Microsoft’s Windows Intune is a great tool for securing workstations and laptops for businesses and even consumers. Intune allows the administrator to push security policies and security settings down to machines running its agent. However, comparing Windows Intune to AD Group Policy shows that Intune is not a Group Policy replacement. First, Windows Intune is not intended to replace Group Policy; second, its target group of customers is most likely not using Group Policy to configure systems.
Windows Intune provides a simple way to manage many of the day-to-day PC housekeeping tasks that would otherwise go unattended in certain environments. Small to mid-size businesses usually do not have dedicated IT staff or, if they do employ an IT person, that staff member is usually busy with many other things and system security is often way down the list of priorities. That is where Windows Intune shines, because it is easy to configure and does not require much attention once it is up and running. The administrator logs into the admin console and immediately sees alerts and issues related to the machines that are being monitored and secured via Windows Intune.

Active Directory’s Group Policy feature is aimed more at larger environments, as it allows very granular and detailed configuration of workstations and laptops. Windows Intune does not go into that level of detail at this point. When AD Group Policy and Windows Intune meet in the same environment, Group Policy takes higher priority and will set the standards.
There is a lot of management functionality in Intune that is not available in AD Group Policy (that’s where larger environments would use Microsoft System Center Configuration Manager). Administrators can push out system updates and Service Packs to client machines on a pre-defined schedule or manually at any given time. They can also set security policies (as discussed), deploy endpoint and firewall settings, view critical alerts, and create and export reports. Windows Intune even lets administrators check the installed software inventory and licensing information of managed PCs. Admins can upload volume license information, match it against their licensed inventory, and correct issues.
Windows Intune does not use the Active Directory Organizational Unit structure if deployed in such an environment. Instead, administrators will want to create groups and organize machines that way. Group Policy, on the other hand, makes heavy use of OUs in Active Directory. In general, this shows that Windows Intune is not really targeted at larger customers with thousands of seats, but more at small and mid-sized businesses. As there is no minimum requirement, Windows Intune can be used from single-workstation environments all the way up to 20,000 seats per account. I am sure Microsoft will raise this level beyond 20,000 soon, but I personally think that they will further improve the product with more features before doing so.