Windows Intune

Systems management tools are often expensive and complex, requiring a dedicated infrastructure. Targeted at large enterprises, they're well placed to manage hundreds, if not thousands, of desktops. So what happens if you need to manage ten or twenty — or just three or four — PCs? That's where Microsoft's new cloud-based IT management solution, Windows Intune comes in.

Best thought of as a cloud-hosted mashup of Windows System Update Services and System Center Essentials, Intune is a simple management tool designed for workgroup devices. There's no need for client machines to be part of an Active Directory domain, and no need to install a server, making it an ideal solution for managing small office/home office networks and for keeping control of the PCs in a branch office.

Installation
Intune is simple enough to use. Log in, and you're presented with a Silverlight user interface that's reminiscent of the desktop System Center product. A menu pane lets you switch between different views, with each view loading quickly. If you're new to Intune you'll start in the System Overview as it's here you'll get quick access to tasks — and also where you can download the client software.

Along with its management agent, Intune's client software includes a version of Forefront Endpoint Protection, replacing the anti-malware tools on a managed PC

All the PCs and notebooks you're managing need to have agent software installed on them, to report system health back to the Intune service and to manage update deployment. The agent also includes an endpoint security tool based on the Forefront Endpoint Protection tools, giving Intune users enterprise-grade security. Once you've downloaded the client software, it's easy enough to put it onto a USB stick to manage multiple installs. The client software comes with a bundled security certificate, and you'll need to ensure that this is kept with the installer, as it's needed to associate an Intune agent with an online Intune account. The beta version of Intune had separate 32- and 64-bit agent installers, which have been brought together in the final release to simplify deployment.

Once PCs have accounts you can sort them into groups to simplify management. All you need to do is switch to the Computers workspace, where you can create and manage groups, adding appropriate PCs to each group. There's no restriction on the number of groups, and it's up to you just what groups you create — perhaps one for office desktops and one for notebooks. You can drill down into each individual machine's status, checking for alerts and updates that need to be deployed. Other options let you see what software is installed where, helping you pinpoint potential problems.

Security and updates
Intune is clear and easy to use, allowing you to monitor basic security and update status without leaving your browser. You can quickly see what updates need to be approved, and then select the machines that need to be updated. Drilling down, you get details of each update, with details of exactly what they're for so you can choose what to deploy and when. The Endpoint Protection section monitors the security client installed alongside the Intune agent software, giving you an overview of detected malware and the ability to manage your response centrally.

Drilling down into Intune's update list allows you to see just what each update is, so you can approve the updates you want to deploy

Update management is probably the most complex task in Intune, and it really does make it easy for even part-time administrators. Choosing what to deploy is just a couple of clicks — and if an update is a critical security patch you can set a deadline for when it's to be installed. If deadlines aren't met you'll be alerted, and can then choose just how to encourage delinquent users to install necessary updates! You don't need to manually approve every update, as there's the option of automatically approving certain classes of updates. This lets you automatically approve security updates, say, while controlling application updates until they've been tested for compatibility. If you've got an enterprise agreement with Microsoft you can also use Intune to manage licences, helping ensure compliance. There's only support for Microsoft's licence formats at this point, but Intune can provide a software audit for all managed PCs, so it can still be used to monitor compliance with other licensing agreements.

Large-scale Windows management is policy driven, and it's not surprising that Intune comes with its own policy management tools. There's deliberately no crossover with Active Directory policies, as Intune PCs can be separately managed through Active Directory. Instead you're able to set policies for Intune Agents, and for the Intune Center desktop application — as well as managing the firewall settings on remote PCs. Policies can handle endpoint protection operations, ensuring PCs are scanned regularly. You can also use them to manage update deployments, including enforcing system restarts if they're necessary.

Alerts and support requests
Alerts are an important part of Intune, and there's a whole section of the service devoted to managing alerts. There's an overview to show you what's most important, and you can then drill down into the current set of alerts and choose what to respond to, and how. Alerts can be managed inside Intune, or you can arrange to have them emailed to administrators who can then triage in their inbox before working with the most important tasks.

Users can make support requests via Intune, using the Easy Assist cloud-hosted support tool. You can use this to chat with users, share desktops and upload and download files — letting you work with a user wherever they might be. The service works well when you have remote users, as all you need is an internet connection. There are some idiosyncrasies with Easy Assist, though, and it feels a little odd to find yourself on a Live Meeting site in order to set up a connection.

One of the biggest changes between the release version of Intune and the beta we looked at back in 2010 is support for multiple accounts. If you're an ISV or a consultant supporting several small businesses, this is where you're able to quickly see the health of your clients' networks. You'll be able to see if agents have deployed correctly, and if there are any alerts or updates needing to be deployed.

Conclusions
Cloud tools certainly simplify things for small and medium-sized businesses. There's no need for additional infrastructure, and complex tools can be wrapped in a way that makes them accessible even for part-time IT professionals. It's good to see Microsoft finally rolling out Windows Intune, as it's something that's been needed for a long time. It's not everything you'll need to manage a small network, but it's more than enough to get started and to stay on top of key issues (such as updates and PC security). The cloud approach means Microsoft will be able to add extra features to Intune quickly without you needing to install new versions — something we're definitely looking forward to!

Pricing is good, with the option of a 30-day free trial for up to 25 PCs. If you decide to purchase Intune it's priced at £7.25 per PC per month. The paid subscription also includes upgrade rights for every managed PC to Windows 7 Enterprise.