Pros & Cons
-
- Centralized way to manage critical PC housekeeping tasks.
- Eliminates need for some third-party tools.
- Can manage PCs on or off company network.
- Robust Remote Assistance support, inventory tracking and reporting
-
- No integration with Active Directory.
- Quirky workflow with PC update process.
- Policy management not as granular as Group Policy.
- Maybe expensive for some organizations.
Windows Intune Specs
| OS Compatibility: | Windows 7 |
| OS Compatibility: | Windows Vista |
| OS Compatibility: | Windows XP |
| Tech Support: | Yes. |
| Type: | Business |
| Type: | Professional |
Microsoft recently beefed up its cloud service portfolio with Windows Intune, a cloud-based PC management service. With Windows Intune, businesses can manage updates, security, and asset information as well as remotely connect to any PC within their organizations, whether the PC is on- or off-site. Combining elements of Windows Server Update Services (WSUS), Security Essentials, Microsoft Forefront, and Remote Assistance, Intune lets system administrators manage updates as well as endpoint management and security, centrally, on the client side. At $11 per PC, per month; Intune offers a centralized way to administer PCs especially for organizations with limited IT support.
Windows Intune; The Breakdown
Windows Intune isn't a replacement for Group Policy or System Center. While admins can use Intune to configure some policies, it doesn't offer policy management as granular as GP —especially for larger Windows domains and those needing to follow compliance regulations. System Center allows for more management of virtualized environments and SQL and Exchange, as well as complex infrastructure management. Intune provides a good way to manage many of the day-to-day PC housekeeping tasks that can take up a large chunk of IT's time.
While there isn't much conjecture as to how widely-adopted Intune will be by businesses, there has been some criticism about Intune's price of $11 per PC, per user. Some feel it's too expensive especially for the SMB. Although IDC published a study stating that companies saved on average $703 per PC, per year due to user productivity savings, IT staff savings, and the reduced cost of acquiring other management and security tools, I believe that the service may be expensive for some smaller organizations. Smaller businesses should do the math and figure out if Intune can actually cut costs if they are investing in other products to perform all of these critical IT functions. It's worth mentioning, the price also comes with an upgrade to Windows 7 Enterprise for XP and Vista clients.
Although Intune has some quirks associated with the update approval process, the more I used the service and the more familiar I became with the interface, the more value I found in Intune.
Administrator and Client Setup
There are two parts of the Intune service: the Administrator console and the client agent. The former is a Windows Live service that you sign up for. You can try Intune for free for 30 days and manage up to 25 PCs. Machines running the Administrator console need Silverlight 3.0 or later. The console is the dashboard for managing all PCs in an organization.
Once you have the console installed you can manually install the client agents or perform an automatic rollout with Group Policy or through System Center Configuration Manager Scripts. You can also install the client software on virtual machines. The client is the vehicle through which the Administrator controls PCs.
The Administrator Console
Access to the Administrator console requires a Windows Live ID account to access Microsoft's Online Services Customer Portal. From the portal, users can try or buy Intune. Most Administrators, after logging into the console, will only have one account with one Intune environment to manage. If a user's Windows Live ID has been granted Service or Tenant administrator rights, that user will see the Multi-Account console after log on. It's a way for Service Providers or large IT support organizations to manage multiple customers.
The Administrator console opens up a navigation panel which has links to Workspaces – the groups of features in Intune. Workspaces includes Tasks, Alerts, System and Reports as well as other management capabilities. The navigational panel reveals a System Overview that details the state of managed computers. I already had a few managed computers in my demo environment. System Overview displayed that my managed PCs had no endpoint protections issues and that I had 78 new updates to apply. Now of course, you won't see any PCs to begin with since you have to add them. Be aware, too, that it can take up to a half hour after you install client agents until information for those clients begins to appear in the Admin console interface.
There is a lot of management available in Intune. Administrators can push out updates and Service Packs to clients per a defined schedule or all at once. They can also set policies, deploy endpoint and firewall settings, view alerts, create and export reports and even check the installed software listing and licensing information of managed PCs.
Working with Intune
I tested out a couple of different tasks in the service. One thing I quickly noticed is that there is no integration with Active Directory or Group Policy. That means any organizational units (OUs) you already have configured won't transfer over into Intunes. Instead, you have to create groups and place PCs in them. Specific actions can be performed on groups such as applying policies and endpoint configurations or updates schedules.
Lack of integration with AD may be a hassle for organizations with hundreds of PCs that are already in structured OUs, although they have the ability to recreate these OUs as groups. Microsoft does not recommend using Intune policies for tasks you already have set in Group Policy. If you do, Group Policy always takes precedent.
I added a new PC to my Intune environment by installing the client. If you are wondering how a client knows which Intune environment it "belongs" to, it's due to "windowsintune.accountcert." This is a file which is a certificate that identifies your organization; each client agent install is associated with a specific Intunes account via the .accountcert file.
The Remote Assistance is a particularly handy feature, as users can request assistance from within the Intune client software. Administrators can designate an email account to forward remote assistance requests. These requests can be routed to IT support staff.
After a user sends an assistance request, admins can view the request in the Intune Administration console, almost instantaneously. The console displays the time the request was sent, who received the alert e-mail and the machine the request was sent from.
I had designated myself to receive remote support requests through email. The email had a link to view the request, but only via signing in to the Administrator console. The request has to be "accepted" in the console and Easy Assist needs to be installed on the machine from which you want to provide remote support. It's not as convoluted as it sounds, because everything is done through the console.
Remote Assistance allows desktop sharing, file transfers, chat requests and you can request a reboot and reconnect. Intunes also offers the ability to record the session.
I also went through the process of pushing updates and Windows Service Pack 1 to clients. I had to click "Approve" quite a few times in different windows to get updates installed. For instance, I clicked "Approve" when the console showed one machine in one of my groups needing SP1. I only saw a "pending installation" status after approving even though the deployment policy was set to "can request restart, will not request user input." I also had another link to approve the same update on the same group of computers, again. I approved it once again, this time setting the update deadline to "as soon as possible." After a while, I saw that the client was updated. Still, there were too many "approve" links for the same process and it was tricky figuring out if the update had happened. This particular area of the interface should be simpler, too many windows open as you go through the approval process.
Thoughts on Intune
Even though the update approval process could have a better workflow, it's still a better option than managing updates on individual machines. Having control over updates on PCs is better than having individual PCs set to run Windows Updates. Updates can sometimes break software—one good way to use Intune is to have a group of test machines to push out updates to test them and then rolling them out to production machines.
Intune may be expensive for smaller businesses. Yet, consider that it offers you an all-in-one management solution: endpoint protection, security, update management, inventory tracking, licensing and software management plus reporting. That's a lot of useful third-party software your organization can avoid purchasing.
I am concerned with how efficiently Intune manages XP clients. It seems to be tailor-made for Windows 7. In fact, on the Technet website there are a few user postings about problem pushing rollouts to XP Clients. All the more reason businesses may want to consider upgrading to Window 7. Microsoft's focus of late has been more seamless integration of Windows 7 with the cloud. If you're primarily a Microsoft shop, you'll want to take advantage of the results.
Windows Intune is a valuable service and for organizations comprised mostly of Windows PCs that need strong management—if they can afford it. Intune has a few niggling issues. It doesn't have the the granular capabilities of Group Policy, and it doesn't integrate with Active Directory. But what Windows Intune does—managing clients and the fast and furious world of Windows Updates—it does very well.
More Small Business Software Reviews:
Final Thoughts
Windows Intune
Windows Intune nicely integrates several Microsoft management products into one, centralized cloud-based system. It's a boon for reigning in management tasks in Windows-client heavy organizations