
Windows Intune
Mark Parris
MCM & MVP: Directory Services
@markparris
http://markparris.co.uk/feed
[email protected]
Agenda
Windows Intune: Overview
Windows Intune: Requirements
Windows Intune: Architecture
Windows Intune: A Deeper Dive
What’s Next?
Questions?
More Info
Overview
Windows Intune
Windows Intune is a Windows CLIENT, cloud-based management solution
Windows Intune works on domain-joined and non-domain-joined PCs
Security is certificate based.
Requires no server infrastructure to deploy.
Availability
Serviced from 6 Global datacenters.
Capabilities
Protect PCs from malware with centralised protection built on the
Microsoft Malware Protection Engine. This leverages the same
trusted technologies as Forefront Endpoint Protection and Microsoft
Security Essentials.
Centrally manage the deployment of Microsoft updates and
service packs to all your PCs.
Proactively monitor PCs with alerts on updates and threats so
that you can identify and resolve issues before they significantly
impact productivity.
Capabilities
Provide remote assistance regardless of where the partner or user
is located.
Track hardware and software inventory to help customers with IT
planning and asset management.
Set security policies. Centrally manage update, firewall, and
malware protection settings across all PCs, even on remote machines
outside the corporate network.
Requirements
Windows Intune
Administrative Console
A browser that supports Silverlight 3.0
Clients that can be managed
32-bit & 64-bit versions of:
Windows 7 Enterprise, Ultimate and Professional
Windows Vista Enterprise, Ultimate and Business
Windows XP Professional SP2 or SP3 (SP3 recommended)
Requirements
Windows Intune
Hardware
Internet Connection
500 MHz CPU
256MB RAM
200MB Disk Space
Additional Benefits
Microsoft Desktop Optimization Pack (MDOP)
Available as an optional add-on
(Application Virtualization (App-V); Enterprise Desktop Virtualization (MED-V); Advanced Group
Policy Management (AGPM); Diagnostics and Recovery Toolset (DaRT); BitLocker Administration
and Monitoring (MBAM); Asset Inventory Service (AIS) ).
Standardise the Windows Client
Windows Intune subscribers can standardise on Windows 7 Enterprise or
any other supported version of Windows (7, Vista or XP) and have
upgrade rights to future versions of Windows.
Windows Intune Architecture




Agents report to the Windows Intune service
Support engineers access the data via the Web-based console
Ports 80 and 443 are all that is required for agent communications
Windows Live ID is required for administrative access
Administration Console
Installation Process
• Package Download
• Installation
• Initial Agent Install
• Agent Download and Report
• Reboot typically Required
• Delete - WindowsIntune.accountcert
Intune Components
Component: Path
Windows Intune: %ProgramFiles%\Microsoft\OnlineManagement\Common\*.*
Windows Intune Center: %ProgramFiles%\Microsoft\OnlineManagement\Client UI\*.*
Windows Intune Endpoint Protection: %ProgramFiles%\Microsoft\OnlineManagement\Host Protection\HostProtection\*.*
Windows Intune Monitoring Agent: %ProgramFiles%\Microsoft\OnlineManagement\Monitoring\*.*
Microsoft Online Management Policy Agent: %ProgramFiles%\Microsoft\OnlineManagement\PolicyAgent\*.*
Microsoft Easy Assist: %ProgramFiles(x86)%\Microsoft Easy Assist\*.*
Microsoft Policy Platform: %ProgramFiles%\Microsoft Policy Platform\*.*
Microsoft System Center Operations Manager 2007 R2 Agent: %ProgramFiles%\System Center Operations Manager 2007\*.*
Windows Firewall Configuration Provider: %ProgramFiles%\Windows Firewall Configuration Provider\*.*
Microsoft Online Management Update Manager: %ProgramFiles%\Microsoft\OnlineManagement\Updates\*.*
Client Software Switches
Available installer switches:
Windows_Intune_Setup.exe /?
Windows_Intune_Setup.exe /quiet
Windows_Intune_Setup.exe /extract %Temp%
Deployment Methods
• Direct Download
• Network Share
• Flash Drive
• Electronic Software Distribution
• Software Publishing
• MDT 2010
• 3rd Party solution
• Remember to protect your Cert!
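One way to script the install and certificate clean-up steps above on a client, as an added example rather than a script from the presentation or from Microsoft. Function names and folder paths are hypothetical, and it assumes WindowsIntune.accountcert sits next to Windows_Intune_Setup.exe in the downloaded package.

```powershell
# Added example. Function names, parameters and folders are hypothetical.
# Assumption: the account certificate ships beside the setup executable.

function Install-IntuneClient {
    param(
        [Parameter(Mandatory = $true)][string]$PackageDir,  # share, flash drive or download folder
        [string]$StageDir = (Join-Path $env:TEMP 'IntuneStage')
    )
    $setup = Join-Path $PackageDir 'Windows_Intune_Setup.exe'
    $cert  = Join-Path $PackageDir 'WindowsIntune.accountcert'
    foreach ($f in $setup, $cert) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing package file: $f" }
    }
    # Stage locally so the client never depends on the source staying mounted.
    New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
    Copy-Item -LiteralPath $setup, $cert -Destination $StageDir -Force
    # /quiet is the unattended switch listed under Client Software Switches.
    $proc = Start-Process -FilePath (Join-Path $StageDir 'Windows_Intune_Setup.exe') `
                          -ArgumentList '/quiet' -Wait -PassThru
    return $proc.ExitCode
}

function Remove-IntuneAccountCert {
    # Last step of the installation process: delete every copy of the
    # account certificate under the given folders and report what was removed.
    param([Parameter(Mandatory = $true)][string[]]$Root)
    $removed = @()
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        $hits = Get-ChildItem -LiteralPath $r -Filter 'WindowsIntune.accountcert' `
                    -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer }
        foreach ($file in $hits) {
            Remove-Item -LiteralPath $file.FullName -Force
            $removed += $file.FullName
        }
    }
    return $removed
}

# Example run (constructed paths):
#   $code = Install-IntuneClient -PackageDir 'E:\IntunePackage'
#   Remove-IntuneAccountCert -Root (Join-Path $env:TEMP 'IntuneStage'), "$env:USERPROFILE\Downloads"
```

Run the clean-up only once the installation steps listed above have finished, and point it at every folder the package was copied to on the client.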
Installation Behaviour Changes
Start Client Installation
Is AV installed?
  N: Install WIEP
  Y: Is MSE or FEP installed?
    Y: Upgrade to WIEP
    N: Is EP Policy enabled?
      N: Do not install WIEP
      Y: Is AV upgradable?
        N: Install WIEP in parallel
        Y: Uninstall AV & install WIEP
Script Solutions
Uninstall Script
Available via:
mymfe.microsoft.com/WindowsIntune/Feedback.aspx?formID=615
AgentUninstall_Intune.cmd
Enact Policy Now Script
Available from the Windows Intune Support team.
EnactPolicy.ps1
EnactPolicy.cmd
Malware Protection Updates
Protection Agents updated to FEP 2010
Malware Protection renamed
Windows Intune Endpoint Protection.
Proactive Detection
8 Hour Update Cycle
Proactive Detection
Generics/Heuristics
Allows a single signature to detect thousands of files, using emulated
behavior or binary characteristics.
Dynamic Translation
Translates code that accesses real resources (unsafe) into code that
accesses virtualized resources (safe).
Behavioral Monitoring
Tracks behavior of unknown processes and known good processes gone
bad.
Dynamic Signature Service
Queries reputation data on “interesting” files. If a file is known bad, a new
signature is delivered to the requesting client in real time.
Network
Vulnerability Shielding
Inspects all traffic for known exploits to known vulnerabilities. If system is
already patched, this feature is automatically disabled.
Windows Intune Update Process
[Diagram: Microsoft Update Service, Managed Computer, Windows Intune administrator console]
1-Any new updates?
2-Any new updates?
3-These updates apply to me
4-Approved for deployment?
5-Approved
6-Check for approved updates
Windows Intune Groups
The default groups are All Computers and Unassigned Computers
On client installation, computers are added to both default groups
Create custom groups to organize computers in your customers’ organizations
Computers can belong to multiple groups
Deploy updates and policies to groups
Child groups inherit updates and policies from parent groups
Windows Intune groups are independent of Active Directory groups
Policy Application
• Policies enable you to centrally control settings on managed computers
• After you create policies, you deploy them to one or more computer groups
• Policy changes are distributed as updates to managed computers
• Policy conflicts management:
  • Group Policy settings take precedence
[Diagram: Policy 1, Policy 2, Policy 3]
Alerts
Alert types:
• Endpoint Protection
• Monitoring
• Notices
• Policy
• Remote Assistance
• System
• Updates
Alert severity levels:
• Critical
• Warning
• Informational
Alerts
Endpoint Protection. This appears in the console when a managed computer has been infected by
malicious software and there are tasks that you should perform in Windows Intune to investigate or
follow up. This type of alert also occurs if there are problems with the Endpoint Protection client.
Monitoring. This appears in the console when health issues for specific applications or operating
systems occur on a managed computer. These issues can include running out of disk space or there
being insufficient RAM on a managed computer. Monitoring alerts are organized into subcategories that
include Microsoft desktop applications such as the 2007 Microsoft Office system and the 2003 Microsoft
Office System, Microsoft Office XP, Windows 7, Windows Vista, and Windows XP.
Notices. This appears in the console when updated Windows Intune client software is available for
download in the Administration workspace.
Policy. This appears in the console when there are problems with a policy on a managed computer.
Remote Assistance. This appears in the console when a user requests remote assistance.
System. This appears in the console when deployment of the Windows Intune software has failed.
Updates. This appears in the console when you need to review and approve security or critical updates.
Alerts
Recipients
Service administrators use the Windows Intune administrator console to
manage PCs
E-mail notification recipients receive messages when particular
alerts occur:
Administrators can be recipients, but recipients are not
necessarily administrators
Recipient management involves:
Adding recipients—administrators are automatically
recipients
Configuring notification rules
Software Management
• The Software workspace is built upon Microsoft Asset Inventory Service (AIS)
• It provides data on installed software on all managed computers
• Each software title has an entry in the list:
  • Software publisher
  • Name
  • Installation count
  • Category
• Software reports are available in the Reports workspace
Software Management
Platform and management—Desktop and network infrastructure and management software that enables users to
control the computer operating environment, hardware components and peripherals, and infrastructure services and
security
Education and reference—Training or help files for a specific application
Home and entertainment—Applications that are primarily designed for use in or for the home, or for entertainment
Content and communications—Typically includes Office productivity suites, multimedia players, file viewers, Web
browsers, and collaboration tools
Operations and professional—Applications that are designed for business uses such as enterprise resource
management, customer relations management, and supply chain and manufacturing tasks
Product manufacturing and service delivery—Product manufacturing and service delivery applications that help users
create products or deliver services in specific industries
Line of business—Used for critical business software such as accounting applications for an accounting firm or supply
chain management for an Internet sales company
Software Management
Hardware Management
License Management
Reporting
• Windows Intune supports two types of reports:
  • Custom reports that export data from the current screen
  • Reports in the Reports workspace
• Report types:
  • Update status reports
  • Software reports
  • License reports:
    • Installation Report
    • Purchase Report
Reporting
Windows Intune Center
Windows Update Services
Endpoint Protection
Remote Assistance
• It is based on the Microsoft Easy Assist Live Meeting service:
  • Firewall “friendly”: ports 80 and 443
  • Initiated by the end user
• It enables:
  • Desktop sharing
  • Application sharing
  • Secure chat
  • File transfer
  • Multiway sessions
Microsoft Easy Assist
– It is only required on:
• Administrator computers that Windows Intune does not manage
– It enables:
• Desktop sharing
• Application sharing
• Secure chat
• File transfer
• Multiway sessions
http://support.microsoft.com/gp/cp_livemeeting2007_easyassist
Troubleshooting
Log files
%programfiles%\Microsoft\OnlineManagement\Logs\
Deployment Errors
http://onlinehelp.microsoft.com/en-us/windowsintune/ff628150.aspx
More Information
Forum:
http://social.technet.microsoft.com/Forums/en-US/windowsintune/threads
Blog:
http://blogs.technet.com/b/windowsintune/
Facebook:
http://www.facebook.com/WindowsIntune
Twitter:
http://twitter.com/windowsintune
Springboard Series:
http://windowsteamblog.com/windows/b/springboard/
What’s Next?
Windows Intune
Sign up for a trial account
microsoft.com/windows/windowsintune/pc-management-how-to-try-and-buy.aspx
Follow the trial guide:
microsoft.com/windows/windowsintune/get-the-most-from-your-trial.aspx
Provide feedback in the forum
Help Microsoft prepare for the next release.
Q&A
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows 7, Windows Vista and other product names are or may be registered trademarks and/or
trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date
of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.