Windows Intune: enterprise features without IT hassles

The trouble with enterprise-class software is that you need an enterprise-class IT department to run it. For small and medium-sized businesses, that means many useful features of Windows Enterprise edition are simply impractical, not to mention too costly. The result is that PCs in those smaller organizations are managed piecemeal, with inconsistent results and, paradoxically, a greater burden on IT staff and consultants to clean up messes that could have been avoided with more consistent management.

As an alternative, Microsoft unveiled a new product this week that offers some of those enterprise-grade features in a subscription-based package aimed at businesses with 25 to 500 PCs. I got a sneak peek at Windows Intune last week and then had a chance to install the beta release on a handful of PCs here when it was officially available yesterday. Here's what you can expect.

Windows Intune is the latest addition to the Microsoft Online Services portfolio, which already includes the Business Productivity Online Standard Suite (BPOS), offering online versions of Exchange, SharePoint, Office Live Meeting, and Office Communications Online. The new offering is a cloud-based service that allows an in-house IT department or off-premises IT consultant to manage and secure PCs remotely. (The Windows Intune home page offers more information about the service. It also includes details about how to sign up for the beta, which is open to customers and partners in North America only, specifically the U.S., Canada, Mexico, and Puerto Rico.) [Update 20-Apr: After 30 hours, the beta program was filled and is now officially closed.]

Windows Intune includes a web-based console (powered by Silverlight) that gathers information from client PCs with the help of a small stack of Windows Intune software modules. Client support requires one of the business editions of Windows: XP Professional (SP2 or later, with SP3 preferred), Vista Business, or Windows 7 Professional. It runs on x86 and x64 editions.

From the console, an administrator can:

  • Track hardware and software configurations, drilling down into details about individual systems and also seeing overall usage—making it easier to manage software licensing, for example.
  • Manage antivirus protection using the integrated Windows Intune Malware Protection engine.
  • Review available updates and then push approved updates to client systems automatically.
  • Provide remote assistance to clients who need help.

Microsoft expects the beta program to run for about a year. When it launches officially, subscribers will also gain access to two additional benefits: upgrade rights to Windows 7 Enterprise edition and access to the Microsoft Desktop Optimization Pack, which includes the incredibly useful Diagnostics and Recovery Toolset (DaRT), as well as application virtualization capabilities. Currently, those features are available only to Microsoft Volume License customers who also sign up for the Software Assurance package. (How much will it cost? For a discussion of pricing, see the last page of this post.)

So what's inside Windows Intune? My hands-on report begins on the next page.

My hands-on tests of Windows Intune got off to a somewhat rocky start. I registered for the beta, got my welcome e-mail with logon instructions, and accessed the administrative console with relative ease. But when I tried to install the Windows Intune client software on an HP Pavilion Elite PC running Windows 7 Ultimate, the setup failed abruptly, leaving only a cryptic error code ("setup failed at stage 10 with error number 0x80230437").

With some help from Microsoft support engineers, I found the cause of the first problem. The system clock on the HP machine was set incorrectly—although the error was a mere 11 minutes, it was enough to prevent the installer from making a secure connection to the management server. After synchronizing the system clock with an NTP server, setup completed properly. I had no problems installing the client software on four additional PCs running a mix of Windows 7 and Windows XP.
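
The 11-minute clock error described above can be caught before the client installer runs by measuring the PC's offset with a single SNTP exchange. This is an added example, not code from the article or from Microsoft; the 300-second limit, the function names and the sample reply are assumptions constructed for illustration.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_SKEW_SECONDS = 300        # assumed tolerance, not a documented Windows Intune limit

def to_ntp(unix_time):
    """Encode Unix time as a 64-bit NTP timestamp (32-bit seconds + 32-bit fraction)."""
    ntp = unix_time + NTP_UNIX_DELTA
    seconds = int(ntp)
    return struct.pack("!II", seconds, int((ntp - seconds) * 2**32))

def from_ntp(raw):
    """Decode a 64-bit NTP timestamp into Unix time."""
    seconds, fraction = struct.unpack("!II", raw)
    return seconds - NTP_UNIX_DELTA + fraction / 2**32

def clock_offset(reply, t1, t4):
    """Return (offset, delay) in seconds; t1/t4 are local send and receive times.

    A positive offset means the local clock is behind the server.
    """
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply")
    if reply[24:32] != to_ntp(t1):
        raise ValueError("originate timestamp does not echo our request")
    t2 = from_ntp(reply[32:40])   # server receive time
    t3 = from_ntp(reply[40:48])   # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def skew_ok(offset, limit=MAX_SKEW_SECONDS):
    """True when the local clock is within the allowed distance of the server."""
    return abs(offset) <= limit

def constructed_reply(t1, server_rx, server_tx, mode=4):
    """Build a sample reply (VN=4, stratum 2) so the example runs offline."""
    header = struct.pack("!BBbb", (4 << 3) | mode, 2, 6, -20) + b"\x00" * 12
    return header + to_ntp(server_rx) + to_ntp(t1) + to_ntp(server_rx) + to_ntp(server_tx)

# Constructed scenario: the server clock is 11 minutes (660 s) ahead of the PC.
T1 = 1271700000.0
T4 = T1 + 0.041
REPLY = constructed_reply(T1, T1 + 660.020, T1 + 660.021)

if __name__ == "__main__":
    offset, delay = clock_offset(REPLY, T1, T4)
    print(f"offset {offset:+.3f}s, delay {delay:.3f}s, within limit: {skew_ok(offset)}")
```

The originate-timestamp check rejects replies that do not answer the request that was actually sent, so a stray or replayed packet cannot mask a real skew.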

The client installer is relatively small: roughly 9MB and 12MB for the 32-bit and 64-bit versions, respectively. After installation completes, the Windows Intune client goes out and installs some additional modules. In all, each client includes 11 separate software modules taking up roughly 60MB of disk space.

It took between 30 minutes and an hour for each client PC to check in via the cloud service so that I could view its status in the Windows Intune console. On the client side, I noticed that the Microsoft Antimalware engine had replaced the installed copies of Microsoft Security Essentials. (None of my test PCs were using third-party antivirus software; if they had been, I would have been prompted to uninstall that software and use the Microsoft solution in its place.)

The Windows Intune management console runs in any browser as long as Silverlight is installed. I tested it on IE7 and IE8, Safari, Firefox, and Google Chrome, all without incident. A clean System Overview page lists any tasks that need to be completed as well as overall system status for all managed PCs.

From the Computers pane, you can view all managed PCs (and organize them into groups, if necessary). Because each PC reports its status at regular intervals to the Windows Intune service, you can identify specific issues for each one. In this example, I need to approve some newly delivered updates for a Windows XP machine.

The Updates console provides an exhaustive list of all available updates and gives administrators the option to filter, search, and then approve or decline updates individually or in bulk. Its capabilities are similar to those offered by a local machine running Windows Server Update Services, except that the back end is managed at Microsoft's data center.

From the console, admins can also view an inventory of installed software and get an up-to-date hardware configuration profile for each client PC. That's handy for identifying third-party programs that need updates; it's also useful for tracking down unauthorized or improperly licensed software installations.

Alerts are available in just about every console view. A consolidated Alerts dashboard makes it easy for admins to identify issues that require immediate attention.

What does the client see? And what's missing from Windows Intune?

From the client's perspective, Windows Intune is nearly invisible. The Windows Intune Malware Protection window is nearly identical to the Microsoft Security Essentials interface. That's not surprising, given that it uses the same engine (which in turn is the same engine used in Microsoft's enterprise-class ForeFront product). The only other indication that the client software is installed is a small Windows Intune Tools option on the Programs menu, which leads to these choices:

The first two choices should be fairly self-explanatory. That last option sends a request for remote assistance to the administrator, who can use the Microsoft Easy Assist program (a variant of Microsoft Live Meeting) to share the remote user's screen and troubleshoot without having to make an onsite visit.

So, what's missing from Windows Intune? A few pieces that should be part of a comprehensive management program aren't there yet:

  • Third-party software management should be part of this package but isn't yet. Given the recent trend of using vulnerabilities in programs like Adobe Reader as a vector for malware, that is a big gap.
  • There's no backup option at all. If a subscriber is also using hosted versions of Exchange and SharePoint, their e-mail and data files stored in SharePoint are covered. But I would hope some sort of online backup and synchronization option for important local files will be available by the time this product ships.
  • Centralized policy management isn't available. Group Policy is the big selling point for enterprises that are managed as part of a Windows domain. In the Windows Intune environment, users can still install untrusted or unauthorized programs, and it's up to an administrator to monitor those installations after the fact.

And then, of course, there's the price. Or rather, the lack of one. The beta is free, and Microsoft hasn't settled on a final price for this subscription yet. Sandrine Skinner, Director of Product Management for the Windows Client group producing Windows Intune, told me, "We're not trying to be difficult, we're still working out those details."

At a price of $10 per PC per month or less, this strikes me as a good bargain, especially given the included upgrade to Windows Enterprise edition and the availability of the MDOP tools. If it saved even a single site visit from an IT consultant each month for a business with 25 PCs, it would pay for itself at that price.

But what would you pay for a service like this? And what else would you like to see included?