The Microsoft Windows InTune service is a compelling PC management
offering for modest-size organizations that want endpoint protection,
configuration management and operating system upgrades without the
server infrastructure usually associated with these capabilities.
Microsoft doesn’t recommend Windows InTune for shops that are already
heavy users of Microsoft’s Group Policy for PC management, and the
hosted service is only intended for PC desktops and laptops, not server
systems. When a PC is managed by both Group Policy and Windows InTune,
Group Policy takes precedence over the Windows InTune agent settings,
thus eliminating most of the Windows InTune benefits.
While the Windows InTune system is a new cloud/subscription offering,
Microsoft has a host of on-premises tools for PC management, including
Forefront Endpoint Protection Suite, System Center Configuration
Manager and System Center Essentials. For the most part, organizations
that are already using one of these tools, or one of the many
competitors, likely won’t benefit from adding Windows InTune into the
mix.
Windows InTune became generally available from Microsoft on March 23
and costs $11 a month per user. Microsoft never misses a chance to move
users to the Windows 7 operating system: organizations that are using
professional or enterprise-class licenses of Windows XP can upgrade to
Windows 7 as part of the Windows InTune subscription price.
Windows InTune manages Microsoft Update requests, provides endpoint
protection from malware and reports on the software that is installed on
managed systems. Windows InTune is hosted by Microsoft and accessed through the
Internet as a cloud service. The product also depends on a client agent
that must be installed on each user system. Windows InTune can be
used on Windows XP with Service Pack 2 and newer Windows PC systems.
In addition to providing Microsoft Updates and malware protection,
Windows InTune gathers software-license usage data along with an
inventory of the software installed on managed systems. All of this
information is presented in alerts and reports that are available to
desktop administrators via a web logon to the service.
How Windows InTune Works
I tested Windows InTune starting with a late beta version and
converting to the shipping version. I used a variety of desktop, laptop
and virtual systems running in eWEEK Labs' VMware vSphere test
environment. Windows InTune does not support Mac or Linux systems or
mobile devices.
PC management platforms usually start with mapping out where the
supporting server infrastructure will be installed. Traditional PC
management tools are usually built with a central command center that
is connected to remote office depots and distribution points to keep
repetitive traffic off the WAN. All of that is gone with Windows
InTune.
Although the traditional hassle of setting up the supporting server
infrastructure is thankfully missing from Windows InTune, there is the
matter of installing the client and enrolling the managed PCs. Because
the Windows InTune client depends on an account-specific certificate
file, care must be taken that the two files are deployed together and
are both present when the client is installed on the end-user system.
During my trials, I installed the Windows InTune client on systems that
already had an endpoint protection system in place. As would be
standard practice when replacing existing antivirus systems, I
followed the installation directions and removed the other antivirus
system before installing Windows InTune. This is no small task and IT
managers should factor this time and trouble into the overall cost of
deploying the service into an existing fleet.
The Windows InTune agents are downloaded from the subscription Web
page. Once installed, the Windows InTune service worked well on my
systems. My physical and virtual client systems reported in to the
Windows InTune service without a hitch. Because the Windows InTune
client comes with the account information, there is no user
configuration required as there usually is with traditional management
systems. The Windows InTune client comes with a certificate file that
ensures that the PC agent can only connect and report to the authorized
Windows InTune account.
Administration
There are two types of administrators that can be associated with a
Windows InTune account: service and tenant. The tenant is the overall
manager and the service account is used for day-to-day operations. This
is the area where I would like to see Microsoft make significant
enhancements in future versions.
As it stood, I was able to create service accounts but I was unable to
limit these accounts to groups of users or to specific actions. Thus,
administrators in this first version of Windows InTune have overly
broad powers.
On the upside, the system has rudimentary notification rules that can
send service alerts to the right person. Windows InTune comes with 380
preconfigured alert types that cover a broad range of malware and
endpoint system problems. I associated alerts with various system
administrators so that security admins were alerted when security
problems were reported by the managed system. Likewise, I configured
system alerts about failed software installations or high disk
utilization to be routed to the help desk.
A number of basic reports are also provided with the Windows InTune
service. Updates, software and licensing data can be used to show basic
system configuration on managed systems. I expect that as the service
matures, more reports and more control over custom reporting will
become available so that system managers can get detailed information
on their fleets.