Geek of All Trades: Windows Intune - PC Management Owned by Someone Else

When it comes to monitoring and management, working with a cloud-based service could be the way to go.

Greg Shields

The cloud might not be the right thing for everyone just yet, but services hosted in the cloud are absolutely the right thing. Before you insist there’s no difference, consider the services in the cloud you’re probably already using. Your antivirus signatures and monthly Windows updates come from somewhere else. Anti-spam filters are surely gathered from somewhere outside your control. Even e-mail itself eventually moves from your internal servers through an external provider before making its way to its intended recipient.

Our industry has done itself a disservice by referring to services someone else hosts by this nebulous term “cloud.” We’ve tried to categorize the Internet manifestations of solutions we’ve used and trusted for years.

For most of us, vendor references to services “in the cloud” dredge up an irrational fear of some murky unknown. In reality, cloud services are often little different—and sometimes more useful—than those we’ve trusted for ages. Windows Intune could be a perfect example of that reality.

This is an important wake-up call. You need to realize that services hosted by someone else could be a perfect fit for managing your Windows PCs. By existing “in the cloud,” these off-site services are perfect for IT pros who can’t lock down computer assets. If you have roaming laptops, cloud-based management tools like Windows Intune can be a perfect fit for keeping control no matter where those assets go.

Even if your computers never leave the office, cloud-based solutions like Windows Intune can add management control without adding servers. One less server to manage means more time for other tasks. If you lust after the management automation only big shops enjoy, you might appreciate what Windows Intune can bring to the table.

Monitor Those PC Behaviors

Windows Intune is another of Microsoft’s growing suite of subscription-based online services. Intune centralizes inventory, patching, endpoint protection, alert notification and remote-control functions into a single Web-based console. The console itself is hosted by Microsoft. Managing your systems starts by navigating to Intune. The agent installed on each PC sends its information to Microsoft, relieving you of the care and feeding of yet another server.

Now you have an external collection of metadata about your systems. With Intune, Microsoft isn’t so much interested in storing data you consider sensitive or proprietary. The collected data relates specifically to computer configurations, a data category most consider relatively low risk.

Getting your arms around PC behaviors represents a huge benefit every IT shop needs, but few enjoy. From the Intune Web-based console (see Figure 1), you’ll see a consolidation of alertable activities and behaviors for computers under management. These are monitors for hard-to-find problems like disk corruption and memory failures. Like the alerts its big brother Microsoft System Center Operations Manager (SCOM) provides, Intune’s 380 alert types deliver a detailed prognosis on the health of your PCs.

Figure 1 Windows Intune feeds you a variety of alerts.

Simplicity is one of the core Intune value propositions. That simplicity stands in sharp contrast to the rich and infinitely malleable alerting infrastructure of SCOM. While SCOM might provide a comprehensive interrelation of monitors, management packs and tuning overrides, its infrastructure is often too cumbersome for basic monitoring needs. Intune configures and tunes alerts for you. You receive limited options for enabling or disabling alerts, and for forwarding them to the correct e-mail recipient.

Protect Those Clients

The biggest Intune play lies in client protection. Intune supports endpoint protection via a tailored version of the Microsoft Forefront Endpoint Protection client. It can also deploy Microsoft updates through a centrally managed Windows Update client. Managing these settings with Intune removes them from local control. It also assures you that your policies are followed.

While both anti-malware and update support are absolutely necessary (see Figure 2), it’s one of Microsoft’s design decisions that stands out as particularly intelligent. Intune doesn’t care about the domain membership of managed clients. You can manage your clients—no matter what their domain membership—through a single, central service. They can exist in your LAN or on the Internet. They can be assets you own or those you don’t. Suddenly the risks associated with employee home PCs become much smaller.

Figure 2 Intune also gives you myriad malware reports.

By making the gutsy decision to have Intune stand apart from the Windows domain, Microsoft has given you better protection for internal assets. Your employees’ home computers can now enjoy the same protection as the laptops you provision. A laptop, even if it never returns to the office, remains under management control for updates and anti-malware signatures. Keeping malware under control and out of your network—now that’s power.

Intune accomplishes this through a small set of configurable policies. Today, there are two policies for controlling agent behaviors and firewall settings. A third provides a place for you to supply contact information should users need support. These do not supersede Windows Group Policy, and there may be additional policies in the future as they’re deemed useful for connected clients.

Future Management Framework

With its built-in hardware, software and license-inventory functions, Intune gives you a reasonable level of detail for managing PCs. That said, you can’t gloss over the fact that, today, Intune services are still relatively basic. Full management automation requires additional functionality, such as deploying software, deploying third-party updates and executing scripts, among other activities. This is a great start, though. As an online service, Intune represents a step in the right direction for Microsoft. It also stands as a framework for someday adding that future management functionality.

With online services, Microsoft is freed from product release cycles. The effort to develop new functionality is also much simpler, as agent data and the tools to manage it are centralized within the Microsoft infrastructure. Intune is an impressive start. Whether IT will trust PC management services hosted by someone else remains to be seen.

Greg Shields, MVP, is a partner at Concentrated Technology. Get more of Shields’ Jack-of-all-trades tips and tricks at ConcentratedTech.com.