Viva, can extend Copilot functionality but are not required.&lt;/p&gt;
 &lt;ol start="6" class="default-list"&gt; 
  &lt;li&gt;This step is optional when using alternative assignment methods. Admins can also assign Copilot licenses using the setup wizard or manage licenses under&amp;nbsp;Billing &amp;gt; Licenses.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;h3&gt;Adding Copilot to Microsoft 365 apps&lt;/h3&gt;
 &lt;p&gt;At this point, data access permissions must be enabled and configured. Note that there are no specific permissions for Copilot, as it uses existing user permissions. Verify that each user has the necessary rights to access the desired data. Check the following permissions:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;SharePoint.&lt;/b&gt; Site access and sharing policies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;OneDrive.&lt;/b&gt; File access and sharing settings.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Teams.&lt;/b&gt; Chat access and retention policies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Exchange.&lt;/b&gt; Mailbox access and retention.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;After confirming access, users must sign in with their licensed account. Note that Copilot appears differently across apps, and some might require additional steps.&lt;/p&gt;
 &lt;h3&gt;Excel, Word and PowerPoint&lt;/h3&gt;
 &lt;p&gt;The Copilot ribbon button appears automatically with no additional setup required. Some advanced features require Microsoft Graph Connectors and the Copilot semantic index, which require appropriate licensing and configuration.&lt;/p&gt;
 &lt;h3&gt;Outlook&lt;/h3&gt;
 &lt;p&gt;Copilot is available in Outlook on the web and the new Outlook for Windows, with limited support in classic Outlook. Admins can enable the new Outlook through policy. Features include draft generation, summaries and rewrite.&lt;/p&gt;
 &lt;h3&gt;Teams&lt;/h3&gt;
 &lt;p&gt;Copilot requires the new Teams client. Admins can optionally configure the following settings:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;In the Teams admin center, go to Teams apps &amp;gt; Permission policies and ensure Copilot apps are allowed.&lt;/li&gt; 
  &lt;li&gt;Go to &lt;b&gt;Messaging policies&lt;/b&gt; and enable AI-enhanced chat features.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;Copilot appears in chat, meeting recaps, real-time meeting assistance and message rewriting or summarization.&lt;/p&gt;
 &lt;h3&gt;Loop, Planner and OneNote&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Loop.&lt;/b&gt; No admin toggle is required.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Planner.&lt;/b&gt; Copilot adds project summaries; no toggle needed.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;OneNote.&lt;/b&gt; The Copilot icon appears in the ribbon after licensing.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Microsoft Edge&lt;/h3&gt;
 &lt;p&gt;Copilot is also available in Microsoft Edge. Ensure the latest version of Edge is installed and users are signed in with a licensed account. Features include page summaries, access to work content and writing assistance.&lt;/p&gt;
 &lt;h3&gt;Semantic index for Copilot&lt;/h3&gt;
 &lt;p&gt;Organizations with appropriate Copilot and Microsoft Graph capabilities can enable the semantic index as follows: Go to Microsoft 365 Admin Center &amp;gt; Settings &amp;gt; Search &amp;amp; Intelligence.&lt;/p&gt;
&lt;/section&gt;                            
&lt;section class="section main-article-chapter" data-menu-title="Copilot enablement checklist"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Copilot enablement checklist&lt;/h2&gt;
 &lt;p&gt;To enable Copilot for Microsoft 365, organizations must ensure the following:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Copilot licenses are assigned to users.&lt;/li&gt; 
  &lt;li&gt;Copilot service plans are enabled for assigned users.&lt;/li&gt; 
  &lt;li&gt;Users have access to the required Microsoft 365 apps.&lt;/li&gt; 
  &lt;li&gt;Apps are up to date, and supported Teams and Outlook clients are in use.&lt;/li&gt; 
  &lt;li&gt;Data permissions are properly configured for SharePoint, OneDrive and Exchange.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;After licenses are assigned, Copilot becomes available once users sign in, though availability might vary by app or configuration. To familiarize users with the new tool, Microsoft recommends that IT provide guidance on how Copilot works. Organizations can also establish a Copilot&amp;nbsp;&lt;a href="https://www.techtarget.com/whatis/definition/center-of-excellence-CoE"&gt;center of excellence&lt;/a&gt;&amp;nbsp;to support training, drive adoption and gather feedback.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;This article was originally written by Katie Fenton in December 2023. Gary Olsen updated and expanded this article in early 2026 to reflect how Copilot has evolved from a limited, add-on feature into a more integrated capability across Microsoft 365 apps and services.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Gary Olsen has worked in the IT industry since 1983 and holds a Master of Science in computer-aided manufacturing from Brigham Young University. He was on Microsoft's Windows 2000 beta support team for Active Directory from 1998 to 2000 and has written two books on Active Directory and numerous technical articles for magazines and websites.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Katie Fenton is site editor for Informa TechTarget's SearchEnterpriseDesktop, SearchMobileComputing and SearchVirtualDesktop sites.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Copilot for Microsoft 365 offers AI-powered functionality to users, but there's more to consider before installing it. Data governance and licensing determine the setup process.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ai_a352095729.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-install-and-set-up-Copilot-for-Microsoft-365</link>
            <pubDate>Tue, 14 Apr 2026 13:30:00 GMT</pubDate>
            <title>How to enable Copilot in Microsoft 365: A step-by-step guide</title>
        </item>
        <item>
            <body>&lt;p&gt;I've finally had some time to decompress after an incredibly busy RSAC 2026, especially counting the obligatory cold that comes from spending a week in close proximity to 40,000 people in and around Moscone Center in San Francisco. In all, I had nearly 30 meetings with vendors in areas like endpoint security, email security, device management and more. What struck me is the common thread that ran through all of these: Agentic AI.&lt;/p&gt; 
&lt;p&gt;If you've been to RSAC (or any other independent industry event) before, you probably know there's an unofficial theme each year. A few years ago, it was just "AI," and every vendor was scrambling to incorporate a chatbot into their booth demo. Last year, it was "Agentic," but in a hand-wavy way that didn't really translate to what organizations were doing at the time. This year was agentic again, but with a bit more meat on the bone.&lt;/p&gt; 
&lt;p&gt;Building on the browser, shadow AI and &lt;a href="https://www.techtarget.com/searchenterprisedesktop/opinion/The-promise-and-concern-around-end-user-AI-second-brains"&gt;second brain&lt;/a&gt; blog posts I've written, I went into the event looking for what organizations are doing about AI agents in the hands of end users. I was not disappointed. Here are some of the conversations I found myself having throughout the show.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Nobody can see what their employees are actually using"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Nobody can see what their employees are actually using&lt;/h2&gt;
 &lt;p&gt;If there was one theme that came up again and again, it was visibility. You can't secure what you can't see. Or, to put it another way, organizations don't know what they don't know. Trend AI (formerly Trend Micro) has structured its entire security approach around four pillars, and the first one is visibility. LastPass built a SaaS app discovery capability using their browser extension because customers genuinely didn't know the scope of what employees were accessing. ESET is building AI observability into its &lt;a href="https://www.techtarget.com/searchsecurity/definition/extended-detection-and-response-XDR"&gt;XDR&lt;/a&gt; so administrators get a single view of which AI tools are in use across the environment.&lt;/p&gt;
 &lt;p&gt;The wrinkle is that it's not just ChatGPT or other chatbots anymore. AI is embedded in productivity apps now, and you can't just block those outright. Take, for example, Canva. If your organization allows Canva, you're allowing AI, because &lt;a href="https://www.techtarget.com/searchenterprisedesktop/opinion/Canva-The-business-productivity-app-flying-under-ITs-radar"&gt;Canva has multiple foundation models underneath it&lt;/a&gt; and a growing enterprise data layer that feeds into all of them. The same is true for Microsoft Copilot, Google Workspace with Gemini, Adobe's integrations and dozens of other apps that have quietly added AI capabilities without making a big deal about it. Blocking ChatGPT.com is a 2024 response to a problem that has already moved past it.&lt;/p&gt;
 &lt;p&gt;My own &lt;a target="_blank" href="https://research.esg-global.com/reportaction/515202002/Toc" rel="noopener"&gt;research&lt;/a&gt; backs this up. The last time I polled both IT decision-makers and knowledge workers on AI usage, 72% of IT said they had an AI policy in place, but only 44% of end users said they had seen it. And 53% of end users admitted to using unsanctioned AI tools. The gap between what IT thinks is happening and what's actually happening is real, and it's only going to widen as AI becomes embedded in the tools people already use every day.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Blocking AI just creates more shadow AI"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Blocking AI just creates more shadow AI&lt;/h2&gt;
 &lt;p&gt;When a company blocks access to AI tools and replaces them with an (often inferior) internal tool, people find workarounds -- personal devices, screenshots of spreadsheets uploaded through mobile apps, copying and pasting into tools the network filter doesn't catch, etc. And these are all harder to track than the original problem.&lt;/p&gt;
 &lt;p&gt;I heard the same dynamic described by vendors across the board. Island's framing stuck with me. The company wants IT to be able to "say yes" instead of "say no," putting &lt;a href="https://www.techtarget.com/searchsecurity/tip/Shadow-AI-How-CISOs-can-regain-control-in-2026"&gt;guardrails around AI usage&lt;/a&gt; rather than blocking it outright so the data stays protected without killing productivity. LastPass made a similar argument: Give employees good, sanctioned tools with real security controls, and they'll use them. Don't, and they'll find ways around whatever you built. Just like we learned with BYOD and mobile devices, the block-everything approach doesn't work. It's time to learn to live with them.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Blocking ChatGPT.com is a 2024 response to a problem that has already moved past it.
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;My favorite analogy: Saying you &lt;a href="https://www.techtarget.com/searchenterpriseai/answer/How-bad-is-generative-AI-data-leakage-and-how-can-you-stop-it"&gt;solved the DLP problem&lt;/a&gt; by blocking third-party AI and/or deploying an internal tool is like saying you solved your cockroach problem by flipping on the light. The cockroaches might have scattered, but they're still there. You just can't see them anymore.&lt;/p&gt;
 &lt;p&gt;We're quickly entering a situation where IT (including security teams) is holding back both the business and the end users. I'm not saying IT is bad. I'm saying efforts are better spent learning how to live in this new world than trying to play whack-a-mole.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="End-user agents are here, but nobody knows how to secure them"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;End-user agents are here, but nobody knows how to secure them&lt;/h2&gt;
 &lt;p&gt;Amidst all the "agentic" chatter on the expo hall floor, a few companies stuck out to me that seem to understand the impending agentic knowledge worker revolution. What happens when an end user runs an agent whose every behavior looks just like that of the end user? How do we know if it's the agent or the user? How do we know if the scripts or apps it writes are secure and accurate? Knowing the productivity gains and impact on the business, how can IT allow this, but still implement guardrails and visibility?&lt;/p&gt;
 &lt;p&gt;Trend AI shared a story about a customer whose CEO mandated deploying 200 AI agents. The chief information security officer's response was essentially, "I know how to deal with ransomware. I have no idea how to deal with a situation where an AI agent gets compromised." That captured the state of things perfectly.&lt;/p&gt;
 &lt;p&gt;The solution, at least in part, will hinge on identity and granular controls for &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/autonomous-AI-agents"&gt;autonomous agents&lt;/a&gt;. Password managers like LastPass and 1Password are trying to solve this, but how do you let an autonomous agent use those credentials on your behalf? If there's a human in the loop who can approve access in real time, it's solvable. But fully autonomous, where the agent needs to book a flight or access a SaaS app while you're getting coffee, there's no good answer yet. Nobody in the password management space has solved it, and there are no standards for it.&lt;/p&gt;
 &lt;p&gt;Then there are Model Context Protocol (MCP) servers, another facet of agentic AI that is already at "wild west" status. ESET has been scanning over 60,000 MCP skills and described the security landscape as "an absolute mess." Other vendors are wise to this as well. For example, Palo Alto recently &lt;a target="_blank" href="https://www.prnewswire.com/news-releases/palo-alto-networks-announces-intent-to-acquire-koi-to-secure-the-agentic-endpoint-302689465.html" rel="noopener"&gt;announced&lt;/a&gt; an intent to purchase Koi Security specifically for this purpose.&lt;/p&gt;
 &lt;p&gt;As a final "holy smokes!" moment, I spoke with email security companies and learned that end-user agents are actually defeating API-based, post-delivery email security tools because they can process incoming mail instantly, and before the email security tool can take action. This opens the door for AI-specific exploits, and it could potentially reshape what a complete email security platform should look like. (For example, does this make &lt;a href="https://www.techtarget.com/searchsecurity/feature/Browse-the-best-email-security-gateways-for-your-enterprise"&gt;secure email gateways&lt;/a&gt; more important?)&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Attention is turning back to the endpoint"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Attention is turning back to the endpoint&lt;/h2&gt;
 &lt;p&gt;Another development I want to quantify in research this year is something I kept noticing in the agentic conversations at RSAC: an apparent return of attention to the endpoint. For years, and despite my protests, the importance of the PC has taken a back seat in a world full of browser apps. AI PCs gave it some new life, but the killer use case never really showed up. End-user agents and token economics might be what finally does.&lt;/p&gt;
 &lt;p&gt;Both forces point in the same direction. The agents that hold up under real workloads aren't pure cloud constructs. They mix local data, scripts and small models on the device with frontier inference in the cloud (like second brains), which makes the endpoint a real participant rather than a swappable terminal. And as knowledge workers start consuming tokens at agentic rates, the cloud bill turns into a budget conversation, which makes the idle silicon already sitting on people's desks look a lot more interesting. OpenClaw and Nvidia's NemoClaw are early proof points worth watching, and Nvidia CEO Jensen Huang has been making the same case from the &lt;a href="https://www.techtarget.com/searchnetworking/opinion/Infrastructure-highlights-from-Nvidia-GTC-2026"&gt;supply side at GTC 2026&lt;/a&gt;. There's a lot more to unpack here, so I'll come back to it in its own post soon.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="And so much more"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;And so much more&lt;/h2&gt;
 &lt;p&gt;There were lots of other themes, too. &lt;a href="https://www.techtarget.com/searchsecurity/news/366636759/News-brief-Browser-security-flaws-pose-growing-risk"&gt;Browser security&lt;/a&gt; is all of a sudden on everyone's radar now that CrowdStrike and Zscaler bought Seraphic and SquareX, respectively, while Island is establishing itself as a workspace platform, not just an enterprise browser.&lt;/p&gt;
 &lt;p&gt;Human risk management is increasingly top of mind for email and messaging security companies. KnowBe4, Ironscales, Proofpoint, Abnormal and Mimecast all had something to offer around visibility, awareness and training of end-user behaviors.&lt;/p&gt;
 &lt;p&gt;There's also the overall convergence of endpoint management and security that's &lt;a href="https://www.techtarget.com/searchenterprisedesktop/answer/Is-it-time-to-adopt-autonomous-endpoint-management-software"&gt;driving autonomous endpoint management&lt;/a&gt; and unifying the teams, tools and processes that are tasked with dealing with end users and their many devices, OSes and apps.&lt;/p&gt;
 &lt;p&gt;RSAC 2026 was an amazing show for me. End-user computing and digital workspace have never been this interesting.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Gabe Knuth is the principal analyst covering end-user computing for Omdia.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Omdia is a division of Informa TechTarget. Its analysts have business relationships with technology vendors.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Agentic AI dominated RSAC 2026 as vendors grappled with invisible AI usage, shadow tools, unsecured end‑user agents and a renewed focus on the endpoint.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ai_a205627811.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/opinion/RSAC-2026-End-user-AI-agents-are-here-but-invisible</link>
            <pubDate>Fri, 10 Apr 2026 14:08:00 GMT</pubDate>
            <title>RSAC 2026: End-user AI agents are here, but invisible</title>
        </item>
        <item>
            <body>&lt;p&gt;Some organizations need to pause or block Windows updates to avoid disruptions, and a few built‑in tools let IT control when updates install.&lt;/p&gt; 
&lt;p&gt;Although Microsoft generally encourages customers to install Windows updates as quickly as possible, there are situations in which it might be better to defer updates. While &lt;a href="https://www.techtarget.com/whatis/feature/5-reasons-software-updates-are-important"&gt;updates often include security patches and bug fixes&lt;/a&gt;, they can sometimes introduce new problems to a system that was previously working well. Fortunately, there are a variety of techniques IT administrators can use to prevent the installation of Windows updates.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why might an organization want to stop Windows 10 updates?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why might an organization want to stop Windows 10 updates?&lt;/h2&gt;
 &lt;p&gt;There are several reasons why an organization might want to prevent Windows updates from being installed. One major concern is that updates might introduce compatibility problems for legacy apps or highly customized environments.&lt;/p&gt;
 &lt;p&gt;IT teams choosing to prevent updates might also want to avoid &lt;a href="https://taylorandfrancis.com/knowledge/Engineering_and_technology/Computer_science/Feature_creep/"&gt;feature creep&lt;/a&gt;. For example, an organization that operates public-facing kiosks would likely prefer that Microsoft not introduce any new features that might change how the kiosks behave. Similarly, some organizations have created their own &lt;a target="_blank" href="https://www.cisecurity.org/cis-hardened-images" rel="noopener"&gt;hardened Windows images&lt;/a&gt; that prioritize security above all else. A generic Windows update could undo much of the work that has been done to lock down the Windows image.&lt;/p&gt;
 &lt;p&gt;Concerns about excessive bandwidth consumption are another reason to prevent updates. For example, if a research team were operating in a remote field deployment with limited bandwidth available, the team probably wouldn't want &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Windows-Update"&gt;Windows Update&lt;/a&gt; to deplete the little bandwidth that it has.&lt;/p&gt;
 &lt;p&gt;These are just a few of the many reasons why an organization might need to figure out how to stop Windows 10 updates. Additionally, in some cases, an organization might not want to permanently disable updates, but rather pause those updates until they can be tested.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="4 ways to stop Windows 10 updates"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4 ways to stop Windows 10 updates&lt;/h2&gt;
 &lt;p&gt;There are a few different methods IT can use to disable updates within Windows 10. Not every option is appropriate for every situation, so it's important to consider which method is the best fit for an organization.&lt;/p&gt;
 &lt;h3&gt;1. Use a centralized patch management tool&lt;/h3&gt;
 &lt;p&gt;The first way to prevent updates on Windows 10 desktops is to use a centralized patch management platform to automate the patch deployment process. Automated patch management might seem like the exact opposite of preventing patches from being deployed. However, patch management tools such as Windows Server Update Services (&lt;a href="https://www.techtarget.com/searchwindowsserver/definition/Windows-Server-Update-Services-WSUS"&gt;WSUS&lt;/a&gt;) and Microsoft Intune provide ways to prevent the deployment of updates. Admins can configure WSUS so that only patches that they specifically approve are deployed. Intune doesn't enable IT to block all future patches the way that WSUS does, but it's possible to create a policy that prevents Windows devices from being upgraded past a specific version. IT can also defer feature updates for up to a year.&lt;/p&gt;
 &lt;h3&gt;2. Configure Group Policy settings&lt;/h3&gt;
 &lt;p&gt;IT can also disable Windows 10 updates at the Group Policy level. Open the Group Policy Editor and navigate to Computer Configuration &amp;gt; Administrative Templates &amp;gt; Windows Components &amp;gt; Windows Update. Next, double-click the &lt;b&gt;Configure Automatic Updates&lt;/b&gt; policy. When prompted, enable the policy and configure it to use the second option, &lt;b&gt;2 = Notify before downloading and installing any updates&lt;/b&gt; (Figure 1). Under this setting, Windows Update notifies users when updates are available rather than automatically installing them. The disadvantage of this technique is that it doesn't block users from choosing to install updates.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_1-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_1-f.jpg 1280w" alt="The Configure Automatic Updates window in the Group Policy Editor." data-credit="Brien Posey" height="306" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 1. Some organizations create Group Policy settings to prevent automatic updates.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;3. Disable the Windows Update service&lt;/h3&gt;
 &lt;p&gt;Another way to prevent updates on Windows 10 desktops is to disable the Windows Update service. To do this, enter the &lt;b&gt;Services.msc&lt;/b&gt; command at the Windows Run prompt. This causes Windows to open the Service Control Manager. Scroll through the list of services to find the Windows Update service. Double-click on &lt;b&gt;Windows Update&lt;/b&gt; and set the Startup type to &lt;b&gt;Disabled&lt;/b&gt; (Figure 2). This prevents the Windows Update service from running, thereby preventing all future updates so long as Microsoft doesn't reenable the service.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_2-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_2-f.jpg 1280w" alt="The Windows Update Properties page in the Service Control Manager." data-credit="Brien Posey" height="472" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 2. IT can disable the Windows Update service to prevent updates from being installed.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;4. Set a metered connection&lt;/h3&gt;
 &lt;p&gt;IT can prevent automatic updates by telling Windows that the machine is using a &lt;a href="https://www.techtarget.com/searchnetworking/definition/Internet-metering"&gt;metered connection&lt;/a&gt;. The disadvantage to this approach is that some other applications might try to reduce their data usage, which could cause some unintended side effects. Additionally, Windows might still download certain high‑priority or security‑critical updates even when a connection is marked as metered. While metering significantly reduces automatic update activity, it doesn't guarantee a complete block.&lt;/p&gt;
 &lt;p&gt;To configure Windows to use a metered connection, go to Settings &amp;gt; Network &amp;amp; Internet and click either &lt;b&gt;Ethernet&lt;/b&gt; or &lt;b&gt;Wi-Fi&lt;/b&gt;, depending on how the PC is connected. Next, click on the network name and toggle on the &lt;b&gt;Set as metered connection&lt;/b&gt; option (Figure 3). Repeat this process for all of the machine's network connections.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_3-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_3-f.jpg 1280w" alt="The Settings page for a specific network in Windows 10." data-credit="Brien Posey" height="444" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 3. IT can configure Windows to treat the network as a metered connection.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;Windows does include a setting that enables it to download updates over a metered connection, so IT must also make sure this setting is disabled. Go to Settings &amp;gt; Update &amp;amp; Security, then select &lt;b&gt;Advanced options&lt;/b&gt;. Set the toggle switch under &lt;b&gt;Download updates over metered connections (extra charges may apply)&lt;/b&gt; to &lt;b&gt;Off&lt;/b&gt; (Figure 4).&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_4-f.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_4-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_4-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/prevent_windows10_update_4-f.jpg 1280w" alt="The Automatic updates page in Windows Update." data-credit="Brien Posey" height="446" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 4. Toggle off the option to download updates over a metered connection.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;                
&lt;section class="section main-article-chapter" data-menu-title="Stopping updates in Windows 11"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Stopping updates in Windows 11&lt;/h2&gt;
 &lt;p&gt;An administrator might choose to stop updates in a Windows 11 environment for the same reasons that they might in Windows 10. The same techniques generally work in both environments, although the Windows 11 GUI differs a bit from Windows 10.&lt;/p&gt;
 &lt;p&gt;Keep in mind that, because Windows 10 no longer receives regular security updates, blocking updates on the platform carries significantly higher risk. Organizations that must &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/When-is-Windows-10-end-of-life-How-to-extend-support"&gt;continue using Windows 10&lt;/a&gt; should evaluate Microsoft's Extended Security Updates (ESU) program, which provides paid security patches beyond the end-of-life date. Any strategy that disables or delays updates must account for how ESUs are delivered and ensure that update‑blocking policies don't interfere with their deployment.&lt;/p&gt;
 &lt;p&gt;Microsoft has also been pushing organizations to &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-use-Windows-Update-for-Business-with-Intune"&gt;switch to Windows Update for Business&lt;/a&gt; or other cloud-native platforms since the release of Windows 11. As such, organizations might need to base their strategy for blocking updates on how Windows delivers them.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America. &lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Windows updates can cause compatibility issues, bandwidth strain or unwanted changes. Find out why some organizations stop Windows 10 updates and how they can manage it.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ai_a238006601.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-prevent-updates-on-Windows-desktops</link>
            <pubDate>Tue, 07 Apr 2026 13:14:00 GMT</pubDate>
            <title>How to prevent updates on Windows 10 desktops</title>
        </item>
        <item>
            <body>&lt;p&gt;Maintaining good disk health is one of the most important tasks to keep Windows desktop PCs running at peak performance. Both Windows 11's built-in Disk Cleanup tool and similar third-party utilities can help.&lt;/p&gt; 
&lt;p&gt;Windows requires a disk to store the OS, applications and user data. It also uses disk space for temporary files, caching and virtual memory. Physical drives are usually &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Using-Diskpart-to-create-extend-or-delete-a-disk-partition"&gt;split into partitions&lt;/a&gt; labeled by a letter, with the C: drive typically hosting the OS. External drives and USB flash storage can expand capacity.&lt;/p&gt; 
&lt;p&gt;Proper &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-scan-and-repair-disks-with-Windows-10-Check-Disk"&gt;disk maintenance&lt;/a&gt; keeps systems fast, stable and easy to support. When available disk space runs out, Windows logs system errors and notifies the user. Low free disk space degrades performance, possibly causing apps and Windows itself to crash or fail.&lt;/p&gt; 
&lt;p&gt;While Microsoft now treats Disk Cleanup as a legacy tool and instead directs users toward the native Storage settings, it still exists in Windows 11 and can be helpful in some instances. Regular upkeep and running Disk Cleanup can improve boot time, application loading, file access and operations, and more.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How to use Windows 11 Disk Cleanup"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to use Windows 11 Disk Cleanup&lt;/h2&gt;
 &lt;p&gt;Disk Cleanup is built into Windows 11. It offers most of the same capabilities as similar third-party products, but without any additional cost or installation. To use Disk Cleanup, take the following steps:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;From the Windows search bar, enter &lt;i&gt;Disk Cleanup&lt;/i&gt;. Under the utility that appears, select &lt;b&gt;Run as administrator&lt;/b&gt;. To view, delete or otherwise access system files, administrator access is required.&lt;/li&gt; 
  &lt;li&gt;In the window that appears on the screen, check the boxes of the files you want to remove. Note that the corresponding disk space is shown to the right of each set of files. This will help determine which files will return the most disk space. Selecting the file type will also display a description of the files.&lt;/li&gt; 
  &lt;li&gt;Select &lt;b&gt;Clean up system files&lt;/b&gt; to delete unneeded system log files and others.&lt;/li&gt; 
  &lt;li&gt;Click on the &lt;b&gt;More Options&lt;/b&gt; tab (Figure 1). If this tab does not appear, Disk Cleanup was not started with administrator privileges. In that case, close the dialog box and restart the process using administrator privileges.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_1-h.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_1-h_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_1-h_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_1-h.jpg 1280w" alt="The More Options tab in the Disk Cleanup window, showing options to clean up Programs and Features and System Restore and Shadow Copies." data-credit="Gary Olsen"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 1. Click on the More Options tab to see options to clean up installed applications and system restore points.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;ol start="5" class="default-list"&gt; 
  &lt;li&gt;To delete installed applications, click the &lt;b&gt;Clean up…&lt;/b&gt; button under Programs and Features. To delete all system restore points except the most recent, click the &lt;b&gt;Clean up…&lt;/b&gt; button under System Restore and Shadow Copies. This could result in significant disk space recovery.&lt;/li&gt; 
  &lt;li&gt;Once all the desired files are selected, click &lt;b&gt;OK&lt;/b&gt; to start the removal.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;Many of these files will only return 100 MB of disk space. This is a minuscule amount on a 500 GB disk. System Restore and Shadow Copies, crash dump files, and the Windows.old folder are examples of items that can recover a significant amount of disk space.&lt;/p&gt;
 &lt;p&gt;Before removing items such as temporary internet files, consider how much disk space will be recovered and if the removal will negatively affect UX. Deleting temporary internet files affects the user's internet browser experience, so deleting a few hundred megabytes probably isn't worth it.&lt;/p&gt;
 &lt;h3&gt;Files to target for disk maintenance&lt;/h3&gt;
 &lt;p&gt;Administrators should be familiar with the various file types that consume disk space and how Windows handles them. Consider the most common categories and their cleanup methods:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Unused applications.&lt;/b&gt; Applications might remain on a device despite never being used, leaving folders and files to take up valuable disk space. Admins can remove unused apps using the More Options tab in Disk Cleanup, the Windows Add or Remove Programs utility, or the application's uninstall utility. Be sure to back up user data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Old documents or media.&lt;/b&gt; This might include office files, databases, videos, ISO downloads, training materials, Recycle Bin contents, thumbnail caches and downloaded program files. Typically, these items require manual removal.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Windows Update temporary files.&lt;/b&gt; The system creates these files whenever an OS update takes place, and you can use Disk Cleanup to remove them.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Browser caches and temporary files.&lt;/b&gt; Most internet browsers save temporary files on the local disk so webpages can load more quickly. Each browser maintains its own cache location for these pages. Disk Cleanup removes these files for Internet Explorer only. Caches and temporary files for Microsoft Edge, Chrome, Firefox and other third‑party browsers must be cleared manually through their settings.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Windows crash dump and debug files.&lt;/b&gt; System crashes generate memory dump (.dmp) files. Disk Cleanup can remove them if they're associated with System Error Memory Dump Files or Windows Error Reporting logs. Disk Cleanup can't remove debug-related files, such as .dbg, that are stored in custom locations or generated in development environments like Visual Studio. It does, however, remove any debug-related files produced by system error minidumps.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Checkpoint files.&lt;/b&gt; These files include &lt;a href="https://www.techtarget.com/searchitoperations/tip/A-beginners-guide-to-Hyper-V-checkpoints"&gt;Hyper-V and restore point data&lt;/a&gt;. They are not removed by Disk Cleanup. Instead, use Hyper-V Manager or PowerShell to delete them.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Windows.old.&lt;/b&gt; The OS creates this folder when upgrading from one Windows version to the next (e.g., Windows 10 to Windows 11). It might also appear after a custom installation of Windows without formatting the drive, or when refreshing the PC. This enables rollback to the previous version in case of installation problems or to recover files. This folder typically takes up 10 GB to 30 GB of disk space and can be removed with Disk Cleanup.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Disk Cleanup doesn't remove files that aren't system‑generated or that are stored outside default directories, such as developer-created .dbg files. A PowerShell script can delete these files, and it can be customized to target other types as well.&lt;/p&gt;
 &lt;p&gt;To find all .dbg files larger than 1 MB, for example, use the following PowerShell code:&lt;/p&gt;
 &lt;pre class="language-powershell"&gt;&lt;code&gt;Get-ChildItem -Path C:\ -Filter *.dbg -Recurse -ErrorAction SilentlyContinue |

&amp;nbsp;&amp;nbsp;Where-Object { $_.Length -gt 1MB } |

&amp;nbsp;&amp;nbsp;Select-Object FullName, Length, LastWriteTime&lt;/code&gt;&lt;/pre&gt;
 &lt;p&gt;This script can be scheduled and launched using Task Scheduler.&lt;/p&gt;
&lt;/section&gt;              
&lt;section class="section main-article-chapter" data-menu-title="Additional disk utilities"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Additional disk utilities&lt;/h2&gt;
 &lt;p&gt;Windows 11 provides a few additional tools to assist with disk space management. It can help to use the Storage page or Storage Sense in Windows 11 Settings, as well as the Windows Defragment and Optimize Drives utility.&lt;/p&gt;
 &lt;h3&gt;Storage&lt;/h3&gt;
 &lt;p&gt;The Storage page is a more advanced and easier-to-read utility than Disk Cleanup. It shows all classifications of files -- many more than Disk Cleanup -- including Pictures, Desktop, Mail and OneDrive.&lt;/p&gt;
 &lt;p&gt;To access the Storage page, open &lt;b&gt;Settings&lt;/b&gt; from the Windows Start menu and go to System &amp;gt; Storage (Figure 2). It also shows the total disk space each category uses, along with descriptions of the files.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_2-h.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_2-h_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_2-h_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_2-h.jpg 1280w" alt="The Storage page in Windows 11, listing all the categories of storage taking up disk space." data-credit="Gary Olsen"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 2. Open the Storage page to see the different categories of files on the disk and how much space they consume.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;For a more granular listing of files and the disk space of each, click on a category. If you click on &lt;b&gt;Temporary files&lt;/b&gt; specifically, you can choose temporary files to remove. Click the checkboxes for the files to delete and select &lt;b&gt;Remove files&lt;/b&gt; toward the top of the page.&lt;/p&gt;
 &lt;h3&gt;Windows Defragment and Optimize Drives&lt;/h3&gt;
 &lt;p&gt;When programs run, they must find data that is stored on the disk to perform operations. The closer those blocks of data are to each other, the faster the app can run, as opposed to searching all over the disk to find them. Some of the data can be moved to form contiguous storage in an operation called &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/defragmentation"&gt;defragmenting&lt;/a&gt;. Some items, such as Windows system files and data, cannot be moved.&lt;/p&gt;
 &lt;p&gt;Solid-state drives (SSDs) don't require defragmentation because they have no moving parts and access data at the same speed regardless of location. Windows 11 does run the Optimize Drives utility on SSDs, however, and traditional hard drives do benefit from both defragmenting and optimizing.&lt;/p&gt;
 &lt;p&gt;&lt;a name="_Hlk204787258"&gt;&lt;/a&gt;Windows 11 provides the Windows Defragment and Optimize Drives utility. Type &lt;i&gt;Defrag&lt;/i&gt; into the Windows search bar and select the utility that appears. Once the Optimize Drives window opens, the following information and actions are available:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;Type of drive.&lt;/li&gt; 
  &lt;li&gt;The last time Defrag ran.&lt;/li&gt; 
  &lt;li&gt;Status of optimization.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;In addition, click the &lt;b&gt;Optimize&lt;/b&gt; button for immediate optimization of the selected partition, or the &lt;b&gt;Change settings&lt;/b&gt; button to schedule Defrag to run (Figure 3).&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_3-h.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_3-h_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_3-h_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/disk_cleanup_windows11_3-h.jpg 1280w" alt="The Optimize Drives page in Windows 11, showing the different drives on the PC and their status, along with options to optimize the drives and change settings." data-credit="Gary Olsen"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 3. The Optimize Drives window provides options to optimize drives and change settings for scheduled optimization.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;Storage Sense&lt;/h3&gt;
 &lt;p&gt;Storage Sense automatically frees up space by removing content based on user‑defined rules. It &lt;a target="_blank" href="https://support.microsoft.com/en-us/windows/manage-drive-space-with-storage-sense-654f6ada-7bfc-45e5-966b-e24aded96ad5" rel="noopener"&gt;specifically addresses&lt;/a&gt; the Recycle Bin, the Downloads folder, temporary system files and locally cached cloud content. Navigate to Settings &amp;gt; System &amp;gt; Storage &amp;gt; Storage Sense to enable it and configure it to run on a schedule.&lt;/p&gt;
&lt;/section&gt;                
&lt;section class="section main-article-chapter" data-menu-title="Third-party disk cleaning tools"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Third-party disk cleaning tools&lt;/h2&gt;
 &lt;p&gt;There are some third-party products that can help with disk purging and overall cleaning. Popular options include BleachBit, CCleaner, Glary Utilities and Wise Disk Cleaner.&lt;/p&gt;
 &lt;p&gt;When using any third-party tools, download them from the vendor's official website to minimize the &lt;a href="https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them"&gt;risk of malware&lt;/a&gt;. Additionally, perform a full backup of your system, Windows registry and data prior to running any disk utilities.&lt;/p&gt;
 &lt;p&gt;Managing disk space is critical to providing a positive UX in terms of workstation performance and minimal disruption. Using built-in tools such as Disk Cleanup on a regular basis can help provide a healthy environment for data to be used and programs to execute.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Gary Olsen has worked in the IT industry since 1983 and holds a Master of Science in computer-aided manufacturing from Brigham Young University. He was on Microsoft's Windows 2000 beta support team for Active Directory from 1998 to 2000 and has written two books on Active Directory and numerous technical articles for magazines and websites.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Proper disk maintenance ensures peak performance for Windows PCs. Use built-in tools like Disk Cleanup and Storage Sense to optimize space and stability.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/storage_g1193926746.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-use-Disk-Cleanup-in-Windows-11</link>
            <pubDate>Wed, 01 Apr 2026 16:32:00 GMT</pubDate>
            <title>How to use Disk Cleanup in Windows 11</title>
        </item>
        <item>
            <body>&lt;p data-end="728" data-start="498"&gt;When Intune policies, scripts or Win32 app actions stop applying to a Windows endpoint, IT teams need a fast way to determine whether the problem is with device sync, the Intune Management Extension (IME) or the endpoint itself.&lt;/p&gt; 
&lt;p data-end="728" data-start="498"&gt;The Intune Management Extension is an agent that extends Intune's ability to run tasks such as PowerShell scripts and Win32 app deployments on supported Windows devices. Restarting the IME service is one troubleshooting option, but it is not always the first or best one. In some cases, a device reboot or a manual sync is enough to get a stuck action moving again.&lt;/p&gt; 
&lt;p&gt;The &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Using-the-Intune-management-extension-for-PowerShell-scripts"&gt;Intune Management Extension performs periodic synchronizations with Intune&lt;/a&gt;. During these synchronizations, the extension checks for new policies or policy updates. If policies are not being applied to a managed Windows device or if Intune is unable to &lt;a href="https://www.techtarget.com/searchwindowsserver/feature/How-to-save-and-run-scripts-with-Windows-PowerShell"&gt;run a PowerShell script on such a device&lt;/a&gt;, then IT might need to restart the Intune Management Extension agent service on that endpoint. There are a few different methods to perform this restart.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Force the endpoint to reboot"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Force the endpoint to reboot&lt;/h2&gt;
 &lt;p&gt;One of the easiest options is to simply force a reboot on the endpoint running the Intune Management Extension. When the system reboots, any services on that device should also restart, assuming that those services are configured to run automatically.&lt;/p&gt;
 &lt;p&gt;To force a device restart, log in to the Microsoft Intune admin center and then select the &lt;b&gt;Devices&lt;/b&gt; tab and click &lt;b&gt;All Devices&lt;/b&gt;. This should cause Intune to display a list of the managed devices. Click on the device that needs to reboot and select &lt;b&gt;Restart&lt;/b&gt;. When prompted, click &lt;b&gt;Yes&lt;/b&gt; to confirm the reboot.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Force a sync operation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Force a sync operation&lt;/h2&gt;
 &lt;p&gt;Another troubleshooting step admins can take when IME-related actions are not working correctly is to force the device to sync with Intune. It is worth noting that forcing a device to sync does not trigger a restart of the Intune Management Extension agent service. In some cases, however, forcing a sync will cause a device that had been stuck to begin working again.&lt;/p&gt;
 &lt;p&gt;Forcing a device sync causes the device to check in with Intune immediately instead of waiting for the next scheduled sync time. This can help apply pending MDM-delivered policy changes more quickly, but it does not force an IME check-in for tasks such as Win32 app processing or PowerShell script actions. Forcing a device sync is the Intune equivalent of Active Directory's &lt;span style="font-family: 'courier new', courier, monospace;"&gt;gpupdate /force&lt;/span&gt; command, which causes Group Policy changes to be applied immediately. Therefore, forced sync operations are primarily used for expediting policy changes to a device, but forced syncs can also be &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Troubleshooting-the-most-common-issues-with-Windows-11"&gt;used for troubleshooting purposes&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;To force a device synchronization operation, log in to the Microsoft Intune admin center. Once logged in, click on the &lt;b&gt;Devices&lt;/b&gt; tab and then click on &lt;b&gt;All Devices&lt;/b&gt;. This will cause Intune to display a &lt;a href="https://learn.microsoft.com/en-us/mem/intune/remote-actions/device-inventory" target="_blank" rel="noopener"&gt;list&lt;/a&gt; of all managed devices. Locate and then click on the device that you want to sync. When the device's Overview pane is displayed, click the &lt;b&gt;Sync&lt;/b&gt; button and then confirm the operation by clicking &lt;b&gt;Yes&lt;/b&gt;.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;When should IT restart IME vs. force a sync?&lt;/h3&gt; 
   &lt;p&gt;Use a device restart when the endpoint might have broader service or agent issues. Use a sync when the goal is to force the device to check in with Intune and apply pending policies or actions without rebooting. In many troubleshooting cases, admins try a sync first and then restart IME or the endpoint if the device remains stuck.&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Use the Service Control Manager"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Use the Service Control Manager&lt;/h2&gt;
 &lt;p&gt;Another option for restarting the Intune Management Extension agent service is to use the Windows Service Control Manager. The Service Control Manager is a native tool used for managing all the services that run on the system. IT can access the Service Control Manager by entering the &lt;b&gt;Services.msc&lt;/b&gt; command at the Windows Run prompt.&lt;/p&gt;
 &lt;p&gt;When the administrator opens the Service Control Manager, it initially displays the services that are running on the local device. However, the admin can configure the Service Control Manager to manage the services running on a remote endpoint. To do so, right-click on the &lt;b&gt;Services (Local)&lt;/b&gt; node and then select the &lt;b&gt;Connect to another computer ...&lt;/b&gt; option from the shortcut menu (Figure 1). Then follow the prompts to choose the desired computer.&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/intune_management_extension-h.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/intune_management_extension-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/intune_management_extension-h_half_column_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/intune_management_extension-h.jpg 1280w" alt="A menu of services that run on a Windows desktop." data-credit="Brien Posey" height="205" width="280"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The Service Control Manager menu showing local services to manage via direct input on the desktop.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;Once connected to the computer, locate the Intune Management Extension agent service that needs to be restarted. The service is listed as IntuneManagementExtension. Now, just click on the service, and then select the &lt;b&gt;Restart&lt;/b&gt; command from the list of services.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Use PowerShell via elevated session"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Use PowerShell via elevated session&lt;/h2&gt;
 &lt;p&gt;IT teams can also use &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell"&gt;PowerShell&lt;/a&gt; to restart the Intune Management Extension service, but the exact method depends on whether they are working locally or remotely. Admins will need to be logged in to the machine using an account that has the permissions necessary to manage the remote machine. Additionally, the admin will need to perform this &lt;a href="https://www.techtarget.com/searchitoperations/tip/When-to-use-the-Windows-command-prompt-vs-PowerShell"&gt;action from an elevated PowerShell session&lt;/a&gt;. To launch an elevated session, right-click the PowerShell icon in the Windows Start menu, select &lt;strong&gt;More&lt;/strong&gt;, and then select &lt;strong&gt;Run as administrator&lt;/strong&gt;.&lt;/p&gt;
 &lt;p&gt;In Windows PowerShell, the &lt;span style="font-family: 'courier new', courier, monospace;"&gt;Get-Service&lt;/span&gt; cmdlet can display services on a remote machine by &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-change-a-Windows-device-name-with-Intune"&gt;using the -ComputerName parameter&lt;/a&gt;. For example, to display services on a computer named WK1, type: &lt;span style="font-family: 'courier new', courier, monospace;"&gt;Get-Service -ComputerName WK1&lt;/span&gt;.&lt;/p&gt;
 &lt;p&gt;If the command returns an error, start by verifying network connectivity, permissions and the remote computer name. If you choose to use a PowerShell remoting method such as &lt;span style="font-family: 'courier new', courier, monospace;"&gt;Invoke-Command&lt;/span&gt;, make sure remoting is enabled and that the required management ports are not blocked.&lt;/p&gt;
 &lt;p&gt;Once IT has verified that it can access the service, it can restart IME locally with &lt;span style="font-family: 'courier new', courier, monospace;"&gt;Restart-Service -Name IntuneManagementExtension&lt;/span&gt;. For a remote system, admins can either use a remoting-based command such as &lt;span style="font-family: 'courier new', courier, monospace;"&gt;Invoke-Command&lt;/span&gt; or use another remote management method, because &lt;span style="font-family: 'courier new', courier, monospace;"&gt;Restart-Service&lt;/span&gt; itself does not provide a &lt;span style="font-family: 'courier new', courier, monospace;"&gt;ComputerName&lt;/span&gt; parameter.&lt;/p&gt;
 &lt;p data-end="10005" data-start="9911"&gt;For example, a local restart uses:&lt;/p&gt;
 &lt;pre class="language-powershell"&gt;&lt;code&gt;Restart-Service -Name IntuneManagementExtension&lt;/code&gt;&lt;/pre&gt;
 &lt;p data-end="10171" data-start="10012"&gt;A remote restart using PowerShell remoting can use:&lt;/p&gt;
 &lt;pre class="language-powershell"&gt;&lt;code&gt;Invoke-Command -ComputerName WK1 -ScriptBlock { Restart-Service -Name IntuneManagementExtension }&lt;/code&gt;&lt;/pre&gt;
 &lt;p data-end="10171" data-start="10012"&gt;Restarting the Intune Management Extension is not always the first troubleshooting step, but it can help when policies, scripts or app actions stop applying to a managed Windows endpoint. For IT teams, the key is choosing the right response -- reboot, sync or service restart -- based on what the device is failing to do.&lt;/p&gt;
 &lt;p data-end="10171" data-start="10012"&gt;&lt;strong data-end="12663" data-start="12645"&gt;Editor's note:&lt;/strong&gt; &lt;em&gt;This article was updated to reflect current Intune Management Extension behavior and to clarify local and remote restart options.&lt;/em&gt;&lt;/p&gt;
 &lt;p data-end="10171" data-start="10012"&gt;&lt;em&gt;Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>When Intune policies or scripts stop applying to Windows endpoints, IT teams can restart the Intune Management Extension or use other sync and reboot options.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/wfh_a382773067.jpg</image>
            <link>https://www.techtarget.com/searchenterprisedesktop/tip/How-to-restart-the-Intune-Management-Extension-agent-service</link>
            <pubDate>Tue, 24 Mar 2026 12:19:00 GMT</pubDate>
            <title>How to restart the Intune Management Extension agent service</title>
        </item>
        <title>Search Enterprise Desktop Resources and Information from TechTarget</title>
        <ttl>60</ttl>
        <webMaster>webmaster@techtarget.com</webMaster>
    </channel>
</rss>
