
Windows Intune Technical FAQs

Updated: November 1, 2013

Applies To: Windows Intune

Windows Intune is an integrated, cloud-based client management solution that provides tools, reports, and upgrade licenses to the latest version of Windows. Windows Intune helps keep your computers up-to-date and secure, and lets your users more securely access and install targeted licensed software applications and perform other common tasks, from virtually anywhere. If you are preparing to use Windows Intune for device management or user-centric management in your environment or if you are already using Windows Intune, the following answers to frequently asked technical questions may be helpful.

If you are evaluating whether to use Windows Intune in your environment, you can find helpful information in the Frequently Asked Questions on the Windows Intune product website.

The following are answers to frequently asked questions about operating system requirements for Windows Intune and supported devices.

You can install the Windows Intune client software on computers that are running any of the following Windows operating systems:

  • Windows XP Professional, Service Pack (SP) 3

  • Windows Vista Enterprise, Ultimate, or Business editions

  • Windows 7 Enterprise, Ultimate, or Professional editions

  • Windows 8 Enterprise or Pro editions

  • Windows 8.1 Enterprise or Pro editions

For more information about requirements for running the Windows Intune client software, see Windows Intune Client Software Requirements.

Note
Windows Intune does not require client software to be installed on mobile devices.

Windows Intune provides a unified discovery experience across computers and mobile devices and protection of corporate data on mobile devices that are connected through Mobile Device Management and Exchange ActiveSync.

Additionally, you can make licensed internal line-of-business software applications and links to store applications available for users to access and install on mobile and tablet devices that run the following operating systems:

  • Windows Phone 8

  • iOS

  • Android

  • Windows RT

For more information about the benefits of using Windows Intune to support mobile devices, see the next FAQ, “What are the benefits of and requirements for using Windows Intune to support mobile devices,” and Mobile Device Management Capabilities in Windows Intune.

Windows Intune uses both direct management of mobile devices and Microsoft Exchange ActiveSync to integrate users’ mobile and tablet devices with your business infrastructure, and to enforce your organization’s mobile device access policies. Using Windows Intune direct management and Exchange ActiveSync provides you with the following benefits:

  • Unified management experience across computers and mobile devices

    • A single console to manage computers and mobile devices

    • User-centric views for device inventory

    Note
    When you use Exchange ActiveSync to manage mobile devices, Windows RT, Windows Phone 8, and iOS devices are automatically discovered.

  • The ability to help protect corporate data on mobile devices when you:

    • Deploy policies to user groups to help secure corporate data that is stored on mobile devices (including password, encryption and attachments).

    • Define mobile device access rules by device family and device model to set which mobile devices can access Exchange ActiveSync.

    • Enroll, rename, and unenroll devices.

    • Retire mobile devices with the option to wipe the mobile device (for lost or stolen devices).

Using Windows Intune direct management provides you with the following additional benefits:

  • You can distribute applications to users in either of the following ways:

    • External link: You can provide a link address to an application on the Windows Store. In addition, this web link can be to a web-based application that runs on the device through the device’s web browser.

    • Software installer: You can provide a signed application package that is uploaded to the Windows Intune service directly and then sideloaded onto managed devices.

  • Users can contact IT from their mobile devices.

  • Users can discover and download internally developed line-of-business applications.

  • You can provide richer management through additional policy settings.

    Note
    If a device is managed by both Windows Intune direct management and Exchange ActiveSync policy settings, the more secure policy settings will be applied.

  • You can manage Windows RT, Windows Phone 8, Android, and iOS devices without any on-premise infrastructure setup requirements.

For Windows Intune to support Exchange ActiveSync, your environment must have AD DS synchronization so that your local users and groups are synchronized to the cloud. Also, you need to download and install the Windows Intune Exchange Connector and configure it to work with your on-premises Exchange Server 2010 Service Pack 1 or later with Exchange ActiveSync enabled. Additional steps include:

  • Enabling domain verification

  • Activating synchronized users for Windows Intune

  • Ensuring that the computer that hosts the Windows Intune Exchange Connector meets the necessary requirements

  • Setting permissions on Windows PowerShell cmdlets (required for downloading and installing the Windows Intune Exchange Connector)

For more information about mobile device management requirements, see Planning and Requirements for Exchange ActiveSync Management of Mobile Devices with Windows Intune.

The following are answers to frequently asked questions about how to sign up for Windows Intune and using the Windows Intune account portal.

To sign up for a free trial of Windows Intune, use the following procedure. The trial can be used on up to 25 devices.

  1. Go to the Windows Intune Try and Buy page, and then click the trial sign-up link.

    Important
    If you are using any other Microsoft Online Service such as Microsoft Office 365, on the Sign up page, click the Sign in link and sign in with the same user ID that you are using for the other Microsoft Online Service.

    If you are not using another Microsoft Online Service, proceed to Step 2.

  2. Select the country or region where your organization will use Windows Intune, and then select the language that you want to use for business communications.

  3. Type your first and last names and your organization name. Your first and last name will be displayed on the Windows Intune account portal after you sign in.

  4. Type the complete mailing address of your organization. Note that the email address that you provide is where you will receive password reset information if you forget your password and request a reset. Service, billing, and promotional information that you choose to receive will also be sent to this email address.

  5. Type a descriptive name for your new domain so that it is in the following format: contoso.onmicrosoft.com. Click Check availability to ensure that the domain name is available.

  6. Type a user name, and then type a password. Retype the password to confirm it.

  7. Type the numbers and letters that you see in the picture box. The characters are not case-sensitive. This step confirms that a person—not an automated program—is signing up for an account.

  8. Review the service agreement, and if you agree, click I accept and continue to complete the sign-up process.

    After you sign up, you are automatically signed in to the account portal as an administrator.

  9. An email message that contains your account information is sent to the email address that you provided during the sign-up process, to confirm that the account is active. Keep this email message to refer to if you forget your user ID or the website address where you sign in to Windows Intune.

    You can click the link that is included in that email or go to the Windows Intune administrator console at https://admin.manage.microsoft.com or the Windows Intune account portal at https://account.manage.microsoft.com and sign in.

Prior to the Windows Intune April 2012 Pre-Release, the Microsoft Online Customer Portal (MOCP) was used for Windows Intune account management. The Windows Intune account portal replaces MOCP. The Windows Intune account portal lets you manage your Windows Intune subscription and specify the users who can access Windows Intune. From the Windows Intune account portal, you can review guidance and download tools to set up single sign-on or Active Directory synchronization, manually add user accounts and security groups (if Active Directory Domain Services is not deployed in your environment), activate synced users (if AD DS is deployed in your environment), set up and manage service settings, check service status, access online Help, and purchase subscription licenses. You can also access the Windows Intune administrator console and the Windows Intune company portal. Users can access the Windows Intune account portal to change their password. For more information, see the Windows Intune account portal online Help.

By default, when you subscribe to Windows Intune, you become a global administrator for Microsoft Online Services and a tenant administrator for the Windows Intune administrator console. As a global administrator for Microsoft Online Services, you have the same privileges across all Microsoft Online Services for your organization, and you can add other tenant administrators for the Windows Intune administrator console. Windows Intune tenant administrators have full administrative rights to the Windows Intune administrator console. They can perform all operations in the console, including adding or deleting Windows Intune service administrators. Tenant administrators must be assigned in the Windows Intune account portal.

Important
We recommend that you designate at least two global administrators in your organization for Windows Intune. Doing this ensures that if one global administrator leaves your organization, at least one other remaining global administrator is available if needed to elevate users to the global administrator role.

Windows Intune service administrators can have either of the following levels of console access: Full access or read-only access.

  • Full access: These service administrators have full administrative rights to the Windows Intune administrator console and therefore they can perform all operations in the console, including adding or deleting other service administrators.

  • Read-only access: These service administrators have read-only rights and therefore they cannot modify data in the console; they can only view data in the console and run reports.

You can assign service administrators by using the Windows Intune administrator console. These administrators must have a user ID and password, and they must be a member of the Windows Intune user group. If an individual does not have a user ID, a tenant administrator must use the Windows Intune account portal to create a user ID for him or her and then ensure that the individual is a member of the Windows Intune user group.

Note
The Windows Intune service administrator is not the same as the service administrator that is displayed in the Windows Intune account portal. The service administrator for Microsoft Online Services that is displayed in the Windows Intune account portal manages service requests and monitors service health. For information about how to add a Windows Intune service administrator, see Adding and Managing Administrators in Windows Intune.

You can also delegate administrator permissions. For information, see the next FAQ question, “Can I delegate administrator permissions for Windows Intune?”

For more information about Microsoft Online Services and Windows Intune administrator roles and how to assign administrator roles, see Assigning Administrator Roles.

Yes. You can delegate administrators by using the Windows Intune account portal. There are two types of delegated administrators:

  • Delegated Administrator Partner (DAP): These delegated administrators have full administrative access to the Windows Intune administrator console.

    Important
    If you are using another Microsoft Online Service, be aware that Delegated Administrator Partners are granted full access to all Microsoft Online Services for your organization, not just to Windows Intune.

  • Delegated Helpdesk Partner (DHP): These delegated administrators are read-only administrators for Windows Intune, and therefore they cannot modify data in the Windows Intune administrator console; they can only view data in the console and run reports.

    Note
    If you are using another Microsoft Online Service, be aware that Delegated Helpdesk Partners are granted access to all Microsoft Online Services for your organization, not just to Windows Intune.

The following are answers to frequently asked questions about using Windows Intune for device and user-centric management.

With this release of Windows Intune, you can target available licensed software and deploy policies to user groups. You can also let users access the Windows Intune company portal to perform common tasks without involving their IT help desk. The Windows Intune company portal enables users to add their own computers or devices to Windows Intune, so that they can be managed by Windows Intune, and to remove devices that no longer need to be managed by Windows Intune. Users can also install licensed software applications that you make available through the company portals, the Windows Store, or through external links.

For users and security groups to appear in the Windows Intune administrator console, you must sign in to the Windows Intune account portal and do one of the following:

  • Manually add users or security groups, or both, to the account portal. For information, see the Windows Intune Getting Started Guide.

  • Use Active Directory synchronization to populate the account portal with synchronized users and security groups. After the synchronized users and security groups are added to the account portal, you must activate the synchronized users and assign them membership in the Windows Intune user group to manage them in the Windows Intune administrator console. You do not need to activate the synchronized security groups. For information about how to activate synchronized users and add them to the Windows Intune user group, see the Windows Intune Getting Started Guide.

    The Windows Intune user group is not a security group, but a group that enables you to identify users who are to be managed by Windows Intune. After you add users to the Windows Intune user group in the Windows Intune account portal, they appear in the list of users in the Windows Intune administrator console and are available to be managed.

To synchronize users and security groups in Active Directory with Windows Intune, you need to do the following:

  1. Synchronize your on-premises Active Directory users and security groups with Windows Azure Active Directory (the cloud) by using Directory synchronization (DirSync). Note that you cannot filter users during this step by using domain or OU filtering.

    Note
    By default, you can synchronize the following number of on-premises Active Directory objects to Windows Azure Active Directory:

    • 20,000, if you set up your Windows Azure Active Directory account before May 1, 2012.

    • 50,000, if you set up your Windows Azure Active Directory account on or after May 1, 2012.

    This number includes user accounts, security groups, and contacts. If you need to synchronize more than the applicable number of objects noted in this topic, you will need to contact support.

  2. Synchronize Windows Azure Active Directory with Windows Intune.

    After users are synchronized, you can restrict the number of users that are managed in Windows Intune and appear in the Windows Intune administrator console. To specify which users are managed in Windows Intune, you must activate the synchronized users in the Windows Intune account portal.

For information about synchronizing your on-premises Active Directory users and security groups with Windows Azure Active Directory (the cloud) and synchronizing Windows Azure Active Directory with Windows Intune, see the Windows Azure Active Directory online Help. For information about how to activate synchronized users and add them to the Windows Intune user group, see the Windows Intune Getting Started Guide.

The following are answers to frequently asked questions about downloading the client software on computers that you want to manage and enrolling clients.

Note
Windows Intune does not require client software to be installed on mobile devices. When your environment is configured to support mobile devices, Windows Intune automatically discovers all the mobile devices that belong to the users who have been added to Windows Intune. The mobile devices appear in the Windows Intune administrator console in the All Devices group, or on the Devices tab in the user properties page for the users to whom the devices are linked.

To start, you need to perform two key tasks:

  • Download the client software and deploy it to the client computers that you want to manage by using Windows Intune.

  • Configure the Windows Intune service. For information about recommended configuration tasks, see “Managing My Environment in the Windows Intune administrator console” later in this topic.

To download the Windows Intune client software, open the Administration workspace, and in the Client Software Download area, download the client software package. For more information, see Downloading the Windows Intune Client Software.

To make sure that Windows Intune can detect and upgrade or service the client software that you install on client computers, do not install the software by downloading and running the client installation file (.msi file) directly from the Internet. Also, do not manually rename the file. If you run the file directly from the Internet, the client software cannot be upgraded or serviced because the file will be downloaded to a temporary directory and renamed during this process.

If you have already downloaded and run the client installation software directly from the Internet, you have to retire and then re-enroll the computer. For information about how to retire a computer, see Retiring a Device by Using the Windows Intune Administrator Console.

After the Windows Intune client software is installed on client computers, the Windows Intune agents communicate with the Windows Intune service to provide the service with data about the clients. The frequencies with which the different agents communicate with the Windows Intune service depend on the workspace (for example, for the Updates workspace, the agent communicates with the Windows Intune service once a day; for the Software workspace, the agent communicates with the service once a week). The names of the client computers appear in the Windows Intune administrator console from a few minutes to 30 minutes after the client software is installed. To locate the computers, in the Windows Intune administrator console, in the workspace shortcuts pane, click Devices, and then click All Devices. For more information, see Validating Windows Intune Client Software Deployment.

Windows Intune informs administrators if client software is installed incorrectly on computers. The client software is composed of agents that report status and perform management activities on the computer. If some of the agents are not reporting status as expected, or if none of the agents have reported status within a specific timeframe, then Windows Intune informs the administrator of that issue through Agent Health messages.

The names of the computers on which you installed the client software should appear approximately 30 minutes after installation. They should appear in the Windows Intune administrator console, in the Groups workspace, under All Devices. If you do not see the names of the computers in this location, a restart may be pending on these computers from previous or recent update installations. If this is the case, restarting these computers should enable the Windows Intune client software to be successfully installed on them.

It may also be possible that your proxy is not allowing the computers to access the Windows Intune service. To resolve this issue, configure the proxy to allow computer access on ports 80 or 443.

The Troubleshooting Windows Intune Client Software Deployment and Enrollment topic is a great resource for information about how to determine whether the Windows Intune client software was installed successfully and for information about how to troubleshoot client health issues.

When you download and run the Windows Intune client software package on a client computer, the software authenticates and enrolls the client in the Windows Intune service, and the first agent, Windows Intune, is installed on the client. After the first agent is installed, the software schedules the remaining agents, applications, and components for download and installation. These agents, applications, and components are updates to the initial Windows Intune client enrollment software package. You can view the updates in the Windows Intune administrator console. The Windows Intune agents, applications, and components that are installed on the client first communicate with the service approximately 30 minutes after enrollment unless a restart is pending on the client.

The Policy agent starts policy enactment, hardware inventory, and software inventory, and then sends the data to the Update for Microsoft Online Management agent by using the following procedure.

  1. Approximately five minutes after installation of the Policy agent, a policy enactment is performed and a marker is set.

  2. The Policy agent wakes up every 60 minutes after the marker is set.

  3. The Policy agent checks at the following time intervals to determine:

    1. If it is 8 hours since the last policy enactment

    2. If it is 8 hours since the last software inventory

    3. If it is 8 hours since the last hardware inventory

    Note
    Every 30 days, a full inventory is collected.

  4. If it is time for a policy enactment or an inventory, the Policy agent performs the action and submits the collected information to the Update for Microsoft Online Management agent.

  5. The Update for Microsoft Online Management agent then sends the report back to the Windows Intune service within approximately 15 to 20 minutes.

  6. The Policy agent waits to start the next cycle. See step 2.
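
The cycle in steps 1 through 6, modelled as an added PowerShell example (not Microsoft's code) to show when actions run and when their reports can reach the service, which bounds how stale console data may be. `Get-PolicyAgentTimeline` and the install time are hypothetical; the model assumes all three 8-hour timers start when the marker is set and leaves out the 30-day full inventory.

```powershell
# Added example: models the Policy agent schedule described in the steps above.
# Requires Windows PowerShell 3.0 or later ([pscustomobject]).
function Get-PolicyAgentTimeline {
    param(
        [Parameter(Mandatory = $true)][datetime]$InstallTime,
        [int]$HoursToModel = 24
    )

    # Step 1: first policy enactment about five minutes after install; marker set.
    $marker = $InstallTime.AddMinutes(5)
    $end    = $InstallTime.AddHours($HoursToModel)

    # Assumption (not stated on the page): all three 8-hour timers start at the marker.
    $lastRun = @{
        'Policy enactment'   = $marker
        'Software inventory' = $marker
        'Hardware inventory' = $marker
    }

    # Steps 2 and 6: the agent wakes every 60 minutes after the marker is set.
    for ($wake = $marker.AddMinutes(60); $wake -le $end; $wake = $wake.AddMinutes(60)) {

        # Step 3: check each action against its 8-hour interval.
        # The keys are copied to an array so the table can be updated in the loop.
        foreach ($action in @($lastRun.Keys | Sort-Object)) {
            if (($wake - $lastRun[$action]).TotalHours -ge 8) {

                # Step 4: perform the action and hand the result to the
                # Update for Microsoft Online Management agent.
                $lastRun[$action] = $wake

                # Step 5: that agent reports to the service within
                # approximately 15 to 20 minutes.
                [pscustomobject]@{
                    WakeTime       = $wake
                    Action         = $action
                    ReportEarliest = $wake.AddMinutes(15)
                    ReportLatest   = $wake.AddMinutes(20)
                }
            }
        }
    }
}

# Constructed install time, for illustration only.
Get-PolicyAgentTimeline -InstallTime ([datetime]'2013-11-01T09:00:00') |
    Format-Table -AutoSize
```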

When the Windows Intune client software is installed on a client computer, multiple agents are installed and activated on the computer. Each agent reports to the Windows Intune service separately.

If you are ready to configure settings in the Windows Intune administrator console so that you can monitor and manage devices in your environment and perform user-centric management tasks, the following are answers to frequently asked questions about managing your environment.

To configure the Windows Intune service, we recommend that you perform the following tasks:

  • Create device groups to target the deployment of policies, updates, and licensed software applications to managed computers. For example, you might want to create such a group to organize all computers in your organization’s corporate headquarters site, and then create additional groups for your additional sites, based on geographical location. Or, you might organize computer groups by the operating systems that computers run or by business function. For information about planning considerations for creating device groups, see Device and User Group Considerations in Windows Intune.

  • If your Windows Intune environment is configured to support users, create user groups so that you can make licensed internal line-of-business software applications available for users to install on their devices if they choose, deploy policies to user groups, and let users add computers that need to be managed by Windows Intune and remove computers that no longer need to be managed by Windows Intune. For information about planning considerations for creating user groups, see Device and User Group Considerations in Windows Intune. For information about making licensed software applications available for users to install, see User Initiated Software Installation in Windows Intune.

  • Determine the kinds of updates that you want to approve and the products in your environment for which you want to approve updates. For step-by-step instructions, see Selecting Product Categories and Classifications to be Updated in Windows Intune.

  • Configure auto approval rules for updates that you know that you want to deploy immediately and set deadlines for installation of approved updates. For step-by-step instructions, see Creating Windows Intune Automatic Update Approval Rules.

  • Create policies by using the simple templates that Windows Intune provides, and then deploy these policies to appropriate device groups and user groups. Policy templates also now include the option to deploy policies with recommended settings, so that you can easily create and deploy policies that implement best practices. For step-by-step instructions, see Creating a Windows Intune Policy.

  • Set up email alert notifications for alert types that can occur in your environment. Notifications will be sent to the email accounts that you specify. For step-by-step instructions, see Configure Windows Intune Alert Notification Rules.

  • Enable mobile device management by setting the mobile device management authority, or configuring the connection between Windows Intune and your on-premises Exchange. For more information, see Planning and Requirements for Exchange ActiveSync Management of Mobile Devices with Windows Intune.

Yes. You can use the Policy workspace to configure Windows Intune policies that control mobile device security, software updates, Windows Intune Endpoint Protection, Windows Firewall settings, and the end-user experience in the Windows Intune Center, which is installed on all computers that are managed by Windows Intune. Computer policies work no matter which domain your computers or users are joined to, or even if they are not joined to a domain. Mobile policies work on any mobile devices that are managed through direct management or are connected to your Exchange environment through Exchange ActiveSync.

Policy templates also now include the option to deploy policies with recommended settings, so that you can easily create and deploy policies that implement best practices.

For step-by-step instructions, see Creating a Windows Intune Policy. For detailed information about policy settings, see Windows Intune Policy Settings Reference.

If you are using Windows Intune in an environment that also includes Group Policy, note that domain-level Group Policy typically takes precedence over Windows Intune policy, unless a domain-joined managed computer cannot connect to the domain controller. If connectivity to the domain controller is unavailable, Windows Intune policy is applied to the managed computer.

To avoid policy conflicts that can occur from having competing policy management systems, we recommend that when you deploy the Windows Intune client software to computers, you ensure that the computers that are managed by Windows Intune policy are not also receiving direction from Group Policy for the same configuration settings. For more information, see Planning Around Group Policy When Using Windows Intune.

We do not recommend this configuration. We recommend that you run either Windows Intune Endpoint Protection or your existing endpoint protection application, but not both.

If another endpoint protection application is installed and Windows Intune Endpoint Protection detects the application, Windows Intune Endpoint Protection will automatically disable itself. However, Windows Intune Endpoint Protection does report on the health of the other endpoint protection application, and it displays that information in the Windows Intune administrator console. If Windows Intune Endpoint Protection does not detect the other endpoint protection application, Windows Intune Endpoint Protection will remain enabled.

To explicitly enable Windows Intune Endpoint Protection on client computers that are running another endpoint protection application that was detected by Windows Intune Endpoint Protection, you have to create a Windows Intune policy, and then deploy it to those computers. To do so, in the Windows Intune administrator console, create a new policy, set the policy value for Enable Endpoint Protection to Yes, and deploy the policy to the appropriate device groups. After you confirm that Windows Intune Endpoint Protection is helping to secure the client computers, you can remove or disable the other endpoint protection application. For more information, see Using Windows Intune Endpoint Protection or an Existing Endpoint Protection Application and Creating a Windows Intune Policy.

Windows Intune collects serial numbers for computers only from Win32_SystemEnclosure.SerialNumber. If a hardware manufacturer does not store the serial number for a computer in this location, Windows Intune cannot report the serial number. For example, if a hardware manufacturer stores serial numbers for computers in Win32_Bios.SerialNumber and Win32_BaseBoard.SerialNumber, the serial numbers for these computers are not displayed in the Windows Intune administrator console.
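
To check in advance whether a computer's serial number will be visible, the following added PowerShell example (not Microsoft's code) reads the three WMI properties named above and says where a usable serial number was found. The function names and the list of placeholder strings are assumptions made for this example.

```powershell
# Added example. Uses Get-WmiObject so it also runs on Windows PowerShell 2.0.

function Test-UsableSerial {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value) -or $Value.Trim() -eq '') { return $false }
    # Assumed list of common firmware placeholder strings; extend as needed.
    $placeholders = 'To Be Filled By O.E.M.', 'Default string', 'None',
                    'System Serial Number', '0'
    return ($placeholders -notcontains $Value.Trim())
}

function Get-IntuneSerialVisibility {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_SystemEnclosure is the only class Windows Intune reads; the other
    # two are the alternative locations mentioned in the text.
    $found = @{}
    foreach ($class in 'Win32_SystemEnclosure', 'Win32_BIOS', 'Win32_BaseBoard') {
        # A computer can expose more than one instance of a class.
        $found[$class] = @(
            Get-WmiObject -Class $class -ComputerName $ComputerName -ErrorAction Stop |
                ForEach-Object { $_.SerialNumber } |
                Where-Object { Test-UsableSerial $_ }
        )
    }

    $enclosure = $found['Win32_SystemEnclosure']
    $elsewhere = @($found['Win32_BIOS']) + @($found['Win32_BaseBoard'])

    if ($enclosure.Count -gt 0) {
        $status = 'Serial number is in Win32_SystemEnclosure and can be reported'
    }
    elseif ($elsewhere.Count -gt 0) {
        $status = 'Serial number exists only outside Win32_SystemEnclosure; it will not be displayed'
    }
    else {
        $status = 'No usable serial number in any of the three classes'
    }

    New-Object psobject -Property @{
        ComputerName    = $ComputerName
        SystemEnclosure = ($enclosure -join ', ')
        Bios            = ($found['Win32_BIOS'] -join ', ')
        BaseBoard       = ($found['Win32_BaseBoard'] -join ', ')
        Status          = $status
    } | Select-Object ComputerName, SystemEnclosure, Bios, BaseBoard, Status
}

# Check the local computer.
Get-IntuneSerialVisibility | Format-List
```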

To activate Windows 7 or Windows 8 with the product key that is supplied as part of your Windows Intune subscription (a MAK key), see the instructions in Converting KMS Clients to MAK Activation.

© 2014 Microsoft