SCCM For Poor - Windows Intune at Glance

by Dmitry Kirsanov 8. February 2012 13:00

How many products of major brands float under your radar, unnoticed and unevaluated? Perhaps Windows Intune is one of them, but if you are a Windows system administrator – that’s the one product you should know about, whether you’re using it or not. So this post is about Windows Intune.

In short, the Windows Intune cloud service is a Swiss knife which contains features of other Microsoft products, so in order to perfectly understand all why’s and how’s, you should understand the basic principles of these products and technologies:

All of them require servers in order to operate, and in the case of SCCM – even more additional servers, like Microsoft SQL Server 2008 and Windows Deployment Services and in some scenarios even Microsoft Exchange 2010. If you have a company with fewer than 300 computers, chances are – you are not using SCCM. However, SCCM is a very sophisticated deployment manager, allowing you to do wonderful things. For instance, you could deploy software packages to a group of computers and control that process. Deploy an operating system company-wide and define various rules for it. Imagine – a whole skyscraper full of computers could be deployed from bare metal in about one hour, and each division of the company will get their own settings – software packages, operating system settings and whatever you could imagine.

Use Case Scenario for System Center Configuration Manager (SCCM)

This is a real-life example of how SCCM could be used in your company. Imagine that you have 5 IT administrators and approximately 2000 users working with notebooks. Most of them require mobility, as they are auditors, and this requirement of mobility changed the IT culture of the company so much that all other employees started to use notebooks as well – although people could use docking stations and external keyboards and monitors at their desks, they could take their workstations to meetings and business trips, or even home when that’s permitted by security policy and has any business benefits.

Obviously, when you have 5 guys serving 2000 users, your system should be automated to the maximum, or you won’t handle the flow of support cases. That’s when SCCM comes to the rescue.

When any employee, a typical user of his notebook, realizes that he needs, say, Microsoft PowerPoint 2010 to be installed, he doesn’t call his system administrator. Instead, he goes to the corporate intranet page where he clicks “Manage My Software” and clicks the checkbox in front of “Microsoft PowerPoint 2010” title. If this thing was marked as “Free to install by request”, it is installed to his machine in a few minutes, automatically, and server deducts one license from PowerPoint 2010 license pool.

Besides, user may want to replace his operating system or report malfunction – say, computer is responding slower. In that case he goes to the same web page and requests, with the same simple check box selection, a new computer. According to the workflow (an algorithm that you can edit or create and which dictates how cases are flowing from initiation to conclusion), his request may undergo the supervisor’s acceptance, and then the most interesting thing happens.

The IT department receives a brand new notebook from the hardware supplier, with a blank hard drive – nothing is installed on it. They register that new computer in their system (mainly – giving it a name and writing down the MAC address of its network interface), connect it to the local network, switch it on – and without any additional moves from their side, it’s being deployed with the requested software in a matter of minutes. Then – it is carried to the workplace and the old computer is shut down and moved to recycling while the new one is switched on and all the user’s documents and settings are already there. So, for the end user, it took around two minutes - her computer was replaced and she didn’t notice any changes – her documents and mail are exactly where they were before. And what’s important – it didn’t take more than 5 minutes of IT personnel active participation as well.

Basically, SCCM is what stands above the WSUS and Deployment Services, but as you’ve seen – it can do a lot more.

However, it has a problem. The price and requirements. You would need to have quite decent hardware to make it work as designed. And system administrator with high qualification to set up and operate it. Because, you know, you need quite an experience to setup SCCM, SQL, WSUS and anything else you would love to have… Unless you are that qualified system administrator, of course, and in that case – my congratulations, you are one of a few qualified enough.

So while large companies with large scale of hardware devices and well established IT departments could afford such solution, small companies – you know, those, who are buying Windows Server Small Business Edition (SBS) – could not.

So the same way that Windows Small Business Server was an answer to small companies, who could not afford both a full-scale server operating system and a full-scale system administrator to operate it, Windows Intune was designed for those who need their systems to operate smoothly but can’t afford to do it properly.

Besides, that was yet another opportunity to use the “CLOUD” buzzword in order to attract customers.

The Microsoft’s SaaS trend

As described previously, Microsoft is trying to make all of its products have cloud-based counterparts. Office, CRM, Team Foundation Service – they all have both offline and online versions, but at the same time Microsoft has solutions that were born in the cloud – like SkyDrive.

A solution that could replace SCCM and WSUS and allow centralized corporate system administration would require something more. A hybrid system which is both a cloud and an offline solution. Or neither, depending on how you look at it.

Windows Intune Architecture

So, Microsoft made their new service similar to a clockwork – many parts working together, although autonomously.

It has the client side, the server side (which resides in the cloud) and the administration console. The client side is a program that has to be installed on each workstation that you want to manage using Windows Intune, and to manage all the workstations you will need to use the administration console, which supposedly could work in any browser but normally works only if you are using Microsoft Internet Explorer.

The client is connecting to the server and gets all the files and settings from it, as well as uploading reports.

Windows Intune Features

Although the service is not in beta phase anymore, and it was officially released in summer of 2011, some features are still as buggy as anthill.

For example, you can add Windows 7 Home Basic edition to your collection of computers and it will work as any other workstation, managed by Windows Intune. But you will get a warning in the management console, stating that you’ve installed the agent on “Unsupported edition of Windows”.

However, you cannot install the Windows Intune agent on any server operating system, like Windows Server 2008. So it seems like an artificial commercial impediment, which doesn’t add to trust.

Anyone could run your agent on his workstation and his workstation will be added to your collection of workstations. That costs about 11$ / month.

You must be an administrator to install the Windows Intune client and (although the official documentation states otherwise) you cannot install the Windows Intune client using Active Directory – it will just fail, stating that you should be an administrator. So, if you try to install it using Active Directory, you will end up with all your users getting an error message popping up at every logon. This is the outcome for many other actions within Windows Intune as well.

Licensing functionality is not functional at all. I mean – you may create the pool of licenses for your product and expect one license to be deducted after each installation. Well, you could expect like forever, because it won’t happen. It’s no more useful than an Excel sheet. Perhaps Notepad page would be a closer comparison.

Software Installation is a great way to get more calls for support than usual. Imagine that you are installing a popular application which has automatic update functionality. Say – Chrome, Firefox or Paint.NET. You could install it using Intune – it will install as an update (and chances are – not automatically, but only after the user interacts with the popup). But after this application – Chrome or Paint.NET – updates itself, the Intune agent will think that it’s not installed. And guess what? It will run the installation again. And this time it will fail, because it would try to install an older version of the already installed product. It will show an error message on every login.
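The reinstall loop described above can be modelled in a few lines. This is an added example, not code from Intune or from the original post: it assumes the agent treats only the exact packaged version as "installed" and that the installer refuses to downgrade, and it compares that with a "packaged version or newer" rule. The version numbers are constructed.

```python
# Added illustration: a model of an agent's "is it installed?" check.
# The rule names and version strings below are constructed assumptions.

def compare(a, b):
    """Compare dotted versions numerically; returns -1, 0 or 1."""
    va = tuple(int(p) for p in a.split("."))
    vb = tuple(int(p) for p in b.split("."))
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))   # so that 1.2 equals 1.2.0
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)

def agent_decision(installed, packaged, rule):
    """Return 'install' or 'skip' for one logon."""
    if installed is None:
        return "install"
    order = compare(installed, packaged)
    if rule == "exact":              # only the packaged build counts
        return "skip" if order == 0 else "install"
    if rule == "minimum":            # packaged build or anything newer counts
        return "skip" if order >= 0 else "install"
    raise ValueError("unknown rule: " + rule)

def run_installer(installed, packaged):
    """Assumed installer behaviour: it refuses to downgrade."""
    if installed is not None and compare(installed, packaged) > 0:
        return installed, "error"
    return packaged, "ok"

def simulate(rule, packaged, self_updates):
    """Replay logons; each item is the version the application updated
    itself to before that logon, or None if it did not update."""
    installed, outcomes = None, []
    for update in self_updates:
        if update is not None:
            installed = update
        if agent_decision(installed, packaged, rule) == "install":
            installed, result = run_installer(installed, packaged)
        else:
            result = "skip"
        outcomes.append(result)
    return outcomes

if __name__ == "__main__":
    logons = [None, "17.0.963.46", None]   # self-update before the 2nd logon
    for rule in ("exact", "minimum"):
        print(rule, simulate(rule, "16.0.912.63", logons))
```

With the exact-match rule every logon after the self-update ends in an installer error; with the minimum-version rule the agent leaves the newer build alone.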

After you uninstall the Intune Agent, it doesn’t uninstall any changes made by Intune nor does it remove any software installed by Windows Intune.

Still, Intune allows you to install and use the corporate antivirus, and even remove the existing antivirus solution you had on machine that you join to Windows Intune environment. This is especially handy when you are dealing with crapware like any product of Symantec. As you know, Windows notebooks are sold packed with lots of software titles which are little better than viruses.

The Windows Intune Client Side

I have mixed feelings about the main work horse of the Windows Intune.

In order to join the computer to the Windows Intune environment, you have to run the client setup program together with a little binary file which poses as the key, containing the information about your Windows Intune profile. The process is straightforward, and it makes all the changes to your system without asking additional questions.

It will install the Microsoft Antivirus – Microsoft Forefront Endpoint Protection. The signature updates will be delivered automatically as well. You can set it in the administration console – whether you want to leave your existing antivirus in place or replace it by Forefront. My advice is to replace, especially if you have something like Symantec Antivirus or even worse – Norton Internet Security, which usually comes together with cheap notebooks.

The agent also queries the server for policies that you set in administration console, and applies them accordingly. It also takes over the Windows Update functionality and supplies system updates from Windows Intune server.

The Policies are very much like Active Directory policies, except that in Windows Intune, your computers don’t have to be connected to any Active Directory. They could belong to different domains, or not be connected at all. For example, Windows 7 Home edition can’t join an Active Directory domain, but can normally participate in a Windows Intune environment.

However, Windows Intune gives you the right to use Windows 7 Corporate Edition. Which adds a little point to use Windows Intune.

The Windows Intune Administration Console

It’s a Microsoft Silverlight applet which connects to the Windows Intune services. Written in Silverlight means that it works in any browser. But it doesn’t. If you try to deploy any software using the Windows Intune Administration Console, you will notice problems trying to upload the setup files to the server. However, most features are also accessible from other browsers in case you are MSIE-sick.

Windows Intune Screenshot
As you may notice, the Windows Updates functionality is very similar to the one of WSUS.

For some reason, Microsoft decided to not make their administration console MMC-based applet, perhaps for the sake of mobility, but it mostly looks and feels like the modern MMC-based applets of Microsoft System Center servers.

Windows Intune Automation

Is not even promised. There is no API or SDK for Windows Intune and chances are – you won’t see one ever. So – no business model for you on top of Windows Intune. Which is for the best, because even though you might think that you could cut your IT department in half by simply rolling out Windows Intune, it’s not the case. In my opinion, the bugs and frustration caused by Windows Intune functionality would overload your support unit.

However, I found that it’s possible to automate the Windows Intune functionality, at least till the next hidden update of the back end. You could just decompile the Silverlight application using Reflector (it decompiles nicely right into the C# code) and see what web services it uses and how. Then – your application could mimic that behavior and pretend it’s a normal Silverlight applet with a normal user behind the keyboard, not a HAL 9000-alike entity.

However, Microsoft may change the whole system any moment, so any attempt to automate the Windows Intune is futile.


When I am thinking about Windows Intune, I can’t get rid of one very obvious comparison. Windows Intune is like German porn – no plot, no general idea, it looks like movie but it’s not, but still there are consumers. I wonder if Windows Intune and German porn movies target the same audience.

As one IT specialist mentioned in March of 2011 in reply to the news about Windows Intune being released – “When they say “hit the street”, they mean “ … after it’s been thrown out of a window in frustration””.

It will take some time for Microsoft to make Windows Intune a great product worth its subscription fee. We’ll return to that topic when it happens. Perhaps next year?
