If you manage Windows PCs in a small to medium business, or even an enterprise, then you are going to want to read on. This month we are announcing that Windows Intune will be available in Australia on Thursday March 24 2011. Make sure you check the website for more details and for links to a 30 day trial! The first question I often get asked is: what is it? Well, in a nutshell, Windows Intune simplifies how businesses manage and secure PCs using Microsoft Cloud Services and Windows 7. We do this by delivering a cloud-based management solution and security capabilities from a single web-based console. This means that administrators can manage PCs from any location; all that’s required is an internet connection. The other question I get is: what do I get? Let’s have a look. There’s a lot in Windows Intune, so this is a fairly long post, but one I think you’ll find well worth a read.
- Simple Web Based Console
- Protect PCs from Malware
- Manage Updates
- Proactively Monitor PCs
- Provide Remote Assistance
- Inventory Hardware and Software
- Set Security Policies
- Windows 7 Enterprise Upgrade Rights
Before I go into each of the components of Windows Intune I want to address the second most common question I get about it: why would I want to manage through the cloud? There are many good reasons to do this, but here are three core things you will no longer have to worry about simply by moving the management of your PCs to our cloud service.
- First, you won’t have to build out a server infrastructure to manage your PC infrastructure. Simply put, you won’t have to purchase server hardware, OS licenses for that hardware or management software. It’s all done through our cloud services. You also won’t have to install and configure each server or integrate that server into your existing infrastructure.
- Second, you won’t have to worry about securing that management infrastructure, because it is handled as part of the cloud-based service.
- Third, you won’t have to worry about high availability. Are my servers up and running? What do I do if I have a failure? This is all provided as part of the Windows Intune service and Microsoft Cloud Services.
Now that I’ve said that, I know that cloud services don’t fit every business and you have to consider which services you can move to the cloud. I also know that most IT Pros that I talk with don’t want to move everything to the cloud just yet, but Windows Intune certainly can help simplify how you do PC management. I’ll talk more about what that means later. So let’s get back to what each of the core components in Windows Intune provides.
Web Based Console
When you first log on to the Windows Intune Portal you are presented with the main System Overview page. On this page you will see three panes: the Navigation pane on the left, the Information Panel in the middle and the Task Panel on the right. As an administrator, the main areas you need to pay attention to at first login will be the System Status pane and the Alerts by Type pane. These give you the overall status of the system you are managing plus details of any alerts for it. The screenshot above happens to be the login that I use to manage some of my virtual machines. Here I can see at a glance that I have one update waiting for approval that I need to deploy to my PCs. I’ll talk more about updates later in the post.
Protecting PCs from Malware
When we look at managing PCs, keeping them secure is one of the most important tasks. When you set up Windows Intune on your client machines it installs Windows Intune Endpoint Protection and the Windows Intune Protection Agent.
Windows Intune Endpoint Protection is based on the Microsoft Malware Protection Engine, which is also used by Forefront Endpoint Protection and Microsoft Security Essentials. Once installed, the agent reports the health of each machine, and any issues it might have, back to the administrator console. In order to demonstrate this I’m going to intentionally “infect” one of my machines with the EICAR test file, a harmless standard test file that anti-malware products detect as if it were a virus. This simply allows me to demonstrate the end to end workflow of what happens when a machine gets a virus. Don’t try this at home folks!
So as you can see here I’ve clicked on a suspicious link and now have a virus.
Windows Intune Endpoint Protection kicks into gear and says it’s time to clean this virus off this machine.
Virus clean in progress.
Virus cleaned. Now, because I’m managing this machine through Windows Intune, I get alerts in the administrator console whenever there are issues such as virus outbreaks. The screenshot below shows me there was a recently resolved malware instance in my environment. This shows up in the Endpoint Protection Overview screen and tells me how many instances there were of this piece of malware and how many computers had the virus. It also tells me the name of the virus so I can go and get more details.
If I drill into this a bit further I get more details of this virus, such as detections to date and the alert level.
And if I click on “Learn more about this virus” I’m taken directly to the Microsoft Malware Protection Centre for more information.
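The EICAR test run above can be scripted, so that you can confirm Endpoint Protection is actually active on a newly enrolled PC before a real infection tests it for you. The script below is an added example and is not code from the original post or from Windows Intune; the scratch folder under %TEMP% and the 60 second wait are assumptions and can be changed.

```powershell
# Added example, not code from the original post or from Windows Intune.
# Drops the EICAR test file on the local PC and watches whether endpoint
# protection removes or blocks it within a timeout. Assumptions: the
# scratch folder and the timeout below are arbitrary choices.
param(
    [string]$TestDir = (Join-Path $env:TEMP 'eicar-check'),   # assumed scratch location
    [int]$TimeoutSeconds = 60                                  # assumed wait
)

# The EICAR signature is an industry-standard harmless test string (68 ASCII
# bytes). It is assembled from two halves so that this script file itself is
# not quarantined before it gets a chance to run.
$sigHead  = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$'
$sigTail  = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$eicar    = $sigHead + $sigTail
$testFile = Join-Path $TestDir 'eicar.com'

if (-not (Test-Path -LiteralPath $TestDir)) {
    New-Item -ItemType Directory -Path $TestDir | Out-Null
}

$started = Get-Date
$outcome = 'not detected'

try {
    # Write exactly the 68 bytes; WriteAllText adds no trailing newline.
    [System.IO.File]::WriteAllText($testFile, $eicar, [System.Text.Encoding]::ASCII)
}
catch {
    # Some products refuse the write outright under real-time protection;
    # that also counts as a successful detection.
    $outcome = 'blocked on write'
}

if ($outcome -eq 'not detected') {
    # Poll until the file disappears (cleaned or quarantined) or we time out.
    $deadline = $started.AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $testFile)) {
            $outcome = 'removed by endpoint protection'
            break
        }
        Start-Sleep -Seconds 2
    }
}

# Tidy up if nothing reacted, so the test file is not left lying around.
if (Test-Path -LiteralPath $testFile) {
    Remove-Item -LiteralPath $testFile -Force -ErrorAction SilentlyContinue
}

# New-Object rather than [pscustomobject] so this also runs on the
# PowerShell 2.0 that ships with Windows 7.
New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    Outcome        = $outcome
    ElapsedSeconds = [int]((Get-Date) - $started).TotalSeconds
}
```

Run it as the logged-on user on a managed PC. The local result is only half the check: the other half is the alert appearing in the Endpoint Protection Overview screen, as in the walkthrough above, which is what tells you the agent is reporting back to the console as well as cleaning locally.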
So that is the workflow of what happens when a virus outbreak occurs in an environment where you are managing the PCs with Windows Intune. Let’s move on to the next component.
Managing Updates
Patch management is probably one of the biggest headaches for any administrator, and Windows Intune is about making this process easier. Update management is built upon WSUS and Microsoft Update, which has been pushing updates out for a long time now, so you know the service scales. Think of Update Management in Windows Intune as WSUS in the cloud. So let’s have a look at what gets installed on the user’s machine and what it looks like in the Administrator console.
So here you can see the three agents that relate to Update Management: Microsoft Online Management Client, Microsoft Online Management Policy Agent and Microsoft Online Management Update Management. Once these are installed, the PC’s updates are managed by the administrator instead of the PC going directly to Microsoft Update, as you can see in the following screenshot.
So if you’ve used WSUS then this will be completely familiar.
And if I click on the link for the one update needing approval, it takes me to a page giving me more information on this update.
And if I click on the link for computers needing this update, it takes me to the names of the computers that need it so I can approve the update for installation.
The screenshot below shows where in the Administration tab you set all the settings for updates. Here you can set Product Category settings, Update Classification Rules and create your own Auto Approval Rules. The Auto Approval Rules are good for automating the process of approving certain updates, such as critical updates or security updates. In the end all this makes Patch Tuesday a much easier process!
Proactively Monitoring PCs
Monitoring of PCs using Windows Intune is handled courtesy of the Microsoft Operations Manager Client Agent. Essentially you need to know when there are issues with the PCs you’re managing, so the Windows Intune Monitoring Agent keeps you up to date with any events that are happening on your PC fleet. The agent is one of many that get installed as part of the Windows Intune setup process. I’ll show you a screenshot later of all the agents that are installed.
You can see from the screenshot below that you can monitor a bunch of different areas on your system, including applications and operating system events.
You can also customize what types of alerts you want to monitor by going to the Administration tab and then clicking on Alerts and Notifications to customize them to your environment. By monitoring common alerts you can take proactive action no matter where you are and no matter where your users are.
Providing Remote Assistance
Now we all know there are going to be times when users need a bit of assistance. Windows Intune provides remote assistance by installing Microsoft Easy Assist as one of the agents that get installed on your PCs. Easy Assist is accessed through the Windows Intune Centre, which is installed on each of the managed PCs. You can see a screenshot of that below.
Once the user requests remote assistance, that request is sent to the administrator and shows up in the alerts panel.
Now you can see from this picture that the request has made its way to the administrator’s console. This only took about a minute or so to appear in my console, about as much time as it took to write this paragraph.
Now you can see that I’ve clicked on the remote assistance request, which takes me to the alerts page showing me the machine that has made the request and a link where I can take more action.
The dialog box below is where I can accept the remote assistance and begin the handshake process with the client machine.
This then loads the Easy Assist Entry Page using Live Meeting. The reason we use Live Meeting is that it’s more firewall friendly in most organisations than traditional remote desktop sessions.
This then loads the Microsoft Easy Assist session on the administrator’s machine and sets up a handshake between the administrator and the client machine requesting the assistance. At this point the client is presented with the dialog below asking them to share their desktop. Obviously, in order to continue, the user needs to share their desktop so the administrator can help them.
So when the user clicks on Share Desktop the handshaking process is complete and the Easy Assist client on the administrator’s machine loads a separate window for interfacing with the client machine.
This screenshot shows the user’s desktop as the administrator sees it. That’s the end to end process flow for Remote Assistance.
Hardware and Software Inventory
The next area I wanted to focus on was asset management and in particular hardware and software inventory. Windows Intune provides per-computer hardware inventory and both account-wide and per-computer software inventory. This gives organisations a basic understanding of what hardware and software they have installed on the PCs in the organisation. Software is categorized using the Asset Inventory Service, the same service used in the Microsoft Desktop Optimization Pack (MDOP). It provides a detailed inventory of your machines. This is important to organisations that need to keep track of their licenses and asset details, which is pretty much everyone.
In this screenshot I’ve gone to the Computers tab, Work Computers, Computers and then clicked on the client machine I wanted to look at. You can see I get some basic information about BIOS, System, Processor and other details.
In this next screenshot you can see all the software you have installed on the PCs you are managing, including the name of each application along with its installation count. Good for making sure you are within your licensing guidelines.
Next I can drill into individual machines to see what software is installed and get more details, such as version numbers.
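As an added example (not code from the original post, and not how the Windows Intune agents themselves collect inventory, which goes through the Asset Inventory Service), the script below pulls the same categories of data locally with WMI and the registry so you can cross-check what the console shows for a machine, and it goes one step further by rolling several machines’ software lists up into the name-plus-install-count view of the account-wide page. It assumes an output folder under %TEMP% and that it is run elevated on Windows 7 or later.

```powershell
# Added example, not code from the original post or from Windows Intune.
# Collects BIOS, system, processor and installed-software details for the
# local PC and rolls per-machine software lists up into install counts.
# Assumed: the output folder below; run elevated on Windows 7 or later.
param([string]$OutDir = (Join-Path $env:TEMP 'inventory'))   # assumed output folder

function Get-HardwareInventory {
    # The same BIOS / System / Processor basics the console's computer page shows.
    $bios = Get-WmiObject Win32_BIOS
    $sys  = Get-WmiObject Win32_ComputerSystem
    $cpu  = Get-WmiObject Win32_Processor | Select-Object -First 1
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        Manufacturer = $sys.Manufacturer
        Model        = $sys.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosSerial   = $bios.SerialNumber
        Processor    = $cpu.Name
        MemoryGB     = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
    }
}

function Get-SoftwareInventory {
    # Installed programs are registered under the Uninstall keys; the
    # Wow6432Node copy holds 32-bit software on 64-bit Windows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Computer  = $env:COMPUTERNAME
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
            }
        } |
        Sort-Object Name -Unique
}

function Get-InstallCounts {
    param([string]$Dir)
    # Combine every software-*.csv in the folder (one per machine) into a
    # "name plus install count" table like the account-wide console view.
    Get-ChildItem -Path $Dir -Filter 'software-*.csv' |
        ForEach-Object { Import-Csv $_.FullName } |
        Group-Object Name |
        ForEach-Object {
            $versions = $_.Group | ForEach-Object { $_.Version } | Sort-Object -Unique
            New-Object PSObject -Property @{
                Name         = $_.Name
                InstallCount = $_.Count
                Versions     = ($versions -join ', ')
            }
        } |
        Sort-Object InstallCount -Descending
}

if (-not (Test-Path -LiteralPath $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

# One CSV per machine; copy the software CSVs from other PCs into the same
# folder and the roll-up below will count across all of them.
Get-HardwareInventory | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "hardware-$env:COMPUTERNAME.csv")
Get-SoftwareInventory | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "software-$env:COMPUTERNAME.csv")
Get-InstallCounts -Dir $OutDir | Format-Table Name, InstallCount, Versions -AutoSize
```

Comparing the local Uninstall-key list with the console’s software page for the same machine is a quick way to spot an agent that has stopped reporting, since a PC whose console entry is stale will still show its current software locally.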
Setting Security Policies
The next section covers setting policies on client machines using the Policy workspace. This section of Windows Intune lets you configure policies and settings on computers through the use of templates. This is broken down into three areas:
- Windows Intune Agent Settings
- Windows Intune Centre Settings
- Windows Firewall Settings
While Windows Intune does not provide everything an on-premises solution would provide with Group Policy, it does provide some basic settings that you can manage.
Here I’ve started to configure my policy for the Endpoint Protection agent for Windows Intune. Once this is saved these policies will get applied to all machines that I manage with Windows Intune.
Windows Intune Centre Policy settings
Windows Firewall Policy Settings
Earlier in this post I talked about the agents that get installed as part of the Windows Intune client software. When the software is installed we install a core Windows Intune Agent and then bootstrap the rest of the agents through Windows Intune. After they are installed you end up with 12 agents on your managed PCs to handle all the components of Windows Intune. Below is a screenshot.
During the Beta of Windows Intune we added a new feature called the Multi-Account Console. This feature is designed for partners who will provide the Windows Intune service to their customers. What it does is give you a single aggregate view of all the customers you are managing through the Windows Intune service. This is great for service providers because they can get an at-a-glance view of the current health of all their customers’ PCs and take action accordingly. Below is a screenshot of what this looks like.
In this example I’m managing several customers through the Windows Intune service, and I can see from this dashboard that one of those customers has an issue that I need to take care of. The rest are looking fine. From here I can click on the customer with the issue and manage it through the normal web console.
Well, that’s about it, and to be quite frank I can’t type any more in this post or I’m never going to get it out. If you want to know more, we have an upcoming webcast with Mark Russinovich called the Windows Intune Technology Tune-Up. Make sure you register for this event to hear from Mark and a panel of experts on best practices for PC management.
And finally if you want to be reminded about the 30-day trial make sure you sign-up to be notified when that’s available!
Jeffa – just sayin’…