Managing Windows RT tablets & Windows Intune Licensing Changes


Windows 8 RT is a new member of the Windows family, and one that’s caused/causing some confusion when it comes to management. It transpired a while ago that Windows RT PCs/tablets will not be able to join Active Directory domains and since then, people have been wondering exactly how they’d manage these devices. Well, the answer is here – Windows Intune & System Center Configuration Manager (SCCM) SP1.

“Windows Phone 8 and Windows RT devices will be managed by the next release of Windows Intune.  IT Pros will have the flexibility of using either the Windows Intune or Configuration Manager 2012 SP1 console to set mobile security policies, distribute mobile apps and view reports.  We’ll share more details as we get closer to the next release of Windows Intune.”

As Windows Intune is becoming more of a star, it’s getting some licensing changes too – always a favourite thing of mine :-)

  1. We are shifting from a per-device to a per-user licensing model.  Each user license for Windows Intune covers up to 5 managed devices.
  2. There will be a Windows Intune user license that includes the rights to System Center 2012 Configuration Manager, enabling organizations to manage those devices through either Windows Intune or Configuration Manager, or both
  3. Organizations that already own System Center 2012 Configuration Manager licenses, such as through the Core CAL, will have access to Windows Intune at a reduced price
  4. We will also make a version of Windows Intune available without rights to Windows Enterprise, thereby lowering the cost for organizations that are not ready to move to the latest operating system.

That final point is something I’ve been hoping to see since the first release of Intune. I’ve always felt that having the desktop OS and a systems management product intertwined muddied the waters and made it a more difficult proposition in many cases; so this is a positive move that will enable Intune to shine in its own light.

It’s also interesting to note that SP1 of SCCM will be able to manage other types of devices including:

  • Windows Embedded Thin Clients
  • Point of Sale (PoS) terminals
  • Digital Signage
  • Kiosks

as well as:

  • Distribution point for Windows Azure to help reduce infrastructure costs
  • Automation of administrative tasks through PowerShell support
  • Management of Mac OS X clients and Linux and UNIX servers

I’m pleased to see this move to bring Windows RT into the management fold, making it easier for partners AND customers to tell, understand and take part in the Windows 8 story.

    See the whole post over at:

    http://blogs.technet.com/b/server-cloud/archive/2012/09/10/system-center-2012-configuration-manager-sp1-beta-and-windows-intune-update.aspx

    System Center 2012 Licensing Changes


    System Center 2012 is getting closer and today saw Microsoft release details of the new licensing models.

    Currently the various System Center products (SCCM, SCOM, SCSM, DPM etc) can be purchased individually or as bundles; from 2012, however, it’s bundles only. There will be 2 flavours:

    • Standard
    • DataCenter

    with the difference being the number of OSEs (Operating System Environments) that can be managed:

    image

    Following DPM 2010’s lead there will now be no more console server licences or SQL needed, simply Management Licences for the endpoints being managed.

    Determining the number of licences needed will involve knowledge of the virtual environment & physical processors, similar to SQL:

    image

     

    System Center 2012 has a much greater focus on “The Cloud” and as such:

    image

    This enables organizations to move to a hybrid infrastructure much more easily.

    What if I already have System Center?

    If you have System Center with Software Assurance that is current at the time of 2012 General Availability you will receive the following grants:

    image

    What about Client devices?

    More changes abound here too, there are now 3 Client ML offerings:

    image

    It’s important to note that, as with the Server MLs:

    “Components included in the Client MLs are not available separately”

    Opinion

    Overall I think this is a good move. Again, Microsoft are modifying their licensing to make it more dynamic, more future proof and more accessible to companies going forwards.

    Yes, there will be situations where it works out more expensive for some companies but for the vast majority this is a great move…they’ll have the ability to deploy a wider range of System Center products with streamlined licensing, which is good for everyone :-)

    That said, I’m off to review a number of proposals to see how they map to the new models and what changes need to be made – good times! (Thing is, I actually mean that ;-))

    Any questions, let me know.

    Microsoft Windows Intune: Online Systems Management


    Microsoft Windows InTune is the new Cloud based systems management tool from Microsoft, formerly known as “System Center Online” and has been long awaited. The ability to manage multiple locations/organizations from one central, online point is attractive to a lot of people for a lot of reasons…so let’s take a look @ InTune.

    There are at least 10 sections inside InTune so I’m going to cover them in a number of posts, we’ll start with – System Overview:

    image

    image

    This is the first screen you see when you log in to the Windows InTune Admin Console and it immediately gives you a great overview of your systems. It shows:

    • If Machines are infected/unprotected
    • If there are updates for your machines
    • A number of other alerts

    Malware Protection:

    From here you can see which machines have Malware protection turned off completely and also if they have overdue scans or specific parts of the protection, such as USB device scanning, turned off.

    1 click takes you to a list of machines, from where you can turn on protection.

    Updates:

    This, not surprisingly, gives you a list of all the updates that are available for your machines, be they for the OS or applications.

    One issue with this is that, as default, it shows you ALL possible updates:

    image

    however, these can easily be filtered:

    image

    image

    Another problem I have noticed is that it wants to give my laptop updates for Office 2007, as well as Office 2010; oddly, this doesn’t happen with my other 2010 machines. I had a number of issues when upgrading Office versions and I’m inclined to believe that there are some Office 2007 remnants on the machine that are being picked up by Intune.

    Should you choose to approve an update for a machine/machines, you then reach this screen:

    image

    Choose the groups on which you want to install the updates, click approve and job done!

    I feel it would be a smoother experience, and require fewer clicks, if you could see the machine names on the same screen as all the updates. Currently, you must:

    • Select the update
    • click on “x computers need this update”
    • Check the groups/machines
    • Go back to the previous screen
    • Approve Update

    Showing the machine names/groups on the initial screen would remove a lot of that.

    You can also access the updates via the individual machine screen, I’ll cover that in a later post.

    Alerts by Type:

    This section, as well as the above, also includes other types of alerts…not just updates and malware. This is where InTune starts to differentiate itself from other products, for example:

    image

    If I click through, it tells me:

    image

    That is pretty cool, and something that is very useful for System Admins. I didn’t expect InTune to cover things like this, certainly not in the beta, so I’m pleasantly surprised :-) However, you can’t initiate the defrag from InTune.

    The 2 options on the right hand side “Create Computer Group” and “View a Report” will be covered in later posts.

    Summary:

    This is a brief look at just the first screen of Microsoft Windows InTune but I’m sure you will agree that it already looks very interesting. So stay tuned for the remaining posts in this series (at least 9!) and ask any questions you may have in the comments :-)

    Cheers

    Rich

    Microsoft Windows Intune: Second Beta


    Microsoft Windows Intune is a new product aimed at managing PCs in a new way. My original post can be found here:

    Read Windows Intune

    The initial beta was restricted to the US, Canada, Mexico & Puerto Rico and 1000 participants. Microsoft have now opened that up to another 10,000 users in the following countries:

    image

    To be eligible you need to deploy it to at least 5 machines and start within 1 week.

    If you’re interested, go and sign up here:

    http://www.microsoft.com/windows/windowsintune/windowsintune-experience.aspx

    Pricing

    The pricing of Windows InTune has now been confirmed for the States and it is:

    $11 per user per month

    That gets you:

    • Cloud based Desktop Management service
    • Anti Virus and Anti-Spyware
    • Windows 7 Enterprise Desktop Upgrades

    and, for an extra $1 per user per month, you can get the whole MDOP suite too. More MDOP info here:

    Read Microsoft MDOP

    Partner Features

    Many partners will be looking to InTune to provide them with a new way of generating revenue, through the ability to remotely manage their customers’ machines. This will reduce the need to travel, thus saving money on hotels and petrol and increasing profit margins. Microsoft have quickly, and cleverly, added in a new feature aimed at making this as easy as possible…the “Multi – Account Console”:

    This will allow partners to quickly and easily see a top level view of all the customers they manage and, through filtering, spot those needing urgent assistance immediately.

    Feedback:

    There is already a lot of positive feedback on Windows InTune from the first beta, such as:

    “I save about 40% of the time I used to spend managing PC updates, thanks to Windows Intune. It frees me up to focus on developing more custom applications—and bring on more customers”

    “I think we could expand our customer base by at least 10-15 percent immediately”

    “It accelerates their (customers) decision to make the move (to Windows 7)”

    The Future:

    Early 2011 will see the general availability of Windows Intune in the countries listed in the 1st screenshot above. It will then move to more European & Latin countries as well as “select” Asian locations.

    I’ve signed up to the beta and will hopefully have some posts following up on that experience soon.

    The MS Blog post can be found here.

    Windows Intune


    Windows Intune is the newest addition to the Microsoft Online Services stable…and it’s a biggie! Do you remember System Center Online Desktop Manager (SCODM)? Did you notice that it all went quiet on that front? Well here it is with a new name…

    What is it?

    Windows Intune is a cloud based, central management system aimed at SMB’s of up to 250 machines (or so).

    “Windows Intune simplifies how businesses manage and secure PCs using Windows cloud services and Windows 7—so your computers and users can operate at peak performance, from virtually anywhere.”

    Intune covers many of the areas that IT Managers find difficult and time consuming such as:

    • Managing Updates
    • Pro-active monitoring
    • Malware Protection
    • Asset Tracking (Hardware & Software)
    • Remote Assistance
    • Setting Security Policies

    Windows Intune screenshot

    Extra Features:

    It’s not just great central systems management that Intune gives you; you also get:

    Software Assurance: Subscribing to InTune allows you to upgrade all your machines to Windows 7 Enterprise and take advantage of features including:

      • Bit Locker to Go
      • Federated Search
      • Direct Access
      • and more

    You also receive

    “new features or updates to Windows Intune or the Windows operating system automatically as long as your subscription is active”

    so say “Hello” to Windows 8 further down the line :-)

    Despite this, you can run Vista, or even XP, as your corporate desktop OS.

    MDOP: The Microsoft Desktop Optimization Pack is a great set of tools including MED-V & App-V that make managing your environment easier and more cost effective. See more info here. The Asset Inventory Service (AIS) component of MDOP is already included as part of InTune.

    How can I get it?

    It’s currently in beta, limited to 1000 customers in US, Canada, Mexico & Puerto Rico. If one of those is your locale, go sign up here:

    http://www.microsoft.com/online/windows-intune.mspx

     

    Relation to existing Products.

    Microsoft have had on-site management products for years. First SMS & MOM and now the System Center family such as:

    • SCCM (System Center Configuration Manager)
    • SCOM (System Center Operations Manager)
    • SCE (System Center Essentials)

    These products are becoming more and more popular among both corporate customers and the education sector, and have been marked by Steve Ballmer as an area of big focus for the coming years. Microsoft have also put a lot of effort into their Online Services but could still do with a real killer product to help those small to medium businesses (SMB’s) fully embrace “The Cloud”. Thus it makes sense that they’ve combined the 2 and created InTune.

    My thoughts are all around how InTune will sit alongside products and offerings that already exist. It is very much an online version of System Center Essentials, although InTune can’t do Application Deployment and SCE doesn’t include any ForeFront Protection. A breakdown is below:

    image

    However I do think that it could cause a lot of confusion when it comes to Software Assurance. As a Channel Licensing Specialist I, and my company, have done a lot of work around Software Assurance – especially as it relates to Windows 7. It seems to me that InTune may well undermine a lot of the work we (and other partners) have done in this area to show the whole range of benefits that SA offers…many of which aren’t included with the new offering.

    It will also muddy the waters when it comes to purchasing Windows 7 & SA now. InTune is slated to be available in many more countries within 12 months of the beta; so companies considering Software Assurance within the next 6-12 months (say) may now push the projects back in order to evaluate InTune. Not great for partners or the channel.

    Conclusion

    As a product, I think InTune is great. I’m a big fan of BPOS (as a concept, although it hasn’t reached its potential yet) and adding management tools to the Suite is a really good way of both bolstering the Online offering and helping more people reap the benefits of Microsoft’s management expertise.

    I am, however, more cautious about its effect on the perception of SA and project timelines over the coming 12 to 18 months.

    To find out more about Windows InTune, go here:

    http://www.microsoft.com/windows/windowsintune/default.aspx

    Microsoft System Center Configuration Manager (SCCM) Dashboard


    System Center, in particular Config Manager aka SCCM, is becoming more and more popular with customers and clients at work. People looking to start enhancing and automating tasks such as OS deployment, app distribution, patch management etc as well as those who’ve started down this path, often with Altiris, and are now looking for a more rounded solution, are all asking for/happy to listen to information about SCCM. There’s more info on SCCM as a product here but in this post I specifically want to talk about the Dashboard that’s in beta.

    About the Dashboard

    System Center Config Manager Dashboard’s aim is to make it even easier for IT administrators to access and digest key information about their network and infrastructure, quickly and effortlessly even when not at the Management Console. The Dashboard lets you:

    • Track OS & App deployments
    • Track Security updates
    • Check the health status of computers
    • Check compliance with IT regulations

    all via a customizable web interface. It’s based on Windows Sharepoint Services (WSS) so its key features include:

  • Easy access to key information without using the Configuration Manager console  
  • Centralized view of Configuration Manager data sets
  • Data can be viewed in graph, table, or Dundas* gauge formats
  • You can create custom dashboards for different departments, based on site user’s group membership.

    *I will try and confirm if this is limited to Dundas or whether SAP’s Crystal Xcelsius can be used here too.

    Join the Beta Program

    Sign up to the English only Beta here.

    How it works:

    Here’s a great diagram from the technet site:

    Ff369719.image1(en-us,TechNet.10).jpg

    The Process Flow goes a little something like this:

  • An IT Service Manager requests a new data set.
  • The IT Administrator uses the Dashboard Configuration Web Part to define the new data set.
  • The IT Administrator stores the configuration information for the new data set (the information is saved in the Windows SharePoint Services Content database).
  • The IT Administrator adds a new copy of the Dashboard Viewer Web Part to the default Configuration Manager Dashboard and then modifies the Web part to display the new data set.
  • The IT Service Manager browses to the Configuration Manager Dashboard site.
  • Windows SharePoint Services queries the Configuration Manager site database as specified by the data set configuration.
  • Windows SharePoint Services renders the new data set using the Dashboard Viewer Web Part.

    The Technet page is here:

    http://technet.microsoft.com/en-us/library/ff369719.aspx

    Microsoft Data Protection Manager 2010 & Seagate


    Microsoft’s Data Protection Manager (DPM) is soon to arrive in its 2010 incarnation (first half 2010) so this week’s TechEd Conference is revealing a host of new features.

    DPM is currently a Windows focused product which, while not surprising, is quite limiting in many corporate IT environments these days. So with 2010, Microsoft have joined together with Seagate and OEM’d their i365 software to extend protection to heterogeneous environments including:

    • Linux
    • Unix
    • Netware
    • IBM iSeries
    • Oracle
    • VMWare

    A great list…but you’ll notice no Mac support :-)

    This will instantly remove one of the main barriers to DPM adoption in enterprises, as many places have at least a few Linux/Unix servers running in their datacenters.

    Microsoft will also be offering online backups via Seagate’s EVault service and datacenters. It includes data compression and data de-duplication to reduce bandwidth hit and has:

    “a network of SAS 70 Type II certified, Tier 3 and 4 hosting facilities, WAN optimised backup and recovery, disaster recovery experts and processes, and a 12-year track record protecting data for over 22,000 customers across the globe”

    according to Seagate.

    What I find strange is that this doesn’t utilise any of Microsoft’s online services…in particular Microsoft Azure. With BPOS offering an online hosted archive, it seems strange that this technology can’t be extended to store other, non email, data too.

    Is using eVault just a temporary measure until Azure is fully up and running? I don’t know but I would expect that it’s in the long term plan to fold all this inside Azure…maybe some kind of Seagate purchase will happen?!

    I’m also keen to find out if the data compression and de-duplication are offered to customers who choose to back up on-site to local tape, NAS, SAN etc. De-Dupe is one of the big features Symantec are touting for the next release of Backup Exec (14 I guess to keep with superstition); if MS are including that too then it will really steal some thunder!

    Thanks to The Register for this…

    Free Microsoft Virtualization e-book


    Microsoft books are usually pretty excellent, with great content covering great products in great detail…but they can often be pretty expensive too. However, Microsoft have made available, for free - yep, completely gratis - a wonderful e-book on their Virtualization technologies. Called “Understanding Microsoft Virtualization Solutions”, it covers:

    • Hyper-V
    • App-V
    • MED-V
    • Virtual Machine Manager (VMM)

    and more…and is fantastic! It’s full of great information, how-to’s & descriptions as well as diagrams such as:

    image

    Go and download right now here.

    System Center Desktop Error Monitoring (SCDEM)


    SCDEM is the newest addition to the MDOP family and it’s a corker!

    What does it do?

    SCDEM captures all application & OS failures across your enterprise and stores them in one central location, to enable your technicians to track, monitor and pro-actively respond to issues.

    This is like a local version of the “Send error report to Microsoft” box you sometimes get when apps crash and hang. While it’s good for MS to have this information, in a larger enterprise it’s more immediately useful for the in-house IT team to have it. This way they can identify error trends and match them up to recent changes they’ve made to the network, desktops, 3rd party software etc-thus quickly identifying, and (hopefully) fixing, the problem.

    It also enables you to create a company specific knowledge base of fixes for errors.

    Advantages of SCDEM

    Increase productivity of users: Once SCDEM has been running for a while, IT will have had a chance to identify and correct the vast majority of common issues. That means that there will be fewer errors on the desktops and thus less downtime for users. The internal knowledge base will also make it easier for end users to be pro-active and solve their own issues without having to log a ticket with the help desk.

    Easy Deployment: Because it uses the standard Windows error reporting system, all it takes to get SCDEM deployed to however many 1000’s of PCs you have is a single Group Policy in Active Directory - nice huh? :-)

    Advanced Reporting: SCDEM provides many different reports to show which applications crash most, when they crash etc so that IT can make well informed decisions when it comes to patching and fixing.

    For anyone who is using SCDEM and having problems, I’ve just found a great whitepaper on Troubleshooting this program. Download here. The Technet blog post is here.

    If you head over to this Technet blog, you can see a great video of SCDEM in action-here.

    Application Virtualization (App-V)


    Microsoft App-V is what was formerly known as SoftGrid and it’s some pretty clever stuff :-)

    Its main feature is to virtualize applications; this isolates them on the user’s workstation and reduces application conflicts - thus reducing end user downtime. However, the apps can still fully interact with each other (copy & paste etc), so users still get the experience they’re used to.

    The latest version is 4.5 and major highlights include:

  • HTTP streaming. Support for streaming virtual applications from an IIS server (v6 or v7) providing dramatic performance and scalability improvements for large App-V deployments.
  • Re-designed Sequencer. Simplifies the process and reduces the complexity of creating virtual application packages.
  • Dynamic Suite Composition (DSC) for MSI packages. Consolidate virtual environments, control virtual application interaction, enable faster, easier administration.
  • Seamless integration with System Center Configuration Manager 2007 R2. Allows customers to easily deploy virtual applications through the System Center Configuration Manager 2007 R2 infrastructure and scale their deployments.
  • Client cache improvements. The maximum size of the client cache has been increased to 1 TB.
  • Improved Manageability. Integration and support for VSS writer, Operations Manager management pack, ADM template.
  • Accessibility. The product is now Section 508 compliant, bringing App-V in line with Microsoft shipping requirements.

    Most conversations I have with schools include App-V as they often have odd bits of software like “Science for GCSE 1997” and “Maths is brilliant V 2.3” that don’t play nice with each other - and App-V is a great way to solve that.

    See the Technet MDOP page here.

    Advantages of using App-V:

  • Streams applications on demand over the Internet or via the corporate network to desktops, terminal servers, and laptops.
  • Automates and simplifies the application management lifecycle by significantly reducing regression and application interoperability testing.
  • Accelerates Windows and application deployments by reducing the image footprint.
  • Reduces the end-user impacts associated with application upgrades, patching, and terminations. No reboots required, no waiting for applications to install, and no need to uninstall when retiring applications.
  • Enables controlled application use when users are completely disconnected.
  • Integrates with System Center Configuration Manager to enable physical and virtual deployments through the same people, process and technologies.

    Licensing:

    It needs to be noted that there are 2 versions of App-V available to buy.

    App-V as part of MDOP: For use in standard environments.

    App-V for Terminal Services: For use in Terminal Service environments only. App-V’s application virtualization allows any application to run alongside any other—even applications that normally conflict, multiple versions of the same application, and many applications that previously could not run under Terminal Services.

    Terminal Services