Configure Your Windows Intune Environment
Updated: December 12, 2012
Now that your account has been set up, there are some steps to go through before you start adding computers and mobile devices to your account.
In this article:
- Adding Administrators
- Setting Your Default Policies
- Planning for Endpoint Protection and Managed Computer Bandwidth Usage
To help ensure an organization can delegate administrative roles effectively, Windows Intune offers two levels of administrator roles. Both provide access to the Windows Intune administrator consoles:
- Windows Intune Tenant Administrator: Tenant Administrators have full administrative rights to the Windows Intune administrator console. They can perform all operations in the console, including adding or deleting Windows Intune service administrators. In addition, they can assign other tenant administrators. Note that Tenant Administrators must be assigned in the Windows Intune account portal; you cannot use the Windows Intune administrator console to assign a Tenant Administrator.
|When you subscribe to Windows Intune, your first User ID automatically becomes a Global Administrator for Microsoft Online Services and a Tenant Administrator for the Windows Intune administrator console. As a Global Administrator for Microsoft Online Services, you have the same privileges across all Microsoft Online Services for your organization, and you can add other Tenant Administrators for the Windows Intune administrator console.|
- Windows Intune Service Administrator: Service Administrators have the following two levels of console access:
- Full access: These Service Administrators have full administrative rights to the Windows Intune administrator console and can perform all operations in the console, including adding or deleting other Service Administrators.
- Read-only access: These Service Administrators have read-only rights and cannot modify data in the console; they can only view data in the console and run reports.
You can create Service Administrators by using the Windows Intune administrator console. These administrators must have a user ID and password, and they must be a member of the Windows Intune user group. If an individual does not have a user ID, a Tenant Administrator must create one by using the Windows Intune account portal and then ensure that the individual is a member of the Windows Intune user group.
|The Windows Intune Service Administrator and the Service Administrator displayed in the Windows Intune account portal are two different entities. The Service Administrator for Microsoft Online Services that is displayed in the Windows Intune account portal manages user accounts and groups, handles service requests, and monitors service status, but not necessarily the status of the users and devices managed by Windows Intune.|
By default, the subscription owner becomes the Tenant Administrator for your Windows Intune service. The Tenant Administrator is the individual who accepted the Microsoft Online Subscription Agreement (MOSA) at the time of purchase, which entitles him or her to perform all tasks in the Windows Intune administrator console.
We recommend that you create at least one extra Tenant Administrator account to help delegate tasks and to ensure you don’t get locked out of your Windows Intune account if you forget your password. To create a Tenant Administrator account:
- Log on to the Windows Intune Account Console and click the Users menu item under Management.
- Click the checkbox next to the user you wish to promote to a Tenant Administrator and click Edit, or click New to add a new user.
- Select Settings and under Assign role, click the Yes radio button and select Global Administrator. Figure 5 shows this selection.
- Enter the user’s alternate email address and click Save.
Figure 5. Add Tenant Administrator
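The same procedure, scripted so that it can be repeated and audited, is shown below as an added example; it is not part of the original article. It assumes that the tenant directory behind the Windows Intune account portal can be reached with the Microsoft Online Services Module for Windows PowerShell (MSOnline), in which the portal's Global Administrator role is named "Company Administrator". The user principal name, alternate e-mail address and display name are constructed placeholders.

```powershell
# Added example, not code from the original article.
# Assumption: the MSOnline module is installed and Connect-MsolService is run
# with an existing Tenant Administrator credential (it prompts interactively).
Import-Module MSOnline
Connect-MsolService

$upn      = "backupadmin@contoso.onmicrosoft.com"   # constructed placeholder
$altEmail = "backupadmin@example.com"               # constructed placeholder

# Step 1: create the user account if it does not already exist.
# New-MsolUser generates an initial password when none is supplied and returns
# it on the user object; ForceChangePassword makes the user replace it at first sign-in.
$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-MsolUser -UserPrincipalName $upn `
        -DisplayName "Backup Tenant Administrator" `
        -FirstName "Backup" -LastName "Administrator" `
        -AlternateEmailAddresses @($altEmail) `
        -ForceChangePassword $true
}

# Step 2: assign the Global Administrator role ("Company Administrator" in MSOnline),
# skipping the assignment if the account already holds it.
$role    = Get-MsolRole -RoleName "Company Administrator"
$members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId)
if (-not ($members | Where-Object { $_.EmailAddress -eq $upn })) {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $upn
}

# Step 3: the check behind the article's advice: confirm that more than one
# account holds the role, so a forgotten password on a single account cannot
# lock the organization out of the Windows Intune administrator console.
$members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId)
$members | Select-Object DisplayName, EmailAddress | Format-Table -AutoSize
if ($members.Count -lt 2) {
    Write-Warning "Only one Global Administrator exists; add a second before relying on this tenant."
}
```

Running the script a second time is safe: both the user creation and the role assignment are skipped when they are already in place, and the final listing can be kept as a periodic review of who holds Tenant Administrator rights.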
The Tenant Administrator account should not be used for day-to-day IT support and management tasks. For that purpose, you should set up Service Administrators. To add Service Administrators:
- In the Windows Intune Account Portal, create user accounts for the users that you want to enroll as Service Administrators.
- Log on to the Windows Intune Administration Console and check that those users appear in the All Users group.
- Click Administration and Service Administrators.
- Click Add Administrator to display a window similar to that in Figure 6.
- Enter the User ID and select the access permissions for that user, then click OK.
- Repeat the previous step for all User IDs that you wish to make Service Administrators of this Windows Intune account.
Figure 6. Add Service Administrator
After you have set up administrators, you can configure the environment into which you will deploy devices. The following sections review some additional steps that we recommend you perform before you start deploying computers or mobile devices into your account.
Setting Your Default Policies
Windows Intune policies focus on providing you with straightforward settings that help control the security settings on mobile devices, provide computer updates, ensure Endpoint Protection, maintain firewall settings, and enhance the end user experience. These settings apply both to domain-joined computers in any domain and to non-domain-joined computers.
|To avoid policy conflicts that can result from competing policy management systems, you should ensure that when you deploy the Windows Intune client software, those computers that Windows Intune policy manages do not also receive the same configuration settings from Active Directory Group Policies. For more information, see Planning Around Group Policy in Online Help.|
The following procedure describes how to set up a Windows Intune Agent Settings policy for computers.
To set up the default Windows Intune Policies:
- Open the Windows Intune administrator console.
- In the workspace shortcuts pane, click the Policy icon.
- Under Tasks, click Add Policy.
- In the Create a New Policy dialog box, the following policy templates are displayed in the list of templates in the left pane:
- Mobile Device Security Policy
- Windows Firewall Settings
- Windows Intune Agent Settings
- Windows Intune Center Settings
|For detailed information about specific policy settings, see Policy Settings Reference in Online Help.|
After these policies have been deployed, all users or devices inherit these settings as their baseline policy. You can then review and, if required, edit the details of these policies from the Policy workspace.
Planning for Endpoint Protection and Managed Computer Bandwidth Usage
Before you add computers to the Windows Intune service, consider your requirements for Endpoint Protection. If you have an existing Endpoint Protection application, you should determine whether you want to use Windows Intune Endpoint Protection or continue with the current application. For information about how to implement either approach so that your managed computers are not left in an unsecured state, see Replacing Your Existing Malware Protection and Continuing to Use Your Existing Malware Protection in Online Help.
Remember that Windows Intune-managed computers use additional network bandwidth for Windows Intune-related operations. Before you install the Windows Intune client software, consider the existing network traffic and the increase that will result from implementing Windows Intune. For information about the variables that affect bandwidth planning for Windows Intune and for comprehensive deployment planning guidance, see Planning for Client Deployment and Enrollment in Online Help.