Microsoft released the initial version of Windows Intune, its cloud-based PC-management service, in March 2011, providing basic Microsoft System Center-like capabilities to a wider audience. As I explained in "Windows Intune Brings PC Management Into the Cloud," the initial release covered the basics (minus one glaring functional hole) and saw adoptions across a range of customer segments. Because Intune is a cloud-based service, Microsoft isn't beholden to the slow, monolithic upgrade strategy that comes with traditional, on-premise servers. So a scant seven months later, in October 2011, the company provided a significant update to Intune. Already, this update, which I call Intune 2, fills that functional hole and significantly increases the value of this service.
As a refresher, Intune is essentially a standalone service that exists outside of whichever internal infrastructure you might have in your environment. For small businesses -- even very small businesses, such as startups -- this independence from a formal infrastructure is a huge benefit. Intune can easily manage disparate, physically isolated PCs as long as they're connected to the Internet.
For larger businesses with an Active Directory (AD) infrastructure, Intune provides basic AD acknowledgement -- it respects and gives precedent to any Group Policies that you've established, for example -- but no true integration. This approach isn't necessarily a negative, however. According to Microsoft, some interesting scenarios have unfolded in these businesses: Machines that are rarely or never connected directly to the local network, such as laptops of frequent travelers or even executives' home machines, can be managed more easily using Intune than using AD. In these situations, treating isolated machines differently often makes sense.
Intune provides a core set of functionality. You can manage individual computers or groups of computers to
- process security fixes and other updates
- ensure that each machine is up-to-date with security software, such as the Microsoft Forefront Endpoint Protection client, which resembles Microsoft Security Essentials and is provided with Intune
- receive alerts when things go awry
- view per-PC software inventories
- oversee (though not enforce) software licensing to ensure that you're in compliance
- create flat policies that are simpler than, but do not fully integrate with, AD Group Policies
- create and view reports
- accomplish other administrative duties
Unlike with System Center, you manage Intune remotely, through a simple web-based interface. Clients are monitored and updated remotely, over the Internet. Intune is provided as a subscription service, so you pay a per-PC monthly fee. (More about licensing costs later.) Note that there are some additional benefits to doing this price scheme, including Windows 7 Enterprise upgrade rights for each managed PC. And for an additional $1 per PC per month, you also gain access to the excellent capabilities in the Microsoft Desktop Optimization Pack (MDOP).
On the flipside, Intune is not as full-featured as System Center, though Microsoft has been vocal about quickly achieving partial parity -- where doing so makes sense -- through a series of updates to the service. Intune 2 is the first major step in that direction.
What's New in Intune 2: Software Distribution
When I examined the initial Intune service in early 2011, I was pretty impressed overall. (You can see my reaction in "Windows Intune Brings PC Management Into the Cloud.") That said, I noted one major missing feature, and I had some concerns about the pricing model. I felt, and still feel, that very small businesses are unlike to pony up the required per-PC monthly fee, no matter how rich the experience. Microsoft has yet to address my pricing concerns -- more on that in a bit -- but did add in that missing feature. And it's a big one: software distribution.
Thanks to Intune 2's new software-distribution functionality, you can now arbitrarily deploy software applications and updates to client PCs that are managed by the service. Think about that for a second. The only client-side requirement is that these PCs be connected to the Internet and have the Intune client agent installed on them. The administrator, from the simple web-based interface, can manage which applications are deployed to which PCs. And then that happens, automatically, over the Internet.
Now, depending on the complexity of the application that you want to deploy, this process might require some work. If you've spent any time deploying software in a managed, AD-based environment, the methodology here is second nature, and the application packages that you create are identical to those that you'd deploy through AD or System Center. But because Intune targets a more diverse customer base, many of whom have never performed that type of deployment, things can get a bit tricky.
Again, it depends on the software. Consider a simple application, such as Adobe Reader. To deploy that type of application, you first log on to the Windows Intune management console at manage.microsoft.com. You then go to the revamped Software interface, which includes areas for Detected Software -- essentially an inventory of the software applications across your managed PCs -- and the new Managed Software area, from which you deploy and manage applications. From the perspective of the management console, there are two steps to deploying software. First, you must upload the software to Intune, and second, you determine to which clients to deploy it.
For the first activity, Intune provides a handy wizard that steps you through the process. You specify the file or files that constitute the application package; provide descriptive information; specify the processor architecture, if required (32-bit, 64-bit, or any); specify which Windows versions are supported (Windows 7, Windows Vista, Windows XP, or any); and then navigate a series of increasingly complex options. Intune supports detection rules, which help you to fine-tune whether to install the software to particular PCs, which command-line arguments to use, and even how to interpret return codes. That last option can help you to troubleshoot failed deployments but is likely be over the heads of inexperienced users.
At this point, the software is uploaded to Intune, as Figure 1 shows. Each Intune account is provided with 2GB of storage on Windows Azure, so each application that you upload (and doing so is a requirement for deployment) eats into this allotment. Each application that you upload appears in the Managed Software area.
Managed Software displays a list of each application that you've uploaded, as Figure 2 shows, as well as a list of all the uploaded software that you've deployed. For an application that you've just uploaded, you can perform several different actions. You can edit the package, by using what is essentially a modified version of the upload wizard that works against the uploaded version of the software. Or you can choose to deploy the package.
To deploy the software, simply select the computer group or groups on which you want to install the software. Optionally, you can select a deadline, such as "as soon as possible," "one week," and so on. (See "Windows Intune Brings PC Management Into the Cloud" for details about the purpose and creation of computer groups in Intune.) You can also view various attributions of your managed software, such as on which computers an application has or hasn't been deployed (as Figure 3 shows).
Of course, things can get complicated pretty quickly. All but the simplest of applications need to be packaged into more easily deployable Windows Installer packages. And you'll need to set the appropriate command-line switches so that these packages can be installed correctly in quiet or silent modes that don't require user interaction. (To be fair, that last step isn't required, and less-sophisticated environments might require users to go through setup routines, if needed.) Microsoft Office is a typical and obvious example of such an application, and one that many environments will want to deploy. And again, for larger environments that have performed such customizations in the past, such packaging will be straightforward and familiar. Smaller, newer businesses will need some help to achieve this level of sophistication.
On the client, deployed applications are installed automatically. First, the download occurs in the background, using compression to minimize traffic, encryption for security, and automatic resume in case of a connection interruption. After a package is successfully downloaded, it is decompressed, unencrypted, and installed according to the schedule that you specified in the Intune management console. This process does not require the user to be logged on interactively, though of course the PC must be up and running. If the setup routine requires user interaction, it will wait for 16 hours before timing out and sending an error code to the console. Otherwise, the routine will simply install silently in the background and be available the next time the user logs on or uses the PC.
Other New Features in Intune 2
Remote tasks. From the management console, admins can now fire off remote scans of managed PCs. This feature is especially useful for malware scans, but you can also remotely trigger a malware scanner update and a PC restart.
Read-only admin access. In a move toward a more delegated administrative future, Intune 2 now supports a read-only view of the web-based management console so that certain employees can simply view information, such as software inventories. This capability stops short of true delegation, and hopefully a future version of Intune will provide actionable access to only certain parts of the management experience. But it's a good first step, and Microsoft tells me that specific scenarios around delegation are being considered for later improvements. Which form those scenarios take is currently uncertain.
Improved reporting. Intune 2 now provides hardware-inventory reporting in addition to the software and licensing reporting in the first version. As you might expect, these reports are highly customizable but can contain machine name; chassis type (laptop or desktop); manufacturer; model; operating system; total, used, and free disk space; physical memory; CPU speed; serial number; user; and the date of the most recent hardware status.
License-management improvements. In the initial version of the Intune service, you could manage Microsoft volume licenses only. Now, you can also manage Microsoft OEM and retail licenses, and third-party licenses. As before, there's no enforcement capability, so this is purely a way to examine your licensing status and manually ensure that you're legally licensed.
Offline PC agent installation. The agent that's deployed to PC clients can now be installed while the PC is offline, though of course you'll need an Internet connection to receive the software initially. Previously, the PC needed to be online during the entire agent-installation process.
There are a few other changes, including some fit-and-finish improvements for the management console and interface changes that relate to the new features. Intune is also now available in more languages and regions. The important bit to understand is that Intune 2 is a full superset of the initial service, so there's no loss in functionality or major changes to existing features. Instead, you just get more by upgrading the service. This is one of the big benefits of subscribing to a cloud service: Not only do you not need to perform an upgrade or migration on servers and PC clients, but features are simply added over time.
Upgrading to Intune 2
Speaking of which, the upgrade process is incredibly simple. On the cloud side, you are upgraded automatically; most existing customers will have received the upgrade by now. (Two weeks before the upgrade, you'll be prompted as to the exact upgrade date.) On the client, the process is even simpler. Although a tiny update to the agent is required, it happens silently, automatically, and without any user interaction.
New users that sign up for the Intune service after October 2011 will automatically receive the new features and functionality. It's that simple.
Licensing and Availability
From a pricing standpoint, nothing has changed since the initial release of Intune. The service costs $11 per PC per month. Included in this cost, as before, is a Windows 7 Enterprise upgrade license, which Microsoft says will help to ensure consistency across managed clients to ease certain management tasks (including software distribution), and perhaps to provide a higher level of baseline functionality.
I still have some concerns about this cost, however. Consider a typical five-person small business or startup, in which the individuals work from home or from physically disparate locations. At $11 per PC per month, this service would cost $55 per month, or $660 per year. And while the availability of the best version of Windows 7 and some heady management capabilities are enticing, it's more likely that most businesses of this size would simply forego the service entirely. It's just too expensive.
For this reason, I'd like to see a less-expensive version of Intune, aimed at truly small businesses. Such a version would not include the Windows 7 Enterprise upgrade rights and would be less expensive as a result -- perhaps something in the $5 per PC per month range. It's difficult to determine the magic price point, which might even vary from business to business, but it would be less than $11.
Furthermore, there should be some form of integration between Intune and the other Microsoft tier-1 cloud service, Microsoft. This integration doesn't need to be technical; a simple licensing integration would be fine. The idea is to provide a significant cost savings, per PC per month, for each business that elects to subscribe to both services. Currently, both Office 365 and Intune are simply out of reach for the smallest of businesses, most of which operate on a shoestring budget.
Windows Intune is a tremendously useful service that has gotten even better in its second incarnation, thanks in large part to the addition of software-distribution capabilities. Intune provides a look at the future of Microsoft, in which the software giant moves beyond its traditional offerings to a more complete lineup that includes pervasive cloud services. Although people often point to email and calendaring as the low-hanging fruit of the cloud-services world, I think that PC management is an even more ideal candidate because many businesses simply eschew the complexity and cost of on-premises solutions altogether. That said, Intune is simply too expensive for very small businesses, and this barrier to entry might ultimately prove to be the service's Achilles Heel in that market.