Friday 31 May 2013

Windows Intune Step by Step Guide Part 6: Endpoint Protection


In Part 4 we created our Windows Intune Agent Settings policy. This includes the configuration settings for Endpoint Protection. In Part 5 we enrolled a device and saw that the device became protected almost immediately. 

In Part 6 of my Windows Intune Step by Step Guide I will provide screenshots of the options that can be configured in the policy.


Right-click the policy and choose Edit. All the items below are configurable.










Computers check for updates to policies at intervals of between 8 and 22 hours, depending on the configuration of the Windows Intune Agent policies. If you make a change, you can force a refresh of policy on computers by using the Refresh Policies remote task.





Windows Intune Step by Step Guide Part 5: Enroll devices


Part 5 of my Windows Intune Step by Step Guide describes how to enroll devices so that they can be managed. 

Note that we are just dealing with full Windows clients for the purpose of this guide (in my case Windows 8 Enterprise tablets). Further configuration is necessary for mobile devices. You can find more information in the Windows Intune Getting Started Guide.

Enrolling Devices

You can enroll devices in Windows Intune in three ways:
  • Administrator Enrollment: The Windows Intune Administrator sets up the device enrollment on behalf of the end user.
  • User Enrollment: The device user self-enrolls using the Windows Intune company portal.
  • Embedding in a deployment image: The Windows Intune Administrator embeds the Windows Intune service into the operating system deployment images.


I have used the first method for this guide and I enrolled the device on behalf of the user. There are two ways to do this:


  • On the device, navigate to https://admin.manage.microsoft.com and download the client software directly to the device.
  • Install the software directly from a USB drive.

I downloaded the software to a USB drive from my PC.


Admin Console



Click Download Client Software


Download compressed software package


Extract the package to see the Intune executable file and the account certificate file. The certificate file is specific to your Intune subscription; it needs to be in the same folder as the executable during installation so that your devices are enrolled under the correct subscription.


On device.



Double-click Windows_Intune_Setup. Note the Intune account cert in the same folder.



Click Next to install





The client has now been installed and contacts Intune to retrieve the policies we created in Part 4. It will also download and install the Endpoint Protection software and then download the EP definition files.


See Intune processes.


Note the Endpoint Protection icon in the System Tray (the green one). See also the Intune Center (with the yellow exclamation). It is not yet healthy as the EP virus definitions have not been fully downloaded.


New icons available.


New folder structure.



Client is now healthy. Download of definition files is complete. 


Client is now fully protected by Endpoint Protection


Device now enrolled and showing healthy status.

Installation Tip: If the device date or time is incorrect, the installation will fail with the following error:

Windows Intune Setup: The software cannot be installed, 0x800b0101
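The installation tip above corresponds to Windows error 0x800b0101 (CERT_E_EXPIRED: a certificate is outside its validity period when checked against the system clock). The following PowerShell check is an added example, not part of the original guide or Microsoft's tooling: it confirms the account certificate sits beside the setup executable and compares the local clock with the installer's signing certificate before you run setup. The `E:\IntuneClient` path and the `*.accountcert` file pattern are assumptions.

```powershell
# Added example, not from the original guide: pre-install check of the client package.
function Test-IntunePackage {
    param(
        [string]$PackageDir,                           # folder with the extracted package
        [string]$AccountCertPattern = '*.accountcert'  # assumed file name pattern
    )
    $problems = @()
    $now = Get-Date

    # The setup executable name is the one shown in the guide.
    $setup = Join-Path $PackageDir 'Windows_Intune_Setup.exe'
    if (-not (Test-Path $setup)) {
        return ,@("Setup executable not found: $setup")
    }

    # The account certificate must sit beside the executable.
    if (-not (Get-ChildItem -Path $PackageDir -Filter $AccountCertPattern)) {
        $problems += "No account certificate ($AccountCertPattern) in $PackageDir"
    }

    # Authenticode check of the installer itself.
    $sig = Get-AuthenticodeSignature -FilePath $setup
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status '$($sig.Status)': $($sig.StatusMessage)"
    }

    # Compare the local clock with the signer certificate's validity window.
    $cert = $sig.SignerCertificate
    if ($cert) {
        if ($now -lt $cert.NotBefore) {
            $problems += "Clock ($now) is earlier than certificate start $($cert.NotBefore)"
        }
        # After expiry the signature is only trusted if it was timestamped.
        if ($now -gt $cert.NotAfter -and -not $sig.TimeStamperCertificate) {
            $problems += "Certificate expired $($cert.NotAfter) and signature has no timestamp"
        }
    }
    return ,$problems
}

# E:\IntuneClient is a placeholder path for the USB drive folder.
$result = Test-IntunePackage -PackageDir 'E:\IntuneClient'
if ($result.Count -eq 0) { 'Package and clock look consistent; run the setup.' }
else { $result | ForEach-Object { "CHECK FAILED: $_" } }
```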


Thursday 30 May 2013

Windows Intune Step by Step Guide Part 4: Policies


Part 4 of my Windows Intune Step by Step Guide describes how to configure and deploy policies.

Windows Intune policies focus on providing you with straightforward settings that help control the security settings on mobile devices, provide computer updates, ensure Endpoint Protection, maintain firewall settings, and enhance the end user experience. 


In the workspace shortcuts pane, click the Policy icon.


Under tasks, click Add Policy


In the Create a New Policy dialog box, the following policy templates are presented:

  • Mobile Device Security Policy
  • Windows Firewall Settings
  • Windows Intune Agent Settings
  • Windows Intune Center Settings

I am only managing Windows 8 Enterprise tablets in this series, so I do not need to configure the Mobile Device Security Policy (however, I have included screenshots of the options at the end of this blog).

I also did not need to manage Windows Firewall settings (however, I have included screenshots of the options at the end of this blog).

Select the Windows Intune Agent Settings template and click Create and Deploy a Policy with the Recommended Settings.



Add All Computers to the Selected Groups


The policy is now available in the console and can be edited.

The following screenshots show the default policy settings. Each item is configurable.











Select the Windows Intune Center Settings template and click Create and Deploy a Policy with the Recommended Settings.


This allows you to display support information to your users.


Enter your details


Choose to deploy the policy now.


Both deployed policies can be seen in the console.

After these policies have been deployed, all users or devices inherit these settings as their baseline policy. You can then review and, if required, edit the details of these policies from the Policy workspace.

Computers check for updates to policies at intervals of between 8 and 22 hours, depending on the configuration of the Windows Intune Agent policies. You can force a refresh of policy on computers by using the "Refresh Policies" remote task.


Mobile Device Security Policy Options

All items are configurable







Windows Firewall Policy Options

All items are configurable