Online Services for PC Management: Introducing Windows IntuneMarc ShepardPrincipal Program Manager LeadMicrosoft Corporation

SESSION CODE: WCL203

Session Objectives and TakeawaysSession Objective(s):

Overview of the Windows Intune offeringDemonstrate the functionality of the Windows Intune service

Takeaways:Describe how Windows Intune relates to Microsoft’s cloud strategyDescribe how Windows Intune saves customers time and money when managing PCsDescribe the functionality and scope of the Windows Intune service

Commercial Cloud Services

BUSINESS APPSCOLLABORATION STORAGE PLATFORMMANAGEMENTPRODUCTIVITY COMMUNICATIONS

Challenges in Managing Business PCs

Solution - Cloud Services & Windows 7

Fits Your Business(Big result with low investment)

Manage & Secure PCs Anywhere(Cloud services)

The Best Windows Experience(Standardize OS on Windows 7)

Multiple Configurations,Versions, Licenses

Workers in Many Locations

Lack of Insight to PCs

High Infrastructure Investments Required

The Best Windows ExperienceGet Windows 7 Enterprise and More

BitLocker To Go

Improved UI & Search

Better Mobility Experience

Speed, reliability, and responsiveness

Standardize on a single version of Windows to increase efficiency

Upgrade to Windows 7 Enterprise

Downgrade or run any version of your choice

Upgrades to future Windows versions

Help Manage & Secure PCs AnywhereWindows Intune Cloud Service

Enable a Mobile WorkforceUsers can be managed from the office, branch office, or on the roadIT and partners can work from anywhere too

Protect PCs from malware

Manage updates

Proactively monitor PCs

Provide remote assistance

Inventory hardware and software

Set security policies

Requirements

Administrative ConsoleA browser that supports Silverlight 3.0

Managed MachinesWindows 7 Enterprise, Ultimate and ProfessionalWindows Vista Enterprise, Ultimate and BusinessWindows XP Professional, Service Pack SP2 or SP3 (recommended)

Service Architecture

Ops and Support

Windows Intune Service

MonitorSupport

Contoso.com

Admin

Windows Update AgentSCOMMalware Protection (FEP)Lantern (SCCM DCM)EZ Assist

SSL,

WCF

, Ce

rts

SSL, WCF,

LiveID

• Proven agent technology• Highly available• Secure• Multitenant• Scalable• Private

foo.com

What you DON’T need to do to deploy Windows Intune(aka “why manage through the cloud?”)

Build and maintain server infrastructurePurchase server hardware, OS licenses, management software, etc.Install and configure each server (OS, database, security software, management software, etc.)Integrate into your networking environment

Secure itDesign for security (physical, networking, database, etc.)Assess and manage security on an ongoing basis

Make it highly availableDesign and implement a high-availability configuration (no single point of failure)Design and implement health monitoring (so you can respond to issues quickly)Design and implement a disaster recovery plan (backup, recovery, document the plan, fire drills, redundancy across physical locations, etc.)

Support roaming machinesDeploy internet-facing servers with additional hardening

Capacity planning• Design for current capacity with plans to scale as your business grows

Sign Up

Getting Started with Windows Intune

Microsoft Online Log In

Create additional administrators Initial Configuration

Update Products/Classifications Auto approval rules Agent policy Groups Alerts and notifications

Download enrollment package from console

Enroll your computers

Create additional administrators (Tenant Admins)

Initial Deployment ChecklistChose a technique to deploy the enrollment MSIs

GP-SI, psexec, login script, email, ACLed public share, …Enrollment will fail after seat limit is reached

Can retire computers or purchase more seats

Define your initial group structureNewly enrolled computers go to “Unassigned Computers”Can create additional (nested) groups as needed for reporting/policy boundaries

Typically by role or region (often nested by one then the other)Machines can belong to multiple hierarchies

Configure polices as neededMalware Protection: Conditionally enabled, …Windows Update: Daily scheduled install, …Firewall: Not configured, …

If using GPOs, filter them to not apply to Windows Intune clients (else GP overrides)Add admins, configure alert notifications, deploy security updates

Microsoft Confidential

Windows Intune Deployment Overview Admin console overview, Administrators, Groups and Computer Enrollment

DEMO

Update ManagementBuilds on WSUS and Microsoft Update frameworkDesign your update management workflows. Examples:

Auto-approve security updates to “All Computers”Manually approve “needed” non-SP updates to “Test”, then to “All Computers” a week laterManually approve a needed service pack to Test, gradually rollout via existing target groups (typically in a region/role structure).

Configuration optionsProducts and classifications (what updates do you want to manage)Auto approval rules (do you want to automate initial approvals?)WUA policies (e.g., daily or weekly scheduled install)

Can customize WUA “scanning, downloading, and installing” sample vb script for advanced scenarios; patch on first boot, non-standard install schedule, etc.

Management tasks (ongoing management is a trivial amount of work each patch Tuesday):Alerts for new updates to be approvedApprove and/or decline updatesMonitor status (needed, pending, failed, etc.) at the system, group, computer and update levels

Microsoft Confidential

Malware ProtectionBuilt on the Microsoft Malware Protection Engine

Provides anti-Virus, Anti-Spyware, and Anti-Malware capabilities (cleanup, blocking, quarantine, etc)Used by Forefront Endpoint Protection and Microsoft Security Essentials

Design your malware response workflowsNetwork quarantine?Flatten or fix?Based on severity, type, instance or frequency?

Run either Windows Intune malware protection agent or a 3rd party malware protection softwareDefault policy is Windows Intune is disabled if installed when 3rd party solution is present

System-wide, per group and per computer statusComputers that are not protectedComputers with protection warnings (scan overdue, definitions out-of-date, RTP disabled, etc.)Recently resolved malware or malware needing follow upComputers running 3rd party malware protection software

Alerts for new malware (so ongoing work is just reacting per you workflow)

Microsoft Confidential

Windows Intune Ongoing Management

DEMO

Asset Management

Software InventoryAccount-wide and per-computer list of detected softwareCategorized through the Asset Inventory Service (AIS) catalog

License ManagementImport of agreement pairsRetrieval of entitlements from the Customer License Position (CLP) serviceLicense purchase and installation reports

Per-computer hardware InventoryPer computer list of hardware components

Microsoft Confidential

Windows Intune Asset Management

DEMO

The Client Experience

Local application installed on managed PCMalware ProtectionUpdate ManagementRemote Assistance

Initiated by end user requesting assistanceAlert generated in admin console“Handshake” to initiate remote assistance session

Microsoft Confidential

End-user Assistance

DEMO

Key takeaways Windows Intune is an all-in-one solution:

Cloud based security and management serviceAll you need is an internet connectionManage remote machines, manage them from anywhere

The latest version of Windows EnterpriseHighly available, secure, private, scalable, multi-tenant service

Uses proven agent technologySimple to use, but scales to a large number of machines

Does not have parity with SCCMSuitable for some targeted enterprise scenarios (acquisition, remote branches, simple needs)Roadmap is to address all business customers

• Public Beta released April 2010• US, Canada, Mexico, Puerto Rico • Opened to first 1000 customers, closed the next day due to high demand

• GA: Within a year of beta • North America and EU

Milestones

Product Overview:www.microsoft.com/online/windows-intune.mspx

TechCenter:http://social.technet.microsoft.com/Forums/en-US/category/microsoftonlineservices/

Windows Intune Team Blog:http://blogs.technet.com/windowsintune

Where do I find out more?

Weekly, Monthly and Quarterly Rhythm of Topical Content

What is the Springboard Series?

To the IT pro, our goal is• Be the definitive resource for Desktop IT pros• Open, honest; show don’t tell• Information at right time, right level across Adoption Lifecycle

Inside of Microsoft we are• A turnkey IT pro engagement platform for depth and breadth• The program to mobilize MS marketing and field to

focus on desktop OS IT pros

Visit the Springboard Series on TechNet at www.microsoft.com/springboard

The Springboard Series IT pro experience offers dynamic content and structured guidance across the adoption lifecycle

DEPLOYPILOT MANAGEEXPLOREDISCOVER

Is it worth the pain?How does it change

my work? Is our environment ready? Is the organization ready?How do I maintain

and optimize?

one-Windows TechCenter in 10 languagesVirtual Roundtable Events

Springboard Technical Experts Panel Event Support

and Resources

Straight-talk Monthly Feature Articles and Overview Guides

TalkingAboutWindowsVideo Blogs

Resources

www.microsoft.com/teched

Sessions On-Demand & Community Microsoft Certification & Training Resources

Resources for IT Professionals Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet http://microsoft.com/msdn

Learning

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the

North America 2011 kiosk located at registrationJoin us in Atlanta next year

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

JUNE 7-10, 2010 | NEW ORLEANS, LA