John Joyner offers a detailed look at Windows Intune, a cloud-based PC management product that could be a big hit for SMBs that need help with managing updates and anti-malware protection.
Management of the anti-virus and operating system updates on employee computers is a top priority for companies. We know that if no one looks after these tasks, our company is open to more liability, possible work outages, data theft -- lots of bad stuff. Microsoft has a new product for the small to medium business called Windows InTune. It's a true cloud-based PC management product that does a good job at handling the PC updating and the anti-malware management everyone needs. The product looks like a great fit for the very small shop, also for a very distributed company of any size.
How it works (high-level)
After you purchase an InTune subscription, you get a unique InTune agent install file customized to know it is part of your company's subscription. You install the InTune management agent on each PC in the company. The agent wakes up and pulls its configuration over the Internet from the Microsoft InTune cloud, and installs the Forefront Endpoint Protection agent for anti-virus/anti-malware protection.On an ongoing basis, the InTune agent keeps the Windows operating system and applications updated, and the anti-malware software configured to your company policies. You get near-real-time email alerts of malware outbreaks in your company. If this product lives up to its potential, it could be a big win for Microsoft, its customers, and even Microsoft partners. Figure A shows the web-based InTune administration console as you see it after logging in over the Internet.
Figure A - The InTune administration console: Your PC management dashboard in the Microsoft cloud
Meeting the business need for a secure workplace
We need to know that all our company computers have anti-malware installed, and that the anti-malware software is running, and is updated; as well as knowing the status of critical and security updates for Windows, Office, IE, and other applications. For the small and mid-size company network administrator, a simple and effective way to do these tasks with the same console would really be welcome.
A typical network might use the free Windows Server Update Services (WSUS) application for management of general operating system, application and driver patching, and a security vendor's anti-malware management application, such as McAfee's ePolicy Orchestrator or Symantec's AntiVirus Corporate Edition. Some downsides to these approaches are the dependence on Active Directory group policy in the case of WSUS, and the overhead of maintaining another vendor relationship and management stack for the dedicated security applications like McAfee and Symantec.
There are on-premise complete PC-management solutions that combine updating and anti-malware, such as Microsoft's System Center Configuration Manager 2007 R3 with built-in support for Forefront Endpoint Protection 2010 deployment, and many competitive offerings in the business PC management and help desk markets. These "all in one management environments" can have a steep learning curve, a high care and feeding cost, and be overkill in some environments.
Insufficient resources (time, people, and tools) to properly manage critical PC update and malware-protection tasks are a common problem at companies. Many companies seek outsourcing of these tasks, and/or cloud-based PC management products, to ease the burdens of compliance and security.
Microsoft's new solution for PC management from the cloud
Microsoft released InTune in March 2011. We worked with InTune during the beta cycle, both in-house, and at a few customer sites. Numerous times malware was detected, cleaned, and alerted on. The updating piece is pretty much set and forget. If there are updating exceptions (PCs with update failures, for example), they are simple to identify and follow up on. InTune got a thumbs up from our beta testers for handling update installation.
The retail price of an InTune seat is $11 per month. That price includes the anti-malware agent and updates, and Windows 7 upgrade and downgrade rights for any PC with an InTune license. There are volume discounts available above 250 seats. InTune does not require or even care about your Windows domain(s) or workgroups; each InTune client reports directly to the Microsoft cloud, where the administrator sees a combined status dashboard in a web browser.
A capable anti-virus product
The anti-virus/anti-malware component downloaded, installed, and configured by InTune is the Forefront Endpoint Protection (FEP) agent, the same enterprise anti-malware product IT customers can license and install manually, or automatically using System Center Configuration Manager. People have great reactions to the FEP client. The FEP client builds on Microsoft's former Forefront Client Security (FCS) product, with a noticeable performance boost. It is nimble for such a scanning utility, with very fast scan times and a small system footprint.
Software inventory in the cloudInTune leverages the vast Microsoft cloud database of known PC applications to identify and assemble a software inventory of what's installed on your PCs. Figure B shows the software inventory reporting feature of InTune.
Figure B - The online inventory report of installed PC software can be exported to an .HTML or a .CSV file
There is a Microsoft Partner model available. Companies with InTune subscriptions can authorize a service provider to manage PCs on their behalf. The service provider can receive the InTune notifications and perform follow up according to the terms of a service level agreement. Partners that refer customers to InTune receive a small bounty and a slim share of the subscription revenue in future years.
Room for improvement in some areas
A downside to the current InTune release is that servers are not supported; you can only install the InTune client on client PC computers. Another feature lacking is more detail in the notification emails about malware events. These alerts are generic, such as "a new type of malware was seen," usually requiring drilling into the web-based GUI to find more details, such as the names of the computer(s) involved.
Recommended next reading
(Click on the FAQ link there to see tons of details about the InTune service.)
(Microsoft self-discloses current and historical InTune datacenter availability.)