In the previous tutorial, we helped you set up your Windows Intune environment so that you can get ready to manage and secure PCs through the web-based administration console. Specifically, we provided steps to guide you around the administration console, add administrators to the administration console, and set your default policies.
This tutorial will help you install the client software on PCs you will manage so that you can easily monitor the health and status of your PC environment. You will also learn how to configure groups to help organize the computers you have added to the service, setup automatic approval rules to speed up the deployment of critical updates, and configure alert notifications to help your administrators get the latest alerts.
Before you can manage a computer with Windows Intune you will need to install the Windows Intune client software package on the PC - this can be your physical PC or even a virtual machine. Starting from the Systems Overview workspace, click either the Download and Deploy the Client Software link or click the Administration workspace and then select Client Software Download. The software can be installed on 32- and 64-bit version of the operating systems and will support Windows XP, Windows Vista and Windows 7.
Before you deploy the Windows Intune client, you should consider how you want to handle your existing malware protection software. By default, Windows Intune Endpoint Protection will not be installed if existing protection software is detected. If you want to ensure you are using the Windows Intune Endpoint Protection, we recommend removing the third-party malware protection software just before the Windows Intune installation.
To install the client software on a computer, follow these steps:
Figure 1. Setup files extraction process
Figure 2. Extracted setup files
If your ESD requires a Microsoft Installer (MSI) file for distribution, you can use the /Extract command line argument on the Windows_Intune_Setup.exe file to extract both a 32 bit and 64 bit MSI package. You can also use the /Quiet argument if you wish to suppress the Installation wizard and run it with no user interaction.
If you wish to use the standard installation process, make sure you are logged on with an account that has local administration rights and double click Windows _Intune_Setup.exe from the client computer. Then follow the instructions in the Setup Wizard to complete the installation.
Once the installation has completed, you may be prompted to reboot the computer, this will allow the protection and update agents to complete their installation and will download any required malware protection definitions and other agent updates. The computer account will appear in the Administration console within a few minutes, but it can take up to 30 minutes for all the agents to complete their installations and report all inventory and status updates.
For the standard installation process to complete a live Internet connection is required. If this is not possible at installation time, for example if you are installing the agent into a deployment image that will be used to create a number of computer deployments, there is a command line switch that can be used to schedule a task that will attempt to enroll the computer at a later time. This will ensure that the computer image is not enrolled before it has been deployed to the target computer. To launch a delayed installation use the following command line argument to launch the installation:
For more information on using this installation option, see the Windows Intune Online Help website at http://onlinehelp.microsoft.com/windowsintune.
The following steps will take you through the process of configuring groups to help organize the computers you will add to the service. Below is an example of how you can go about setting up your first computer groups. Feel free to customize this to meet your organization's needs.
You can now repeat these steps for all groups you wish to create. Figure 3 shows three examples of grouping strategies you could use to help organize your computers. Managed computers can be a member of multiple Windows Intune groups. This allows you a great deal of flexibility in how you can use groups.
Figure 3. Grouping examples
It is important to know that these groups are completely independent of any Active Directory Domain Service (ADDS) groups you have in your domains. The groups only apply to the Windows Intune agents so you are free to change these to meet those needs without having to worry about any possible conflict with ADDS groups.
The numbers in the Departmental example are used to help organize the order the groups are listed in. By default they are sorted alpha-numerically.
Once you have created the groups you need to organize your computers you can use them to control the deployment of your Windows Intune polices, software updates and application deployment.
The groups you created above can now be used to deploy Windows Intune Policies, software updates, and software packages. If you wish to closely manage all the updates that are managed by Windows Intune you can use the Updates workspace to Approve or Decline them. However, if you wish to ensure that critical or security updates are installed as quickly as possible on your managed PCs, you can use the Windows Intune auto-approval rules. The following steps will take you through the process of setting up an auto-approval rule that can be used to help automate the process of approving updates of the classifications you select.
Figure 4. Approval rule classifications
As the managed computers check back in to the service (by default this is every 8 hours), they will be instructed to apply all critical and security updates as soon as they are available.
For those updates that you wish to approve manually, you can use the Updates workspace to review and approve them. There are two types of updates that can be managed in Windows Intune, the first is the Microsoft Updates that are automatically made available to you via the Windows Intune service. For these updates you simply need to select the update and approve it for deployment to the groups you select as shown in Figure 9. You can approve these updates to individual Windows Intune groups or you can approve the updates to higher level groups such as the All Computers group and use inheritance to allow the updates to be approved to all lower level groups.
If you hold down the CTRL or SHIFT keys while selecting the updates you wish to approve you can select multiple updates to approve at once.
Figure 5. Update approval settings
The second type of update you can manage with Windows Intune are third party updates. For these updates to be approved you first have to obtain the update package (usually an MSI, MSP, or EXE package.) Once you have the update that will update the previous application you will need to select the Upload task from the Update workspace. This will start the Update upload wizard that will walk you through the process of creating the update package which can then be approved for deployment in the same way as the Microsoft updates, as shown in Figure 5.
Windows Intune tracks alerts for your managed computers and you can monitor these via the Alerts workspace or you can have the service email alerts directly to email accounts.
From the Windows Intune Administration Console click the Administration workspace tab. Then:
Figure 6. Adding recipients
Being made a recipient does not allow access to the Windows Intune Administration console. If you wish to allow any of these recipients to logon to the console, you will need to add them as a service administrator.
Figure 7. Selecting recipients
Now you can select which email recipients will receive an email for these alerts.
We recommend that you, as a minimum, set up the Remote Assistance Requests for notifications as these alerts are generated by the end user and are typically time critical. You can also use the Create New Rule... option to create customized rules to meet your organization's specific needs, if required.
This guide has taken you through the key steps to install the Windows Intune client software on PCs you will manage using the web-based administration console. In the third and final installment, we will help you learn how to assess the health of your computers, create custom reports, deploy software and remote control a managed computer using Windows Intune Remote Assistance.
Also in this guide: