Deploy Windows Intune
Published: March 23, 2011
Windows Intune helps businesses manage and secure client computers by using Windows cloud services. Windows Intune has three parts:
- The web-based administration console, which you use to manage your organization’s client computers
- The Windows Intune client software, which you install on each client computer you want to manage
- Upgrade rights to Windows 7 Enterprise and future versions of Windows
Windows Intune requires no infrastructure and is quick and easy to deploy. This article describes how to deploy the Windows Intune client software using Microsoft deployment tools, including Microsoft Deployment Toolkit (MDT) 2010 and System Center Configuration Manager 2007. For more information about installing the client software, see the Administration topic in Windows Intune.
You download the Windows Intune client software from the Windows Intune account administration website. Because the file you download contains a certificate unique to your organization, you must log on to the website using the Windows Live ID and password associated with your Windows Intune account. Click Download Client Software in the Administration workspace, and save the file (called Windows_Intune_Setup.zip) to your computer.
After downloading Windows_Intune_Setup.zip, extract it to a folder on your computer. The folder will contain two files: Windows_Intune_Setup.exe and WindowsIntune.accountcert:
- Windows_Intune_Setup.exe. This program file installs the Windows Intune client software on x64 and x86 client computers. You automate installation by using the /Quiet command-line option.
- WindowsIntune.accountcert. This file is a certificate that identifies your organization. Windows Intune uses this certificate to enroll each computer in the Windows Intune service.
You can install the Windows Intune client manually by downloading it directly from the account administration website, installing from a network share, installing from a USB flash disk, or installing from an intranet webpage. This article elaborates on deploying the Windows Intune client by using MDT 2010, System Center Configuration Manager 2007, and custom Windows images.
Microsoft Deployment Toolkit 2010
After downloading and extracting the Windows Intune client software installation files, you are ready to add them to your MDT 2010 deployment share. This article assumes that you have already installed MDT 2010 and fully stocked a deployment share with operating systems, applications, and so on. To add the Windows Intune client software to the distribution share, perform these steps:
- Copy the folder containing Windows_Intune_Setup.exe and WindowsIntune.accountcert to a location accessible to the Deployment Workbench.
- In the Deployment Workbench console tree, click Applications. Applications is under Deployment Shares\share_name, where share_name is the name of the deployment share you are configuring.
- In the Actions pane, click New Application.
- On the Application Type page, click Application with source files, and then click Next.
- On the Details page, enter the following information, and then click Next:
  - In the Publisher box, type Microsoft.
  - In the Application Name box, type Windows Intune.
- On the Source page, click Browse, open the folder containing the Windows Intune client software, and then click Next.
Note: The Windows Intune client software is unique to your organization and contains a certificate that client computers use to enroll in the service. Therefore, take steps to secure these files, and make sure they are only available to Windows Intune administrators and users who need them for installation.
- On the Destination page, click Next.
- On the Command Details page, type Windows_Intune_Setup.exe /Quiet in the Command line box, and then click Next.
- On the Summary page, shown in Figure 1, review the settings, and then click Next.
Figure 1. Adding Windows Intune to a deployment share
- Click Finish.
After completing these steps, the Windows Intune client software is in the MDT 2010 deployment share, but that alone is not enough to install the client software. You must add a command to each task sequence that installs the client software during deployment:
- In the Deployment Workbench console tree, click Task Sequences. Task Sequences is under Deployment Shares\share_name, where share_name is the name of the deployment share you are configuring.
- In the Details pane, click the task sequence to which you want to add the Windows Intune client software. Then, in the Actions pane, click Properties.
- In the Properties dialog box, click the Task Sequence tab.
- In the left pane of the task sequence, under State Restore, click Custom Tasks.
- Click Add, General, Install Application.
- On the Properties tab, shown in Figure 2, perform the following tasks, and then click OK:
  - In the Name box, type Install Windows Intune.
  - Click Install a single application.
  - Click Browse, select Microsoft Windows Intune in the Applications list, and then click OK.
Figure 2. Adding Windows Intune to a task sequence
That’s it. When you run this task sequence on client computers, it will automatically install Windows Intune during the State Restore phase. It is important to note, however, that each computer must have Internet connectivity, or Windows Intune installation will fail. Windows Intune requires an Internet connection during installation to enroll the computer in the service.
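The note in the Source page step asks you to keep the installation files available only to Windows Intune administrators and the users who need them. The following script is an added example, not part of the original article or of Microsoft's tooling: it confirms that both files sit in the package source folder and lists any NTFS Allow entries granted to broad groups. The default folder path is an assumed placeholder.

```powershell
# Added example: audit NTFS access on the Windows Intune package source folder.
# $PackagePath is a placeholder (assumption); point it at your own folder.
param([string]$PackagePath = 'D:\Packages\WindowsIntune')

$required = 'Windows_Intune_Setup.exe', 'WindowsIntune.accountcert'
# Well-known SIDs of groups far wider than "Windows Intune administrators".
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadAccess {
    param([string]$Path)
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            # Compare by SID so the check does not depend on localized group names.
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # identity could not be resolved; skip it
        $label = $broadSids[$sid]
        if (-not $label -and $sid -match '^S-1-5-21-.+-513$') { $label = 'Domain Users' }
        if ($label) {
            New-Object PSObject -Property @{
                Path = $Path; Group = $label
                Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -Path $PackagePath -PathType Container)) {
    throw "Package folder not found: $PackagePath"
}
$findings = @(Get-BroadAccess -Path $PackagePath)
foreach ($name in $required) {
    $file = Join-Path $PackagePath $name
    if (Test-Path -Path $file -PathType Leaf) {
        $findings += @(Get-BroadAccess -Path $file)
    } else {
        Write-Warning "Missing $name; the installer and certificate must be in the same folder."
    }
}
if ($findings.Count -gt 0) {
    $findings | Format-Table Path, Group, Rights, Inherited -AutoSize
    Write-Warning 'Broad groups can reach the account certificate; tighten the ACL.'
} else { Write-Output 'No broad-group Allow entries found.' }
```

The script reads NTFS permissions only; if the folder is published as a network share, review the share permissions separately.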
System Center Configuration Manager 2007
You can also deploy the Windows Intune client software by using System Center Configuration Manager. This article assumes that you have already added Windows images to System Center Configuration Manager and that you have created task sequences to install them. To install the Windows Intune client software by using a task sequence, perform the following steps:
- Create a package for the Windows Intune client software by following the instructions at How to Manage Packages. Make sure the source folder contains both Windows_Intune_Setup.exe and WindowsIntune.accountcert.
- Add a program to the package that installs the Windows Intune client software by following the instructions at How to Manage Programs. The command to install the Windows Intune client software is Windows_Intune_Setup.exe /Quiet.
- Add the Windows Intune client software package to an existing task sequence by following the instructions at How to Install Software Packages as Part of a Task Sequence.
As with deployment using MDT 2010, each computer on which you run the task sequence must have an Internet connection during deployment, because the Windows Intune client software enrolls the computer during installation. Installation fails if the installer cannot enroll the computer.
Custom Windows Images
Creating custom Windows images containing applications, including management agents, was once a common practice that has fallen out of favor lately. Known as thick imaging, the practice was to build monolithic images that were difficult to maintain and gobbled up vast amounts of storage. The process was to install Windows on a master computer, install applications and configure the computer, and then capture a new image that contained the applications.
The Windows Intune client software is not compatible with the thick imaging process. The client software enrolls the computer in the service during installation, which is why an Internet connection is required during installation. So, the following scenario does not work:
- Install Windows on a master computer.
- Install the Windows Intune client software, which enrolls the computer in the service. The enrollment data is specific to the computer.
- Capture a custom Windows image.
- Deploy the image to other computers in the organization. The Windows Intune client does not enroll each computer again, so each machine receives the same enrollment data. This clearly does not work.
As a result, you must use a thin imaging process to deploy the Windows Intune client software. In this process, you install the default Windows image, and then automatically install required applications immediately afterward. Both MDT 2010 and System Center Configuration Manager make this process easy. The benefit is that thin imaging reduces image maintenance and image count considerably. Updating an application no longer requires capturing a new image. You simply update the application in the deployment share.
A hybrid process is possible for organizations that do not use MDT 2010 or System Center Configuration Manager. You can add the Windows Intune installation files to an image, and then run the installer the first time the image boots. You can do this by creating an Unattend.xml file, which Work with Answer Files describes.
Windows Intune provides essential management and protection for any size business that has unmanaged or lightly managed client computers. Large organizations can also use Windows Intune to complement existing management systems to manage pockets of unmanaged client computers (for example, non–domain-joined computers, contract employees, or lightly managed field employees).
Not only is Windows Intune easy to use, it is also easy to deploy. Microsoft recommends that you use the Microsoft Deployment Toolkit 2010 or System Center Configuration Manager 2007 to automate deployment. Key points to remember about deploying the client software with either tool are:
- You must keep the installation files (Windows_Intune_Setup.exe and WindowsIntune.accountcert) together in the same folder. The Windows Intune client software uses the certificate to enroll the computer during installation.
- For the Windows Intune installation process to complete successfully, the client computer must have access to the Internet. If the installer is unable to contact the Windows Intune service during installation, the installation process will fail.
- You cannot capture a custom image containing the installed Windows Intune client software. The client software enrolls the computer during installation. Capturing and distributing an image that contains the enrolled Windows Intune client software will duplicate its information to each computer.
For more information about Windows Intune, visit