Updated: December 12, 2012
Now that your account has been set up, there are some steps to go through before you start adding computers and mobile devices to your account.
To help ensure an organization can delegate administrative roles effectively, Windows Intune offers two levels of administrator roles. Both provide access to the Windows Intune administrator consoles:
When you subscribe to Windows Intune, your first User ID automatically becomes a Global Administrator for Microsoft Online Services and a Tenant Administrator for the Windows Intune administrator console. As a Global Administrator for Microsoft Online Services, you have the same privileges across all Microsoft Online Services for your organization, and you can add other Tenant Administrators for the Windows Intune administrator console.
You can create Service Administrators by using the Windows Intune administrator console. These administrators must have a user ID and password, and they must be a member of the Windows Intune user group. If an individual does not have a user ID, a Tenant Administrator must create one by using the Windows Intune account portal and then ensure that the individual is a member of the Windows Intune user group.
The Windows Intune Service Administrator and the Service Administrator displayed in the Windows Intune account portal are two different entities. The Service Administrator for Microsoft Online Services that is displayed in the Windows Intune account portal manages user accounts, groups, and service requests, and monitors service status, but not necessarily the status of the users and devices managed by Windows Intune.
By default, the subscription owner becomes the Tenant Administrator for your Windows Intune service. The Tenant Administrator is the individual who accepted the Microsoft Online Subscription Agreement (MOSA) at the time of purchase, which entitles him or her to perform all tasks in the Windows Intune administrator console.
We recommend that you create at least one extra Tenant Administrator account to help delegate tasks and ensure you don’t get locked out of your Windows Intune account if you forget your password. To create a Tenant Administrator account:
Figure 5. Add Tenant Administrator
The Tenant Administrator account should not be used for day-to-day IT support and management tasks. For that purpose, you should set up Service Administrators. To add Service Administrators:
Figure 6. Add Service Administrator
After you have set up administrators, you can configure the environment into which you will deploy devices. Over the next few pages, we will review some additional steps that we recommend you perform before you start deploying computers or mobile devices into your account.
Windows Intune policies focus on providing you with straightforward settings that help control the security settings on mobile devices, provide computer updates, ensure Endpoint Protection, maintain firewall settings, and enhance the end user experience. These settings apply both to domain-joined computers in any domain and to non-domain joined computers.
To avoid policy conflicts that can result from competing policy management systems, you should ensure that when you deploy the Windows Intune client software, those computers that Windows Intune policy manages do not also receive the same configuration settings from Active Directory Group Policies. For more information, see Planning Around Group Policy in Online Help.
The following procedure describes how to set up a Windows Intune Agent Settings policy for computers.
To set up the default Windows Intune Policies:
For detailed information about specific policy settings, see Policy Settings Reference in Online Help.
After these policies have been deployed, all users or devices inherit these settings as their baseline policy. You can then review and, if required, edit the details of these policies from the Policy workspace.
Before you add computers to the Windows Intune service, consider your requirements for Endpoint Protection. If you have an existing Endpoint Protection application, you should determine whether you want to use Windows Intune Endpoint Protection or continue with the current application. For information about how to implement either approach so that your managed computers are not left in an unsecured state, see Replacing Your Existing Malware Protection and Continuing to Use Your Existing Malware Protection in Online Help.
Remember that Windows Intune-managed computers use additional network bandwidth for Windows Intune-related operations. Before you install the Windows Intune client software, consider the existing network traffic and the increase that will result from implementing Windows Intune. For information about the variables that affect bandwidth planning for Windows Intune and for comprehensive deployment planning guidance, see Planning for Client Deployment and Enrollment in Online Help.