Getting Started Guide: Getting the most from Windows Intune

Contents
Overview ....................................................................................................................................................... 2
Setup ............................................................................................................................................................. 2
Getting Started with the Administration Console ........................................................................................ 2
Adding Administrators .................................................................................................................................. 4
Manage Update and Automatic Approvals................................................................................................... 5
Set up Alerts Notifications ............................................................................................................................ 6
Setting Your Default Policies ......................................................................................................................... 8
Client Enrollment .......................................................................................................................................... 9
Organizing Your Computers ........................................................................................................................ 11
Creating Reports ......................................................................................................................................... 12
Customizing Report Templates ........................................................................................................... 12
Creating a Malware Status Report ...................................................................................................... 14
Using Workspace Filters...................................................................................................................... 15
Creating Software Inventory Reports ................................................................................................. 16
Working with Remote Assistance ............................................................................................................... 17
Working with Multiple Accounts ................................................................................................................ 19
Summary ..................................................................................................................................................... 21
Resources: ........................................................................................................................................... 22

Overview
Learn how you can get the most out of Windows Intune with the Getting Started Guide.
This document is designed to help you setup your new Windows Intune environment and explore the
main features of Windows Intune. To help in this, we have created an example environment for a
business called Coho Winery. Throughout this paper you will see example screenshots taken from this
environment to help illustrate how you can similarly configure your Windows Intune environment.
Subsequently, you can take the steps we have documented to create and customize them to meet your
own business needs.

Setup
During the Windows Intune signup process, you will be asked to provide a Windows Live ID and basic
contact information to identify you as the owner of the subscription agreement. Once this information
has been completed, an email will be sent to the Live IDs email address confirming the account is active.
You can click on the link included in your email or simply log in to your account at
https://manage.microsoft.com.
Windows Intune requires no new network or server infrastructure and minimal PC hardware
requirements basically no more than those needed for the operating system itself. In order to manage
PCs with Windows Intune, the client computers just need to have Internet access and the Windows
Intune client software installed on the PC. As an administrator of the service, you should also make sure
the browser you will be using to manage Windows Intune has Silverlight 3.0, or later, installed.

Getting Started with the Administration Console

When you logon to the service, you are presented with the Windows Intune System Overview page in
the Windows Intune Administration console; this Silverlight application will provide you with rapid
access to the management features of Windows Intune. The screen will look similar to that shown in
Figure 1:

FIGURE 1: WINDOWS INTUNE ADMINISTRATION CONSOLE SYSTEM OVERVIEW SCREEN

In this screen, you can see the three main information panels for Windows Intune. On the left is the
Navigation panel that contains the links to the Windows Intune workspaces. Workspaces is how we refer
to the various features of Windows Intune. You can click on Computers to create computer groups;
manage Updates or Endpoint Protection, view Alerts for potential issues; gather insight into Software
inventory across managed PCs; view the status of installed Microsoft Licenses against entitlements; set
a basic security Policy such as firewall management; view select template-based Reports on items such
as updates; and lastly, complete Administration tasks that can include deploying the client software
on each PC or adding administrators. In the middle of the screen is the main information panel that
provides the detail view for the workspace (in this example the Systems Overview workspace). Finally,
on the right is the Tasks panel that provides a context sensitive list of available tasks for that workspace.
At this point you have no computers enrolled into the system so there is not much information here, but
you can start to familiarize yourself with the workspaces and tasks available in each.
For example, if you click on the Update icon in the navigation panel and then select All Updates, you will
see a list of all updates that the Windows Intune service allows you to manage, as shown in Figure 2:

FIGURE 2: UPDATE WORKSPACE VIEW

So take a few minutes to click through the navigation panel and administration console to get a feel for
how the service is laid out.
Over the next few pages, we will walk you through steps we recommend you take as well as provide you
with the insight on the features of the Windows Intune service.

Adding Administrators
By default, the subscription owner is made the Tenant Administrator for your Windows Intune service.
The Tenant Administrator is the individual who accepted the Microsoft Online Subscription Agreement
(MOSA) in the Microsoft Online Services Commerce Portal (MOCP) at the time of purchase and is
entitled to perform all tasks in the Windows Intune administration console.
To add additional administrators that can perform day to day management tasks in Windows Intune
these are referred to as Service Administrators - you will need to do the following:
1. Logon to the Windows Intune Administration Console and click Administration.
2. Click Administrator Management.
3. Click Add Administrator, you will then see a window similar to that in Figure 3:

FIGURE 3: ADD ADMINISTRATOR

4. Enter a valid Windows Live ID in the E-mail address box and click Add Administrator. For
customers that are working with a service provider, this is where you would add your service
providers Windows Live ID to enable them to administer your account.

Repeat the previous step for all Windows Live IDs that you wish to make
Service Administrators of this Windows Intune account. Manage Update and
Automatic Approvals
The groups you created above can now be used to deploy both Windows Intune Policies and Microsoft
updates. If you wish to closely manage all the updates that are managed by Windows Intune you can use
the Updates workspace to Approve or Decline them. However, if you wish to ensure that critical or
security updates are installed as quickly as possible on your managed PCs, you can use the Windows
Intune auto-approval rules. The following steps will take you through the process of setting up an autoapproval rule that can be used to help automate the process of approving updates of the classifications
you select.
1. From the Windows Intune Administration Console click Administration and Updates.
2. Select Automatic Approval Rules, scroll down to the bottom of the page, if required, and then
click New.
3. Type in a Rule name such as: Default Approval Rule then click Next.
4. In Step 2 of 4, check the All Categories option and click Next.
5. Now you can select the update classifications that you wish to automatically approve. We
recommend that you select the categories shown in Figure 8 to be automatically approved as

these will help to keep your managed computer better protected from new threats or
vulnerabilities.

FIGURE 8: APPROVAL RULE CLASSIFICATIONS

6. Once you have selected the classifications you wish to automate click Next.
7. Now you can select the groups you wish to deploy this rule to. To deploy it to all your managed
computers, select the All Computers group and click Finish.
8. Click Run Selected to force this rule to evaluate all updates on the systems currently and make
them available for the managed computers the next time they check in. Or if you click save
here, it will only apply to future updates as they are released.
As the managed computers check back in to the service, they will be instructed to apply all critical and
security updates as soon as they are available. For those updates that you wish to approve manually,
you can use the Updates workspace to review and approve them.

Set up Alerts Notifications

Windows Intune tracks alerts for your managed computers and you can monitor these via the Alerts
workspace or you can have the service email alerts directly to email accounts.
From the Windows Intune Administration Console click the Administration workspace tab.
1. Click on Alerts and Notifications.
2. Next click Recipients and click the Add option as highlighted in Figure 9:

FIGURE 9: ADD RECIPIENT

3. Add as many email aliases as you need.
Note: Being made a recipient does not allow access to the Windows Intune Administration console.
If you wish to allow any of these recipients to logon to the console, you will need to add them as an
administrator.
4. Next select Notification Rules and select the Alert rules you wish to send emails for and then
click the Recipients option as highlighted in Figure 10:

FIGURE 10: SELECT NOTIFICATION RULE

5. Now you can select which email recipients will receive an email for these alerts.
We recommend that you set up the Remote Assistance Requests for notifications as these alerts are
generated by the end user and are typically time critical.

Setting Your Default Policies

Windows Intune policies are focused on providing you with fast and straightforward settings that
control the updates, endpoint protection, firewall settings, and the end user experience. These will work
no matter what domain your computers are joined to or even if they are non-domain joined.
Note: For many years Microsoft has provided a feature called Group Policy to help manage Windows
computers. We recommend that you do not use both Group Policy and Windows Intune policies on the
same computers. However, if you wish to do this, Group Policy will take precedence over Windows Intune
policies. For more information see the Plan for Deployment in Enterprises that are managing by using
Group Policy page in the Policy section of the Windows Intune online help here:
http://onlinehelp.microsoft.com/windowsintune
The following steps will take you through the process of setting up a set of default Windows Intune
policies.
1. From the Windows Intune Administration Console click the Policy workspace tab.
2. Under the Tasks panel click Create a New Policy. At the Create New Policy Wizard, highlight
the Policy Templates.
You can see here that we have three types of policy we can create: Agent settings, Tools settings,
and Firewall settings.
3. Select the Agent Settings template and click Create New Policy.
The Agent settings will control the endpoint protection and software update settings for the agents
on the managed computers. You can Scroll down the settings and review the available settings such
as Scan Schedule for malware, SpyNet membership, and Update detection frequency. If you click the
information icon next to each setting you can read details of the setting along with a recommended
value, where appropriate, as shown in Figure 11.

FIGURE 11: ONLINE POLICY DETAILS

8

4. Once you have configured the settings you wish to apply in your default policy click Save Policy.
5. At the Deploy Policy window click Yes and then select the All Computers group to deploy this
policy to all computers you are managing.
You can now repeat this process for both the Windows Intune Center Settings and Windows
Firewall Settings policy templates. The Windows Intune Center Settings allow you to configure the
contact information that will appear in the Windows Intune Center on the client computers. You can
set details such as email addresses or telephone numbers for clients to contact if they need IT
support. The Windows Firewall Settings policy allows ySou to control the computers local Windows
Firewall and create exceptions to open specific firewall ports that will enable or disable features
such as File and Print services or remote administration.
Once you have the default policies in place, you can apply more specialized policies to other groups
in your organization if required. If you do this, it is the policy that is lowest in the group hierarchy
that will take precedence.

Client Enrollment
Before you can manage a computer with Windows Intune you will need to install the Windows Intune
client software package on the PC this can be your physical PC or even a virtual machine. Use the
following steps to complete this step:
1. Starting from the Systems Overview workspace you can either click the Installing the
Windows Intune Client software link in the Notice Board or click the Administration
workspace and then select Client Software download.
2. The software can be installed on 32 and 64 bit version of the operating systems and will
support Windows XP, Windows Vista and Windows 7.
Important: Before you deploy the Windows Intune client you should consider how you want to
handle your existing malware protection software. By default, Windows Intune Endpoint
Protection will not be installed if existing protection software is detected. If you want to ensure
you are using the Windows Intune Endpoint Protection, we recommend removing the 3rd party
malware protection software just before the Windows Intune installation.
To install the client software on a computer, follow these steps:
3. Click on Download Client Software.
4. When the download dialog opens, select Save and select a secure location to save the
download package.
5. Once the download has completed, open the folder where you saved the installation
package.
6. Right-click the Windows_Intune_Setup.zip package and select Extract All, this will display
the dialog box shown in Figure 4:

FIGURE 4: SETUP FILES EXTRACTION PROCESS

7. Click Browse to select an alternative path (if required) and then click Extract to extract the
setup files.
8. When the extraction has completed, a new window will be displayed similar to that shown
in Figure 5:

FIGURE 5: EXTRACTED SETUP FILES

9. These files can be copied to a network share, a thumb drive, or deployed using an electronic
software deployment (ESD) system. However it is important to keep these two files together
as the ACCOUNTCERT file is used by the setup application when it is executed.
Note: If your ESD requires a Microsoft Installer (MSI) file for distribution, you can use the
/Extract switch on the Windows_Intune_Setup.exe file to extract both a 32 bit and 64 bit MSI
package.
10

10. When you are ready to enroll a computer, double click Windows _Intune_Setup.exe from
the client computer to start the installation process as shown in Figure 6:

FIGURE 6: SETUP WIZARD WELCOME SCREEN

11. Follow the instructions in the Setup Wizard to complete the installation.
Once the installation has completed, you may be prompted to reboot the computer, this will allow the
protection and update agents to complete their installation and will download any required malware
protection definitions and other agent updates. The computer account will appear in the Administration
console within a few minutes, but it can take up to 30 minutes for all the agents to complete their
installations and report all inventory and status updates.

Organizing Your Computers

The following steps will take you through the process of configuring groups to help organize the
computers you will add to the service. Below is an example of how you can go about setting up your first
computer groups. Feel free to customize this to meet your organizations needs.
1. From the Windows Intune Administration Console click the Computers Tab.
2. You will see two groups: All Computers and Unassigned Computers.
The All Computers group contains all computers managed by the system at any one time,
whereas the Unassigned Computers group will contain computers that have not been assigned
to a group yet by the systems administrator.
3.
4.
5.
6.

Click on the Create Computer Group link in the Tasks panel on the right.
In the Name box type HQ.
In the description type Our HQ site computers.
Under the Parent Group heading, make sure the All Computers group is selected so that this
group appears at the top level of the groups.
7. Now scroll down the page until you can see the Members section of the page.
8. Click the Add button and select computers to add to the group.
9. Click OK to add the computers and click Create Computer Group.
11

10. Now you can click on the new group in the list to the left and this will show the status of
computers in that group.
11. Next, click on the Computers tab in the main information panel to show the computers you
added to the group.

You can now repeat these steps for all groups you wish to create. Figure 7
shows three examples of grouping strategies you could use to help organize
your computers. Managed computers can be a member of multiple Windows
Intune groups. This allows you a great deal of flexibility in how you can use
groups.
It is important to know that these groups are completely independent of any
Active Directory Domain Service (ADDS) groups you have in your domains. The
groups only apply to the Windows Intune agents so you are free to change
these to meet those needs without having to worry about any possible conflict
with ADDS groups.
Note: The numbers in the Departmental example are used to help organize the
order the groups are listed in. By default they are sorted alpha-numerically.

FIGURE 7: GROUPING EXAMPLES

Creating Reports
How many computers have a particular application or update installed? What malware was blocked?
Which users needed Remote Assistance over the last month? If you find yourself asking these questions,
Windows Intune can help you create reports to get this view. We have developed a set of reports
templates you can use or create custom reports based on views within the Windows Intune workloads.
All these reports can be printed out or exported as either HTML or comma separated value (CSV) files.
This allows you to export the data from Windows Intune and import it into whatever programs you need
for further manipulation. For example, you could use Microsoft Excel to take the CSV data and create a
detailed and formatted spreadsheet.
Customizing Report Templates
The following steps will take you through the process of creating a Windows Update report to help
identify all computers that have pending Updates waiting to be installed:
1. Click the Reporting workspace tab.
2. Click the Update reports.
3. Customize the report settings to look like those in Figure 12:
12

FIGURE 12: CUSTOM UPDATE REPORT

4. Click View Report.
This will generate a report similar to that shown in Figure 13. Using this information you can identify
those computers that have updates outstanding and start the process of troubleshooting the
updates.

13

FIGURE 13: CUSTOM UPDATE STATUS REPORT

Creating a Malware Status Report
The majority of time, the Windows Intune Endpoint Protection feature will generate informational alerts
that are designed to give you an up-to-date view of malware that has been detected and removed from
any of your managed computers. For those times that some follow up is required, the Alerts will be
marked as urgent so you can contact the user and use the Remote Assistance feature to help perform
any follow up tasks. The following steps show you how to create a Malware Protection report:
1. Click the Alerts workspace tab and select the Malware Protection option.
This will display a list of the current malware incidents recorded on all managed computers please
see Figure 14:

14

FIGURE 14: MALWARE PROTECTION REPORT

2. To export this view, click the
icon in the top right-hand corner of the screen.
3. Select either HTML or CSV as your preferred export file type and click Export.
4. In the Save As window enter the path and file name for the export file and click Save.
This will create the exported report which you can then use in your preferred reporting or data
application as required.

Wherever you see the print or export icons

the data in that view.

in the Administration console you can export

Using Workspace Filters

In this section you will look at the filters that are available in the Administration console Workspaces to
help you generate additional reports. The following steps will take you through the process of creating a
Hardware Classification report:
1. Click the Computers workspace tab and select All Computers.
2. From the Filters drop down box, select Hardware classification filter.
This filter will display a view of the computer in your environment that includes the Chassis type,
Manufacturer, Model, as well as the Operating System and the last time the computers checked in
the service. Figure 15 shows an example of this filtered view:

15

FIGURE 15: HARDWARE CLASSIFICATION

3. Now using the Print and Export icons described in the previous section, you can create a printed
report or export this view to a CSV file.
Creating Software Inventory Reports
As you install the Windows Intune client software on your computers, a detailed inventory is built of the
software installed on them and reported back to the Windows Intune service. Using either the Software
workspace or by using the Software report in the Reports workspace, you can review, print, or export
this information.
One key piece of information required by many organizations is a computer by computer list of all
software installed. The following steps will take you through the process of creating this report in
Windows Intune:
1. From the Windows Intune Administration Console, click the Reports workspace tab.
2. Select the Software Report Type.
3. Leave all the other customization options at their default All state and click View Report.
This will generate a detailed software report identifying and categorizing all software installed on the
computers in the Windows Intune environment. As this is a Silverlight-formatted report, you can drill
down into the details of which computers have which software installed. To export a full detail report of
this information, follow these steps:
4. Click the Export

icon
16

5. Once the Export Dialog Windows opens, select .csv File.

6. Uncheck the Export summary data only option and click Export.
This will export a CSV file containing a list of all software found in the environment and which computers
have the software installed. This can be any software recognized by the service and is not limited to just
Microsoft products. This information can then be imported into Microsoft Excel to be formatted and
customized as required.

Working with Remote Assistance

Now lets take a look at a very useful feature of Windows Intune and that is Remote Assistance (RA).
This feature allows you to view and control a managed computer remotely so you can support your
users virtually anywhere and regardless of whether you are in the office or on the road. The RA process
starts when an end-user opens a request for remote assistance. This is done using the Windows Intune
Center client software you installed on the managed computer. Click on the Windows Intune Center and
you should see the UI shown in Figure 16:

FIGURE 16: WINDOWS INTUNE CENTER

The RA feature uses Microsoft Easy Assist to enable an RA session. Once the user has clicked the
Microsoft Easy Assist option, a Remote Assistance Alert is sent to the Windows Intune service.
Note: Microsoft recommends that you setup E-Mail Notifications for Remote Assistance alerts to ensure
that emails are sent to administrators automatically to help minimize the wait time for an end-user. See
the Set up Alerts Notifications section of this guide for information on setting these up.
17

The following steps will take you through the process of responding to a RA request:
1. From the Windows Intune Administration console, click the Alerts Tab
2. Click Remote Assistance to view Remote Assistance requests.
Note: RA alerts are set as Critical and they will also appear in the Alerts by Type section of both the
Systems Overview workspace and the Alerts Overview workspace.
3. Click on the RA request to see the details of the request, as shown in Figure 17.

4.
5.
6.
7.

FIGURE 17: REMOTE ASSISTANCE REQUEST DETAILS

At the bottom of the RA Details screen, select the Click here to take action link.
In the A New Remote Assistance Request is Pending window, click Accept the remote
assistance request link.
Click Allow on the Internet Explorer Security pop-up to allow the rtcearouter.dll to run.
Enter a Display Name, such as Helpdesk for this RA session; click Join

The Microsoft Easy Assist session Window will now open and you will need to wait until the end-users
computer is joined to the session. This process can take a few minutes depending on the network
bandwidth available. Once the session has been established, the end-user will see the Microsoft Easy
Assist control request windows as shown in Figure 18:

18

FIGURE 18: MICROSOFT EASY ASSIST CONTROL REQUEST WINDOW

At this point the end-user will need to click OK to allow you to see their desktop. Once they do this, you
will be able to see their desktop in a window on your desktop.
8. To control their desktop, click Request Control in the top Left of the RA session window.
The end-user will now be shown the following message in Figure 19:

FIGURE 19: REMOTE ASSISTANCE CONTROL REQUEST

Once the end-user clicks Yes, you will be able to control their computer. Also available during the
session are the options to chat and transfer files to and from the RA session. These options are
accessible using the main session controls. At the end of your support session, Microsoft recommends
that you return to the Administration console and close the original RA alert. This way it will be easier to
identify new requests when they come in.

Working with Multiple Accounts

Up to this point we have assumed that you are responsible for a single Windows Intune environment.
However, Windows Intune can be used for supporting multiple environments from a single Windows
Live ID.
If the Windows Live ID account you logon with has been granted Service (or Tenant) administration
rights to more than one Windows Intune environment, you will be taken to the Multi-Account Console
when you logon, see Figure 20:

19

FIGURE 20: THE WINDOWS INTUNE MULTI-ACCOUNT CONSOLE

When you log on, the Windows Intune service checks if your LiveID is an administrator for more than
one Windows Intune environment. If it is, the service will automatically show the Multi-Account Console
so you can select the accounts you wish to manage. This feature was added specifically to help Service
Providers or large IT support organizations manage multiple customer accounts.
Each line in the list represents the latest account status of the respective managed accounts. As the list
grows, you can use the sort and search features to help get to the information you need fast. For
example, if you need to see which accounts have the most health issues you can click the Sort by:
button to select the health option. See Figure 21:

FIGURE 21: SORT BY:

You can also filter the list by typing a customer name (or part of ) in the Search accounts field. This
allows you to quickly find the account you wish to manage.
To get to the details of a specific account, simply click anywhere on the account line in the console and
you will be taken to the System Overview of that account.
You can check the account you are working in by viewing the account label that is presented in the top
right of the Adminisration Console as highlighted in Figure 22:

20

FIGURE 22: ADMINISTRATION CONSOLE ACCOUNT LABEL

You can switch back to the Multi-account console at any time by clicking the Switch to another account
hyperlink next to the account label.
The Multi-Account Console is designed to make the task of managing a number of different accounts
quick and easy for you.

Summary
Windows Intune simplifies and helps businesses manage and secure PCs using Windows cloud services
and Windows 7, so your computers and end users can operate at peak performance from virtually
anywhere.
This guide has taken you through some of the key tasks you can perform to setup and manage your
computers with the Windows Intune cloud service. We hope you found this guide valuable.
With a paid subscription to Windows Intune, you will also get access to upgrade rights to Windows 7
Enterprise and future version of Windows. To evaluate Windows 7 Enterprise today, visit
http://technet.microsoft.com/evalcenter/cc442495.aspx. To get help with deploying the Windows 7
Enterprise licenses provided with your Windows Intune subscription, visit
http://technet.microsoft.com/windows/dd361745.aspx.
If you are evaluating the 30-day trial and are interested in becoming a Windows Intune, please visit
http://www.microsoft.com/windows/windowsintune/pc-management-how-to-try-and-buy.aspx.

21

For the latest Windows Intune information, visit the Windows Intune website at
http://www.windowsintune.com or visit the Windows Intune team Blog at:
http://blogs.technet.com/windowsintune.

Resources:
Windows Intune Home Page: http://www.windowsintune.com
Windows Intune Online Help: http://onlinehelp.microsoft.com/windowsintune
Windows Intune TechCenter: http://technet.microsoft.com/windows/intune
Windows Intune Team Blog: http://blogs.technet.com/windowsintune
Windows Intune FAQ: http://www.microsoft.com/windows/windowsintune/windowsintune-faq.aspx

22