Microsoft’s Windows Intune, which launched in March, lets you remotely secure, monitor, manage, and assist PCs via the Internet. One of the first cloud-based PC management systems available, it’s basically a streamlined, less-expensive variant of Microsoft’s long-lived Systems Management Server (SMS).
Intune is a great value for smaller organizations that don’t already have a PC management tool. But larger organizations can use it to help manage the mobile workers’ laptops. IT providers can use it to manage corporate clients.
[See our slideshow for a tour of how Intune works]
In this article, I’ll explain the major features of Windows Intune, and how to get started with the service. Since the administration console of Intune is Web-based and Microsoft-hosted, there’s no server to set up. You use an online console to centrally manage client computers; and from the console, you can check computer statistics, change settings, deploy software, and provide remote assistance anywhere in the world via the Internet.
What Does Intune Include?
Microsoft charges $11 per PC per month for the cloud-based service, and the price includes a free upgrade to Windows 7 Enterprise (and future versions) for each PC. Microsoft offers a 30-day free trial for up to 25 client PCs. After that you can purchase licenses for up to 20,000 PCs with no minimum number.
Windows Intune provides nine main features and coverage areas.
Malware protection: Intune Endpoint Protection is built to protect client computers against viruses, spyware, and other malware. It’s similar to Microsoft’s Forefront Endpoint Protection (FEP) and to the free Microsoft Security Essentials for consumers. You can push antivirus settings to the clients via policies, and you can remotely start scans and update virus definitions.
Windows Firewall customization: You can also push the main settings for Windows Firewall to clients by creating policies.
Remote assistance: This feature enables users to request remote assistance from administrators via the client software, which is called Windows Intune Center. Once you accept and start the assistance, Microsoft Easy Assist handles the remote connection. It supports text chat, file transfers, and desktop and software sharing.
Alerts and notifications: After logging on to the admin console, you can see alerts about issues involving your clients, and you can arrange to have email notifications sent to customizable recipients by alert type. Alerts aren’t limited to addressing the update status or security status of clients. Other alerts cover such health and security issues as crashing, memory failures, disk corruption, and browsing errors. These alerts let you monitor PCs and possibly recognize problems before they become major issues.
Software distribution: You can push Microsoft and other third-party software programs out to clients in the form of EXE, MSI, or MSP files, but they must support silent installation, without any user interaction required. You upload the installation files to your freely provided Windows Azure online storage space, and Intune downloads the files from there when it deploys them to clients. You can even specify prerequisites for the clients, such as supported OSs or updates.
Windows update management: This capability lets you view updates for Windows, service packs, and applications that are installed on client PCs. You can also limit installation of updates.
Installed software: The option to view installed software covers program information (including version number and vendor name) for the software on each client–a great convenience when you’re taking inventory of software or you’re troubleshooting software problems.
Hardware information: You can view the hardware details of each PC you mange with Intune, including system, processor, BIOS, disk, network adapter, video controller, monitor, and printer information.
Software license tracking: This functionality can help you track used and available seats for your software titles from Microsoft Volume Licensing, Microsoft Retail Licenses, Original Equipment Manufacturer (OEM) licenses for Microsoft software, and third-party software licenses.
What Your Clients Need for Intune
The computers or clients that you want to manage remotely with Intune must be running one of the following editions of Windows (in either 32-bit or 64-bit): Windows XP Professional, Service Pack 2 or SP 3; Windows Vista Enterprise, Ultimate, or Business edition; or Windows 7 Enterprise, Ultimate, or Professional edition.
Each PC that you enroll is eligible for a free upgrade to Windows 7 Enterprise (and to future Windows versions), but the PC must already be running a Business, Professional, Ultimate, or Enterprise edition of Windows. Though it’s not required, the Enterprise edition provides the best experience, and it has additional Windows features, such as BitLocker encryption.
If the client computers already have antivirus protection, you may want to uninstall them before installing the Intune client software. By default, Intune won’t activate Intune Endpoint Protection for antivirus if it detects another antivirus program on the machine. However, you can enforce its use by creating a policy with Windows Intune.
Discovering the Client Software
Once an end user opens the Intune Center from a desktop, the status of both the Windows Intune service and Windows Intune Endpoint Protection appear. Users can request remote assistance for tech support, which activates an alert on your admin console, and (if appropriately configured) emails a notification to the chosen admin. Additionally, it can display your tech support contact details.
If Windows Intune Endpoint Protection is installed, end users will see it running in their PC’s system tray.
Configuring Windows Intune
To set up Windows Intune, start by logging in to the administration console. Once there, you’ll want to configure these main settings.
Create user groups: Creating user groups comes in handy if you’d like to have a different set of update, antivirus, or firewall settings for particular groups of clients–for instance, groups organized by company department or by different security needs. To create groups, open the Computers workspace and, on the left Tasks list, click Create Computer Group. Once end-users have the client software installed on their machines, and the systems appear on the admin console, you can add them to the appropriate groups.
Create policies: You can use policies to define the settings for the antivirus tool, the Windows Intune Center, and Windows Firewall–with the ability to select specific user groups for deployment. To create policies, open the Policy workspace and, on the left Tasks list, click Create New Policy.
Configure update settings: To avoid having to approve every available update for your clients manually, you can configure Intune’s update settings to approve updates automatically based on the category (such as software title) or classification (such as critical, security, or service packs). To configure the update settings, open the Administration workspace and select the Updates page.
Configure alert and notification settings: You can choose which alerts you want to remain active, enter email addresses for notifications, and specify the email addresses that receive each alert type. To configure these settings, open the Administration workspace and select Alerts and Notifications.
Add additional administrators: If you have more IT staff to help manage Windows Intune, you can give them administrative access by entering their Windows Live ID. To do so, open the Administration workspace, select the Administrator Management page, and choose relevant the type of administrator.
When you’re ready to bring clients online, open the Administration workspace. Click Client Software Download, and then click the Download Client Software link. You can manually distribute and install the software, or you can automate the process if the client computer is joined to Active Directory or to System Center Configuration Manager. Even if you have to set this up manually, you’ll find that the simple installation doesn’t require you to input account details or settings; even end users can probably handle this.
Once Intune has installed the client software, it can take the software up to 30 minutes to download and install other required programs and agents, and to start reporting back to the admin console.
If you’ve defined different user groups, you’ll next want to assign clients to the appropriate groups as the clients appear on the admin console.
Tour the Admin Console
When you first log in to the admin console of Windows Intune, you’ll see the System Overview workspace, which shows the health and status of client PCs. This may notify you of recent malware infections or of Windows Updates that you need to approve.
Intunes’ Computers workspace first shows you similar health and status info. But here you can drill down to see a specific client PC’s status, installed software, and updates, as well as to view detected malware and to see hardware details. You can also right-click a listed PC to perform remote tasks, such as to run a virus scan, update virus definitions, or restart the PC.
The Updates workspace lets you peruse available Windows updates, view their descriptions and details, and approve or decline each for client installation.
You’ll see alerts related to malware protection in the Endpoint Protection workspace. In the Alerts workspace, you can browse alerts by category, view their details, and close them after you’ve attended to them.
The Software workspace lets you view all of the programs installed on client PCs. You can also upload and manage programs that you want to install remotely and silently. In the Licenses workspace, you can upload license information for your Microsoft and third-party titles. It will also offer statistics, such as the number of installations and the license counts for titles you’ve purchased.
The Policy workspace is a powerful component of Intune that lets you create policies to manage antivirus, firewall, and other settings on client PCs. You can specify values for the antivirus and firewall settings, let the end users choose the settings, or have them set by other means.
From the Reports workspace you can generate reports on updates, software, hardware, and license information based on criteria you select.
In the Administration workspace you can view the number of PCs you’ve activated with Windows Intune and your remaining available seats. You can also configure the Update and Alert and Notification settings–as well as manage additional Windows Intune admins.
Perform Ongoing Maintenance
Once you’ve configured Windows Intune and added clients, you should regularly log in to the admin console to check the status of each client and deal with any alerts. Some alerts vanish automatically when you resolve the underlying issue–by approving or installing updates, for example–but you must manually remove others. You can remove most alerts by opening them and clicking Close this Alert. Alternatively, in the Alerts workspace you can select the alert and then click Close Alert.
When you want to remove clients from the Windows Intune service, navigate to the client in the Computers workspace, and on the left Tasks list, click Retire. This action removes the client from the admin console and frees a spot for another client on your account. But it doesn’t remove the client software, which basically remains in place. Retired clients still receive active endpoint protection and Windows updates according to their particular Windows Update settings. End users can manually remove the client software, or you can use scripts provided in the Windows Intune documentation to automate the process.
Eric Geier is a freelance tech writer. Become a Twitter follower to keep up with his writings. He’s also the founder of NoWiresSecurity, which helps businesses protect their Wi-Fi network with Enterprise (802.1X) security.