Windows InTune Orchestrates PCs via the Cloud

The new Microsoft Windows InTune subscription service keeps user desktops and laptops up-to-date and secure via a cloud-based service.

The Microsoft Windows InTune service is a compelling PC management offering for modest-size organizations that want endpoint protection, configuration management and operating system upgrades without the server infrastructure usually associated with these capabilities.

Microsoft doesn't recommend Windows InTune for shops that are already heavy users of Microsoft's Group Policy for PC management, and the hosted service is intended only for PC desktops and laptops, not server systems. When a PC is managed by both Group Policy and Windows InTune, Group Policy takes precedence over the Windows InTune agent settings, which eliminates most of the Windows InTune benefits.

While the Windows InTune system is a new cloud/subscription offering, Microsoft has a host of on-premises tools for PC management, including Forefront Endpoint Protection Suite, System Center Configuration Manager and System Center Essentials. For the most part, organizations that are already using one of these tools--or one of the many competitors--likely won't benefit from adding Windows InTune into the mix.

Windows InTune became generally available from Microsoft on March 23 and costs $11 a month per user. Never missing a chance to move users to the Windows 7 operating system, Microsoft lets organizations that are using professional or enterprise-class licenses of Windows XP upgrade to Windows 7 as part of the Windows InTune subscription price.

Windows InTune manages Microsoft Update requests, provides endpoint protection from malware and reports on the software that is installed on managed systems. Windows InTune is hosted by Microsoft and accessed through the Internet as a cloud service. The product also depends on a client agent that must be installed on each user system. Windows InTune can be used on Windows XP with Service Pack 2 and newer Windows PC systems.

In addition to providing Microsoft Updates and malware protection, Windows InTune gathers information on software-license usage along with the software installed on managed systems. All of this information is surfaced through alerts and reports that are available to desktop administrators via a web logon to the service.

How Windows InTune Works

I tested Windows InTune starting with a late beta version and converting to the shipping version. I used a variety of desktop, laptop and virtual systems running in eWEEK Labs' VMware vSphere test environment. Windows InTune does not support Mac or Linux systems or mobile devices.

PC management platforms usually start with mapping out where the supporting server infrastructure will be installed. Traditional PC management tools are usually built with a central command center that is connected to remote office depots and distribution points to keep repetitive traffic off the WAN. All of that is gone with Windows InTune.

Although the traditional hassle of setting up the supporting server infrastructure is thankfully missing from Windows InTune, there is the matter of installing the client and enrolling the managed PCs. Because the Windows InTune client depends on an account-specific certificate file, care must be taken that the two files are deployed together and are both present when the client is installed on the end-user system.

During my trials, I installed the Windows InTune client on systems that already had an endpoint protection system in place. As would be standard practice when replacing existing antivirus systems, I followed the installation directions and removed the other antivirus system before installing Windows InTune. This is no small task and IT managers should factor this time and trouble into the overall cost of deploying the service into an existing fleet.

The Windows InTune agents are downloaded from the subscription Web page. Once installed, the Windows InTune service worked well on my systems. My physical and virtual client systems reported in to the Windows InTune service without a hitch. Because the Windows InTune client comes with the account information, there is no user configuration required as there usually is with traditional management systems. The Windows InTune client comes with a certificate file that ensures that the PC agent can only connect and report to the authorized Windows InTune account.


There are two types of administrators that can be associated with a Windows InTune account: service and tenant. The tenant is the overall manager and the service account is used for day-to-day operations. This is the area where I would like to see Microsoft make significant enhancements in future versions.

As it stood, I was able to create service accounts, but I was unable to limit these accounts to groups of users or to specific actions. Thus, administrators in this first version of Windows InTune have overly broad powers.

On the upside, the system has rudimentary notification rules that can send service alerts to the right person. Windows InTune comes with 380 preconfigured alert types that cover a broad range of malware and endpoint system problems. I associated alerts with various system administrators so that security admins were alerted when security problems were reported by the managed system. Likewise, I configured system alerts about failed software installations or high disk utilization to be routed to the help desk.

A number of basic reports are also provided with the Windows InTune service. Updates, software and licensing data can be used to show basic system configuration on managed systems. I expect that as the service matures, more reports and more control over custom reporting will become available so that system managers can get detailed information on their fleets.