Contents
Windows Intune June 2012 Release Getting Started Guide .... 3
Configure Your Windows Intune Environment .... 4
Signing up for Windows Intune .... 5
Already Subscribing to Windows Intune? .... 6
New to Windows Intune? .... 6
Already using Active Directory Domain Services and Exchange Server? .... 7
Features and Benefits of Windows Intune .... 7
Client Software and Hardware Requirements .... 8
Supported Browsers for Administrators and Users .... 9
New and Enhanced Web-Based Tools for Administrators .... 9
Getting Started with the Windows Intune Account Portal .... 10
Getting Started with the Windows Intune Administrator Console .... 12
Web-Based Portals to Provide Self-Service Capabilities for Users .... 14
Getting Started with the Windows Intune Company Portal .... 14
Getting Started with the Windows Intune Mobile Company Portal .... 16
Administrator Roles .... 17
Partners with Delegating Administration .... 19
Partners managing customers on the Windows Intune October 2011 release .... 19
Delegated Administration Partners for the Windows Intune June 2012 release .... 19
Setting up Policies in the Windows Intune Administrator Console .... 20
Next Steps .... 23
See Also .... 23
Add Computers, Users, and Mobile Devices to Windows Intune .... 24
Planning for Endpoint Protection and Managed Computer Bandwidth Usage .... 24
Adding Computers to Windows Intune .... 25
Adding Windows Intune to Deployment Images .... 26
Adding Users and Security Groups to Windows Intune .... 27
Mobile Device Support .... 29
User-to-Device Linking .... 30
Enhancements to Groups .... 31
Planning Considerations for Creating Groups .... 32
Creating Device Groups to Organize Computers .... 32
Creating User Groups to Organize Users .... 34
Managing Updates and Automatic Approval Rules .... 36
Setting Up Email Alert Notifications .... 38
Next Steps .... 39
See Also .... 40
Assess the Health of Your IT Environment and Assist End Users .... 40
Creating Custom Reports .... 40
Already using Active Directory Domain Services and Exchange Server?
Windows Intune now uses the same authentication mechanism as Office 365, so that you can
integrate Windows Intune with your existing Active Directory Domain Services (AD DS)
environment. As mentioned, if you are new to Windows Intune, when you sign up for a new
Windows Intune account, you need to create a user ID. After you create a user ID, you can link
that user ID with your organization’s AD DS environment. This will enable you to synchronize
existing users and security groups in AD DS with Windows Intune so that they appear in the
Windows Intune account portal.
If you have an on-premises deployment of Exchange Server 2010 Service Pack 1 or
later, Windows Intune can also provide support for your users’ connected Exchange
ActiveSync-enabled mobile devices.
Features and Benefits of Windows Intune
In this release, Windows Intune enhances the functionality of its management solution and
improves existing features. The core cloud services that Windows Intune provides have been
updated to provide greater functionality and performance. If you integrate Windows Intune with
AD DS, user accounts and security groups will automatically appear in the Windows Intune
account portal through directory synchronization. This makes it easier for you to add users to
manage with Windows Intune. Finally, if you integrate Windows Intune with AD DS and on-
premises Exchange Server 2010, you can provide support for mobile devices in your
organization.
To ensure that your AD DS and Exchange Server infrastructure is properly prepared for
Windows Intune, we strongly recommend that you review the Help topics mentioned in
the following list, so that you understand the additional configuration steps that may be
required.
Following are the capabilities provided by the Windows Intune core, AD DS synchronized, and
mobile device-enabled scenarios:
Core cloud services: Provides enhancements to alerts, policy, updates, and remote tasks,
and user-centric management. The new user-centric management capabilities provided by
Windows Intune include the ability to make licensed software applications available for users
to download to their computers, deploy policies to users, and let users add computers that
need to be managed by Windows Intune and remove computers that no longer need to be
managed by Windows Intune.
These capabilities require no new network or server infrastructure, and minimal computer
hardware.
AD DS synchronized: Enables user accounts and security groups to automatically appear in
the Windows Intune account portal through directory synchronization. You can then activate
users and include them as members of the Windows Intune user group, so that you can
manage them with Windows Intune.
These capabilities require AD DS synchronization. For information about how to set up AD
DS synchronization, see Active Directory Synchronization: Roadmap.
If Active Directory Federation Services (AD FS) 2.0 is deployed in your environment,
users can sign in to Windows Intune by using their existing on-premises Active
Directory credentials, instead of their user ID for Microsoft Online Services. For
information about AD FS 2.0, see Prepare for Single Sign-On.
Mobile device-enabled: Windows Intune uses Microsoft Exchange ActiveSync (EAS) to
integrate users’ mobile devices with your business infrastructure, and to enforce your
organization’s mobile device access policies. With Windows Intune, you can:
Automatically discover mobile devices that access corporate data through Microsoft
Exchange Server.
Define mobile device access rules to govern which mobile devices can access Exchange
Server.
Deploy policies to users to help secure the corporate data that is stored on their mobile
devices.
Let users access and install licensed internal line-of-business software applications that
you make available to their mobile devices.
Retire mobile devices from Windows Intune and Exchange Server, or let users perform
this task.
Wipe data from mobile devices that are lost or stolen, or let users perform this task.
These capabilities require an environment with AD DS synchronization and on-premises
Exchange Server 2010 Service Pack 1 or later with Exchange ActiveSync enabled. For
information, see Connecting Windows Intune to your Exchange Server in the Windows Intune
online Help.
Client Software and Hardware Requirements
To be managed by Windows Intune, computers must have the Windows Intune client software
installed, an Internet connection, and a supported operating system. The Windows Intune client
software can be installed on x86-based and x64-based editions of the supported Windows Vista
and Windows 7 editions, and on x86-based editions of Windows XP Professional with Service
Pack 3 only. You can install the Windows Intune client software on computers that are running
any of the following Windows operating systems:
Windows XP Professional, Service Pack (SP) 3
Windows Vista Enterprise, Ultimate, or Business editions
Windows 7 Enterprise, Ultimate, or Professional editions
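The supported-OS list above is easy to check by hand on one computer and tedious across a fleet. The following script is an added example and is not part of the Windows Intune guide or its client software; it reads the operating system caption, service pack level and architecture through WMI and reports whether a candidate computer falls inside the list, including the two cases that are easy to miss (Windows XP x64 editions and Windows XP below SP3). It assumes Windows PowerShell 2.0 or later with WMI access to the target computer; the computers.txt file in the usage comment is a placeholder.

```powershell
# Added example, not part of the Windows Intune guide: check a computer against the
# supported-OS list for the Windows Intune client before deploying it.
# Assumes Windows PowerShell 2.0 or later and WMI access to the target computer.
function Test-IntuneClientOsSupport {
    param([string]$ComputerName = '.')

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # Win32_OperatingSystem.OSArchitecture ("32-bit"/"64-bit") does not exist on Windows XP,
    # so fall back to the processor's address width there.
    if ($os.OSArchitecture) {
        $arch = $os.OSArchitecture
    } else {
        $cpu  = Get-WmiObject -Class Win32_Processor -ComputerName $ComputerName | Select-Object -First 1
        $arch = '{0}-bit' -f $cpu.AddressWidth
    }

    $caption   = $os.Caption                     # e.g. "Microsoft Windows 7 Professional"
    $sp        = [int]$os.ServicePackMajorVersion
    $supported = $false
    $reason    = 'Operating system or edition is not in the supported list'

    switch -Regex ($caption) {
        # Matches both "Windows XP Professional" and "Windows XP Professional x64 Edition";
        # the architecture test below rejects the x64 edition.
        'Windows XP Professional' {
            if ($arch -ne '32-bit') { $reason = 'Windows XP is supported only on x86-based editions' }
            elseif ($sp -lt 3)      { $reason = "Windows XP requires Service Pack 3 (found SP$sp)" }
            else                    { $supported = $true; $reason = 'OK' }
        }
        # Vista captions contain trademark symbols, hence the .* between name and edition.
        'Windows Vista.*(Enterprise|Ultimate|Business)' { $supported = $true; $reason = 'OK' }
        'Windows 7.*(Enterprise|Ultimate|Professional)' { $supported = $true; $reason = 'OK' }
    }

    New-Object PSObject -Property @{
        ComputerName = $os.CSName
        Caption      = $caption.Trim()
        ServicePack  = $sp
        Architecture = $arch
        Supported    = $supported
        Reason       = $reason
    }
}

# Usage (computers.txt is a placeholder list of host names, one per line):
# Get-Content .\computers.txt | ForEach-Object { Test-IntuneClientOsSupport $_ } |
#     Where-Object { -not $_.Supported } | Format-Table ComputerName, Caption, Reason -AutoSize
```

Home, Starter and Home Premium editions fall through the switch and are reported as unsupported, which matches the list; the Internet-connection requirement is not tested here because the guide does not name the service endpoints the client contacts.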
Getting Started with the Windows Intune Administrator Console
The first time that you sign in to the Windows Intune administrator console, the Getting Started
pane on the System Overview page appears. In the Getting Started pane, brief instructions and
links help you download and deploy the Windows Intune client software on computers that you
want to manage. If AD DS and on-premises Exchange Server 2010 SP1 are deployed in your
environment, you can download the Windows Intune Exchange Connector and take additional
steps to use Windows Intune to make licensed, internal line-of-business software applications
available for users to install on mobile devices, deploy policies to users for their mobile devices,
or wipe and remove those devices.
The following screenshot shows the Getting Started pane in the Windows Intune administrator
console.
On the System Overview page, there are three main panes:
Workspace shortcuts pane: This pane, on the leftmost side of the console, includes icons
for each Windows Intune workspace. Clicking an icon in this pane opens the corresponding
navigation pane and Overview page, where you can view status summaries and perform
management tasks that are relevant to that workspace.
Navigation pane: This pane, to the right side of the workspace shortcuts pane, provides
access to the Overview page and additional items for each workspace. The navigation pane
provides a view of the hierarchy for each workspace. Clicking Overview in the navigation
pane opens the Overview page for a workspace. Clicking another item displays more
detailed information. Depending on the item that you click, the information displayed might be
a list of relevant items, such as a list of all updates or a list of all malicious software, or a
Properties page that is relevant to the item.
Overview page: This page is available for all workspaces. It appears on the right side of the
navigation pane, displays status summaries, and includes a Tasks area and a Search box.
The Tasks area provides commands that let you perform management tasks for a
workspace. The Search box lets you search across a global list that is relevant to the
workspace. For example, you can search a list of all updates by entering the relevant KB
number. For most workspaces, a Learn About area includes links to topics that provide
information about the workspace and how to perform key management tasks.
The following screenshot shows the System Overview page.
When you first open the Windows Intune administrator console, no computers or mobile devices
are shown in the console, because you have not yet added computers to the Windows Intune
service, or added users and linked them to devices (computers). Take a few minutes to explore
the workspaces and other areas of the Windows Intune administrator console. For example, if
you click the Groups icon in the workspace shortcuts pane, and then click All Users in the navigation pane, notice that the All
Users view comprises two default user groups: All Users and Unassigned Users. In the All
Users group, notice that your tenant administrator account appears. Likewise, when you click All
Devices, notice that the All Devices view comprises two default groups: All Devices and
Unassigned Devices.
Before you add computers, additional user accounts, and mobile devices to the Windows Intune
administrator console, we recommend that you explore the Windows Intune company portal and
the Windows Intune mobile company portal, and then add or delegate administrators and set
policies in the Windows Intune administrator console.
Web-Based Portals to Provide Self-Service Capabilities for Users
Two web-based portals let your users perform common tasks without the need to involve your
organization’s IT help desk. Tasks that users can perform include installing licensed software that
you make available on their computers and mobile devices, adding computers that need to be
managed by Windows Intune, removing computers that no longer need to be managed by
Windows Intune, wiping data from compromised mobile devices, and adding or removing mobile
devices. For users who do need to contact their IT help desk, you can provide customized IT
contact information that is suitable for your organization.
Because Windows Intune supports common tasks for both computers and mobile devices,
Windows Intune includes two portals to provide an optimized user experience for each type of
device. The following table describes the tools that Windows Intune provides for users to
accomplish these tasks:
Name: Windows Intune company portal
Description and capabilities: This web-based portal is optimized for computers. Authorized users can access
this portal, sign in to Windows Intune, browse applications that you make
available, install applications on their computers, and contact their IT Help desk.
They can also add computers that need to be managed by Windows Intune, add
mobile devices, remove computers that no longer need to be managed by
Windows Intune, and wipe data from mobile devices or remove mobile devices
from Windows Intune and Exchange Server.
URL: https://portal.manage.microsoft.com

Name: Windows Intune mobile company portal
Description and capabilities: This web-based portal is optimized for mobile devices. Authorized users can
access this portal, sign in to Windows Intune, browse and install licensed internal
line-of-business software applications that you make available, install the
applications on their mobile devices, and contact their IT Help desk.
URL: https://m.manage.microsoft.com
Getting Started with the Windows Intune Company Portal
After you add users to Windows Intune, you can make applications available for your users to
install on their computers and let users perform other common tasks without the need to call their
IT Help desk. By visiting the Windows Intune company portal, users can view the applications that
are available to install, and then install those applications. The Windows Intune company portal is
available from any location with Internet access. This portal helps reduce support costs by
providing a way for users to add their own computers so that the computers can be managed by
Windows Intune and to remove computers that are no longer to be managed by Windows Intune.
Windows Intune company portal. For more information, see Using the Windows
Intune company portal in the Windows Intune online Help.
The following screenshot shows the Windows Intune company portal.
Getting Started with the Windows Intune Mobile Company Portal
When your environment is configured to support mobile devices, you can make internal licensed
line-of-business software applications available for your users to install on supported mobile
devices. Users can view the applications that are available for them to install on their mobile
devices and then install those applications by visiting the Windows Intune mobile company portal,
at https://m.manage.microsoft.com. Users can also contact their IT help desk. In addition to
Windows Phone 7, the mobile company portal supports devices that run the iOS and Android
operating systems.
We recommend that you explore the mobile company portal to familiarize yourself with the
experience and features that it can provide for your users.
To sign in to the Windows Intune mobile company portal, users must sign in with their user ID for
Windows Intune, or, if you have AD FS 2.0 single sign-on deployed in your environment, they can
sign in with their existing credentials.
When users sign in to the Windows Intune mobile company portal, they can view the following
Partners with Delegating Administration
As mentioned, if you are a Microsoft Online Services global administrator and you want someone
else to administer your Windows Intune account, you can delegate this role to a Microsoft partner
with Delegated Administration privileges.
This process must be initiated by your Microsoft partner. The partner sends you an email asking
you if you want to give them permissions to act as a delegated administrator.
1. Read the partner’s terms in the email.
2. To authorize the agreement, click the link to go to an authorization page in the Windows
Intune account portal. You may be asked to sign in to your Windows Intune account to
complete this verification.
To manage a delegated administrator
1. Sign in to the Windows Intune account portal.
2. Under Support, click Overview.
3. Click Delegated administrators.
Partners managing customers on the Windows Intune October 2011 release
If you are a partner that manages customers who use the Windows Intune release prior to
June 2012, you can continue to use the same sign-in and URL for your customers. When you
sign in to the Windows Intune administrator console, you will see only the accounts of
customers who are using the pre-June 2012 release. When these customers are upgraded to
the June 2012 release, you must manage their accounts by using the process that is
described in the next section.
Delegated Administration Partners for the Windows Intune June 2012 release
If you are a partner and you want to manage customers who are using the Windows Intune
June 2012 release, you will need to do the following.
To become a Delegated Administration Partner for Windows Intune June 2012 release customers
1. Get your Windows Intune June 2012 release Internal Use Rights benefits from the
Microsoft Partner Network.
2. In order to offer Delegated Administration to your customers, you must be a
3. Sign in to your Windows Intune June 2012 release subscription, and navigate to the
Partner area. You will find the ability to offer Trial and Paid subscriptions to
customers.
4. When you sign in to the Windows Intune administrator console with your user ID,
you will see only the accounts of customers who are using the June 2012 release.
5. When you sign in to the Windows Intune account portal, you will be able to manage
the subscriptions for your June 2012 release customers.
Setting up Policies in the Windows Intune Administrator Console
Windows Intune policies provide settings that control mobile device security, software updates,
Windows Intune Endpoint Protection, Windows Firewall settings, and the end-user experience in
the Windows Intune Center, which is installed on all computers that are managed by Windows
Intune. The Windows Intune Center lets users request remote assistance, start Endpoint
Protection, and check for updates for their computers. Computer policies work no matter
which domain your computers or users are joined to, or even if they are not joined to a domain.
Mobile policies work on any mobile devices that are connected to your Exchange environment
through Exchange ActiveSync.
Policy templates also now include the option to deploy policies with recommended settings, so
that you can easily create and deploy policies that implement best practices.
When you plan how to deploy policies to computers in your environment, keep in mind that you
can use policies to modify the default client behavior during the client enrollment process. For this
reason, before you add computers to Windows Intune, we recommend that you create a Windows
Intune Agent Settings policy for all computers to establish a baseline.
Another consideration to keep in mind when you are planning to deploy policies to
computers is that Windows Intune policy management is not connected to Group Policy.
Although the two policy management systems serve the same purpose, their scopes of
management vary, and they operate independently. If you are using Windows Intune in
an environment that also includes Group Policy, note that domain-level Group Policy
typically takes precedence over Windows Intune policy, unless a domain-joined managed
computer cannot connect to the domain controller. If connectivity to the domain controller
is unavailable, Windows Intune policy is applied to the managed computer.
To avoid policy conflicts that can occur from having competing policy management
systems, we recommend that when you deploy the Windows Intune client software to
computers, you ensure that the computers that are managed by Windows Intune policy
are not also receiving direction from Group Policy for the same configuration settings. For
more information, see Planning Around Group Policy in the Windows Intune online Help.
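The conflict the guide warns about is silent: a managed computer simply keeps the Group Policy value while it can reach a domain controller and switches to the Windows Intune value when it cannot. The following script is an added example, not part of the guide or of Windows Intune; run as an administrator on a domain-joined computer before deploying the client, it lists the Group Policy registry values that overlap the three policy areas Windows Intune manages (software updates, Windows Firewall, endpoint protection) and reports which policy source currently wins. The registry paths are the standard locations Group Policy writes for these components; the two endpoint-protection keys are assumed to be the relevant ones for a Microsoft antimalware client and should be extended if you use another product.

```powershell
# Added example, not part of the Windows Intune guide: find domain Group Policy settings that
# overlap the Windows Intune policy areas (software updates, Windows Firewall, Endpoint
# Protection). Only values under HKLM\SOFTWARE\Policies are Group Policy managed; local or
# per-user preferences are not considered conflicts here.
# Assumes Windows PowerShell 2.0 or later, run elevated on a domain-joined computer.
function Get-IntuneGroupPolicyOverlap {
    $policyKeys = @(
        @{ Area = 'Software updates';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' },
        @{ Area = 'Software updates';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' },
        @{ Area = 'Windows Firewall';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' },
        @{ Area = 'Windows Firewall';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' },
        @{ Area = 'Windows Firewall';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' },
        # Assumed relevant for Microsoft antimalware clients; add your own product's policy key.
        @{ Area = 'Endpoint Protection'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' },
        @{ Area = 'Endpoint Protection'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' }
    )

    foreach ($entry in $policyKeys) {
        if (-not (Test-Path -LiteralPath $entry.Path)) { continue }
        $key = Get-Item -LiteralPath $entry.Path
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Area    = $entry.Area
                Key     = $entry.Path
                Setting = $name
                Value   = $key.GetValue($name)
            }
        }
    }
}

# Group Policy takes precedence only while a domain controller is reachable; otherwise the
# Windows Intune policy is applied. Report which source would win right now.
function Get-IntunePolicyPrecedence {
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc     = $domain.FindDomainController().Name
        New-Object PSObject -Property @{
            DomainControllerReachable = $true
            DomainController          = $dc
            Wins                      = 'Group Policy'
        }
    } catch {
        # Thrown when the computer is not domain-joined or no domain controller answers.
        New-Object PSObject -Property @{
            DomainControllerReachable = $false
            DomainController          = $null
            Wins                      = 'Windows Intune policy'
        }
    }
}

# Usage:
# Get-IntunePolicyPrecedence
# Get-IntuneGroupPolicyOverlap | Sort-Object Area, Key | Format-Table Area, Setting, Value -AutoSize
```

An empty result from Get-IntuneGroupPolicyOverlap means no Group Policy object is writing to those areas on this computer, which is the state the guide recommends before the Windows Intune client is deployed. Any rows it does return identify the GPO settings to remove or scope away from the Windows Intune-managed computers.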
the device groups to which you want to deploy this policy. Windows Intune Agent settings
can only be deployed to computers, so only device groups (which contain computers) are
available for selection. Because you have not yet added computers to be managed by
Windows Intune and created device groups, click All Devices, and then click Add. As
you add computers to be managed by Windows Intune and create computer groups, you
can edit this policy and deploy it to different groups as needed.
10. Repeat these steps as needed for the Windows Intune Center Settings and Windows
Firewall Settings policy templates.
You can use the Windows Intune Center Settings policy to configure the contact
information that appears in the Windows Intune Center on managed computers. You can
set details such as email addresses or telephone numbers for users to contact if they
need support. You can use the Windows Firewall Settings policy to control the local
Windows Firewall on managed computers and to create exceptions to open specific
firewall ports that enable or disable features such as File and Print services or remote
administration.
If your environment meets the requirements for mobile device support as described earlier in this
topic, you can use the following procedure to set up a Mobile Security Policy for mobile devices in
your organization. This policy template includes settings that let you define whether a password is
required for mobile devices that synchronize with Exchange Server, the password length and
type, and whether encryption is required on mobile devices (if it is supported; not all mobile
devices support encryption).
To set up a mobile security policy
1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Policy icon.
3. Under Tasks, click Create New Policy.
4. In the Create a New Policy dialog box, select the Mobile Security Policy template.
5. In the right pane, under Mobile Security Policy, do one of the following:
Click Create and Deploy a Policy with the Recommended Settings. To view the
settings before you create the policy, click View the recommended settings that
will be used as the default for this policy.
Click Create and Deploy a Custom Policy, and then click Create Policy. After you
click Create Policy, you can review and configure the available policy settings. For
example, Mobile Security Policy settings include:
Enforcement: Specify whether to allow mobile devices that do not comply with
some or all settings in the policy to synchronize with Exchange Server.
Password: Specify password length, complexity, and whether a device is wiped
after a certain number of failed password attempts.
Email download: Specify whether to let users download email attachments to
their mobile devices.
Click the information icon next to each setting to learn about each setting and to view
the recommended value, where appropriate, as shown in the following screenshot.
6. After you configure the settings that you want to apply in your policy, type a name and an
optional description for the policy, and then click Save Policy.
7. When prompted to specify whether you want to deploy the policy now, click Yes, and
then select the user groups that you want to deploy this policy to (this policy can only be
deployed to user groups, not to device groups). For example, click All Users, and then
click Add to deploy this policy to all users that you are managing.
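Because the Mobile Security Policy reaches devices through Exchange ActiveSync, the authoritative record of what was enforced is the ActiveSync mailbox policy and device state in Exchange, not the console. The following script is an added example and is not part of the Windows Intune guide or the Windows Intune Exchange Connector; run in the Exchange Management Shell on the Exchange Server 2010 SP1 organization the connector is attached to, it compares the resulting ActiveSync mailbox policy with the settings chosen in the procedure above (password, wipe after failed attempts, encryption, enforcement of non-compliant devices, attachment download) and lists every device partnership with its access state and whether the policy was applied in full. The policy name 'IntuneMobileBaseline' and the expected values are assumptions; substitute the policy that was created for your tenant and the values you configured.

```powershell
# Added example, not part of the Windows Intune guide: verify in the Exchange Management Shell
# (Exchange Server 2010 SP1) what the Mobile Security Policy produced in Exchange ActiveSync.
# 'IntuneMobileBaseline' and the expected values below are assumptions for illustration.
function Test-EasPolicyBaseline {
    param(
        [string]$PolicyName        = 'IntuneMobileBaseline',
        [int]   $MinPasswordLength = 6,
        [int]   $MaxFailedAttempts = 8
    )
    $policy   = Get-ActiveSyncMailboxPolicy -Identity $PolicyName
    $org      = Get-ActiveSyncOrganizationSettings
    $findings = @()

    # Password group of the template: required, minimum length, wipe after failed attempts.
    if (-not $policy.DevicePasswordEnabled) { $findings += 'Device password is not required' }
    if (-not $policy.MinDevicePasswordLength -or $policy.MinDevicePasswordLength -lt $MinPasswordLength) {
        $findings += "Minimum password length is '$($policy.MinDevicePasswordLength)', expected at least $MinPasswordLength"
    }
    if ($policy.MaxDevicePasswordFailedAttempts.IsUnlimited) {
        $findings += 'Device is never wiped after failed password attempts'
    } elseif ($policy.MaxDevicePasswordFailedAttempts.Value -gt $MaxFailedAttempts) {
        $findings += "Wipe after $($policy.MaxDevicePasswordFailedAttempts.Value) failed attempts, expected $MaxFailedAttempts or fewer"
    }

    # Encryption is required only where the device supports it; the policy still has to ask for it.
    if (-not $policy.RequireDeviceEncryption) { $findings += 'Device encryption is not required' }

    # Enforcement: devices that cannot apply the policy would still be allowed to synchronize.
    if ($policy.AllowNonProvisionableDevices) { $findings += 'Non-provisionable devices may synchronize without the policy' }

    # Email download: attachment download allowed.
    if ($policy.AttachmentsEnabled) { $findings += 'Attachment download is allowed (confirm this is intended)' }

    # Device access rules decide only the devices they match; the rest get the organization default.
    if ($org.DefaultAccessLevel -eq 'Allow') { $findings += 'Unmatched devices are allowed by default (DefaultAccessLevel = Allow)' }

    New-Object PSObject -Property @{
        Policy    = $policy.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Per-device view: access state, whether the policy was applied in full, and stale partnerships
# that were never retired (the guide lets administrators or users retire or wipe those).
function Get-EasDeviceReport {
    param([int]$StaleDays = 30)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ActiveSyncDevice -ResultSize Unlimited | ForEach-Object {
        $stats = Get-ActiveSyncDeviceStatistics -Identity $_.Identity
        New-Object PSObject -Property @{
            User          = $_.UserDisplayName
            DeviceType    = $_.DeviceType
            DeviceModel   = $_.DeviceModel
            AccessState   = $_.DeviceAccessState                 # Allowed, Blocked, Quarantined, DeviceDiscovery
            AccessReason  = $_.DeviceAccessStateReason           # Global, Individual, DeviceRule, Policy, ...
            PolicyApplied = $stats.DevicePolicyApplied
            PolicyStatus  = $stats.DevicePolicyApplicationStatus # AppliedInFull, PartiallyApplied, NotApplied, ...
            LastSync      = $stats.LastSuccessSync
            Stale         = ($stats.LastSuccessSync -lt $cutoff)
        }
    }
}

# Usage:
# Test-EasPolicyBaseline -PolicyName 'IntuneMobileBaseline' | Format-List
# Get-EasDeviceReport | Where-Object { $_.PolicyStatus -ne 'AppliedInFull' -or $_.Stale } |
#     Format-Table User, DeviceModel, AccessState, PolicyStatus, LastSync -AutoSize
```

A device reported as PartiallyApplied is the practical face of the encryption caveat above: the device accepted the policy but could not honour every setting. Whether such devices keep synchronizing is decided by the Enforcement setting, which is why the first function flags AllowNonProvisionableDevices.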
As you create and deploy more specialized policies to other device groups and user groups in
your organization, be aware that all policies are applied to the computers and users in those
groups; however, the policy that is applied at the lowest level in the Windows Intune group
hierarchy takes precedence if another Windows Intune policy setting is conflicting.
Next Steps
The next topic, Add Computers, Users, and Mobile Devices to Windows Intune, helps you add
computers and users to Windows Intune and understand how mobile devices are added to
Windows Intune, link users to computers, organize devices and users into groups, manage
updates, and set up alert notifications.
See Also
Assess the Health of Your IT Environment and Assist End Users
Add Computers, Users, and Mobile Devices to Windows Intune
This topic will help you complete the following tasks:
Add computers to Windows Intune by installing the Windows Intune client software on
computers that you want to manage.
Manually add users and security groups to the Windows Intune account portal, or activate
synchronized users and add them to the Windows Intune user group in the Windows Intune
account portal.
Learn how mobile devices are added to Windows Intune.
Understand user-to-device linking and link a user to a computer.
Learn about enhancements to groups in Windows Intune, which let you create user and
device groups that have dynamic membership queries; create device groups to organize
computers; and create user groups so that you can deploy mobile security policies to that
group for members’ mobile devices.
Set up automatic update approval rules to help ensure that important updates are rapidly
deployed and set an installation deadline for automatic update approvals.
Configure alert notifications to help ensure that you or other administrators receive email
notifications about the latest alerts.
Planning for Endpoint Protection and Managed Computer Bandwidth Usage
Before you add computers to the Windows Intune service, consider your needs for endpoint
protection. Determine whether you want to use Windows Intune Endpoint Protection instead of an
existing endpoint protection application, or to continue to use an existing endpoint protection
application. For information about how to implement either approach so that your managed
computers are not left in an unsecured state, see Replacing Your Existing Malware Protection
and Continuing to Use Your Existing Malware Protection in the Windows Intune online Help.
Also keep in mind that Windows Intune-managed computers use network bandwidth for Windows
Intune-related operations. Before you install the Windows Intune client software on computers
that you want to manage, you should consider the existing amount of network usage and the
amount that will be added by the requests made by Windows Intune-managed computers. For
information about the variables that impact bandwidth planning for Windows Intune and for
comprehensive deployment planning guidance, see Planning for Client Deployment and