Windows Intune getting started guide

Contents

Windows Intune June 2012 Release Getting Started Guide

Configure Your Windows Intune Environment
    Signing up for Windows Intune
        Already Subscribing to Windows Intune?
        New to Windows Intune?
        Already using Active Directory Domain Services and Exchange Server?
    Features and Benefits of Windows Intune
    Client Software and Hardware Requirements
    Supported Browsers for Administrators and Users
    New and Enhanced Web-Based Tools for Administrators
        Getting Started with the Windows Intune Account Portal
        Getting Started with the Windows Intune Administrator Console
    Web-Based Portals to Provide Self-Service Capabilities for Users
        Getting Started with the Windows Intune Company Portal
        Getting Started with the Windows Intune Mobile Company Portal
    Administrator Roles
    Partners with Delegating Administration
        Partners managing customers on the Windows Intune October 2011 release
        Delegated Administration Partners for the Windows Intune June 2012 release
    Setting up Policies in the Windows Intune Administrator Console
    Next Steps
    See Also

Add Computers, Users, and Mobile Devices to Windows Intune
    Planning for Endpoint Protection and Managed Computer Bandwidth Usage
    Adding Computers to Windows Intune
        Adding Windows Intune to Deployment Images
    Adding Users and Security Groups to Windows Intune
    Mobile Device Support
    User-to-Device Linking
    Enhancements to Groups
        Planning Considerations for Creating Groups
        Creating Device Groups to Organize Computers
        Creating User Groups to Organize Users
    Managing Updates and Automatic Approval Rules
    Setting Up Email Alert Notifications
    Next Steps
    See Also

Assess the Health of Your IT Environment and Assist End Users
    Creating Custom Reports
        Exporting an Endpoint Protection Status Report
        Using Filters to Create a Report
        Creating Software Inventory Reports
    Working with Licensed Software
    Working with Remote Assistance
    Next Steps
    See Also
Windows Intune June 2012 Release
Getting Started Guide

Windows Intune is an integrated, cloud-based client management solution that provides tools, reports, and upgrade licenses to the latest version of Windows. Windows Intune helps keep your computers up-to-date and secure, and lets your users more securely access and install targeted licensed software applications and perform other common tasks, from virtually anywhere.

This guide describes key concepts that can help you start learning how to get the most out of Windows Intune. It includes step-by-step instructions to help you set up a new Windows Intune environment and selected tasks to complete so that you can explore the range of features in Windows Intune. It is designed to complement the following other resources:

• Windows Intune Product Guide: This product guide provides detailed information about Windows Intune. If you are not familiar with Windows Intune, you may want to review this guide first.
• What's New in Windows Intune: This overview will help you learn about what has changed in this release of Windows Intune. You can review this guide for an introduction to the new features in this release of Windows Intune.
• Windows Intune Online Help: The online Help provides step-by-step procedures, comprehensive guidance, best practices, and checklists. Topics address planning and implementing your Windows Intune deployment; distributing licensed software; using Windows Intune to help secure your computers, mobile devices, and data; working with Windows Intune reports; and monitoring, alerting, and troubleshooting Windows Intune. We recommend that you review the online Help for additional guidance, after you have reviewed this guide.

To illustrate the guidelines and recommendations in this guide, sample screenshots taken from demonstration environments will help show you how to customize your Windows Intune environment to meet your business needs.

This guide consists of the following topics:

Configure Your Windows Intune Environment

This topic will help you to:

• Sign up for a Windows Intune subscription.
• Learn about the key features and benefits of Windows Intune, and how you can make the most of this release.
• Understand the operating system requirements for mobile devices and client computers, and browser requirements for the Windows Intune administrator console and Windows Intune company portal.
• Learn about new web-based administrative tools and enhancements, including support for your connected mobile devices, such as mobile phones and tablet devices.
• Understand administrator roles for Windows Intune and how to add and delegate administrators.
• Set up policies with recommended or custom settings to deploy to managed computers or users' mobile devices.

Add Computers, Users, and Mobile Devices to Windows Intune

This topic will help you to:

• Add computers to Windows Intune by installing the Windows Intune client software on computers that you want to manage.
• Manually add users and security groups to the Windows Intune account portal, or activate synchronized users and add them to the Windows Intune user group in the Windows Intune account portal.
• Learn how mobile devices are added to Windows Intune.
• Understand user-to-device linking and link a user to a computer.
• Learn about enhancements to groups in Windows Intune, which let you create user and device groups that have dynamic membership queries; create device groups to organize computers; and create user groups so that you can deploy mobile security policies to that group for members' mobile devices.
• Set up automatic update approval rules to help ensure that important updates are rapidly deployed and set an installation deadline for automatic update approvals.
• Configure alert notifications to help ensure that you or other administrators receive email notifications about the latest alerts.

Assess the Health of Your IT Environment and Assist End Users

This topic will help you to:

• Create a custom report to identify computers that have pending updates, export an Endpoint Protection status report, and use filters to create a hardware report.
• Learn about the capabilities available in Windows Intune for making licensed software available to users.
• Respond to a user request for remote assistance and remote control that user's managed computer to provide assistance.

For more information, we recommend that you visit the Windows Intune Zone on TechNet.

Configure Your Windows Intune Environment

This topic will help you complete the following tasks:

• Sign up for a Windows Intune subscription.
• Learn about the key features and benefits of Windows Intune, and how you can make the most of this release.
• Understand the operating system requirements for mobile devices and client computers, and browser requirements for the Windows Intune administrator console and Windows Intune company portal.
• Learn about new web-based administrative tools and enhancements, including support for your connected mobile devices, such as mobile phones and tablet devices.
• Understand administrator roles for Windows Intune and how to add and delegate administrators.
• Set up policies with recommended or custom settings.

Signing up for Windows Intune

When you sign up for Windows Intune, you do not need to use or create a Windows Live ID to sign in to the service. Windows Intune is now integrated with Windows Azure Active Directory, the same directory service that is used by Microsoft Office 365. This change enables new features and provides you with a more flexible way to control access to your Windows Intune account.

If you already have a Microsoft Online Service such as Microsoft Office 365 and you sign up for Windows Intune, we recommend that you use the user ID for your existing Microsoft Online Service. This allows the users to be shared across all your Microsoft Online Services.

If Windows Intune is the first Microsoft Online Service for your organization, when you sign up for Windows Intune, you create a user name and a new domain name that together become the user ID for your global administrator account. You use this user ID, with the password that you also create, every time that you sign in to Windows Intune.

Use the following procedure to sign up for the free Windows Intune trial. The trial can be used on up to 25 devices.

To sign up for the Windows Intune trial

1. Go to the Windows Intune Try and Buy page, http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy.aspx, and then click the trial sign-up link.
   Important: If you are using Microsoft Office 365, on the Sign up page, click the Sign in link and sign in with the same user ID that you are using for Office 365. If you are not using Microsoft Office 365, proceed to Step 2.
2. Select the country or region where your organization will use Windows Intune, and then select the language that you want to use for business communications.
3. Type your first and last names and your organization name. Your first and last name will be displayed on the Windows Intune account portal after you sign in.
4. Type the complete mailing address of your organization. Note that the email address that you provide is where you will receive password reset information if you forget your password and request a reset. Service, billing, and promotional information that you choose to receive will also be sent to this email address.
5. Type a descriptive name for your new domain so that it is in the following format: contoso.onmicrosoft.com. Click Check availability to ensure that the domain name is available.
6. Type a user name, and then type a password. Retype the password to confirm it.
7. Type the numbers and letters that you see in the picture box. The characters are not case-sensitive. This step confirms that a person—not an automated program—is signing up for an account.
8. Review the service agreement, and if you agree, click I accept and continue to complete the sign-up process. After you sign up, you are automatically signed in to the Windows Intune account portal as an administrator.
9. An email message that contains your account information is sent to the email address that you provided during the sign-up process, to confirm that the account is active. Keep this email message to refer to if you forget your user ID or the website address where you sign in to Windows Intune. You can click the link that is included in that email or go to the Windows Intune administrator console at https://admin.manage.microsoft.com or the Windows Intune account portal at https://account.manage.microsoft.com and sign in.

Already Subscribing to Windows Intune?

If you are already a Windows Intune subscriber, after your account is migrated to the new release, you are prompted to create a new account. You have a few weeks to create this new account. However, we recommend that you create it as soon as possible so that you can take advantage of the new Windows Intune features.

Important: To try the new Windows Intune features before your existing Windows Intune account is migrated to the new release, you can sign up for a new trial account for this release of Windows Intune. If you do this, it is important that you do not try to link a new trial account for this release of Windows Intune to the Microsoft Online domain that you want to use in your production environment. Instead, you need to create a temporary domain for the trial. By doing this, you can then use your preferred Microsoft Online domain when your production account is migrated to the new release.

New to Windows Intune?

If you are new to Windows Intune, you will be prompted to create a new account when you sign up for a new Windows Intune trial. If you already have a Microsoft Online domain, we recommend that you use the same domain name for your Windows Intune account. If you do not have an existing Microsoft Online domain, you can specify a new domain name that is unique to your organization, for example:

mycompanyname.onmicrosoft.com

where "mycompanyname" is the domain name that is unique to your organization.
Already using Active Directory Domain Services and Exchange Server?

Windows Intune now uses the same authentication mechanism as Office 365, so that you can integrate Windows Intune with your existing Active Directory Domain Services (AD DS) environment. As mentioned, if you are new to Windows Intune, when you sign up for a new Windows Intune account, you need to create a user ID. After you create a user ID, you can link that user ID with your organization's AD DS environment. This will enable you to synchronize existing users and security groups in AD DS with Windows Intune so that they appear in the Windows Intune account portal.

Important: If you have an on-premises deployment of Exchange Server 2010 Service Pack 1 or later, Windows Intune can also provide support for your users' connected Exchange ActiveSync-enabled mobile devices.

Features and Benefits of Windows Intune

In this release, Windows Intune enhances the functionality of its management solution and improves existing features. The core cloud services that Windows Intune provides have been updated to provide greater functionality and performance. If you integrate Windows Intune with AD DS, user accounts and security groups will automatically appear in the Windows Intune account portal through directory synchronization. This makes it easier for you to add users to manage with Windows Intune. Finally, if you integrate Windows Intune with AD DS and on-premises Exchange Server 2010, you can provide support for mobile devices in your organization.

Important: To ensure that your AD DS and Exchange Server infrastructure is properly prepared for Windows Intune, we strongly recommend that you review the Help topics mentioned in the following list, so that you understand the additional configuration steps that may be required.

Following are the capabilities provided by the Windows Intune core, AD DS synchronized, and mobile device-enabled scenarios:

• Core cloud services: Provides enhancements to alerts, policy, updates, remote tasks, and user-centric management. The new user-centric management capabilities provided by Windows Intune include the ability to make licensed software applications available for users to download to their computers, deploy policies to users, and let users add computers that need to be managed by Windows Intune and remove computers that no longer need to be managed by Windows Intune. These capabilities require no new network or server infrastructure, and minimal computer hardware.
• AD DS synchronized: Enables user accounts and security groups to automatically appear in the Windows Intune account portal through directory synchronization. You can then activate users and include them as members of the Windows Intune user group, so that you can manage them with Windows Intune. These capabilities require AD DS synchronization. For information about how to set up AD DS synchronization, see Active Directory Synchronization: Roadmap.
    Note: If Active Directory Federation Services (AD FS) 2.0 is deployed in your environment, users can sign in to Windows Intune by using their existing on-premises Active Directory credentials, instead of their user ID for Microsoft Online Services. For information about AD FS 2.0, see Prepare for Single Sign-On.
• Mobile device-enabled: Windows Intune uses Microsoft Exchange ActiveSync (EAS) to integrate users' mobile devices with your business infrastructure, and to enforce your organization's mobile device access policies. With Windows Intune, you can:
    • Automatically discover mobile devices that access corporate data through Microsoft Exchange Server.
    • Define mobile device access rules to govern which mobile devices can access Exchange Server.
    • Deploy policies to users to help secure the corporate data that is stored on their mobile devices.
    • Let users access and install licensed internal line-of-business software applications that you make available to their mobile devices.
    • Retire mobile devices from Windows Intune and Exchange Server, or let users perform this task.
    • Wipe data from mobile devices that are lost or stolen, or let users perform this task.
    These capabilities require an environment with AD DS synchronization and on-premises Exchange Server 2010 Service Pack 1 or later with Exchange ActiveSync enabled. For information, see Connecting Windows Intune to your Exchange Server in the Windows Intune online Help.

Client Software and Hardware Requirements

To be managed by Windows Intune, computers must have the Windows Intune client software installed, an Internet connection, and a supported operating system. The Windows Intune client software can be installed on x86-based and x64-based versions of the supported editions of Windows Vista and Windows 7, and on x86-based versions of Windows XP with Service Pack 3. You can install the Windows Intune client software on computers that are running any of the following Windows operating systems:

• Windows XP Professional, Service Pack (SP) 3
• Windows Vista Enterprise, Ultimate, or Business editions
• Windows 7 Enterprise, Ultimate, or Professional editions
For Windows 7 or Windows Vista-based computers, the Windows Intune client software has no additional hardware requirements. However, to install the client software on Windows XP-based computers, you should ensure that the computer has a CPU clock speed of 500 megahertz (MHz) or faster and a minimum of 256 megabytes (MB) of RAM.

You must be a member of the local Administrators group on the computer on which you want to install the Windows Intune client software.

Windows Intune provides support for Windows Phone 7, iPhones, iPads, and Android devices. Windows Intune does not require client software to be installed on mobile devices. The following table lists supported operating systems and the Windows Intune features that are available for computers and mobile devices running specific operating systems.

Note: You can apply mobile security policies and mobile device access rules to any device that connects to Exchange Server through Exchange ActiveSync. The full range of management tasks that can be performed depends on the capabilities of the connected mobile device.

Supported Browsers for Administrators and Users

As an administrator of the Windows Intune service, you should also ensure that the browser that you use when you sign in to the Windows Intune administrator console has Silverlight 4.0, or later, installed.

The Windows Intune company portal is supported on the following web browsers:

• Windows Internet Explorer 7 and later
• Google Chrome version 15 and later
• Mozilla Firefox 5.0 and later

The Windows Intune company portal may run on other web browsers, but with limited feature support. We recommend that, where possible, users connect to the Windows Intune company portal by using a supported web browser.

New and Enhanced Web-Based Tools for Administrators

In this release of Windows Intune, new and enhanced web-based administrative tools are available to help you manage your Windows Intune account, users, and client computers, and to support connected mobile devices. The following table describes the new features and enhancements that are available.
Name: Windows Intune account portal
Description and capabilities: This portal lets you manage your Windows Intune subscription and specify the users who can access Windows Intune. From the Windows Intune account portal, you can sign up for Windows Intune, review guidance and download tools to set up single sign-on or Active Directory synchronization, manually add user accounts and security groups (if AD DS is not deployed in your environment), activate synced users (if AD DS is deployed in your environment), set up and manage service settings, check service status, access online Help, and purchase subscription licenses. You can also access the Windows Intune administrator console and the Windows Intune company portal. Users can access the Windows Intune account portal to change their password.
URL - https://account.manage.microsoft.com
Note: Prior to the April 2012 pre-release of Windows Intune, the Microsoft Online Services Customer Portal was used for account management (https://mocp.microsoftonline.com).

Name: Windows Intune administrator console
Description and capabilities: This console has been enhanced. This console lets you configure management and security settings for managed computers and users, configure and monitor alerts, deploy licensed software to computers, make licensed software available for users to install on their computers and mobile devices, view hardware and software inventory, run license reports*, add service administrators, and download the Windows Intune Exchange Connector and Windows Intune client software.
*Disclaimer: This feature is provided for convenience only and accuracy is not guaranteed. You should not rely on it to confirm your compliance with your license agreements. We do not utilize data gathered from the software license management feature to investigate potential violations of or compliance with our licensing agreements.
URL - https://admin.manage.microsoft.com

Getting Started with the Windows Intune Account Portal

When you sign in to the Windows Intune account portal, the Admin Overview page appears. On this page, the links under Admin shortcuts provide you with quick access to common administrative tasks. Use these links to reset user passwords, add new users and assign them to the Windows Intune user group, and open a new service request. You can perform additional administrative tasks in other areas of the Overview page as follows:
• Header: The links in the Windows Intune header at the top of the Overview page provide you with quick access to the Windows Intune administrator console and the Windows Intune company portal.
• Navigation pane: You can use this pane, on the leftmost side of the portal, to perform the following tasks:
    • Setup: Click Overview to learn how to integrate AD DS (single sign-on or Active Directory synchronization) with your Windows Intune environment.
    • Management: Click the links to perform the following tasks:
        • Users: Add or remove users, change user details and settings, activate synced users, and reset user passwords.
        • Security Groups: Add, edit, or remove security groups.
        • Domains: Add or remove domains.
        • Subscriptions: Purchase and manage Windows Intune subscriptions, buy additional licenses and add-ons, update credit card information, and view bills.
    • Support: Click Overview to access links to online Help and community resources or to manage delegated administrators. To open a service request for a technical issue, click Service Requests. To view the status of the Windows Intune service, including planned maintenance, go to the Service Health page.
• Resources and Community pane: You can use this pane, on the rightmost side of the portal, to quickly access the following resources:
    • Windows Intune online Help: To access the online Help, under Resources, click Search online Help.
    • Windows Intune Zone: To access the Windows Intune Zone, under Community, click Springboard.
    • Windows Intune Forums

The following screenshot shows the Admin Overview page of the Windows Intune account portal.
Getting Started with the Windows Intune Administrator Console

The first time that you sign in to the Windows Intune administrator console, the Getting Started pane on the System Overview page appears. In the Getting Started pane, brief instructions and links help you download and deploy the Windows Intune client software on computers that you want to manage. If AD DS and on-premises Exchange Server 2010 SP1 are deployed in your environment, you can download the Windows Intune Exchange Connector and take additional steps to use Windows Intune to make licensed, internal line-of-business software applications available for users to install on mobile devices, deploy policies to users for their mobile devices, or wipe and remove those devices.

The following screenshot shows the Getting Started pane in the Windows Intune administrator console.

On the System Overview page, there are three main panes:

• Workspace shortcuts pane: This pane, on the leftmost side of the console, includes icons for each Windows Intune workspace. Clicking an icon in this pane opens the corresponding navigation pane and Overview page, where you can view status summaries and perform management tasks that are relevant to that workspace.
• Navigation pane: This pane, to the right side of the workspace shortcuts pane, provides access to the Overview page and additional items for each workspace. The navigation pane provides a view of the hierarchy for each workspace. Clicking Overview in the navigation pane opens the Overview page for a workspace. Clicking another item displays more detailed information. Depending on the item that you click, the information displayed might be a list of relevant items, such as a list of all updates or a list of all malicious software, or a Properties page that is relevant to the item.
• Overview page: This page is available for all workspaces. It appears on the right side of the navigation pane, displays status summaries, and includes a Tasks area and a Search box. The Tasks area provides commands that let you perform management tasks for a workspace. The Search box lets you search across a global list that is relevant to the workspace. For example, you can search a list of all updates by entering the relevant KB number. For most workspaces, a Learn About area includes links to topics that provide information about the workspace and how to perform key management tasks.

The following screenshot shows the System Overview page.

When you first open the Windows Intune administrator console, no computers or mobile devices are shown in the console, because you have not yet added computers to the Windows Intune service, or added users and linked them to devices (computers). Take a few minutes to explore the workspaces and other areas of the Windows Intune administrator console. For example, if you click the Groups icon in the navigation pane, and then click All Users, notice that the All Users view comprises two default user groups: All Users and Unassigned Users. In the All Users group, notice that your tenant administrator account appears. Likewise, when you click All Devices, notice that the All Devices view comprises two default groups: All Devices and Unassigned Devices.

Before you add computers, additional user accounts, and mobile devices to the Windows Intune administrator console, we recommend that you explore the Windows Intune company portal and the Windows Intune mobile company portal, and then add or delegate administrators and set policies in the Windows Intune administrator console.
Web-Based Portals to Provide Self-Service Capabilities for Users

Two web-based portals let your users perform common tasks without the need to involve your organization’s IT help desk. Tasks that users can perform include installing licensed software that you make available on their computers and mobile devices, adding computers that need to be managed by Windows Intune, removing computers that no longer need to be managed by Windows Intune, wiping data from compromised mobile devices, and adding or removing mobile devices. For users who do need to contact their IT help desk, you can provide customized IT contact information that is suitable for your organization.

Because Windows Intune supports common tasks for both computers and mobile devices, Windows Intune includes two portals to provide an optimized user experience for each type of device. The following table describes the tools that Windows Intune provides for users to accomplish these tasks:

Name: Windows Intune company portal
Description and Capabilities: This web-based portal is optimized for computers. Authorized users can access this portal, sign in to Windows Intune, browse applications that you make available, install applications on their computers, and contact their IT help desk. They can also add computers that need to be managed by Windows Intune, add mobile devices, remove computers that no longer need to be managed by Windows Intune, and wipe data from mobile devices or remove mobile devices from Windows Intune and Exchange Server.
URL - https://portal.manage.microsoft.com

Name: Windows Intune mobile company portal
Description and Capabilities: This web-based portal is optimized for mobile devices. Authorized users can access this portal, sign in to Windows Intune, browse the licensed internal line-of-business software applications that you make available, install those applications on their mobile devices, and contact their IT help desk.
URL - https://m.manage.microsoft.com

Getting Started with the Windows Intune Company Portal

After you add users to Windows Intune, you can make applications available for your users to install on their computers and let users perform other common tasks without the need to call their IT help desk. By visiting the Windows Intune company portal, users can view the applications that are available to install, and then install those applications. The Windows Intune company portal is available from any location with Internet access. This portal helps reduce support costs by providing a way for users to add their own computers so that the computers can be managed by Windows Intune and to remove computers that are no longer to be managed by Windows Intune.
If your Windows Intune environment is configured to support mobile devices, users can also add mobile devices to connect to Windows Intune, wipe data from lost or stolen mobile devices, and remove mobile devices from Windows Intune and Exchange Server. You can customize the Windows Intune company portal to display your company name, contact information for your IT help desk, and color preferences. For more information, see Customizing the Windows Intune company portal in the Windows Intune online Help.

We recommend that you explore the Windows Intune company portal to familiarize yourself with the experience and features that it can provide for your users.

To sign in to the Windows Intune company portal, users must sign in with their user ID for Windows Intune, or, if you have AD FS 2.0 single sign-on deployed in your environment, they can sign in with their existing credentials. If you do not have AD FS 2.0 single sign-on deployed, you need to create a new user ID for each user account that you add to Windows Intune. As part of this process, a temporary password is generated that you can give to new users, along with each user’s user ID, so that they can sign in to the Windows Intune company portal. For information about how to add a user to Windows Intune, see “To add users to the Windows Intune account portal” later in this guide.

When users sign in to the Windows Intune company portal, they can view the following areas:

• Apps: Users can click this tile to access the Applications list, where they can browse or search for licensed software applications that you make available for them to install on their computers. Users can sort and browse the list of available applications alphabetically (for more than 20 applications) by publisher or date published, or they can search for an application by title. After users choose an application that they want to install, they can view details about the application and then select the computers on which to install the application. Messages inform users when their computers do not meet the requirements for an application, if an application is already installed on their computers, and when an installation is pending or has failed. When an installation has failed, users can retry the installation.
    Note
    To view and install applications that you make available for users to install on their mobile devices, users must access the Windows Intune mobile company portal by using their mobile device.

• All My Devices: Users can click this tile to view the list of computers that are managed by Windows Intune. They can add computers to be managed by Windows Intune, rename managed computers, remove computers that are no longer to be managed by Windows Intune, and view the list of installed software on their computers.

• Contact IT: Users can click this tile to view the contact information that you specify for your company’s IT help desk. Options include your company name, system administrator name, phone, and email address, and additional information. You can also specify a website URL and name that users can visit to access online technical support.

Note
The Windows Intune online Help provides information that you or other administrators in your company can provide to users, to help them get started with using the Windows Intune company portal. For more information, see Using the Windows Intune company portal in the Windows Intune online Help.

The following screenshot shows the Windows Intune company portal.

Getting Started with the Windows Intune Mobile Company Portal

When your environment is configured to support mobile devices, you can make internal licensed line-of-business software applications available for your users to install on supported mobile devices. Users can view the applications that are available for them to install on their mobile devices and then install those applications by visiting the Windows Intune mobile company portal, at https://m.manage.microsoft.com. Users can also contact their IT help desk. In addition to Windows Phone 7, the mobile company portal supports devices that run the iOS and Android operating systems.

We recommend that you explore the mobile company portal to familiarize yourself with the experience and features that it can provide for your users.

To sign in to the Windows Intune mobile company portal, users must sign in with their user ID for Windows Intune, or, if you have AD FS 2.0 single sign-on deployed in your environment, they can sign in with their existing credentials.

When users sign in to the Windows Intune mobile company portal, they can view the following areas:
• Get Apps: Users can click this tile to access the Get Apps section, where they can view the list of licensed internal line-of-business software applications that you make available for them to install on their mobile devices. After users choose an application that they want to install, they can view details about the application and then install it. Messages inform users when their mobile device does not meet the requirements for an application or if the application requires additional settings to be configured on their mobile device.

• Contact IT: Users can click this tile to access the Contact IT section, where they can do the following:
    • Call their IT help desk
    • Send an email to their IT help desk
    • Access their internal IT website

Administrator Roles

The following administrator roles provide you and other administrators with access to the Windows Intune administrator console.

• Windows Intune tenant administrator: These administrators have full administrative rights to the Windows Intune administrator console. They can perform all operations in the console, including adding or deleting Windows Intune service administrators. In addition, they can assign other tenant administrators by using the Windows Intune account portal. Note that tenant administrators must be assigned in the Windows Intune account portal; you cannot use the Windows Intune administrator console to assign a tenant administrator.
    Note
    By default, when you subscribe to Windows Intune, you become a global administrator for Microsoft Online Services and a tenant administrator for the Windows Intune administrator console. As a global administrator for Microsoft Online Services, you have the same privileges across all Microsoft Online Services for your organization, and you can add other tenant administrators for the Windows Intune administrator console.

• Windows Intune service administrator: There are two levels of console access: full access and read-only.
    • Full access: These service administrators have full administrative rights to the Windows Intune administrator console, and therefore they can perform all operations in the console, including adding or deleting other service administrators.
    • Read-only access: These service administrators have read-only rights, and therefore they cannot modify data in the console; they can only view data in the console and run reports.
    You can assign service administrators by using the Windows Intune administrator console. These administrators must have a user ID and password, and they must be a member of the Windows Intune user group. If an individual does not have a user ID, a tenant administrator must create one for him or her by using the Windows Intune account portal and then ensure that the individual is a member of the Windows Intune user group.
    Note
    The Windows Intune service administrator is not the same as the service administrator that is displayed in the Windows Intune account portal. The service administrator for Microsoft Online Services that is displayed in the Windows Intune account portal manages service requests and monitors service health.

• Delegated administrators: These administrator roles are new for Windows Intune in this release. These administrators are partners who you have authorized to administer your Windows Intune account. You assign these administrators by using the Windows Intune account portal. There are two types of delegated administrators:
    • Delegated Administrator Partner (DAP): These delegated administrators are tenant administrators for Windows Intune, and therefore they have full administrative access to the Windows Intune administrator console.
        Important
        If you are using another Microsoft Online Service, be aware that Delegated Administrator Partners are granted full access to all Microsoft Online Services for your organization, not just to Windows Intune.
    • Delegated Helpdesk Partner (DHP): These delegated administrators are read-only administrators for Windows Intune, and therefore they cannot modify data in the Windows Intune administrator console; they can only view data in the console and run reports.
        Note
        If you are using another Microsoft Online Service, be aware that Delegated Helpdesk Partners are granted access to all Microsoft Online Services for your organization, not just to Windows Intune.

For information about how to add a Windows Intune service administrator, see Adding and Managing Administrators in the Windows Intune online Help.

Use the following procedure to add a Windows Intune tenant administrator.

To add Windows Intune tenant administrators
1. Open the Windows Intune account portal.
2. In the header, click Admin.
3. In the left pane, under Management, click Users.
4. On the Users page, select the check box next to the names of the users that you want to assign tenant administrator permissions to, and then click Edit.
5. Click Settings.
6. On the Settings page, under Assign role, select Yes, select Global administrator, and then click Next.
7. Under Set sign-in status, confirm that Allowed is selected, and then click Save.
Partners with Delegating Administration

As mentioned, if you are a Microsoft Online Services global administrator and you want someone else to administer your Windows Intune account, you can delegate this role to a Microsoft partner with Delegated Administration privileges.

This process must be initiated by your Microsoft partner. The partner sends you an email asking you if you want to give them permissions to act as a delegated administrator.

To add a delegated administrator
1. Read the partner’s terms in the email.
2. To authorize the agreement, click the link to go to an authorization page in the Windows Intune account portal. You may be asked to sign in to your Windows Intune account to complete this verification.

To manage a delegated administrator
1. Sign in to the Windows Intune account portal.
2. Under Support, click Overview.
3. Click Delegated administrators.

Partners managing customers on the Windows Intune October 2011 release

If you are a partner that manages customers who use the Windows Intune release prior to June 2012, you can continue to use the same sign-in and URL for your customers. When you sign in to the Windows Intune administrator console, you will see only the accounts of customers who are using the pre-June 2012 release. When these customers are upgraded to the June 2012 release, you must manage their accounts by using the process that is described in the next section.

Delegated Administration Partners for the Windows Intune June 2012 release

If you are a partner and you want to manage customers who are using the Windows Intune June 2012 release, you will need to do the following.

To become a Delegated Administration Partner for Windows Intune June 2012 release customers
1. Get your Windows Intune June 2012 release Internal Use Rights benefits from the Microsoft Partner Network.
2. In order to offer Delegated Administration to your customers, you must be a Delegated Administration Partner.
3. Sign in to your Windows Intune June 2012 release subscription, and navigate to the Partner area. You will find the ability to offer Trial and Paid subscriptions to customers.
4. When you sign in to the Windows Intune administrator console with your user ID, you will see only the accounts of customers who are using the June 2012 release.
5. When you sign in to the Windows Intune account portal, you will be able to manage the subscriptions for your June 2012 release customers.

Setting up Policies in the Windows Intune Administrator Console

Windows Intune policies provide settings that control mobile device security, software updates, Windows Intune Endpoint Protection, Windows Firewall settings, and the end-user experience in the Windows Intune Center, which is installed on all computers that are managed by Windows Intune. The Windows Intune Center lets users request remote assistance, start Endpoint Protection, and check for updates for their computers. Computer policies work no matter which domain your computers or users are joined to, or even if they are not joined to a domain. Mobile policies work on any mobile devices that are connected to your Exchange environment through Exchange ActiveSync.

Policy templates also now include the option to deploy policies with recommended settings, so that you can easily create and deploy policies that implement best practices.

When you plan how to deploy policies to computers in your environment, keep in mind that you can use policies to modify the default client behavior during the client enrollment process. For this reason, before you add computers to Windows Intune, we recommend that you create a Windows Intune Agent Settings policy for all computers to establish a baseline.
Important
Another consideration to keep in mind when you are planning to deploy policies to computers is that Windows Intune policy management is not connected to Group Policy. Although the two policy management systems serve the same purpose, their scopes of management vary, and they operate independently. If you are using Windows Intune in an environment that also includes Group Policy, note that domain-level Group Policy typically takes precedence over Windows Intune policy, unless a domain-joined managed computer cannot connect to the domain controller. If connectivity to the domain controller is unavailable, Windows Intune policy is applied to the managed computer. To avoid policy conflicts that can occur from having competing policy management systems, we recommend that when you deploy the Windows Intune client software to computers, you ensure that the computers that are managed by Windows Intune policy are not also receiving direction from Group Policy for the same configuration settings. For more information, see Planning Around Group Policy in the Windows Intune online Help.
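The note above leaves the administrator to find out which settings a domain's Group Policy already controls before a Windows Intune Agent Settings or Windows Firewall Settings policy is deployed to the same computers. The following PowerShell script is an added example, not part of the guide or of Windows Intune itself, that runs on a candidate computer and reports the overlap. It relies on the fact that Group Policy stores applied settings under HKLM\SOFTWARE\Policies: a Windows Firewall value under the WindowsFirewall policy key, or a WSUS server or automatic-update setting under the WindowsUpdate policy key, means that Group Policy is managing that setting and, as the note says, will normally take precedence while the domain controller is reachable. The function and variable names are the example's own.

```powershell
# Added example, not part of the Windows Intune guide: report whether this computer
# is domain-joined and whether Group Policy already controls the Windows Firewall or
# Windows Update settings that a Windows Intune policy would also set.
# Group Policy stores these settings under HKLM\SOFTWARE\Policies; a value present
# there means the setting is GPO-managed and takes precedence over Windows Intune
# policy while the domain controller is reachable. Run in an elevated prompt.

function Get-PolicyRegistryValue {
    # Return a named value from a policy key, or $null if the key or value is absent.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($prop -eq $null) { return $null }
    return $prop.Value
}

function Get-GroupPolicyOverlapReport {
    # Returns one line of text per finding; the first line always states domain membership.
    $findings = @()

    # 1. Domain membership decides whether domain Group Policy can compete at all.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings += "Domain-joined ($($cs.Domain)): domain Group Policy normally wins over Windows Intune policy."
    } else {
        $findings += "Not domain-joined: Windows Intune policy applies without a domain Group Policy conflict."
    }

    # 2. Windows Firewall: Group Policy keeps one key per profile; EnableFirewall is the on/off setting.
    $fwRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = Join-Path -Path $fwRoot -ChildPath $fwProfile
        $enabled = Get-PolicyRegistryValue -Key $key -Name 'EnableFirewall'
        if ($enabled -ne $null) {
            $findings += "Group Policy sets Windows Firewall for $fwProfile (EnableFirewall=$enabled); a Windows Intune Windows Firewall Settings policy would conflict."
        }
    }

    # 3. Windows Update: a WSUS server and the automatic-update behaviour are both set by Group Policy here.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path -Path $wuKey -ChildPath 'AU'
    $wsus = Get-PolicyRegistryValue -Key $wuKey -Name 'WUServer'
    if ($wsus -ne $null) {
        $findings += "Group Policy points Windows Update at a WSUS server ($wsus); Windows Intune update management would compete with it."
    }
    foreach ($name in 'NoAutoUpdate', 'AUOptions') {
        $value = Get-PolicyRegistryValue -Key $auKey -Name $name
        if ($value -ne $null) {
            $findings += "Group Policy sets Windows Update $name=$value; the Windows Intune Agent Settings update schedule would conflict."
        }
    }

    return $findings
}

Get-GroupPolicyOverlapReport | ForEach-Object { Write-Output $_ }
```

A computer that reports only the first line is a clean target for the Windows Intune Agent Settings and Windows Firewall Settings policies; any other line names a setting that should be removed from the GPO scope (or left to Group Policy and omitted from the Windows Intune policy) before the client software is deployed, so that the two systems never disagree about the same setting.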
The following procedure describes how to set up a Windows Intune Agent Settings policy for computers.

To set up a Windows Intune Agent Settings policy for computers
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Policy icon.
3. Under Tasks, click Create New Policy.
4. In the Create a New Policy dialog box, the following policy templates are displayed in the list of templates in the left pane:
    • Mobile Security Policy
    • Windows Firewall Settings
    • Windows Intune Agent Settings
    • Windows Intune Center Settings
    Note
    For detailed information about specific policy settings, see Policy Settings Reference in the Windows Intune online Help.
5. Select the Windows Intune Agent Settings template. The agent settings control the Endpoint Protection and software update settings for the corresponding agents that will be installed on the managed computers when you add them to Windows Intune, user-to-device linking, and network bandwidth utilization.
6. In the right pane, under Windows Intune Agent Settings, do one of the following:
    • Click Create and Deploy a Policy with the Recommended Settings. To view the settings before you create the policy, click View the recommended settings that will be used as the default for this policy.
    • Click Create and Deploy a Custom Policy, and then click Create Policy. After you click Create Policy, you can review and configure the available policy settings. Windows Intune Agent settings include:
        • Scan Schedule: Specify whether to schedule a daily quick scan or full scan, and whether to run a full scan after Windows Intune Endpoint Protection is installed, to obtain a baseline of the client’s health.
        • Update and application detection frequency: Specify how often the Windows Intune agent checks for new updates and licensed software applications.
        • User-Device Linking: Specify whether to let users link their accounts to computers or mobile devices that are not linked to any other user accounts.
    Click the information icon next to each setting to learn about each setting and to view the recommended value, where appropriate.
7. After you configure the settings that you want to apply in your default policy, type a name and an optional description for the policy, and then click Save Policy.
8. When prompted to specify whether you want to deploy the policy now, click Yes.
9. In the Select the groups to which you want to deploy this policy dialog box, select the device groups to which you want to deploy this policy. Windows Intune Agent settings can only be deployed to computers, so only device groups (which contain computers) are available for selection. Because you have not yet added computers to be managed by Windows Intune and created device groups, click All Devices, and then click Add. As you add computers to be managed by Windows Intune and create computer groups, you can edit this policy and deploy it to different groups as needed.
10. Repeat these steps as needed for the Windows Intune Center Settings and Windows Firewall Settings policy templates.
    You can use the Windows Intune Center Settings policy to configure the contact information that appears in the Windows Intune Center on managed computers. You can set details such as email addresses or telephone numbers for users to contact if they need support.
    You can use the Windows Firewall Settings policy to control the local Windows Firewall on managed computers and to create exceptions to open specific firewall ports that enable or disable features such as File and Print services or remote administration.

If your environment meets the requirements for mobile device support as described earlier in this topic, you can use the following procedure to set up a Mobile Security Policy for mobile devices in your organization. This policy template includes settings that let you define whether a password is required for mobile devices that synchronize with Exchange Server, the password length and type, and whether encryption is required on mobile devices (if it is supported; not all mobile devices support encryption).

To set up a mobile security policy
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Policy icon.
3. Under Tasks, click Create New Policy.
4. In the Create a New Policy dialog box, select the Mobile Security Policy template.
5. In the right pane, under Mobile Security Policy, do one of the following:
    • Click Create and Deploy a Policy with the Recommended Settings. To view the settings before you create the policy, click View the recommended settings that will be used as the default for this policy.
    • Click Create and Deploy a Custom Policy, and then click Create Policy. After you click Create Policy, you can review and configure the available policy settings. For example, Mobile Security Policy settings include:
        • Enforcement: Specify whether to allow mobile devices that do not comply with some or all settings in the policy to synchronize with Exchange Server.
        • Password: Specify password length, complexity, and whether a device is wiped after a certain number of password attempts fail.
        • Email download: Specify whether to let users download email attachments to their mobile device.
    Click the information icon next to each setting to learn about each setting and to view the recommended value, where appropriate, as shown in the following screenshot.
6. After you configure the settings that you want to apply in your policy, type a name and an optional description for the policy, and then click Save Policy.
7. When prompted to specify whether you want to deploy the policy now, click Yes, and then select the user groups that you want to deploy this policy to (this policy can only be deployed to user groups, not to device groups). For example, click All Users, and then click Add to deploy this policy to all users that you are managing.

As you create and deploy more specialized policies to other device groups and user groups in your organization, be aware that all policies are applied to the computers and users in those groups; however, the policy that is applied at the lowest level in the Windows Intune group hierarchy takes precedence if another Windows Intune policy setting conflicts with it.

Next Steps

The next topic, Add Computers, Users, and Mobile Devices to Windows Intune, helps you add computers and users to Windows Intune and understand how mobile devices are added to Windows Intune, link users to computers, organize devices and users into groups, manage updates, and set up alert notifications.

See Also

Assess the Health of Your IT Environment and Assist End Users
Add Computers, Users, and Mobile Devices to Windows Intune

This topic will help you complete the following tasks:

• Add computers to Windows Intune by installing the Windows Intune client software on computers that you want to manage.
• Manually add users and security groups to the Windows Intune account portal, or activate synchronized users and add them to the Windows Intune user group in the Windows Intune account portal.
• Learn how mobile devices are added to Windows Intune.
• Understand user-to-device linking and link a user to a computer.
• Learn about enhancements to groups in Windows Intune, which let you create user and device groups that have dynamic membership queries; create device groups to organize computers; and create user groups so that you can deploy mobile security policies to that group for members’ mobile devices.
• Set up automatic update approval rules to help ensure that important updates are rapidly deployed and set an installation deadline for automatic update approvals.
• Configure alert notifications to help ensure that you or other administrators receive email notifications about the latest alerts.

Planning for Endpoint Protection and Managed Computer Bandwidth Usage

Before you add computers to the Windows Intune service, consider your needs for endpoint protection. Determine whether you want to use Windows Intune Endpoint Protection instead of an existing endpoint protection application, or to continue to use an existing endpoint protection application. For information about how to implement either approach so that your managed computers are not left in an unsecured state, see Replacing Your Existing Malware Protection and Continuing to Use Your Existing Malware Protection in the Windows Intune online Help.

Also keep in mind that Windows Intune-managed computers use network bandwidth for Windows Intune-related operations. Before you install the Windows Intune client software on computers that you want to manage, you should consider the existing amount of network usage and the amount that will be added by the requests made by Windows Intune-managed computers. For information about the variables that impact bandwidth planning for Windows Intune and for comprehensive deployment planning guidance, see Planning for Client Deployment and Enrollment in the Windows Intune online Help.
Adding Computers to Windows Intune

Before you can manage a computer by using Windows Intune, you must download and install the Windows Intune client software package on the computer; this can be a physical computer or a virtual machine.

Warning
The Windows Intune package contains unique account identifiers. If unauthorized or malicious users gain access to the software package, they can add computers to the account that is represented by its embedded certificate. To avoid unauthorized access, we recommend the following best practices:
• After you download the package, store it in a secure location.
• When you deploy the client software, put the package on a shared, secure location that provides read-only access to required users only. Set the location as inaccessible to the Everyone group.
• Protect the network that contains both the shared location and the destination client by using IPsec or a similar security technology.

To download the client software installation package
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, click Client Software Download.
4. Ensure that the targeted computer meets the minimum software and hardware requirements that are described earlier in this guide, in Configure Your Windows Intune Environment.
5. Click Download Client Software. The client software is contained in a compressed (zipped) folder that can be opened or saved. When you are prompted to choose what you want to do with Windows_Intune_Setup.zip, click Save, and then save the zipped folder to a secure location.
    Important
    Do not rename or move the extracted WindowsIntune.accountcert (ACCOUNTCERT) file, or the client software installation fails.
6. After the download is complete, click Open Folder and then follow the steps in the next procedure.

Repeat the following procedure on every computer that you want to add to the Windows Intune service.
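The warning above asks for the package to be kept where only required users can read it and the Everyone group has no access, and the installation steps that follow require Windows_Intune_Setup.exe and WindowsIntune.accountcert to stay together unrenamed. The PowerShell script below is an added example, not code from the guide or from Windows Intune, that applies and then checks those two requirements on the folder where the package is extracted. The folder path D:\Secure\IntuneClient and the group CONTOSO\IntuneDeployers are placeholders to replace with your own; the function names are the example's own.

```powershell
# Added example, not part of the Windows Intune guide: lock down the folder that
# holds the extracted client package (Windows_Intune_Setup.exe together with
# WindowsIntune.accountcert) as the warning recommends, then verify the result.
# Only one deployment group keeps read-and-execute access; Everyone and other
# broad groups get nothing. Placeholders: the folder path and the group name.

$PackageFolder = 'D:\Secure\IntuneClient'      # placeholder: where the package was extracted
$DeployGroup   = 'CONTOSO\IntuneDeployers'     # placeholder: the only group allowed to read it

function Protect-IntunePackageFolder {
    param([string]$Path, [string]$Group)

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard inherited entries, so grants such as
    # BUILTIN\Users read access on the drive root do not carry over to the package.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit entry for Everyone that may already exist on the folder.
    foreach ($rule in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # Administrators keep full control so the package can be replaced after a new download.
    $adminRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')
    # The deployment group can read and run Setup but cannot modify or swap the files.
    $readRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Group, 'ReadAndExecute', $inherit, $propagate, 'Allow')

    $acl.AddAccessRule($adminRule)
    $acl.AddAccessRule($readRule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-IntunePackageFolder {
    # Returns one line per problem found; no output means the folder passes both checks.
    param([string]$Path)
    $problems = @()
    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

    # Check 1: no broad group may hold any right on the folder.
    $acl = Get-Acl -Path $Path
    foreach ($entry in $acl.Access) {
        if ($broadGroups -contains $entry.IdentityReference.Value) {
            $problems += "Broad group still has access: $($entry.IdentityReference.Value) ($($entry.FileSystemRights))"
        }
    }

    # Check 2: Setup needs the ACCOUNTCERT file beside it, under its original name.
    foreach ($file in 'Windows_Intune_Setup.exe', 'WindowsIntune.accountcert') {
        if (-not (Test-Path -Path (Join-Path -Path $Path -ChildPath $file))) {
            $problems += "Missing file: $file (keep both files together and do not rename them)"
        }
    }
    return $problems
}

Protect-IntunePackageFolder -Path $PackageFolder -Group $DeployGroup
$result = @(Test-IntunePackageFolder -Path $PackageFolder)
if ($result.Count -eq 0) {
    Write-Output "Package folder $PackageFolder passes the checks."
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it in an elevated prompt after step 3 of the installation procedure (extracting the files) and again whenever a fresh package is downloaded. When the folder is exposed as a network share, the share permissions still need the same restriction, since NTFS and share permissions combine to the more restrictive of the two; the script only covers the NTFS side.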
To install the client software on a computer
1. Open the folder where you saved the installation package.
2. Double-click the Windows_Intune_Setup.zip folder, and then click Extract all files.
3. In the Select a Destination and Extract Files dialog box, browse to a secure location to which the Windows Intune setup files will be extracted, and then click Extract. When the extraction is complete, a new window opens showing the files in the specified destination folder, similar to the following screenshot. You can copy the files to a network share or a thumb drive, or deploy the files by using an electronic software deployment (ESD) system. However, it is important to keep both files together, because the ACCOUNTCERT file is required by the setup application when it is run.
    Important
    Do not rename or separate the extracted ACCOUNTCERT file from the setup application, or the client software installation fails.
4. If you want to use a standard installation process, ensure that you are logged on to the targeted computer with an account that is a member of the local Administrators group, double-click the Windows_Intune_Setup.exe file, and then follow the instructions in the Setup Wizard to complete the installation.
5. After the installation is complete, restart the computer. A restart is needed to complete the installation of the protection and update agents, and to download any required endpoint protection definitions or other agent updates. The managed computer should appear in the Windows Intune administrator console within a few minutes, but it can take up to 30 minutes for all the agents to be completely installed and to report all inventory and status updates.

Adding Windows Intune to Deployment Images

For a standard installation process to complete successfully, a live Internet connection is required. In some situations, this might not be possible at the time of installation; for example, if you install the agent into a deployment image that will be used to create a number of computer deployments. In this case, you can use a command-line argument to schedule a task that will attempt to add the computer at a later time.
For information about how to complete this type of installation, see Installing the Client Software as Part of an Image in the Windows Intune online Help.

Adding Users and Security Groups to Windows Intune

With this release of Windows Intune, you can now add and manage users, so that you can target available licensed software and deploy policies to user groups. You can also let users access the Windows Intune company portal to perform common tasks without involving their IT help desk. The Windows Intune company portal enables users to add their own computers to Windows Intune, so that the computers can be managed by Windows Intune, and to remove computers that no longer need to be managed by Windows Intune. Users can also install licensed software applications that you make available.

If you add security groups to Windows Intune in the Windows Intune account portal, when you create a user group in the Windows Intune administrator console that has dynamic membership queries, you can specify security group membership as one of the query criteria for that user group.

For users and security groups to appear in the Windows Intune administrator console, you must sign in to the Windows Intune account portal and do one of the following:

• Manually add users or security groups, or both, to the account portal.
• Use Active Directory synchronization to populate the account portal with synchronized users and security groups. After the synchronized users and security groups are added to the account portal, you must activate the synced users and assign them membership in the Windows Intune user group to manage them in the Windows Intune administrator console. You do not need to activate the synced security groups. The Windows Intune user group is not a security group, but a group that enables you to identify users who are to be managed by Windows Intune. After you add users to the Windows Intune user group in the Windows Intune account portal, they appear in the list of users in the Windows Intune administrator console and are available to be managed.

Use the following procedure to manually add users to the Windows Intune account portal.

To manually add users to the Windows Intune account portal
1. Open the Windows Intune account portal.
2. In the header, click Admin.
3. In the left pane, under Management, click Users.
4. On the Users page, click New, and then click User.
5. On the Details page, complete the user information. Click the arrow next to Additional details to add optional user information such as job title or department, and then click Next.
6. On the Settings page, if you want the user to have an administrator role, select Yes, and select an administrator role from the list.
7. Under Set user location, select the user or users’ work location, and then click Next.
8. On the Group page, under Windows Intune user group, ensure that the name of the user is selected.
9. On the Send results in email page, select Send email to send a user name and temporary password (Windows Intune creates the password automatically) for the newly created user to yourself and the recipients of your choice by email. Enter email addresses separated by semicolons (;), and then click Create. You can enter a maximum of five email addresses.
10. On the Results page, the new user name and a temporary password are displayed. After you review the results, click Finish.

Note
You can import multiple user accounts into Windows Intune from a single file source. The file must be a comma-separated values (CSV) file and adhere to the required format. For more information, see Add Multiple Users with Bulk Import in the Windows Intune online Help.

Use the following procedure to manually add security groups to the Windows Intune account portal.

To manually add security groups to the Windows Intune account portal
1. Open the Windows Intune account portal.
2. In the header, click Admin.
3. In the left pane, under Management, click Security Groups.
4. On the Security Groups page, click New.
5. On the Details page, type a display name and description for the group, and then click Save.
6. On the Select members page, from the List type list, select which type of members you want to add to the new security group: Users or Groups (other security groups). The available members for the selected list type are displayed under Available members.
7. Select the check box next to each member that you want to add, and then click Add. The added members are displayed in the Selected members list.
8. To remove a member from the Selected members list, select the check box next to the member that you want to remove, and then click Remove.
9. After the list of members is complete, click Save and Close.

Use the following procedure to activate synced users (users who have been added to the Windows Intune account portal through Active Directory synchronization), and to add them to the Windows Intune user group.

To activate synced users and add them to the Windows Intune user group
1. Open the Windows Intune account portal.
2. In the header, click Admin.
3. In the left pane, under Management, click Users.
4. On the Users page, select the check box next to the user or users that you want to activate, and then click Activate synced users.
    Note
    To access all of the synchronized users, you can create a customized view of those users in the View list. To do this, select the check box next to Synchronized users only on the New view page when you create the view. After creating the view, return to this step of the procedure, select the new view from the View list, and then select the top check box in the user list to select all users in that view. Note that all synchronized users have a sync icon next to their display name.
5. Under Set user location, select the user or users’ work location, and then click Next.
6. Under Windows Intune user group, select the Windows Intune user name, and then click Next.
7. On the Send results in email page, select Send email to send a user name and temporary password for the activated user or users to yourself and/or recipients of your choice by email. Enter email addresses separated by semicolons (;), and then click Activate.
8. On the Results page, the new user or users and a corresponding temporary password are displayed. After you review the results, click Finish.

After you activate synced users and assign them membership in the Windows Intune user group, you can manage them in the Windows Intune administrator console.

Mobile Device Support

Windows Intune provides the following capabilities for mobile device support:

• A unified experience across all devices through:
    • Automatic discovery of mobile devices that access Exchange Server
    • User-centric views for device inventory
    • A single console (the Windows Intune administrator console) to manage computers and mobile devices
• The ability to help secure corporate data on mobile devices through:
    • Targeting Exchange ActiveSync policies to user groups.
Policies include settings that let you set requirements for password length and encryption (if it is supported by the mobile device).  Setting device access rules by device family or model  Retiring and/or wiping lost, stolen, or otherwise compromised mobile devices. The ability to make licensed internal line-of-business applications available for your users through:  Hosting and targeting licensed internal line-of-business applications to user groups 29
  •  Self-service capabilities for your users, which enable them to download internal line-of- business applications to their mobile devicesPrerequisites for supporting mobile devices with Windows Intune are as follows: An on-premises component to orchestrate communication between Exchange Server 2010 Service Pack 1 and later, and Windows Intune A computer that has access to the Exchange environment. The computer must meet the following requirements:  The computer must run Windows Server 2008 Service Pack 2 (64-bit) or Windows Server 2008 R2.  .NET Framework 4.0 and PowerShell 2.0 must be installed on the computer.  The computer must be joined to the Exchange Server domain.  The computer must have Internet access.When your environment is configured to support mobile devices, Windows Intune automaticallydiscovers all the mobile devices that belong to the users who have been added to WindowsIntune. The mobile devices appear in the Windows Intune administrator console in the AllDevices group, or on the Devices tab in the user properties page for the users to whom thedevices are linked.User-to-Device LinkingUser-to-device linking provides you with a management bridge between users and their devices.After you link users to their devices, you can deploy licensed software applications to users (thatare then applied to their linked computers). You can also deploy policies that are applied to users’computers and mobile devices, and make specific licensed software applications available forusers to install. Users can sign in to the Windows Intune company portal or Windows Intunemobile company portal, review the applications that you have made available, and they can thenchoose whether to install any of the applications.There are two ways to link users to devices: automatically and manually. Mobile devices areautomatically linked to users during the discovery process. 
Computers are automatically linked tousers when users add their computers to Windows Intune by using the Windows Intune companyportal.You can use the following procedure to manually link a user to a computer. Manually link a user to a computer 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Groups icon. 3. In the navigation pane, click All Devices. 4. In the Search devices box, type the partial or full name of the computer to which you want to link a user. The name of the computer, if located, appears in the list. 5. With the name of the computer selected, click Link User. 30
  • 6. In the Link User dialog box, a list of available users is displayed. If the list is long, you can type the name of the user to whom you want to link the computer in the Search users box. If the computer is already linked to a user, the name and UPN of the user appear under Current User. If the computer is orphaned (not linked to any user), No User appears under Current User. 7. After you locate the user, click the name of the user. Every time that you select a new user name from the list, the New user section above the list is updated to display the selected user. When you clear the search criteria or run a search, none of the users in the list is selected and you will need to select a new user from the list. 8. In the Link User dialog box, the name of the user whom you selected is displayed under New user. Confirm that the specified user is the correct user, and then click OK.You can also modify a user-to-device link in the Windows Intune administrator console for acomputer. Doing this is useful when you want to link a computer that is currently linked to oneuser to a different user. You can also remove a user-to-device link for a computer so that it is notlinked to any users. Note You cannot create or modify user-to-device links for mobile devices.Enhancements to GroupsEnhancements to groups in Windows Intune provide you with increased power and flexibility formanaging groups. Following are enhancements to groups: Groups can now include users or devices (mobile devices and computers), but not both. In previous releases of Windows Intune, groups included computers, not users or mobile devices. Groups can have dynamic membership queries or rules, static membership, or mixed membership. When you create a dynamic membership query, you define the criteria that determines the query that Windows Intune runs to retrieve the list of group members. The group is automatically updated with members that meet the criteria whenever changes occur. 
You can also create groups that have static membership lists. These are groups that you manually define by explicitly adding members. In previous releases of Windows Intune, groups only included explicitly defined static membership lists. They did not have dynamic membership queries or rules, or mixed membership. Note Active Directory Domain Services (AD DS) is not required to create user groups or device groups that include users or computers, but for device groups to include mobile devices, your environment must be configured as described earlier in this guide to support mobile devices, and the mobile devices must be discovered and added to the Windows Intune 31
  • inventory. If your environment is not configured to support mobile devices, they will not appear in the Windows Intune inventory and be available to add to device groups. If AD DS is not configured in your environment, you can manually add users and security groups in the Windows Intune account portal, as described earlier in this topic.Planning Considerations for Creating GroupsIt is important to plan carefully before you organize computers, mobile devices, and users intogroups in Windows Intune. Following are key considerations to keep in mind when you plan forcreating user or device groups in Windows Intune: A group can have direct members (static membership), dynamic query-based members, or both. You cannot change a group’s parent. The membership of a parent group defines the possible membership of the child group. Members must belong to a parent group in order for them to be added to a child group. This enhancement from previous releases of Windows Intune simplifies the process of identifying group membership and identifying areas of possible conflicting policy settings. Group membership is recursive. That is, when you specify criteria for a user or device group based on a dynamic membership query (such as membership in a specific Active Directory security group or a specific manager in Active Directory), all direct and indirect users will be members of that group. For example: If user A is a member of security group X in Active Directory And security group X is a member of security group Y in Active Directory If you create a group based on a membership query in Windows Intune that includes all members of security group Y, user A will be a member of the group. One member can belong to multiple groups.Creating Device Groups to Organize ComputersYou can create device groups to target the deployment of policies, updates, and licensedsoftware applications to managed computers.The following procedure describes how to create a device group. 
Keep in mind that the followingprocedure is meant to provide one example of how to set up your first device groups. You cancustomize this approach to meet your organizations needs. For example, you might want tocreate such a group to organize all computers in your organization’s corporate headquarters site,and then create additional groups for your additional sites, based on geographical location. Or,you might organize computer groups by the operating systems that computers run or by businessfunction. To create a device group to organize computers 1. Open the Windows Intune administrator console. 32
  • 2. In the workspace shortcuts pane, click the Groups icon. Note the default groups: All Users, Unassigned Users, All Devices, and Unassigned Devices. The All Devices group contains all computers, and if applicable, all mobile devices, that have been added to Windows Intune. The Unassigned Devices group contains computers, and if applicable, mobile devices, that you have not yet assigned to a group. If you have not configured your Windows Intune environment to support mobile devices, these groups will not contain mobile devices, and you cannot add mobile devices to them.3. On the Groups Overview page, under Tasks, click Create Group.4. In the Group Name box, type Headquarters Computers, and then in the Description box, type All computers in corporate Headquarters site.5. Under Select a parent group, click All Devices, so that the new group appears at the top level of the device groups, and then click Next.6. Under Select device type, select Computer.7. Click the Browse button to the right of the filter members based on organizational units box.8. In the Select Organizational Units dialog box, select the OU that you want to add to the group (for example, the Headquarters OU), click Add to add it to the Selected organizational units box, and then click OK to close the dialog box.9. Click the Browse button to the right of the Add specific members box.10. In the Add Remove Members dialog box, select the computers that you want to add to the group, click Add to add them to the Selected specific members box, and then click OK to close the dialog box.11. Review the list of computers that appears under Add specific members, and if the list is correct, click Next.12. To exclude members from the group, click the Browse button to the right of the Excluded members box, select the computers that you want to exclude from the group, click Add, and then click OK to close the dialog box.13. 
Review the list of computers that appears under Excluded members, and if the list is correct, click Next.14. On the Summary page, review the details about the group, and if they are correct, click Finish.You can repeat these steps for all device groups that you want to create. The followingscreenshot shows three examples of grouping strategies that you can use. 33
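The following Python model is an added illustration, not Windows Intune code and not part of this guide: it applies the group rules from the Enhancements to Groups and Planning Considerations sections (a child group bounded by its parent, users or devices but never both, static plus dynamic membership with exclusions, and the recursive security-group query where user A in X and X in Y makes A a member of a group built on Y) to the Headquarters Computers device group created above. All user, computer, OU and security-group names in it are constructed sample data.

```python
"""Illustrative model of the Windows Intune group rules described in this guide.

Added example code, not part of Windows Intune or of this guide. It models:
- a group holds users or devices, never both, and a child group's members
  must already belong to its parent group
- membership can be dynamic (security group or OU filter), static
  (Add specific members), or both; Excluded members are always removed
- security-group filters are recursive, so nested group members count
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed directory data standing in for AD DS and the Intune inventory."""
    users: set
    devices: dict            # computer name -> organizational unit (OU)
    security_groups: dict    # security group -> set of user names and/or nested groups


def resolve_security_group(name, directory, _seen=None):
    """Return every user that is a direct or indirect member of a security group."""
    seen = _seen if _seen is not None else set()
    if name in seen:                  # already expanded: guards against X-in-Y-in-X cycles
        return set()
    seen.add(name)
    users = set()
    for member in directory.security_groups.get(name, ()):
        if member in directory.security_groups:        # nested security group: recurse
            users |= resolve_security_group(member, directory, seen)
        else:
            users.add(member)
    return users


@dataclass
class Group:
    name: str
    kind: str                                   # "user" or "device", never both
    parent: "Group | None" = None               # None only for All Users / All Devices
    security_groups: set = field(default_factory=set)   # dynamic user query
    org_units: set = field(default_factory=set)         # dynamic device query
    specific_members: set = field(default_factory=set)  # static additions
    excluded_members: set = field(default_factory=set)  # always removed

    def __post_init__(self):
        if self.kind not in ("user", "device"):
            raise ValueError("group kind must be 'user' or 'device'")
        if self.parent is not None and self.parent.kind != self.kind:
            raise ValueError("a child group must have the same kind as its parent")

    def members(self, directory):
        """Evaluate the group: (dynamic | static) bounded by the parent, minus exclusions."""
        if self.parent is None:                 # root groups contain everything of their kind
            return set(directory.users if self.kind == "user" else directory.devices)
        pool = self.parent.members(directory)   # the parent bounds the child
        dynamic = set()
        for sg in self.security_groups:
            dynamic |= resolve_security_group(sg, directory)
        for ou in self.org_units:
            dynamic |= {d for d, d_ou in directory.devices.items() if d_ou == ou}
        return ((dynamic | self.specific_members) & pool) - self.excluded_members

    def add_specific_members(self, directory, *names):
        """Static additions are only allowed for members of the parent group."""
        if self.parent is None:
            raise ValueError("the root groups cannot be edited")
        outside = set(names) - self.parent.members(directory)
        if outside:
            raise ValueError(f"not in parent group {self.parent.name}: {sorted(outside)}")
        self.specific_members |= set(names)


# Constructed sample data (not real users, computers or groups).
SAMPLE = Directory(
    users={"alice", "bob", "carol", "dave", "erin"},
    devices={"HQ-PC-01": "Headquarters", "HQ-PC-02": "Headquarters",
             "BR-PC-01": "Branch", "LAB-PC-01": "Lab"},
    security_groups={
        "X": {"alice", "Y"},      # user A (alice) is in X; X also refers back to Y (a cycle)
        "Y": {"X", "carol"},      # X is a member of Y, as in the guide's example
        "Development": {"bob", "dave"},
    },
)
ALL_USERS = Group("All Users", "user")
ALL_DEVICES = Group("All Devices", "device")


def build_example_groups(directory=SAMPLE):
    """Return {group name: sorted members} for the groups this guide walks through."""
    hq = Group("Headquarters Computers", "device", parent=ALL_DEVICES,
               org_units={"Headquarters"}, excluded_members={"HQ-PC-02"})
    hq.add_specific_members(directory, "LAB-PC-01")   # static member outside the OU filter
    pilot = Group("Mobile Security Users Pilot", "user", parent=ALL_USERS,
                  security_groups={"Development"})
    pilot.add_specific_members(directory, "erin")      # e.g. an administrator evaluating the policy
    nested = Group("Members of Y", "user", parent=ALL_USERS, security_groups={"Y"})
    return {g.name: sorted(g.members(directory)) for g in (hq, pilot, nested)}
```

Calling build_example_groups() shows HQ-PC-02 removed by the exclusion, LAB-PC-01 added statically, and alice reaching the Y-based group only through her membership in X.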
  • By default, groups are sorted alpha-numerically. After you create the device groups that you need, you can deploy licensed software applications, updates, and policies to these groups.Creating User Groups to Organize UsersGroups that have dynamic membership queries are useful when you need to target groups whosemembership may change frequently, and you do not want to manually update the group. If youknow that you need to add or exclude specific devices or users in a group, you can always do so,so that they are always included or excluded as needed.The following procedure provides an example of how to create a user group. For example, youmay need to create a policy to target a pilot group of users in a specific department, such asDevelopment, to test a mobile security policy before implementing the policy to other departmentsthroughout your production environment. A user group that specifies membership in anassociated Active Directory security group or security group that you have manually added to theWindows Intune account portal lets you target users in the Development department. That way,you can deploy the policy to those users. Because the group query is dynamic, whenevermembership in the security group that you specify as a criteria for your group membershipchanges, so does the membership of your target group. Also, because mobile devices areautomatically linked to users after they are discovered and added to Windows Intune, the mobilesecurity policy that you deploy to the target user group will be applied to members’ mobiledevices. 34
  • Keep in mind that the following procedure is meant to provide one example of how to set up yourfirst user groups. You can customize this approach to meet your organizations needs. To create a user group 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Groups icon. Note the default groups: All Users, Unassigned Users, All Devices, and Unassigned Devices. The All Devices group contains all computers and mobile devices that have been added to Windows Intune. The Unassigned Devices group contains computers and mobile devices that you have not yet assigned to a group. 3. On the Groups Overview page, under Tasks, click Create Group. 4. In the Group Name box, type Mobile Security Users Pilot, and then in the Description 35
  • box, type For users in the Development department, as shown in the following screenshot. 5. Under Select a parent group, click All Users, so that the new group appears at the top level of the user groups, and then click Next. 6. Click the Browse button to the right of the Filter members based on security group box. 7. In the Select Security Group dialog box, select the security group that you want to specify, click Add to add it to the Selected security groups box, and then click OK to close the dialog box. In this example, the Development security group is specified because this security group includes the specific users to whom the mobile security policy can be applied. 8. To add specific members who are not members of the security group that you specified, click the Browse button to the right of the Add specific members box, select the users who you want to add to the group, click Add, and then click OK to close the dialog box. In this example, you can add another specific member outside the Development department, such as another administrator, who may need to evaluate the effectiveness of the policy. 9. Review the list of users that appears under Add specific users, and if the list is correct, click Next. 10. On the Summary page, review the details about the group, and if they are correct, click Finish. You can repeat these steps for all user groups that you want to create.Managing Updates and Automatic Approval RulesYou can deploy Windows Intune policies, software updates, and licensed software packages tothe device groups that you created earlier (if you followed the steps in the “To create a devicegroup to organize computers” procedure). If you want to closely manage all the updates that aredeployed by Windows Intune, you can use the Updates workspace to approve or decline eachupdate one by one. 
However, to ensure that all critical and security updates are installed asquickly as possible on your managed computers, you can set up automatic update approval rulesand deadlines for installation of approved updates.The following procedure describes how to set up an automatic update approval rule that you canuse to help automate the process of approving updates. To set up an automatic update approval rule and deployment date for computers 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Administration icon. 3. In the navigation pane, under Administration, click Updates. 4. Scroll down to the Automatic Approval Rules area, and then click New. 5. On the Name page, type a name for the rule, such as Default Approval Rule, and then 36
  • click Next.6. On the Select Product Categories page, select the check boxes that correspond to the categories you want, and then click Next to start the Create Automatic Approval Rule wizard.7. Select the classifications for which you want the updates approved automatically, and then click Next. We recommend that you select the Critical Updates, Definition Updates, and Security Updates categories as shown in the following screenshot to help protect your managed computers from new threats or vulnerabilities.8. Select the device groups to which you want to apply this rule. To apply the rule to all managed computers, select the All Devices group, and then click Add.9. To set a deployment deadline for updates that fall within the categories and classifications that you have specified for automatic approval, select the Enforce an installation deadline for these updates check box, select an installation deadline from the list, and then click Next.10. On the Summary page, review the information about the automatic update approval rule to ensure that it is correct, and if it is, click Finish to close the wizard.11. On the Service Settings: Updates page, under Automatic Approval Rules, do one of the following:  Click Run Selected to force this rule to evaluate all updates and to make them available for the managed computers the next time they check in. After the evaluation is completed, click Save.  Click Save to make the rule apply only to future updates as they are released.If you selected the Critical Updates, Security Updates, and Definition Updatesclassifications, as the managed computers check in to the service (by default, every 8 hours),they are instructed to apply updates in these classifications as soon as the updates areavailable.For updates that you want to approve manually, you can use the Updates workspace toreview and approve them. There are two types of updates that can be managed in Windows 37
  • Intune: Microsoft updates and non-Microsoft updates.  Microsoft updates: These updates are automatically made available through the Windows Intune service. For these updates you need to select the update and then approve each one for deployment to the groups that you select. You can approve these updates for individual computer groups or for higher-level groups, such as the All Devices group, and then use inheritance to approve the updates for all lower-level groups. To select multiple updates to approve at one time, press and hold the Ctrl or Shift key while selecting the updates that you want to approve.  Non Microsoft updates: To approve these updates, you first need to obtain the update package — usually a Windows Installer (.msi) or Windows Installer patch (.msp) file, or an .exe program file. After you have the update package for a non-Microsoft application, you need to use the Upload task in the Update workspace to upload the file into Windows Intune. The Upload task starts the Windows Intune Software Publisher wizard, which guides you through the process of creating an update package that can then be approved for deployment in the same way as Microsoft updates. Note The first time that you click the Upload task, Windows Intune automatically downloads and installs the Windows Intune Software Publisher. Windows Intune software publishing only supports updates that require no user interaction during installation.Setting Up Email Alert NotificationsWindows Intune tracks alerts for managed computers and for mobile devices that you canmonitor in the Alerts workspace. You can also configure Windows Intune to send email alertnotifications directly to specified email accounts. To set up alert notifications 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Administration icon. 3. In the navigation pane, click Alerts and Notifications. 4. 
On the Alerts and Notifications overview page, click Select Recipients for Email Notifications. 5. In the list of available recipients, select a recipient who can receive the email notifications, and then click Add. Note Adding an email recipient does not grant the recipient administrative access to the Windows Intune administrator console. To grant recipients administrative access to the console, you need to also add the recipient as a service administrator. 6. In the Add Email Recipient dialog box, type the name, email address and preferred 38
  • language for the recipient, and then click OK. To add recipients, repeat steps 5 and 6 as needed. 7. In the navigation pane, click Notification Rules. 8. In the Notification rule list, click the rule that corresponds to the alerts that you want to recipients to be notified about, as shown in the following screenshot. You can select email recipients for only one alert rule at a time. Note At a minimum, we recommend that you set up alert notifications for Remote Assistance Requests. These alerts are generated by users who open a remote assistance request from the Windows Intune Center on their client computers, and therefore the requests are often time-critical. 9. Click Select Recipients, and then select the check boxes that correspond to the recipients who should receive notification email messages when the alerts specified in the notification rule are raised. 10. Click OK to close the Select Recipients dialog box. You can also click Create New Rule on the Notification Rules page to run the Create Notification Rule wizard and create rules that meet your organizations specific needs.Next StepsThe next topic, Assess the Health of Your IT Environment and Assist End Users helps you createcustom reports to assess the health of your managed computers and learn about the capabilitiesof Windows Intune for making licensed software available to users. You will also learn how torespond to a user request for remote assistance and remote control that user’s managedcomputer to provide assistance. 39
  • See AlsoConfigure Your Windows Intune EnvironmentAssess the Health of Your IT Environmentand Assist End UsersThis topic will help you complete the following tasks: Create a custom report to identify computers that have pending updates, export an Endpoint Protection status report, and use filters to create a hardware report. Learn about the new capabilities available in this release of Windows Intune for making licensed software available to users. Respond to a user request for remote assistance and remote control that user’s managed computer to provide assistance.Creating Custom ReportsThe monitoring and reporting capabilities of Windows Intune can help you quickly identify and acton critical issues. For example, you may want to know, how many computers have a particularapplication or update installed? What Windows Intune policy settings are conflicting? Whatmalware was blocked? How many mobile devices are quarantined or blocked from accessingExchange Server? Windows Intune includes a set of report templates that you can use as is, oryou can create reports based on views within the workspaces in the Windows Intuneadministrator console. All of these reports can be printed or exported as either an HTML orcomma-separated value (.csv) file (also known as comma-delimited file). This lets you export thedata from Windows Intune, and then import this information into Microsoft Excel or anotherapplication to format and customize it as needed.The following procedure describes how to create a report to help identify computers that havepending updates to be installed. When an update is pending, it has been approved, but some ofthe computers to which the update is targeted have not yet tried to install the update. To create a report to identify computers that have pending updates 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Reports icon. 3. On the Reports Overview page, click Update Reports. 4. 
On the Create New Report page, under Select update classification, click All. 5. Under Select update status, select Pending. 6. Under Select MSCR rating, leave Not specified selected. 7. Under Select effective approval, leave All selected. 40
  • 8. Under Select computer groups, leave All Devices selected. 9. To save this custom report for future use, click Save As or Save, and then type a name for the report so that you can view it again later. 10. To view the new report, click View Report. You can use this information to identify computers that have updates outstanding, and then start the process of troubleshooting the updates.Exporting an Endpoint Protection Status ReportThe Windows Intune administrator console lets you quickly identify and investigate when malwareis first detected or was recently resolved on managed computers. In most situations, WindowsIntune Endpoint Protection generates Informational alerts that provide you with an up-to-dateview of malware that was detected and removed from managed computers. When additionalfollow-up is required (for example, when malware is first detected or when recently resolvedmalware needs follow-up), Windows Intune generates a Critical or Warning alert so that you cancontact the user and use Remote Assistance to troubleshoot the issue.The following procedure describes how to create an Endpoint Protection status report to list thealerts that indicate malware that has been detected or was recently resolved. To export an Endpoint Protection status report 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Alerts icon. 3. In the navigation pane, under All Alerts, click Endpoint Protection The Alerts page displays a list of the malware-related alerts that were generated on all managed computers, as shown in the following screenshot. 41
  • 4. To export this list, click the Export list icon on the right side of the taskbar. 5. In the Export dialog box, in the Export format list, select the type of file to which you want to export your report, and then click Export. You can export your report to either of the following formats: Comma-separated values (.csv) file format or webpage (.html) file format. Note Wherever the Print or Export icons appear in the Windows Intune administrator console, you can print or export the data displayed in that view. 6. In the Save As dialog box, browse to or type a path and file name for the export file, and then click Save. This creates an exported report that you can then import into your preferred reporting or data manipulation application. 7. After the report has been exported, click Close.Using Filters to Create a ReportIn the Windows Intune administrator console, you can use filters to narrow your search results,investigate specific issues, and create reports. For example, you can use filters to display lists ofspecific devices; updates; malware issues; users or devices with software installation failures andpolicy setting conflicts or other errors; noncompliant mobile devices that are blocked or allowedaccess to the corporate network; and active alerts that were generated within a specific timeframe, alerts of a specific severity level, or closed alerts. Some filters differ slightly in name anddefinition, depending on the workspace and the tab that you are viewing. 42
  • You can use filters with a specific selection in the navigation pane, or with All Users or AllDevices selected. When you have a filter selected, your searches are constrained against thatfilter until you make a new selection or clear the filter.The following procedure describes how to create a hardware report with computer details. To use filters to create a hardware report with computer details 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Groups icon. 3. In the navigation pane, click All Devices. 4. In the Filters list, under Hardware, click Computer details and user account. Choosing this filter displays a list of the computers in your environment and provides specific data about each computer, such as the Chassis Type, Manufacturer, Model, Operating System, Total Disk Space, and other details. You can right-click any data column heading and then customize which columns you want to appear in the view. 5. After you customize the view as needed, click Print List or Export List to either create a printed report or export this view to a file.Creating Software Inventory ReportsWhen you install the Windows Intune client software on your computers, the client builds adetailed inventory of the software applications that are installed on each computer, and thenreports that data to the Windows Intune service. You can use either the Software workspace orDetected Software Reports in the Reports workspace to view, print, or export this information.One key report that you can create is a software inventory report, which is a computer-by-computer list of all software installed on managed computers in your Windows Intuneenvironment. The following procedure describes how to create a software inventory report. To create a software inventory report 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Reports icon. 3. In the navigation pane, click Detected Software Reports. 4. 
In the Create New Report page, leave all customization options at their default settings, and then click View Report. This generates a detailed software inventory report of all software that is installed on the computers in your Windows Intune environment, and it identifies the publisher, the category, and the number of installation instances. Tip You can sort the list by clicking the applicable column heading, and you can also expand any software title in the list to show which computers it is installed on by clicking the directional arrow next to the list item, and then clicking the directional 43
  • arrow next to Computers. To export the full report, perform the following steps: 5. On the taskbar, click the Export icon. 6. In the Export format list, click .csv File, clear the Export summary data only check box, and then click Export. This exports a .csv file that contains a list of all software found on managed computers in your environment, and the computers on which the software is installed. This report includes any software recognized by the Windows Intune service, not just Microsoft products. You can then import this information into Microsoft Excel or another application to format and customize it as needed.Working with Licensed SoftwareWindows Intune enables you to deploy and install licensed software applications to managedcomputers or make these applications available to selected user groups. In addition, this releaseof Windows Intune lets you upload licensed software and make it available to selected usergroups. After you upload the software and make it available to selected user groups, users towhom the software is targeted can sign in to the Windows Intune company portal or the WindowsIntune mobile company portal and view the licensed software applications that you have madeavailable for them. They can then select the software applications that they want to download andinstall on their devices, and you can track software adoption across your organization. Forexample, after you make a mobile device application available for employees, you can monitorthe number of users to whom the application is targeted, the number of users who attempted toinstall the application, and view details about each of the users 44
The following screenshot shows several licensed software applications, including a licensed internal line-of-business travel planning application. This application has been made available to users with mobile devices that run iOS and Android operating systems.

For information about the process for deploying licensed software to managed computers or selected user groups, and for making licensed software available to selected user groups, see Software distribution in the Windows Intune online Help.

When you deploy software to device groups and user groups, it is important to understand that software installation packages are typically larger than software updates; therefore, you may need to take steps to help minimize the impact of a deployment on the Internet connection for a site. Windows Intune uses the peer distribution platform in Windows 7 (Professional, Enterprise, Ultimate), which is one of the technologies that powers BranchCache. BranchCache Distributed Cache mode is automatically enabled by the Windows Intune client. In this mode, clients on the same subnet share downloaded content with each other, so it reduces Internet bandwidth for software updates and software application downloads only where several managed computers share a site. You can confirm the mode on a managed computer by running netsh branchcache show status at an elevated command prompt. For more information, see What's New in Windows Intune.
Working with Remote Assistance
Remote tasks in Windows Intune let you run a quick scan or full scan, update malware definitions, restart computers, refresh policy, and refresh inventory on managed computers. Remote Assistance lets you view and control a managed computer remotely so that you can support your users from virtually anywhere. The remote assistance process always starts with the user: a session cannot be opened from the console without a request from the managed computer. To send a request, the user double-clicks the Windows Intune Center icon in the notification area on the taskbar of the managed computer to open the Windows Intune Center, and then clicks Request remote assistance from your system administrator. The request is then sent to the Windows Intune service.

Important
We recommend that you set up email alert notifications for Remote Assistance requests to ensure that email notifications are sent to you or other administrators automatically. This will help minimize the wait time for a user in need of assistance. For step-by-step instructions for setting up email alert notifications, see the "Set up Email Alert Notifications" section in the second topic in this guide, Add Computers, Users, and Mobile Devices to Windows Intune.

The following procedure describes how to respond to a Remote Assistance request:

To respond to a Remote Assistance request
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Alerts icon.
3. In the navigation pane, click Remote Assistance.
Note
By default, remote assistance alerts are set at the Critical alert level.
4. In the Alerts view, click the request in the list.
5. Under Recommended Actions near the bottom of the page, click Approve request and launch Remote Assistance.
6. In the A New Remote Assistance Request is Pending window, click Accept the remote assistance request.
7. Do one of the following:
   - If this is the first time that you have responded to a remote assistance request, click Accept Terms and Install Client to install the Remote Assistance via Microsoft Easy Assist software.
   - Otherwise, click Join the Session.
8. In the Join Session dialog box, type a name in the Display Name box, such as Helpdesk or Administrator, and then click Join. Choose a name that the user will recognize, because it is what the user sees when deciding whether to share the desktop. The session window opens, and you must wait until the user joins the session from the managed computer. This can take a few minutes, depending on the network bandwidth available. After the session is established, the user sees the Remote Assistance via Microsoft Easy Assist control windows. The user must click OK before you can see his or her desktop.
9. You then receive a confirmation message that the user has joined the session. In the message, click OK to see the user's desktop in a window on your computer.
10. To share control of the user's desktop, on the toolbar of the session window, click Request Control. The user then receives a confirmation message that you are requesting shared control, as shown in the following figure. Only after the user clicks Yes in the confirmation message can you control the managed computer; viewing and control are separate consents, and the user can decline the second while leaving the first in place.

In addition to the option to share control of the managed computer during the remote assistance session, you also can chat with the user and transfer files to and from the user's computer. These options are all accessible by using the main session controls.

At the end of the support session, we recommend that you return to the Windows Intune administrator console and close the original remote assistance alert. This makes it easier to identify new requests that are received, and keeps the Alerts view from accumulating approved requests that no longer correspond to an open session.

Next Steps
This guide has helped you get started with several key tasks, so that you can configure your Windows Intune environment and use Windows Intune to manage your computers and users, and to provide support for mobile devices. For more information about using Windows Intune, we recommend that you visit the Windows Intune Online Help and the Windows Intune Zone on TechNet.

See Also
Configure Your Windows Intune Environment
Add Computers, Users, and Mobile Devices to Windows Intune