Managing from the cloud with Windows Intune


Simon May

IT Pro Evangelist

Microsoft UK


Securing and managing the devices that users take for granted when accessing the cloud is top of mind for IT Professionals everywhere, and there are lots of solutions to make things more secure. What about desktop PCs? Everyone in the desktop world is accustomed to managing, patching, remote controlling and securing computers, but are there new opportunities presented by the cloud? The answer is of course yes. Windows Intune is a new Microsoft product that allows you to manage Windows computers from the cloud, without the back end infrastructure normally associated with endpoint management.

One of the most striking benefits and one that resonates very strongly with those responsible for paying for business IT is the potential cost savings that come from not having to intensively manage infrastructure. Windows Intune is a pretty cool product because it allows for management of corporate PCs without the need to deploy costly servers and spend time engineering that back end infrastructure normally required in a corporate environment. Not only that but some interesting license benefits make Windows Intune exceptionally valuable for some organisations. First off let’s understand what this new offering does.

Manage Windows Update

Windows Update is one of Microsoft’s largest publicly available cloud services, providing patches and updates to millions of computers around the world each day and absorbing the scale required on busy days like patch Tuesday (the 2nd Tuesday of every month, when Microsoft releases patches). In fact, if you ever try to update a computer from Windows Update you’ll find that the service is out there, ready to serve. Contrast that with the “traditional” approach, whereby you have a Windows Server Update Services (WSUS) server installed in your business to achieve control over the patches applied to corporate computers, and you’ll see that, whilst it’s an essential service, it’s another server to run, another server to manage and another server to buy. WSUS is perfect for some circumstances: it provides both local caching of updates and control over which are applied. Increasingly, though, the caching is a reducing requirement as bandwidth increases.

With Windows Intune you have control over which updates are applied to which computers within your organisation, and when. All updates are pulled from the highly available public Windows Update service though, reducing the need for a local WSUS server. Why this need for control? Occasionally an update can cause an issue with an incompatible line of business (LOB) application. Windows Intune allows you to group computers together to apply updates or to reject them, so you can create a scenario just like I have in my test lab: I have a “testing” group that applies all Windows Updates automatically; when I’m sure they’ve not caused any issues with the applications running on those machines I allow my “corporate” group to apply the updates; but I have a group of special machines, “CXO office”, that only allow updates to be installed when manually approved. This scenario allows me to retain control, something that some people fear the loss of with cloud.
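The three-group scheme above can be modelled as a small approval policy plus a per-computer gap report. This is an added example, not Windows Intune code or an Intune API: the `Update` record, the group-to-mode mapping, the `KB-A`/`KB-B`/`KB-C` identifiers and the computer names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Approval mode per group, mirroring the lab scenario in the article (assumed names).
POLICY = {"testing": "auto", "corporate": "after-testing", "CXO office": "manual"}

@dataclass
class Update:
    kb: str                                          # constructed identifier
    validated: bool = False                          # admin saw no LOB breakage in "testing"
    approved_for: set = field(default_factory=set)   # explicit per-group approvals
    declined_for: set = field(default_factory=set)   # explicit per-group rejections

def is_approved(update, group):
    """Decide whether `update` may install on computers in `group`."""
    if group in update.declined_for:                 # a rejection always wins
        return False
    mode = POLICY[group]
    if mode == "auto":
        return True
    if mode == "after-testing":
        return update.validated
    return group in update.approved_for              # "manual"

def missing(computers, updates):
    """Map computer name -> approved updates it has not installed yet."""
    report = {}
    for name, (group, installed) in computers.items():
        gaps = [u.kb for u in updates
                if is_approved(u, group) and u.kb not in installed]
        if gaps:
            report[name] = gaps
    return report

def skipped_testing(updates):
    """Manual approvals granted before the update was validated in testing."""
    return [(u.kb, g) for u in updates for g in sorted(u.approved_for)
            if POLICY.get(g) == "manual" and not u.validated]

# Constructed sample data: three updates, one computer per group.
UPDATES = [
    Update("KB-A", validated=True, approved_for={"CXO office"}),
    Update("KB-B", validated=False, approved_for={"CXO office"}),
    Update("KB-C", validated=True, declined_for={"corporate"}),
]
COMPUTERS = {
    "lab-01": ("testing", {"KB-A", "KB-B"}),
    "desk-17": ("corporate", {"KB-A"}),
    "cxo-02": ("CXO office", set()),
}

if __name__ == "__main__":
    print(missing(COMPUTERS, UPDATES))
    print(skipped_testing(UPDATES))
```

`skipped_testing` surfaces the one case the staged rollout is meant to prevent: an update approved by hand for the most sensitive group before it was validated on the testing group.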

Malware protection

Windows Intune comes with anti-malware software built in that uses the Microsoft Forefront Endpoint Protection and Microsoft Security Essentials technology to provide a highly reliable yet simple to use solution. The testing I’ve done found every test virus in seconds as you’d expect but the notifications to the end user are simple, elegant, unobtrusive and easy to understand. The centralised management that’s built in lets administrators know that malware was detected and what action was taken to resolve the issue or if there was a reason that the issue wouldn’t be resolved lets the admin know what to do next. When it’s a known malware problem the admin is given detailed information from the Microsoft security response centre which makes their workflow even easier by giving them useful follow up hints.

Updates to the malware protection features are handled through Windows Update, so as long as you’ve got an internet connection updates are available and they’re controlled in the same way as Windows Update. That makes it simple to introduce testing or validation if your business needs it.

Manage Windows Firewall

Increasingly with laptops and devices being more mobile a device firewall is essential and increasingly so within the corporate environment. Two examples for you of why they’re necessary. Firstly you need to defend those devices when they are used in less secure locations, like a coffee shop when your sales guys are having a meeting. Secondly within the corporate network you are likely having (let’s call them) uncontrolled devices coming in, someone brings their mobile in and connects to the corporate WiFi network or the like. You don’t know what could be on that device so better to protect all your devices to some degree and one way is with device firewalls. Windows includes one as standard in all versions from XP to Windows 7 and Windows Intune allows you to centralise that management, to be able to push out policies to devices and even to be able to open or close firewall ports on those devices.

Inventory

Knowing what hardware and software you’ve got in your organisation is a critical task for most administrators and one that introduces enough pain that most hate the task: I know I once had to write a script that used WMI to interrogate more than 5000 devices! Windows Intune includes hardware and software inventory that reports back on what software is deployed to which computers and will simply tell you what hardware each computer has. The information can be used to populate spreadsheets or create HTML based reports, but critically it can be used to understand what you need to do to upgrade to Windows 7.

I’ll do licensing in a bit but every Windows Intune license includes Windows 7 Enterprise for the life of the Windows Intune license.

Monitoring

Not only do administrators get alerted about updates that have been missed or malware that’s been detected, but they also find out about all sorts of computer specific stuff that could be causing users concern. For example, hard drive space shortages can be spotted and addressed by admins with a phone call explaining how to clean up some space, or by ordering a new drive. That’s the kind of shift in customer service that users love and that cloud represents: IT being able to add more value and do more with less.

Remote Assistance

One of the best tools for helping users is to be able to take control of their computer or even just to watch it whilst they explain a problem. For me that traditionally meant knowing some kind of information about the computer and obtaining that from the user was like pulling teeth… “I need your hostname”… “my hostname?”… “the name of your PC” … “where do I find that” … “right click Computer and select properties” … it says “Local Disk: C: , Devices with removable storage” … “no, right click” … etc. etc. sound familiar?

Windows Intune doesn’t need any of that, the user clicks a link in the Windows Intune client software and the administrator is sent a link to start a remote session. No back and forth or preamble, it just works.

Client software

The only software required for Windows Intune is a client application which when downloaded from the Windows Intune administrators console is unique to your organisation. From then on as soon as it communicates with the Windows Intune cloud service the computer is identified as your organisation and off you go. Zero client configuration required, just Next, Next, Next.

The back end

It’s a cloud service; there is no back end infrastructure to deploy. It’s that simple.

How much does it cost?

Ah, now onto the always very worrisome licensing conversation. Except that it’s not a worrisome conversation and in this case I think you’ll like it. Licensing for the UK is £7.25 per month, per PC, and included in that you get Windows 7 Enterprise installation rights for any PC that is licensed with Windows Intune. That means that for £7.25 per month per PC you can finally get them all to the same version of Windows and get the best possible Windows 7 experience. On top of that, pay a little more (60p per PC) and you’ll get the rights for MDOP… so you get App-V, Med-V, DaRT etc.

And to answer your question yes, if you have an EA it does get cheaper, and yes the more machines you have it does get cheaper, go over 250 machines and the price drops then again at other levels.

Is it right for you?

If all the above sounds fantastic then you’re probably thinking you’d like to investigate. You can get a trial for 30 days free; have a look at https://windowsintune.com for details. Who is Microsoft aiming this at though? Well, it’s perfect for smaller businesses that lack an existing solution and for larger businesses that don’t have the need for Operating System Deployment (OSD) or Enterprise Software Deployment (ESD); those are the two things that Windows Intune can’t yet do. It has however been tested up to 20,000 devices in an organisation, which will do most people I think.

And finally

I like when there’s an and finally part to a post, a couple of things that I think are brilliant about Windows Intune but that don’t get a lot of air time. It’s the cloud; that means that the infrastructure is run for you, so upgrades happen for you, when there’s a new version of Windows Intune there will be a smooth way to upgrade and Microsoft will do it for you.

Also, because it’s the cloud, the second the computer can see the internet it can see Windows Intune and the Windows Update service, and that means that wherever that computer is you can manage it. You can deploy updates, update malware definitions, update anything else needed and provide remote assistance. That for me is the biggest advantage of Windows Intune: it could mean an end to devices bringing in malware and such just because they’ve not been connected to a VPN for a while and not hit the antimalware and patch servers that are available only inside the traditional corporate environment.

What to do now

Get the 30 day trial and give Windows Intune a go yourself and don’t forget to download the trial guide to get the most out of the trial. You might also want to take a look at this video to see Windows Intune in action.

Download free 30 day trial: https://www.microsoft.com/uk/windows/windowsintune/pc-management-how-to-try-and-buy.aspx

Windows Intune TechCentre: https://technet.microsoft.com/en-gb/windows/ff472080

Watch video: https://www.microsoft.com/showcase/en/gb/details/41c9e668-c28b-4629-a687-8a92e34ca133