Windows Intune, Microsoft’s Cloud-based client device management solution, continues to garner attention from small and medium-sized businesses since its release in July of 2011. It’s easy to understand why the business community gravitates toward this product. Instead of installing an expensive management server, they simply log in to a portal to manage their devices. Having recently worked with Intune, I have come across many convenient features, as well as some pitfalls that should be considered. In this blog post, I have identified the top five features I have come to appreciate. We will cover those in detail below.
Feature 1: Cloud-Based Management
Windows Intune is a Cloud-based service, which lives in Microsoft’s Windows Azure Cloud Services. This is extremely beneficial to companies who are looking to get rid of their on-premise management infrastructure or to begin managing client machines and devices without standing up an on-premise management infrastructure.
Figure 1: System Overview Pane
Another benefit to the Cloud is that your client devices are managed through the Internet, not through your on-premise domain. That’s right; your road warriors are covered. Any time one of your client machines connects to the Internet, it receives updates from the Intune service. That means no more giving admin privileges to your road warriors because of their distance to the office.
The Cloud-based feature I most enjoyed from Intune is the ability for an administrator to manage their client machines from anywhere. As long as they are connected to the Internet, administrators can log in to the Intune portal and manage away, which is extremely convenient. This is done through the Intune Management Console, shown on the System Overview Pane in Figure 1 above.
Feature 2: Reports and System Logs
Most detailed information about your managed client machines can be allocated and collected into what Intune calls Reports. The reports pane in the administrator console (Figure 2) is a powerful tool that allows you to view software and hardware inventories with amazing levels of detail. Do you need the specific hard drive models on a group of clients? Easy, create a report. Do you need to know which specific clients have evil torrent software? Easy, create a report. The information is presented to you in collapsed form, giving you the opportunity to get as granular as necessary. Even if your specific report is collected by group, you can drill down into each piece of inventory and find a model number or client name. The last beauty of this feature is that all reports can be exported to your local machine in .csv or .html.
Figure 2: Reports Overview Pane
Feature 3: Policy Creation and Conflict Management
With the Intune service, the creation and management of policies are fairly simple. The policy administration pane is easily accessible from the Policy tab in the Administration Console. The Policy Pane is shown below in Figure 3. At first glance, policies appear quite rudimentary, but fear not, each Intune Policy hides the granular aspects until you enable the policy. As you explore each policy, you will notice they are actually quite robust and skillfully hide their detail until they are enabled.
Figure 3: Policy Pane
You may be wondering if Intune Policies conflict with existing Group Policies. The answer is no. Not only does Intune coexist with your current Group Policies, it automatically alerts you when your policies conflict with its own. The administrator is notified via the Alerts pane that a conflict between Intune and Group Policy has been detected. Until the issue is resolved, the client is managed by the more restrictive of the two policies. When used in conjunction with your current policy infrastructure, the Windows Intune service proves to be a robust and convenient tool.
Feature 4: Remote Task Creation and Management
The Intune service gives administrators a small but powerful set of remote tasks to execute on their client devices. The most notable of these are the ability to force a policy update and to force a restart of the client device. The Refresh Policies option is visible in Figure 4. By default, the Intune service updates client devices about every eight hours. With these handy remote tasks, you can force client machines to update their policies or restart the next time they connect to the Intune Service (next time they connect to the Internet).
Figure 4: Remote Task Menu
Figure 5: Remote Task Status Pane
The remote task features don’t stop there. After requesting a remote task, the Intune service stores the information about that task in the bottom right corner of the Administrator Console (shown above in Figure 5). When you click on the tasks, you can see whether the task is queued, running, successful, or failed. You can also select multiple client devices and request a remote task with one right-click, instead of having to administer each client device individually. Remote task creation and management proves to be quite simple in the Windows Intune service.
Feature 5: Software Installation (Push or Make Available)
One of the greatest features of the Intune service is the ability to silently push software packages and updates to client devices. The software features can be managed through the Software pane in the Administration Console, which is shown below in Figure 6.
Figure 6: Managed Software Pane
You have a few options when publishing software through the Intune service. You can either silently push to the client device or make an install package available for optional download using a URL. In both scenarios, the install package is encrypted on the administrator’s machine and uploaded to the Cloud. The next time the client accesses the Intune service (accesses the Internet), the software will either be silently pushed or the client will be notified of newly published software available for download. The Intune service becomes extremely useful when managing the installation of software across a large number of client devices.
This leads me into the pitfall of the current version of Windows Intune.
Pitfall: Uninstallation of Managed Software and Updates
You may wonder why I consider this feature a pitfall with Intune, since it appears as though it could be quite convenient. Uninstallation of managed software is a great feature, especially from the Cloud. However, the problem is that most software and updates do not yet support uninstallation via Intune. This includes Microsoft security updates and hotfixes, as well as widely used software such as Adobe Reader and Mozilla Firefox. Microsoft claims that managed software can be uninstalled, when in fact even Office 2010 presented problems when we attempted to remove it. This may be one of the features in progress through Microsoft’s six-month update cycle, but as of now it is not fully baked. Hopefully, we’ll see wider uninstall support in subsequent releases.
In the meantime, the workaround for this uninstallation issue is to pack command lines into an .msi package and push the package as an update. This can be burdensome especially when you need to build a specific .msi for each software package you wish to uninstall. As it currently stands, uninstallation through the Intune service requires a significant amount of expertise and administrative overhead.
In summary, Microsoft’s Windows Intune is a powerful tool to manage client machines through the Cloud. Although the software contains a few shortcomings, it has a wonderful suite of features and is worth considering for a wide array of businesses. A great benefit is that Intune is on a six-month update cycle, so new and improved features are well on their way.
Are you considering adopting a device management solution and need additional information or real world expertise? Credera has extensive experience in designing, planning, and implementing systems management solutions. If you have questions about this blog post or general IT infrastructure, please contact us or tweet us @CrederaMSFT.