Microsoft's Windows InTune: This could be big

John Joyner offers a detailed look at Windows Intune, a cloud-based PC management product that could be a big hit for SMBs that need help with managing updates and anti-malware protection.

Managing anti-virus and operating system updates on employee computers is a top priority for companies. We know that if no one looks after these tasks, our company is open to more liability, possible work outages, data theft -- lots of bad stuff. Microsoft has a new product for small to medium businesses called Windows InTune. It's a true cloud-based PC management product that does a good job of handling the PC updating and anti-malware management everyone needs. The product looks like a great fit for the very small shop, and also for a very distributed company of any size.

How it works (high-level)

After you purchase an InTune subscription, you get a unique InTune agent install file customized to know it is part of your company's subscription. You install the InTune management agent on each PC in the company. The agent wakes up and pulls its configuration over the Internet from the Microsoft InTune cloud, and installs the Forefront Endpoint Protection agent for anti-virus/anti-malware protection.

On an ongoing basis, the InTune agent keeps the Windows operating system and applications updated, and the anti-malware software configured to your company policies. You get near-real-time email alerts of malware outbreaks in your company. If this product lives up to its potential, it could be a big win for Microsoft, its customers, and even Microsoft partners. Figure A shows the web-based InTune administration console as you see it after logging in over the Internet.

Figure A - The InTune administration console: Your PC management dashboard in the Microsoft cloud

Meeting the business need for a secure workplace

We need to know that all our company computers have anti-malware installed, that the anti-malware software is running and updated, and what the status is of critical and security updates for Windows, Office, IE, and other applications. For the small and mid-size company network administrator, a simple and effective way to do these tasks from the same console would really be welcome.

A typical network might use the free Windows Server Update Services (WSUS) application for management of general operating system, application and driver patching, and a security vendor's anti-malware management application, such as McAfee's ePolicy Orchestrator or Symantec's AntiVirus Corporate Edition. Some downsides to these approaches are the dependence on Active Directory group policy in the case of WSUS, and the overhead of maintaining another vendor relationship and management stack for the dedicated security applications like McAfee and Symantec.

There are on-premise complete PC-management solutions that combine updating and anti-malware, such as Microsoft's System Center Configuration Manager 2007 R3 with built-in support for Forefront Endpoint Protection 2010 deployment, and many competitive offerings in the business PC management and help desk markets. These "all in one management environments" can have a steep learning curve, a high care and feeding cost, and be overkill in some environments.

Insufficient resources (time, people, and tools) to properly manage critical PC update and malware-protection tasks are a common problem at companies. Many companies seek outsourcing of these tasks, and/or cloud-based PC management products, to ease the burdens of compliance and security.

Microsoft's new solution for PC management from the cloud

Microsoft released InTune in March 2011. We worked with InTune during the beta cycle, both in-house, and at a few customer sites. Numerous times malware was detected, cleaned, and alerted on. The updating piece is pretty much set and forget. If there are updating exceptions (PCs with update failures, for example), they are simple to identify and follow up on. InTune got a thumbs up from our beta testers for handling update installation.

The retail price of an InTune seat is $11 per month. That price includes the anti-malware agent and updates, and Windows 7 upgrade and downgrade rights for any PC with an InTune license. There are volume discounts available above 250 seats. InTune does not require or even care about your Windows domain(s) or workgroups; each InTune client reports directly to the Microsoft cloud, where the administrator sees a combined status dashboard in a web browser.

A capable anti-virus product

The anti-virus/anti-malware component downloaded, installed, and configured by InTune is the Forefront Endpoint Protection (FEP) agent, the same enterprise anti-malware product IT customers can license and install manually, or automatically using System Center Configuration Manager. People have great reactions to the FEP client. The FEP client builds on Microsoft's former Forefront Client Security (FCS) product, with a noticeable performance boost. It is nimble for such a scanning utility, with very fast scan times and a small system footprint.

Software inventory in the cloud

InTune leverages the vast Microsoft cloud database of known PC applications to identify and assemble a software inventory of what's installed on your PCs. Figure B shows the software inventory reporting feature of InTune.

Figure B - The online inventory report of installed PC software can be exported to an .HTML or a .CSV file

There is a Microsoft Partner model available. Companies with InTune subscriptions can authorize a service provider to manage PCs on their behalf. The service provider can receive the InTune notifications and perform follow up according to the terms of a service level agreement. Partners that refer customers to InTune receive a small bounty and a slim share of the subscription revenue in future years.

Room for improvement in some areas

A downside to the current InTune release is that servers are not supported; you can only install the InTune client on client PCs. Another missing feature is more detail in the notification emails about malware events. These alerts are generic, such as "a new type of malware was seen," and usually require drilling into the web-based GUI to find more details, such as the names of the computer(s) involved.

Recommended next reading

Springboard Series for Windows InTune

(Click on the FAQ link there to see tons of details about the InTune service.)

Interesting

InTune Service Status Page

(Microsoft self-discloses current and historical InTune datacenter availability.)

About

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...

10 comments
somethinggood4

The Windows Update client seizes control of my computer (XP, SP3) and grinds everything to a near-halt. Had to turn off auto updates on my machine at work, so that I could be sure to be uninterrupted. If this product hogs resources like wuauclt, I wouldn't go anywhere near it.

TAPhilo

Sounds like marketing got involved and told them to put the word "cloud" in there. "cloud" services is the solution to everything it seems. If they put it at $5 a seat I could see it taking off - that's only $60 a year per person and that - to finance people that is reasonable. Plus if you teach your people, have good firewall and other IDS systems running, this is just a third tier and thus it SHOULD NOT be that much. It is another due diligence for shareholders / government edicts. For any company above 200 seats I would skip it - it starts costing more for it and the local maintenance still required than doing it all inhouse. A simple cost / benefit analysis can prove that. It is better to have 10 million subscribers at $5 a month than a million at $11.

deonlab

Microsoft is now bringing out new ideas left right and center. They will only go with the ideas that make them money. Agree it is a need that can be filled. But this computer company has only gone through with the ideas that make them money. They will never give something away for free! How is this: I have paid to use Windows 7 and update the pc via the update service, now they want me to pay more for basically the same thing. They can go and redo/ rebuild the auto update function within win 7, but no they will rather call it a new product and make as if every win pc has to have it. Microsoft makes huge bucks out of companies so they are just pushing more products into that market, it is going to fail somewhere down the line. Oh after all this do they give some sort of GUARANTEE? for this PAID service? If not I will do it myself so if something goes wrong it is only me to blame as MS won't take responsibility.

gordondavey

A couple of years ago Dell bought SaaS systems management specialists "EverDream" and have turned it into Dell Distributed Device Manager (DDM). It effectively uses the same architecture principles as Intune, but has far more features and functionality, and is way more mature! Worth checking out - www.dellitsaas.com

coldbrew

They do the same and over a 3 year period they are cost effective. It is interesting. We were faced with this same issue for auditing compliance over 2 years ago.

daryl95008

Add support for servers, 3rd party apps, and a privilege manager and this would be the total solution. There are other providers offering similar cloud solutions at $54/user/yr. Microsoft needs to lower their prices.

Bruno Fonseca

At almost 80k for 3 years for a company of 200 users plus the costs of upgrading bandwidth, I haven't done the math but it seems like my Kace appliance and McAfee Total Protection for Endpoint is a cheaper solution over the same period and does much more including NAC, 3rd Party Updates and Software deployment...

Durrp

If this had 3rd party support it would be nifty. WSUS works fine without the monthly cost.

ylto

Has some nice centralized management and reporting features, but 1) doesn't save on bandwidth that I can tell and 2) doesn't support 3rd party app updates. Given there are free products for managing this locally that do have more features, Intune seems like a nonstarter for me. I'll use it within a VERY narrow scope for my clients if they don't mind the additional cost, but I certainly won't be pitching it. Add the ability to do 3rd party app updates (iTunes / Browsers / Adobe Reader / Flash come to mind) and this looks a little better. It's definitely no replacement for WSUS where it's already in place.

nwallette

It never fails to surprise me how much potential there is for a decent management utility, and how that void is never filled. WSUS is too limited in ability, Systems Center products seem so poorly designed and over-complicated, and this... Do their product teams even know each other?