Windows Intune 3.0 Microsoft Cloud-based Device Management – More Than Just a Curiosity

Initially released in March 2011 at the Microsoft Management Summit 2011 in Las Vegas, Windows Intune was Microsoft’s first toe in the water of cloud-based management services for business desktops. Initially designed to appeal to small to medium-sized companies with up to 500 desktops, it offered a minimal feature set with just the bare bones needed to secure and control basic desktop services. Nevertheless, there was strong early interest, with all 1,000 test places taken just 24 hours after the initial public beta was launched in April 2010. When Microsoft first launched Windows Intune it was easy to misunderstand, combining as it did operating system and application management services, remote support services, and anti-malware services along with a Software Assurance-like Windows upgrade license. As a management solution it was limited, certainly not capable of meeting the needs of customers with more complex environments. At the same time, though, it offered sophisticated features that abstracted the complexity of managing different operating system releases, and as a cloud-based service it made it easy for organizations lacking skilled IT support staff to obtain remote support services from MSPs.

As befits a cloud-based service, Microsoft has rewarded early adopters with a rapid refresh cycle. Version 2.0 was released in October 2011, with version 3.0 shipping last month. During this time Intune has grown in stature, rapidly adding features and scaling out to support the needs of larger organizations, and most recently extending the boundaries of the service beyond Windows desktops to support mobile devices via Microsoft Exchange ActiveSync.

Intune is competitively priced at $11 per device/month (£7.25 in the UK), with volume discounts available to purchasers of 250 licenses or more. That is not so expensive as to open the door to alternatives such as DaaS, while at the same time making it an attractive sales opportunity for Microsoft’s extensive channel. Microsoft offers the additional incentive of providing existing Software Assurance customers with a worthwhile discount, as well as offering cut-price access to the Microsoft Desktop Optimization Pack (MDOP) add-on for customers wanting more features than Intune provides out of the box.

New in Intune 3.0

  • An enhanced Windows Intune administration console and a new Windows Intune account portal, which go a long way toward improving the management experience as well as providing user-centric management capabilities. Microsoft still relies on Silverlight for the management interface, closing the door on admins looking to do armchair administration on Android or iOS tablets.
  • Windows Intune now uses Azure Active Directory, which means that you can now synchronize user accounts with an on-premises Active Directory using Active Directory Federation Services. The ability to integrate Windows Intune with an on-site Active Directory Domain Services environment makes it possible to synchronize users and security groups between a local Active Directory environment and Windows Intune. This one feature goes furthest to extend the value of Intune, making it possible to replace less complex System Center environments under many circumstances. This change also means that admins no longer need to use Windows Live IDs to sign on to manage Intune.
  • The Windows Intune and Windows Intune mobile company portals provide users with self-service capabilities. As a result, they can install available applications on their computers and mobile devices as needed, and they can perform other common tasks without needing to call the IT help desk.
  • The management reach of the Windows Intune service has now been extended to include mobile devices. Windows Intune supports devices running Windows Phone 7 or later, iOS 4.0 or later, and Android 2.1 or later. Mobile device users get a good deal here, with Microsoft allowing up to four mobile devices to be managed for each desktop seat. The usual Microsoft caveats tying mobile devices to physical devices still apply, though. Each of these mobile devices can now be managed with the Windows Intune service. Windows Intune uses Microsoft Exchange ActiveSync (EAS) to integrate management of users’ mobile devices with the customer’s business infrastructure and to enforce the organization’s mobile device access policies. Where a mobile device does not support a specific policy, Intune can be configured to permit or deny access to that device.

As before, the endpoint protection included in Windows Intune is powered by the same Forefront anti-malware engine used by System Center Endpoint Protection 2012 and can deliver alerts and infection reports in a similar manner.

Overall system scalability is significantly improved over previous releases, supporting up to 5,000 PCs in a single management domain, with a clear indication of intent to scale beyond this limit in future releases.

All PCs covered by Windows Intune may be upgraded to Windows 7 Enterprise and in future Windows 8 as long as the qualifying OS is one of the following editions of Windows: Business, Professional, Ultimate, or Enterprise.

Windows Intune is not without its faults. Its continued reliance on an on-premises Exchange Server is an unwelcome holdover for a cloud-based management service. Microsoft needs to address this in the next release of Intune or it will start to face a backlash as its target customers push for greater cloud adoption. At the same time, Microsoft is still struggling to come to terms with the “as a Service” nature of cloud-based offerings. This is most visible in the way that Intune is licensed. Unlike many other cloud-hosted services, the Windows Intune subscription term is annual. Payments can be made monthly, and during month 2 through the end of the initial subscription customers can request to discontinue their service, but they will be responsible for paying for the entire initial 12-month subscription. This is in many respects a symptom of Microsoft’s overall cloud maturity. There’s a clear intent to get there, but it will take another iteration before Intune is fully baked.