First Look: Microsoft Intune

Microsoft unveiled the final version of its Intune cloud-based PC management system at its Management Summit in Las Vegas last month.

Intune is aimed at small and medium sized enterprises (SMEs), offering them the option to move PC management and security to Microsoft’s Windows Cloud Services.

The theory behind the offering is that it will help companies save on both IT personnel and the back-end infrastructure needed to deal with managing their desktops.

Calculating such benefits is not a trivial exercise, and balancing the cost of the Intune all-in-one package against separate hardware asset management and software asset management products is not a task you can carry out on the back of an envelope.

There are also third-party asset management providers available that offer SMEs this type of service on an outsourced basis.

We signed up for a 30-day trial of Intune through our Microsoft Live account, and set up a three PC test network, creating standard user accounts on all three systems.

Each PC was running a different Microsoft business operating system – XP Professional (32-bit), Vista Ultimate (32-bit) and Windows 7 Ultimate (32-bit).

Operating system requirements
With Intune, firms can manage both x86-(32-bit) or x64-(64-bit) XP Professional (SP2/SP3), Vista Enterprise, Ultimate or Business editions, and Windows 7 Enterprise, Ultimate or Professional Editions. Intune does not support Itanium-based IA-64 systems.

Client agent install
First it is necessary to install a client agent onto users' systems. There are two ways of doing this – the easiest is to download the 13MB agent and its associated certificate, and install it locally under an administrator account [see picture].

The other method uses Microsoft's server-based Group Policy to remotely install the package onto users' systems.

We took the easy option and installed the client agent locally under an administrator account, in just a couple of minutes.

After the local Windows Intune client icon appeared on the desktop, Intune prompted our Windows 7 Ultimate 32-bit system for a restart to update its files and services.

Intune downloads and installs a further four agents, and sets up a number of services. The four agents are Microsoft Online Management Policy Agent, Systems Center Operations manager 2007 R2 Agent, Windows Intune Endpoint Protection Agent, and the Windows Intune Monitoring Agent.

The services installed are the Windows Intune Center, Microsoft Policy Platform, Windows Firewall Configuration Provider, and Windows Intune Endpoint Protection [see picture].

Not all companies like using software agents installed on each computer that needs managing. Many prefer agent-less asset management for several reasons, such as avoiding worries about potential challenges in managing agent upgrades.

User console
Users can open the user console to receive Intune updates, start an Intune Endpoint Protection scan or open Microsoft Easy Assist to get administrator remote assistance [see picture].

Administration console

Administrators can manage their firms' desktops by logging onto their Live accounts and browsing to the Intune admin console.

Here they're presented with 10 sidebar tabs, including options to manage patches, software updates, security, software licensing, and deal with alerts generated by the desktop Intune client software [see picture].

There's a system overview tab offering a check on the number of systems being managed; and a computers overview tab, which gives a named list of all the computers that have an Intune client on them.

Admins can create Intune Computer Groups to manage systems. A computer group can be used to manage, say, desktops based in a single location or department, or based on system hardware and associated operating systems.

There are three main status monitors for Intune clients visible on the overview tab: Alerts, Updates and Endpoint Protection.

The Updates tab allows administrators to manage what Microsoft software can be loaded onto desktops, and the status of any software updates that need to be installed on users' systems.

The Endpoint Protection tab shows status indicators denoting the presence of malware on users systems.

The Policy tab can be used to determine how software is updated and when, and how Endpoint Protection is configured.

Admins define policies to, for example, schedule specific times for malware scans to execute, and what types of files will be scanned [see picture].

The last tab, Administration, gives an overview of the number of systems the administrator is managing, duplicating the system overview tab, but also provides options to deploy the Intune client software through the server-based Group Policy settings used in Active Directory.

The Administration tab also defines which software product categories can be managed, although we could only see Microsoft software packages. This could include, for instance, application virtualisation or high performance computing software – HPC Pack.

Administrators can also download the latest Intune client software from Microsoft's Intune web site.

One thing firms may be unsure of is what happens if there's a service outage. In the administration tab, there is an option to view the current service status, and there's also a status history [see picture].

There's also a Reports tab to give detailed information on software and licences installed on  systems, and the License tab allows admins to manage the software licensing.

Conclusions
In the limited time we used Intune, we found that it performed well, but this was on an admittedly limited rollout.

We suspect a larger rollout of desktop systems would take some time to settle down, before admins got everything running smoothly. For example, the 30-days free 25-licence offer of Intune would only expose triallists to one of Microsoft's patching cycles to check whether systems performed as expected.