1

New Features: What’s new in Windows Intune?

Contents Release Overview .......................................................................................................................................... 2

Unified Enterprise Management Solution ................................................................................................ 2

User-based Licensing .................................................................................................................................... 5

Extending Client Support .............................................................................................................................. 5

Understanding Mobile Device Management ................................................................................................ 6

Customizing the Company Portal Application .............................................................................................. 8

Distributing Windows 8 and Windows Phone 8 Applications ...................................................................... 8

Dynamic Group Configuration Wizard Updates ........................................................................................... 9

Updating Endpoint Protection Policy .......................................................................................................... 10

Summary ..................................................................................................................................................... 11

Resources: ................................................................................................................................................... 12

2

Release Overview This release of Windows Intune establishes the service as the premier way to manage personal

computers and mobile devices for both small and medium businesses and large enterprises.

Unified Enterprise Management Solution With this update, you can now manage mobile devices either directly from the cloud-based Windows

Intune management solution or with Microsoft System Center 2012 Configuration Manager with SP1 by

using a new Windows Intune connector. Figures 1 and 2 provide an overview of how these two

configurations can help manage devices either directly through the cloud or through Configuration

Manager on-premise:

FIGURE 1: WINDOWS INTUNE CLOUD CONFIGURATION

Figure 1 shows the classic cloud-based configuration; existing users of Windows Intune will be familiar

with this approach. With this arrangement, IT administrators use the Windows Intune web-based

Administrator console to access the management features on the client computers and mobile devices.

Figure 2 shows the new unified on-premises configuration, in which the administrator can use the

Configuration Manager 2012 SP1 management console to access the management features for the

supported clients.

3

FIGURE 2: WINDOWS INTUNE INTEGRATED ON-PREMISES CONFIGURATION

By using the Configuration Manager console, administrators can manage operations on a day-to-day

basis. Its single pane of glass helps to manage not only servers, desktops, and laptops, but also mobile

devices. Figure 3 shows management of all supported device types from a single console.

FIGURE 3: CONFIGURATION MANAGER CONSOLE

4

This configuration can help administrators manage all the organization’s devices through a single

console and get added insight into the ways employees use their mobile devices to access company

data.

The Configuration Manager infrastructure enables support for very large installations. This release

supports installations of up to approximately 100,000 users, computers, and mobile devices in a single

management infrastructure.

The following table summarizes the enhancements that this release of Windows Intune provides,

enhancements listed in italics are only applicable in the Windows Intune unified configuration:

Windows Intune core

updates Unified management experience with integration of on-premises Microsoft

System Center 2012 Configuration Manager with SP1

Support for up to approximately 100,000 computers through the System

Center 2012 Configuration Manager connector

Support for Windows 8 Professional and Enterprise edition clients

Installation of Windows 8 applications through a self-service portal

Direct linking of Windows Store applications to the self-service portal

Enhanced dynamic group creation wizard

Extended security policy settings

People-centric updates Support for up to five devices per managed user

Support for up to approximately 100,000 users via the System Center

Configuration Manager 2012 connector

New Company portal customization options

Mobile device

management updates Windows RT and Windows Phone 8 device management

Corporate self-service portal applications for both Windows RT and

Windows Phone 8 application installations

Extended iOS settings management support without the need for

Exchange ActiveSync

Support for up to approximately 100,000 mobile devices via the System

Center Configuration Manager 2012 connector

Configuration of Windows RT VPN through System Center 2012

Configuration Manager SP1 console

This guide is intended to provide you with information about the new features and updates that are

specific to the December 2012 Windows Intune release. If you are not familiar with Windows Intune, we

recommend that you check the Windows Intune web site at www.windowsintune.com for the full range

of features that Windows Intune provides.

5

User-based Licensing This release of Windows Intune updates adds new licensing options to help organizations with managed

users who employ multiple devices, rather than focusing on one device at a time. Each new license is for

a managed user and that single licensed user can have up to five managed devices*. This new approach

can provide more flexibility to organizations that plan to implement a “bring your own device” strategy.

Microsoft has introduced these new licensing options to help integrate Windows Intune into hybrid

management solutions that include both cloud-based and on-premise System Center-based

management systems. This unified hybrid device management license can help simplify the process of

licensing mobile and personal computer devices, because it licenses the user rather than the device.

The following list outlines these new licensing options:

1. Windows Intune. The new default option for most organizations, basic licensing now provides

access to the Windows Intune service for a user with up to five devices. It also includes use

rights to System Center Configuration Manager so that you can integrate the Windows Intune

service with an on-premises solution

2. Windows Intune with Windows Software Assurance. This option provides access to the

Windows Intune service for up to five devices per user and also includes a Windows Software

Assurance (SA) license for one of those devices. As a result, it’s a good option for organizations

that need to upgrade PCs to Windows 8 Enterprise.

3. Windows Intune Add-on for System Center Configuration Manager. Available to organizations

with an existing System Center volume licensing agreement. It extends the System Center

management capabilities through the Windows Intune cloud service to help you manage both

existing Configuration Manager managed devices and new mobile devices using the

Configuration Manager management console.

*Note: All Licenses are per user, but the Windows SA is for one primary device per user.

Extending Client Support Windows Intune can now help you manage the entire family of Windows 8 devices, including:

1. Windows 8 Professional (x86 and x64 architectures).

2. Microsoft Surface Pro.

3. Microsoft Surface.

4. Windows RT devices.

5. Windows Phone 8 devices.

Windows Intune classifies Microsoft Surface, Windows RT, and Windows Phone 8 devices as mobile

devices (see below for details). Windows 8 and Microsoft Surface Pro devices are classified as fully

managed PC devices, on which Windows Intune management and Endpoint Protection agents are

installed. With the addition of these new clients, and the new capabilities of System Center

Configuration Manager SP1, the management capabilities of the unified solution provides one of the

6

most comprehensive range of clients supported in the industry. As a result, you’ll be better equipped to

manage the needs of a Bring Your Own Device (BYOD) infrastructure.

Understanding Mobile Device Management In this release of Windows Intune a new direct management capability provides the Mobile Device

Management (MDM) features to Windows RT, Windows Phone 8, and iOS devices. Modern devices no

longer require an Exchange ActiveSync (EAS) connection in place to support the MDM solution. Instead,

end users can enroll devices to the Windows Intune service and the built-in management services of

these mobile devices directly provide the capabilities to manage the device. There is no need to

compromise security on the device or install unsupported third-party agents.

Windows RT and Windows Phone 8 devices include a Company Apps setting that the user can employ to

initiate the device enrollment process. Figure 4 shows this option listed in the Windows RT Company

Apps enrollment screen.

This enrollment process identifies the device to the Windows Intune management service and

establishes a trusted communication channel by using a security certificate on the device. After this

enrollment has occurred, Windows Intune can manage the device and the user can install the Company

portal app that provides the user with a view of the available corporate applications.

FIGURE 4: WINDOWS RT COMPANY APPS SETTING

Note: If a user tries to install the Company portal app before they have enrolled the device they will be

notified that they need to enroll the device before they can complete the Company portal installation.

7

After the user has enrolled the device, Windows Intune applies the organization’s mobile device policies

and reports detailed inventory information back to the management service.

While direct management is the recommended management solution, both Windows Intune

configurations still fully supports EAS-based settings. If your organization wishes to keep EAS for

Exchange connected devices, the recommended approach is to apply EAS settings through Configuration

Manager to manage all mobile devices in the same management console. In the cloud configuration you

can manage EAS-connected devices by using the Windows Intune Exchange connector. This option is the

recommended method for older smartphone platforms such as Windows Phone 7 and Android-based

devices. It can also be useful to help discover devices that have not enrolled with the Windows Intune

service directly.

The following table lists the supported operating systems for each of these device types*:

Mobile Device Operating System MDM Method

Microsoft Surface Windows RT Direct

Windows RT Windows RT Direct Windows Phone 8 8.0 Direct

Windows Phone 7 7.0 or later EAS

iPad and iPad2, iPhones, iPod Touch iOS 4.0 or later Direct

Android-based phones and mobile devices Android 2.1 or later EAS

* The full list of supported features depends on the capabilities of the mobile device.

If your organization has standardized on EAS for configuring your current mobiles devices, you can

continue to do so with for newer devices through EAS. In this case, Windows Intune integrates both with

EAS and direct management so that you can use whatever solution best meets your organization’s

needs.

*Note: Microsoft Surface devices are classed as Mobile devices and Microsoft Surface Pro devices are fully managed PC devices.

8

Customizing the Company Portal Application In the previous release of Windows Intune, administrators accessed company applications, device

management and IT support features through an online Web portal. In this new release, Windows 8 can

access these features through a new self-service Portal (SSP) Windows 8 application. Figure 5 shows

how this portal looks to a user connected to the service from within Windows 8.

FIGURE 5: WINDOWS INTUNE WINDOWS 8 COMPANY APP

The SSP application provides a feature-rich, touch-optimized user experience that can speed access to IT

published applications, provides direct links to IT approved Windows Store applications, and can also

include links to web-based applications that users can access through the device’s web browser.

The final feature area of the Company Portal application focuses on providing users with customizable

information to help them contact IT support in the event that they need assistance from the company

helpdesk.

Distributing Windows 8 and Windows Phone 8 Applications Microsoft has extended the software distribution feature of Windows Intune to support both Windows

8 and Windows Phone 8 applications. As a result, you can now use the same wizard to publish your line-

9

of-business applications to Windows 8 computers, Windows RT devices, and Windows Phone 8 devices.

Figure 6 shows the updated Add Software wizard and the supported software options.

FIGURE 6: ADD SOFTWARE WIZARD

Microsoft has extended the software distribution feature of Windows Intune to support both Windows

8 and Windows Phone 8 applications. As a result, you can now use the same wizard to publish your line-

of-business applications to Windows 8 computers, Windows RT devices, and Windows Phone 8 devices.

Dynamic Group Configuration Wizard Updates The new release of Windows Intune also helps to simplify some of the Administration console tasks,

based on feedback Microsoft received from customers. An administrator can create dynamic groups for

users based on security group membership or on values in Active Directory properties, such as people

managed by the same person. To make this process easier, the Groups wizard has been streamlined to

enables you to include and exclude objects in the same view. Figure 7 shows how this new arrangement

works.

10

FIGURE 7 NEW GROUP CREATION WIZARD

In the Criteria Membership screen in Figure 7, if the Start group membership with field has the value

Empty group, then you can browse for members of security groups or members that have the same

managers. If you select All Users in the Parent group option, this new group inherits members from the

parent group and you can then use the Exclude members’ options to adjust membership based on

security groups or managers.

Updating Endpoint Protection Policy Finally, we have extended the control an administrator has over the Windows Intune Endpoint

Protection agent installation process. In this release, administrators can get more control over how the

Windows Intune Endpoint Protection agents and user interface behave. Figure 8 shows these new

Endpoint protection policy controls.

11

FIGURE 8 NEW ENDPOINT PROTECTION POLICY CONTROLS

With these new controls, administrators can disable the Windows Intune Endpoint Protection user

interface all together, so that the computer is protected but the agent does not allow the user to

interact with the application. In this situation the administrator manages all the Endpoint Protection

configuration settings through the Windows Intune Agent Settings policy settings.

Summary With this release, Windows Intune significantly extends the reach of its management solution and

enhances existing features through the following changes:

Unified management with Microsoft System Center 2012 Configuration Manager with SP1

More flexible user licensing options

Windows 8 support

Windows RT and Windows Phone 8 device management

Enhanced iOS direct device management

Support for Windows 8 applications publishing

Improved Dynamic Group creation wizard

Enhanced Endpoint protection policy

Many other improvements have been made to enhance the overall speed, scalability, and performance

of the service. As a result, you’ll get a flexible and integrated management environment for all your

devices.

To sign up for a trial of this release of Windows Intune, sign up at the Windows Intune website at:

http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy.aspx

12

Finally, if you are interested in some of the other features included in System Center 2012 Configuration

Manager with SP1 see What’s New in Configuration Manager SP1 on TechNet library at:

http://technet.microsoft.com/en-us/library/jj591552.aspx

Resources: Windows Intune website: http://www.windowsintune.com

Windows Intune Online Help: http://onlinehelp.microsoft.com/en-us/windowsintune.latest

Windows Intune TechNet: http://technet.microsoft.com/windows/intune

Windows Intune Team Blog: http://blogs.technet.com/b/windowsintune/

Some information relates to pre-released product and services which may be substantially modified before it’s commercially

released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Some products and

services are not available in all languages or in all countries or regions and may be taken from the English version of prerelease

software. Some features and functionality may require use of the Windows Intune service and System Center 2012 Configuration

Manager SP1.

© 2012 Microsoft Corporation