A more complete solution for more customers
The fact that Microsoft is in the midst of a dramatic retooling of its product offerings should come as no surprise: The company is moving rapidly to establish itself as a dominant provider of cloud services in addition to its more traditionally delivered client and server solutions. Today, the company offers both hosted services—cloud-based versions of its most popular server products, such as Exchange Server and SharePoint Server—and entirely new cloud-hosted platforms, such as Windows Azure and SQL Azure, among other offerings.
Microsoft has long championed a unique opportunity for customers that its competitors simply can’t match. In addition to the sheer volume of its disparate offerings, Microsoft also offers customers a range of choices that span both traditional, on-premises offerings and hosted cloud services, but also a hybrid deployment model in which both on-premises and hosted offerings can be mixed and matched within a corporate environment. Companies such as Amazon and Google, whose product offerings exist almost solely in the cloud, simply have no answer to this need.
As Microsoft’s cloud-based offerings have matured and expanded, the company has begun moving into some interesting new product areas. This year, it will replace its Business Productivity Online Standard Suite (BPOS) and other related products with a more cohesive (and more easily licensed) Office 365 service, pushing its dominant Office family of products firmly into the cloud as well. And with Windows Intune, Microsoft has begun the enormous task of bringing its mature PC management capabilities, available today in its on-premises System Center offerings, to the cloud as well.
Over time, Microsoft seeks to bring all the functionality of the System Center servers to the cloud, minus the complexity where possible. And that’s perhaps the most intriguing general idea behind Intune: This isn’t just a hosted port of Microsoft System Center Configuration Manager (SCCM); in fact, in its current state, it’s nowhere near as powerful. Instead, it’s a brand new product, optimized for specific scenarios, and delivered along with a clear plan for the future.
Indeed, the level of transparency we’re seeing from the Windows Intune team is notable and in sharp contrast to the veil of silence that comes out of other Microsoft product groups, including those for Windows Phone and Windows Client. Microsoft understands that this is a quickly evolving market, and the company intends to deliver a number of interesting new features over the next few years, closing the gap with System Center and making Intune, over time, a more complete solution for more customers.
We’ll get to that in a bit. But first, let’s discuss what Windows Intune brings to the table today, and what size businesses will benefit most from its initial feature set.
Windows Intune is a cloud-based PC management solution that Microsoft targets at businesses of all sizes. It consists of a simple web-based management console interface, a client install (or agent), and a bundled client security solution based on Microsoft Forefront and a Windows 7 Enterprise upgrade subscription for each managed PC. For a small additional per-PC cost, you can also add a Microsoft Desktop Optimization Pack (MDOP) subscription, which provides access to a rich set of somewhat related PC management, virtualization, and troubleshooting tools.
Unlike Microsoft’s on-premises System Center offerings, Windows Intune isn’t based on, nor does it require, Active Directory (AD). In fact, it doesn’t require (or support) any on-premises server infrastructure at all. Instead, as a cloud-based service, Intune exists entirely on Microsoft’s data centers, and your only access comes via the web.
There are, of course, some integration bits that will aid deployment and, over time, PC management as well. You can deploy the Windows Intune agent to the PCs in your environment using an existing electronic software distribution (ESD) system, including those made by Microsoft or any third party. And although Intune doesn’t integrate with AD per se, it is at least AD-aware. That is, the Intune policies that I discuss later will always respect any existing AD Group Policies, in that Group Policies take precedence over all Intune policies.
In its first-version guise, Intune offers a number of key features, including the ability to manage PCs regardless of their physical location or connectivity to the corporate network, centralized health monitoring of connected PCs, the ability to manage which updates are (and aren’t) installed on connected PCs in a granular fashion, a bundled Endpoint Protection client that’s based on Forefront technology, highly configurable alerts with remote assistance mediation capabilities, client software inventorying, client software license management, simple client policy management, and excellent reporting functionality. In the next few sections, I step through each of these capabilities and discuss how the simple web-based management interface works.
After you sign up for Intune, you can access the Windows Intune management experience by browsing to manage.microsoft.com in your favorite web browser and logging on. Representatives of a single company will be presented with the Intune administration console, which Figure 1 shows. Microsoft also has a separate Intune multi-account console, which Figure 2 shows, aimed at partners who will be managing multiple environments for customers. This multi-account console lets you sort the available environments by various criteria, including name (the default) and health; environments with problems will appear at the top.
Whether you’re a single-company rep or a multi-account partner, you’ll eventually need to manage a single environment—which is where the Windows Intune administration console comes into play. This console is about as simple as such interfaces get, with a navigational panel that’s divided into what Microsoft calls workspaces, a main information panel, and a context-sensitive tasks panel. If you’ve used any Microsoft console, this will be familiar territory. However, Intune also targets small companies without an IT infrastructure, so the console is friendly enough that virtually any semi-technical user should be able to get started quickly.
System Overview. Intune’s workspaces map closely to the product’s capabilities. System Overview provides a quick overall look at the health of the environment, giving you a single place to examine the security status, agent health, and pending updates for each connected PC, as well as any alerts. You can also quickly create computer groups—used to segregate connected PCs into logical groupings for policy purposes—or view a report from this workspace.
PC management. You can view and manage computers from the Computers workspace. You can also create computer groups, copy individual computers or a range of PCs into a group (only one group; this isn’t a hierarchical system but is instead flat), and view other issues related to managed PCs. The primary activity here is PC group management. By default, each PC that downloads and installs the Intune agent is assigned to the Unassigned Computers group; although you can (and often should) assign policies to PCs in this group, even the simplest of environments would benefit from a more granular grouping. In my demonstration environment, I created groups based on geographic location—Boston, San Francisco, and so on—but grouping can be custom tailored to the needs of your environment.
Looking at the PCs within a group, a rich selection of information is available, including each PC’s OS, machine name, group membership, and alert, update, and security status. For machines that need help (e.g., updates that need approval), you can click a link to view the issue(s) and mediate accordingly. For example, you can select multiple new or pending updates and click an Approve toolbar button to apply the change.
You can also view more detailed information about each PC, including malware, alerts, a full hardware profile, and a complete software inventory. Each of these items can also be used as a pivot of sorts. So if, for example, you discover a certain version of Adobe Reader, you can click it in the list to see exactly which other PCs in your environment also have that software version installed.
Software updates. In keeping with its core mission, Windows Intune can be used to view pending service packs, hotfixes, and other updates for your connected PCs, as well as perform related tasks. The Updates workspace provides you with a running total of how many new updates are waiting to be installed in your full environment, giving you the opportunity to approve (or decline) them in bulk or step through them one at a time to verify the need.
The Updates workspace also provides granular controls for determining the types of products for which you’d like to manage updates. You can be Draconian (all categories) or more measured, select updates by classification (service packs, tools, and so on), and create rules for automatically approving certain types of updates (based on the provided categories and classifications).
Client security protection. As part of your Intune subscription, you also gain the right to optionally install a special version of the Forefront Endpoint Protection (FEP) client, called Windows Intune Endpoint Protection, on each connected PC. There are a variety of ways in which you can determine whether to install this client, however, including the ability to install only when an acceptable security client isn’t found. Alternatively, you can simply choose to disable whatever solution is on the PC(s) and replace it with Endpoint Protection.
In the Endpoint Protection workspace, Intune lets you quickly view and act on any security-related issues. In my testing period, I didn’t come across anything notable here, but I discovered that malware and dubious PCs are called out separately when needed. Intune maintains a list of the most recent malware instances, including whether or not they’ve been resolved.
Alerts and remote assistance. Windows Intune is configured to trigger alerts in response to specific events that compromise the overall health of your environment or in response to user requests for remote assistance. In the main Alerts workspace view, unresolved alerts are listed according to severity, with warnings at the top and informational alerts at the bottom. Alerts are also divided into two types: those that actively require a response and those that don’t.
Out of the box, Intune is configured with almost 400 different alerts, most of which are disabled by default, and a set of basic notification rules. You can configure who is notified of alerts (recipients), why (the rules), and how (only via email, currently). A basic notification rule, such as All Critical Alerts, will trigger whenever a critical alert occurs and will fire off to whichever users (i.e., email addresses) you configured. You can’t currently edit the default rules, other than to specify who gets the email.
The Alerts workspace also provides a few related bits of functionality. You can specify a list of Intune administrators (unrelated to actual administrators in your environment) by providing an email address for each one. (Note that the email address for each Intune administrator should also be associated with a Windows Live ID.) Granting this access allows a user to log on to the Intune management site (assuming the email address is also a Windows Live ID) and manage computers. It also places that user in the list of potential alert recipients.
The Alerts workspace provides a manual link for downloading the Windows Intune client agent and its associated certificate. It runs on any 32-bit or 64-bit version of Windows XP Professional (SP2 or SP3), Windows Vista (Business, Enterprise, or Ultimate), or Windows 7 (Professional, Enterprise, or Ultimate).
Finally, Alerts provides an interface through which administrators can respond to user requests for remote assistance. Users trigger these requests via the Windows Intune Center software that’s installed along with the agent; for administrators, the alert will appear in both the System Overview and Alerts workspaces in the administration console. (The Intune Center, which Figure 3 shows, also includes front ends for both Windows Update and the Windows Intune Endpoint Protection client.)
Software inventory. Intune’s software inventory functionality leverages technology from MDOP’s Asset Inventory Service (AIS), providing you with an interesting view of the software inventory in your environment. You can sort via installation count (to find out which software is most popular on your connected PCs) or by name, publisher, or category. You can also deep-dive into a particular application and find out exactly which computers it’s installed on, along with its version and whether it’s installed as part of a virtual Microsoft Application Virtualization (App-V) application package.
Microsoft is apparently actively editing the categories list for the software inventory, so this is an area that will improve over time. That said, it’s already pretty well stocked with information about all the top third-party software you’d typically find on business-class PCs, giving you a good starting point for evaluating what’s out there.
License management. In the Licenses workspace, administrators who represent larger environments with Microsoft volume licensing agreements (e.g., Windows, Office) can upload agreements and ensure that they’re in compliance. There’s no licensing enforcement here at all, just a list of what you have and what you’re using.
Intune policies. The Policy workspace is arguably the heart of Windows Intune at the moment. Although System Center and Group Policy veterans will find this interface somewhat cute, those who’ve never had such control over their environments might see it as an epiphany. From this simple UI, you can configure Intune policies that, again, are standalone policies that exist only for Intune-managed computers and outside of Group Policy (if you’re using Group Policy in your own environment).
In that sense, Intune in general might seem like a better solution for smaller, less centrally managed environments. And although I do believe this to be the case, I find one of Microsoft’s observations about Intune usage in larger environments to be compelling as well: As your employee base expands outward, with many employees working from home or on the road, and many never actually connecting to the corporate network, there’s a new need for protecting these edge cases. (Some companies are even deploying Intune for executives’ home machines.) Even in its first version, Intune provides an effective solution in this regard and can work alongside larger, more powerful in-house (on-premises) PC-management solutions.
Intune policies can also work with Group Policies. Microsoft doesn’t recommend this, but the general rule is that Group Policies take precedence over Intune policies. Note, too, that Intune policies are far simpler than Group Policies, because Intune policies can be applied only at a single level: to computer groups. So there’s no need (for now, at least) to worry about multiple policies contradicting each other. Policy management might get more complex in the future, as Intune matures, although Microsoft says the program has been architected to avoid this problem.
Although the policies themselves are simple enough, each policy will have a pretty extensive list of settings you control, as well as three basic templates to choose from on first creation. These templates, which include Windows Intune Agent Settings, Windows Intune Center Settings, and Windows Firewall Settings, essentially determine which entity will be affected by the settings changes contained in the policy. Templates related to the agent have dozens of settings related to Endpoint Protection and software updating, whereas those related to Windows Firewall are, as you’d expect, firewall related, with a host of possible exceptions to enable.
After you create a policy, you can manage policy deployment, which is determined on a computer group–by–computer group basis. It’s a simple check-box affair.
Reporting. Windows Intune also features rich reporting functionality based around the product’s various features. You can easily generate reports for updates, installed software, and licensing. Reports can be generated on the fly, then printed directly from the console or exported as an HTML or CSV file.
You can also generate reports in other parts of the administration console. For example, if you’re viewing a list of alerts in the Alerts workspace or looking at the Definition Updates list in Updates, there’s always a handy Export List button available.
Administration. From the Administration workspace, you can configure settings related to the administrator accounts, set category and rules classifications, configure alert types and notification rules, and manually download the client software.
I installed the Windows Intune agent and associated software manually on my own client PCs, replacing the previous security solution (Microsoft Security Essentials—MSE) with Intune Endpoint Protection. (In prerelease form, Intune provided separate 32-bit and 64-bit clients, but the final version includes only one client download.) Generally speaking, using Intune Endpoint Protection doesn’t affect the performance or day-to-day use of the PCs in any meaningful way. In addition, Intune Endpoint Protection looks and works much like MSE.
Intune Endpoint Protection, like FEP 2011 and MSE 2, uses heuristic-based methods to examine suspect software for new malware. And because the back end is a shared infrastructure with those other products and with System Center, customers receive the shared benefits of a large number of users, with their feedback improving accuracy across all products. I use MSE 2 on all my standalone PCs, and I recommend it highly.
Windows Intune Center, as I mentioned previously, provides a handy front end to Windows Update, Endpoint Protection, and of course the remote assistance functionality, through a feature called Microsoft Easy Assist. The benefit here is that this software works wherever you have an Internet connection; your clients don’t have to be on a corporate network to get help—and indeed, many Intune end users won’t ever be directly connected to your business.
Windows Intune isn’t necessarily cheap: It costs $11 per PC per month. But this price also includes a licensed copy of Windows 7 Enterprise for each PC, which Microsoft says can help you maintain a bit of consistency across your environment. That’s a good deal if you need it, but I’d rather see a lower price option that foregoes this client license. On the good news front, those with volume license agreements will get credit for their preexisting purchases and could thus see lower bills. (And let’s give Microsoft credit for licensing simplicity here, which isn’t typically the company’s strong point.)
For an additional $1 per PC per month, Intune customers can also access the full MDOP suite. If you’re already paying for Intune, that’s a tremendous value: MDOP includes many excellent tools and utilities, such as App-V and Microsoft Enterprise Desktop Virtualization (MED-V), Microsoft Advanced Group Policy Management (AGPM), System Center Desktop Error Monitoring (DEM), Microsoft Diagnostics and Recovery Toolset (DaRT), and AIS. That said, MDOP is currently a better deal for larger companies.
These per-PC per-month pricing schemes are very common to cloud services, and like any subscriptions you pay for at home, these relatively small monthly charges can add up. For example, paying for both Intune and Office 365 could strain the resources of a typical small business. Perhaps Microsoft will eventually adopt a model in which customers who subscribe to both products get a discount as well.
For now, Microsoft is preaching total cost of ownership (TCO) for these services. And in the case of Intune, the company claims that customers are saving an average of over $700 per year per PC with Intune, $520 of that from IT labor reduction and related savings. (And that’s on top of the $150 to $1,400 the company’s customers save per PC per year by migrating to Windows 7, depending on the starting infrastructure.)
Although Windows Intune will likely see its biggest successes in the high end of the small business market, as well as the midmarket—that is, organizations with roughly 50 to 1,000 PCs—this is a solution that’s going to see a wide range of adoptions. The lack of true AD integration will be viewed by some as a negative, but I think this form of ad-hoc management is the future for the lower end of the market and something I’d caution Microsoft about “fixing” too quickly. In this age of consumerization in IT, more and more users are bringing their own PCs and devices to work, or at least using their own machines to perform work. And Intune is ideally suited for such scenarios.
For those with any form of corporate infrastructure, however, you’ll have to undergo a process of duplicating, as much as possible, your infrastructure within Intune—and doing so gets increasingly tedious as the size of the business in question grows. But as Microsoft noted to me in a recent briefing, even the largest enterprises could benefit from using Intune on the side, as it were, to protect those machines that will never connect to the corporate network—a scenario that’s becoming more and more common.
Microsoft provides a 30-day trial of Windows Intune, which you can use with up to 25 client PCs: All you need is a Windows Live ID and a collection of PCs on which to test the agent. Intune evaluation is simple and painless, and I strongly recommend it.
Looking ahead, Microsoft plans to update Intune on a regular basis and is already talking, somewhat generally, about plans for future releases. The company expects Intune to match the current level of System Center management functionality within 2 to 3 years, for example, and will more specifically be improving the product to include software deployment in a coming release.
Microsoft's plans for Windows Intune are all very exciting. But even in its first version, Intune is a great example of what’s possible with cloud services, and the product provides a great solution for companies that fall within its sweet spot.