Microsoft released the initial version of Windows Intune, its cloud-based PC-management service, in March 2011, providing basic Microsoft System
Center-like capabilities to a wider audience. As I explained in "Windows Intune Brings PC Management Into the Cloud,"
the initial release covered the basics (minus one glaring functional hole) and saw adoptions across a range of customer segments. Because Intune is a
cloud-based service, Microsoft isn't beholden to the slow, monolithic upgrade strategy that comes with traditional, on-premise servers. So a scant
seven months later, in October 2011, the company provided a significant update to Intune. Already, this update, which I call Intune 2, fills that
functional hole and significantly increases the value of this service.
As a refresher, Intune is essentially a standalone service that exists outside of whichever internal infrastructure you might have in your environment.
For small businesses -- even very small businesses, such as startups -- this independence from a formal infrastructure is a huge benefit.
Intune can easily manage disparate, physically isolated PCs as long as they're connected to the Internet.
For larger businesses with an Active Directory (AD) infrastructure, Intune provides basic AD acknowledgement -- it respects and gives precedence to any
Group Policies that you've established, for example -- but no true integration. This approach isn't necessarily a negative, however. According to
Microsoft, some interesting scenarios have unfolded in these businesses: Machines that are rarely or never connected directly to the local network,
such as laptops of frequent travelers or even executives' home machines, can be managed more easily using Intune than using AD. In these situations,
treating isolated machines differently often makes sense.
Intune provides a core set of functionality. You can manage individual computers or groups of computers to
- process security fixes and other updates
- ensure that each machine is up-to-date with security software, such as the Microsoft Forefront Endpoint Protection client, which resembles Microsoft Security Essentials and is provided with Intune
- receive alerts when things go awry
- view per-PC software inventories
- oversee (though not enforce) software licensing to ensure that you're in compliance
- create flat policies that are simpler than, but do not fully integrate with, AD Group Policies
- create and view reports
- accomplish other administrative duties
Unlike with System Center, you manage Intune remotely, through a simple web-based interface. Clients are monitored and updated remotely, over the
Internet. Intune is provided as a subscription service, so you pay a per-PC monthly fee. (More about licensing costs later.) Note that there are some
additional benefits to this pricing scheme, including Windows 7 Enterprise upgrade rights for each managed PC. And for an additional $1 per PC per
month, you also gain access to the excellent capabilities in the Microsoft Desktop Optimization Pack (MDOP).
On the flipside, Intune is not as full-featured as System Center, though Microsoft has been vocal about quickly achieving partial parity -- where doing
so makes sense -- through a series of updates to the service. Intune 2 is the first major step in that direction.
What's New in Intune 2: Software Distribution
When I examined the initial Intune service in early 2011, I was pretty impressed overall. (You can see my reaction in "Windows Intune Brings PC
Management Into the Cloud.") That said, I noted one major missing feature, and I had some concerns about the pricing model. I felt, and still feel,
that very small businesses are unlikely to pony up the required per-PC monthly fee, no matter how rich the experience. Microsoft has yet
to address my pricing concerns -- more on that in a bit -- but did add in that missing feature. And it's a big one: software distribution.
Thanks to Intune 2's new software-distribution functionality, you can now arbitrarily deploy software applications and updates to client PCs that are
managed by the service. Think about that for a second. The only client-side requirement is that these PCs be connected to the Internet and have the
Intune client agent installed on them. The administrator, from the simple web-based interface, can manage which applications are deployed to which PCs.
And then that happens, automatically, over the Internet.
Now, depending on the complexity of the application that you want to deploy, this process might require some work. If you've spent any time deploying
software in a managed, AD-based environment, the methodology here is second nature, and the application packages that you create are identical to those
that you'd deploy through AD or System Center. But because Intune targets a more diverse customer base, many of whom have never performed that type of
deployment, things can get a bit tricky.