windows intune getting started guide
Contents
Windows Intune June 2012 Release Getting Started Guide
Configure Your Windows Intune Environment
  Signing up for Windows Intune
    Already Subscribing to Windows Intune?
    New to Windows Intune?
    Already using Active Directory Domain Services and Exchange Server?
  Features and Benefits of Windows Intune
  Client Software and Hardware Requirements
  Supported Browsers for Administrators and Users
  New and Enhanced Web-Based Tools for Administrators
    Getting Started with the Windows Intune Account Portal
    Getting Started with the Windows Intune Administrator Console
  Web-Based Portals to Provide Self-Service Capabilities for Users
    Getting Started with the Windows Intune Company Portal
    Getting Started with the Windows Intune Mobile Company Portal
  Administrator Roles
  Partners with Delegating Administration
    Partners managing customers on the Windows Intune October 2011 release
    Delegated Administration Partners for the Windows Intune June 2012 release
  Setting up Policies in the Windows Intune Administrator Console
  Next Steps
  See Also
Add Computers, Users, and Mobile Devices to Windows Intune
  Planning for Endpoint Protection and Managed Computer Bandwidth Usage
  Adding Computers to Windows Intune
  Adding Windows Intune to Deployment Images
  Adding Users and Security Groups to Windows Intune
  Mobile Device Support
  User-to-Device Linking
  Enhancements to Groups
    Planning Considerations for Creating Groups
    Creating Device Groups to Organize Computers
    Creating User Groups to Organize Users
  Managing Updates and Automatic Approval Rules
  Setting Up Email Alert Notifications
  Next Steps
  See Also
Assess the Health of Your IT Environment and Assist End Users
  Creating Custom Reports
    Exporting an Endpoint Protection Status Report
    Using Filters to Create a Report
    Creating Software Inventory Reports
  Working with Licensed Software
  Working with Remote Assistance
  Next Steps
  See Also
Windows Intune June 2012 Release Getting Started Guide
Windows Intune is an integrated, cloud-based client management solution that provides tools,
reports, and upgrade licenses to the latest version of Windows. Windows Intune helps keep your
computers up-to-date and secure, and lets your users more securely access and install targeted
licensed software applications and perform other common tasks, from virtually anywhere.
This guide describes key concepts that can help you start learning how to get the most out of
Windows Intune. It includes step-by-step instructions to help you set up a new Windows Intune
environment and selected tasks to complete so that you can explore the range of features in
Windows Intune. It is designed to complement the following other resources:
Windows Intune Product Guide: This product guide provides detailed information about
Windows Intune. If you are not familiar with Windows Intune, you may want to review this
guide first.
What’s New in Windows Intune: This overview will help you learn about what has changed in
this release of Windows Intune. You can review this guide for an introduction to the new
features in this release of Windows Intune.
Windows Intune Online Help: The online Help provides step-by-step procedures,
comprehensive guidance, best practices, and checklists. Topics address planning and
implementing your Windows Intune deployment; distributing licensed software; using
Windows Intune to help secure your computers, mobile devices, and data; working with
Windows Intune reports; and monitoring, alerting, and troubleshooting Windows Intune.
We recommend that you review the online Help for additional guidance, after you have
reviewed this guide.
To illustrate the guidelines and recommendations in this guide, sample screenshots taken from
demonstration environments will help show you how to customize your Windows Intune
environment to meet your business needs.
This guide consists of the following topics:
Configure Your Windows Intune Environment
This topic will help you to:
Sign up for a Windows Intune subscription.
Learn about the key features and benefits of Windows Intune, and how you can make the
most of this release.
Understand the operating system requirements for mobile devices and client computers,
and browser requirements for the Windows Intune administrator console and Windows
Intune company portal.
Learn about new web-based administrative tools and enhancements, including support
for your connected mobile devices, such as mobile phones and tablet devices.
Understand administrator roles for Windows Intune and how to add and delegate
administrators.
Set up policies with recommended or custom settings to deploy to managed computers
or users’ mobile devices.
Add Computers, Users, and Mobile Devices to Windows Intune
This topic will help you to:
Add computers to Windows Intune by installing the Windows Intune client software on
computers that you want to manage.
Manually add users and security groups to the Windows Intune account portal, or activate
synchronized users and add them to the Windows Intune user group in the Windows
Intune account portal.
Learn how mobile devices are added to Windows Intune.
Understand user-to-device linking and link a user to a computer.
Learn about enhancements to groups in Windows Intune, which let you create user and
device groups that have dynamic membership queries; create device groups to organize
computers; and create user groups so that you can deploy mobile security policies to that
group for members’ mobile devices.
Set up automatic update approval rules to help ensure that important updates are rapidly
deployed and set an installation deadline for automatic update approvals.
Configure alert notifications to help ensure that you or other administrators receive email
notifications about the latest alerts.
Assess the Health of Your IT Environment and Assist End Users
This topic will help you to:
Create a custom report to identify computers that have pending updates, export an
Endpoint Protection status report, and use filters to create a hardware report.
Learn about the capabilities available in Windows Intune for making licensed software
available to users.
Respond to a user request for remote assistance and remote control that user’s managed
computer to provide assistance.
For more information, we recommend that you visit the Windows Intune Zone on TechNet.
Configure Your Windows Intune Environment
This topic will help you complete the following tasks:
Sign up for a Windows Intune subscription.
Learn about the key features and benefits of Windows Intune, and how you can make the
most of this release.
Understand the operating system requirements for mobile devices and client computers, and
browser requirements for the Windows Intune administrator console and Windows Intune
company portal.
Learn about new web-based administrative tools and enhancements, including support for
your connected mobile devices, such as mobile phones and tablet devices.
Understand administrator roles for Windows Intune and how to add and delegate
administrators.
Set up policies with recommended or custom settings.
Signing up for Windows Intune
When you sign up for Windows Intune, you do not need to use or create a Windows Live ID to
sign in to the service. Windows Intune is now integrated with the Windows Azure Active Directory,
the same directory service that is used by Microsoft Office 365. This change enables new
features and provides you with a more flexible way to control access to your Windows Intune
account.
If you already have a Microsoft Online Service such as Microsoft Office 365 and you sign up for
Windows Intune, we recommend that you use the user ID for your existing Microsoft Online
Service. This allows users to be shared across all your Microsoft Online Services.
If Windows Intune is the first Microsoft Online Service for your organization, when you sign up for
Windows Intune, you create a user name and a new domain name that together become the user
ID for your global administrator account. You use this user ID, with the password that you also
create, every time that you sign in to Windows Intune.
Use the following procedure to sign up for the free Windows Intune trial. The trial can be used on
up to 25 devices.
To sign up for the Windows Intune trial
1. Go to the Windows Intune Try and Buy page:
http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy.aspx, and then click the trial sign-up link.
Important
If you are using Microsoft Office 365, on the Sign up page, click the Sign in link and
sign in with the same user ID that you are using for Office 365.
If you are not using Microsoft Office 365, proceed to Step 2.
2. Select the country or region where your organization will use Windows Intune, and
then select the language that you want to use for business communications.
3. Type your first and last names and your organization name. Your first and last name
will be displayed on the Windows Intune account portal after you sign in.
4. Type the complete mailing address of your organization. Note that the email address
that you provide is where you will receive password reset information if you forget
your password and request a reset. Service, billing, and promotional information that
you choose to receive will also be sent to this email address.
5. Type a descriptive name for your new domain so that it is in the following format:
contoso.onmicrosoft.com. Click Check availability to ensure that the domain name
is available.
6. Type a user name, and then type a password. Retype the password to confirm it.
7. Type the numbers and letters that you see in the picture box. The characters are not
case-sensitive. This step confirms that a person—not an automated program—is
signing up for an account.
8. Review the service agreement, and if you agree, click I accept and continue to
complete the sign-up process.
After you sign up, you are automatically signed in to the Windows Intune account
portal as an administrator.
9. An email message that contains your account information is sent to the email
address that you provided during the sign-up process, to confirm that the account is
active. Keep this email message to refer to if you forget your user ID or the website
address where you sign in to Windows Intune.
You can click the link that is included in that email or go to the Windows Intune
administrator console at https://admin.manage.microsoft.com or the Windows Intune
account portal at https://account.manage.microsoft.com and sign in.
Already Subscribing to Windows Intune?
If you are already a Windows Intune subscriber, after your account is migrated to the new
release, you are prompted to create a new account. You have a few weeks to create this new
account. However, we recommend that you create it as soon as possible so that you can take
advantage of the new Windows Intune features.
Important
To try the new Windows Intune features before your existing Windows Intune account is
migrated to the new release, you can sign up for a new trial account for this release of
Windows Intune. If you do this, it is important that you do not try to link a new trial
account for this release of Windows Intune to the Microsoft Online domain that you want
to use in your production environment. Instead, you need to create a temporary domain
for the trial. By doing this, you can then use your preferred Microsoft Online domain when
your production account is migrated to the new release.
New to Windows Intune?
If you are new to Windows Intune, you will be prompted to create a new account when you sign
up for a new Windows Intune trial. If you already have a Microsoft Online domain, we recommend
that you use the same domain name for your Windows Intune account. If you do not have an
existing Microsoft Online domain, you can specify a new domain name that is unique to your
organization, for example:
mycompanyname.onmicrosoft.com
Where “mycompanyname” is the domain name that is unique to your organization.
Already using Active Directory Domain Services and Exchange Server?
Windows Intune now uses the same authentication mechanism as Office 365, so that you can
integrate Windows Intune with your existing Active Directory Domain Services (AD DS)
environment. As mentioned, if you are new to Windows Intune, when you sign up for a new
Windows Intune account, you need to create a user ID. After you create a user ID, you can link
that user ID with your organization’s AD DS environment. This will enable you to synchronize
existing users and security groups in AD DS with Windows Intune so that they appear in the
Windows Intune account portal.
Important
If you have an on-premises deployment of Exchange Server 2010 Service Pack 1 or
later, Windows Intune can also provide support for your users’ connected Exchange
ActiveSync-enabled mobile devices.
Features and Benefits of Windows Intune
In this release, Windows Intune enhances the functionality of its management solution and
improves existing features. The core cloud services that Windows Intune provides have been
updated to provide greater functionality and performance. If you integrate Windows Intune with
AD DS, user accounts and security groups will automatically appear in the Windows Intune
account portal through directory synchronization. This makes it easier for you to add users to
manage with Windows Intune. Finally, if you integrate Windows Intune with AD DS and on-
premises Exchange Server 2010, you can provide support for mobile devices in your
organization.
Important
To ensure that your AD DS and Exchange Server infrastructure is properly prepared for
Windows Intune, we strongly recommend that you review the Help topics mentioned in
the following list, so that you understand the additional configuration steps that may be
required.
Following are the capabilities provided by the Windows Intune core, AD DS synchronized, and
mobile device-enabled scenarios:
Core cloud services: Provides enhancements to alerts, policy, updates, and remote tasks,
and user-centric management. The new user-centric management capabilities provided by
Windows Intune include the ability to make licensed software applications available for users
to download to their computers, deploy policies to users, and let users add computers that
need to be managed by Windows Intune and remove computers that no longer need to be
managed by Windows Intune.
These capabilities require no new network or server infrastructure, and minimal computer
hardware.
AD DS synchronized: Enables user accounts and security groups to automatically appear in
the Windows Intune account portal through directory synchronization. You can then activate
users and include them as members of the Windows Intune user group, so that you can
manage them with Windows Intune.
These capabilities require AD DS synchronization. For information about how to set up AD
DS synchronization, see Active Directory Synchronization: Roadmap.
Note
If Active Directory Federation Services (AD FS) 2.0 is deployed in your environment,
users can sign in to Windows Intune by using their existing on-premises Active
Directory credentials, instead of their user ID for Microsoft Online Services. For
information about AD FS 2.0, see Prepare for Single Sign-On.
Mobile device-enabled: Windows Intune uses Microsoft Exchange ActiveSync (EAS) to
integrate users’ mobile devices with your business infrastructure, and to enforce your
organization’s mobile device access policies. With Windows Intune, you can:
Automatically discover mobile devices that access corporate data through Microsoft
Exchange Server.
Define mobile device access rules to govern which mobile devices can access Exchange
Server.
Deploy policies to users to help secure the corporate data that is stored on their mobile
devices.
Let users access and install licensed internal line-of-business software applications that
you make available to their mobile devices.
Retire mobile devices from Windows Intune and Exchange Server, or let users perform
this task.
Wipe data from mobile devices that are lost or stolen, or let users perform this task.
These capabilities require an environment with AD DS synchronization and on-premises
Exchange Server 2010 Service Pack 1 or later with Exchange ActiveSync enabled. For
information, see Connecting Windows Intune to your Exchange Server in the Windows Intune
online Help.
Client Software and Hardware Requirements
To be managed by Windows Intune, computers must have the Windows Intune client software
installed, an Internet connection, and a supported operating system. The Windows Intune client
software can be installed on both x86-based and x64-based editions of supported editions of
Windows Vista and Windows 7 operating systems, and it can be installed on x86-based editions
of Windows XP with Service Pack 3. You can install the Windows Intune client software on
computers that are running any of the following Windows operating systems:
Windows XP Professional, Service Pack (SP) 3
Windows Vista Enterprise, Ultimate, or Business editions
Windows 7 Enterprise, Ultimate, or Professional editions
For Windows 7 or Windows Vista-based computers, the Windows Intune client software has no
additional hardware requirements. However, to install the client software on Windows XP-based
computers, you should ensure that the computer has a CPU clock speed of 500 megahertz (MHz)
or faster and a minimum of 256 megabytes (MB) of RAM.
You must be a member of the local Administrators group on the computer on which you want to
install the Windows Intune client software.
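A pre-flight check that tests the client prerequisites listed above on a candidate computer before the Windows Intune client software is installed, written here as an added example rather than taken from the guide or from Microsoft. The function name Test-IntuneClientPrereqs and the report fields are this example's own; the supported editions and the Windows XP minimums (SP3, x86 only, 500 MHz, 256 MB) are the ones the guide states. The Internet check only resolves the administrator console host admin.manage.microsoft.com named in this guide, which is an assumption about what "an Internet connection" should mean here.

```powershell
# Added example, not code from the Windows Intune guide: pre-flight check of
# the client prerequisites the guide lists, run on the computer before the
# Windows Intune client software is installed. Function name and output
# fields are this example's own; thresholds are the guide's.

function Test-IntuneClientPrereqs {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $cs  = Get-WmiObject -Class Win32_ComputerSystem

    $caption = $os.Caption
    $sp      = [int]$os.ServicePackMajorVersion
    # AddressWidth reports the bitness of the running OS (32 or 64), also on XP
    $bits    = [int]$cpu.AddressWidth
    $arch    = if ($bits -eq 64) { 'x64' } else { 'x86' }

    $isXP    = $caption -like '*Windows XP Professional*'
    $isVista = $caption -like '*Windows Vista*'
    $isWin7  = $caption -like '*Windows 7*'

    # Supported editions per the guide; XP is supported only as x86 with SP3
    $osOk = (($isXP    -and ($sp -ge 3) -and ($bits -eq 32)) -or
             ($isVista -and ($caption -match 'Enterprise|Ultimate|Business')) -or
             ($isWin7  -and ($caption -match 'Enterprise|Ultimate|Professional')))

    # Hardware minimums apply to Windows XP only (500 MHz CPU, 256 MB RAM)
    $cpuMHz = [int]$cpu.MaxClockSpeed
    $ramMB  = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $hwOk   = (-not $isXP) -or (($cpuMHz -ge 500) -and ($ramMB -ge 256))

    # The installer must run as a local administrator. Under UAC this reflects
    # the current token, so run the check from an elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminOk   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Internet reachability: resolve the administrator console host named in
    # the guide. DNS resolution is a weak proxy; it does not prove HTTPS egress.
    $netOk = $false
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('admin.manage.microsoft.com')
        $netOk = ($addrs.Count -gt 0)
    } catch {
        $netOk = $false
    }

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        OperatingSystem  = $caption.Trim()
        ServicePack      = $sp
        Architecture     = $arch
        CpuMHz           = $cpuMHz
        RamMB            = $ramMB
        SupportedOS      = $osOk
        HardwareOk       = $hwOk
        LocalAdmin       = $adminOk
        InternetResolves = $netOk
        ReadyToInstall   = ($osOk -and $hwOk -and $adminOk -and $netOk)
    }
}

Test-IntuneClientPrereqs | Format-List
```

Run it from an elevated Windows PowerShell prompt; the script uses only cmdlets and .NET types present in Windows PowerShell 2.0, which is the version available for Windows XP SP3, so the same file works across all three supported operating systems.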
Windows Intune provides support for Windows Phone 7, iPhones, iPads, and Android devices.
Windows Intune does not require client software to be installed on mobile devices. The following
table lists supported operating systems and the Windows Intune features that are available for
computers and mobile devices running specific operating systems.
Note
You can apply mobile security policies and mobile device access rules to any device that
connects to Exchange Server through Exchange ActiveSync. The full range of
management tasks that can be performed depends on the capabilities of the connected
mobile device.
Supported Browsers for Administrators and Users
As an administrator of the Windows Intune service, you should also ensure that the browser that
you use when you sign in to the Windows Intune administrator console has Silverlight 4.0, or later,
installed.
The Windows Intune company portal is supported on the following web browsers:
Windows Internet Explorer 7 and later
Google Chrome version 15 and later
Mozilla Firefox 5.0 and later
The Windows Intune company portal may run on other web browsers, but with limited feature
support. We recommend that where possible, users connect to the Windows Intune company
portal by using a supported web browser.
New and Enhanced Web-Based Tools for Administrators
In this release of Windows Intune, new and enhanced web-based administrative tools are
available to help you manage your Windows Intune account, users, and client computers, and to
support connected mobile devices.
The following table describes the new features and enhancements that are available.
Name Description and capabilities
Windows Intune account portal
This portal lets you manage your Windows Intune subscription and specify the
users who can access Windows Intune. From the Windows Intune account
portal, you can sign up for Windows Intune, review guidance and download
tools to set up single sign-on or Active Directory synchronization, manually add
user accounts and security groups (if AD DS is not deployed in your
environment), activate synced users (if AD DS is deployed in your
environment), set up and manage service settings, check service status,
access online Help, and purchase subscription licenses. You can also access
the Windows Intune administrator console and the Windows Intune company
portal. Users can access the Windows Intune account portal to change their
password.
URL - https://account.manage.microsoft.com
Note
Prior to the April 2012 pre-release of Windows Intune, the Microsoft Online
Services Customer Portal was used for account management
(https://mocp.microsoftonline.com).
Windows Intune administrator console
This console has been enhanced. This console lets you configure management
and security settings for managed computers and users, configure and monitor
alerts, deploy licensed software to computers, make licensed software
available for users to install on their computers and mobile devices, view
hardware and software inventory, run license reports*, add service
administrators, and download the Windows Intune Exchange Connector and
Windows Intune client software.
*Disclaimer: This feature is provided for convenience only and accuracy is not
guaranteed. You should not rely on it to confirm your compliance with your
license agreements. We do not utilize data gathered from the software license
management feature to investigate potential violations of or compliance with
our licensing agreements.
URL - https://admin.manage.microsoft.com
Getting Started with the Windows Intune Account Portal
When you sign in to the Windows Intune account portal, the Admin Overview page appears. On
this page, the links under Admin shortcuts provide you with quick access to common
administrative tasks. Use these links to reset user passwords, add new users and assign them to
the Windows Intune user group, and open a new service request. You can perform additional
administrative tasks in other areas of the Overview page as follows:
Header: The links in Windows Intune header at the top of the Overview page provide you
with quick access to the Windows Intune administrator console and the Windows Intune
company portal.
Navigation pane: You can use this pane, on the leftmost side of the portal, to perform the
following tasks:
Setup: Click Overview to learn how to integrate AD DS (single sign-on or Active
Directory synchronization) with your Windows Intune environment.
Management: Click the links to perform the following tasks:
Users: Add or remove users, change user details and settings, activate synced
users, and reset user passwords.
Security Groups: Add, edit, or remove security groups.
Domains: Add or remove domains.
Subscriptions: Purchase and manage Windows Intune subscriptions, buy additional
licenses and add-ons, update credit card information, and view bills.
Support: Click Overview to access links to online Help and community resources or to
manage delegated administrators. To open a service request for a technical issue, click
Service Requests. To view the status of the Windows Intune service, including planned
maintenance, go to the Service Health page.
Resources and Community pane: You can use this pane, on the rightmost side of the
portal, to quickly access the following resources:
Windows Intune online Help: To access the online Help, under Resources, click Search
online Help.
Windows Intune Zone: To access the Windows Intune Zone, under Community, click
Springboard.
Windows Intune Forums
The following screenshot shows the Admin Overview page of the Windows Intune account
portal.
Getting Started with the Windows Intune Administrator Console
The first time that you sign in to the Windows Intune administrator console, the Getting Started
pane on the System Overview page appears. In the Getting Started pane, brief instructions and
links help you download and deploy the Windows Intune client software on computers that you
want to manage. If AD DS and on-premises Exchange Server 2010 SP1 are deployed in your
environment, you can download the Windows Intune Exchange Connector and take additional
steps to use Windows Intune to make licensed, internal line-of-business software applications
available for users to install on mobile devices, deploy policies to users for their mobile devices,
or wipe and remove those devices.
The following screenshot shows the Getting Started pane in the Windows Intune administrator
console.
On the System Overview page, there are three main panes:
Workspace shortcuts pane: This pane, on the leftmost side of the console, includes icons
for each Windows Intune workspace. Clicking an icon in this pane opens the corresponding
navigation pane and Overview page, where you can view status summaries and perform
management tasks that are relevant to that workspace.
Navigation pane: This pane, to the right side of the workspace shortcuts pane, provides
access to the Overview page and additional items for each workspace. The navigation pane
provides a view of the hierarchy for each workspace. Clicking Overview in the navigation
pane opens the Overview page for a workspace. Clicking another item displays more
detailed information. Depending on the item that you click, the information displayed might be
a list of relevant items, such as a list of all updates or a list of all malicious software, or a
Properties page that is relevant to the item.
Overview page: This page is available for all workspaces. It appears on the right side of the
navigation pane, displays status summaries, and includes a Tasks area and a Search box.
The Tasks area provides commands that let you perform management tasks for a
workspace. The Search box lets you search across a global list that is relevant to the
workspace. For example, you can search a list of all updates by entering the relevant KB
number. For most workspaces, a Learn About area includes links to topics that provide
information about the workspace and how to perform key management tasks.
The following screenshot shows the System Overview page.
When you first open the Windows Intune administrator console, no computers or mobile devices
are shown in the console, because you have not yet added computers to the Windows Intune
service, or added users and linked them to devices (computers). Take a few minutes to explore
the workspaces and other areas of the Windows Intune administrator console. For example, if
you click the Groups icon in the navigation pane, and then click All Users, notice that the All
Users view comprises two default user groups: All Users and Unassigned Users. In the All
Users group, notice that your tenant administrator account appears. Likewise, when you click All
Devices, notice that the All Devices view comprises two default groups: All Devices and
Unassigned Devices.
Before you add computers, additional user accounts, and mobile devices to the Windows Intune
administrator console, we recommend that you explore the Windows Intune company portal and
the Windows Intune mobile company portal, and then add or delegate administrators and set
policies in the Windows Intune administrator console.
Web-Based Portals to Provide Self-Service Capabilities for Users
Two web-based portals let your users perform common tasks without the need to involve your
organization’s IT help desk. Tasks that users can perform include installing licensed software that
you make available on their computers and mobile devices, adding computers that need to be
managed by Windows Intune, removing computers that no longer need to be managed by
Windows Intune, wiping data from compromised mobile devices, and adding or removing mobile
devices. For users who do need to contact their IT help desk, you can provide customized IT
contact information that is suitable for your organization.
Because Windows Intune supports common tasks for both computers and mobile devices,
Windows Intune includes two portals to provide an optimized user experience for each type of
device. The following table describes the tools that Windows Intune provides for users to
accomplish these tasks:
Name Description and Capabilities
Windows Intune company portal
This web-based portal is optimized for computers. Authorized users can access
this portal, sign in to Windows Intune, browse applications that you make
available, install applications on their computers, and contact their IT Help desk.
They can also add computers that need to be managed by Windows Intune, add
mobile devices, remove computers that no longer need to be managed by
Windows Intune, and wipe data from mobile devices or remove mobile devices
from Windows Intune and Exchange Server.
URL - https://portal.manage.microsoft.com
Windows
Intune
mobile
company
portal
This web-based portal is optimized for mobile devices. Authorized users can
access this portal, sign in to Windows Intune, browse and install licensed internal
line-of-business software applications that you make available, install the
applications on their mobile devices, and contact their IT Help desk.
URL - https://m.manage.microsoft.com
Getting Started with the Windows Intune Company Portal
After you add users to Windows Intune, you can make applications available for your users to
install on their computers and let users perform other common tasks without the need to call their
IT Help desk. By visiting the Windows Intune company portal, users can view the applications that
are available to install, and then install those applications. The Windows Intune company portal is
available from any location with Internet access. This portal helps reduce support costs by
providing a way for users to add their own computers so that the computers can be managed by
Windows Intune and to remove computers that are no longer to be managed by Windows Intune.
If your Windows Intune environment is configured to support mobile devices, users can also add
mobile devices to connect to Windows Intune, wipe data from lost or stolen mobile devices, and
remove mobile devices from Windows Intune and Exchange Server. You can customize the
Windows Intune company portal to display your company name, contact information for your IT
help desk, and color preferences. For more information, see Customizing the Windows Intune
company portal in the Windows Intune online Help.
We recommend that you explore the Windows Intune company portal to familiarize yourself with
the experience and features that it can provide for your users.
To sign in to the Windows Intune company portal, users must sign in with their user ID for
Windows Intune, or if you have AD FS 2.0 single sign-on deployed in your environment, they can
sign in with their existing credentials. If you do not have AD FS 2.0 single sign-on deployed, you
need to create a new user ID for each user account that you add to Windows Intune. As part of
this process, a temporary password is generated that you can give to new users, along with each
user’s user ID, so that they can sign in to the Windows Intune company portal. For information
about how to add a user to Windows Intune, see “To add users to the Windows Intune account
portal” later in this guide.
When users sign into the Windows Intune company portal, they can view the following areas:
Apps: Users can click this tile to access the Applications list, where they can browse or
search for licensed software applications that you make available for them to install on their
computers. Users can sort and browse the list of available applications alphabetically (for
more than 20 applications) by publisher or date published, or they can search for an
application by title. After users choose an application that they want to install, they can view
details about the application and then select the computers on which to install the application.
Messages inform users when their computers do not meet the requirements for an
application, if an application is already installed on their computers, and when an installation
is pending or has failed. When an installation has failed, users can retry the installation.
Note: To view and install applications that you make available for users to install on their
mobile devices, users must access the Windows Intune mobile company portal by
using their mobile device.
All My Devices: Users can click this tile to view the list of computers that are managed by
Windows Intune. They can add computers to be managed by Windows Intune, rename
managed computers, remove computers that are no longer to be managed by Windows
Intune, and view the list of installed software on their computers.
Contact IT: Users can click this tile to view the contact information that you specify for your
company’s IT help desk. Options include your company name, system administrator name,
phone, and email address, and additional information. You can also specify a website URL
and name that users can visit to access online technical support.
Note: The Windows Intune online Help provides information that you or other administrators
in your company can provide to users, to help them get started with using the
Windows Intune company portal. For more information, see Using the Windows
Intune company portal in the Windows Intune online Help.
The following screenshot shows the Windows Intune company portal.
Getting Started with the Windows Intune Mobile Company Portal
When your environment is configured to support mobile devices, you can make internal licensed
line-of-business software applications available for your users to install on supported mobile
devices. Users can view the applications that are available for them to install on their mobile
devices and then install those applications by visiting the Windows Intune mobile company portal,
at https://m.manage.microsoft.com. Users can also contact their IT help desk. In addition to
Windows Phone 7, the mobile company portal supports devices that run the iOS and Android
operating systems.
We recommend that you explore the mobile company portal to familiarize yourself with the
experience and features that it can provide for your users.
To sign in to the Windows Intune mobile company portal, users must sign in with their user ID for
Windows Intune, or, if you have AD FS 2.0 single sign-on deployed in your environment, they can
sign in with their existing credentials.
When users sign into the Windows Intune mobile company portal, they can view the following
areas:
Get Apps: Users can click this tile to access the Get Apps section, where they can view the
list of licensed internal line-of-business software applications that you make available for
them to install on their mobile devices. After users choose an application that they want to
install, they can view details about the application and then install it. Messages inform users
when their mobile device does not meet the requirements for an application or if the
application requires additional settings to be configured on their mobile device.
Contact IT: Users can click this tile to access the Contact IT section, where they can do the
following:
Call their IT help desk
Send an email to their IT help desk
Access their internal IT website
Administrator Roles
The following administrator roles provide you and other administrators with access to the
Windows Intune administrator console.
Windows Intune tenant administrator: These administrators have full administrative rights to
the Windows Intune administrator console. They can perform all operations in the console,
including adding or deleting Windows Intune service administrators. In addition, they can
assign other tenant administrators by using the Windows Intune account portal. Note that
tenant administrators must be assigned in the Windows Intune account portal; you cannot
use the Windows Intune administrator console to assign a tenant administrator.
Note: By default, when you subscribe to Windows Intune, you become a global
administrator for Microsoft Online Services and a tenant administrator for the
Windows Intune administrator console. As a global administrator for Microsoft Online
Services, you have the same privileges across all Microsoft Online Services for your
organization, and you can add other tenant administrators for the Windows Intune
administrator console.
Windows Intune service administrator: There are two levels of console access: Full access
and read-only.
Full access: These service administrators have full administrative rights to the Windows
Intune administrator console and therefore they can perform all operations in the console,
including adding or deleting other service administrators.
Read-only access: These service administrators have read-only rights and therefore they
cannot modify data in the console; they can only view data in the console and run
reports.
You can assign service administrators by using the Windows Intune administrator console.
These administrators must have a user ID and password, and they must be a member of the
Windows Intune user group. If an individual does not have a user ID, a tenant administrator
must create one for him or her by using the Windows Intune account portal and then ensure
that the individual is a member of the Windows Intune user group.
Note: The Windows Intune service administrator is not the same as the service
administrator that is displayed in the Windows Intune account portal. The service
administrator for Microsoft Online Services that is displayed in the Windows Intune
account portal manages service requests and monitors service health.
Delegated administrators: These administrator roles are new for Windows Intune in this
release. These administrators are partners who you have authorized to administer your
Windows Intune account. You assign these administrators by using the Windows Intune
account portal. There are two types of delegated administrators:
Delegated Administrator Partner (DAP): These delegated administrators are tenant
administrators for Windows Intune, and therefore they have full administrative access to
the Windows Intune administrator console.
Important: If you are using another Microsoft Online Service, be aware that Delegated
Administrator Partners are granted full access to all Microsoft Online Services for
your organization, not just to Windows Intune.
Delegated Helpdesk Partner (DHP): These delegated administrators are read-only
administrators for Windows Intune, and therefore they cannot modify data in the Windows
Intune administrator console; they can only view data in the console and run reports.
Important: If you are using another Microsoft Online Service, be aware that Delegated
Helpdesk Partners are granted access to all Microsoft Online Services for your
organization, not just to Windows Intune.
For information about how to add a Windows Intune service administrator, see Adding and
Managing Administrators in the Windows Intune online Help.
Use the following procedure to add a Windows Intune tenant administrator.
To add Windows Intune tenant administrators
1. Open the Windows Intune account portal.
2. In the header, click Admin.
3. In the left pane, under Management, click Users.
4. On the Users page, select the check box next to the names of the users that you want to
assign tenant administrator permissions to, and then click Edit.
5. Click Settings.
6. On the Settings page, under Assign role, select Yes, select Global administrator, and
then click Next.
7. Under Set sign-in status, confirm that Allowed is selected, and then click Save.
Partners with Delegated Administration
As mentioned, if you are a Microsoft Online Services global administrator and you want someone
else to administer your Windows Intune account, you can delegate this role to a Microsoft partner
with Delegated Administration privileges.
This process must be initiated by your Microsoft partner. The partner sends you an email asking
you if you want to give them permissions to act as a delegated administrator.
To add a delegated administrator
1. Read the partner's terms in the email.
2. To authorize the agreement, click the link to go to an authorization page in the Windows
Intune account portal. You may be asked to sign into your Windows Intune account to
complete this verification.
To manage a delegated administrator
1. Sign in to the Windows Intune account portal.
2. Under Support, click Overview.
3. Click Delegated administrators.
Partners managing customers on the Windows Intune October 2011 release
If you are a partner that manages customers who use the Windows Intune release prior to
June 2012, you can continue to use the same sign in and URL for your customers. When you
sign in to the Windows Intune administrator console, you will see only the accounts of
customers who are using the pre-June 2012 release. When these customers are upgraded to
the June 2012 release, you must manage their accounts by using the process that is
described in the next section.
Delegated Administration Partners for the Windows Intune June 2012 release
If you are a partner and you want to manage customers who are using the Windows Intune
June 2012 release, you will need to do the following.
To become a Delegated Administration Partner for Windows Intune June 2012 release customers
1. Get your Windows Intune June 2012 release Internal Use Rights benefits from the
Microsoft Partner Network.
2. In order to offer Delegated Administration to your customers, you must be a
Delegated Administration Partner.
3. Sign in to your Windows Intune June 2012 release subscription, and navigate to the
Partner area. You will find the ability to offer Trial and Paid subscriptions to
customers.
4. When you sign in to the Windows Intune administrator console with your user ID,
you will see only the accounts of customers who are using the June 2012 release.
5. When you sign in to the Windows Intune account portal, you will be able to manage
the subscriptions for your June 2012 release customers.
Setting up Policies in the Windows Intune Administrator Console
Windows Intune policies provide settings that control mobile device security, software updates,
Windows Intune Endpoint Protection, Windows Firewall settings, and the end-user experience in
the Windows Intune Center, which is installed on all computers that are managed by Windows
Intune. The Windows Intune Center lets users request remote assistance, start Endpoint
Protection, and check for updates for their computers. Computer policies work no matter
which domain your computers or users are joined to, or even if they are not joined to a domain.
Mobile policies work on any mobile devices that are connected to your Exchange environment
through Exchange ActiveSync.
Policy templates also now include the option to deploy policies with recommended settings, so
that you can easily create and deploy policies that implement best practices.
When you plan how to deploy policies to computers in your environment, keep in mind that you
can use policies to modify the default client behavior during the client enrollment process. For this
reason, before you add computers to Windows Intune, we recommend that you create a Windows
Intune Agent Settings policy for all computers to establish a baseline.
Important: Another consideration to keep in mind when you are planning to deploy policies to
computers is that Windows Intune policy management is not connected to Group Policy.
Although the two policy management systems serve the same purpose, their scopes of
management vary, and they operate independently. If you are using Windows Intune in
an environment that also includes Group Policy, note that domain-level Group Policy
typically takes precedence over Windows Intune policy, unless a domain-joined managed
computer cannot connect to the domain controller. If connectivity to the domain controller
is unavailable, Windows Intune policy is applied to the managed computer.
To avoid policy conflicts that can occur from having competing policy management
systems, we recommend that when you deploy the Windows Intune client software to
computers, you ensure that the computers that are managed by Windows Intune policy
are not also receiving direction from Group Policy for the same configuration settings. For
more information, see Planning Around Group Policy in the Windows Intune online Help.
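The recommendation above (do not let Group Policy and Windows Intune policy manage the same settings on one computer) is easiest to act on if you can see what Group Policy has already written to a computer before you enroll it. The following script is an added example, not part of the original guide: it inspects the registry policy keys under HKLM\SOFTWARE\Policies, which is where the Group Policy registry client-side extension (and local policy) writes its settings, for the areas that Windows Intune Agent Settings and Windows Firewall Settings policies cover. The mapping of Intune policy areas to those keys is an assumption made for this example.

```powershell
# Added example (not from the original guide): report Group Policy registry settings on this
# computer that overlap the areas Windows Intune policy manages. Run in an elevated
# Windows PowerShell session on the computer you intend to enroll.
# Assumption: these are the registry policy keys the relevant Group Policy settings land in.
$PolicyAreas = @{
    'Windows Intune Agent Settings (software updates)'   = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU')
    'Windows Intune Agent Settings (Endpoint Protection)' = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender')
    'Windows Firewall Settings'                          = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile',
        'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile',
        'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile')
}

function Get-GroupPolicyOverlap {
    param([hashtable]$Areas = $PolicyAreas)
    foreach ($area in $Areas.Keys) {
        foreach ($key in $Areas[$area]) {
            # A key that does not exist means nothing policy-managed in that area.
            if (-not (Test-Path -Path $key)) { continue }
            $regKey = Get-Item -Path $key
            foreach ($name in $regKey.GetValueNames()) {
                [pscustomobject]@{
                    IntunePolicyArea = $area
                    RegistryKey      = $key
                    ValueName        = $name
                    Value            = $regKey.GetValue($name)
                }
            }
        }
    }
}

# Domain membership matters because Windows Intune policy only wins while the domain
# controller is unreachable (see the Important note above).
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Domain-joined: $($cs.PartOfDomain)   Domain/workgroup: $($cs.Domain)"

$overlap = @(Get-GroupPolicyOverlap)
if ($overlap.Count -eq 0) {
    'No Group Policy registry settings found in the areas that Windows Intune policy manages.'
} else {
    'Group Policy already manages these settings; do not also set them in Windows Intune policy:'
    $overlap | Format-Table -Property IntunePolicyArea, ValueName, Value -AutoSize
    # To find which GPO delivers each value, run: gpresult /h gp-report.html
}
```

Treat a non-empty result as a planning input, not a verdict: either remove those settings from the GPO that targets the computers you will enroll, or leave them in Group Policy and do not deploy the corresponding Windows Intune policy setting to the device group those computers will land in.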
The following procedure describes how to set up a Windows Intune Agent Settings policy for
computers.
To set up a Windows Intune Agent Settings policy for computers
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Policy icon.
3. Under Tasks, click Create New Policy.
4. In the Create a New Policy dialog box, the following policy templates are displayed in
the list of templates in the left pane:
Mobile Security Policy
Windows Firewall Settings
Windows Intune Agent Settings
Windows Intune Center Settings
Note: For detailed information about specific policy settings, see Policy Settings
Reference in the Windows Intune online Help.
5. Select the Windows Intune Agent Settings template. The agent settings control the
Endpoint Protection and software update settings for the corresponding agents that will
be installed on the managed computers when you add them to Windows Intune, user-to-
device linking, and network bandwidth utilization.
6. In the right pane, under Windows Intune Agent Settings, do one of the following:
Click Create and Deploy a Policy with the Recommended Settings. To view the
settings before you create the policy, click View the recommended settings that
will be used as the default for this policy.
Click Create and Deploy a Custom Policy, and then click Create Policy. After you
click Create Policy, you can review and configure the available policy settings.
Windows Intune Agent settings include:
Scan Schedule: Specify whether to schedule a daily quick scan or full scan, and
whether to run a full scan after Windows Intune Endpoint Protection is installed,
to obtain a baseline of the client’s health.
Update and application detection frequency: Specify how often the Windows
Intune agent checks for new updates and licensed software applications.
User-Device Linking: Specify whether to let users link their accounts to
computers or mobile devices that are not linked to any other user accounts.
Click the information icon next to each setting to learn about each setting and to view
the recommended value, where appropriate.
7. After you configure the settings that you want to apply in your default policy, type a name
and an optional description for the policy, and then click Save Policy.
8. When prompted to specify whether you want to deploy the policy now, click Yes.
9. In the Select the groups to which you want to deploy this policy dialog box, select
the device groups to which you want to deploy this policy. Windows Intune Agent settings
can only be deployed to computers, so only device groups (which contain computers) are
available for selection. Because you have not yet added computers to be managed by
Windows Intune and created device groups, click All Devices, and then click Add. As
you add computers to be managed by Windows Intune and create computer groups, you
can edit this policy and deploy it to different groups as needed.
10. Repeat these steps as needed for the Windows Intune Center Settings and Windows
Firewall Settings policy templates.
You can use the Windows Intune Center Settings policy to configure the contact
information that appears in the Windows Intune Center on managed computers. You can
set details such as email addresses or telephone numbers for users to contact if they
need support. You can use the Windows Firewall Settings policy to control the local
Windows Firewall on managed computers and to create exceptions to open specific
firewall ports that enable or disable features such as File and Print services or remote
administration.
If your environment meets the requirements for mobile device support as described earlier in this
topic, you can use the following procedure to set up a Mobile Security Policy for mobile devices in
your organization. This policy template includes settings that let you define whether a password is
required for mobile devices that synchronize with Exchange Server, the password length and
type, and whether encryption is required on mobile devices (if it is supported; not all mobile
devices support encryption).
To set up a mobile security policy
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Policy icon.
3. Under Tasks, click Create New Policy.
4. In the Create a New Policy dialog box, select the Mobile Security Policy template.
5. In the right pane, under Mobile Security Policy, do one of the following:
Click Create and Deploy a Policy with the Recommended Settings. To view the
settings before you create the policy, click View the recommended settings that
will be used as the default for this policy.
Click Create and Deploy a Custom Policy, and then click Create Policy. After you
click Create Policy, you can review and configure the available policy settings. For
example, Mobile Security Policy settings include:
Enforcement: Specify whether to allow mobile devices that do not comply with
some or all settings in the policy to synchronize with Exchange Server.
Password: Specify password length, complexity, and whether a device is wiped
after a certain number of password attempts fail.
Email download: Specify whether to let users download email attachments to
their mobile device.
Click the information icon next to each setting to learn about each setting and to view
the recommended value, where appropriate, as shown in the following screenshot.
6. After you configure the settings that you want to apply in your policy, type a name and an
optional description for the policy, and then click Save Policy.
7. When prompted to specify whether you want to deploy the policy now, click Yes, and
then select the user groups that you want to deploy this policy to (this policy can only be
deployed to user groups, not to device groups). For example, click All Users, and then
click Add to deploy this policy to all users that you are managing.
As you create and deploy more specialized policies to other device groups and user groups in
your organization, be aware that every policy deployed to a group applies to the computers and
users in that group. Where two Windows Intune policies set the same setting to different values,
the policy deployed at the lowest level of the Windows Intune group hierarchy takes precedence
for that setting.
Next Steps
The next topic, Add Computers, Users, and Mobile Devices to Windows Intune, helps you add
computers and users to Windows Intune and understand how mobile devices are added to
Windows Intune, link users to computers, organize devices and users into groups, manage
updates, and set up alert notifications.
See Also
Assess the Health of Your IT Environment and Assist End Users
Add Computers, Users, and Mobile Devices to Windows Intune
This topic will help you complete the following tasks:
Add computers to Windows Intune by installing the Windows Intune client software on
computers that you want to manage.
Manually add users and security groups to the Windows Intune account portal, or activate
synchronized users and add them to the Windows Intune user group in the Windows Intune
account portal.
Learn how mobile devices are added to Windows Intune.
Understand user-to-device linking and link a user to a computer.
Learn about enhancements to groups in Windows Intune, which let you create user and
device groups that have dynamic membership queries; create device groups to organize
computers; and create user groups so that you can deploy mobile security policies to that
group for members’ mobile devices.
Set up automatic update approval rules to help ensure that important updates are rapidly
deployed and set an installation deadline for automatic update approvals.
Configure alert notifications to help ensure that you or other administrators receive email
notifications about the latest alerts.
Planning for Endpoint Protection and Managed Computer Bandwidth Usage
Before you add computers to the Windows Intune service, consider your needs for endpoint
protection. Determine whether you want to use Windows Intune Endpoint Protection instead of an
existing endpoint protection application, or to continue to use an existing endpoint protection
application. For information about how to implement either approach so that your managed
computers are not left in an unsecured state, see Replacing Your Existing Malware Protection
and Continuing to Use Your Existing Malware Protection in the Windows Intune online Help.
Also keep in mind that Windows Intune-managed computers use network bandwidth for Windows
Intune-related operations. Before you install the Windows Intune client software on computers
that you want to manage, you should consider the existing amount of network usage and the
amount that will be added by the requests made by Windows Intune-managed computers. For
information about the variables that impact bandwidth planning for Windows Intune and for
comprehensive deployment planning guidance, see Planning for Client Deployment and
Enrollment in the Windows Intune online Help.
Adding Computers to Windows Intune
Before you can manage a computer by using Windows Intune, you must download and install the
Windows Intune client software package on the computer — this can be a physical computer or a
virtual machine.
Warning: The Windows Intune package contains unique account identifiers. If unauthorized or
malicious users gain access to the software package, they can add computers to the
account that is represented by its embedded certificate. To avoid unauthorized access,
we recommend the following best practices:
After you download the package, store it in a secure location.
When you deploy the client software, put the package on a shared, secure location that
provides read-only access to required users only. Set the location as inaccessible to the
Everyone group.
Protect the network that contains both the shared location and the destination client by using
IPsec or a similar security technology.
To download the client software installation package
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, click Client Software Download.
4. Ensure that the targeted computer meets the minimum software and hardware
requirements that are described earlier in this guide, in Configure Your Windows Intune
Environment.
5. Click Download Client Software.
The client software is contained in a compressed (zipped) folder that can be opened or
saved. When you are prompted to choose what you want to do with
Windows_Intune_Setup.zip, click Save, and then save the zipped folder to a secure
location.
Important: Do not rename or move the extracted WindowsIntune.accountcert
(ACCOUNTCERT) file, or the client software installation fails.
6. After the download is complete, click Open Folder and then follow the steps in the next
procedure.
Repeat the following procedure on every computer that you want to add to the Windows Intune
service.
To install the client software on a computer
1. Open the folder where you saved the installation package.
2. Double-click the Windows_Intune_Setup.zip folder, and then click Extract all files.
3. In the Select a Destination and Extract Files dialog box, browse to a secure location to
which the Windows Intune setup files will be extracted, and then click Extract.
When the extraction is complete, a new window opens showing the files in the specified
destination folder similar to that shown in the following screenshot.
You can copy the files to a network share, a thumb drive, or deploy the files by using an
electronic software deployment (ESD) system. However, it is important to keep both files
together because the ACCOUNTCERT file is required by the setup application when it is
run.
Important: Do not rename or separate the extracted ACCOUNTCERT file from the setup
application, or the client software installation fails.
4. If you want to use a standard installation process, ensure that you are logged on to the
targeted computer with an account that is a member of the local Administrators group,
double-click the Windows_Intune_Setup.exe file, and then follow the instructions in the
Setup Wizard to complete the installation.
5. After the installation is complete, restart the computer. A restart is needed to complete
the installation of the protection and update agents, and to download any required
endpoint protection definitions or other agent updates.
The managed computer should appear in the Windows Intune administrator console within a
few minutes, but it can take up to 30 minutes for all the agents to be completely installed and
to report all inventory and status updates.
Adding Windows Intune to Deployment Images
For a standard installation process to complete successfully, a live Internet connection is
required. In some situations, this might not be possible at the time of installation; for example, if
you install the agent into a deployment image that will be used to create a number of computer
deployments. In this case, you can use a command-line argument to schedule a task that will
attempt to add the computer at a later time. For information about how to complete this type of
installation, see Installing the Client Software as Part of an Image in the Windows Intune online
Help.
Adding Users and Security Groups to Windows Intune
With this release of Windows Intune, you can now add and manage users, so that you can target
available licensed software and deploy policies to user groups. You can also let users access the
Windows Intune company portal to perform common tasks without involving their IT help desk.
The Windows Intune company portal enables users to add their own computers to Windows
Intune, so that the computers can be managed by Windows Intune, and to remove computers
that no longer need to be managed by Windows Intune. Users can also install licensed software
applications that you make available.
If you add security groups to Windows Intune in the Windows Intune account portal, when you
create a user group in the Windows Intune administrator console that has dynamic membership
queries, you can specify security group membership as one of the query criteria for that user
group.
For users and security groups to appear in the Windows Intune administrator console, you must
sign in to the Windows Intune account portal and do one of the following:
Manually add users or security groups, or both, to the account portal.
Use Active Directory synchronization to populate the account portal with synchronized users
and security groups. After the synchronized users and security groups are added to the
account portal, you must activate the synced users and assign them membership in the
Windows Intune user group to manage them in the Windows Intune administrator console.
You do not need to activate the synced security groups.
Note: The Windows Intune user group is not a security group, but a group that enables you to
identify users who are to be managed by Windows Intune. After you add users to the
Windows Intune user group in the Windows Intune account portal, they appear in the list of
users in the Windows Intune administrator console and are available to be managed.
Use the following procedure to manually add users to the Windows Intune account portal.
To manually add users to the Windows Intune account portal
1. Open the Windows Intune account portal.
2. In the header, click Admin.
3. In the left pane, under Management, click Users.
4. On the Users page, click New, and then click User.
5. On the Details page, complete the user information. Click the arrow next to Additional
details to add optional user information such as job title or department, and then click
Next.
6. On the Settings page, if you want the user to have an administrator role, select Yes, and
select an administrator role from the list.
7. Under Set user location, select the user or users’ work location, and then click Next.
8. On the Group page, under Windows Intune user group, ensure that the name of the
user is selected.
9. On the Send results in email page, select Send email to send a user name and
temporary password (Windows Intune creates the password automatically) for the newly
created user to yourself and the recipients of your choice by email. Enter email
addresses separated by semicolons (;), and then click Create. You can enter a maximum
of five email addresses.
10. On the Results page, the new user name and a temporary password are displayed. After
you review the results, click Finish.
Note
You can import multiple user accounts into Windows Intune from a single file source. The
file must be a comma-separated values (CSV) file and adhere to the required format. For
more information, see Add Multiple Users with Bulk Import in the Windows Intune online
Help.
Use the following procedure to manually add security groups to the Windows Intune account
portal.
To manually add security groups to the Windows Intune account portal
1. Open the Windows Intune account portal.
2. In the header, click Admin.
3. In the left pane, under Management, click Security Groups.
4. On the Security Groups page, click New.
5. On the Details page, type a display name and description for the group, and then click
Save.
6. On the Select members page, from the List type list, select which type of members you
want to add to the new security group: Users or Groups (other security groups).
The available members for the selected list type are displayed under Available
members.
7. Select the check box next to each member that you want to add, and then click Add. The
added members are displayed in the Selected members list.
8. To remove a member from the Selected members list, select the check box next to the
member that you want to remove, and then click Remove.
9. After the list of members is complete, click Save and Close.
Use the following procedure to activate synced users (users who have been added to the
Windows Intune account portal through Active Directory synchronization), and to add them to the
Windows Intune user group.
To activate synced users and add them to the Windows Intune user group
1. Open the Windows Intune account portal.
2. In the header, click Admin.
3. In the left pane, under Management, click Users.
4. On the Users page, select the check box next to the user or users that you want to
activate, and then click Activate synced users.
Note
To access all of the synchronized users, you can create a customized view of
those users in the View list. To do this, select the check box next to
Synchronized users only on the New view page when you create the view.
After creating the view, return to this step of the procedure, select the new view
from the View list, and then select the top check box in the user list to select all
users in that view. Note that all synchronized users have a sync icon next to their
display name.
5. Under Set user location, select the user or users’ work location, and then click Next.
6. Under Windows Intune user group, select the Windows Intune user name, and then
click Next.
7. On the Send results in email page, select Send email to send a user name and
temporary password for the activated user or users to yourself and/or recipients of your
choice by email. Enter email addresses separated by semicolons (;), and then click
Activate.
8. On the Results page, the new user or users and a corresponding temporary password
are displayed. After you review the results, click Finish.
After you activate synced users and assign them membership in the Windows Intune user
group, you can manage them in the Windows Intune administrator console.
Mobile Device Support
Windows Intune provides the following capabilities for mobile device support:
A unified experience across all devices through:
Automatic discovery of mobile devices that access Exchange Server
User-centric views for device inventory
A single console (the Windows Intune administrator console) to manage computers and
mobile devices
The ability to help secure corporate data on mobile devices through:
Targeting Exchange ActiveSync policies to user groups. Policies include settings that let
you set requirements for password length and encryption (if it is supported by the mobile
device).
Setting device access rules by device family or model
Retiring and/or wiping lost, stolen, or otherwise compromised mobile devices.
The ability to make licensed internal line-of-business applications available for your users
through:
Hosting and targeting licensed internal line-of-business applications to user groups
Self-service capabilities for your users, which enable them to download internal line-of-
business applications to their mobile devices
Prerequisites for supporting mobile devices with Windows Intune are as follows:
An on-premises component to orchestrate communication between Exchange Server 2010
Service Pack 1 and later, and Windows Intune
A computer that has access to the Exchange environment. The computer must meet the
following requirements:
The computer must run Windows Server 2008 Service Pack 2 (64-bit) or Windows Server
2008 R2.
.NET Framework 4.0 and PowerShell 2.0 must be installed on the computer.
The computer must be joined to the Exchange Server domain.
The computer must have Internet access.
When your environment is configured to support mobile devices, Windows Intune automatically
discovers all the mobile devices that belong to the users who have been added to Windows
Intune. The mobile devices appear in the Windows Intune administrator console in the All
Devices group, or on the Devices tab in the user properties page for the users to whom the
devices are linked.
User-to-Device Linking
User-to-device linking provides you with a management bridge between users and their devices.
After you link users to their devices, you can deploy licensed software applications to users (that
are then applied to their linked computers). You can also deploy policies that are applied to users’
computers and mobile devices, and make specific licensed software applications available for
users to install. Users can sign in to the Windows Intune company portal or Windows Intune
mobile company portal, review the applications that you have made available, and they can then
choose whether to install any of the applications.
There are two ways to link users to devices: automatically and manually. Mobile devices are
automatically linked to users during the discovery process. Computers are automatically linked to
users when users add their computers to Windows Intune by using the Windows Intune company
portal.
You can use the following procedure to manually link a user to a computer.
Manually link a user to a computer
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Groups icon.
3. In the navigation pane, click All Devices.
4. In the Search devices box, type the partial or full name of the computer to which you
want to link a user.
The name of the computer, if located, appears in the list.
5. With the name of the computer selected, click Link User.
6. In the Link User dialog box, a list of available users is displayed. If the list is long, you
can type the name of the user to whom you want to link the computer in the Search
users box.
If the computer is already linked to a user, the name and UPN of the user appear under
Current User. If the computer is orphaned (not linked to any user), No User appears
under Current User.
7. After you locate the user, click the name of the user.
Every time that you select a new user name from the list, the New user section above
the list is updated to display the selected user. When you clear the search criteria or run
a search, none of the users in the list is selected and you will need to select a new user
from the list.
8. In the Link User dialog box, the name of the user whom you selected is displayed under
New user. Confirm that the specified user is the correct user, and then click OK.
You can also modify a user-to-device link in the Windows Intune administrator console for a
computer. Doing this is useful when you want to link a computer that is currently linked to one
user to a different user. You can also remove a user-to-device link for a computer so that it is not
linked to any users.
You cannot create or modify user-to-device links for mobile devices.
Enhancements to Groups
Enhancements to groups in Windows Intune provide you with increased power and flexibility for
managing groups. Following are enhancements to groups:
Groups can now include users or devices (mobile devices and computers), but not both. In
previous releases of Windows Intune, groups included computers, not users or mobile
devices.
Groups can have dynamic membership queries or rules, static membership, or mixed
membership. When you create a dynamic membership query, you define the criteria that
determines the query that Windows Intune runs to retrieve the list of group members. The
group is automatically updated with members that meet the criteria whenever changes occur.
You can also create groups that have static membership lists. These are groups that you
manually define by explicitly adding members. In previous releases of Windows Intune,
groups only included explicitly defined static membership lists. They did not have dynamic
membership queries or rules, or mixed membership.
Note
Active Directory Domain Services (AD DS) is not required to create user groups or device
groups that include users or computers, but for device groups to include mobile devices,
your environment must be configured as described earlier in this guide to support mobile
devices, and the mobile devices must be discovered and added to the Windows Intune
inventory. If your environment is not configured to support mobile devices, they will not
appear in the Windows Intune inventory and be available to add to device groups.
Note
If AD DS is not configured in your environment, you can manually add users and security
groups in the Windows Intune account portal, as described earlier in this topic.
Planning Considerations for Creating Groups
It is important to plan carefully before you organize computers, mobile devices, and users into
groups in Windows Intune. Following are key considerations to keep in mind when you plan for
creating user or device groups in Windows Intune:
A group can have direct members (static membership), dynamic query-based members, or
both.
You cannot change a group’s parent.
The membership of a parent group defines the possible membership of the child group.
Members must belong to a parent group in order for them to be added to a child group.
This enhancement from previous releases of Windows Intune simplifies the process of
identifying group membership and identifying areas of possible conflicting policy settings.
Group membership is recursive. That is, when you specify criteria for a user or device group
based on a dynamic membership query (such as membership in a specific Active Directory
security group or a specific manager in Active Directory), all direct and indirect users will be
members of that group. For example:
If user A is a member of security group X in Active Directory
And security group X is a member of security group Y in Active Directory
If you create a group based on a membership query in Windows Intune that includes all
members of security group Y, user A will be a member of the group.
One member can belong to multiple groups.
Creating Device Groups to Organize Computers
You can create device groups to target the deployment of policies, updates, and licensed
software applications to managed computers.
The following procedure describes how to create a device group. Keep in mind that the following
procedure is meant to provide one example of how to set up your first device groups. You can
customize this approach to meet your organization's needs. For example, you might want to
create such a group to organize all computers in your organization’s corporate headquarters site,
and then create additional groups for your additional sites, based on geographical location. Or,
you might organize computer groups by the operating systems that computers run or by business
function.
To create a device group to organize computers
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Groups icon.
Note the default groups: All Users, Unassigned Users, All Devices, and Unassigned
Devices.
The All Devices group contains all computers, and if applicable, all mobile devices, that
have been added to Windows Intune. The Unassigned Devices group contains
computers, and if applicable, mobile devices, that you have not yet assigned to a group.
If you have not configured your Windows Intune environment to support mobile devices,
these groups will not contain mobile devices, and you cannot add mobile devices to
them.
3. On the Groups Overview page, under Tasks, click Create Group.
4. In the Group Name box, type Headquarters Computers, and then in the Description
box, type All computers in corporate Headquarters site.
5. Under Select a parent group, click All Devices, so that the new group appears at the
top level of the device groups, and then click Next.
6. Under Select device type, select Computer.
7. Click the Browse button to the right of the Filter members based on organizational
units box.
8. In the Select Organizational Units dialog box, select the OU that you want to add to the
group (for example, the Headquarters OU), click Add to add it to the Selected
organizational units box, and then click OK to close the dialog box.
9. Click the Browse button to the right of the Add specific members box.
10. In the Add Remove Members dialog box, select the computers that you want to add to
the group, click Add to add them to the Selected specific members box, and then click
OK to close the dialog box.
11. Review the list of computers that appears under Add specific members, and if the list is
correct, click Next.
12. To exclude members from the group, click the Browse button to the right of the
Excluded members box, select the computers that you want to exclude from the group,
click Add, and then click OK to close the dialog box.
13. Review the list of computers that appears under Excluded members, and if the list is
correct, click Next.
14. On the Summary page, review the details about the group, and if they are correct, click
Finish.
You can repeat these steps for all device groups that you want to create. The following
screenshot shows three examples of grouping strategies that you can use.
By default, groups are sorted alpha-numerically. After you create the device groups that you
need, you can deploy licensed software applications, updates, and policies to these groups.
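The membership rules from the planning considerations above (a parent group bounds its children, security group queries are recursive, one member can be in many groups) together with the specific-members and excluded-members steps of the device group procedure, modelled as an added Python example; it is not Microsoft or Windows Intune code. The directory contents, the group named Members of Y, and the rule that an explicit exclusion wins over both the query and the specific-members list are assumptions.

```python
"""Toy model of the Windows Intune group membership rules described in this
guide: a parent group bounds its children, dynamic queries (security group
or organizational unit) are evaluated recursively, and specific and
excluded members adjust the result. Added illustration, not Microsoft code;
all directory data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed stand-in for the AD DS / account portal data Intune queries."""

    security_groups: dict[str, set[str]]  # group -> direct members (users or nested groups)
    computer_ous: dict[str, str]          # computer -> organizational unit

    def users_in_security_group(self, name: str, seen: set[str] | None = None) -> set[str]:
        """All direct and indirect users of a security group (recursive, cycle-safe)."""
        seen = set() if seen is None else seen
        if name in seen:
            return set()
        seen.add(name)
        users: set[str] = set()
        for member in self.security_groups.get(name, set()):
            if member in self.security_groups:   # nested security group: recurse
                users |= self.users_in_security_group(member, seen)
            else:
                users.add(member)
        return users

    def all_users(self) -> set[str]:
        return set().union(*(self.users_in_security_group(g) for g in self.security_groups))

    def computers_in_ou(self, ou: str) -> set[str]:
        return {c for c, c_ou in self.computer_ous.items() if c_ou == ou}

    def all_computers(self) -> set[str]:
        return set(self.computer_ous)


@dataclass
class IntuneGroup:
    """One group as defined in the Create Group wizard; kind is 'user' or 'device'."""

    name: str
    directory: Directory
    parent: IntuneGroup | None = None               # None = root (All Users / All Devices)
    kind: str = "user"
    security_groups: set[str] = field(default_factory=set)   # Filter members based on security group
    ous: set[str] = field(default_factory=set)               # Filter members based on organizational units
    specific_members: set[str] = field(default_factory=set)  # Add specific members
    excluded_members: set[str] = field(default_factory=set)  # Excluded members

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.kind = self.parent.kind   # a group holds users or devices, never both

    def members(self) -> set[str]:
        """Evaluate membership now; calling again after a directory change reflects it."""
        if self.parent is None:
            return self.directory.all_users() if self.kind == "user" else self.directory.all_computers()
        result: set[str] = set()
        for sg in self.security_groups:
            result |= self.directory.users_in_security_group(sg)
        for ou in self.ous:
            result |= self.directory.computers_in_ou(ou)
        result |= self.specific_members
        result -= self.excluded_members   # assumption: an explicit exclusion always wins
        # A member must already belong to the parent group to be in the child.
        return result & self.parent.members()


def build_demo() -> dict[str, IntuneGroup]:
    """Constructed directory plus the groups this guide uses as examples."""
    directory = Directory(
        security_groups={
            "X": {"userA"},
            "Y": {"X"},                        # X is a member of Y, so userA is in Y indirectly
            "Development": {"dev1", "dev2"},
            "IT": {"admin1"},
        },
        computer_ous={"HQ-PC1": "Headquarters", "HQ-PC2": "Headquarters", "BR-PC1": "Branch"},
    )
    all_users = IntuneGroup("All Users", directory, kind="user")
    all_devices = IntuneGroup("All Devices", directory, kind="device")
    return {
        "members_of_y": IntuneGroup("Members of Y", directory, parent=all_users,
                                    security_groups={"Y"}),
        "pilot": IntuneGroup("Mobile Security Users Pilot", directory, parent=all_users,
                             security_groups={"Development"}, specific_members={"admin1"}),
        "hq": IntuneGroup("Headquarters Computers", directory, parent=all_devices,
                          ous={"Headquarters"}, excluded_members={"HQ-PC2"}),
    }


if __name__ == "__main__":
    groups = build_demo()
    for g in groups.values():
        print(f"{g.name}: {sorted(g.members())}")
    # Dynamic query: adding a user to the Development security group changes the pilot group.
    groups["pilot"].directory.security_groups["Development"].add("dev3")
    print(f"after change: {sorted(groups['pilot'].members())}")
```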
Creating User Groups to Organize Users
Groups that have dynamic membership queries are useful when you need to target groups whose
membership may change frequently, and you do not want to manually update the group. If you
know that you need to add or exclude specific devices or users in a group, you can always do so,
so that they are always included or excluded as needed.
The following procedure provides an example of how to create a user group. For example, you
may need to create a policy to target a pilot group of users in a specific department, such as
Development, to test a mobile security policy before implementing the policy to other departments
throughout your production environment. A user group that specifies membership in an
associated Active Directory security group or security group that you have manually added to the
Windows Intune account portal lets you target users in the Development department. That way,
you can deploy the policy to those users. Because the group query is dynamic, whenever
membership in the security group that you specify as a criteria for your group membership
changes, so does the membership of your target group. Also, because mobile devices are
automatically linked to users after they are discovered and added to Windows Intune, the mobile
security policy that you deploy to the target user group will be applied to members’ mobile
devices.
Keep in mind that the following procedure is meant to provide one example of how to set up your
first user groups. You can customize this approach to meet your organization's needs.
To create a user group
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Groups icon. Note the default groups: All
Users, Unassigned Users, All Devices, and Unassigned Devices.
The All Devices group contains all computers and mobile devices that have been added
to Windows Intune. The Unassigned Devices group contains computers and mobile
devices that you have not yet assigned to a group.
3. On the Groups Overview page, under Tasks, click Create Group.
4. In the Group Name box, type Mobile Security Users Pilot, and then in the Description
box, type For users in the Development department, as shown in the following
screenshot.
5. Under Select a parent group, click All Users, so that the new group appears at the top
level of the user groups, and then click Next.
6. Click the Browse button to the right of the Filter members based on security group
box.
7. In the Select Security Group dialog box, select the security group that you want to
specify, click Add to add it to the Selected security groups box, and then click OK to
close the dialog box.
In this example, the Development security group is specified because this security group
includes the specific users to whom the mobile security policy can be applied.
8. To add specific members who are not members of the security group that you specified,
click the Browse button to the right of the Add specific members box, select the users
who you want to add to the group, click Add, and then click OK to close the dialog box.
In this example, you can add another specific member outside the Development
department, such as another administrator, who may need to evaluate the effectiveness
of the policy.
9. Review the list of users that appears under Add specific users, and if the list is correct,
click Next.
10. On the Summary page, review the details about the group, and if they are correct, click
Finish.
You can repeat these steps for all user groups that you want to create.
Managing Updates and Automatic Approval Rules
You can deploy Windows Intune policies, software updates, and licensed software packages to
the device groups that you created earlier (if you followed the steps in the “To create a device
group to organize computers” procedure). If you want to closely manage all the updates that are
deployed by Windows Intune, you can use the Updates workspace to approve or decline each
update one by one. However, to ensure that all critical and security updates are installed as
quickly as possible on your managed computers, you can set up automatic update approval rules
and deadlines for installation of approved updates.
The following procedure describes how to set up an automatic update approval rule that you can
use to help automate the process of approving updates.
To set up an automatic update approval rule and deployment date for computers
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, under Administration, click Updates.
4. Scroll down to the Automatic Approval Rules area, and then click New.
5. On the Name page, type a name for the rule, such as Default Approval Rule, and then
click Next.
6. On the Select Product Categories page, select the check boxes that correspond to the
categories you want, and then click Next to start the Create Automatic Approval Rule
wizard.
7. Select the classifications for which you want the updates approved automatically, and
then click Next.
We recommend that you select the Critical Updates, Definition Updates, and Security
Updates categories as shown in the following screenshot to help protect your managed
computers from new threats or vulnerabilities.
8. Select the device groups to which you want to apply this rule. To apply the rule to all
managed computers, select the All Devices group, and then click Add.
9. To set a deployment deadline for updates that fall within the categories and
classifications that you have specified for automatic approval, select the Enforce an
installation deadline for these updates check box, select an installation deadline from
the list, and then click Next.
10. On the Summary page, review the information about the automatic update approval rule
to ensure that it is correct, and if it is, click Finish to close the wizard.
11. On the Service Settings: Updates page, under Automatic Approval Rules, do one of
the following:
Click Run Selected to force this rule to evaluate all updates and to make them
available for the managed computers the next time they check in. After the evaluation
is completed, click Save.
Click Save to make the rule apply only to future updates as they are released.
If you selected the Critical Updates, Security Updates, and Definition Updates
classifications, as the managed computers check in to the service (by default, every 8 hours),
they are instructed to apply updates in these classifications as soon as the updates are
available.
For updates that you want to approve manually, you can use the Updates workspace to
review and approve them. There are two types of updates that can be managed in Windows
Intune: Microsoft updates and non-Microsoft updates.
Microsoft updates: These updates are automatically made available through the
Windows Intune service. For these updates you need to select the update and then
approve each one for deployment to the groups that you select. You can approve these
updates for individual computer groups or for higher-level groups, such as the All
Devices group, and then use inheritance to approve the updates for all lower-level
groups. To select multiple updates to approve at one time, press and hold the Ctrl or Shift
key while selecting the updates that you want to approve.
Non-Microsoft updates: To approve these updates, you first need to obtain the update
package — usually a Windows Installer (.msi) or Windows Installer patch (.msp) file, or
an .exe program file. After you have the update package for a non-Microsoft application,
you need to use the Upload task in the Update workspace to upload the file into
Windows Intune. The Upload task starts the Windows Intune Software Publisher wizard,
which guides you through the process of creating an update package that can then be
approved for deployment in the same way as Microsoft updates.
Note
The first time that you click the Upload task, Windows Intune automatically
downloads and installs the Windows Intune Software Publisher.
Windows Intune software publishing only supports updates that require no user
interaction during installation.
Setting Up Email Alert Notifications
Windows Intune tracks alerts for managed computers and for mobile devices that you can
monitor in the Alerts workspace. You can also configure Windows Intune to send email alert
notifications directly to specified email accounts.
To set up alert notifications
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, click Alerts and Notifications.
4. On the Alerts and Notifications overview page, click Select Recipients for Email
Notifications.
5. In the list of available recipients, select a recipient who can receive the email
notifications, and then click Add.
Note
Adding an email recipient does not grant the recipient administrative access to
the Windows Intune administrator console. To grant recipients administrative
access to the console, you need to also add the recipient as a service
administrator.
6. In the Add Email Recipient dialog box, type the name, email address and preferred
language for the recipient, and then click OK.
To add recipients, repeat steps 5 and 6 as needed.
7. In the navigation pane, click Notification Rules.
8. In the Notification rule list, click the rule that corresponds to the alerts that you want
recipients to be notified about, as shown in the following screenshot. You can select
email recipients for only one alert rule at a time.
Note
At a minimum, we recommend that you set up alert notifications for Remote
Assistance Requests. These alerts are generated by users who open a remote
assistance request from the Windows Intune Center on their client computers,
and therefore the requests are often time-critical.
9. Click Select Recipients, and then select the check boxes that correspond to the
recipients who should receive notification email messages when the alerts specified in
the notification rule are raised.
10. Click OK to close the Select Recipients dialog box.
You can also click Create New Rule on the Notification Rules page to run the Create
Notification Rule wizard and create rules that meet your organization's specific needs.
Next Steps
The next topic, Assess the Health of Your IT Environment and Assist End Users, helps you create
custom reports to assess the health of your managed computers and learn about the capabilities
of Windows Intune for making licensed software available to users. You will also learn how to
respond to a user request for remote assistance and remote control that user’s managed
computer to provide assistance.
See Also
Configure Your Windows Intune Environment
Assess the Health of Your IT Environment and Assist End Users
This topic will help you complete the following tasks:
Create a custom report to identify computers that have pending updates, export an Endpoint
Protection status report, and use filters to create a hardware report.
Learn about the new capabilities available in this release of Windows Intune for making
licensed software available to users.
Respond to a user request for remote assistance and remote control that user’s managed
computer to provide assistance.
Creating Custom Reports
The monitoring and reporting capabilities of Windows Intune can help you quickly identify and act
on critical issues. For example, you may want to know: how many computers have a particular
application or update installed? What Windows Intune policy settings are conflicting? What
malware was blocked? How many mobile devices are quarantined or blocked from accessing
Exchange Server? Windows Intune includes a set of report templates that you can use as is, or
you can create reports based on views within the workspaces in the Windows Intune
administrator console. All of these reports can be printed or exported as either an HTML or
comma-separated value (.csv) file (also known as comma-delimited file). This lets you export the
data from Windows Intune, and then import this information into Microsoft Excel or another
application to format and customize it as needed.
The following procedure describes how to create a report to help identify computers that have
pending updates to be installed. When an update is pending, it has been approved, but some of
the computers to which the update is targeted have not yet tried to install the update.
To create a report to identify computers that have pending updates
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Reports icon.
3. On the Reports Overview page, click Update Reports.
4. On the Create New Report page, under Select update classification, click All.
5. Under Select update status, select Pending.
6. Under Select MSRC rating, leave Not specified selected.
7. Under Select effective approval, leave All selected.
8. Under Select computer groups, leave All Devices selected.
9. To save this custom report for future use, click Save As or Save, and then type a name
for the report so that you can view it again later.
10. To view the new report, click View Report.
You can use this information to identify computers that have updates outstanding, and
then start the process of troubleshooting the updates.
Exporting an Endpoint Protection Status Report
The Windows Intune administrator console lets you quickly identify and investigate when malware
is first detected or was recently resolved on managed computers. In most situations, Windows
Intune Endpoint Protection generates Informational alerts that provide you with an up-to-date
view of malware that was detected and removed from managed computers. When additional
follow-up is required (for example, when malware is first detected or when recently resolved
malware needs follow-up), Windows Intune generates a Critical or Warning alert so that you can
contact the user and use Remote Assistance to troubleshoot the issue.
The following procedure describes how to create an Endpoint Protection status report to list the
alerts that indicate malware that has been detected or was recently resolved.
To export an Endpoint Protection status report
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Alerts icon.
3. In the navigation pane, under All Alerts, click Endpoint Protection.
The Alerts page displays a list of the malware-related alerts that were generated on all
managed computers, as shown in the following screenshot.
4. To export this list, click the Export list icon on the right side of the taskbar.
5. In the Export dialog box, in the Export format list, select the type of file to which you
want to export your report, and then click Export.
You can export your report to either of the following formats: Comma-separated values
(.csv) file format or webpage (.html) file format.
Note
Wherever the Print or Export icons appear in the Windows Intune administrator
console, you can print or export the data displayed in that view.
6. In the Save As dialog box, browse to or type a path and file name for the export file, and
then click Save.
This creates an exported report that you can then import into your preferred reporting or
data manipulation application.
7. After the report has been exported, click Close.
Using Filters to Create a Report
In the Windows Intune administrator console, you can use filters to narrow your search results,
investigate specific issues, and create reports. For example, you can use filters to display lists of
specific devices; updates; malware issues; users or devices with software installation failures and
policy setting conflicts or other errors; noncompliant mobile devices that are blocked or allowed
access to the corporate network; and active alerts that were generated within a specific time
frame, alerts of a specific severity level, or closed alerts. Some filters differ slightly in name and
definition, depending on the workspace and the tab that you are viewing.
You can use filters with a specific selection in the navigation pane, or with All Users or All
Devices selected. When you have a filter selected, your searches are constrained against that
filter until you make a new selection or clear the filter.
The following procedure describes how to create a hardware report with computer details.
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Groups icon.
3. In the navigation pane, click All Devices.
4. In the Filters list, under Hardware, click Computer details and user account.
Choosing this filter displays a list of the computers in your environment and provides
specific data about each computer, such as the Chassis Type, Manufacturer, Model,
Operating System, Total Disk Space, and other details. You can right-click any data
column heading and then customize which columns you want to appear in the view.
5. After you customize the view as needed, click Print List or Export List to either create a
printed report or export this view to a file.
Creating Software Inventory Reports
When you install the Windows Intune client software on your computers, the client builds a
detailed inventory of the software applications that are installed on each computer, and then
reports that data to the Windows Intune service. You can use either the Software workspace or
Detected Software Reports in the Reports workspace to view, print, or export this information.
One key report that you can create is a software inventory report, which is a computer-by-computer
list of all software installed on managed computers in your Windows Intune environment. The
following procedure describes how to create a software inventory report.
To create a software inventory report
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Reports icon.
3. In the navigation pane, click Detected Software Reports.
4. In the Create New Report page, leave all customization options at their default settings,
and then click View Report.
This generates a detailed software inventory report of all software that is installed on the
computers in your Windows Intune environment, and it identifies the publisher, the
category, and the number of installation instances.
Tip
You can sort the list by clicking the applicable column heading, and you can also
expand any software title in the list to show which computers it is installed on by
clicking the directional arrow next to the list item, and then clicking the directional
arrow next to Computers.
To export the full report, perform the following steps:
5. On the taskbar, click the Export icon.
6. In the Export format list, click .csv File, clear the Export summary data only check
box, and then click Export.
This exports a .csv file that contains a list of all software found on managed computers in
your environment, and the computers on which the software is installed. This report
includes any software recognized by the Windows Intune service, not just Microsoft
products. You can then import this information into Microsoft Excel or another application
to format and customize it as needed.
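Once the .csv is exported, a short script can answer the question this report is most often pulled for: what is installed on managed computers that the organization has not approved? The following PowerShell is an added example, not part of the Windows Intune guide or the product. The column names (Name, Publisher, Category, Computer) and the sample rows are constructed assumptions; compare them with the header line of your actual export before pointing the script at real data.

```powershell
# Added example, not from the Windows Intune guide. Triages an exported Detected
# Software report against a list of approved publishers.
# ASSUMPTION: the export has the columns Name, Publisher, Category, Computer.
# Check the first line of your real .csv and rename these if they differ.

# Constructed sample rows standing in for the exported .csv file.
$sampleCsv = @'
Name,Publisher,Category,Computer
Microsoft Office Professional Plus 2010,Microsoft Corporation,Productivity,PC-001
Microsoft Office Professional Plus 2010,Microsoft Corporation,Productivity,PC-002
Adobe Reader X,Adobe Systems Incorporated,Utilities,PC-001
Adobe Reader X,Adobe Systems Incorporated,Utilities,PC-002
uTorrent,BitTorrent Inc.,Internet,PC-002
Remote Admin Tool,Unknown,Other,PC-003
'@

# Publishers the organization has approved; anything else is flagged for review.
$approvedPublishers = @('Microsoft Corporation', 'Adobe Systems Incorporated')

function Get-UnapprovedSoftware {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Inventory,
        [Parameter(Mandatory=$true)] [string[]] $Approved
    )
    # Collapse the per-computer rows into one row per software title,
    # listing every computer the title was found on.
    $Inventory |
        Where-Object { $Approved -notcontains $_.Publisher } |
        Group-Object -Property Name, Publisher |
        ForEach-Object {
            $computers = $_.Group | ForEach-Object { $_.Computer } | Sort-Object -Unique
            New-Object PSObject -Property @{
                Name      = $_.Group[0].Name
                Publisher = $_.Group[0].Publisher
                Installs  = $_.Count
                Computers = ($computers -join ';')
            }
        } |
        Sort-Object -Property Installs -Descending |
        Select-Object Name, Publisher, Installs, Computers
}

# For a real export, replace the next line with: $inventory = Import-Csv .\DetectedSoftware.csv
$inventory = $sampleCsv | ConvertFrom-Csv

$findings = Get-UnapprovedSoftware -Inventory $inventory -Approved $approvedPublishers
$findings | Format-Table -AutoSize
# Uncomment to hand the list to the helpdesk or a ticketing system:
# $findings | Export-Csv -Path .\UnapprovedSoftware.csv -NoTypeInformation
```

With the sample rows, the script reports uTorrent (one install, PC-002) and Remote Admin Tool (one install, PC-003); the Microsoft and Adobe titles are filtered out as approved. The approved list is keyed on publisher rather than title because the export can contain many versions of one product, and a publisher allow-list is easier to keep current than a title allow-list.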
Working with Licensed Software
Windows Intune enables you to deploy and install licensed software applications to managed
computers or make these applications available to selected user groups. In addition, this release
of Windows Intune lets you upload licensed software and make it available to selected user
groups. After you do so, users to whom the software is targeted can sign in to the Windows Intune
company portal or the Windows Intune mobile company portal and view the licensed software
applications that you have made available for them. They can then select the software
applications that they want to download and install on their devices, and you can track software
adoption across your organization. For example, after you make a mobile device application
available for employees, you can monitor the number of users to whom the application is targeted
and the number of users who attempted to install the application, and view details about each of
those users.
The following screenshot shows several licensed software applications, including a licensed
internal line-of-business travel planning application. This application has been made available to
users with mobile devices that run iOS and Android operating systems.
For information about the process for deploying licensed software to managed computers or
selected user groups, and for making licensed software available to selected user groups, see
Software distribution in the Windows Intune online Help.
When you deploy software to device groups and user groups, it is important to understand that
software installation packages are typically larger than software updates; therefore you may need
to take steps to help minimize the impact of a deployment on the Internet connection for a site.
Windows Intune uses the peer distribution platform in Windows 7 (Professional, Enterprise,
Ultimate), which is one of the technologies that powers BranchCache. BranchCache Distributed
Cache mode is automatically enabled by the Windows Intune client. This can help optimize
Internet bandwidth for software updates and software application downloads. For more
information, see What's New in Windows Intune.
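The guide states that Distributed Cache mode is enabled automatically; before relying on it to protect a site's Internet link, a practitioner will still want to confirm the mode on a sample client. The following PowerShell is an added example, not from the Windows Intune guide or the product. It assumes that the Windows 7 netsh status output labels the mode as "Service Mode" with the value "Distributed Caching"; run the netsh command by hand on one machine first and adjust the pattern if your build prints it differently.

```powershell
# Added example, not from the Windows Intune guide. Confirms that a managed
# Windows 7 client is in BranchCache Distributed Caching mode. Run elevated.
# ASSUMPTION: 'netsh branchcache show status all' prints a line of the form
#   Service Mode = Distributed Caching
# Run the command once by hand and adjust the pattern if your output differs.

function Get-BranchCacheMode {
    # netsh writes plain text; capture stdout and stderr together as strings.
    $output = & netsh branchcache show status all 2>&1 | ForEach-Object { "$_" }
    foreach ($line in $output) {
        if ($line -match '^\s*Service Mode\s*=\s*(.+?)\s*$') {
            return $Matches[1]
        }
    }
    return 'Unknown'
}

$mode = Get-BranchCacheMode
switch ($mode) {
    'Distributed Caching' {
        Write-Host "OK: BranchCache Distributed Caching is on; Windows Intune downloads can be served from peers on this subnet."
    }
    'Disabled' {
        Write-Warning "BranchCache is disabled. Verify that the Windows Intune client installed correctly and that the BranchCache service (PeerDistSvc) is not blocked by policy."
    }
    default {
        Write-Warning "Unexpected BranchCache mode '$mode'. Review the full output of 'netsh branchcache show status all'."
    }
}

# Peers locate each other with WS-Discovery (UDP 3702) and fetch content over
# HTTP (TCP 80); 'show status all' also lists whether those firewall rules are enabled.
```

Distributed Cache mode only saves bandwidth when the clients on a subnet can reach each other, so if the mode reads correctly but downloads still hit the Internet link for every computer, check the firewall rules listed in the same netsh output rather than the Windows Intune client.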
Working with Remote Assistance
Remote tasks in Windows Intune let you run a quick scan or full scan, update malware definitions,
restart computers, refresh policy, and refresh inventory on managed computers. Remote
Assistance lets you view and control a managed computer remotely so that you can support your
users from virtually anywhere. The remote assistance process starts when a user sends a
request for remote assistance. To do so, the user double-clicks the Windows Intune Center icon
in the notification area on the taskbar of the managed computer to open the Windows Intune
Center, and then clicks Request remote assistance from your system administrator. The
Remote Assistance request is then sent to the Windows Intune service.
Important
We recommend that you set up email alert notifications for Remote Assistance requests
to ensure that email notifications are sent to you or other administrators automatically.
This will help minimize the wait time for a user in need of assistance. For step-by-step
instructions for setting up email alert notifications, see the “Set up Email Alert
Notifications” section in the second topic in this guide, Add Computers, Users, and Mobile
Devices to Windows Intune.
The following procedure describes how to respond to a Remote Assistance request:
To respond to a Remote Assistance request
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Alerts icon.
3. In the navigation pane, click Remote Assistance.
Note
By default, remote assistance alerts are set at the Critical alert level.
4. In the Alerts view, click the request in the list.
5. Under Recommended Actions near the bottom on the page, click Approve request
and launch Remote Assistance.
6. In the A New Remote Assistance Request is Pending window, click Accept the
remote assistance request.
7. Do one of the following:
If this is the first time that you have responded to a remote assistance request, click
Accept Terms and Install Client to install the Remote Assistance via Microsoft Easy
Assist software.
Otherwise click Join the Session.
8. In the Join Session dialog box, type a name in the Display Name box, such as
Helpdesk or Administrator, and then click Join.
The session window opens and you must wait until the user joins the session from the
managed computer. This process can take a few minutes, depending on the network
bandwidth available. After the session is established, the user sees the Remote
Assistance via Microsoft Easy Assist control windows.
The user must click OK to enable you to see his or her desktop.
9. You then receive a confirmation message that the user has joined the session. In the
message, click OK to see the user’s desktop in a window on your computer.
10. To share control of the user’s desktop, on the toolbar of the session window, click
Request Control. The user then receives a confirmation message that you are
requesting shared control as shown in the following figure. After the user clicks Yes in the
confirmation message, you can control the managed computer.
In addition to the option to share control of the managed computer during the remote
assistance session, you also can chat with the user, and transfer files to and from the user’s
computer. These options are all accessible by using the main session controls. At the end of
the support session, we recommend that you return to the Windows Intune administrator
console and close the original remote assistance alert. This makes it easier to identify new
requests that are received.
Next Steps
This guide has helped you get started with several key tasks, so that you can configure your
Windows Intune environment and use Windows Intune to manage your computers and users, and
to provide support for mobile devices. For more information about using Windows Intune, we
recommend that you visit the Windows Intune Online Help and the Windows Intune Zone on
TechNet.
See Also
Configure Your Windows Intune Environment
Add Computers, Users, and Mobile Devices to Windows Intune