Microsoft's latest entry into the cloud applications arena is still in beta, but the company's enrollment numbers indicate a good bit of interest in Intune. According to the session of Microsoft program manager Marc Shepard at TechEd North America, the beta that was launched in April 2010 was initially limited to 1,000 accounts or 30 days, whichever came first. Shepard said that 1,500 people signed up in 30 hours. Microsoft reopened the beta in mid-July, and it is available now. First offered only in North America, Microsoft's European Union site is now open as well.
Windows Intune looks like a simplified version of Microsoft System Center Configuration Manager (SCCM) but is sold as an online service. It is a management and inventory service that runs in the cloud. In fact, Microsoft has positioned a number of its standard on-premise apps to have an online counterpart, as shown in Figure 1. Windows Intune is the online version of Microsoft System Center.
There is a good bit of information as well as a link to sign up for the beta on the Intune home page, but I found that the overview and other docs were not intuitive for the uninformed. That said, Intune was very easy to install, and after watching Shepard's TechEd presentation, it was very easy to configure. Within five minutes, I was able to install the program and configure two clients. As a cloud computing offering, Intune allows remote management of Windows computers as long as they are connected to the Internet. These managed machines can include the following operating systems:
- Windows 7
- Windows XP
- Professional (SP2 minimum, SP3 recommended)
Intune includes rights to upgrade to the latest version of Windows. So if you are planning an upgrade to Windows 7, this would be a good benefit. Note, however, that there is no capability for OS deployment or software distribution as with SCCM.
Last winter, Microsoft entered the cloud market with Windows Azure. The company is expanding its cloud portfolio by adding data centers to host the Azure services and offering Intune to provide systems management capabilities. Microsoft claims that it can host 10,000 computers per Intune account, though the limit in the beta is 25. Keep in mind that this is still the beta, so this may improve.
So what exactly does Intune do? While it does not provide all the features of SCCM, it does provide the following functions:
- Installation of agents on managed clients
- Software for malware protection
- Windows Update management
- Remote assistance
- Asset management
- Inventory hardware
- Inventory software (license management)
- Customizable security policies
- Status monitoring of system events in the console.
As the first bullet implies, there is an agent on all managed machines. The nice thing about this is that Intune uses proven agents, not new software. For instance, update management uses the existing Windows Update agent, Desktop monitoring uses the System Center Operations Management agent, and the Malware Protection agent is the same agent used by ForeFront Endpoint Protection. In addition, the EZ Assist agent is used for remote assistance.
Let's take a peek at the operation of Intune.
To sign up for Intune, you have to agree to install it within a week and deploy it on at least five clients. These are pretty minimal requirements, especially if you are just taking it for a test drive like I did. You'll need to identify a machine to act as your administrative console with a browser that supports Silverlight 3.0.
Figure 2 shows the Intune console. Its layout looks similar to other Micosoft Management Consoles (MMCs), with three panes. The navigation pane is on the left, common tasks are in the right pane, and system status is presented in the center pane. In the center-pane "Overview," you'll see the Notice Board and System Status. The "Notice Board" has links to install and configure Intune's anti-malware software, policies, and a link to download and deploy the client software. "System Status" contains alerts of various levels that require action. These alerts are fully configurable. To deploy the client (agent) software, you can use any deployment method you like, such as Group Policy, PsExec, scripting, email attachment or, as in my small test lab, a Universal Serial Bus (USB) drive. The install file is only about 8 KB.
I must say I was quite impressed with the client installation. The enrollment package contains a certificate that enrolls the client in your specific account. I downloaded the client package to a USB drive and found two clients -- Windows 7 and Windows XP -- that had been shut off for a good six months. One had no antivirus protection, and both were out of date, so I figured they would be good test machines. I installed the software on each machine, which required a reboot. I watched the console -- just a browser connected to my Intune account -- and very soon after the clients booted up, they showed up in the "Unassigned Computers" group. No muss, no fuss, no configuration. It made me want to find more machines to install it on. Not only did they show up, but looking at the group page "Computers Overview," I can see immediately if there are any computers with alerts, needing updates, and the malware protection status(see Figure 3).
I found the configuration easy. No training, no white papers; just Shepard's TechEd presentation. When the video from that presentation is posted , don't forget to listen to the Q&A at the end.
I then created a Windows XP group and a Windows 7 group. Be careful of an option to select the "Parent" group (Figure 4). I created one group under the other and had to delete it and recreate it to get a new parent.
It is also possible to create administrator accounts and add notification rules. Just like other monitoring software, alerts can be configured, and you can select various levels to send email notifications. Other features such as software licensing can also be configured.
Another impressive feature was the management of updates. Intune looks at virus updates and security updates, and it allows you to view them by group, by client or in a summary of all computers. The user interface also has a filter to make it easy to review lots of clients. Figure 5 shows that the events can be filtered by severity and type in the left pane. Each update shows the severity and if it has been approved (accomplished through the Intune console). Clicking on an update provides verbose detail including a link to the knowledge base and if the machine requires a restart. Note that the updates are viewable from several locations -- by group, all computers combined or by individual client.
Intune has many more features that I don't have time or space to cover here. While the functionality of Intune is impressive, I wonder if paying for a management and inventory service in the cloud is really cost-effective over an on-premise solution. Intune seems to be geared for small and medium-size businesses, but there are a lot of third-party management tools. Microsoft has announced that the pricing is $11.00 per month, per client, with 10,000 clients per account. My recommendation is to sign up for the beta and try it out -- see how it works for your needs. Then get pricing information and see if it will meet your requirements and be cost-effective.
ABOUT THE AUTHOR
Gary Olsen is a systems software engineer in Global Solutions Engineering at Hewlett-Packard. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Olsen is a Microsoft MVP for Directory Services and formerly for Windows File Systems.
This was first published in August 2010