Week 6 at Microsoft was, predictably, brilliant. Great stuff going on here.
I was just catching up on my feeds when I spotted this on Lifehacker: they’ve run a Hive Five poll to find out what tools people use to manage their life and personal projects, and OneNote, along with Evernote and plain text à la Notepad, have come out on top. What a great result. OneNote is an unsung hero of Office, but it’s getting more praise day by day as people discover its usefulness. It’s even in our most basic SKUs now, so home users get the benefits.
A couple of super cool features of OneNote 2010 that you might not realise are super cool till you try them:
OneNote can sync notebooks to Office Web Apps and that does two very cool things for you. The first is that you can access that notebook anywhere, any time in the browser. Cool sync feature number two is that if you’re using multiple PCs, like I do every day, then that notebook will stay in sync across multiple PCs. Synctastic!
OneNote can create Outlook tasks, so when you take notes in a meeting they can instantly become part of your task management system. A powerful use of this is when someone sends you an email with lots of tasks in it: copy and paste it to OneNote and convert them to tasks. Deleting the task in OneNote leaves that task in your Outlook.
In part one I gave a brief overview of the Updates features of Windows Intune and of what Intune does as a whole and why infrastructure free management is cool. Now we’ll skim through the other features…
Let’s take a look: Malware protection
To understand how malware protection works I infected my own machine. Not with anything scary but with the EICAR test virus, always a handy call. When I say I infected it I don’t really mean that; what I actually did is started to download it and within a second – before the bits had started to land on my PC – the anti-virus engine, which is based on Forefront so you know it’s enterprise class, spotted it and let me know – as the user. It took less than 5 minutes for the console to flag the hit and only a couple of seconds more for the alert email to hit my inbox (see part six for this über admin feature).
On the console I could see that I had malware to follow up, which computer had taken the hit and what it had done to stop it. Another neato feature is that Intune makes it really easy to find out about the malware from the Microsoft Malware Protection Center.
Knowing which computers have had an infection is really handy so you can know which ones to go fix, and how much better is it knowing before the user calls you…you could call them…that would be good service, wouldn’t it?
Let’s take a look: Firewall
Firewall management comes in the form of policies to manage Windows Firewall, delivering the ability to control connections that can be made and blocked to the PC and even to control what the user is shown when the firewall stops a program from accessing the network. Furthermore, it’s possible to control the firewall exceptions for specific applications, letting you stop any computers in a group with Virtual PC installed allowing access to your network, for example.
This ability to go down to detail on the firewall is great, but the fact that it uses Windows Firewall reduces the footprint that you need to manage on a client. Policies can be combined, applied to groups and again a computer can be a member of more than one group. That gives you very nice control of the Windows Firewall. There’s not much more to say about this really…it’s a critically important security mechanism and handled simply.
Let’s take a look: Remote Assistance
Remote assistance is one of the most important offerings of Windows Intune, offering simple, easy to use, request based remote control to help your users through their darkest hour. They deleted the pictures of their kids and they don’t know what the recycle bin is. And it’s 2 in the morning. And you’re on call. Familiar? Surely not.
Firing off a remote assistance request sends an alert to the console and, if you have alerting set up for it, off to your email inbox. With that you can view and take control of your user’s desktop to sort out their emergency. What makes this nice is that the console gives you a one stop shop to resolve the query.
Under the hood we use a great component called Easy Assist to establish the connection and you know you’re getting quality kit here because it’s part of our Live Meeting product and Microsoft uses it too. That’s provenance for you.
One question I’ve already been asked about this is why can’t I just take control of the user’s PC without them having to start things off. The obvious answer is security. Giving the user control of the request allows them to make sure they don’t have something confidential on screen when the administrator takes control or sees the screen. It’s better for your users. All they need do is open the Windows Intune Center on their PC and select the link to request remote assistance; they can cancel it if they fix their problem too. You’ll get an email as the administrator if you’ve set up the alerts too.
Let’s take a look: Software Inventory, Licensing and Reporting
Want to know what’s been installed? Well, Software Inventory is where you’re headed, and the inventory is pretty comprehensive. What’s great is that there’s a “category” grouping so you can easily sort the inventory by that column and see what different types of security software are installed. From there it’s a single click to see which computers it’s installed on. There’s a great video on the Intune blog that gives you a 2 minute intro to the feature.
Software Licensing is a way to have Windows Intune automagically compare your estate to your license files like you’d get if you have an EA.
Reports is the place to go to find out what’s really going on though, license wise. From here you can generate a report that allows you to understand exactly what software is deployed and, if you’ve got licenses entered, it will show your license status. All isn’t lost though if you don’t have an EA, and this is where someone could add amazing value with this tool…the reports can be exported to CSV and with a little tinkering you could create an Excel file that cross references your licenses. Value add, right there.
Let’s take a look: Alerting
It’s better when you get alerted to something as it happens, before your user calls you and complains. Intune does this for you. This is an excerpt from the email I got when I infected my PC with EICAR; it took about 5 minutes for me to get the mail in total.
This gives me all the info I need to know what’s happening, it got followed up with a “follow-up” actions email and a resolved email. Alerts are managed through the Administration panel and they exist for all sorts of things, even corrupt file systems and repetitive crashes of Office 2003. The alert types are predefined but you can enable and disable them and you can specify the recipients who need to know about stuff. Requests for remote assistance come in the same way.
The end…but wait there’s more
That’s a very brief, 2 post overview of Intune. There’s more to it, but it doesn’t get much more complex than this, and the simplicity is why I really like this product. You’ll be up and running with it in hours, not days. I’ve got some more posts on this in the pipeline but here are the top resources for the beta right now:
Right now you should apply to join the beta – but remember we want people to try this out, we only have 10,000 places available and they’re filling up fast, but we want people with at least 5 computers to deploy to. You should also check out the official Windows Intune blog too for more.
I was just browsing around on TechNet for info and came across Paul Adams’ blog and a post about UAC. It’s one of the best write ups of what UAC is, and why you should be using it, not turning it off, that I’ve seen. It goes into superb technical detail too.
USER Account Control… but I’m an ADMIN! by Paul Adams
Before we get into this it’s very important to note that Windows Intune is in Beta and things will change. It will still be very cool though…
Managing the Windows PCs in your business is essential if you want to have happy users and want to reduce the threats posed by missed updates, malware and other hassles. It’s also a huge bonus when you know exactly what software is being used in your business (and that you’re licensed for it!) and I’m sure it gives you a warm fuzzy feeling when you get to help out a user without having to leave your desk. Normally you need a server infrastructure to get the best of all this.
Wouldn’t it be brilliant if you could manage all the PCs in your business without having to deploy and manage a server infrastructure to do it? Well that’s where Windows Intune steps in to help you out. It’s our new cloud based management solution (currently in Beta) that allows you to manage all the PCs in your business from a console that runs in your web browser and sits in the cloud. No infrastructure needed.
The key things that Intune does for you functionality wise (and there are what I’d call bonuses, BIG bonuses in addition):
So what are the bonuses? How about Windows 7 Enterprise and Software Assurance? That’s a heck of a bonus no? That means that every PC that you install Intune on and pay for will always have the right to have the newest Windows version in line with the Enterprise SKU…and that means you get security features like BitLocker. That in my eyes is a heck of a bonus.
Who’s it good for
If you don’t have any PC management in your organisation and you’re small to mid size, in my opinion Windows Intune is a no-brainer. From day one of using Intune you’ll have a better understanding of your Windows client environment than you’ve ever had.
If you’ve got other PC management in place (that doesn’t have the power of System Center), you are small to mid size and you maintain infrastructure for it you should evaluate Windows Intune, it could save you a fortune.
If you don’t have software assurance then you should consider Windows Intune so you can keep your stuff up to date.
If your remote people have lots of issues that prevent them getting inside your network through your VPN then you should consider Windows Intune because you can manage that PC the second there’s an internet connection. Great if you enforce minimum requirements like having a minimum malware signature level before your users can connect.
If you’re providing a managed PC service for your customers then it’s awesome once you get your head around direct billing. If you’d like to know more about this let me know.
Finding the sides
Windows Intune isn’t supported on servers and whilst it’s got a fairly comprehensive feature set for managing PCs it’s not got the granularity required by large organisations yet and before doing a large deployment you’ll need to think about networking. Other than that, there aren’t really any, you can technically manage as many clients as you like.
So, let’s take a look at some of the highlights of what Windows Intune has to offer and no I’m going through this step by step – there are videos for that.
Let’s take a look: Updates
Windows Update is our biggest cloud service, in fact it’s THE biggest cloud service out there; there are millions upon millions of users getting updates from the service every day. Windows Update provides a fire hose of updates direct from source (yep that’s us) for every supported version of Windows and Office and more. Some businesses like a little more control over the fire hose, which is why we provide a product called Windows Server Update Services for large businesses. WSUS gives them the ability to control what updates go to what PCs, allowing them to create groups of PCs to receive the updates first to make sure they don’t encounter issues such as incompatibility with their Line of Business (LOB) applications. The problem with this is that the WSUS server is inside the business network, so clients can’t get those updates if they aren’t connected, and also it requires infrastructure which smaller businesses might find costly to deploy.
Welcome Windows Intune.
Windows Intune adds a level of control to that fire hose, a more directed hose nozzle if you will, allowing the administrator to identify the specific updates to allow and to create groups of machines to target for specific updates. Just like you’d do in a test environment to ensure your LOB applications play nice.
Inside the console, which is available once you have your account, you find that it’s split into the different aspects that Windows Intune manages. Selecting Updates is the rather obvious way to manage updates and from here the Update Status panel shows you how many updates you have to approve and so on. Updates are split into Critical, Security, Definition Updates (we’ll do this in part 2), Service Packs, Rollups and Mandatory. This last section basically contains the updates necessary to manage a PC with Intune, you see we use the Windows Update service on the PC to keep things in check, neat eh…no extra load for a software update agent.
Updates can be approved or declined; declining an update means that it will be blocked from installing. When an update is approved or declined the flag is set against a particular group of machines, giving you some granularity of control…and it’s possible for a single machine to be a member of more than one group. Another very handy feature is that the properties of each update include detailed information about behaviour, severity of the problem being patched and deeper detail such as KB articles.
In part two I take a look at Intune’s Malware protection, Firewall and Remote Assistance and then we’ll take a look at Alerting, Software and Hardware reporting and licensing. Subscribe to my blog so you don’t miss it.