Azure Bastion For Secure SSH/RDP in Preview

Microsoft has announced a new preview of a platform-based jumpbox called Azure Bastion for providing secure RDP or SSH connections to virtual machines running or hosted in Azure.

Secure Remote Connections

Most people that are using The Cloud are using virtual machines, and one of the great challenges for them is secure remote access. You need RDP or SSH to be able to run these machines in the real world.

Remember: for 99.9% of customers, servers are not cattle, they are sacred cows.

Just opening up RDP or SSH straight through a public IP address is bad – hopefully you have an NSG in place, but even that’s bad. If you enable Standard Tier Security Center, the alerts will let you know how bad pretty quickly. And if the recent scare about the RDP vulnerability didn’t wake you up to this, then maybe you deserve to have someone else’s bot farm or a bitcoin mine running in your network.

There are ways that you can secure things, but they all have the pluses and minuses.


The real reason that we have point-to-site VPN in Azure virtual network gateway was as an admin entry point to the virtual network.

The clue is in the maximum number of simultaneous connections which is 128, way too low to consider as an end user solution for a Fortune 1000, who Microsoft really do their planning for.

If you have supported end user VPN then you know that it’s right up there with password resets for helpdesk ticket numbers, even with IT people like developers. Don’t go here – it won’t end well.

Just-in-Time VM Access

JIT VM Access is a feature of Security Center Standard Tier. It modifies your NSG rules to deny managed protocols such as RDP/SSH (the deny rules are stupidly made as low priority so they don’t override any allow rules!).

When you need to remote onto a VM, an NSG rule is added for a managed amount of time to allow remote access via the selected protocol from a specific source IP address.

So, if it’s all set up right, you deny remote access to virtual machines most of the time. But you will open direct access. And the way JIT VM Access manages the rules now is wonky, so I would not trust it.

An RDP Jumpbox

This is an old method – a single virtual machine, or maybe a few of them, are made available for direct access. They are isolated into a dedicated subnet. You remote into a jumpbox, and from there, you remote into one of your application/data virtual machines.

Unfortunately, it’s still straight RDP/SSH into a machine that is directly accessible on the Internet. So in the remoting protocol vulnerability scenario, you are still vulnerable at the application layer. You could combine JIT VM Access, but now normal daily operations are going to be a drag and I guarantee you that people will invest time to undermine network security. Also, you are limited to 2 RDS connections per jumpbox without investing in a larger RDS (machines + licensing) solution.


This one is relatively new to me. At first it looked awesome. It’s a HTTPS-based service that allows you to proxy into Linux or Windows virtual machines via RDP or SSH.

All looked good until you started running Windows Server 2016 or later in your virtual machines and you needed NLA for secure connections via RDP. Then it all fell apart. The solution requires you to either disable NLA in the guest OS (boo!) or to hard code a username/password with local logon rights for your guest OS’s into the Guacamole server (double-boo!).

Azure Bastion

In case you don’t know this, a bastion host is another name for a jumpbox – an isolated machine that you bounce through. In this case, Bastion is a service that is accessible via the Azure Portal. You sign into the portal, click Connect and use the Bastion service to connect to a Linux or Windows virtual machine via SSH/RDP in the Portal. The virtual machine does not require a public IP address or a “NAT rule”, but it’s still SSH/RDP.

Azure Bastion

On the downside:

  • There’s no multi-factor authentication (MFA)
  • It requires that you sign into the Azure Portal – many people running in the guest OS might not even have those rights!
  • VNet peering is not supported – so larger enterprises are ruled out here … no one in their right mind will deploy 500 bastion hosts (one per VNet) in a large enterprise.

Microsoft did say that these things will be worked on, but when? After GA, which based on the time of year I guess will be just before/after Ignite in early November?

In my opinion, Bastion is the right idea, but more of the backlog should have been included in the minimal viable product.

A Gateway to a Better Solution

If you are a Citrix or a RDS person then you’ve been screaming for the last 5 minutes. Because you’ve been using something for years that most people still don’t know is possible. Both Citrix and RDS have the concept of an SSL gateway.

In the case of RDS, we can deploy one or more (load balanced) Windows Server virtual machines with the RDS Gateway role. If we combine that with NPS and Azure AD, we can also add MFA. With a simple tweak to the Remote Desktop Connection client (MSTSC.EXE), we can RDP to a Windows machine behind the RDS Gateway. The connection from the client to the gateway is pre-authenticated, x.509 certificate protected, HTTPS traffic encapsulating the RDP stream. That connection terminates at the RDS Gateway and then forwards as RDS to the desired Windows Server virtual machine behind it.

Unlike the previous jumpbox solution:

  • This can be a low-end machine, such as a B-Series.
  • It can scale out using a load balancer
  • Many people can relay through a single jumpbox machine.
  • You won’t need RDS licensing at all, not even to scale out to more than 2 users per gateway machine.

So – there’s no SSH here. So Linux is a problem.


We don’t really have a complete solution right now. Azure Bastion probably will be the best one in the long-run, but it has so many missing features that I couldn’t consider it now. For Windows, an RDS Gateway is probably best, and for Linux, a Guacamole server might be best.

What do you think?

The Genuine Need for Disaster Recovery In Ireland/EU

How many times have you watched or read the news, saw some story about an earthquake, hurricane, typhoon, or some other disaster and think “that will never happen here”? Stop kidding yourself; disasters can happen almost everywhere.

I’ve always considered Ireland to be relatively safe. We don’t have (anything you’d notice) earthquakes, typhoons, or tornadoes; our cattle and sheep don’t need flying licenses. Our weather is dominated by the gulf stream, keep Ireland temperate. It doesn’t get hot here (we are quite northerly) and our winters consist of cloud, rain, and normally about half a day of snow. We get the tail end of some of those hurricanes that hit the east coast US, but there’s not much left by the time they reach us – some trees get knocked over, some tiles knocked on our roofs, but it’s not too bad. Even when we look at our neighbours in England, we see how their more extreme climate causes them disasters that we don’t get. Natural disasters just don’t happen here. Or do they?

The last month or so has revealed that to be a lie. Ireland has been battered by 6 storms in the past month. The latest, Storm Frank, was preceded with warnings that the country was saturated. That means that the ground has absorbed all of the water that it can; any further rainfall will not be absorbed, and it will pool, flow, and flood.

This morning, I woke to these scenes:


Enniscorthy, Co. Wexford [Image source: Paddy Banville]

Embedded image permalink

Graignamanagh, Co. Kilkenny [Image source: Graignamanagh G.A.A]


Middleton, Co. Cork [Image source: Fiona Donnelly]

Frank isn’t finished. It’s still blowing outside my office and more rain is sure to fall. There are stories of communities being evacuated to hotels, and the above photos are just the easy ones for the media to access.

This isn’t just a case of cows trapped in fields, stick a sandbag on it and you’re sorted, or somewhere far away. This is local. And Ireland is a relatively safe place – we’re not Oklahoma, a place that some deity has decided should be subject to cat 5 tornadoes every time you’re not looking. Dorothy, the point is, that disasters happen everywhere, including in the EU where we think it safe.

Let’s bring this back to business. Businesses have been put out of action by these floods. Odds are any computers or servers were either on the ground floor or in the basement. Those machines are dead. That means those businesses are dead. They might be lucky enough to have tapes (let’s leave that for another time) stored offsite but how reliable are they and will bare-metal restore work, or will it take forever? How much money will those businesses lose, or more critically, will those businesses survive loss of customers?

This is exactly why these businesses need a disaster recovery (DR) solution. There are several reasons why they don’t have one now:

  • Fires and other unnatural disasters happen everywhere
  • They couldn’t afford one
  • The business owners didn’t think there was a need for one
  • Some resellers didn’t think there was demand for one so they never brought it up with their customers

The need is there, as we can clearly see above. And thanks to Microsoft Azure, DR has never been so affordable. FYI, it comes in at a price that is a small fraction of the cost of solutions from the likes of Irish companies such as KeepITSafe – I’ve done the competitive pricing – and it opens that customer up to more technical opportunities with hybrid cloud solutions.

Microsoft Azure Site Recovery Services (ASR) is a disaster recovery-as-a-service (DRaaS) or cloud DR site offering from Microsoft. The beauty of it is that it’s there for everyone from the small business to the large enterprise. It works with Hyper-V, vSphere or physical machines, and it works with Windows or Linux as long as the OS is supported by Azure (W2008 R2 or later on the Windows side).

Note: There is a cost overhead for vSphere or physical machines to allow for on-premises conversion and forward and in-cloud management and storage, so you need a certain scale to absorb that cost. This is why I describe ASR as being perfect for SMEs with Hyper-V and mid-large companies with Hyper-V, vSphere or physical machines.

If I had ASR in place, and I has a business on the quayside in Cork, near the Slaney in Enniscorthy, or anywhere else where the rivers were close to bursting the banks then I would perform a planned failover, requiring about 2 minutes of my time to started a pre-engineered and tested one-click failover. My machines would shut down in the desired order, flush the last bit of replication to Azure, and start up the VMs in the desired order in Azure, and my machines and data would be safe. I can failback to new equipment or stay in Azure if the disaster wipes out my servers. And if that disaster doesn’t happen, I can easily failback to new equipment, or choose to stay in Azure and not worry about local floods again.

Technorati Tags: ,,,,,

Windows 10 Is The Next Version of Windows

There’s no Windows 9. It’s called Windows 10. I know there’s got to be a story behind this, probably one that we’ll never here, and probably related to a change in management, and possibly direction.


Thank frak they did not call it “Windows” or “Windows One”, both of which were teased during the event.

You can see a video of Windows 10 in action here:

Not much was shown that we didn’t already know about. This is a very early build. I think this in conjunction with the skip of Windows 9, suggests to me that there was a re-planning quite late in the process.

The technical preview (a very early build) is out tomorrow (Oct 1st). Join the Windows Insiders program to get your hands on this, probably unstable and frequently updated, build and contribute feedback.

The goal of this build is to show that Windows 7 users can move to Windows 10, like moving from a Prius to a Tesla without re-learning to drive.

The only mention of Windows Server Threhsold was that the preview will be out after the release of the Windows 10 preview.

On the schedule of Windows 10:

  • Tech preview on Oct 1st
  • Consumer preview in early 2015
  • GA in mid-late 2015 … further convincing me that there was a re-start on planning because we originally thought RTM would be around April 2015

Joe Belfiore will be one of the keynote speakers at TechEd Europe. I think we’ll hear much more then regarding enterprise features.



Microsoft released a recording of today’s event. Why oh why could they live stream this over Azure if they were going to even bother having cameras there?


Another video was released, showing the concept of Continuum, the adaptive UI experience for convertible devices.

Windows “Threshold” (9) Press Conference Today – And I’m Concerned

Today in San Francisco, Microsoft is doing their first official unveiling of Windows codename Threshold, otherwise known as Windows 9 or Windows vNext.

Supposedly, this event was to be the enterprise unveiling. Enterprise customers are an important market for Microsoft; that’s because business decision makers have opted to upgrade from Windows XP to Windows 7, and not Windows 8/8.1, effectively choosing to make Windows 7 the next XP – a legacy OS that will exit mainstream support next year. Microsoft supposedly wants enterprises to try Windows Threshold early, and submit feedback, so that, supposedly, Microsoft will engineer the product based on feedback.

I used a lot of “supposedly’s” there, didn’t I? If I wanted to get enterprise customers interested then I would stream the unveiling live on the Internet, and not have a private press event where most of the invitees haven’t the foggiest about what enterprise customers want. It just does not make sense to me.

I wonder what value the event really has. It’s not a launch – that will likely be TechEd Europe on October 28th. The preview is not out until October. Don’t expect to hear a whisper of Windows Server or System Center for another month and a half. And come tonight, I doubt we’ll hear about anything in the Windows client OS that we do not already know – a lot of the GUI features were leaked months ago. I wonder if this event is actually Microsoft’s attempt to take control of the messaging.

There are two remaining questions:

  • Will this be a free upgrade? Enterprise customers usually have software assurance so that’s irrelevant to them. That’s more of a question for SMEs and consumers. Today is allegedly all about enterprises so I doubt we’ll hear anything.
  • What will they call it? Anything other than Windows 9 is a failure. It is rumoured that Windows Threshold will be the start of a more rapid release program, like you get with mobile devices. For enterprises: that would be hellish. Nice for consumers. It is also rumoured that Microsoft will simply call it “Windows”. Dumb! Dumb! Dumb! How is an enterprise to support something that changes frequently and has no obvious version number?

I really hope a lot of these rumours are wrong. Otherwise we’ll be contemplating Windows burning while Nadella plays his “cloud first, mobile first” fiddle.

We’ll be watching the tweets of Mary Jo Foley & Paul Thurrott, and the live blog on the Verge to find out what’s been discussed in San Francisco later this afternoon.

New Microsoft Arc Touch Bluetooth Mouse

Microsoft just announced a bunch of new peripherals, including the new Arc Touch Bluetooth Mouse. I still have the original Arc mouse, which I’ve loved for the many years that I’ve had it. In case you don’t know – I really like Microsoft’s mice and keyboards, especially their substantial mice for desktop computers.

I just picked up the new Arc Touch mouse that is Bluetooth (4.0 low power) capable (working for a distributor has it’s benefits!). The fold-to-flat award-winning design is a space saver. It auto powers off the mouse, powered by 2 x AAA batteries. And it’s light. It paired straight away with my Windows 8.1 Toshiba KIRAbook, and the touch strip works nicely with the touch interface in Windows – there’s also a slightly audible scrolling noise to simulate a wheel movement with physical feedback. It’s working well on a wooden desk with no mouse mat.


Embedded image permalink

Hopefully this new Arc mouse will last me as long as the last one has!

Technorati Tags: ,

Microsoft News Summary – 16 September 2014

Windows 9 steals the headlines this morning. No; it is not out. No; you cannot download a preview yet. And yes; the person you know who says otherwise is an idiot. We know what we know – Microsoft is planning a sneak peek event for the enterprise audience on September 30th. There are no more facts than that.


  • Emulex’s crappy drivers saga goes on: They claimed they fixed the VMQ issue. It looks like they never did any tests involving Live Migration.

System Center


  • It’s Official – Microsoft to Unveil “Next Chapter” for Windows on September 30: I think Paul Thurrott was the first to report this. It will focus on the enterprise audience – the one currently sticking with Windows 7. I guess it will be no more than a show and tell. I still believe TechEd Europe is the bigger reveal, as I reported back at TechEd North America. In the meantime, ignore every rumour and “expert” that you work with or is in the general media.


  • Azure Websites Virtual Network Integration: This is big – Azure Websites is happy to announce support for integration between your Azure VNET and your Azure Websites. Now you can integrate your websites with your VMs – in preview and only for Standard websites with up to 1 VNet connected.
  • How to host a Scalable and Optimized WordPress for Azure in minutes: Deploy the new instance from the preview portal, and be able to scale WordPress out to meet demand. Very nice solution – I could have used that for this site!
  • Azure Active Directory Basic is now GA: Azure AD Basic is now available for purchase through the volume-licensing channel – if like Premium then it will only be available through large enterprise VL programs, i.e. not Open, etc, but I don’t think SMEs want this feature, although they would like Azure RMS.





Microsoft News Summary – 12 September 2014

The big news yesterday was the leaking of screenshots of Windows “Threshold” (9). Most of them were more of the same, but we saw confirmation of some recently rumoured changes.


System Center Operations Manager

System Center Data Protection Manager


  • StorSimple Snapshot Manager: StorSimple Snapshot Manager is a Microsoft Management Console (MMC) snap-in that simplifies data protection and backup management in a Microsoft Azure StorSimple environment. You can use StorSimple Snapshot Manager to configure backup schedules and retention policies, generate on-demand backups, and clone or restore volumes.
  • The Microsoft Azure Sales Strategy for Small and Medium Enterprises: An article by me on
  • Announcing Long Term Retention for Azure Backup: Previously, we had announced long term retention for cloud backups from DPM. With this month’s release of the Azure Backup service, we are extending that capability to cloud backups from all currently supported SKUs of Windows Server and Windows Server Essentials.
  • Getting started with Azure Backup: It’s nice and easy, but resellers really could use a central portal.


Retaining my backup of PowerShell scripts for 9 years!

Windows Intune

  • Intune to support iOS 8 on Day 0: Next week iOS 8 will be released to the public, and the Windows Intune service will be ready on Day 0 to manage devices on this new version of the platform. With Managed Domains, enterprise data will be tracked from its source, which will allow management systems to better separate corporate from personal data. Document Extensions will provide significant interaction between applications, introducing new extensibility opportunities that iOS hasn’t had previously.
  • Day Zero Support for iOS 8 with Intune: Earlier this week Apple released iOS 8 to developers (public release on 9/17), and the Windows Intune service is ready to support your use of it.
  • Data sent to and from Windows Intune and System Center 2012 R2 Configuration Manager: As a Windows Intune customer, you have entrusted Microsoft to help protect your data. Microsoft values this trust, and the privacy and security of your data is one of our top concerns.

Office 365

  • Microsoft withdrew KB2889866 from Windows Update: "We are investigating an issue that is affecting the September 2014 update for Microsoft OneDrive for Business. Therefore, we have removed the update from availability for now. We apologize for any inconvenience that this might cause." < You wouldn’t care if you followed my "wait 1 month before approving updates" advice.
  • Office 365 Certificate Update Will Affect Some Exchange Deployments: On Sept. 23, 2014, Microsoft is planning a certificate change to the Microsoft Federation Gateway. Organizations that have hybrid networks combining Office 365 services with Exchange Server or that use the Microsoft Federation Gateway to establish trust relationships need to set up a certificate update process before the Sept. 23 deadline to "avoid any disruption" in service, according to Microsoft’s Wednesday announcement.


  • Azure Rights Management Administration Tool: Azure Rights Management Administration Tool installs the Windows PowerShell module for Azure Rights Management. Azure Rights Management provides the ability to enable the use of digital rights management technology in organizations that subscribe to the Office 365 services.


  • Microsoft stock hits highest price since 1999: With that in mind, Microsoft’s stock has hit a 52-week high today (Sept 6th), coming in at $45.93 at the time of closing, suggesting that Wall Street appears to approve of new CEO Satya Nadella’s direction for the company. FYI – the stock is now at $47.
  • Forget Conventional Wisdom, Microsoft (MSFT) Is A Growth Stock Again: Microsoft sales are growing at an annualized rate of over 25 percent again and the stock is up over 30 percent in the ensuing 7 months, well over double the increase in the broader market during that time.
  • (UK Government, William) Hague reassures MPs of data safety in Microsoft’s Dublin Data Centre: William Hague, the leader of the House of Commons, said there is nothing to fear after an MP said he was concerned about the security of parliamentary data stored on Microsoft’s Cloud-based servers in Europe. Billy-boy should read the news more, as one of his colleagues points out. This is exactly why Microsoft is fighting the US government on foreign-located data access.

Microsoft News Summary – 18 August 2014

The big news this morning is that Microsoft has had to withdraw 4 of last weeks automatic updates. But in other news:

Back To School 2015 – Windows 9

The company I work for is a distributor. We sell Microsoft licensing (retail, OEM, volume licensing), retail and business laptops, Apple, and much more. Every summer I see how busy our Apple sales folks get. Back-to-school is a huge season for them and Apple recognises this by getting product out in time for the shopping spree.

Meanwhile, Microsoft has been doing general availability releases in October, completely missing the season when parents go spend crazy on their precious darlings. Microsoft has effectively halved their seasons by only catching Christmas. Apple gets both the summer buzz and the winter holidays. Sure, Microsoft has gotten lots of biz from €400 laptops in this season, but we know how much that market has been shrinking thanks to the constant IDC headlines.

We know now that “Windows 9” (codename “threshold”) is coming out in April 2015 (or thereabouts). I suspect that is an RTM date. GA will probably be the end of May or start of June. That’s a good thing.

The releases of Windows 8 and Windows 8.1 have shown us that the interval between RTM and GA is not enough for OEMs to get product out onto shelves. We’ve seen October GAs and previously announced stuff has taken 4-6 months to appear in the retail channel where customers can buy it. I suspect there are two factors in the delay:

  • OEMs are slow to build and ship
  • Retailers are focusing on clearing old stock before ordering next generation stock

For Microsoft and the willing consumer that is a lose-lose perfect storm.

With GA possibly in June, that gives the channel a chance to get stock out in the market by August, the sweet spot in the back-to-school market, and even longer for products to mature for the Christmas shopping season (November onwards).

If this is what happens then I would hope that Microsoft sticks to April RTM dates.

Technorati Tags: ,

Changes Coming To Windows Intune (And The Market)

Windows Intune is Microsoft’s client device management system that is run from the cloud. That means that you don’t install a management server; you log into a portal, install agents on a client device, and manage those devices from that portal. 

The Competition

Intune competes against products such as Kaseya and Level Platforms. Intune was very late to the market versus these products. And admittedly, these products have huge market penetration and more functionality. They recognised that their target market was the small/medium enterprise (SME). A savvy product manager understands that most SMEs don’t normally have an IT department; anything beyond a password reset is usually (not always) done by a service provider (selling managed IT services). Kaseya and Level Platforms figured that out, and they sell a partner driven product, allowing white labelling, partner invoicing, centralised management, etc.

In Ireland, I’d guess that a big majority of service providers are using one of these two products to manage PCs and servers on their client sites.

Windows Intune – The Past

Windows Intune was released about 2 years ago (exact date isn’t important). As a nerd, I was interested. I saw the potential for partners to use it, and I saw the potential for large businesses to use Intune for mobile workers and small branch offices (retail POS devices).

Microsoft partners evaluated Intune. Unfortunately they found it lacking:

  • Less functionality than Kaseya or Level Platforms
  • No server management functionality – SMEs have servers too! 

But the real kicker, as I covered back in March 2011, was the price (I got some heat for that blog post from a certain devices and services company):

  • Microsoft really screwed the pooch by overpricing non-USA markets for the same cloud-based service. Eurozone markets were charged 40% more than USA customers at that time. That was moronic.
  • Bundling Software Assurance in the deal drove the price up to $11 per device. Meanwhile, the competition was around half the price.

Imagine trying to promote or sell a product that is twice the price of the competition, and has less functionality than that same competition, and the competition already has huge market penetration. And that’s why Windows Intune barely made any sales at all … anywhere on the planet.

The Shifting Sands

While Intune, Kaseya, Level Platforms are aimed at everywhere from the SME to Fortune 500, their core market is the SME. In Ireland, most of our companies are SMEs. Sure. we’re a small country of 4 million people, but it’s the same in Germany, the UK, France, Australia, Canada, and the USA. There are only so many CitiGroups, Koch Brothers, etc.

In Ireland:

  • 20% of servers are sold to companies with fewer than 100 employees
  • 75% of <25 user businesses (and there’s lots of them) don’t own a server – their primary IT cares are networking, file/print, and email
  • 55%-60% of SBS servers are estimated to be of the 2003 generation

Fact: there is no more SBS. Microsoft isn’t making a Windows Server that is a DC, Exchange server, file/print, and Sharepoint server for that market any more. The solution for that market is “the new Office”, i.e. subscriptions of Offce365 with Office 2013 included in the package (Office Web Apps, Click-to-Run, or temporary run anywhere). If you want, you can sell a Microserver to that 75% of <25 user companies with Windows Server 2012 Essentials to give them:

  • A domain controller with Group Policy
  • Cheap bulk storage in the office
  • Integration with Office365

Microsoft partners have been hearing the story about Office in the cloud since BPOS back in 2008 (or thereabouts – not that important). The majority of partners had no interest: Microsoft was direct invoicing the customer and that stole the customer relationship from the partner. Office365 just did not have market penetration with the market that mattered: the Microsoft partner. They’re the guys that advise, design, and implement IT for the SME. Microsoft screwed the pooch again (that’s one sore pooch!).

Microsoft got the same feedback the world over:

  • Change Office365 licensing so partners can resell it and they’ll be interested
  • Halve the price of Windows Intune (remove the SA obligation) and you might have a fighting chance

As of February 2013, partners will be able to resell Office 365 (with Office 2013 included) via the Open program to customers. That is a huge deal. The subscription price will also include leased Office 2013 that is installed and managed from the cloud; that means the customer gets more bang from their buck:

  • Office 2013: regularly updated from the cloud
  • Email
  • Collaboration via SharePoint (and a new app store)
  • Lync for presence, meetings, and online events
  • Plus whatever MSFT decides to add to the package

That means the role of the server in the smaller SME fades, maybe even disappears. Note: some SMEs will always need local storage, Group Policy, and/or LOB apps that can’t be cloud based, but this is not a back versus white world; it’s all shades of grey.  Maybe the server management functionality of Kaseya and Level Platforms isn’t as necessary any more!

The New Windows Intune

The current version of Windows Intune (sometimes called v3) added the ability to manage mobile devices running Android and iOS (iPhones and iPads). That includes policies and software distribution:

  • The ability to link to apps in the platform’s app store, which is included in all mobile device management products
  • App sideloading, which allows you to install an app onto a device without using an app store or jailbreaking

The management stuff is good. The app store stuff is very good for larger enterprises that could afford to get custom apps developed for mobile devices, but that just a flashy unrealistic demo for the SME.

v4 of Windows Intune is on the way, as Mary Jo Foley reported yesterday. It will be continuing support for mobile devices (including Windows Phone), and adding Windows 8/RT support too. But here’s the big news: Windows Intune pricing is changing (and in a good way).  There will be two SKUs:


Some notes:

  • Microsoft did not screw the pooch (that lucky puppy!) on the non-USA pricing, e.g. they recognized that $6 is not €6!
  • You can purchase Windows Intune without SA (no Windows 7/8 Enterprise) and still get your free managed Antivirus in the form of Endpoint Protection. The price is $6 or €4.89 per user.
  • You can choose to buy the SA SKU to lease Windows 8 Enterprise and it’s extra features
  • You can also choose to add on MDOP (not shown) if you subscribe to the SA option

€4.89 ($6) per user per month for client device management with managed antivirus. But here’s the nice bit: The likes of Forrester says that the modern worker can have up to 5 smart devices. The per user licensing of Windows Intune covers 5 devices!  Let’s compare:

Let’s say you were a Windows Intune v2 user with a PC and laptop. Your cost was €11 per device per month. Your total price is €22. With the new pricing, you are charged €4.89 per user and you can have up to 5 devices, including PCs, laptops, tablets, and smartphones.  You just saved €17.11 per month.  Nice!

BTW, Windows Intune has always allowed partners to subscribe on behalf of customers. The idea here is that you sell a managed service and include the price of the management into your service charge.  You will be able to buy on behalf and cross charge for both Windows Intune and Office365 for your managed SME customers.

What the SME Will Look Like

For the SME, the Microsoft solution is cloud-centric and looks like this:


Everything is cloud connected. Cloud-based management is perfect for mobile devices (tablets on the move, smartphones not on the network, and roaming/home users). Traditional on-site management such as LanDesk or System Center Configuration Manager aren’t really that good for those mobile devices because those management solutions are designed for the WAN, not for the Internet.

Office 365 has the same benefit: the SME with less than 25 users doesn’t want a server with 12+ GB of RAM to run SBS. Sell them Office365 and give them the same basic tools and mobility that a Fortune 500 has. No matter where they go or work, they’ll always have access to their data and communication/collaboration tools.

The managed service provider wins too:

  • They resell the solutions to their customers, offering a superior experience. The clever providers do more than just deploy; they add value, finding a unique selling point (USP) that keeps the customer coming back to them. You’ll go out of business if you rely on installing Office for a living.
  • They can manage customer infrastructure remotely: RemoteAssist via Windows Intune gets you onto customer devices, Windows Intune can install software remotely, Office365 puts critical services in the cloud that can be managed from a web browser.

What the Medium/Large Company Will Look Like

Here we’re talking about the bigger company with more complexity:


So here we see a bit of “best of both worlds”. System Center is used to deploy and manage the internal infrastructure and services on Hyper-V/private cloud. PCs and laptops on the corporate WAN are managed by System Center too.

Windows Intune is used to manage:

  • Mobile devices not on the corporate WAN
  • BYOD (laptops, tablets, phones) machines that are brought into the office and might sit on some isolated wireless networks with firewalled access to applications in the corporate WAN.
  • Devices in small branch offices, that might otherwise be too complicated to manage in System Center

With SP1, System Center 2012 can integrate with Windows Intune to give IT a single console for device management.  That unification of infrastructure is one of the goals of System Center 2012, enabling easier administration (another goal).  In this design, System Center 2012 SP1 Configuration Manager will deploy software to, patch, and provide AV for the following on the corporate WAN:

  • Windows 8/RT, and older
  • Mac OS
  • Linux
  • Windows Servers too – never forget them!

Windows Intune will manage the following mobile devices from the cloud:

  • Windows 8/RT and older tablets, PCs, and laptops
  • Android phones and tablets
  • iOS iPhones and iPads

Office can reside in both the private cloud/internal infrastructure and in the cloud via Office365.

So there you go, Windows Intune will be:

  • Cheaper
  • Be the solution for BYOD, mobile devices, home workers, and small branch offices
  • Reflect the changing nature of large enterprises with mobility and BYOD
  • Reflect the changing nature of SMEs that are moving to the cloud
  • A much more interesting solution for managed service providers, such as Microsoft partners working in the SME space