Sunday, August 29, 2010

Why Windows Intune is such a big deal

A few months ago Microsoft announced a new cloud-based Windows management service known as Windows Intune.  It is currently in beta; however, the beta is not yet available in Australia (MS Australia have confirmed there is no confirmed release or beta date for Australia).

The easiest way I can think of to explain what Intune provides is as a lightweight version of System Center Essentials aimed at the SMB/SOHO market, where centralized IT infrastructure is either not in place or consists of minimal components.  The screenshot below displays the console, which gives you a good idea of what is provided:


As you'll notice, the console presents an Overview of your environment, a list of computers managed by Intune, the Updates section, Malware Protection, Alerts, Software, Licenses, Policy, Reports and Administration.

The centre section gives you a snapshot of the organization at a glance, letting you know whether there are any major issues in your organization. To the right we have the tasks sequence (familiar from recent Windows versions), giving contextual tasks dependent upon the pane you are currently in.

Drilling down further into the menu, we can go into the Computers section, which is shown below. 

As you can see, we have a series of groups that can be created to categorize the computers managed by Windows Intune.  By default, any new computers are joined to the Unassigned Computers group until you allocate them to a new computer group.  These groups are used to manage and apply policy in a similar fashion to Organizational Units in Active Directory.  The Overview tab, which is not shown above, provides a quick snapshot of the general health of each managed computer.

If you continue drilling down into the individual computers, you are presented with detailed information about each of the sections that Windows Intune manages.  In addition to these, you are presented with a Hardware and a Software tab.  The Software tab provides you with a list of all installed applications on the computer (handy to see if your user has decided to install 1001 screensavers).  The Hardware tab provides detailed hardware information, from motherboard to firmware to printers, which is exceptionally useful when troubleshooting hardware-related issues.

Next down, we have the Updates tab which is very familiar to those of you who have used Windows Server Update Services in your client organization.  Below I have screenshots of the Updates screen when an update is pending approval, and the standard (all updates taken care of) view.



You'll notice in the first screenshot there is an option to approve the pending updates, where you would select which computer groups these updates need to apply to.  Again, this is very similar to the standard WSUS screens you are probably familiar with.  An important point to consider is that updates are downloaded from the Microsoft Update Service, which has bandwidth considerations if you are using Intune in addition to an on-premises WSUS.  Microsoft have confirmed that Group Policy overrides Intune policy, so if you apply WSUS local updating policies these will take precedence.

Continuing down the console, we have the Anti-Malware section. I have taken screenshots of this section when a virus is found on a client machine.




As you'll notice, the interface is pretty basic, providing you with the details of any malware found on managed machines and a brief overview of the threat severity.  What is really cool is the ability to click on the name of the threat (or the "Learn More:" link) and get a Forefront threat description with information about the threat (see below).




Note that I was unable to find a way of remotely cleaning up the threat, however at least you are notified that the threat exists.  I would imagine that future Beta versions will include this functionality as it seems fairly trivial to implement.

Next we have the Alerts section, which provides a snapshot of all active Alerts in the system.  From within this section you are able to view any informational alerts (such as information to let you know how to install client software) or critical alerts (such as malware found) and the ability to close these once they have been resolved.  The section is fairly self explanatory but comprehensive in the areas of the client that it covers.  Screenshot below.




The next section is Software, which is also reasonably basic: it simply provides you with a list of all software installed on the computers within your organization.  You can see the number of computers the software is installed on, as well as the author and publisher information (the usual stuff).





Continuing down, we have the Licenses section. This is quite a nifty feature for smaller organizations to keep track of their software compliance. Again, in this case it's fairly basic: you can currently upload Microsoft Volume Licenses here (add the Agreement/Authorization number), which allows you to keep track of numbers. This is the information used in the later Reports section for reporting on compliance.

We then continue to the Policy section, which can be thought of as the Intune version of Group Policy.  At this stage we have the ability to apply policy around the Intune Client, the Anti-Malware Agent and the Windows Firewall.  These policies are applied to Computer Groups exactly as you would expect.  Again, the implementation seems pretty basic at this stage, but it shows what can be done, and I would imagine that future versions of Intune should allow you to apply other policy settings to your clients.  I absolutely love this concept of remotely managed Group Policy for all.

Second from last we have the Reports section, which consolidates all aspects of reporting into one place.  Here we can generate reports on Update Status, Installed Software and License Reporting.  Each has multiple types of report that can be generated, and these are quite handy for generating paperwork for your managed clients (to show them the work you do for them!).



Finally we have the Administration pane where you can configure various aspects of your client management. 



The Updates section (screenshot below) allows you to configure what types of update are available for installation on your client machines (i.e. the product categories and update types).  You can also configure Automatic Approval settings to ensure that your clients automatically receive critical updates without administrative approval.



We can then configure Alerts for your managed clients and whether these are enabled.  In addition, you can configure recipients to be notified when an Alert event has been triggered, as well as which events actually trigger an email (and which only trigger a console alert).



The remaining two administration sections simply cover the authorized Intune administrators (and their associated Live IDs).  These are known as Service Administrators, although at this stage I have yet to see exactly what these differences constitute.

This year I was extremely lucky to be able to attend TechEd Australia 2010 where Jeff Alexander and his fellow presenter (terribly sorry I've forgotten his name) gave us an excellent demonstration of the User Interface and were able to provide us with some interesting information around the product. 

The beauty of this product is the ability to manage workstations irrespective of where they are currently located.  No special firewall rules are required: it's all client-initiated polling and communicates over SSL (so as long as their internet connection allows outbound web traffic, they can be managed).

@nathanm was kind enough to let me know that Remote Assistance is also provided via Windows Intune, which was one of the key features I had originally thought missing.  It's called Windows Easy Assist and is implemented via Live Meeting.  It supports Full Desktop Sharing, Single App Sharing, the ability to record and replay, file transfer and the ability to reboot/reconnect, which is great. Taking this into account, the product begins to look increasingly polished and any feature changes would be relatively minor.

Australian pricing is not ready, in the same way the beta is not currently ready; however, indicative American pricing suggests that we will be looking at around $10US per month per client, with an additional $1US per month for the Microsoft Desktop Optimization Pack.  The cool thing about this cost, though, is that it actually entitles you to upgrade every single computer managed by the product to Windows 7 Enterprise.  And that extra $1US per month gives you the rights to use all of the MDOP products.  That to my mind is pretty awesome, and the price is in line with the numbers Telstra are currently providing for hosted BPOS.  It may well be that pricing will be different when the product is released, but the power and management provided by the product justify that price point in my mind.

We're still unsure of the release date, however initial suggestions from MS were some time next year.  We are assured that by the time the next TechEd comes around we will be talking about this product more and more. 

Personally I'm excited by the product and can't wait to get my hands on the Australian beta as soon as it comes out and follow the product to completion.  I can't deny that there are other products out there that cover this market, however when Microsoft put their minds to something they tend to produce a winner.  They have made a serious commitment to the cloud and I think this product will be one of their flagship SMB products moving forward.  Especially when you consider this product in conjunction with BPOS and "Aurora" (the new SBS Light).

Exciting times ahead, people. Definitely keep your eyes and ears open for Windows Intune; it's going to be massive.