A more complete solution for more customers
Using Windows Intune
Figure 1: Windows Intune administration console
After you sign up for Intune, you can access the Windows Intune management experience by browsing to manage.microsoft.com in your favorite web browser and logging on. Representatives of a single company will be presented with the Intune administration console, which Figure 1 shows. Microsoft also has a separate Intune multi-account console, which Figure 2 shows, aimed at partners who will be managing multiple environments for customers. This multi-account console lets you sort the available environments by various criteria, including name (the default) and health; environments with problems will appear at the top.
Figure 2: Windows Intune multi-account console
Whether you’re a single-company rep or a multi-account partner, you’ll eventually need to manage a single environment—which is where the Windows Intune administration console comes into play. This console is about as simple as such interfaces get, with a navigational panel that’s divided into what Microsoft calls workspaces, a main information panel, and a context-sensitive tasks panel. If you’ve used any Microsoft console, this will be familiar territory. However, Intune also targets small companies without an IT infrastructure, so the console is friendly enough that virtually any semi-technical user should be able to get started quickly.
System Overview. Intune’s workspaces map closely to the product’s capabilities. System Overview provides a quick overall look at the health of the environment, giving you a single place to examine the security status, agent health, and pending updates for each connected PC, as well as any alerts. You can also quickly create computer groups—used to segregate connected PCs into logical groupings for policy purposes—or view a report from this workspace.
PC management. You can view and manage computers from the Computers workspace. You can also create computer groups, copy individual computers or a range of PCs into a group (only one group; this isn’t a hierarchical system but is instead flat), and view other issues related to managed PCs. The primary activity here is PC group management. By default, each PC that downloads and installs the Intune agent is assigned to the Unassigned Computers group; although you can (and often should) assign policies to PCs in this group, even the simplest of environments would benefit from a more granular grouping. In my demonstration environment, I created groups based on geographic location—Boston, San Francisco, and so on—but grouping can be custom tailored to the needs of your environment.
When you look at the PCs within a group, a rich selection of information is available, including each PC’s OS, machine name, group membership, and alert, update, and security status. For machines that need help (e.g., updates that need approval), you can click a link to view the issue(s) and remediate accordingly. For example, you can select multiple new or pending updates and click an Approve toolbar button to apply the change.
You can also view more detailed information about each PC, including malware, alerts, a full hardware profile, and a complete software inventory. Each of these items can also be used as a pivot of sorts. So if, for example, you discover a certain version of Adobe Reader, you can click it in the list to see exactly which other PCs in your environment also have that software version installed.
Software updates. In keeping with its core mission, Windows Intune can be used to view pending service packs, hotfixes, and other updates for your connected PCs, as well as perform related tasks. The Updates workspace provides you with a running total of how many new updates are waiting to be installed in your full environment, giving you the opportunity to approve (or decline) them in bulk or step through them one at a time to verify the need.
The Updates workspace also provides granular controls for determining the types of products for which you’d like to manage updates. You can be Draconian (all categories) or more measured, select updates by classification (service packs, tools, and so on), and create rules for automatically approving certain types of updates (based on the provided categories and classifications).
Client security protection. As part of your Intune subscription, you also gain the right to optionally install a special version of the Forefront Endpoint Protection (FEP) client, called Windows Intune Endpoint Protection, on each connected PC. You can determine whether to install this client in a variety of ways, including installing it only when an acceptable security client isn’t found. Alternatively, you can simply choose to disable whatever solution is on the PC(s) and replace it with Endpoint Protection.