
Getting started with Windows Intune: walkthrough guide

Updated: April 1, 2014

Applies To: Windows Intune

This walkthrough guide helps you to get started using Windows Intune to manage mobile devices and computers in under an hour. If you want to learn more about Windows Intune before using this guide, please see the Windows Intune evaluation guide.

You can complete this walkthrough in 30 minutes to set up a few users and either a few mobile devices or a few computers. With an hour, you can set up both mobile devices and computers, and also complete the optional portion of the walkthrough in which you configure alerts, notifications and reports.

The time required for each task is as follows:

Before you start this walkthrough, you will need the following:

  • Administrator device. A device with a Silverlight-enabled web browser that you can use to access the websites where you, the IT administrator, create user accounts (the Account Portal) and where you manage devices and users (the Administrative Console).

  • A mobile device (or use InPrivate browsing on the administrator device). A second device with a web browser that you can use to access the Company Portal to see how most Windows Intune users will enroll and manage their devices, find and install software, and request help from administrators.

    Note
    Instead of using a second device with a web browser, you can use the “privacy mode” setting on the same browser that you use for Windows Intune administration (for example: in Internet Explorer, you can click Settings > Safety > InPrivate Browsing).

  • Microsoft Organizational ID, if you have one. If you have an existing Microsoft Online Services account, you will need the OrgID and tenant administrator credentials for that account. You don’t need this if you don’t have such an account, or if you want to use this walkthrough for evaluation purposes only.

  • Certificates and Accounts. Depending on which types of devices you will manage in this walkthrough, you might need several certificates (or keys) and accounts to retrieve those certificates:

     

    | Platform | Requirements | More information |
    | --- | --- | --- |
    | Windows Phone 8 and Windows Phone 8.1 | Download the Support Tool for Windows Intune Trial Management of Windows Phone | Follow the installation instructions provided on the support tool download page to enable Windows Phone trial account enrollment. |
    | Windows RT, Windows RT 8.1, or Windows 8.1 devices | There are no requirements for enrolling Windows RT and Windows devices. | To learn more, see Set up your computers to be managed by Windows Intune. |
    | iOS 6.0 or later | Get an Apple Push Notification service certificate. | Request an Apple Push Notification service certificate from Apple, as described in External dependencies for enrolling iOS devices. |
    | Android | None. | Not applicable. |

Whether you Sign Up or Sign In depends on whether your organization already has a Microsoft Online Services organization identifier (OrgID), whether you have an Enterprise Agreement or equivalent volume licensing agreement with Microsoft, and whether you plan to use the subscription that you set up as part of this walkthrough after you evaluate Windows Intune:

Sign Up for a new account if:

  • You don’t have a volume licensing agreement with Microsoft or an Office 365 account. You should sign up for a new account if your organization does not have an Enterprise Agreement or equivalent volume licensing agreement (or an Office 365 account), meaning that you do not have an OrgID that you can use to sign in to Microsoft Online Services.

    OR

  • You will discard your free trial after completing the walkthrough. You should sign up for a new account if you are using your Windows Intune free trial subscription for evaluation purposes only, and you plan to redo your Windows Intune service setup and device provisioning after using this walkthrough guide.

Important
If you sign up for a new account, you cannot later use an existing OrgID to manage that account, or combine it with existing volume licensing agreements.

Sign In with your OrgID if:

  • You have a volume licensing agreement or Office 365 account with Microsoft, and you are using this walkthrough to set up Windows Intune. If you have an Enterprise Agreement or equivalent volume licensing agreement (or an Office 365 account), and you want to use the steps in this walkthrough to set up the Windows Intune service and provision devices for production use, you should sign in with your existing OrgID. This will ensure that your Windows Intune free trial links to your existing Microsoft Online Services.

  1. On the Windows Intune webpage, go to the Try tab and click Sign up for a Windows Intune free 30-day trial.

  2. On the Sign up page you have two options:

    • Subscribe using the same account you use to subscribe to other Microsoft cloud services: Click Sign in if you already subscribe to a Microsoft cloud service, such as Office 365, and want to use the same account to subscribe to both services. When you use the same account for multiple services, those services use the same Microsoft Azure AD infrastructure and are tenants of Azure AD. Azure AD provides the core directory and identity management capabilities for Microsoft cloud services.

    • Subscribe to Windows Intune only: If you do not yet subscribe to a cloud service, complete the form on the sign-up page to subscribe to Windows Intune.

       

      | Fields | More information |
      | --- | --- |
      | Country or region | This sets the Microsoft Azure region where the data you use with Windows Intune is located. This also determines billing and applicable taxes for the cloud service. This selection determines the fields that appear later in this form where you specify your physical address. |
      | Organization language | This sets the language that you want to use for business communications from Microsoft. |
      | First name, and Last name | These are associated with the initial user account that Windows Intune creates to manage your subscription. |
      | Organization name | The organizational name is typically your company name, and is the name that will display to users who interact with your subscription. |
      | Address (various) | This is the mailing address of your organization. |
      | Email address | The email address that you provide is where you receive service information, billing, and details for password resets. Additionally, promotional information that you choose to receive is sent to this address. |
      | New domain name | Specify a domain name to use with onmicrosoft.com. This domain name is free with your trial or paid subscription. By default, this domain name is associated with your subscription and user accounts that you add to Windows Intune. After you subscribe, you can add and use a domain name that you already own, or continue to use the free onmicrosoft.com domain. |
      | New User ID, and password | Specify an account name and password for the initial tenant administrator account for your subscription. This can be any name you choose and will be associated with the first name and last name you provided in this same form. |

After you complete the form and accept the Microsoft Online Subscription Agreement:

  • You are automatically signed in to the Windows Intune account portal with the tenant administrator account.

  • An email message that contains your account information is sent to the email address that you provided during sign-up. This confirms your subscription is active.

Now that your account has been set up, you should add user accounts that will be used by other users of Windows Intune.

You use the New users wizard to add individual user accounts. Follow the procedure below to create at least three additional user accounts, with unique names for each user. Each user account that you add counts against the 25 licenses that are available to you as part of your Windows Intune free trial.

To learn more about adding users, see Set up Windows Intune.

  1. In the Windows Intune account portal, click Users > New.

  2. Click User to start the New users wizard.

    1. On the Details page, complete the required fields.

    2. On the Settings page set the location for the user.

    3. On the Group page, click Next to accept the default and assign a license for Windows Intune to the user’s account. This will count against the set of 25 licenses that you have available as part of your free trial.

    4. On the Email page, specify up to five email addresses that will receive notification of the user name and temporary password for the account. Separate multiple email addresses by semicolons (;). When ready, click Create to add the user to your subscription.

    5. On the Results page you can view the new account name and its temporary password. Windows Intune automatically creates the temporary password.

The new user now appears in the Users node of the account portal.

  1. In the Windows Intune administrator console, click Administration > Company Portal, and then scroll to the bottom of the screen. Copy the URL shown under Windows Intune company portal.

  2. Open a new browser window in “privacy mode” (in Internet Explorer, click Settings > Safety > InPrivate Browsing), or on a different device, and then navigate to the URL that you copied in the previous step. When the user signs in for the first time, they must provide a new password for the account.

Groups in Windows Intune give you great flexibility for managing your devices and users. You can set up groups to suit your organizational needs (for example, by geographic location, department, or hardware characteristics). You can use groups to perform a wide variety of administrative tasks at scale, from setting policies for a set of users to deploying applications to a set of devices.

To learn more about using groups, see Use groups to manage users and devices in Windows Intune.

  1. In the Windows Intune administration console, click Groups > Overview > Create Group.

  2. For the Group name, type “My Trial Devices” and from the parent group list, select All Devices, and then click Next.

  3. On the Define Membership Criteria page, select All devices, to indicate that the group includes both mobile devices and computers.

  4. On the Define Direct Membership page, click Next. If we had created a group that did not include all devices, and we wanted to add specific devices to our new group, we could do that here.

  5. On the Summary page, review the actions that will be taken, and then click Finish.

The newly created group can be found in the Groups list, in the Groups workspace, under All Devices. From here, you can also edit or delete the group.

  1. In the Windows Intune administration console, click Groups > Overview > Create Group.

  2. For the Group name, type “My Trial Users” and from the parent group list, select All Users, and then click Next.

  3. On the Define Membership Criteria page, next to Exclude members from these security groups, click Browse and then select Company Administrator. This exclusion will let you manage the My Trial Users group without affecting the Company Administrator account (also known as the tenant administrator).

  4. On the Define Direct Membership page, click Next. You don’t need to do anything here because you want the My Trial Users group to include all users, except for the Company Administrator.

  5. On the Summary page, review the actions that will be taken, and then click Finish.

The newly created group can be found in the Groups list, in the Groups workspace, under All Users. From here, you can also edit or delete the group.

Windows Intune policies provide you with straightforward settings that help control the security settings on mobile devices, maintain Windows Firewall and Endpoint Protection settings for computers, and deploy applications. If you are planning to use the service or devices that you configure in this walkthrough for real, production use (instead of just evaluation), it is absolutely essential that you follow the instructions found in Configure policy for mobile devices in Windows Intune and Help secure your computers with Endpoint Protection and Windows Firewall policy for Windows Intune. In this walkthrough, you will set up a mobile device security policy and a computer firewall policy, and then prepare to deploy an app to mobile devices after they are enrolled.

  1. Open the Windows Intune administration console.

  2. In the workspace shortcuts pane, click the Policy icon.

  3. In the Tasks list on the Policy Overview page, click Add Policy.

  4. Select Mobile Device Security Policy, click Create and Deploy a Policy with the Recommended Settings, and then click Create Policy.

  5. A confirmation message appears that prompts you to confirm whether you want to deploy the policy now. To deploy the policy, click Yes.

  6. In the Manage Deployment dialog box, select All Users to deploy the policy to all users that you manage, click Add, and then click OK.

By creating this policy, you have ensured that mobile devices enrolled in Windows Intune will:

  • Lock after 15 minutes of inactivity

  • Require a password to unlock

  • Permit only four repeated sign-in failures before being wiped

  1. Open the Windows Intune administration console.

  2. In the workspace shortcuts pane, click the Policy icon.

  3. In the Tasks list on the Policy Overview page, click Add Policy.

  4. Select Windows Firewall Settings, click Create and Deploy a Policy with Recommended Settings > Create Policy.

  5. A confirmation message appears that prompts you to confirm whether you want to deploy the policy now. To deploy the policy, click Yes.

  6. In the Manage Deployment dialog box, select the user group My Trial Users to deploy the policy to all users that you manage, click Add, and then click OK.

By creating this policy, you have ensured that computers enrolled in Windows Intune will:

  • Turn on the Windows Firewall at all times (whether on a domain, a private network, or a public network)

  • Notify the user when Windows Firewall blocks a new program (whether on a domain, a private network, or a public network)
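To confirm on an enrolled computer that the two outcomes listed above actually took effect, you can read the firewall profiles locally. The following is an added example, not part of the original walkthrough or of Windows Intune; the function name `Test-FirewallBaseline` and its output fields are assumptions, and the sample objects are constructed.

```powershell
# Added example (not from the Windows Intune walkthrough).
# Checks the two outcomes the walkthrough lists for the firewall policy:
#   1. Windows Firewall is on for the Domain, Private and Public profiles.
#   2. The user is notified when the firewall blocks a new program.
# Requires the NetSecurity module (Windows 8 / Windows Server 2012 or later).

function Test-FirewallBaseline {
    [CmdletBinding()]
    param(
        # Profile objects to evaluate. Defaults to the effective settings on
        # this computer (ActiveStore = merged result of all policy sources).
        [object[]] $FirewallProfile = (Get-NetFirewallProfile -PolicyStore ActiveStore)
    )

    foreach ($name in 'Domain', 'Private', 'Public') {
        $p = $FirewallProfile | Where-Object { $_.Name -eq $name } | Select-Object -First 1

        if (-not $p) {
            # A missing profile is treated as a failure, never as a pass.
            [pscustomobject]@{
                Profile       = $name
                FirewallOn    = $false
                NotifyOnBlock = $false
                Compliant     = $false
                Finding       = 'Profile not reported'
            }
            continue
        }

        # Compare as strings so the check works for the cmdlet's enum values
        # and for the constructed sample objects below.
        $on     = ([string]$p.Enabled -eq 'True')
        $notify = ([string]$p.NotifyOnListen -eq 'True')

        $findings = @()
        if (-not $on)     { $findings += 'Firewall is off' }
        if (-not $notify) { $findings += 'No notification when a program is blocked' }

        [pscustomobject]@{
            Profile       = $name
            FirewallOn    = $on
            NotifyOnBlock = $notify
            Compliant     = ($on -and $notify)
            Finding       = ($findings -join '; ')
        }
    }
}

# Constructed sample: a computer whose Private and Public profiles have drifted.
$sample = @(
    [pscustomobject]@{ Name = 'Domain';  Enabled = 'True';  NotifyOnListen = 'True'  }
    [pscustomobject]@{ Name = 'Private'; Enabled = 'True';  NotifyOnListen = 'False' }
    [pscustomobject]@{ Name = 'Public';  Enabled = 'False'; NotifyOnListen = 'True'  }
)
Test-FirewallBaseline -FirewallProfile $sample | Format-Table -AutoSize

# On a managed computer, evaluate the live settings and show only deviations:
# Test-FirewallBaseline | Where-Object { -not $_.Compliant }
```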

  1. In the Windows Intune administrator console, click Software > Managed Software > Add Software. If prompted, enter your Windows Intune credentials.

    Note
    When you start the Windows Intune Software Publisher for the first time, a short delay occurs while the application is installed.

  2. On the Before you begin page, click Next.

  3. On the Software setup page, select External link in Select how this software is made available to devices.

  4. Enter the external link for the software in Specify the URL, and then click Next. Depending on which mobile device platform you are using for this walkthrough, you should use one of the following links:

    1. iOS: https://itunes.apple.com/us/app/microsoft-lync-2010-for-iphone/id484293461?mt=8

    2. Android: https://play.google.com/store/apps/details?id=com.microsoft.office.lync15

    3. Windows Phone 8 or Windows Phone 8.1: http://www.windowsphone.com/en-us/store/app/lync-2013/d85d8a57-0f61-4ff3-a0f4-444e131d8491

  5. On the Software description page, provide the information that you want users to see in the company portal for the software, and then click Next. The following settings are available:

     

    | Setting | Details |
    | --- | --- |
    | Publisher | Enter the name of the publisher: Microsoft. |
    | Name | Enter Microsoft Lync. |
    | Description | Enter a description for the software. (Lync messaging and videoconferencing app) |
    | Category | Select the category that best fits this software: Collaboration |
    | Display this as a featured app and highlight it in the company portal | Select this option to display the app prominently in the company portal on mobile devices. |
    | Icon | Choose whether to associate an icon with the software. The maximum size for the icon is 250 x 250 pixels. The recommended size is 32 x 32 pixels. This setting is optional, so skip it for this walkthrough. |

  6. On the Summary page, verify the software information, and then click Upload. Click Close to exit the wizard.

  7. In the Windows Intune administrator console, click Software > Managed Software > Manage Deployment.

  8. Click Microsoft Lync.

  9. On the Select Groups page, select My Trial Users to deploy the software to that user group, and then click Next.

  10. On the Deployment Action page, select Available Install from the Approval column for each group.

  11. Click Finish.

The Microsoft Lync app will now be available to install on mobile devices from the company portal. But first, we need to install Windows Intune software on mobile devices and computers.

There are a wide variety of ways that a user can install the Windows Intune client software on computers: they can use an installer provided by the administrator to manually enroll, or Windows Intune software can be included in an OS image or deployed using Group Policy. They can also self-enroll their computers. For this walkthrough, we will use the self-enrollment approach.

When users self-enroll their computers through the Windows Intune company portal, each enrolled computer is linked to the user account that was used to install the client software.

To learn more about computer management using Windows Intune, see Set up your computers to be managed by Windows Intune.

Note
  • The user must be an administrator on the computer to install the client software.

  • Self-enrolling requires that Internet Explorer is installed on the client computer.

  • Each time a user self-enrolls a computer, it uses a Windows Intune license.

  • You must use a Microsoft Online Services ID to self-enroll a computer. This is the OrgID that you used to sign in, or the administrator account that was created when you signed up for the free trial.

  • If the client software is already installed on a computer, the end-user will receive an error.

  1. In the Windows Intune administrator console, click Administration > Company Portal, and then scroll to the bottom of the screen. Copy the URL shown under Windows Intune company portal.

  2. Use Internet Explorer to browse to the company portal URL that you acquired in the previous step, and log in with your administrator credentials.

  3. Click Add Device.

  4. Click Download Software and then click Run.

  5. Click Next to start the Windows Intune Setup Wizard.

  6. When the Setup Wizard has completed, click Finish.

Before you enroll mobile devices, you must complete the Prerequisites for your mobile devices, as discussed in the introduction of this walkthrough. You must also Set the Mobile Device Management Authority for Windows Intune.

After you are done with those tasks, you can set up direct management of mobile devices, and then enroll those devices and install Microsoft Lync.

To learn more about mobile device management using Windows Intune, see Set up and manage mobile devices using Windows Intune.

At this point you must have the Windows Phone 8 company portal app signed with your certificate.

  1. In the Windows Intune administrator console, click Administration.

  2. Click Mobile Device Management, and then click Windows Phone.

  3. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.

  4. Click Upload Signed App File and sign in to the Windows Intune Software Publisher Wizard.

  5. On the Software setup page for Specify the location of the software setup files, browse to the signed Windows Phone 8 company portal app that you generated when you completed the prerequisites.

  6. Add the .pfx file that you exported in the Windows Phone 8 prerequisites to Code-signing certificate and create a password for the certificate.

  7. On the Software description page, complete the fields and keep in mind that users will see this information on their devices.

  8. Complete the wizard.

The company portal can now be automatically deployed to all users who enroll Windows Phone devices.

Before setting up direct management for iOS, you must have completed the Prerequisites. At this point, you must have the APNs certificate from Apple.

  1. In the Windows Intune administrator console, click Administration, click Mobile Device Management, and then click iOS.

  2. Click the link to Upload an APNs Certificate and select the APNs Certificate that you downloaded as part of the iOS prerequisites.

    Note
    If you use Internet Explorer to download the APNs certificate, you will receive an error saying that the file is not valid when you try to upload it in the Windows Intune administrator console. To download the file properly with Internet Explorer:

    1. After you create the certificate and are prompted to save or open the file, click Cancel.

    2. Sign out of the Apple Push Certificates Portal and sign in again.

    3. On the Certificates for Third-Party Servers page, download the most recent APNs certificate that was created.

    4. In the Windows Intune administrator console, click Upload the APNs certificate and browse to the MDM_Microsoft_Corporation_Certificate.pem file that you downloaded previously.

  3. We recommend that you enter your Apple ID when prompted. Doing so saves the Apple ID that you used to create the certificate in Windows Intune, so that upon annual renewal, Windows Intune can remind you which Apple ID you used.
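Because a bad download is only reported as "not valid" at upload time, and the certificate has to be renewed annually, it helps to inspect the .pem file before uploading it. The following is an added example, not part of the original walkthrough; the function name `Test-ApnsCertificateFile`, the `-WarnDays` parameter and its 30-day default are assumptions, and the demo file is constructed.

```powershell
# Added example (not from the Windows Intune walkthrough).
# Confirms that a downloaded file really is a PEM-encoded X.509 certificate
# and reports how long it remains valid.

function Test-ApnsCertificateFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [int] $WarnDays = 30   # assumption: warn this many days before expiry
    )

    $result = [ordered]@{
        Path = $Path; IsCertificate = $false; Subject = $null
        NotAfter = $null; DaysLeft = $null; Status = $null
    }

    # [string] turns an empty file ($null) into '' so the regex call is safe.
    $text = [string](Get-Content -LiteralPath $Path -Raw)
    $pattern = '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    $m = [regex]::Match($text, $pattern)
    if (-not $m.Success) {
        $result.Status = 'No PEM certificate block found: download the file again'
        return [pscustomobject]$result
    }

    try {
        $der  = [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $der)
    }
    catch {
        $result.Status = "PEM block does not decode to a certificate: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    $now = Get-Date
    $result.IsCertificate = $true
    $result.Subject  = $cert.Subject
    $result.NotAfter = $cert.NotAfter
    $result.DaysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    if     ($now -lt $cert.NotBefore)        { $result.Status = 'Not yet valid' }
    elseif ($now -gt $cert.NotAfter)         { $result.Status = 'Expired: renew before uploading' }
    elseif ($result.DaysLeft -le $WarnDays)  { $result.Status = 'Valid, renewal due soon' }
    else                                     { $result.Status = 'Valid' }

    [pscustomobject]$result
}

# Constructed demo: a file that is not a certificate is rejected before upload.
$tmp = Join-Path $env:TEMP 'constructed-bad-download.pem'
Set-Content -LiteralPath $tmp -Value 'constructed placeholder text, not a certificate'
Test-ApnsCertificateFile -Path $tmp
Remove-Item -LiteralPath $tmp

# For the real file, pass the path where you saved it:
# Test-ApnsCertificateFile -Path .\MDM_Microsoft_Corporation_Certificate.pem
```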

Now that you have set up direct management for mobile devices, you can enroll devices.

Each platform has its own company portal app:

 

| Mobile Device Platform | Name of app | Location | Installation Method |
| --- | --- | --- | --- |
| Windows 8.1, Windows RT 8.1, Windows RT | Company Portal | Windows Store | Direct User Installation |
| Windows Phone 8 and Windows Phone 8.1 | Windows Intune Company Portal for Windows Phone | Microsoft Download Center Only: Windows Phone 8 company portal app | IT Deployment |
| iOS | Windows Intune Company Portal | App Store | Direct User Installation |
| Android | Windows Intune Company Portal | Google Play | Direct User Installation |

Enrollment establishes a relationship between the user, the device, and the Windows Intune service. Users enroll their own mobile devices. The following sections describe enrollment for Windows Phone 8 and Windows Phone 8.1, iOS, and Android.

Note
If your subscription to Windows Intune is close to expiration, you must unenroll all devices prior to expiration to ensure company content is removed from devices, and to avoid the need to wipe those devices to manage them in the future.

  1. From the Windows Phone device, go to Settings, and then do the following:

    • For Windows Phone 8: choose company apps > add account.

    • For Windows Phone 8.1: choose Workplace > add account.

  2. You will be asked to provide user credentials for one of the user accounts that you created previously. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone device.

  3. Select Install company app or Hub to install the company portal app and enroll the device.

  4. Open the Company Portal on the device, choose Apps, and then install Microsoft Lync.

  1. On the iOS device, browse to http://m.manage.microsoft.com from the Safari browser, and log in using the user credentials for one of the user accounts that you created previously.

  2. Choose Install to install the Windows Intune management profile. You will need to confirm your choice to install this profile several times, and also enter your passcode.

  3. Return to the Safari browser and browse to http://m.manage.microsoft.com, and then install the Microsoft Lync app from the company portal.

This walkthrough shows you how to enroll iOS devices without installing a Company Portal app, but you can also use the Windows Intune Company Portal app (available from the iOS App Store) to enroll and manage your devices. For more information, see Enroll mobile devices using the Windows Intune Company Portal.

  1. On the Android device, install the Windows Intune Company Portal app, available on Google Play.

  2. After the company portal app is installed, open the app and sign in using the user credentials for one of the user accounts that you created previously.

  3. When prompted to activate device administrator, choose Activate.

  4. Open the Company Portal on the device, choose Apps, and then install Microsoft Lync.

In the Windows Intune administrator console, alerts are used to quickly assess the overall health of managed devices in your organization. You can configure and customize alerts so that they report and display only the information you need for your organization. You can set whether an alert is enabled or disabled, configure the severity, use the display threshold to determine how frequently an alert event must be triggered before an alert is displayed, and also configure settings that are specific to certain types of alerts.

Notifications are used to inform administrators (and other users) using e-mail when certain types of alerts are triggered.

Reports are used to answer a range of questions, such as how many computers have a particular application or update installed, what malware was blocked, or which users needed Remote Assistance over the last month.

To learn more about alerts, notifications, and reports, see Monitoring and reporting with Windows Intune.

  1. In the Windows Intune administrator console, click Alerts > Overview > Configure Alert Type Settings.

  2. Click the search box, type “malware”, and then click the search icon.

  3. Right-click Investigate New Malware > Configure. Note that this alert is part of the Endpoint Protection category.

  4. In the Severity list, change the alert severity to Critical, and then click OK.

Now that we have increased the severity of this alert, let’s set up a notification to ensure that our malware expert is informed whenever this alert is triggered.

  1. In the Windows Intune administrator console, click Alerts > Overview > Configure Alert Type Settings.

  2. Click Notification Rules, and then click Create New Rule.

  3. Complete Step 1 of the Create Notification Rule Wizard as follows:

    • Name: type “Critical Malware Alerts”.

    • Select the categories that apply: choose Endpoint Protection.

    • Select the alert severity: choose Critical.

  4. Complete Step 2 of the wizard by selecting All Devices, and then clicking Next.

  5. Complete Step 3 of the wizard by choosing e-mail addresses that will be notified.

As a result of creating this notification, all critical endpoint protection alerts (including the one that you configured to be critical in the previous section) will generate an e-mail notification to the list of recipients that you provided.

  1. In the Windows Intune administrator console, click Reports > Mobile Device Inventory Reports.

  2. Under Select device groups, click Edit, and then clear the checkbox for All Devices and select the checkbox for My Trial Devices.

  3. Click Save As, and for the name, type “My Trial Device inventory”.

You now have a report that shows you the inventory for all devices in the My Trial Devices group that you created earlier in this walkthrough.

 
© 2014 Microsoft