[Edited April 25, 2012 to update the BranchCache information]

Microsoft has started to release details of Windows 8 Enterprise, which is important for Windows Intune subscribers who are wondering what they will eventually be able to take advantage of. Note that my commentary is based on the information that is available today, and that there could be further announcements that clarify some points.

As would be expected, it builds on top of the functionalities of Windows 8 Professional, and adds the following capabilities, which of course are subject to change as we get closer to the release.

Windows To Go

When I was first reviewing the Build content, the session on Windows To Go certainly got my attention. More recently I got even more excited when my Kingston contact mentioned that there may be something in the goodies pipeline if I behave myself. The ability to carry a Windows installation around on a high speed USB flash drive is certainly appealing for a variety of scenarios, and it tops the list of new capabilities in my eyes. How Windows Intune will support this from a licensing and a technical perspective is something we will need to wait on.


Anyone reading who has worked for an organisation that has deployed DirectAccess will know how fantastic a solution it can deliver. Removing the requirement to use a VPN to access your corporate network resources is a huge plus, especially for those who must go through extensive security checks each time they establish a VPN connection, or need to find their smartcard or RSA key.

For Windows Intune customers who have limited on premises infrastructure, and instead rely on cloud services such as Office 365 or another hosted solution, DirectAccess doesn’t really bring much to the table. However, for customers who are still in a world where on premises applications are required, it does simplify the user experience for accessing resources, and it does really help to blur the line between the corporate network and the Internet.

If BitLocker is something that sounds important to you, the main piece of advice I can give you now is plan your hardware purchases to include a TPM chip. This will instantly rule out most consumer oriented laptops, desktops, and x86 tablets. For those of you with MacBooks, unfortunately Apple has decided you don’t need a TPM. Just like they decided they don’t like number pads, or maybe even numbers. You think I’m joking? iPhone – no number keys. MacBook Pro – even the 17″ model – no number pad. The new iPad? It doesn’t have a version number. I think this subject involves future discussion, possibly over alcoholic beverages, and possibly while wearing tinfoil hats.


There is very good news on this front – the April 2012 Pre-Release of Windows Intune is adding support for BranchCache for updates and software distribution. This is a huge benefit, and it is being delivered without any real infrastructure requirements.

What you need to be wary of though is that it is a peer caching mechanism, so if the machines on the same network are all desktops, and all tend to be turned on for similar hours, the caching system will work well. If they are laptops that come and go, or machines that have aggressive power saving policies to put them to sleep after short amounts of inactivity, the updates will need to be downloaded again across the internet if they can’t be found.

For a small network with a handful of computers, there are definitely benefits here in terms of speed of update delivery as well as bandwidth savings. For larger organisations, or their branch offices, this is also a great capability, which makes this a welcome change for all.


AppLocker rules are normally deployed via Group Policy, so again the applicability will be determined by the on site infrastructure. A small organisation without an Active Directory isn’t going to benefit the same way that a larger organisation will.

VDI Enhancements

I don’t see the VDI enhancements as being a major player in the Windows Intune space. My logic behind this is that if you are going down the VDI path with Microsoft, you are probably committed to the various members of the System Center family which really bring Microsoft’s VDI story together when combined with MDOP (which as previously discussed, is an add on option for Windows Intune today).

However… before I’m accused of thinking too small here, the April 2012 Pre-Release of Windows Intune and the new Company Portal has made me wonder if there is perhaps a chance that at some point in time there may be better integration with App-V, or even the ability to launch published applications via an RDP session. As I don’t have any connection to the Windows Intune team this is purely speculation, but if we take a look at the additional capabilities that Azure has received, such as the virtual machine role, and now much tighter integration with Windows Intune via the directory services, there are many different possible paths that Microsoft could take this on, without necessarily requiring on premises or 3rd party hosted VDI solutions.

New Windows 8 App Deployment

As this is a domain joined PC feature, the AD capabilities of the organisation may be what determines how applicable this capability is going to be to Windows Intune subscribers.


The benefits really depend on the organisation and the infrastructure they have, but as we get closer to release some of these scenarios and random thoughts should be clarified.