I just put together a short video highlighting some of the new capabilities of the Windows Intune April 2012 Pre-Release, the precursor to more detailed videos explaining the new features.
For those of you attending TechEd North America in June, here is the current list of Windows Intune sessions on offer. I will be attending these, and if you want to get together at the event to discuss what you are doing with Windows Intune, search for intunedin on the TechEd user portal.
WCL329 Windows Intune: Cloud Based PC Management (Technical Overview)
Speaker(s): Elias Mereb, Erdal Ozkaya
Tuesday, June 12 at 10:15 AM – 11:30 AM
Windows Client | Breakout Session | 300 – Advanced
Cloud Computing is changing the way we manage PCs in the enterprise. In this session we take a deep dive exploration into the cloud based Windows management solution. We explore all the security features, how to manage updates, how to create policies, and how to upload and deploy software, all this from a single web management console.
WCL328 Windows Intune for the Enterprise
Speaker(s): David Nudelman
Wednesday, June 13 at 5:00 PM – 6:15 PM
Windows Client | Breakout Session | 300 – Advanced
How can Enterprise-level companies benefit from Windows Intune? In this session, Windows Expert – IT Pro MVP David Nudelman shares his experiences with Windows Intune in large corporations.
WCL386 Windows Intune User and Device Management
Thursday, June 14 at 1:00 PM – 2:15 PM
Windows Client | Breakout Session | 300 – Advanced
No session description yet, but I think we can get an idea of what it will cover from the April 2012 Pre-Release and associated documentation.
[Edited April 25, 2012 to update the BranchCache information]
Microsoft has started to release details of Windows 8 Enterprise, which is important for Windows Intune subscribers who are wondering what they will eventually be able to take advantage of. Note that my commentary is based on the information that is available today, and that there could be further announcements that clarify some points.
As would be expected, it builds on top of the functionalities of Windows 8 Professional, and adds the following capabilities, which of course are subject to change as we get closer to the release.
Windows To Go
When I was first reviewing the Build content, the session on Windows To Go certainly got my attention. More recently I got even more excited when my Kingston contact mentioned that there may be something in the goodies pipeline if I behave myself. The ability to carry a Windows installation around on a high speed USB flash drive is certainly appealing for a variety of scenarios, and it tops the list of new capabilities in my eyes. As to how Windows Intune will support this from a licensing and a technical perspective is something we will need to wait on.
Anyone reading who has worked for an organisation that has deployed DirectAccess will know how fantastic a solution it can deliver. Removing the requirement to use a VPN to access your corporate network resources is a huge plus, especially for those who must go through extensive security checks each time they establish a VPN connection, or need to find their smartcard or RSA key.
For Windows Intune customers who have limited on premises infrastructure, and instead rely on cloud services such as Office 365 or another hosted solution, DirectAccess doesn’t really bring much to the table. However, for customers who are still in a world where on premise applications are required, it does simplify the user experience for accessing resources, and it does really help to blur the line between the corporate network and the Internet.
If BitLocker is something that sounds important to you, the main piece of advice I can give you now is plan your hardware purchases to include a TPM chip. This will instantly rule out most consumer oriented laptops, desktops, and x86 tablets. For those of you with MacBooks, unfortunately Apple has decided you don’t need a TPM. Just like they decided they don’t like number pads, or maybe even numbers. You think I’m joking? iPhone – no number keys. MacBook Pro – even the 17″ model – no number pad. The new iPad? It doesn’t have a version number. I think this subject involves future discussion, possibly over alcoholic beverages, and possibly while wearing tinfoil hats.
There is very good news on this front – the April 2012 Pre-Release of Windows Intune is adding support for BranchCache for updates and software distribution. This is a huge benefit, and it is being delivered without any real infrastructure requirements.
What you need to be wary of though is that it is a peer caching mechanism, so if the machines on the same network are all desktops, and all tend to be turned on for similar hours, the caching system will work well. If they are laptops that come and go, or machines that have aggressive power saving policies to put them to sleep after short amounts of inactivity, the updates will need to be downloaded again across the internet if they can’t be found.
For a small network with a handful of computers, there are definitely benefits here in terms of speed of update delivery as well as bandwidth savings. For larger organisations, or their branch offices, this is also a great capability, which makes this a welcome change for all.
AppLocker rules are normally deployed via Group Policy, so again the applicability will be determined by the on site infrastructure. A small organisation without an Active Directory isn’t going to benefit the same way that a larger organisation will.
I don’t see the VDI enhancements as being a major player in the Windows Intune space. My logic behind this is that if you are going down the VDI path with Microsoft, you are probably committed to the various members of the System Center family which really bring Microsoft’s VDI story together when combined with MDOP (which as previously discussed, is an add on option for Windows Intune today).
However… before I’m accused of thinking too small here, the April 2012 Pre-Release of Windows Intune and the new Company Portal has made me wonder if there is perhaps a chance that at some point in time there may be better integration with App-V, or even the ability to launch published applications via an RDP session. As I don’t have any connection to the Windows Intune team this is purely speculation, but if we take a look at the additional capabilities that Azure has received, such as the virtual machine role, and now much tighter integration with Windows Intune via the directory services, there are many different possible paths that Microsoft could take this on, without necessarily requiring on premise or 3rd party hosted VDI solutions.
New Windows 8 App Deployment
As this is a domain joined PC feature, the AD capabilities of the organisation may be what determines how applicable this capability is going to be to Windows Intune subscribers.
The benefits really depend on the organisation and the infrastructure they have, but as we get closer to release some of these scenarios and random thoughts should be clarified.
You can now sign up for the Windows Intune April 2012 Pre-Release here, and I’ve recorded the steps to do so.
You can read the official announcement from Microsoft on the Windows Team Blog.
Fresh from my inbox is the news that MDT 2012 is available from the Microsoft Download Center. With all of the other activity at MMS 2012 it would have been easy for this one to slip under the radar, but after having used the pre-release it brought in some welcome changes.
· Support for Configuration Manager 2012
· Customizable deployment questions
· Ease Lite Touch installation
· Secure deployments
· Reliability and flexibility
· Support for Windows 8
Support for Configuration Manager 2012: This update provides support for Configuration Manager 2012 RC2 releases. MDT 2012 fully leverages the capabilities provided by Configuration Manager 2012 for OS deployment. The latest version of MDT offers new User-Driven Installation components and extensibility for Configuration Manager 2007 and 2012. Users now also have the ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012.
Customize deployment questions: For System Center Configuration Manager customers, MDT 2012 provides an improved, extensible wizard and designer for customizing deployment questions.
Ease Lite Touch installation: The Microsoft Diagnostics and Recovery Toolkit (DaRT) is now integrated with Lite Touch Installation, providing remote control and diagnostics. New monitoring capabilities are available to check on the status of currently running deployments. LTI now has an improved deployment wizard user experience. Enhanced partitioning support ensures that deployments work regardless of the current structure.
Secure Deployments: MDT 2012 offers integration with the Microsoft Security Compliance Manager (SCM) tool to ensure a secure Windows deployment from the start.
Reliability and flexibility: Existing MDT users will find more reliability and flexibility with the many small enhancements and bug fixes and a smooth and simple upgrade process.
Support for Windows 8: MDT 2012 provides support for deploying Windows 8 Consumer Preview and Windows Server “8” Beta in a lab environment.
More Windows Intune documentation has hit the Microsoft download center, this time it’s the What’s New in the Windows Intune April 2012 Pre-Release document.
The document covers the following information, which gives a pretty good idea of where Windows Intune is heading.
Greater Control with a New Sign-in Service
Updated and New Administration Consoles
Mobile Device Management
The Windows Intune Company Portal: A New Self-Service Portal for Your End-Users
Enhanced Group Management
Integration with Microsoft Active Directory Domain Services
Recommended Policy Settings
Mobile Security Policy
Improved Alert Customization
New Updates Views for Update Compliance
Automatic Windows Intune Client Software Removal
Mentioned in the pre-release document in the last post, the Windows Intune April 2012 Pre-Release Online Help is now available, here are the links to currently available topics. Enjoy!
Seeming to fulfill many of the predictions that there will be a new Intune beta available during the Microsoft Management Summit this week, the Windows Intune April 2012 Pre-Release Getting Started Guide is up on Microsoft’s download pages, ready for your consumption.
Stay tuned in as we analyze it and eagerly await our beta invite to come through!
Microsoft has had some information on using MDT 2010 to build operating systems with the Windows Intune client installed already, but I thought it was worth taking a look at the process in MDT 2012 RC, and an approach for partners who may need to build images for several of their clients.
The first of two critical things to remember when deploying the Windows Intune client to new computers is that it needs Internet connectivity to complete the installation. If you want to keep your build environment isolated from your production network, take a look at some of my previous posts on Threat Management Gateway as a potential solution which also offers other benefits.
The second critical thing to remember is that you can’t deploy the Windows Intune client and then run sysprep to prepare for an image capture, as the machine will have already registered itself with the Windows Intune service.
Here’s a step by step guide to adding Windows Intune to your MDT 2012 RC environment. If you need to create an image for capture which includes the Windows Intune setup files and runs them after the Windows Out of Box Experience (OOBE), stay tuned, I’ll cover that in an upcoming post.
What I’ve done here is created three separate folders, each with the Windows_Intune_Setup.exe and WindowsIntune.accountcert file for three different fictitious companies I need to deploy Windows 7 to.
As we drill into the Contoso folder, you see the files for Contoso including their unique certificate.
If you right mouse click on Applications, you will see the New Application shortcut. Click this to add Contoso’s Windows Intune install to MDT 2012.
Here we choose Application with source files.
Now we can populate the details. Technically this is not the V2 client, but I’m using a naming scheme that is consistent and easy to recognize, for ease of updating in the future if Microsoft releases a new install package.
Here I have selected the Contoso folder for the source files.
We can change this folder name if we like, or alternatively you could follow a folder structure such as WindowsIntuneClient\Intune Client 1 etc to prevent the root applications folder from getting too cluttered.
Running Windows_Intune_Setup.exe with the /quiet switch ensures it runs in an unattended manner.
You can quickly review the summary to ensure that everything matches your goals.
And finally we can see the progress and save the output for documentation purposes.
Next up we need to add a command to a Task Sequence to install the client, which we can do by going to the properties of the Contoso Task Sequence I had created earlier.
At first you are presented with the General tab, but it’s the Task Sequence tab that we need.
On the Task Sequence tab, we choose install a single application.
And then we can hit OK and we are ready to go!
For all the praise that Windows 7 has received since its release, there’s still a great deal of Windows XP out there. You see it on people’s laptops in cafes and on planes, you see it in kiosks, you may have it in your own environment or see it when you visit your customers.
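A preflight check for the per-customer folder layout described above, as an added example that is not part of the original post: it confirms each customer folder holds both files and that no two folders carry the same certificate file, since the post describes each customer's certificate as unique. The root path `C:\IntuneSource` is an assumption; the two file names are the ones used in the post.

```powershell
# Added example: verify per-customer Windows Intune source folders before
# importing them into MDT as applications.
param(
    [string]$Root = 'C:\IntuneSource'   # assumed parent of Contoso\, etc.
)

$required = 'Windows_Intune_Setup.exe', 'WindowsIntune.accountcert'
$problems = @()
$certs    = @()

foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    # Both files must sit side by side in the customer's folder
    foreach ($name in $required) {
        $path = Join-Path $dir.FullName $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $problems += "$($dir.Name): missing $name"
        }
    }

    # Record a hash of the customer's certificate file for comparison
    $certPath = Join-Path $dir.FullName 'WindowsIntune.accountcert'
    if (Test-Path -LiteralPath $certPath -PathType Leaf) {
        $certs += [pscustomobject]@{
            Customer = $dir.Name
            Hash     = (Get-FileHash -LiteralPath $certPath -Algorithm SHA256).Hash
        }
    }
}

# Identical hashes in two folders mean a certificate was copied to the
# wrong customer, so that customer's PCs would register against the
# wrong account.
$certs | Group-Object Hash | Where-Object Count -gt 1 | ForEach-Object {
    $problems += "same accountcert in: $(($_.Group.Customer) -join ', ')"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Keep this table with the build documentation
$certs | Format-Table Customer, Hash -AutoSize
```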
The benefit for partners
One of the big benefits of Windows Intune for the Microsoft partner community is that they can target many of their non-Software Assurance (SA) customers to the latest version of Windows on the desktop, which otherwise may not have been a regular topic of conversation. For those of you who have been in the IT game for a while, you probably remember that back in the pre-Windows XP days, desktop upgrades, especially for the SMB market, were something that was more regularly done. Not necessarily in the same timeframes as Microsoft’s much more aggressive release cycles back then, but more regularly than today.
Most SMB customers don’t have SA on their desktops, which means retail upgrades are usually the option that needs to be investigated when new versions of Windows are required for upgrade scenarios, but for many of these customers the Enterprise upgrade within the Windows Intune subscription provides a good alternative.
Two main things went wrong. Firstly the long delay between the release of Windows XP and the release of Windows Vista. Users got extremely comfortable with the Windows XP interface, and the technical teams that deployed and supported new versions of the OS got extremely adept at using the Windows XP deployment and management tools. Microsoft allowed XP and its ecosystem to become the status quo.
The second piece of the problem was Windows Vista itself. The initial release, along with the drivers that were available at launch time, left a great deal to be desired. Over time though, Windows Vista’s performance did get better, especially in the time leading up to and including the release of the first service pack. Microsoft’s anemic hardware requirements and recommendations also hurt that initial release, and some machines that were shipped as Vista capable were far from it.
By the time these performance issues were addressed, it was too late for Vista to succeed, no matter how Microsoft marketed it. IT departments breathed a sigh of relief as it bought them a few more years of being comfortable with their existing environment, and users were happy as they didn’t have to migrate and learn anything new.
During this time I was working a great deal with Microsoft’s OEM partners on the Vista OPK (the OEM version of the WAIK), and faced similar challenges here too. The resistance to moving across to new tools and deployment methods impacted their production images which they had been perfecting for years. Changes to unattended setup and a different approach to imaging and testing were just some of the issues OEMs had to overcome.
What was the impact?
For those who watched the Vista experience without getting involved, they missed some major updates to the support and deployment tools, so by the time Windows 7 was on their radar, they really had a great deal of learning to do. For those who had deployed or at least tested Vista in a limited scope, the learning curve was smaller.
This again meant that some who felt alienated by the changes on the administration and deployment side clung to their XP world, while others rejoiced that they finally could see a valid replacement for the aging OS. The good thing for both groups though was that tools like the MDT and its forerunners got easier and more powerful, so the learning curve for new deployments continued to get easier.
Why isn’t everyone on Windows 7 already?
The list here is long and varied depending on who you talk to, but it may be as simple as time and money for some. For others it could be application compatibility issues that they fear. Others just may not care, happy to let their Windows XP environments run themselves into the ground before investigating alternatives.
Obviously you don’t want to have to work with those in the last category, as it means a rushed deployment of a new environment that is going to be an absolute headache for all involved. Planning an upgrade, or in this case I prefer to see it as a migration, from XP to Windows 7, takes time and testing if it is to be a smooth process. Software and hardware compatibility testing, user training and more should all be part of the larger test plan.
What’s the solution?
Well, Windows Intune isn’t the answer for everyone looking to get Windows 7 licenses. If someone already has a management solution and anti malware software in place that they are happy with, they should perhaps look at some of Microsoft’s licensing programs to see what best suits their needs.
For those keen on Windows 7 now and needing the additional cloud services that Windows Intune provides, it should definitely be investigated. For those keen on Windows 7 upgrades, but getting distracted by all of the Windows 8 activity, Windows Intune is still a great option because the upgrade to Windows 8 is something that Intune subscribers will be able to take advantage of. Sure, it may not be an automated deployment through the cloud onto their desktop, but not too far into the Windows 8 release cycle I’m pretty sure this is going to be one of the options on offer, just make sure to bring your own Internet connection.