Cloud Security: Managing the Cloud with Windows Intune
*Windows Intune is a new cloud-based PC management solution that can help you keep your organization’s PCs secure, updated and manageable, no matter where they’re located. We will go into detail on each workspace that is available and the benefits it provides. We’ll also delve into the technical architecture. *
What is the deal with cloud computing? Seems like that’s all we hear about these days. By now, you’ve surely done some research to figure out why you should care about the cloud, or perhaps in your case, why you shouldn't care.
The case for cloud computing as a platform for delivering IT services is compelling for many organizations. Today's IT environments have evolved into disparate, distributed landscapes that make it harder and harder to manage using traditional on-premise tools. Typically, however, there is one common denominator: Internet connectivity. So if your IT organization faces challenges, such as an increasingly mobile workforce, road warriors, geographically widespread offices, branches or locations, you might consider cloud services.
Cloud-based services have been around for some time and have usually focused on a narrow range of solutions, such as customer relationship management and e-mail. Companies who were more likely to move to these types of solutions were traditionally smaller, but that trend is changing.
In addition to small and midsize businesses (SMBs), we are now seeing larger enterprise organizations moving some of their infrastructure to the cloud. Additionally, we are seeing a wider range of offerings as a hosted service, allowing organizations to move their entire IT operations up to the cloud, rather than just parts of it. Microsoft has committed to the cloud as part of its future, offering a wide range of services such as Azure, HealthVault, Exchange Online and Live Meeting.
Going with a web-based service has a number of benefits, including:
- Easy to get up and running
- Rapid time to results
- No onsite infrastructure required
- Subscription-based utility model with a low, predictable cost
- Support for diverse IT ecosystems
- Ability to manage your Windows PCs wherever they are, from anywhere
Windows Intune is a new cloud-based PC management solution that can help you keep your organization’s PCs secure, updated and manageable, no matter where they’re located. We will go into detail on each workspace that is available and the benefits it provides. We’ll also delve into the technical architecture.
Windows Intune Architecture Overview
When developing an online service, certain criteria need to be considered:
Reliable: Nothing hurts the credibility of a cloud-based service more than finding the site is down when you’re trying to log in. Windows Intune will offer a financially backed service level agreement of 99.9 percent scheduled uptime.
Responsive: Using Windows Intune won’t save you much time if you sit there and stare at a spinning blue donut every time you perform an action.
Scalable: Following the credo that you can manage PCs anywhere and from anywhere, Windows Intune was designed with global availability. Having more PCs in your account should not slow things down, either.
Secure: Last but certainly not least, customers must be confident that their data is stored securely and safe from unauthorized access. Microsoft has been managing datacenters for years, uses state-of-the-art infrastructure and has developed detailed processes to help ensure customer data is kept safe.
At the heart of the service, SQL Server is used to house customer data in a multi-tenant format. Customer data is stored in silos, to ensure it’s kept separate and private. The service includes loadbalancing and numerous system redundancies to minimize downtime and to enhance responsiveness. In addition, the service was designed to support geo-location, which will allow it to potentially serve customers located around the world. Comprehensive monitoring of the service is in place using System Center Operations Manager, so that the operations team is proactively notified of any impending issues.
From the client side, communications with the service take place through a secure channel using Secure Socket Layer (SSL), and the Windows Communication Foundation (WCF) framework is used to broker the sessions with the web services layer the client connects through.
Figure 1: Windows Intune at a Glance
The User Experience
Because Windows Intune is available to all segments of the IT industry, it needs to be easy to use. A lot of thought was put into designing a user experience that’s both intuitive and readily available from any Internet-connected PC. Microsoft Silverlight is an aesthetically pleasing and navigable user interface,presented in the Admin console, where the various workspaces are accessible through a set of tabs that include guidance on using that particular function.
Throughout the console, you have access to “dashboard” information containing red/yellow/green indicators so you can rapidly determine the overall health of your PC population. At logical places throughout the console, you’ll find search boxes to rapidly locate the information they’re looking for. Navigation is designed so you can click on links to delve into deeper detail, or to display content relevant to the task at hand.
You can organize your computers into groups and subgroups in order to better manage subsets of your PC population. In addition, PCs can belong to multiple groups, which lets you have any number of layered logical categories. For example, you can create groups to represent geographical locations, and then have another set of groups to represent business functions, such as sales, marketing and administration.
Windows Intune also lets you have multiple administrators in an account. This can let one administrator handling remote assistance requests, while another might be responsible for managing the updates that are delivered to your managed PCs.
Figure 2: The Windows Intune Administrator Console
Windows Intune Deployment
In the spirit of a hosted service, enrolling PCs is a straightforward task. System requirements are equally simple: managed PCs need to be running Windows XP SP3 or higher and be connected to the Internet (sorry, dial-up won’t cut it). To enroll a PC, the Windows Intune client software must be installed. This is a Windows Installer file (MSI) that’s less than 10MB, and is available in 32- and 64-bit versions, downloadable from the Administrator console. The MSI file is deployed to PCs in any manner that is most appropriate for the IT environment, such as via Group Policy, software distribution tools, or even manually. The MSI installs silently on the PCs, so no user intervention is required and no end-user interruptions should be noticed. To access the Administrator Console, all you need is a Silverlight-enabled browser.
Each account in Windows Intune has its own unique MSI that has been digitally signed, so the PC it‘s installed on knows to which account it belongs. The first time the PC contacts the service, its account-specific digital certificate is exchanged for a PC-specific certificate, so now the PC is uniquely identified in the service. All communications are performed via SSL, so data is transferred securely.
Once you’ve successfully installed the MSI, it performs a number of configuration changes to the PC. First it redirects the Windows Updates settings so that the PC will now be securely contacting the Windows Intune service for its updates, thanks to its digital certificate. At this time, the PC should appear in the Administrator console as “enrolled.”
Next, the Windows Intune client downloads and installs the remainder of the Windows Intune agents that will allow the PC to be fully managed, including the Antimalware agent, the monitoring agent, and the Remote Assistance agent. Once this process is completed, the PC is fully enrolled and manageable, and all information about the PC (update status, software inventory, hardware inventory) is available for review.
The Client software also includes the “Windows Intune Center” utility, which is accessible from a shortcut on the enduser’s desktop. The Tools dialog allows the user to view his update status, access the antimalware dialog where he can choose to initiate an antimalware scan and submit requests for remote assistance. These are covered in more detail later in this article.
Figure 3: The Windows IntuneCenterDialog
Interestingly, the Microsoft team that developed Windows Intune is also the team that develops the Microsoft update services, including Windows Update and Windows Server Update Services, so it’s no surprise that update management is one of the key features in Windows Intune. Using the Updates Workspace, an administrator can view available Windows updates, select updates to install, target specific groups of PCs for installation, and schedule installations to occur at specified times. Anyone who has worked with WSUS will notice similarities in the way updates are viewed and managed in Windows Intune.
When a PC is managed by Windows Intune, update management activities are routed through the service, so PCs no longer connect directly to the Windows Update service directly. Rather, the Windows Intune service obtains its listing of available updates from WU, and then presents them to the administrator for review and action. In essence, it becomes “WSUS in the cloud.”
To make locating and managing updates simpler, a number of filters have been provided. Administrators can filter updates by product category, such as Office or Windows, and also by classification. Once an update has been located, it’s approved and scheduled for installation. The administrator can also opt to set a deadline for installation and designate specific groups of PC to receive the update. Each update includes links to related Knowledgebase articles to help the administrator better understand its purpose.
To deliver the Malware Protection capability, Windows Intune partnered with the Microsoft Endpoint Protection team. When a PC is enrolled, a check is performed to see if any third-party antimalware solution is installed. If there is, the Windows Intune Malware Protection agent will install, but will remain in a disabled state. If no antimalware solution exists, the Windows Intune Malware Protection agent will be enabled and will begin protecting the PC from malware, spyware and viruses. Malware status of all PCs is reported to the console for review by the administrator, who can view recent malware events, and jump to more detailed information about events using contextual links to Microsoft Malware Protection Center.
You can configure Malware Protection on managed PCs using the Policy Workspace, where the administrator can define scanning intervals, what is to be scanned, and a host of other options.
Monitoring and Alerts
Alerts tie many of the workspaces together, as they’re used to advise the administrator of issues such as detected malware, remote assistance requests, updates, policy and Windows Intune client health. With the Alerts Workspace, administrators can choose from a wide variety of monitoring elements and receive alerts when specified thresholds have been exceeded. Alerts can be received either through the administrator console or via e-mail to designated individuals or groups.
Windows Intune uses the System Center Operations Manager client to monitor PCs, and the output data is reported back to the Windows Intune service. Alerts can be viewed in a summary “dashboard” format for all managed computers or by category within each respective workspace. Alerts are displayed with an associated severity (informational, warning or critical) to assist administrators in prioritizing their response.
Using the Administrative Workspace, it’s possible to create a notification rule for each alert or category of alerts so that an e-mail will be sent to designated individuals for follow-up. E-mail recipients can be Windows Intune administrators or external e-mail addresses or distribution groups, so that individuals receiving e-mail notifications do not necessarily have to have access to the Windows Intune Administrator console.
Figure 4: TheAlertsWorkspace
Detailed software and hardware inventory is collected by the Windows Intune Software agent. The hardware inventory is primary to aid in the identification of PCs and to provide detailed configuration information. Hardware inventory includes items such as make, model, serial number, BIOS data, CPU, hard disk, RAM and network adapter data, as well as installed video and printer drivers.
The software inventory is performed by scanning the PC’s MSI database, registry entries and Start menu. The inventory includes publisher, title, version and application language. This information is then compared against a master software catalog and can provide additional information about the software title, such as category. The catalog also serves to rationalize software titles into more consistent groupings of publishers and versions, which removes a lot of the complexity that often surfaces when viewing software inventory data.
The output of the software inventory is found in the software report, which provides a detailed sortable listing of all installed applications, including counts and categories.
Tracking Microsoft Volume License agreements is a complex and demanding task. The Licenses Workspace allows organizations to upload their volume license agreement numbers into the service, which are then used to retrieve all the associated entitlement data from the Microsoft Volume License Service. The entitlement data can be refreshed at any time to ensure accurate information. This entitlement data is then used in a reconciliation report and compared against installed quantities. The results are available in the License report, which can be produced at any time and exported for offline storage. It should be noted that this data is private, can only be viewed by the customer, and is not used to enforce compliance.
Figure 5: The Windows Intune Software Installation Report
It should also be noted that if you are a subscriber of the Microsoft Desktop Optimization Pack (MDOP), which is a suite of IT management tools available to Volume Licensing customers who have purchased Software Assurance, you will have access the Software and License Workspaces in the Asset Inventory Service, which is included. AIS 1.5 will be migrated over to this new platform and will benefit from the new user interface and enhanced features described here.
Again, the Windows Intune Engineering team benefited from their experience with Group Policy (another area owned by the same team), to deliver some elements of policy. Note that the Policy workload in Windows Intune does not replace Group Policy, nor does it offer a parity of features—yet. In the first release, the Policy Workspace allows administrators to configure Malware Protection and Update settings, customize the Windows Intune Client Tools dialog to display specific support contact information, and define end-user firewall configurations.
For example, with this workspace, an administrator can push policy to managed computers that determines how often Malware scans take place and what kind of scan to perform (quick or full) and how often a PC checks for updates and when those updates are installed.
Rest assured that if you have Group Policies in place in your environment, your GPOs will always take precedence, so no conflicts should occur.
To round out the workspaces, a Remote Assistance feature is included. One of the most time-consuming tasks an administrator has is supporting endusers, which often involves physically visiting the PC to assist in troubleshooting end-user issues. Endusers can use the Windows Intune Tools dialog that’s available on their desktop to submit a request for assistance. Remote Assistance in Windows Intune is delivered in partnership with Microsoft Easy Assist, which is a hosted service, which is part of Microsoft Live Meeting.
When an end user makes a request, an alert is sent to the Windows Intune service. This alert can also be configured to send an e-mail to a designated individual, which can be set up in the Administration area of the console. When administrators accept the request, they’re joined to a remote desktop sharing session with the end users and can see their desktops. Upon consent of the end user, the administrator can assume control of the end users’ desktops to help them with the issues they’re having.
The ability to transfer files from one computer to the other and to chat with the enduser is also included in this feature.
Figure 6: The Administrator’s Remote Assistance dialog
Windows Intune represents Microsoft’s first foray into the world of desktop management delivered as a service and is a major pillar of the company’s overall strategy to move towards the cloud. This initial release of Windows Intune includes a comprehensive array of management capabilities, but it’s only the beginning. Expect to see more management workspaces to be introduced as the service evolves.
As of the writing of this article, Windows Intune is available as a limited beta and is expected to be available in 2011. The current beta service was received with such excitement that the all-available accounts were snatched up within 24 hours of the service’s availability. However, there will be more opportunities to try the Windows Intune cloud service.
You can find more details about the service at windowsintune.com. Visit this site regularly for update on the progress of Windows Intune. Also, the Windows Intune Team blog site provides comprehensive information about the service, as does the Windows Intune TechCenter page on TechNet.
Paul Bourgeau came to Microsoft by way of the April 2006 acquisition of Assetmetrix, a small Canadian company that delivered IT asset management as a service. He has worked in IT-related industries as a trainer, training developer, technical writer, LAN manager, and customer business and best practice consultant and implementation specialist for enterprise solution providers. He currently manages beta programs and CPE for Windows Intune and the Asset Inventory Service.