4.2 Advanced Analytics, Remote Help, Cloud PKI, and Tunnel for MAM
Key Takeaways
- Advanced Analytics extends Endpoint analytics with deeper endpoint experience reports, device timeline, device query, multi-device query, and device scopes.
- Remote Help is for secure interactive support with Microsoft Entra authentication, Intune RBAC, and permissions such as view screen, full control, elevation, and unattended where supported.
- Microsoft Cloud PKI issues and manages certificates for Intune-managed devices without requiring on-premises certificate servers, connectors, or hardware.
- Microsoft Tunnel for MAM extends an existing Microsoft Tunnel VPN gateway to unenrolled Android and iOS/iPadOS devices for app-level access to on-premises resources.
- The exam expects you to match the add-on to the use case: analytics for fleet insight, Remote Help for support sessions, Cloud PKI for certificates, and Tunnel for MAM for unmanaged BYOD app access.
Four add-ons, four operating jobs
Intune Suite features are easier to remember when you attach each one to an admin action. Advanced Analytics helps you find and prioritize fleet problems. Remote Help lets support staff assist users through authenticated sessions. Microsoft Cloud PKI provides certificate issuance and lifecycle management from the cloud. Microsoft Tunnel for Mobile Application Management (MAM) gives unmanaged mobile devices app-level access to private resources through Microsoft Tunnel.
What to use when
| Need | Use | Why | Prerequisite or guardrail |
|---|---|---|---|
| Find endpoint experience issues across the fleet | Advanced Analytics | Adds resource performance, battery health, anomaly detection, enhanced device timeline, device query, multi-device query, and device scopes | Devices must meet Endpoint analytics requirements; multi-device query on Windows needs a properties catalog policy to collect the inventory it reads |
| Help a user interactively | Remote Help | Provides view-only, full control, elevation, and supported unattended modes with Entra ID and Intune RBAC | Helpers and sharers need the proper license, role scope, and tenant alignment |
| Issue Wi-Fi, VPN, email, or device identity certificates from Intune | Microsoft Cloud PKI | Creates cloud PKI authorities and supports SCEP certificate profiles for Intune-managed devices | Devices must be enrolled and support SCEP certificate profiles |
| Let unenrolled BYOD phones reach on-premises apps through managed apps | Tunnel for MAM | Extends Microsoft Tunnel to Android and iOS/iPadOS without enrolling the whole device | The Microsoft Tunnel gateway must already be deployed |
Advanced Analytics
Advanced Analytics builds on Endpoint analytics. Use it when leadership asks for trends, not just one device's status. Useful reports include resource performance, battery health, anomaly detection after changes, and the enhanced device timeline; device scopes narrow any of these reports to a subset of devices, such as one region or one hardware model. It also introduces Device query and Device query for multiple devices, which are covered again in the troubleshooting section.
Operationally, put Advanced Analytics into a review cycle. For example, check anomalies after a feature update rollout, use battery health to plan laptop refreshes, and use resource performance by model or manufacturer when procurement asks which hardware is causing support tickets. Device query for multiple devices can retrieve inventory across a fleet, but Windows devices need a properties catalog policy to collect the required inventory.
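The battery-refresh review described above can be scripted against Microsoft Graph rather than read off the portal each cycle. The following is an added example written for this section, not code from Microsoft or the study guide. It assumes the Microsoft.Graph PowerShell SDK, an account consented for `DeviceManagementManagedDevices.Read.All`, a tenant licensed for Advanced Analytics, and that the property names used (`maxCapacityPercentage`, `estimatedRuntimeInMinutes`, `healthStatus`, and so on) match the beta `userExperienceAnalyticsBatteryHealthDevicePerformance` schema; the thresholds are placeholder policy values.

```powershell
# Added example (not from the study guide): pull Advanced Analytics battery
# health per device from Microsoft Graph (beta) and list refresh candidates
# grouped by model, which is the view procurement usually asks for.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in account
# has DeviceManagementManagedDevices.Read.All; the tenant is licensed for
# Advanced Analytics; property names match the beta schema (verify against
# the JSON the first call returns before relying on them in reports).
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

function Get-BatteryRefreshCandidates {
    param(
        [int]$MaxCapacityThreshold = 60,   # percent of design capacity; assumed policy value
        [int]$MinRuntimeMinutes    = 180   # estimated runtime floor; assumed policy value
    )
    $uri  = 'https://graph.microsoft.com/beta/deviceManagement/userExperienceAnalyticsBatteryHealthDevicePerformance'
    $rows = @()
    # Page through @odata.nextLink until the collection is exhausted.
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $rows += $page.value
        $uri   = $page.'@odata.nextLink'
    }
    $rows |
        Where-Object {
            $_.maxCapacityPercentage -lt $MaxCapacityThreshold -or
            $_.estimatedRuntimeInMinutes -lt $MinRuntimeMinutes
        } |
        Select-Object deviceName, manufacturer, model, deviceBatteryCount,
                      maxCapacityPercentage, estimatedRuntimeInMinutes, healthStatus |
        Sort-Object maxCapacityPercentage
}

# Group the candidates by manufacturer and model so the output answers
# "which hardware is causing the tickets" rather than listing devices.
Get-BatteryRefreshCandidates |
    Group-Object manufacturer, model |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
                  @{ n = 'Devices'; e = { ($_.Group.deviceName | Sort-Object) -join ', ' } } |
    Format-Table -AutoSize
```

Run it on a schedule and diff the output between cycles; a model that appears only after a feature update is the same signal the anomaly report surfaces, and the script gives you the device list to act on.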
Remote Help
Remote Help is the Intune-native remote assistance option. Helpers and sharers authenticate with Microsoft Entra ID, and Intune role-based access control determines what a helper can do. Keep roles narrow: level 1 support might get view-only, while a tier 2 role might get full control or elevation.
Remote Help modes matter in exam scenarios:
| Mode | Use case | Exam caution |
|---|---|---|
| View only | Observe the user session without control | Preferred where privacy is a concern |
| Full control | Support staff need to operate the device | Grant only to scoped support roles |
| Elevation | Helper must interact with User Account Control prompts on Windows | Requires the Remote Help elevation permission |
| Unattended | Helper connects to supported Android Enterprise dedicated devices without a user accepting the session | Use sparingly and scope carefully; there is no one at the device to notice or refuse the session |
Remote Help is not a cross-tenant outsourcing shortcut. Helpers, sharers, and devices must belong to the same tenant and fall within the helper's RBAC scope. Conditional Access for helper accounts is a practical control because a compromised helper account can reach every device its role scope covers.
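Narrow roles are easier to keep narrow when they are created from the actual Remote Help resource actions rather than copied from a broad built-in role. The script below is an added example for this section, not code from Microsoft or the study guide. It assumes the Microsoft.Graph PowerShell SDK with `DeviceManagementRBAC.ReadWrite.All` consent, and that the Remote Help resource action identifiers contain the string `RemoteHelp` and distinguish the view-screen action from full control, elevation, and unattended by name; the discovery function prints what it found so you can confirm both assumptions in your tenant before the role is created. The role display name is a placeholder.

```powershell
# Added example (not from the study guide): build a view-only Remote Help
# custom role for tier 1 support. The Remote Help resource actions are
# discovered from the built-in role definitions instead of hard-coded, so the
# script does not depend on remembering the exact action identifiers.
# Assumptions: Microsoft.Graph PowerShell SDK; DeviceManagementRBAC.ReadWrite.All;
# action identifiers contain "RemoteHelp" (inspect the discovery output first).
Import-Module Microsoft.Graph.DeviceManagement.Administration
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All' -NoWelcome

function Get-RemoteHelpResourceActions {
    # Collect every allowed action across built-in roles and keep the Remote Help ones.
    Get-MgDeviceManagementRoleDefinition -All |
        Where-Object IsBuiltIn |
        ForEach-Object { $_.RolePermissions.ResourceActions.AllowedResourceActions } |
        Where-Object { $_ -match 'RemoteHelp' } |
        Sort-Object -Unique
}

function New-RemoteHelpViewOnlyRole {
    param([string]$DisplayName = 'Remote Help - View Only (Tier 1)')  # assumed name
    $all = Get-RemoteHelpResourceActions
    # Keep the view-screen action only; exclude full control, elevation, unattended.
    $allowed = $all | Where-Object { $_ -match 'View' -and $_ -notmatch 'FullControl|Elevation|Unattended' }
    if (-not $allowed) {
        throw "No view-only Remote Help action found; inspect: $($all -join ', ')"
    }
    $body = @{
        displayName     = $DisplayName
        description     = 'Tier 1: observe a Remote Help session only; no control or elevation.'
        isBuiltIn       = $false
        rolePermissions = @(
            @{ resourceActions = @(
                @{ allowedResourceActions = @($allowed); notAllowedResourceActions = @() }
            ) }
        )
    }
    New-MgDeviceManagementRoleDefinition -BodyParameter $body
}

# Show what was discovered, then create the role. Assign it afterwards with a
# role assignment whose members are the tier 1 group and whose scope groups
# contain only the devices that group is allowed to support.
Get-RemoteHelpResourceActions
New-RemoteHelpViewOnlyRole
```

A tier 2 role is the same shape with the full-control and elevation actions added; keep unattended in its own role, assigned to as few people as the dedicated-device use case needs.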
Microsoft Cloud PKI
Cloud PKI is for certificate lifecycle management. It can create cloud-based root and issuing certificate authorities, issue SCEP certificates to Intune-managed platforms, monitor issued certificates, and support revocation. It is most useful when an organization wants certificate-based Wi-Fi, VPN, email, web, or device identity without building new on-premises PKI infrastructure.
Cloud PKI does not remove the need to plan trust. If relying parties must trust certificates, deploy the correct trusted certificate profiles and understand whether you are using a cloud hierarchy or bringing your own CA. In questions, the clue is usually "issue and renew certificates without maintaining on-premises servers."
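The trust planning above has a concrete check on the device side: does a certificate issued by the Cloud PKI issuing CA actually chain to a root the device trusts, and can the device reach the CRL? The following script is an added example for this section, not code from Microsoft or the study guide. It runs on an enrolled Windows device, assumes the issuing CA subject contains the placeholder string `Cloud PKI Issuing CA`, assumes it is run elevated so `LocalMachine\My` is readable, and uses online revocation checking, so a device without a path to the CRL distribution point will report `RevocationStatusUnknown` rather than a clean chain.

```powershell
# Added example (not from the study guide): on an enrolled Windows device,
# verify that certificates issued by the Cloud PKI issuing CA chain to a
# trusted root. A failing chain usually means the trusted certificate profile
# for the root or issuing CA did not land; RevocationStatusUnknown means the
# CRL is unreachable from this device.
# Assumptions: the issuer name fragment is a placeholder; run elevated to read
# LocalMachine\My; the device can reach the CRL distribution point.
function Test-CloudPkiChain {
    param(
        [string]$IssuerPattern = 'Cloud PKI Issuing CA',   # assumed CA name fragment
        [string[]]$StorePaths  = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    $leaves = Get-ChildItem $StorePaths | Where-Object { $_.Issuer -match $IssuerPattern }
    if (-not $leaves) {
        Write-Warning "No certificate issued by '$IssuerPattern' found; check the SCEP profile assignment."
        return
    }
    foreach ($cert in $leaves) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Check revocation for the leaf and issuing CA; the root has no CRL of its own.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
        $ok = $chain.Build($cert)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey            # SCEP should have left a key behind
            ChainLength   = $chain.ChainElements.Count     # leaf + issuing + root = 3 in a two-tier hierarchy
            Root          = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            ChainValid    = $ok
            # Empty when valid; otherwise e.g. UntrustedRoot (trusted cert profile
            # missing) or RevocationStatusUnknown (CRL unreachable).
            Status        = ($chain.ChainStatus.Status | ForEach-Object { $_.ToString() }) -join ', '
            EKU           = ($cert.EnhancedKeyUsageList.FriendlyName) -join ', '
        }
        $chain.Dispose()
    }
}

Test-CloudPkiChain | Format-List
```

The EKU column is worth reading too: a certificate meant for Wi-Fi or VPN needs Client Authentication, and the relying party (the RADIUS server or VPN gateway) must trust the same root the device reports, which is the other half of the trust planning.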
Microsoft Tunnel for MAM
Tunnel for MAM is for unmanaged mobile devices that need secure app access to on-premises resources. It extends the Microsoft Tunnel VPN gateway to Android and iOS/iPadOS devices that are not enrolled with Intune. Users can keep a personal device unenrolled while managed apps use modern authentication, single sign-on, Conditional Access, and per-app tunnel behavior.
Do not confuse Tunnel for MAM with mobile device management enrollment. If IT needs full device inventory, device compliance, and configuration control, enroll the device. If the business need is BYOD access from managed apps without granting IT device control, Tunnel for MAM is the better fit.
Leadership wants reports that identify startup, battery, anomaly, and resource performance trends across managed Windows devices. Which Intune Suite capability should the endpoint admin use?
Which controls are important when planning Microsoft Intune Remote Help? (Select all that apply.)
A company wants users on personal, unenrolled iPhones to access an on-premises line-of-business app through a managed mobile app without giving IT full device control. Which capability fits best?