Recently the company I work for got the change to have a conversation with a Worldwide Technical Solution Professional for Windows Intune. Exciting! So about one week ago a colleague and I went to Microsoft NL to meet up with the TSP who was at that moment visiting from the United States.
(thanks @Paul Bourgeau!)
We sat down with some questions we had and I thought it could be beneficiary for the interwebs to share this information. Probably some of you might have the same questions about Windows Intune. In the coming weeks I will be posting more “getting started” information about Windows Intune so subscribe to my blog to keep notified and keep coming back! Well here we go:
Q: Integration MS Store (W8) and Intune. What can we expect. Example: will it be possible to buy Apps from the store and deploy it through Intune?
A: A couple of things here: Windows Intune uses ‘side-loading’ to make applications available to PCs and mobile devices. This means end-users can visit a company portal, where they log in and browse applications their organization has made available to them. These are typically Line-of-business applications that are owned by the organization, and allow the end-user to be more productive on the device of their choice. This is different from the public Windows Store, where third party software developers can publish applications. It might be possible to purchase the rights to a public application and publish it in a Company portal, but this would be an arrangement between the organization and the software developer. The applications (both private and public) must be code signed by the owner, to identify its origin. The code signing process ensures the application is legitimate and is allowed to be installed on the Windows device. You can also publish a link to an application in the App Store as an “application” in the Company portal. If the end user selects the “application” he/she will be forward to the App Store.
Q: Integration Intune and System Center Configuration Manager on premise. Is it possible to make one “environment” that connects SCCM and Intune?
A: This is actually called “Defining the Management Authority”( http://technet.microsoft.com/en-us/library/jj884158.aspx). You connect the two by setting the Windows Intune Site System role in the Config Manager console. When you do this, you are asked to enter your Windows Intune organizational account information (the Intune Tenant Administrator). You then specify the user collection and site code in Config Manager for the users who will be managed in Windows Intune. If you connect Intune to SCCM the mobile devices that are managed will not even show up in the Intune Silverlight web console, all the features that Intune provides and all the management of those devices will be done out of the SCCM management console. All connections are SSL port 443 secured.
Q: Same with AD, SCOM etc. (what other infrastructure components does Windows Intune connect with)?
A: Intune can connect to AD Synch (and of course to Config Manager). You can also set up an Exchange Active Synch (EAS) connector to help manage devices that do not support direct management, such as Android devices. AD synchronization is actually a hosted service from MS Online that is used by O365 and Intune, and other online services. It is used to create the user objects in the Config Manager/Intune management solution. SCOM integration is not possible.
Q: Will it be possible to use something like GPO’s in Intune?
A: Not at the moment. If an organization already has GP in place in their environment and they apply policy to a PC through Windows Intune as well, then usually, the GPO policy will take precedence. The Intune policies are a subset that are focused on security, such as configuring firewalls, and setting up antimalware scanning schedules. More on this subject can be found here: http://technet.microsoft.com/en-us/library/jj676625.aspx
Q: On what kind of Internet Connections can Windows Intune work? I have read that Windows Intune uses approximately 5 mb per day but that can scale up to 125 mb during the initial installation fase, what does Microsoft recommend?
A: While Windows Intune requires relatively little bandwidth to operate (see http://technet.microsoft.com/en-us/library/jj662699.aspx), better connectivity is always a plus. Bandwidth usage will depend on the types of activities you perform, such as deploying patches and distributing software applications. If you are planning to use Intune for these types of activities (and you should), then you should investigate ways to optimize bandwidth usage, such as BITS or peer caching. In general the slowest connection Intune will work on is a dail-up 56k modem connection, but it’s not recommended. It’s recommended to use at least a 2 mb broadband connection.
Q: Is it possible to automate certain common administrative tasks with scripting in Windows Intune?
A: Scripting is not supported at the moment. However, it is possible to automate the distribution of updates, based on specified criteria. For example, you can set up an auto-approval rule that would automatically approve updates that fall into the ‘Critical’ category, eliminating the need to log in and manually deploy these updates every time one becomes available in the Windows Update Service.
Q: Is it possible to generate reports in multiple formats like doc, csv, xls or pdf and can these also be automated and emailed?
A: No, it’s only possible to export in csv and html format. Intune does use a lot of lists and nearly all of those and views can be exported to the previously mentioned formats. In addition, you can apply filters to the lists, to display a variety of data to meet your needs. These filtered views can also be exported.
Q: Can the System Center Endpoint Protection (SCEP) agent be installed on mobile devices, if yes then which are supported?
A: SCEP cannot be installed on mobile devices.
Q: The remote assistance functionality works with something called Easy assist. This needs to be installed on the machine when you want to use remote assistance. Fortunately you need local admin right as a user on the machine if you want to install this which is in most cases not possible. What does Microsoft recommend? Is Easy Assist to be deployed with GPO?
A: The Easy Assist actually gets installed with the installation of the Windows Intune client itself. The complete installation is made up out of 7 different component, with SCEP being the biggest chunk of the complete 125 mb package. The installation of the Windows Intune client requires admin rights, but once it is installed, it runs under the System context for the PC.
Q: What about remote assistance and windows 8 when and how will it be available?
A: Remote assistance is currently not supported in Windows 8. We have heard this feedback on the remote assistance feature, and we are investigating this for a possible future release. For now, our recommendation is to use the Remote Desktop Connection feature included in Windows 8.
Q: Why does Windows Phone 8 App Deployment need a $ 300,- Symantec certificate?
A: To enroll a Windows Phone 8 device in Windows Intune, you will need a $99,- Publisher ID and a $299,- certificate to code sign the applications with.
Q: Is there going to be an exam or partner certification status?
A: Yes, Microsoft is working on that. As a partner it’s possible to get a vTSP partner status.
Q: Does a customer really need an on-premise Exchange Server 2010 SP1 or later to support mobile devices? And if yes what kind of devices can be managed?
A: This is not necessary any more. Windows Intune supports the Windows Phone 8 and iOS platforms out of the box via direct management built into these platforms, nothing else is needed. If you want to support Android devices you still need an on-premise Exchange Server. We have also just introduced support for a connector to O365, so on-premise Exchange is no longer the only supported mail platform.
Q: What kind of company is the sweetspot for a Intune implementation?
A: Microsoft sees 2 great opportunities for Windows Intune:
1) Cloud only customers up to 5000 users.
2) Unified customers who want to benefit from their AD and SCCM environment and want to leverage Intune to extend to all their mobile devices. This unified scenario supports up to 100k devices.
All the devices used in above scenario’s can be domain- or non-domain joined. There is also a great benefit of using Intune if the devices are geographically dispersed.
Q: What happens if the endpoint device no longer is managed by an Intune license what are the steps to be taken? How to go from 1 company app store to another Intune company portal?
A: Basically you will have to unroll the device and then re-enroll to the new company portal.
Q: Is it possible to do a de-installation of software?
A: If the MSI supports it than yes you can. You will have to create a second package and use the uninstall switches for that program.
Q: Are there blog pages, mailing lists or partner webcast we can follow to keep us informed about new features?
A: There is not a mailing list but there is some online training available which you can find here:
http://www.microsoftvirtualacademy.com/Home.aspx (search under courses for Intune)
http://www.cableplugger.com/ (blog about Windows Intune)
