A more complete solution for more customers
In the Endpoint Protection workspace, Intune lets you quickly view and act on any security-related issues. In my testing period, I didn’t come across anything notable here, but I discovered that malware and dubious PCs are called out separately when needed. Intune maintains a list of the most recent malware instances, including whether or not they’ve been resolved.
Alerts and remote assistance. Windows Intune is configured to trigger alerts in response to specific events that compromise the overall health of your environment or in response to user requests for remote assistance. In the main Alerts workspace view, unresolved alerts are listed according to severity, with warnings at the top and informational alerts at the bottom. Alerts are also divided into two types: those that actively require a response and those that don’t.
Out of the box, Intune is configured with almost 400 different alerts, most of which are disabled by default, and a set of basic notification rules. You can configure who is notified of alerts (recipients), why (the rules), and how (only via email, currently). A basic notification rule, such as All Critical Alerts, will trigger whenever a critical alert occurs and will fire off to whichever users (i.e., email addresses) you configured. You can’t currently edit the default rules, other than to specify who gets the email.
The Alerts workspace also provides a few related bits of functionality. You can specify a list of Intune administrators (unrelated to actual administrators in your environment) by providing an email address for each one. (Note that the email address for each Intune administrator should also be associated with a Windows Live ID.) Granting this access allows a user to log on to the Intune management site and manage computers. It also places that user in the list of potential alert recipients.
The Alerts workspace provides a manual link for downloading the Windows Intune client agent and its associated certificate. The agent runs on any 32-bit or 64-bit version of Windows XP Professional (SP2 or SP3), Windows Vista (Business, Enterprise, or Ultimate), or Windows 7 (Professional, Enterprise, or Ultimate).
Finally, Alerts provides an interface through which administrators can respond to user requests for remote assistance. Users trigger these requests via the Windows Intune Center software that’s installed along with the agent; for administrators, the alert will appear in both the System Overview and Alerts workspaces in the administration console. (The Intune Center, which Figure 3 shows, also includes front ends for both Windows Update and the Windows Intune Endpoint Protection client.)
Figure 3: Windows Intune Center
Software inventory. Intune’s software inventory functionality leverages technology from MDOP’s Asset Inventory Service (AIS), providing you with an interesting view of the software inventory in your environment. You can sort by installation count (to find out which software is most popular on your connected PCs) or by name, publisher, or category. You can also deep-dive into a particular application and find out exactly which computers it’s installed on, along with its version and whether it’s installed as part of a Microsoft Application Virtualization (App-V) package.
Microsoft is apparently actively editing the categories list for the software inventory, so this is an area that will improve over time. That said, it’s already pretty well stocked with information about all the top third-party software you’d typically find on business-class PCs, giving you a good starting point for evaluating what’s out there.
License management. In the Licenses workspace, administrators who represent larger environments with Microsoft volume licensing agreements (e.g., Windows, Office) can upload agreements and ensure that they’re in compliance. There’s no licensing enforcement here at all, just a list of what you have and what you’re using.
Intune policies. The Policy workspace is arguably the heart of Windows Intune at the moment. Although System Center and Group Policy veterans will find this interface somewhat cute, those who’ve never had such control over their environments might see it as an epiphany. From this simple UI, you can configure Intune policies that, again, are standalone policies that exist only for Intune-managed computers and outside of Group Policy (if you’re using Group Policy in your own environment).
In that sense, Intune in general might seem like a better solution for smaller, less centrally managed environments. And although I do believe this to be the case, I find one of Microsoft’s observations about Intune usage in larger environments to be compelling as well: As your employee base expands outward, with many employees working from home or on the road, and many never actually connecting to the corporate network, there’s a new need for protecting these edge cases. (Some companies are even deploying Intune for executives’ home machines.) Even in its first version, Intune provides an effective solution in this regard and can work alongside larger, more powerful in-house (on-premises) PC-management solutions.
Intune policies can also work with Group Policies. Microsoft doesn’t recommend this, but the general rule is that Group Policies take precedence over Intune policies. Note, too, that Intune policies are far simpler than Group Policies, because Intune policies can be applied only at a single level: to computer groups. So there’s no need (for now, at least) to worry about multiple policies contradicting each other. Policy management might get more complex in the future, as Intune matures, although Microsoft says the program has been architected to avoid this problem.
Although the policies themselves are simple enough, each policy will have a pretty extensive list of settings you control, as well as three basic templates to choose from on first creation. These templates, which include Windows Intune Agent Settings, Windows Intune Center Settings, and Windows Firewall Settings, essentially determine which entity will be affected by the settings changes contained in the policy. Templates related to the agent have dozens of settings related to Endpoint Protection and software updating, whereas those related to Windows Firewall are, as you’d expect, firewall related, with a host of possible exceptions to enable.
After you create a policy, you can manage policy deployment, which is determined on a computer group–by–computer group basis. It’s a simple check-box affair.
Reporting. Windows Intune also features rich reporting functionality based around the product’s various features. You can easily generate reports for updates, installed software, and licensing. Reports can be generated on the fly, then printed directly from the console or exported as an HTML or CSV file.
You can also generate reports in other parts of the administration console. For example, if you’re viewing a list of alerts in the Alerts workspace or looking at the Definition Updates list in Updates, there’s always a handy Export List button available.
Administration. From the Administration workspace, you can configure settings related to the administrator accounts, set category and rules classifications, configure alert types and notification rules, and manually download the client software.