Introduction to Windows #Intune | part 1 – Infrastructure overview #sysctr
Last week I was at a Microsoft site following a technical workshop on Windows Intune.
Windows Intune is a cloud-based service that provides a client management solution for managing and securing PCs for small and midsize companies in any location over the internet. Today companies face challenges in managing PCs: think of multiple configurations, different versions and licenses. Lack of insight, and a reactive rather than proactive response to support issues, are top of mind for administrators. Windows Intune provides online PC management from anywhere over the internet. The management console is browser-based (Silverlight is required), so administrators can be anywhere. Windows Intune requires no server infrastructure, offers per-seat licensing, and is easy to deploy, use and maintain.
A Windows Live ID is required to register a Windows Intune account. The initial Live ID account automatically becomes the tenant administrator. The tenant administrator can add additional Windows Intune service administrators (by Windows Live ID) if required. Windows Intune is therefore suitable for multi-tenancy purposes. The Windows Intune Administrator console provides a clear interface to simplify administration. The health of multiple organizations, if applicable, is displayed on a single page. Further into the organization, the health of all managed clients is shown.
With Windows Intune it is possible to transfer managed clients to another organization (multi-homed clients are not supported). The clients concerned must be retired, and the Windows Intune components must be reinstalled, including the newly generated certificate. When an organization is registered, a unique certificate is generated and included with the installation source files. The private certificate is used to point managed clients to the correct organization. When extracted, the Windows Intune source files consist of 2 MSIs (x86/x64), which can be installed in several ways: manually, by group policy, or by ESD (Enterprise Software Distribution).
The Windows Intune installation downloads the agent from the Windows Intune service. The agent consists of a number of components, and a reboot is required for the Windows Intune Endpoint. When the installation completes, the agent reports to Windows Intune within 30 minutes. Ports 80 and 443 are all that is required for agent communication with the Windows Intune services, which is fine for most organizations.
During the installation of Windows Intune Agent the following components will be installed on the managed clients:
- Windows Intune
- Windows Intune Center
- Windows Intune Endpoint Protection
- Windows Intune Monitoring Agent
- Microsoft Online Management Policy Agent
- Microsoft Easy Assist
- Microsoft Platform Policy
- Microsoft Easy Assist
- Microsoft Operations Manager 2007 R2 Agent
- Windows Firewall Configuration Provider
- Microsoft Online Management Update Manager
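To confirm on a managed client that the agent installation delivered every component in the list above, the installed-software inventory can be compared against it. The following PowerShell is an added example, not part of the original post or of Windows Intune itself; the function names are hypothetical, and it assumes each component registers in the Uninstall registry keys under exactly the display name given in the list.

```powershell
# Added example, not from the original post. Names are copied from the list above;
# "Microsoft Easy Assist" appears twice there and is checked once.
# Assumption: each component registers under exactly this DisplayName.
$ExpectedComponents = @(
    'Windows Intune',
    'Windows Intune Center',
    'Windows Intune Endpoint Protection',
    'Windows Intune Monitoring Agent',
    'Microsoft Online Management Policy Agent',
    'Microsoft Easy Assist',
    'Microsoft Platform Policy',
    'Microsoft Operations Manager 2007 R2 Agent',
    'Windows Firewall Configuration Provider',
    'Microsoft Online Management Update Manager'
)

function Get-InstalledDisplayName {
    # Read both the native and the 32-bit-on-x64 uninstall views.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $paths |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName } |
        ForEach-Object { $_.DisplayName.Trim() } |
        Sort-Object -Unique
}

function Test-IntuneComponents {
    # Emit one object per expected component with a present/absent flag.
    param([string[]]$Expected, [string[]]$Installed)
    foreach ($name in $Expected) {
        New-Object PSObject -Property @{
            Component = $name
            Installed = ($Installed -contains $name)
        }
    }
}

$report = Test-IntuneComponents -Expected $ExpectedComponents -Installed (Get-InstalledDisplayName)
$report | Sort-Object Installed, Component | Format-Table Component, Installed -AutoSize
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) { Write-Warning "$($missing.Count) expected component(s) not found" }
```

Run it from an elevated prompt after the post-install reboot; a component reported as missing may simply be registered under a different display name, so check Add/Remove Programs before treating it as a failed install.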
During installation, Windows Intune Endpoint determines whether existing antivirus software is present; if not, Windows Intune Endpoint Protection is installed automatically (Microsoft Security Essentials or Forefront Endpoint Protection can be upgraded based on the existence of Endpoint Protection policies). If existing antivirus software is present and is recognized by the Windows Intune installer, it is uninstalled and Windows Intune Endpoint Protection is installed in its place. This behavior can be set up by defining Windows Intune policies as well as the configuration of Windows Intune Endpoint.
Configuration of Windows Intune agents is controlled and managed by policies. Policies enable you to centrally control settings on managed computers. After you create policies, you deploy them to one or more computer groups. More on that later. Policy settings become available to the Windows Intune agents as “updates” through Windows Intune Updates. Be careful when planning your policy update schedule, as there are some limitations in the current version of Windows Intune (low refresh interval). If Active Directory is present, make sure that group policies take precedence over Windows Intune policies. In case of Windows Intune policy conflicts, policies will be applied in order based on timestamp (date created/modified).
Three policy types are available:
- Windows Intune Agent Settings
- Windows Intune Center Settings
- Windows Firewall Settings
With Windows Intune policies you are able to tighten the security of managed computers. Alongside the Windows Intune Endpoint Protection policy, Windows Intune Firewall provides you with extensive options, including network profile and predefined firewall exceptions, which makes configuring your firewall policies easier.
Windows Intune subscriptions include license rights for Windows 7 Enterprise; activation keys are provided by Windows Intune subscribers. Additionally, Microsoft provides a broad set of guidance and tools to ease your migration to Windows 7. Tools like Microsoft Assessment Planning (MAP) and Application Compatibility Toolkit (ACT) assess your current IT environment and application compatibility, and identify virtualization candidates and Windows 7 hardware readiness.
Windows Intune is supported on the following operating systems:
- Windows XP Professional (SP2 or SP3)
- Windows Vista (Business/Enterprise/Ultimate)
- Windows 7 (Professional/Enterprise/Ultimate)
In my next post on Windows Intune I will cover creating and populating groups, the Windows Intune Update process, and proactive monitoring of managed clients by alerts, and finally software management, reporting and Remote Assistance.
Congratulations for your post, very useful to understand some concepts.
Thanks for your positive comment. Will be appreciated!
Good to have an easy overview of the system, look forward to your next post.
Thanks for your positive feedback!