Windows Intune Breaking News…

Some big announcements earlier today on the Microsoft Server and Cloud Blog, pasted below. One change that was expected once Windows Intune moved into the Server & Tools business alongside System Center, the unbundling of Windows Enterprise upgrade rights from Intune subscriptions, will open Windows Intune up to a new base of customers, and the integration with System Center positions Windows Intune firmly as Microsoft’s solution for mobile device management, including Windows Phone 8 and Windows RT devices.

Obviously there is much more to be announced, but it’s great to see the Intune team discussing new capabilities prior to them being rolled out in beta or production.

Let the cut and pasting begin…

Interoperability of Windows Intune and System Center Configuration Manager Console

The proliferation of mobile devices presents unique challenges for organizations of all sizes.  These devices run various operating systems.  With the concept of Bring Your Own Device (BYOD), they’re likely to be owned and controlled by the individual and cannot be “managed” like a typical corporate-controlled PC.  They’re also typically not on the corporate network but instead utilize the Internet for connectivity, even to access corporate data.  These challenges require flexibility in the way corporate policies are defined, such as determining which policies can and should be applied to which devices, and how those devices should be managed.

Microsoft offers two separate endpoint management solutions – System Center 2012 Configuration Manager for on-premises management, and Windows Intune for management through the cloud.

With System Center 2012 Configuration Manager Service Pack 1 and the next version of Windows Intune, Microsoft is taking the first step in delivering interoperability between these products through Configuration Manager’s administration console.

This will enable customers to add mobile devices managed through the cloud with Windows Intune into their System Center 2012 Configuration Manager Service Pack 1 console and manage all the devices through one tool.

While you can continue to use Windows Intune as your “fully in the cloud” management solution for PC and mobile device management, the interoperability of our on-premises and cloud services is a big step forward for organizations that want to manage all of their devices from one place.

Management of Windows RT devices and Windows Phone 8

If you already have System Center 2012 Configuration Manager, SP1 and the next version of Windows Intune will enable you to extend the reach of your management infrastructure to include mobile devices via the cloud.

Windows Phone 8 and Windows RT devices will be managed by the next release of Windows Intune.

IT Pros will have the flexibility of using either the Windows Intune or Configuration Manager 2012 SP1 console to set mobile security policies, distribute mobile apps and view reports.  We’ll share more details as we get closer to the next release of Windows Intune.

Windows Intune Licensing Changes

To help organizations benefit from our Windows Intune and Configuration Manager SP1 solution for BYOD and other device management scenarios, we are changing our licensing for Windows Intune in the next release:

  • We are shifting from a per-device to a per-user licensing model.  Each user license for Windows Intune covers up to 5 managed devices.
  • There will be a Windows Intune user license that includes the rights to System Center 2012 Configuration Manager, enabling organizations to manage those devices through either Windows Intune or Configuration Manager, or both.
  • Organizations that already own System Center 2012 Configuration Manager licenses, such as through the Core CAL, will have access to Windows Intune at a reduced price.
  • Today, all managed PCs covered by a Windows Intune license may be upgraded to Windows Enterprise as long as the qualifying OS is one of the following editions of Windows: Business, Professional, Ultimate, or Enterprise.  This will continue to be available, but we will also make a version of Windows Intune available without rights to Windows Enterprise, thereby lowering the cost for organizations that are not ready to move to the latest operating system.

Further details on pricing will be provided at a later date.

My TechEd North American experiences so far…

The first three days have been great so far, here’s a quick summary…

Day 0 – Pre Con Session – Configuration Manager 2012

This full-day event was something I attended for a couple of reasons: one was to see what I could pick up that could be applied to the ever-evolving world of Windows Intune, and the other was to help get me up to speed for a current project. I can report success on both fronts; I walked away very happy with the day, despite being jetlagged and in a zombie-like state towards the end.

Day 1

Up until now I wasn’t paying a huge amount of attention to what was happening with Windows Server 2012, so the opening keynote absolutely blew me away. The combination of Hyper-V on Windows Server 2012, System Center 2012 and the new Windows Azure Virtual Machine offerings caught me by surprise with their capabilities and integration. I’ve already got a few ideas floating in my head for things I can do here, and you’ll no doubt read about them over the coming months.

Other sessions attended during the day drilled down further on the Azure VM capabilities, along with more Hyper-V 2012 deep-dive sessions. I also spent some time catching up with a few members of the Windows Intune team to chat about what’s new, and about the Windows Intune June 2012 release going live. Over the course of the last few days though I’ve been accumulating a few more questions and scenarios to run by them; wish me luck in getting straight answers.

Day 2

The opening keynote on Windows 8 really lacked the spark that Monday’s keynote had. This wasn’t the fault of Windows 8, but the demonstrations didn’t really show me much that I hadn’t seen or heard of before, and after all of the Build content I had consumed I guess I shouldn’t have been surprised. The Windows To Go demo got my interest, and I had hoped the follow-up session would include a giveaway of Windows To Go on a USB 3 flash drive like at Build, but alas I had to settle for some good content instead. I wonder if Windows To Go is a supported platform for Windows Intune? Considering that it’s based on Windows 8 Enterprise, I am leaning towards it being supported; it seems like a match made in heaven to me.

There was an Intune session I attended which really didn’t hit the mark for me. I didn’t feel the content accurately matched the session description, and I would have preferred it to have been delivered by the product team members who were in attendance. I was hoping for some additional tips and tricks rather than an entry-level run through of the product capabilities, which I am already somewhat familiar with.

If you had told me prior to TechEd that I would voluntarily attend a session on SMB 3.0, I would have laughed, but after the Hyper-V deep-dive sessions I realised I needed to get to this session. I also had a chat with some of the storage team in the Expo area, and the main thing that hit me was just how great the advances are. Anyone looking to build Hyper-V cluster environments in the coming months really has to consider whether they want to build on Windows Server 2008 R2, or bet the farm on Windows Server 2012. I’m caught in this dilemma, as one project I’m involved with at the moment is turning into a 4-node Hyper-V cluster with failover iSCSI storage on the back end, but SMB 3.0 makes this all so much easier. I think a rapid migration to Windows Server 2012 may be part of the equation; maybe I need to approach Microsoft and convince them this would be a great case study. Lucky I know who to harass on this one.

The other session that I attended covered deploying Windows 8 with MDT 2012. It was good to hear that Update 1 should be in beta some time next month, and will enable some more advanced Windows 8 deployment scenarios, including app sideloading. ARM/WOA support is absent, but apparently that’s due to the extremely limited access to WOA devices for those outside of the selected few. I’m still waiting to be convinced of WOA’s role, especially when the price point rumours have it higher than what many may expect.

What’s next?

There are still several more Windows Intune sessions running including an Enterprise focused one tomorrow I am looking forward to, as well as asking more questions of the Intune and storage teams. Hyper-V will also get more session attention, there are still a few gaps I’m looking to fill.

Windows 8 Enterprise Edition Features And How They Relate To Windows Intune

[Edited April 25, 2012 to update the BranchCache information]

Microsoft has started to release details of Windows 8 Enterprise, which is important for Windows Intune subscribers who are wondering what they will eventually be able to take advantage of. Note that my commentary is based on the information that is available today, and that there could be further announcements that clarify some points.

As would be expected, it builds on top of the functionalities of Windows 8 Professional, and adds the following capabilities, which of course are subject to change as we get closer to the release.

Windows To Go

When I was first reviewing the Build content, the session on Windows To Go certainly got my attention. More recently I got even more excited when my Kingston contact mentioned that there may be something in the goodies pipeline if I behave myself. The ability to carry a Windows installation around on a high speed USB flash drive is certainly appealing for a variety of scenarios, and it tops the list of new capabilities in my eyes. As to how Windows Intune will support this from a licensing and a technical perspective is something we will need to wait on.

DirectAccess

Anyone reading this who has worked for an organisation that has deployed DirectAccess will know how fantastic a solution it can be. Removing the requirement to use a VPN to access your corporate network resources is a huge plus, especially for those who must go through extensive security checks each time they establish a VPN connection, or need to find their smartcard or RSA key.

For Windows Intune customers who have limited on-premises infrastructure, and instead rely on cloud services such as Office 365 or another hosted solution, DirectAccess doesn’t really bring much to the table. However, for customers who are still in a world where on-premises applications are required, it does simplify the user experience for accessing resources, and it really helps to blur the line between the corporate network and the Internet.

BitLocker

If BitLocker is something that sounds important to you, the main piece of advice I can give you now is to plan your hardware purchases to include a TPM chip. This will instantly rule out most consumer-oriented laptops, desktops, and x86 tablets. For those of you with MacBooks, unfortunately Apple has decided you don’t need a TPM. Just like they decided they don’t like number pads, or maybe even numbers. You think I’m joking? iPhone – no number keys. MacBook Pro – even the 17″ model – no number pad. The new iPad? It doesn’t have a version number. I think this subject involves future discussion, possibly over alcoholic beverages, and possibly while wearing tinfoil hats.
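Before buying hardware, it helps to know what you already have. The following PowerShell readiness check is an added example and is not code from the original post or from Microsoft; it assumes Windows 8 or Server 2012 (the Get-Tpm and Get-BitLockerVolume cmdlets from the TrustedPlatformModule and BitLocker modules) and an elevated prompt. The function name and the advice strings are my own.

```powershell
# Added example, not from the original post. Reports whether a PC can do
# TPM-backed BitLocker and what protectors its OS volume has today, so you
# can decide between "buy TPM hardware" and "accept a USB startup key".
# Assumes Windows 8 / Server 2012 (TrustedPlatformModule and BitLocker
# PowerShell modules) and an elevated prompt. Function name is my own.
function Get-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Get-Tpm throws on machines with no TPM driver at all; treat that as absent.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpm -and $tpm.TpmReady)   # enabled, activated and owned

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    $protectors = @()
    $volStatus  = 'Unknown'
    $protStatus = 'Unknown'
    if ($vol) {
        $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $volStatus  = [string]$vol.VolumeStatus
        $protStatus = [string]$vol.ProtectionStatus
    }

    # A TPM protector without a recovery password is a lockout waiting to happen
    # (firmware update, motherboard swap, PCR change).
    $hasTpmProtector = [bool]($protectors | Where-Object { $_ -like 'Tpm*' })
    $hasRecovery     = $protectors -contains 'RecoveryPassword'

    $advice =
        if (-not $tpmPresent) {
            'No TPM: budget for TPM hardware, or plan on the "Require additional authentication ' +
            'at startup" policy with a USB startup key or password (no boot-integrity binding).'
        } elseif (-not $tpmReady) {
            'TPM present but not ready: enable/activate it in firmware, then Initialize-Tpm.'
        } elseif ($protStatus -ne 'On') {
            "TPM ready, volume not protected: Enable-BitLocker -MountPoint $MountPoint -TpmProtector, " +
            'then Add-BitLockerKeyProtector -RecoveryPasswordProtector and escrow the password.'
        } elseif (-not $hasRecovery) {
            'Protected, but no recovery password protector: add one and escrow it.'
        } elseif (-not $hasTpmProtector) {
            'Protected without the TPM: consider migrating to a TPM (+PIN) protector.'
        } else { 'OK' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = $tpmPresent
        TpmReady         = $tpmReady
        Volume           = $MountPoint
        VolumeStatus     = $volStatus
        ProtectionStatus = $protStatus
        KeyProtectors    = ($protectors -join ', ')
        Advice           = $advice
    }
}

# Run locally, or fan it out with Invoke-Command for a fleet-wide view.
Get-BitLockerReadiness | Format-List
```

The interesting cases are the middle ones: a machine with a TPM that is present but not ready still needs firmware work before BitLocker can bind the volume key to boot integrity, and a machine that is encrypted but has no recovery password protector will eventually lock someone out after a firmware update.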

BranchCache

There is very good news on this front – the April 2012 Pre-Release of Windows Intune adds support for BranchCache for updates and software distribution. This is a huge benefit, and it is being delivered without any real infrastructure requirements.

What you need to be wary of though is that it is a peer caching mechanism (BranchCache’s distributed cache mode, where clients serve content to each other rather than to a hosted cache server). If the machines on the same network are all desktops that tend to be turned on for similar hours, the caching will work well. If they are laptops that come and go, or machines with aggressive power-saving policies that put them to sleep after short periods of inactivity, content that can’t be found on a peer will have to be downloaded again across the internet.

For a small network with a handful of computers, there are definite benefits here in terms of speed of update delivery as well as bandwidth savings. For larger organisations, or their branch offices, this is also a great capability, which makes this a welcome change for all.

AppLocker

AppLocker rules are normally deployed via Group Policy, so again the applicability will be determined by the on-site infrastructure. The rules can also be set in a machine’s local security policy, but that doesn’t scale, so a small organisation without an Active Directory isn’t going to benefit in the same way that a larger organisation will.
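For the non-domain case, the following PowerShell is an added example and is not code from the original post or from Microsoft. It builds an AppLocker allow-list from what is already installed and applies it to the local policy in audit mode. It assumes Windows 8 Enterprise (the AppLocker module cmdlets) and an elevated prompt; the function names, scan directories, output path and test file are my own choices.

```powershell
# Added example, not from the original post. Builds an AppLocker allow-list
# from the software already installed on a PC and applies it to the LOCAL
# policy in audit mode, for non-domain-joined machines where Group Policy is
# unavailable. Assumes Windows 8 Enterprise (AppLocker module) and an
# elevated prompt. Function names, scan directories and the output path are
# my own choices, not anything the post or Intune prescribes.
function New-LocalAppLockerPolicy {
    [CmdletBinding()]
    param(
        [string[]]$ScanDirectory = @($env:ProgramFiles, "$env:windir\System32"),
        [string]$PolicyPath = (Join-Path $env:TEMP 'applocker-local.xml'),
        [ValidateSet('AuditOnly', 'Enabled')]
        [string]$Enforcement = 'AuditOnly'
    )

    # Inventory executables and scripts. Signed files get publisher rules,
    # which survive updates; unsigned files fall back to hash rules, which
    # must be regenerated every time the binary changes.
    $files = foreach ($dir in $ScanDirectory) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
    }
    [xml]$policy = New-AppLockerPolicy -FileInformation $files `
        -RuleType Publisher, Hash -User Everyone -Optimize -Xml

    # Once a rule collection has any rule, everything not matched is denied,
    # so start in AuditOnly: event IDs 8003 (EXE/DLL) and 8006 (Script/MSI)
    # in the AppLocker operational log show what WOULD have been blocked.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = $Enforcement
    }
    $policy.Save($PolicyPath)

    # AppLocker is inert unless the Application Identity service is running.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc

    # No -Ldap parameter: this targets the local GPO, not a domain one.
    Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
    return $PolicyPath
}

# Dry-run files against the policy before switching it to Enabled.
function Test-LocalAppLockerPolicy {
    param([string]$PolicyPath, [string[]]$Path)
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$xml = New-LocalAppLockerPolicy
# notepad.exe lives under System32 and is Microsoft-signed, so it should come
# back Allowed via a publisher rule; anything dropped into a user profile
# that was not scanned should come back Denied.
Test-LocalAppLockerPolicy -PolicyPath $xml -Path "$env:windir\System32\notepad.exe"
```

Running this on each machine by hand is exactly the scaling problem the paragraph above describes: with Group Policy the same XML is assigned once to an OU, whereas here it has to be regenerated and reapplied per PC whenever unsigned software changes.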

VDI Enhancements

I don’t see the VDI enhancements as being a major player in the Windows Intune space. My logic behind this is that if you are going down the VDI path with Microsoft, you are probably committed to the various members of the System Center family, which really bring Microsoft’s VDI story together when combined with MDOP (which, as previously discussed, is an add-on option for Windows Intune today).

However… before I’m accused of thinking too small here, the April 2012 Pre-Release of Windows Intune and the new Company Portal have made me wonder whether there is a chance that, at some point, there may be better integration with App-V, or even the ability to launch published applications via an RDP session. As I don’t have any connection to the Windows Intune team this is purely speculation, but if we look at the additional capabilities that Azure has received, such as the virtual machine role, and now much tighter integration with Windows Intune via the directory services, there are many different paths Microsoft could take this down without necessarily requiring on-premises or third-party hosted VDI solutions.

New Windows 8 App Deployment

As this is a domain-joined PC feature, the AD capabilities of the organisation may be what determines how applicable this capability is going to be to Windows Intune subscribers.

Conclusion

The benefits really depend on the organisation and the infrastructure they have, but as we get closer to release some of these scenarios and random thoughts should be clarified.

MDOP component applicability to different types of Windows Intune users

The last update gave a quick run down on what MDOP includes, but now it’s time to see how these components can be used in various types of organizations. We will start with an unmanaged, distributed workforce, and add structure and potentially complexity through each example. The chart at the end of the post gives each component an applicability rating, but remember that these are just the views of the author, and I am more than willing to be swayed to change my view.

Unmanaged Distributed PCs
This is probably the scenario that will benefit the least from the MDOP add-on for Windows Intune, as many of the components require a more traditional, well-designed, highly available network infrastructure to allow their effective deployment and maintenance. Windows Intune itself can be installed on unmanaged, distributed, non-domain-joined PCs, which means some of the MDOP inclusions just aren’t applicable here; others, like the Asset Inventory Service, may have some very short-term value, but DaRT is definitely a very useful addition to the IT arsenal.

Unmanaged Centralized PCs
The big differentiator here is that we have bandwidth. Just what MDOP tools can we start using if we aren’t part of an AD domain? While many in the world of IT have spent years arguing over the best directory or network operating system to deploy, there are still many networks running in peer-to-peer mode in the SMB space, and while we may want to provide them with some more infrastructure, it may not always be as applicable as we like to think. It pains me to write this, as I was a user on one of the first NT-style domain rollouts, and then also a lab rat on one of the first AD global domain rollouts, so I fully appreciate the benefits of a directory.

Lightly Managed Distributed PCs
Now we have added domain-joined PCs into the mix, even if they are at the other end of slow connections and the AD management is quite basic. Suddenly the AGPM tool starts to bring value, and more of the MDOP components start lighting up for applicability.

Lightly Managed Centrally Located PCs
Now we have bandwidth and Active Directory capabilities, what more could we ask for? Well, a lot, and that’s why MDOP and other tools exist. This is where MDOP really starts to shine.

Well Managed Distributed Or Centrally Located PCs
I’ve included this category for the sake of completeness, but in reality I don’t see anyone swapping out their existing management solution for Windows Intune unless they have some very specific requirements to do so. An on-premises solution such as System Center may be more complex to deploy and support than Windows Intune, but the capabilities the combined System Center family offers far exceed anything Windows Intune will offer for quite a while.

Component                                       Unmanaged    Unmanaged    Lightly Managed  Lightly Managed  Well
                                                Distributed  Centralised  Distributed      Centralised      Managed
Asset Inventory Service (AIS)                   Low          Low          Low              Low              Low
Application Virtualization (App-V)              Low          Low          Medium           High             High
Enterprise Desktop Virtualization (MED-V)       Low          Low          Medium           High             High
Diagnostics and Recovery Toolset (DaRT)         High         High         High             High             High
BitLocker Administration and Monitoring (MBAM)  Low          Low          High             High             High
Advanced Group Policy Management (AGPM)         Low          Low          High             High             High

I don’t want to go into the ratings of everything above, but I do want to focus on a few of them.

Firstly AIS is listed as Low across the board, and the reason for this is that AIS is the basis for the software reporting capabilities that are in Windows Intune. There is a small window of opportunity for AIS to provide some inventorying capabilities as it is a lighter footprint client than the Windows Intune install, but this wouldn’t be a normal scenario.

App-V and MED-V only receive Medium scores in distributed environments due to the potential bandwidth requirements for deployments. If bandwidth isn’t a concern they can both become High.

DaRT is useful across the board as it will help solve issues with non-booting PCs, which is great inside of a large organisation, but also highly valuable if you have to do any remote recovery and repair work.

Looking at the chart, one of the things that should be clear is that MDOP shines when it has the right infrastructure to work with. While Microsoft would like all of its customers to have some type of Software Assurance (SA) on the desktop OS, combined with MDOP, that isn’t the case. Windows Intune allows customers who choose not to go down this path, or who missed the window of opportunity, to get many of the benefits of SA without an SA agreement. Now that I’ve typed that out, I think I may have to write an article comparing a Windows Intune subscription with SA. That will be the first licensing post for the site!

What’s Included In The Microsoft Desktop Optimization Pack add on for Windows Intune

The MDOP add on for Windows Intune is an interesting offering from Microsoft, allowing subscribers to get even more of the capabilities that would usually only be available to a customer under a Microsoft volume license agreement that included desktop software assurance.

MDOP is a collection of technologies from Microsoft, and here’s a description of it in Microsoft’s own words…looks like we need to remind them that it’s available via Windows Intune as well…

MDOP
The Microsoft Desktop Optimization Pack (MDOP) is a suite of technologies available as a subscription for Software Assurance customers. MDOP helps to improve compatibility and management (App-V/MED-V), reduce support costs (DaRT), improve asset management (AIS) and improve policy control (MBAM/AGPM).

Application Virtualization

Microsoft Application Virtualization (App-V) transforms applications into centrally managed services that are never installed and don’t conflict with other applications.

Microsoft Enterprise Desktop Virtualization
MED-V removes the barriers to Windows upgrades by resolving application incompatibility with Windows 7 and delivering applications in a Windows XP-based application compatibility workspace. Upgrades can proceed on schedule, and users can take advantage of the power of Windows 7 right away without losing access to applications they need while IT departments can remediate incompatible applications.

Advanced Group Policy Management
Microsoft Advanced Group Policy Management (AGPM), a core component of the Microsoft Desktop Optimization Pack for Software Assurance, makes it easier for IT organizations to keep enterprise-wide desktop configurations up to date, enabling greater control, less downtime, and reduced total cost of ownership (TCO).

Diagnostics and Recovery Toolset
Microsoft Diagnostics and Recovery Toolset, a core component of the Microsoft Desktop Optimization Pack for Software Assurance, helps IT teams make PCs safer to use, keeps employees productive, and enables desktops that are easier and less expensive to manage. Administrators can easily recover PCs that have become unusable, rapidly diagnose probable causes of issues, and quickly repair unbootable or locked-out systems, all faster than the average time it takes to reimage the machine. When necessary, you can also quickly restore critical lost files.

BitLocker Administration and Monitoring
Organizations around the world rely on BitLocker Drive Encryption and BitLocker To Go to protect data on Windows 7 PCs and portable storage devices. To make large-scale BitLocker implementations easier to manage, enterprises turn to Microsoft® BitLocker® Administration and Monitoring (MBAM).

Asset Inventory Service
Microsoft Asset Inventory Service (AIS), a core component of the Microsoft Desktop Optimization Pack for Software Assurance, provides a comprehensive view of your enterprise’s desktop software and hardware environment. AIS helps reduce total cost of ownership (TCO) and improve license compliance through advanced software inventory scanning and by translating inventory data into actionable information.

Well, all of this is well and good, but how well will these work for your company? That is the topic for the next post, where I will delve into what organisations of different sizes may benefit from with MDOP, as all of the pieces aren’t necessarily right for everyone.