Product Reviews

Inside the Windows Intune Wave 2 Beta: New Features Overview

The updated security management service features impressive remote-management and deployment capabilities.

Back in March, Microsoft released a new systems-management service called Windows Intune. The service allows customers to enroll their PCs and manage things like Windows updates, antivirus and anti-malware applications on dispersed computers using the Internet. It also brings information from the PC, such as hardware and software details, to the service console each time systems check in.

The idea that these services could be managed on completely remote computers is pretty incredible. Windows Intune stores the information in the cloud and is accessed via the Web by administrators to approve updates and review what might be going on with enrolled computers. For the initial release, the cost of the service is $11 per month. With that service per computer, you also get a Software Assurance (SA) license for Windows 7 Enterprise as long as the machine remains on the service.

Sounds pretty appealing, right? You're able to ensure that Windows updates and antivirus definitions are being maintained on machines you manage that don't connect to headquarters very often. Of course, all of this assumes you have the staff and the time to be the perfect Windows Update administrator, but that's another issue for another time.

In mid-July, Microsoft released a public beta of the next Windows Intune release, simply called Wave 2, which includes some new features and improvements to existing features. This review will focus on the Wave 2 items. I'm excited about some of the features and not sure how I'll use others, but so far, in limited testing, Wave 2 seems like a step in the right direction.

Some of the features from the first release have been enhanced; the biggest of these is the overall experience in a browser. Performance for the administrative console (see Figure 1) is much better in Wave 2, although there are more reloads needed. But because the release is beta, that's to be expected. The Silverlight capabilities are improved (the right-click context menu works), and the app seems to play with non-Microsoft browsers better than 1.0 did.

[Click on image for larger view.]
Figure 1. The Windows Intune System Overview window.

For the most part, of the features I've gotten into, the biggest area of improvement is overall performance.

Software Deployment
One of the biggest additions to Windows Intune is storage. Microsoft is providing 2GB of storage for application deployment to enrolled systems, and additional storage will be available to purchase from the application. I suppose the second-coolest feature is managing and deploying applications right from the cloud.

Clients on corporate networks receive deployed software all the time; it frees up administrators and IT staff to work on other issues, and also aids in license management and application control. Microsoft is taking this to the cloud with Wave 2. Users will be able to upload software to the service and specify clients that the application should be deployed on. When the client checks in next, the application installation will begin.

This is huge. Now, what could previously only be accomplished with remote sessions or Active Directory when a computer arrived in the office can be done over the Internet with requirements similar to those of AD software deployments.

My beta account has a few machines enrolled, including my own work PC, which will be the guinea pig before I release much to other systems.

Deployment Desires
Integration with my on-premises AD and existing Group Policy is something I hope is considered for future versions. I know that Windows Intune and AD are different animals, but being able to import the Windows Intune clients as an organizational unit within AD and see -- and add or edit -- policies just like I might for other sections of AD would be amazing.

Being able to push my Group Policy Objects and other items up to the Windows Intune service as a backup might be something worthwhile. I know I can back these items up using third-party tools (or native tools in Windows 2008), but having an automatic failsafe in the cloud would be nice.

Licensing Agreements
Another great feature of Wave 2 is the ability to manage license agreements for both Microsoft and other vendors. For Microsoft agreements, the service will poll other aspects of licensing and retrieve the information for your licenses based on the agreement number and authorization number you provide. Once this happens, the number of licenses will appear within Windows Intune (see Figure 2).

[Click on image for larger view.]
Figure 2. Windows Intune Licenses Overview screen.

License information can be provided by entering the license number and authorization information of each agreement into the Windows Intune interface separately, or it can be uploaded via a CSV file for bulk importing (see Figure 3). Once agreements are added, they can be grouped together for easier visibility.

When adding non-Microsoft agreements, you'll need to specify additional information, including:

  • Agreement name
  • Publisher
  • Software title
  • License count
  • License start date
  • License expiration date
  • Agreement details

[Click on image for larger view.]
Figure 3. Adding licensing agreements.

Bringing licensing into Windows Intune can simplify the overall management of licensing if you put the time in on the front-end, and as new licensing is acquired. For Microsoft products, there is far less work involved, but for other applications this might be a first step depending on where the service goes as it evolves.

Licensing Longings
The ability to specify your Intune information when purchasing licenses from Microsoft and having the agreements populate as soon as the licensing order is completed is something that would be great. In addition, being able to handle outside vendor applications with the same ease as Microsoft products would be a welcome feature. I realize that doing this will require agreements between Microsoft and many other vendors, but it would certainly be something worth considering if the use of license management in Windows Intune takes off.

Remote Actions
Managing computers requires remote actions against those computers; things like checking for file existence or rebooting computers is a must. If the user is connected to a VPN, you can hit the admin share \\computername\c$ or \\computername\admin$ and look for files you may need, and you can even reboot with command-line scripts.

But what if the user isn't connected to a VPN and is just working on the Internet in the local Starbucks, getting e-mail and working on the latest sales figures in Excel? The Wave 2 beta features remote actions. They include:

  • Run a full malware scan
  • Run a quick malware scan
  • Restart computer
  • Update malware definitions

Most of the remote tasks (or actions) in Windows Intune center around malware and checking malware, because that's one of the more difficult things to do on remote computers. I like that feature set. These functions work by being queued from the time they're executed by the Windows Intune administrator. When the client checks into the service next, actions are downloaded by the agent and executed. It's likely that the user won't notice much if malware tasks are performed, as the scans can occur in the background, but rebooting the computer could have interesting results. It might be a good move to alert the user if you plan to send a restart task so the user knows it's coming.

Deployment Options
In this case, I'm not thinking of software deployment as in installing Office 2010 on a remote computer, but of options for deploying Windows Intune. After all, if you can't get the Windows Intune client on the computer, the features discussed here won't be of much use.

In the 1.0 release of Windows Intune, pushing the Windows Intune client out to systems through image deployment was an interesting situation. The results I saw from this action were mixed. Some systems worked very well when the Windows Intune client was included in the image; others did not. In the Wave 2 beta, the documentation and discussions among beta users show much better results for imaging. At the time of this writing, I haven't gotten to test this with system imaging. I plan to test this further as soon as Windows 7 is rolled out among my users.

Switching to Windows Intune
During the beginning of the Wave 2 beta, there was some discussion of a tool to help organizations migrate from on-premises solutions to Windows Intune. This has been suspended for the time being to allow the team to focus on other more widely used and requested features within the service. In my opinion, moving to Windows Intune is much like changing antivirus vendors or applications and won't take much time. As there's likely to be a way to include the application in an image deployment, the features of Windows Intune might be able to get baked into a company image for PCs. That would certainly be a great way to go.

What's Next?
The first release and latest beta of the Windows Intune service are definitely moves in the right direction. Microsoft has spent a lot of time and money working on management products that work on-premises, allowing administrators and IT staff to do their entire jobs from their own offices. Windows Intune takes a portion of that management capability -- a rather substantial portion of it -- to the cloud. Giving corporate IT administrators the ability to manage their users' PCs from anywhere is certainly easier than waiting for on-site time.

Looking at the features available in the beta release of Windows Intune, it's interesting to think about other on-premises solutions that might be headed to the cloud. Perhaps integration with AD -- or at least some Group Policy usage to and from the cloud -- might be on the long-term roadmap. What is there, or will land there, is anyone's guess at this point. It certainly is something I'd like to see. Hopefully the Windows Intune team and others at Microsoft will see this and have a few comments or even additional suggestions. Keep your eyes open for new things coming from Microsoft and the Windows Intune team, and sign up for the betas as they become available. Organizations of any size can test -- and benefit from -- the services offerings.

Installation: 20%
Features: 20%
Ease of Use: 20%
Administration: 20%
Documentation: 20%
Overall Rating:

Key: 1: Virtually inoperable or nonexistent  5: Average, performs adequately   10: Exceptional

Improvements Around the Corner
Just as I complete the coverage of features in the Windows Intune Wave 2 beta, the vNext beta has been quickly rolling through the planning stages and will likely be headed to private and then public beta very soon. The Wave 2 beta has drawn to a close to allow these and other features to become release-ready and made available in the next release of the product.

One thing I noticed about this process involving release-to-Web products is that the product cycles, especially on wide-reaching products, are very fast. While this is great news for customers using the products, it's slightly more difficult to provide information ahead of release. The Wave 2 features aren't quite baked in just yet; the new release is slated for this month. Hopefully the next iteration of Windows Intune, including the Wave 2 features, will be ready for full-on release in the near future. The features available in the beta were definitely a good inclusion, and I'm curious about what the folks on the Windows Intune team -- and the customers that help with the process -- will come up with next to make Windows Intune an even more widely used service.

Windows Intune Beta Wave 2

Pricing starts at $11 per month for previous version
Microsoft Corp.


comments powered by Disqus

Hot Resources

Subscribe on YouTube