In the previous tutorials, we helped you set up your Windows Intune environment and enroll managed PCs so that you can manage and secure them through the web-based administration console. Specifically, we provided steps to:
This tutorial will help you learn how to assess the health of your computers, create custom reports, deploy software and remote control a managed computer using Windows Intune Remote Assistance.
How many computers have a particular application or update installed? What malware was blocked? How many computers have less than 2 Gigabytes (GBs) of physical memory installed? Which users needed Remote Assistance over the last month? If you find yourself asking these questions, Windows Intune can help you create reports to get this view. We have developed a set of reports templates you can use or create custom reports based on views within the Windows Intune workloads. All these reports can be printed out or exported as either HTML or comma separated value (CSV) files. This allows you to export the data from Windows Intune and import it into whatever programs you need for further manipulation. For example, you could use Microsoft Excel to take the CSV data and create a detailed and formatted spreadsheet.
The following steps will take you through the process of creating a Windows Update report to help identify all computers that have pending Updates waiting to be installed:
Figure 1. Update Reports customization
This will generate a report similar to that shown in Figure 2. Using this information you can identify those computers that have updates outstanding and start the process of troubleshooting the updates.
Figure 2. Custom Update Status Report
The majority of time, the Windows Intune Endpoint Protection feature will generate informational alerts that are designed to give you an up-to-date view of malware that has been detected and removed from any of your managed computers. For those times that some follow up is required, the Alerts will be marked as urgent so you can contact the user and use the Remote Assistance feature to help perform any follow up tasks. The following steps show you how to create a Malware Protection report:
Figure 3. Malware Protection Report
This will create the exported report which you can then use in your preferred reporting or data application as required.
Wherever you see the Print or Export icons in the Administration console you can export the data in that view.
In this section you will look at the filters that are available in the Administration console Workspaces to help you generate additional reports. The following steps will take you through the process of creating a Computer details report:
Figure 4. Computer and user account details
In addition to using these filters to print or export data you can also perform actions against the computers in the view. For example, if you right-click on any computer in the view you are able to perform a number of tasks on that computers. These tasks include viewing the computer properties, adding the computer to a group or even retiring the computer from the Windows Intune managed service. You can also select the Remote Tasks option to instruct that computer to perform one of a number of tasks as soon as possible. If the computer is online it will be performed within a few minutes, if the computer is offline the task will be queued and performed once the computer is next able to check in with the Windows Intune service. Figure 5 shows the four remote tasks that can be sent to a managed computer.
Figure 5. Remote Tasks options
The Computer workspace can also provide you with rapid access to additional information and tasks that can be performed on these computers. For example if you click on the Computers workspace icon you will be taken to the Computers Overview view, then click Computer Summary option to display current status information on a number of key computers metrics, as shown in Figure 6.
Figure 6. Computers Overview
Clicking the Computer Summary link will toggle this view on or off as needed. Each of the numbers indicated next to each item in the list is a hyperlink that allows you to drill down to the filtered view that will show you exactly which computers meet have those characteristics.
As you install the Windows Intune client software on your computers, a detailed inventory is built of the software installed on them and reported back to the Windows Intune service. Using either the Software workspace or by using the Software report in the Reports workspace, you can review, print, or export this information.
One key piece of information required by many organizations is a computer by computer list of all software installed. The following steps will take you through the process of creating this report in Windows Intune:
This will generate a detailed software report identifying and categorizing all software installed on the computers in the Windows Intune environment. As this is a Silverlight-formatted report, you can drill down into the details of which computers have which software installed. To export a full detail report of this information, follow these steps:
This will export a CSV file containing a list of all software found in the environment and which computers have the software installed. This includes any software recognized by the service and is not limited to just Microsoft products. This information can then be imported into Microsoft Excel to be formatted and customized as required.
A new feature in Windows Intune is the ability to create, store and then deploy software via the cloud. This process extends the update management process described earlier in this guide to allow you to deploy a new application to a managed computer wherever they are in the world. The process starts at a Windows Intune administrator's computer that has access to the required software installation files; these can be in the form of either EXE or MSI files. For both file types it is important that they support silent installation, this is where the package can be installed without user interaction. This allows the Windows Intune agents to install the software regardless of whether the computers user has rights to install software or even if they are logged on. The methods to enable a silent installation do vary between software packages, so you will need to check with the software publishers documentation to determine the exact method to use, for example the /Quiet or /Silent command line arguments are often used to indicate a silent installation option.
From the Managed Software workspace the administrator uses the Upload wizard to create the compressed and encrypted package and uploaded it to the Windows Intune service that package is available to be deployed to the Windows Intune groups in the same way as application updates. However it is important to understand that software installation packages are typically larger than software updates and therefore you may need to take steps to help minimize the possible impact of a deployment on a sites Internet connection. To help explain this process, in detail, and document best practices for using working with software deployments with Windows Intune we have created a guide called Deploying Software and Third Party Updates with Windows Intune.
Once you have familiarized yourself with this guide you will have all the information you need to deploy software applications to all your managed computers.
Now let's take a look at a very useful feature of Windows Intune and that is Remote Assistance (RA). This feature allows you to view and control a managed computer remotely so you can support your users virtually anywhere and regardless of whether you are in the office or on the road. The RA process starts when an end user opens a request for remote assistance. This is done using the Windows Intune Center client software you installed on the managed computer. Click on the Windows Intune Center and you should see a window similar to that shown in Figure 7.
Figure 7. Windows Intune Center
The RA feature uses Microsoft Easy Assist to enable an RA session. Once the user has clicked the Microsoft Easy Assist option, a Remote Assistance Alert is sent to the Windows Intune service.
Microsoft recommends that you setup E-Mail Notifications for Remote Assistance alerts to ensure that emails are sent to administrators automatically to help minimize the wait time for an end-user. See the Set up Alerts Notifications section of part two of this guide for information on setting these up.
The following steps will take you through the process of responding to a RA request:
RA alerts are set as Critical and they will also appear in the Alerts by Type section of both the Systems Overview workspace and the Alerts Overview workspace.
Figure 8. Remote Assistance request details
Figure 9. Microsoft Easy Assist control request window
At this point the end-user will need to click OK to allow you to see their desktop. Once they do this, you will be able to see their desktop in a window on your desktop.
Figure 10. Remote assistance control request
Once the end-user clicks Yes, you will be able to control their computer. Also available during the session are the options to chat and transfer files to and from the RA session. These options are accessible using the main session controls. At the end of your support session, Microsoft recommends that you return to the Administration console and close the original RA alert. This way it will be easier to identify new requests when they come in.
Up to this point we have assumed that you are responsible for a single Windows Intune environment. However, Windows Intune can be used for supporting multiple environments from a single Windows Live ID.
If the Windows Live ID account you logon with has been granted Service (or Tenant) administration rights to more than one Windows Intune environment, you will be taken to the Multi-Account Console when you logon, see Figure 11.
Figure 11. Windows Intune Multi-Account Console
When you log on, the Windows Intune service checks if your LiveID is an administrator for more than one Windows Intune environment. If it is, the service will automatically show the Multi-Account Console so you can select the accounts you wish to manage. This feature was added specifically to help Service Providers or large IT support organizations manage multiple customer accounts.
Each line in the list represents the latest account status of the respective managed accounts. As the list grows, you can use the sort and search features to help get to the information you need fast.
You can quickly find an specific account, even in the longest lists, by typing an account name (or part of one) in the Search accounts field.
To get to the details of a specific account, simply click anywhere on the account line in the console and then click the Select Account menu option or the View Account link and you will be taken to the System Overview view of that account.
You can always be sure of the account you are working in as the the account label is presented in the top right of the Administration Console as highlighted in Figure 12.
Figure 12. Administration Console account label
You can switch back to the Multi-account console at any time by clicking the Switch to another account hyperlink next to the account label.
The Multi-Account Console is designed to make the task of managing a number of different accounts quick and easy for you.
This guide has taken you through some of the key tasks you can perform to manage your computers with the Windows Intune cloud service. For guidance on using the software deployment feature of Windows Intune we recommend you read Deploying Software and Third Party Updates with Windows Intune.
Also in this guide: