Managing from the cloud with Windows Intune

Simon May

Securing and managing the devices that users take for granted when accessing the cloud is at the forefront of the minds of IT professionals everywhere, and there are lots of solutions to make things more secure. What about desktop PCs?

Everyone in the desktop world is accustomed to managing, patching, remote controlling and securing computers, but are there new opportunities presented by the cloud? The answer is of course yes. Windows Intune is a new Microsoft product that allows you to manage Windows computers from the cloud, without the back end infrastructure normally associated with endpoint management.

One of the most striking benefits, and one that resonates very strongly with those responsible for paying for business IT, is the potential cost savings that come from not having to intensively manage infrastructure. Windows Intune is a pretty cool product because it allows for management of corporate PCs without the need to deploy costly servers and spend time engineering the back end infrastructure normally required in a corporate environment. Not only that, but some interesting license benefits make Windows Intune exceptionally attractive for some organisations. First off, let's understand what this new offering does.

Manage Windows Update

Windows Update is one of Microsoft's largest publicly available cloud services, providing patches and updates to millions of computers around the world each day and absorbing the scale required on busy days like Patch Tuesday (the 2nd Tuesday of every month, when Microsoft releases patches). In fact, if you ever try to update a computer from Windows Update, you'll find that the service is there, ready to serve. Contrast that with the "traditional" approach, whereby you have a Windows Server Update Services (WSUS) server installed in your business to achieve control over the patches applied to corporate computers, and you'll see that, while it's an essential service, it's another server to run, another server to manage and another server to buy. WSUS is perfect for some circumstances, but while it provides both local caching of updates and control over which are applied, the caching is a diminishing requirement as bandwidth increases.

With Windows Intune you have control over which updates are applied to which computers within your organisation, and when. All updates are pulled from the highly available public Windows Update service, reducing the need for a local WSUS server. Why this need for control? Occasionally an update can cause an issue with an incompatible line-of-business (LOB) application. Windows Intune allows you to group computers together to apply updates or to reject them, so you can create a scenario just like I have in my test lab:

I have a "testing" group that applies all Windows Updates automatically. When I'm sure they've not caused any issues with the applications running on those machines, I allow my "corporate" group to apply the updates, but I have a group of special machines, "CXO office", that only allow updates to be installed when manually approved. This scenario allows me to retain control, something that some people fear they will lose with the cloud.

Malware protection

Windows Intune comes with anti-malware software built in that uses the Microsoft Forefront Endpoint Protection and Microsoft Security Essentials technology to provide a highly reliable yet simple-to-use solution. The testing I've done found every test virus in seconds, as you'd expect, but the notifications to the end user are simple, elegant, unobtrusive and easy to understand. The centralised management that's built in lets administrators know that malware was detected and what action was taken to resolve the issue; if there was a reason that the issue couldn't be resolved, it lets the admin know what to do next. When it's a known malware problem, the admin is given detailed information from the Microsoft security response centre, which makes their workflow even easier by giving them useful follow-up hints.

Updates to the malware protection features are handled through Windows Update, so as long as you've got an Internet connection, updates are available, and they're controlled in the same way as Windows Update. That makes it simple to introduce testing or validation if your business needs it.

Manage Windows Firewall

With laptops and devices becoming more mobile, a device firewall is essential, and increasingly so within the corporate environment. If you're wondering why they're necessary, here are a couple of examples.

First, you need to defend those devices when they are used in less secure locations, like a coffee shop when your sales guys are having a meeting.

Secondly, within the corporate network you are likely to have (let's call them) uncontrolled devices coming in: someone brings their mobile phone in and connects to the corporate Wi-Fi network or the like. You don't know what could be on that device, so it is better to protect all your devices to some degree, and one way is with device firewalls. Windows includes one as standard in all versions from XP to Windows 7, and Windows Intune allows you to centralise that management, to push out policies to devices and even to open or close firewall ports on those devices.