Revisiting Microsoft Intune for Cloud-based Systems Management

Patching, Inventory, Remote Control, and Pushing Policies from the Cloud

When Microsoft Intune first came out a couple of years ago at well over $15/user per month and effectively only did patching of systems from the cloud, I wondered who the heck would pay that much money for something you can do for free (simply using Windows Update from the cloud).  But that was version 1.0 of Intune, or what Microsoft officially called Wave “A” of the product.

Here we are, two years later and on Wave “C” (ie: v3.0 of the product), and I’d have to say we have a LOT of our customers in the process of moving to Intune.  Why?  Here’s what Intune provides now for a monthly subscription cost of $11/user/month (retail; cheaper if you have more than 250 users, already have an Enterprise Agreement with Software Assurance, etc):

  • Upgrade rights for Windows 7 Enterprise:  For all of your Windows computers, you can upgrade them to Windows 7 (and Windows 8) without having to buy a separate Windows license.  It’s effectively Software Assurance for Windows AND it’s the “Enterprise” edition of Windows, which small businesses typically can’t buy (unless they sign an Enterprise Agreement, which typically only breaks even for orgs with more than 220 users).  Windows Enterprise gives you things like DirectAccess, BranchCache, BitLocker, AppLocker, rights to run Windows in a VDI environment, and multi-lingual user support.
  • Centralized Administration Console:  Intune has a centralized (web-based) admin console where the administrator can see Intune managed desktops, laptops, and mobile phones at a glance, see the patch/update status, dig in to hardware/software inventory, apply policies, etc.
  • Hardware and Software Inventory:  Your endpoints will be scanned and all hardware / software inventory will be uploaded to the centralized Intune admin console, so you can get an accurate inventory of software installed and in use on computers, as well as do hardware validation to confirm whether systems are capable of running Windows 7 or 8, are running out of disk space, or the like.  Note:  Inventory is done on Windows clients AND mobile phones, so you can do mobile device management with Intune.
  • Mobile Phone Management:  On the topic of mobile phone management, Intune will inventory and control policies for mobile phones including Windows Phone 7 and later, Apple iOS 4.x / 5.x and later (ie: iPads and iPhones), and Android v2.1 and later.  Mobile phone management with Intune is integrated with ActiveSync, so the phone needs to sync with something like Microsoft Exchange where the Intune policies and management are enforced through a sync with Exchange.
  • Software Patching / Updating:  Intune patches and updates Windows client systems that are “joined” to a Microsoft Active Directory domain as well as systems that are NOT joined to Active Directory.  This is a big thing, as many on-premise products require the managed Windows system to be AD joined; Intune provides the same capabilities for standalone systems.
  • Software Catalog / Software Distribution:  Intune provides a “software catalog” where an organization can upload packages that users can then download and install on their computers, things like Visio, Office, Lync client, Java apps, Adobe Acrobat, AutoCAD, etc.  For Windows-based systems, software in the Software Catalog can be tagged to be pushed to Intune managed Windows endpoints automatically.  This gives the organization the ability to do either direct Software Distribution or, more benignly, let users log on to an “App Catalog” and pick/choose applications and download/install them on their own.  The organization can create its own packages and put them in its own Intune online catalog so that specific features can be installed on user systems based on how the organization wants the app installed.
  • Anti-Malware:  Intune also includes anti-malware (anti-virus/anti-spam) endpoint protection software as part of the license, so you can ensure endpoints are protected, and leverage the patching/update capability of Intune to keep the signature files for anti-malware up to date.  Microsoft uses the same technology as it provides in System Center 2012 Endpoint Protection, so this is an enterprise class anti-malware solution.
  • Remote Control:  Intune provides the ability for administrators to remotely control Windows endpoints to provide helpdesk support of users no matter where they are, and again, regardless of whether the endpoint system is domain attached or not.  Intune is one of the BEST solutions available for simple remote control support for any managed endpoint system because of the flexibility of remote control supporting domain attached and non-domain attached Windows endpoints.
  • Active Directory Federation:  This is a slick function built in to Intune, effectively the ability to sync the organization’s Active Directory with Intune so that policies, management, etc are done in association with “user accounts” in Active Directory as it relates to managed Intune endpoints.  So when Intune identifies an iPhone and a Windows tablet under Intune management, those devices are associated with an authorized AD user.  This makes user / device association, identification, and ultimately device policy management easier as policies can be applied by AD user…
  • Policies/Settings Management:  Intune provides organizations the ability to push policies and settings to endpoint systems, similar to “group policies” when a system is connected to a corporate network, but since these endpoints are not necessarily domain joined and connected to the corporate network, these policies / settings can be applied to “any” Intune managed endpoint, domain attached or not.
  • Proactive Alerting:  Intune has the ability to provide system “health” information back to the Intune console for pre-defined monitoring tasks that impact the overall “health” of the managed endpoint.  The Intune administrator can see and report on the health of systems many times before users call in with a problem.
  • License Agreement Management:  Intune has the ability for organizations to import (or manually key in) licenses (Microsoft and non-Microsoft) that the organization has purchased, and then compare the license entitlement with what Intune finds in the inventory compilation process.  This helps organizations understand any gaps in licensing, and can proactively manage licenses (ie: delete software on systems that do not need the software) to remain in compliance with software entitlements.

So what’s not in Intune that some orgs may want/need:

  • Apple Mac Management:  Currently, Intune does not provide any endpoint management for Apple Macs, whether that’s patching, software distribution, remote control, or anti-malware.  This is something Microsoft will no doubt provide support for in an upcoming release, given that with System Center 2012 SP1 on-premise, Microsoft is including a Mac management agent as well as Endpoint Protection (anti-malware) for Macs.
  • Over the Air Updates of Mobile Devices:  Intune currently does not push updates “over the air” to mobile devices, so despite things like Apple iOS v5.x and v6.x devices having the ability to do updates over the air, Intune cannot force updates right now.  Organizations CAN generate a report to identify that a mobile phone might be running a “bad” version of OS like iOS 6.0 that should be updated to a more current version to fix the ActiveSync bug in 6.0 that then allows IT to notify the user to update their device, so this can be done through notification, just not active forcing right now.
  • Operating System Deployment:  Intune will not push out an operating system to endpoints, such as a Windows XP to Windows 7 upgrade.  Most OS images are 2 GB, 5 GB, or 10 GB in size, so trying to push a full OS from the cloud could suck up a lot of bandwidth; as such, OS deployments are currently on-premise only.
  • Integration with System Center 2012 On-Premise:  Currently Intune is standalone, managed from a Cloud-based admin console, and does not tie into an organization’s on-premise System Center 2012 Configuration Manager console; however, in the next major release of Intune from Microsoft (called Wave “D”), it has been stated that Microsoft will provide SCCM/2012 integration and management with Intune.
  • Management of Servers:  Currently Intune is focused on managing client endpoints like desktops, laptops, and mobile phones; it does not manage servers in the datacenter.  For datacenter server management, Microsoft’s solution is System Center 2012 Configuration Manager on-premise.  Microsoft has made no reference to supporting servers with Intune in the future yet, so for now and the foreseeable future, it would seem an on-premise System Center 2012 solution is still best for server management.
  • Enterprise Helpdesk:  Intune has a “light” central admin console, it provides views of software inventory, hardware inventory, status of patches and updates, and the like, but it is not a full blown helpdesk system.  Users can submit a request for support, and admins can use the Intune admin console to remote control an endpoint system, however if you are looking for a full helpdesk system where support tickets can be entered, incidents can be delegated, support information provided, and open tickets recorded and reported, currently Microsoft only provides System Center 2012 Service Manager on-premise as the solution.  The use of SC/2012 Service Manager is in line with Microsoft’s focus of providing datacenter support with the on-premise System Center 2012 product that also includes server management, server patching/updating, virtual machine management, and enterprise datacenter monitoring, all components of SC/2012.

So where does Intune fit in?  It most certainly fits in to small-ish organizations (under 500 users) that have primarily Windows-based systems as well as a mixed variety of mobile phones and tablets (ie: Windows, Apple, Android) where the organization wants endpoint management, remote control support for PCs, anti-malware, inventory, policy management, etc and doesn’t want to set up servers in-house.  This fits very well with organizations moving to Office 365 in the cloud: as the organization leverages Exchange / Lync / SharePoint in the cloud and gets rid of internal servers for those resources, following suit with Intune for endpoint management tends to be the next step where it makes sense.

Intune fits mid and large size organizations in strategic areas.  As an example, we had a client that had thousands of users and a full System Center 2012 on-premise implementation to support servers and client systems that it intends to keep, but also had a remote office that was not easy to fit into the traditional endpoint management of System Center (ie: systems were not joined to the domain, systems were mostly mobile users, lots of systems were BYOD user owned, and the organization needed to ensure it could monitor and track anti-malware and enforce certain policies, but in a lighter manner than traditional domain-attached systems).  Intune fit this environment perfectly as it addressed the management needs without the big brother footprint.

Another environment where Intune fit perfectly was an organization that had kiosks and remote systems that were internet connected, but not domain attached (thousands of these systems worldwide).  By installing Intune on the systems, the organization was able to apply policies, identify the systems, and control the systems, but it required far less overhead than putting on VPN clients, implementing WAN connections, domain attachment of the endpoints, or the like.

Can’t say that Intune is perfect for everyone right now; if the org has a lot of Macs or is looking for an OS Deployment solution or server management solution, the organization can look at System Center 2012 on-premise or wait for an upcoming update from Microsoft to Wave “D” of Intune (the waves seem to arrive every 6-9 months; this latest Wave “C” came out June/2012).  As with any service in the cloud, the major releases come pretty frequently, and if it has been more than a year since you tried something or checked up on something, you need to re-review the solution, as the cloud solution may well have the full support you are looking for now.

Hope this helps, a bit of an inside view of Intune in the cloud!

I’ve done several other postings on Windows Server 2012 and Exchange 2013; just click the Next Article or Previous Article buttons on this blog post to get to other articles I’ve covered, or to see a listing of all of the various blog posts I’ve done over the years.  Hopefully this information is helpful!

Rand Morimoto is the President of Convergent Computing (
an early adopter partner of Microsoft that works with Microsoft technologies 2-3 years before the products are released to the general public.  Rand is the author of the books “Windows Server 2012 Unleashed”, over 1,565 pages of tips, tricks, best practices, and lessons learned on Windows 2012 by Sams Publishing; “Exchange 2013 Unleashed”, the first book in the world on Exchange 2013, based on over a year of early adopter production implementations of the latest version of Exchange; and “System Center 2012 Unleashed”, a 1,000+ page book released in the Spring of 2012 based on over 2-1/2 years of early adopter deployments of System Center 2012.
