Deploying Windows Intune (Part 1)

As promised, I want to show you how to deploy and implement Windows Intune. These steps describe how to set up your PoC (Proof of Concept) environment, which you can use to test the product. You can also use these steps to set up your production environment, except that I will not describe the steps to set up an ADFS environment. Those steps will be described in a future article. Basically, ADFS is needed for Mobile Device Management and Single Sign On.

So let's get started!

First of all, get the Windows Intune 30 day free trial here

The most important thing to note here is that if you want to test out Windows Intune you have to be careful with the new domain name section. You have 2 options here:

1) Use the name of your company
2) Use a pilot name

If you use your company name and you don't want to continue after your trial, you will lose the ability to use your company name again if you want to use it later. After the initial 30 day trial you still have a 30 day grace period in which you can decide to use the product; you are not able to use it during that period. If you do not decide to use it then you cannot use your domain name again (this is the current state of affairs and may change in the future).

So what you can do to keep your domain name is to buy the product for 1 user until you decide what you want to do with it. Where I live in the Netherlands a single user license is € 4,90 per month and a single user license with a user desktop O.S. with Software Assurance is € 9,00 per month.

I usually advise using a pilot name for the PoC environment. After subscribing you will get an email at the email address you subscribed with. Intune consists of the following important URLs:

https://account.manage.microsoft.com (the account portal where you can manage your users, domains, licensing and support).
https://admin.manage.microsoft.com (this is the Windows Intune management portal which you will use the most; here you will do all the client administration).
https://portal.manage.microsoft.com (this is the user management portal where users can manage their devices or software).

After subscribing, point your browser to: https://account.manage.microsoft.com. Log in and you will be treated to the following screen.

Under Setup you will find information about setting up a Single Sign On environment, adding domains and syncing your Active Directory users and groups to the Azure AD in the cloud; basically this involves an ADFS implementation and some extra wizardry. Under Management you can create users, activate users that you synced with Azure AD, add groups, and add domains. Under Subscriptions you can manage settings for your billing, licenses, add purchases and download software that falls under the software agreement. Under Support you can reach out to the Windows Intune support line from Microsoft by phone or email if you have issues with the service, and you can see the global Windows Intune health status, maintenance notifications and status history.

For now it's important to create an extra Intune administrative account. By default the user who subscribes to the Windows Intune trial gets the highest administrative rights in the Windows Intune management console. This is called the Global/Tenant Administrator. For security it's a best practice to create an extra Global/Tenant Administrator.

Go to the Administration - Users node and add a new user.

Follow the prompts and be sure to add the user to the Global Administrator role.

By clicking on the Admin Console option at the top of the screen or going to https://admin.manage.microsoft.com you will reach the administration console.

In the next part I will talk more about the Windows Intune admin console, but for now I want to show you how to deploy the client agent software to a device. In the System Overview screen click on the Download and Deploy the Client Software link. This brings you to the Administration - Client Software Download tab.

Step 1 is important if you are deploying the client software to machines which already have an anti-virus solution installed. By default the client software installs the Windows Intune Endpoint Protection software, which has the following behaviour:

1) If Endpoint Protection finds no anti-virus software on the machine where you are installing the Intune client then Endpoint Protection will be enabled.
2) If Endpoint Protection finds an anti-virus solution on the machine where you are installing the Intune client which it doesn't recognise, it will be enabled.
3) If Endpoint Protection finds an anti-virus solution on the machine where you are installing the Intune client which it does recognise, then Endpoint Protection will disable itself and will report on the anti-virus status of the machine to the Windows Intune console.

If you want to explicitly enable or disable Endpoint Protection on a device you can use a Windows Intune policy; more on that in the next part. For now continue to Step 2 and click on the Download Client Software link. This will download the Windows Intune Setup zip file. Extract the file to a folder. In the folder you will find the following files:

Windows_Intune_Setup.exe
WindowsIntune.accountcert

It’s important to never separate the accountcert file from the setup.exe or msi file. The accountcert contains information about your organization. Windows Intune uses this certificate to enrol the computer to the Windows Intune service.

You can install the agent through the following mechanisms:

1) If users have local admin rights on their computers then they can install and enroll the software through the Windows Intune Portal: https://portal.manage.microsoft.com
2) Install the software manually on the computer with an administrative account (you can put the software on a share).
3) Install the software in the image through SCCM, MDT or another mechanism (more on that in a future blog post).
4) Install the software through Group Policy.

If you want to use Group Policy you will have to extract the msi from the exe with the following command line:

Windows_Intune_Setup.exe /Extract <destination-directory>

Install the client software through any of these mechanisms, wait about 30 minutes and you will be treated to a Windows Intune managed device!
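As an added example (not part of the original post or Microsoft's tooling), the PowerShell script below stages the client for Group Policy deployment: it checks that the setup exe and the accountcert are together, validates the installer's Authenticode signature, runs the /Extract switch described above, and makes sure the accountcert ends up next to the extracted msi. The $Source and $Destination paths are assumptions.

```powershell
# Added example: stage the Windows Intune client for Group Policy deployment.
# Both default paths are assumptions; replace them with your own folder and share.
param(
    [string]$Source      = 'C:\Temp\Windows_Intune_Setup',   # folder the zip was extracted to
    [string]$Destination = '\\fileserver\deploy$\Intune'     # share used by the GPO
)

$ErrorActionPreference = 'Stop'
$setup = Join-Path $Source 'Windows_Intune_Setup.exe'
$cert  = Join-Path $Source 'WindowsIntune.accountcert'

# The accountcert must never be separated from the installer.
foreach ($file in $setup, $cert) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        throw "Missing required file: $file"
    }
}

# Do not stage an installer whose Authenticode signature fails validation.
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $setup (status: $($sig.Status))"
}
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# Extract the msi with the /Extract switch from the article.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
Start-Process -FilePath $setup -ArgumentList '/Extract', "`"$Destination`"" -Wait

# Confirm the extraction produced at least one msi.
$msi = Get-ChildItem -Path $Destination -Filter '*.msi'
if (-not $msi) { throw "No msi found in $Destination after extraction" }

# Keep the accountcert next to the msi; copy it if it is not already there.
$stagedCert = Join-Path $Destination 'WindowsIntune.accountcert'
if (-not (Test-Path -LiteralPath $stagedCert)) {
    Copy-Item -LiteralPath $cert -Destination $stagedCert
}

# Record SHA-256 hashes so later changes to the share can be detected.
Get-ChildItem -Path $Destination -File |
    Get-FileHash -Algorithm SHA256 |
    Format-Table Hash, Path -AutoSize
```

Because the accountcert is what enrols a computer into your organization's Intune account, give the share read-only access for the computers that need it and limit write access to administrators.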

You can find the enrolled device in the Groups - All Devices node.

And on the computer of course!

More on Windows Intune in the next part! Till then, stay frosty!