STEP BY STEP
Abstract
This document is a step-by-step guide to implementing and configuring Microsoft Intune
components, including software distribution, mobile management policies, software updates
and reporting.
Microsoft Intune step by step
Table of Contents
Chapter 1
Definition of Microsoft Intune
What is Microsoft Intune?
Why Microsoft Intune?
Comparison between Configuration Manager 2012 R2 & Microsoft Intune
Chapter 2
Configure Microsoft Intune
Setting up a Microsoft Intune account
Add Custom Domain
Assign additional Administrators to manage Microsoft Intune
Add Intune Users
Create Individual Intune User
Create bulk Intune Users using CSV file
Synchronize users from Active Directory on Microsoft Intune
Activate Synchronized Users and Grant Licenses
Chapter 3
Implement and Configure ADFS for Single Sign-On
Install ADFS on Windows Server 2012 R2
Configure ADFS
Setup the ADFS trust using PowerShell
Chapter 4
Create Intune Groups to organize Users and Devices
To create a Device group
To create a User group
Configure Security Groups
To create a Security group
Chapter 5
Set Mobile Devices Management (MDM) Authority
Set Mobile Device Management Authority
Prepare for Mobile Device Management Authority “iOS”
Prepare for Mobile Device Management Authority “Windows phone 8.1”
Set up Windows Phone enrollment with Intune
Chapter 6
Required domains for Windows Intune and related services
Required domains for Windows Update Services
Required proxy server configuration
Reference
Other articles
Mai Ali has various Technology Certifications and Awards: Microsoft Valuable Professional
System Center Cloud and Data Management, Microsoft Certified Solutions Expert
(Communication, Server Infrastructure, Private Cloud, and Messaging), MCITP (Office 365
Administrator), MCITP (Enterprise Administrator Windows 2008), MCITP (Enterprise Messaging
Administrator), MCITP (Lync Server 2010 Administrator), Microsoft Certified Systems Engineer
(Security, Messaging) Windows 2003, MCSA (Office 365, Windows 2012), MCSA Windows 2008,
MCSA (Security) Windows 2003, Citrix Certified Professional - Virtualization, Cisco Certified
Network Professional, Red Hat Certified Engineer, STS Symantec Enterprise Vault 10.0 for
Exchange and Symantec Certified Professional Program Data Protection.
Mai Ali has been very involved with Windows Server-based virtualization, communication and
management solutions, including Microsoft System Center, Microsoft Lync, Enterprise Mobility,
Azure and Office 365. She is currently a prolific blogger at http://expertslab.wordpress.com and
has published many scripts for automatic configuration on the Microsoft TechNet Gallery. Mai likes
giving back via community forums: she has contributed thousands of posts to the Microsoft System
Center, Microsoft Lync and Experts-Exchange community forums over the years.
Chapter 1
Definition of Microsoft Intune
Posted on July 14, 2015 by Mai Ali
Microsoft Intune is a cloud-based desktop and mobile device management tool that helps
organizations provide their employees with access to corporate applications, data, and resources
from the device of their choice.
Microsoft Intune is a unified device management solution that combines cloud and on-premises
capabilities. Microsoft Intune provides mobile device management, mobile application
management, and PC management capabilities from the cloud. Using Intune, organizations can
provide their employees with access to corporate applications, data, and resources from virtually
anywhere on almost any device, while helping to keep corporate information secure.
The following table compares the device and application management capabilities available
to you when you use Intune alone, Configuration Manager alone, or a solution that uses both
products.
| Scenario | Microsoft Intune | System Center 2012 R2 Configuration Manager | System Center 2012 Configuration Manager SP2 and Intune | System Center 2012 R2 Configuration Manager SP1 and Intune |
| --- | --- | --- | --- | --- |
| Platform Support | | | | |
| Microsoft Windows | Yes | Yes | Yes | Yes |
| Microsoft Windows Server | No | Yes | Yes | Yes |
| Windows Phone | Yes | No | Yes | Yes |
| Windows RT | Yes | No | Yes | Yes |
| iOS | Yes | No | Yes | Yes |
| Android | Yes | No | Yes | Yes |
| Mac OS X | No | Yes | Yes | Yes |
| Unix/Linux Servers | No | Yes | Yes | Yes |
| Compliance Settings | | | | |
| Extensible Windows PC Device Configuration Settings (e.g., WMI, Registry) | No | Yes | Yes | Yes |
| Extensible Mac OS X Configuration Settings | No | Yes | Yes | Yes |
| Mobile Device Configuration Settings | Yes | Yes | Yes | Yes |
| Custom Mobile Device Settings (such as OMA-URI and Apple Configurator) | Yes | Yes | Yes | Yes |
| Deployment | | | | |
| Application Deployment | Yes | Yes | Yes | Yes |
| Windows Operating System Deployment | No | Yes | Yes | Yes |
| Security and Privacy | | | | |
| Software Updates | Yes | Yes | Yes | Yes |
| Endpoint Protection | Yes | Yes | Yes | Yes |
| Administration and Reporting | | | | |
| Software Metering | No | Yes | Yes | Yes |
| Hardware and Software Inventory | Yes | Yes | Yes | Yes |
| Custom hardware and software inventory | No | Yes | Yes | Yes |
| Role-based Administration and Reporting | No | Yes | Yes | Yes |
| Unified Reporting for Cloud and Corporate-connected Devices | No | No | Yes | Yes |
| Cloud-based Reporting | Yes | No | No | No |
| Data Protection for mobile devices | | | | |
| Security Settings | Yes | Yes | Yes | Yes |
| Remote Wipe | Yes | Yes | Yes | Yes |
| Remote Lock | Yes | Yes | Yes | Yes |
| Passcode Reset | Yes | Yes | Yes | Yes |
| Company Resource Access | | | | |
| Email Profiles | Yes | Yes | No | Yes |
| Wi-Fi Profiles | Yes | Yes | No | Yes |
| VPN Profiles | Yes | Yes | No | Yes |
| Certificate Profiles | Yes | Yes | No | Yes |
| Conditional Access | Yes | Yes | Yes | Yes |
| Mobile Application Management | Yes | Yes | Yes | Yes |
| App Compliance Policies (compliant and noncompliant apps) | Yes | Yes | Yes | Yes |
| Kiosk Mode | Yes | Yes | Yes | Yes |
| Managed Internet Browser Policy | Yes | Yes | Yes | Yes |
You can use the following table to help you decide if using Intune stand-alone or using Intune
with System Center 2012 Configuration Manager is a better fit for your business. It is followed
by a table that provides a detailed comparison of your device management options.
You might choose Intune stand-alone if:
- You want to manage mobile devices.
- You want to manage computers that are not joined to a domain.
- You have fewer than 50,000 devices to manage.
- You have no (or limited) on-premises IT infrastructure.
- You have a mobile or highly distributed workforce. Cloud-based device management lets you manage mobile devices and computers anywhere in the world.
You might choose Intune + Configuration Manager if:
- You want to manage computers joined to a domain.
- You want to manage servers.
- You want to manage computers with the Configuration Manager client, Mac computers, Linux and UNIX server, and mobile devices enrolled with Intune from the same console.
- You have more than 50,000 devices to manage.
- You have on-premises IT infrastructure in place, or plan to deploy such infrastructure. In this configuration, the device and resource management experience is fully unified. User names and passwords are synchronized, providing users with a single account that they use to access company resources, whether from a domain-joined computer or from a mobile device.
Use the following table to help you decide if using Microsoft Intune or Built-in MDM for
Office 365 is the best fit for your business.
PC management:
Chapter 2
Configure Microsoft Intune
Setting up a Microsoft Intune account
Posted on July 14, 2015 by Mai Ali
3. On the “Don’t lose access to your account” page, enter your phone number and an alternate
email address.
1. In the Intune account portal, click Domains and then Add a Domain.
3. Copy the TXT record and create it in your public DNS to verify the domain, then click Verify.
4. Click Close.
Administrator roles are common between the different Microsoft cloud services although some
services might not support some roles. Intune uses the following roles:
Tenant administrator
Service administrator
Device enrollment manager
3. Provide the user ID for the new Intune administrator, then select the access permission.
4. Click on OK.
1. In the Intune account portal, click Add Users > New > User to start the New users wizard.
2. Fill in the required information for the user you want to create and click Next.
3. On the “Settings” page, choose whether to assign this user an administrator role. Set the
country to “Egypt” and click Next.
5. Type the email address that should receive this account's credentials, or leave it
blank.
6. Click Finish.
8. To verify that the new user was created successfully, go to the Intune administration
console, click Admin > Company Portal, and then scroll to the bottom of the screen.
Copy the URL shown under Intune company portal. The new user should be able to access it
successfully.
To create Intune users in bulk from a CSV file, follow these steps:
1. Create a CSV file with the fields “User Name, First name, Last Name, Display Name, State, Country”.
2. In the Intune account portal, click Add Users > New > Bulk Add to start the New users
wizard.
4. On the “Verification” page, check that all users were uploaded correctly, without errors.
5. On the “Settings” page, choose whether to assign these users an administrator role. Set the
country to “Egypt” and click Next.
7. Type the email address that should receive these account credentials, or leave it
blank.
8. Click Close.
To add the verified domain as a UPN suffix in Active Directory, follow these steps:
3. Click OK.
To update the UPN for users with PowerShell, follow these steps:
1. From the taskbar, right-click the PowerShell icon and select Run as Administrator.
2. Type cd C:\
3. Type .\UPN-Update.ps1
Note
Edit the UPN-Update script and enter the path of the OU whose users need the UPN suffix update.
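The UPN-Update.ps1 script run in the steps above is not reproduced in this guide. The following is an added example, not the author's script, of one way to change the UPN suffix for the users of one OU with the ActiveDirectory module; the function name Update-UpnSuffix and the OU and suffix values in the usage comment are placeholders.

```powershell
# Added example (not the author's UPN-Update.ps1). Requires the ActiveDirectory
# module (RSAT) and rights to modify users in the target OU.
Import-Module ActiveDirectory

function Update-UpnSuffix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,  # DN of the OU to update
        [Parameter(Mandatory = $true)][string]$OldSuffix,   # current suffix, without "@"
        [Parameter(Mandatory = $true)][string]$NewSuffix    # verified domain, without "@"
    )

    # Refuse a suffix the forest does not know: it must be a domain in the forest
    # or an alternative UPN suffix that was added to Active Directory beforehand.
    $forest = Get-ADForest
    $known  = @($forest.Domains) + @($forest.UPNSuffixes)
    if ($known -notcontains $NewSuffix) {
        throw "UPN suffix '$NewSuffix' is not registered in forest '$($forest.Name)'."
    }

    # Only users under the chosen OU whose UPN still ends in the old suffix
    $query = @{
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Filter      = "UserPrincipalName -like '*@$OldSuffix'"
    }

    foreach ($user in Get-ADUser @query) {
        $oldUpn = $user.UserPrincipalName
        $newUpn = $oldUpn.Substring(0, $oldUpn.LastIndexOf('@')) + '@' + $NewSuffix

        # Skip the user if the target UPN is already taken (checked in the
        # current domain only). Single quotes are doubled for the AD filter.
        $escaped = $newUpn.Replace("'", "''")
        $clash   = Get-ADUser -Filter "UserPrincipalName -eq '$escaped'"

        if ($clash) {
            $status = 'Skipped: target UPN already in use'
        }
        elseif ($PSCmdlet.ShouldProcess($oldUpn, "Change UPN to $newUpn")) {
            Set-ADUser -Identity $user -UserPrincipalName $newUpn
            $status = 'Changed'
        }
        else {
            $status = 'Not changed (-WhatIf or declined)'
        }

        # One record per user: serves as the audit trail and the rollback list
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            OldUpn         = $oldUpn
            NewUpn         = $newUpn
            Status         = $status
        }
    }
}

# Usage with placeholder values: preview with -WhatIf, then rerun without it.
# Update-UpnSuffix -SearchBase 'OU=Staff,DC=corp,DC=example' -OldSuffix 'corp.example' `
#     -NewSuffix 'example.com' -WhatIf | Export-Csv .\upn-changes.csv -NoTypeInformation
```

Keeping the exported CSV gives you the old UPN of every changed account if the change has to be reverted.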
1. In the Intune account portal, click Users, then click Set up for Active Directory
Synchronization.
2. Click Activate.
6. Click Next
8. Click Next
9. Click Next
11. Log off and log on again. Double-click the Directory Sync Configuration icon on the
desktop.
12. Click Next on the welcome page.
13. On the Microsoft Online Services Credentials page enter the credentials and Click Next
14. On the Active Directory Credentials page enter the credentials and Click Next
15. On the Exchange hybrid deployment page, make sure the box is unchecked and click
Next
16. On the Password Synchronization page, make sure the box is checked and click Next
18. Leave the Synchronize directories now checkbox and click Finish
19. In the Intune account portal, click Users and verify that all users have synchronized to the Intune portal.
2. Next to Display Name, check the box to select all users on the page, or select specific
users, and click Activate synced users.
4. On the Email page, enter the email address to which the temporary password will be sent, then
click Activate.
Chapter 3
Implement and Configure ADFS for Single Sign-On
Install ADFS on Windows Server 2012 R2
1. To install ADFS server, open Server Manager, on the Dashboard click Add Roles and
Features.
3. On the Select installation type box, click Next to proceed (make sure Role-based or
feature-based installation is selected).
5. On the Select server roles page, Select Active Directory Federation Service, and click
Next.
9. Wait a few minutes for the installation to complete, then click Close.
Configure ADFS
1. On the ADFS server, open Server Manager. In the upper right corner, select More for the
Configuration Required notice and click Configure the Federation service.
2. Select “Create the first federation server in a federation farm”, and Click Next
7. Select “Create a database on the server using windows internal database” and Click Next
23. Make sure the prefix is sts, and not autodiscover or adfs, for both the service name and the
service identifier (sts.lab17563.o365ready.com).
Import-Module MSOnline
Connect-MsolService
After completing the last command, you should see an entry called Microsoft Intune.
This means you have correctly set up a federation trust with the online Intune
environment.
5. Close PowerShell and the AD FS Management Console.
6. SSO now works; you can verify access from a client PC.
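A scripted way to check the finished trust before relying on it, as an added example that is not part of the original guide: it tests the sts prefix from step 23, confirms the domain is federated, and compares the token-signing certificate held by the AD FS farm with the one registered in the cloud. The function name Test-FederationTrust and the domain in the usage comment are placeholders, and it assumes it is run on the AD FS server in a session where Connect-MsolService has already succeeded.

```powershell
# Added example (not from the original guide). Run on the AD FS server after
# Connect-MsolService, with the ADFS and MSOnline modules available.
Import-Module ADFS
Import-Module MSOnline

function Test-FederationTrust {
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,  # the federated domain
        [int]$WarnDays = 30                                  # certificate expiry warning window
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 23: service name and service identifier should both use the sts prefix
    $adfs   = Get-AdfsProperties
    $idHost = ([uri]"$($adfs.Identifier)").Host
    if ($adfs.HostName -notlike 'sts.*') {
        $findings.Add("Service name '$($adfs.HostName)' does not start with sts.")
    }
    if ($idHost -notlike 'sts.*') {
        $findings.Add("Service identifier host '$idHost' does not start with sts.")
    }

    # The domain must have been switched from Managed to Federated
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        $findings.Add("Domain authentication is '$($domain.Authentication)', expected Federated.")
    }
    else {
        # One record comes from the local AD FS farm, one from the cloud service;
        # sign-in breaks when the two disagree.
        $props = Get-MsolFederationProperty -DomainName $DomainName
        $local = $props | Where-Object { $_.Source -eq 'ADFS Server' }
        $cloud = $props | Where-Object { $_.Source -eq 'Microsoft Office 365' }

        if (-not $local -or -not $cloud) {
            $findings.Add('Federation properties are missing for the AD FS farm or the cloud side.')
        }
        else {
            if ($local.FederationServiceIdentifier -ne $cloud.FederationServiceIdentifier) {
                $findings.Add('Federation service identifier differs between AD FS and the cloud.')
            }
            if ($local.TokenSigningCertificate.Thumbprint -ne
                $cloud.TokenSigningCertificate.Thumbprint) {
                $findings.Add('Token-signing certificate differs between AD FS and the cloud.')
            }
            $daysLeft = ($cloud.TokenSigningCertificate.NotAfter - (Get-Date)).Days
            if ($daysLeft -lt $WarnDays) {
                $findings.Add("Token-signing certificate expires in $daysLeft day(s).")
            }
        }
    }

    [pscustomobject]@{
        DomainName = $DomainName
        Healthy    = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage with a placeholder domain:
# Test-FederationTrust -DomainName 'example.com' | Format-List
```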
Chapter 4
Create Intune Groups to organize Users and Devices
Groups in Intune give you great flexibility for managing your devices and users. You can set up
groups to suit your organizational needs (for example, by geographic location, department, or
hardware characteristics). You can use groups to perform a wide variety of administrative tasks
at scale, from setting policies for a set of users to deploying applications to a set of devices.
To create Intune groups to organize users and devices, follow these steps:
1. In the Intune administration console, click Groups > Overview > Create Group.
2. For the Group name, type “Test Devices PC” and from the parent group list, select All
Devices, and then click Next.
3. On the Define Membership Criteria page, select All devices to indicate that the group
includes both mobile devices and computers.
4. On the Define Direct Membership page, click Next. If you had created a group that did
not include all devices, and you wanted to add specific devices to your new group, you
could do that here.
5. On the Summary page, review the actions that will be taken, and then click Finish.
6. You can find the newly created group in the Groups list, in the Groups workspace, under
All Devices. From here, you can also edit or delete the group.
1. In the Intune administration console, click Groups > Overview > Create Group.
2. For the Group name, type “Test Users” and from the parent group list, select All Users,
and then click Next.
3. On the Define Membership Criteria page, set Start group membership with to All users in
the Parent group.
4. Next to Exclude members from these security groups, click Browse and then select
Company Administrator. This exclusion will let you manage the Test Users group
without affecting the Company Administrator account (also known as the tenant
administrator).
5. On the Define Direct Membership page, click Next. You don’t need to do anything here
because you want the Test Users group to include all users, except for the Company
Administrator.
6. On the Summary page, review the actions that will be taken, and then click Finish.
7. You can find the newly created group in the Groups list, in the Groups workspace, under
All Users. From here, you can also edit or delete the group.
In the Microsoft Intune account portal, you can create, edit, and delete security groups. You can
use security groups as criteria for the organization groups that service administrators use for day-
to-day management of Intune, including deploying software or assigning policies.
Users and groups you sync from your on-premises Active Directory
Users and groups you add directly to your subscription
1. In the Microsoft Intune account portal, click Security Groups > New to start the New
security group wizard.
2. On the Details page, provide a name for the group, and then click Save.
3. On the Members page, you can add both users and groups to a group:
o To add users: Set List type to Users, select one or more users to add to this group,
and then click Add.
o To add groups: Set List Type to Groups, select one or more groups, and then click
Add.
After you add the users and groups you want to include, click Save and Close to complete the
wizard.
Chapter 5
Set Mobile Devices Management (MDM) Authority
Posted on August 19, 2015 by Mai Ali
To set the Mobile Device Management authority, follow these steps:
4. Enroll devices:
o Android – Install the Company Portal app from Microsoft Corporation available
on Google Play and sign in with Intune user credentials added above.
o iOS – Install the Company Portal app from Microsoft Corporation available in the
App Store and sign in with Intune user credentials added above. View Enrolled
devices to add your device.
o Windows Phone 8.1 – Users install the Company Portal app from Microsoft
Corporation available in the Windows Phone store and sign in with Intune user
credentials added above. View Enrolled devices to add your device.
1. In the Intune administration console, click Admin > Mobile Device Management, and
for iOS, click on Enable the iOS platform
2. Click on Download the APNs Certificate Request. After downloading the certificate
click on Apple Push Certificate Portal.
3. Click on Create a Certificate, Check I have read and agree to these terms and
conditions and click Accept.
Setup requirements for Windows Phone mobile device management depend on how you'll
manage devices. Setting two CNAMEs in your company's DNS registration makes enrollment
easier for users. If your users will download the Company Portal app from the Store, then once
you've configured DNS settings you just need to set up the Company Portal and inform users
how to enroll.
1. In the Intune administration console, click Administration > Mobile Device Management
> Windows Phone.
2. Type the URL of the verified domain of the company website in the Specify a verified
domain name box and then click Test Auto-Detection.
3. Create CNAME resource records for your company’s domain. The CNAME resource
records must contain the following information:
Chapter 6
Create Mobile Management Policies
Intune policies provide you with straightforward settings that help control the security settings on
mobile devices, maintain Windows Firewall and Endpoint Protection settings for computers, and
deploy applications. If you are planning to use the service or devices that you configure in this
walkthrough for real production use (instead of just evaluation), it is absolutely essential that you
follow the instructions found in Manage settings and features on your devices with Microsoft
Intune policies and Help secure computers with Endpoint Protection for Microsoft Intune. In this
walkthrough, you will set up a mobile device security policy and a computer firewall policy, and
then prepare to deploy an app to mobile devices after they are enrolled.
4. Expand Common Mobile Device Settings, select Mobile Device Security Policy, choose
Create and Deploy a Policy with the Recommended Settings, and then click Create
Policy.
5. When prompted to Select the groups to which you want to deploy this policy, select Test
Users from the list, click Add > OK.
6. Your policy appears in the list of configuration policies, and has been deployed to the
Test Users group. Double-click the policy to view its settings.
4. Expand Common Mobile Device Settings, select Mobile Device Security Policy, choose
Create and Deploy a Custom Policy, and then click Create Policy.
5. Configure the security policy “Reset Mobile to factory setting after wrong password” as
follows.
6. Click Yes.
8. Your policy appears in the list of configuration policies, and has been deployed to the All
Direct Managed Devices group. Double-click the policy to view its settings.
Define the rules and settings that a device must comply with in order to be considered compliant
by conditional access policies. You can also use compliance policies to monitor and remediate
compliance issues with devices independently of conditional access.
1. Open the Intune administration console, click Policy > Compliance Policies > Add.
2. On the Create Policy page, configure the settings you require: “Enable Encryption and
required password”.
4. Select the group to which you will assign the policy and click Add.
To create a conditional access policy for Exchange Online, follow these steps:
1. Open the Intune administration console, click Policy > Conditional Access > Exchange
Online Policy.
2. Configure the policy with the settings you require, and check “Block e-mails for accessing
Exchange online if the device is noncompliant”.
3. Under Selected Security Group, click Modify and add the security group to which the policy will apply.
4. Click Save.
Next, configure the policy to require that only managed and compliant devices can access
SharePoint Online. This policy will be stored in Azure Active Directory.
1. In the Microsoft Intune administration console, click Policy > Conditional Access >
SharePoint Online Policy.
3. Under Device platforms, you can choose to apply conditional access policy to All
platforms
4. For Windows PCs, the PC must either be domain joined, or enrolled with Intune and
compliant. You can set the following requirements: Devices must be domain joined or
compliant.
5. Under Targeted Groups, click Modify to select the Azure Active Directory security
groups to which the policy will apply. You can choose to target this to all users or just
select groups of users.
6. Under Exempted Groups, optionally, click Modify to select the Azure Active Directory
security groups that are exempt from this policy.
4. On the Set Up Exchange Connection page, click Set Up Service to Service Connector,
then click Next.
7. Under On-premises Microsoft Exchange server, enter the FQDN of the CAS server and the
credentials of the on-premises Exchange administrator, then click Connect.
1. From the Intune Portal, click Policy > Conditional Access > Exchange On-premises
Policy.
2. Select Block email apps from accessing Exchange On-premises if the device is
noncompliant or not enrolled to Microsoft Intune
4. Click on Save
Chapter 7
Manage Computers Using Microsoft Intune
Install Intune software on computers
You can use one or more of the following methods to install the Intune client:
If you no longer need to manage a computer with Intune, you can retire the computer, which also
removes the client software from the computer.
1. In the Microsoft Intune administration console, click Admin > Client Software Download
2. On the Client Software Download page, click Download Client Software and save the
Microsoft_Intune_Setup.zip package containing the software to a secure location on your
network.
3. Extract the contents of the installation package to the secure location on your network.
1. On a computer, browse to the folder where the client software installation files are
located, and then run Microsoft_Intune_Setup.exe to install the client software.
2. Click Finish.
Note
Do not separate or rename the files, or the client software installation will fail.
3. To deploy the software to computers on your network with Group Policy, open the Group
Policy Management console and create a new GPO.
5. Click Computer Configuration > Policies > Software Settings > Software Installation,
then click New > Package.
9. Log on to the client PC, open cmd, run gpupdate /force and click Yes.
10. The package is now deployed; you will find Intune Center in the Start menu.
Users can self-enroll each of their computers through the Microsoft Intune company portal. Each
enrolled computer is linked to the user account that was used to install the client software.
Note
The user must be an administrator on the computer to install the client software.
Self-enrolling requires that Internet Explorer is installed on the client computer.
Each time a user self-enrolls a computer, it uses an Intune license.
You must use a work or school account to self-enroll a computer. You cannot self-enroll
a computer using a Microsoft account.
If the client software is already installed on a computer, the end-user will receive an
error.
To self-enroll a computer
1. Log on to the company portal from the computer that you want to enroll.
2. Click This device is either not enrolled or the company portal can’t identify it.
You can deploy the Intune client software to computers as part of an operating system image by
using the following example procedure as a basis:
3. Add the following command to setupcomplete.cmd to run the enrollment package with
the /PrepareEnroll command-line argument:
%systemdrive%\temp\Microsoft_Intune_Setup\Microsoft_Intune_Setup.exe /PrepareEnroll
5. Capture an image of the reference computer and then deploy this to targeted computers.
When the targeted computer restarts at the completion of Windows Setup, the
WindowsIntuneEnrollPending registry key is created. The enrollment package checks whether
the computer is enrolled. If the computer is enrolled, no further action is taken. If the computer is
not enrolled, the enrollment package creates a Microsoft Intune Automatic Enrollment Task.
When the Microsoft Intune Automatic Enrollment Task runs at the next scheduled time, it checks
the existence of the WindowsIntuneEnrollPending registry value, and it tries to enroll the
targeted computer in Intune. If the enrollment fails for any reason, the enrollment is retried the
next time the task runs. The retries continue for a period of one month.
The Intune Automatic Enrollment Task, the WindowsIntuneEnrollPending registry value, and
the account certificate are deleted from the targeted computer when the enrollment is successful
or after one month.
Use one of the following procedures to help you monitor and validate successful client
deployment.
To verify the installation of the client software from the Microsoft Intune administrator
console
1. In the Microsoft Intune administration console, click Groups > All Devices > All
Computers.
2. Examine the status of the computer in the bottom pane of the console, and resolve any
errors.
1. In the Microsoft Intune administration console, click Reports > Computer Inventory
Reports.
2. On the Create New Report page, leave all fields as the default values (unless you want to
apply filters), and click View Report.
3. The Computer Inventory Report page opens in a new window that displays all computers
that are successfully enrolled in Intune.
1. In the Microsoft Intune administration console, click Groups > All Devices (or another
group that contains the computer you want to restart).
2. Select one or more computers, and then click Remote Tasks > Restart Computer.
3. Click Yes.
4. To view the task status, click Remote Tasks in the bottom right corner of the page.
5. In the Task Status dialog box, review the current remote tasks, task status, device name,
and any reported errors.
To retire a computer
1. In the Microsoft Intune administration console, click Groups > All Devices (or another
group that contains the computer you want to retire).
2. Select the devices you want to retire, and then click Retire/Wipe.
1. In the Microsoft Intune administration console, click Groups > All Devices (or another
group that contains the computer you want to link to a user).
2. Select the computer that you want to link to a user, and then click Link User.
3. If a user is already linked to the selected computer, that user’s name and user ID are
displayed under Current user. If the computer is not linked to any user, No User appears
under Current User. To link the computer to a new user, in the All users list, select a user.
Confirm that the user data is correct, and then click OK.
2. In the Microsoft Intune administration console, click Alerts > Remote Assistance.
3. Select a Remote Assistance request in the Alerts list to open the properties page of the
request.
4. Click Approve request and launch Remote Assistance to open a dialog box that provides
options for resolving the alert.
5. Click Accept the request. To join the remote session, click Accept the Remote
Assistance request.
Chapter 8
Deploy Applications Using Microsoft Intune
Deploy Apps “Office ProPlus” to Windows PC using Intune
This generally involves three steps:
In this procedure, you'll use the Intune Software Publisher to configure the properties of the app
and, where applicable, upload it to your cloud storage space.
To configure an App
1. In the Intune administration console, click the Apps icon, then click Apps > Add App. If
prompted, enter your Intune credentials.
4. On the Software setup page in Select how this software is made available to devices
select Software installer.
5. Enter the location of the software setup files, and then click Next.
6. On the Software description page, provide the information that you want users to see in
the company portal for the software, and then click Next. The following settings are
available:
Setting | Details
Publisher | Enter the name of the publisher: Microsoft.
Name | Enter Office ProPlus 2016-32 bit.
Description | Enter a description for the software, such as Office ProPlus 2016-32 bit
Category | Select the category that best fits this software: Other
Display this as a featured app and highlight it in the company portal | Select this option to display the app prominently in the company portal on mobile devices.
Icon | Choose whether to associate an icon with the software. The maximum size for the icon is 250 x 250 pixels. The recommended size is 32 x 32 pixels. This setting is optional, so skip it for this walkthrough.
9. On command line argument, select Yes and type “setup.exe /configure install.xml”.
10. On Return code, select Yes and enter “0” for success and “3010” for success with restart.
11. On the Summary page, verify the software information, and then click Upload.
1. In the Intune administration console, click Apps > Apps > Office ProPlus > Manage
Deployment.
2. On the Select Groups page, select All computers to deploy the software to all PCs, and
then click Add > Next.
3. On the Deployment Action page, select Available Install from the Approval column for
your group.
4. Click Finish.
You can see the apps you manage, and their deployment status in the Intune console.
The list of apps you manage will be displayed. You can click on any app to see its installation
status in the lower pane of the console window. Click the status to see more details. For
example, if the status shows 1 computer that has Installation pending, you can click the
message to see the name of the computer.
In this procedure, you'll use the Intune Software Publisher to configure the properties of the app
and, where applicable, upload it to your cloud storage space.
1. In the Intune administration console, click the Apps icon, then click Apps > Add App. If
prompted, enter your Intune credentials.
4. On the Software setup page in Select how this software is made available to devices
select Managed iOS App from App store.
5. Enter the location of the software setup files, and then click Next.
6. On the Software description page, provide the information that you want users to see in
the company portal for the software, and then click Next. The following settings are
available:
Setting | Details
Publisher | Enter the name of the publisher: Microsoft.
Name | Enter Microsoft word for iOS.
Description | Enter a description for the software, such as Other
Category | Select the category that best fits this software: other
Display this as a featured app and highlight it in the company portal | Select this option to display the app prominently in the company portal on mobile devices.
Icon | Choose whether to associate an icon with the software. The maximum size for the icon is 250 x 250 pixels. The recommended size is 32 x 32 pixels. This setting is optional, so skip it for this walkthrough.
8. On the Summary page, verify the software information, and then click Upload.
1. In the Intune administration console, click the Apps icon, then click Apps > Add App. If
prompted, enter your Intune credentials.
4. On the Software setup page in Select how this software is made available to devices
select External link.
5. Enter the external link for the software in Specify the URL, and then click Next. Make
sure that you preface the URL with http://. This example deploys Skype. Depending on
which mobile device platform you are using for this walkthrough, you should use one of
the following links:
a. iOS: https://itunes.apple.com/us/app/skype-for-iphone/id304878510?mt%3D8
b. Android: https://play.google.com/store/apps/details?id=com.skype.raider
c. Windows Phone 8 or Windows Phone 8.1: http://www.windowsphone.com/en-us/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51
6. On the Software description page, provide the information that you want users to see in
the company portal for the software, and then click Next. The following settings are
available (this example refers to Microsoft Lync):
Setting | Details
Publisher | Enter the name of the publisher: Microsoft.
Name | Enter Skype.
Description | Enter a description for the software, such as Skype communication app
Category | Select the category that best fits this software: Collaboration
Display this as a featured app and highlight it in the company portal | Select this option to display the app prominently in the company portal on mobile devices.
Icon | Choose whether to associate an icon with the software. The maximum size for the icon is 250 x 250 pixels. The recommended size is 32 x 32 pixels. This setting is optional, so skip it for this walkthrough.
7. On the Summary page, verify the software information, and then click Upload. Click
Close to exit the wizard.
1. In the Intune administration console, click Apps > Apps > Skype > Manage Deployment.
2. On the Select Groups page, select Test Users to deploy the software to that user group,
and then click Add > Next.
3. On the Deployment Action page, select Available Install from the Approval column for
your group.
4. Click Finish.
You can see the apps you manage, and their deployment status in the Intune console.
The list of apps you manage will be displayed. You can click on any app to see its installation
status in the lower pane of the console window. Click the status to see more details. For
example, if the status shows 6 users have this software available, you can click the message to
see the name of the user.
Chapter 9
Configure Alerts, Notifications and Reports
In the Intune administration console, alerts are used to quickly assess the overall health of
managed devices in your organization. You can configure and customize alerts so that they
report and display only the information you need for your organization. You can set whether an
alert is enabled or disabled, configure the severity, use the display threshold to determine how
frequently an alert event must be triggered before an alert is displayed, and also configure
settings that are specific to certain types of alerts.
Notifications are used to inform administrators (and other users) using e-mail when certain types
of alerts are triggered.
Reports are used to answer a range of questions, such as how many computers have a particular
application or update installed, what malware was blocked, or which users needed Remote
Assistance over the last month.
To configure an alert
1. In the Intune administration console, click Alerts > Overview > Configure Alert Type
Settings.
2. Click the search box, type “malware”, and then click the search icon.
3. Right-click Investigate New Malware > Configure. Note that this alert is part of the
Endpoint Protection category.
4. In the Severity list, change the alert severity to Critical, and then click OK.
1. First we’ll add some email addresses to our list of possible notification recipients. In the
Intune administration console, click Admin > Alerts and notifications > Select Recipients
for Email Notifications.
2. Click Add.
3. Enter and confirm an email address for a notification recipient, then click OK. Repeat as
necessary to add recipients.
4. In the Intune administration console, click Alerts > Overview > and under Tasks, click
Configure Notification Rules.
8. Complete Step 3 of the wizard by choosing the e-mail addresses that will be notified.
1. In the Intune administration console, click Reports > Mobile Device Inventory Reports.
3. Clear the checkbox for All Devices and select the checkbox for Test Devices Mobiles.
5. To view the report, click Load at the top right of the console, then View Report at the
bottom right of the console.
8. You now have a report that shows you the inventory for all devices in the Test Devices
Mobiles group.
Chapter 10
Enroll Mobile Devices in Intune
For Android
Android mobile devices allow users to enroll using the Company Portal app available from
Google Play.
1. On your Android device, open the Play Store and search for Intune, open the Intune
Company Portal app and click on INSTALL, then accept the permissions.
For iOS
1. From the iOS device, open the Apple Store app and search for Intune
3. Click Install
4. Open the app and type your user name and password
5. Click on Sign in
8. Click on Install
9. Enter Passcode
2. Click Intune
conditions before using the Company Portal, provide the following information and click
Save:
Title: Test lab
Text for terms: You agree company terms and conditions before using company
portal
Text to explain what it means if the user accepts: You agree company terms and
conditions before using company portal
2. On customization tab, select Theme color “purple” then select include a company logo.
Select show the company name next to your logo.
Chapter 11
Configure Mobile Application Management Policies “MAM”
Control Applications using Mobile Application Management Policies
Mobile application management policies in Microsoft Intune let you modify the functionality of
apps that you deploy to help bring them into line with your company compliance and security
policies. For example, you can restrict cut, copy and paste operations within a managed app, or
configure an app to open all web links inside a managed browser.
MAM policies will only work with Managed Apps.
2. Select Software, then select Mobile Application Management (iOS 7.1 and later).
7. Click on APPS > Click on Apps, select your managed app “Microsoft word for iOS” and
Click on Manage Deployment
8. Select your group “Test Group” and Click on Add then Click on Next
You can use Mobile Application Management (MAM) without enrolling a device in Intune
MDM policies, or even when the device is enrolled in a third-party MDM solution.
2. Click on Policy
4. Type a name for the policy “App. Policy for Office iOS”
5. Click on Apps
8. Click on Create
10. Click on Add user group and select the group you want the policy to apply to
Chapter 12
Resource Access Profile with Microsoft Intune
Microsoft Intune resource access profiles work together to help your users gain access to the
files and resources they need to do their work successfully, wherever they are.
Intune provides the following mobile device policies that help you to accomplish this goal:
Email profiles in Microsoft Intune help you create, deploy and monitor Exchange ActiveSync
email settings on devices. This lets users access corporate email on their personal devices
without any required setup on their part.
Enable access to corporate email using Email profiles
These steps will help you deploy an email profile for iOS devices.
1. From the Intune Portal, click on Policy > Configuration Policies, then click on Add.
2. Click on Email Profile (iOS 7.1 and later) and Click on Create Policy
3. Type a name for the policy “Email Profile for iOS” and Type the URL for the Exchange
server “Outlook.office.com”
4. Type a name for the profile “Office 365” then Click on Save Policy
5. Click on Yes
6. Select a group to apply the policy to “Test Group” and Click on Add
7. Click on OK
VPN profiles in Microsoft Intune help you deploy Virtual Private Network (VPN) settings to
your users. By deploying these settings, you minimize the end-user effort required to connect to
resources on the corporate network.
Help users connect to their work using VPN profiles
These steps will help you deploy a VPN profile for Windows devices.
1. From the Intune Portal, click on Policy > Configuration Policies and Click on Add
2. Select VPN Profile (Windows 8.1 and later), then click on Create Policy.
3. Type a name for the policy “VPN Profile for Win.” Then Type VPN Connection Name
“Test IT VPN”
4. Type VPN Server Description “VPN Connection to Test IT HQ” and Type server IP
address “41.38.25.xxx”. Click on Save Policy
5. Click on Yes
6. Select a group to apply the policy to “Test Group” and Click on Add
7. Click on OK
Wi-Fi profiles in Microsoft Intune help you deploy wireless network settings to your users. By
deploying these settings, you minimize the end-user effort required to connect to the corporate
network.
Help users connect to company networks using Wi-Fi profiles
These steps will help you deploy a Wi-Fi profile for Android devices.
1. From the Intune Portal, click on Policy > Configuration Policies and Click on Add
2. Click on Wi-Fi Profile (Android 4 and later) Then Click on Create Policy
4. Type Network name “OfficeMaadi” and SSID “OfficeMaadi”. The Network name and
SSID must match.
5. Select “Connect automatically when this network is in range” & “Connect when the
network is not broadcasting its name (SSID)”
6. Select EAP Type “PEAP” and type Enable Identity Privacy “PEAP” Then Click on Save
Policy
7. Click on Yes
8. Select a group to apply the policy to “Test Group” and Click on Add
9. Click on OK
Use the Windows Wi-Fi Import Policy to import a set of Wi-Fi settings that you can then
deploy to the required user or device groups.
1. Open Cmd and run “netsh wlan export profile Dlink_DWR”
2. In the Microsoft Intune administration console, click Policy > Add Policy.
3. Configure a policy of the type Windows > Windows Wi-Fi Import Policy.
4. Specify the following general values for the Windows Wi-Fi Import Policy, Type Name
“Wi-Fi Profile for Windows”
5. Specify the following values under the Custom Wi-Fi Profile heading: Select Import
7. Click Yes.
8. Select a group to apply the policy to “Test Group” and Click on Add
9. Click on OK
Certificate profiles in Microsoft Intune help you secure access to company resources,
including wireless networks and VPN connections.
Configure Prerequisites for Certificate Profile
Before you can configure certificate profiles you must complete the following tasks, which
require knowledge of Windows Server 2012 R2 and Active Directory Certificate Services
(ADCS):
2. Create a new custom template or copy an existing template and then edit an existing
template (like the User template), for use with NDES.
4. On the Subject Name tab, select Supply in the request. (Security is enforced by the Intune
policy module for NDES).
5. On the Extensions tab, ensure the Description of Application Policies includes Client
Authentication.
6. On the Security tab, add the NDES service account, and give it Read and Enroll
permissions to the template.
8. Select the Certificate Templates node, click Action > New > Certificate Template to Issue.
10. Validate that the template was published by viewing it under the Certificate Templates folder.
Step 2, for SCEP profile only: - Configure prerequisites on the NDES server
To configure prerequisites on the NDES server, follow the steps below:
1. When NDES is added to the server, the wizard also installs IIS. Ensure IIS has the
following configurations:
Web Server > Security > Request Filtering
Web Server > Application Development > ASP.NET 3.5. Installing ASP.NET 3.5
will install .NET Framework 3.5. When installing .NET Framework 3.5, install both
the core .NET Framework 3.5 feature and HTTP Activation.
Web Server > Application Development > ASP.NET 4.5. Installing ASP.NET 4.5
will install .NET Framework 4.5. When installing .NET Framework 4.5, install the
core .NET Framework 4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP
Activation feature.
Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility
2. On the server, add the NDES service account as a member of the IIS_IUSRS group.
3. Run the following command to set the SPN of the NDES Service account:
setspn -s http/<DNS name of NDES Server> <Domain name>\<NDES Service account name>
4. On the server that will host NDES, you must log on as an Enterprise Administrator, and
then use the Add Roles and Features Wizard to install NDES.
5. In the Wizard, select Active Directory Certificate Services to gain access to the AD CS
Role Services.
6. Select the Network Device Enrollment Service, uncheck Certification Authority, and then
complete the wizard.
7. On the Installation progress page of the wizard, do not click Close. Instead, click the link
for Configure Active Directory Certificate Services on the destination server.
Step 3, for SCEP profile only: - Configure NDES for use with Intune
2. On the Service Account for NDES page, specify the NDES Service Account
3. On the CA for NDES page, click Select, and then select the issuing CA where you
configured the certificate template.
5. On the Cryptography for NDES page, set the key length to meet your company
requirements.
7. After the wizard completes, edit the following registry key on the NDES Server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\
Edit the 3 Template values and type your template name “IntuneTemplate” in each.
8. After editing the registry, run iisreset on the server to force the server to pick up recent
configuration changes.
2. After you obtain the server authentication certificate, open IIS Manager, select the
Default Web Site in the Connections pane, and then click Bindings in the Actions pane.
3. Click Add, set Type to https, and then ensure the port is 443. (Only port 443 is supported
for standalone Intune).
5. Reboot the NDES server. The server is now ready to support the Certificate Connector.
Step 4 - Enable, install, and configure the Intune Certificate Connector
2. Open the Intune administration console, and then click Admin > Mobile Device
Management > Certificate Connector > Download Certificate Connector.
4. Click Next
5. Click Next
6. Click Next
9. Click Next
16. Open a command prompt and type services.msc, and then press Enter, right-click the
Intune Connector Service, and then click Restart.
17. To validate that the service is running, open a browser and enter the following URL, which
should return a 403 error: http://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll
You are now ready to configure certificate profiles.
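The two checks in the NDES steps above (the Template values under the MSCEP registry key and the 403 response from mscep.dll) can be scripted and rerun after each change. This is an added example, not part of the original guide: the function names and the sample FQDN are hypothetical, and the three value names are not shown in the text above; they are the template values that NDES keeps under the MSCEP key.

```powershell
# Added example: verify the NDES settings described in the steps above.
# Run in an elevated PowerShell session on the NDES server.
# Test-NdesTemplateValues and Test-NdesEndpoint are hypothetical helper names.

function Test-NdesTemplateValues {
    param(
        [string]$ExpectedTemplate = 'IntuneTemplate',   # template name used in this guide
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    )
    # The three template values NDES reads from the MSCEP key.
    $valueNames = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'
    $key = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    foreach ($name in $valueNames) {
        $actual = $key.$name            # $null when the value is missing
        [pscustomobject]@{
            Value    = $name
            Actual   = $actual
            Expected = $ExpectedTemplate
            Ok       = ($actual -eq $ExpectedTemplate)
        }
    }
}

function Test-NdesEndpoint {
    param(
        [Parameter(Mandatory)][string]$NdesFqdn,
        [int]$ExpectedStatus = 403      # status the guide says the URL should return
    )
    $url    = "http://$NdesFqdn/certsrv/mscep/mscep.dll"
    $status = $null
    $detail = ''

    try {
        $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $status = [int]$resp.StatusCode
    }
    catch {
        # Non-2xx answers are thrown as errors; the HTTP status is on the
        # exception's Response object. No Response means no HTTP answer at all
        # (name resolution failure, refused connection, timeout).
        $errResp = $_.Exception.Response
        if ($null -ne $errResp) { $status = [int]$errResp.StatusCode }
        else                    { $detail = $_.Exception.Message }
    }

    [pscustomobject]@{
        Url    = $url
        Status = $status
        Ok     = ($status -eq $ExpectedStatus)
        Detail = $detail
    }
}

# Usage (the FQDN is a constructed placeholder):
#   Test-NdesTemplateValues | Format-Table -AutoSize
#   Test-NdesEndpoint -NdesFqdn 'ndes.contoso.example'
```

Any row with Ok = False points back to step 7 (registry values, followed by iisreset) or to step 17 (service restart and URL check).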
After your infrastructure and certificates are configured, you can configure certificate profiles:
4. When you are finished, click Save Policy. Then Click Yes.
5. Select a group to apply the policy to “Test Group” and Click on Add
6. Click Ok
2. Select Android > SCEP Certificate Profile (Android 4 and later) and Click on Create
Policy
3. Type a name for the policy “SCEP for Android”. Type the URL for the SCEP
6. Click Yes.
7. Select a group to apply the policy to “Test Group” and Click on Add
8. Click Ok
Step 4 - Create .PFX certificate profiles
2. Select Android > PFX Certificate Profile (Android 4 and later) and Click on Create
Policy
4. Type the certificate authority, certificate authority name and certificate Template
8. Click Yes.
9. Select a group to apply the policy to “Test Group” and Click on Add
10. Click Ok
APPENDIX
Firewall and Proxy Server Settings for Client Computers
Those of you out there with firewalls may have run into issues with the Windows Intune clients
having difficulty communicating with the service. The excerpt below provides detailed
information on how to set up your firewall for a successful Windows Implementation. Thanks
goes to our awesome documentation team for putting this together, and to the Windows Intune
client team for doing the research and testing.
If you want to use Windows Intune™ to manage client computers that exist behind firewalls or
proxy servers, you must configure the firewall or proxy server to allow Windows Intune to
communicate with the client computers.
Domain Ports
*.livemeeting.com 80 and 443
*.microsoftonline.com 80
onlinehelp.microsoft.com 80
*.social.technet.microsoft.com 80
blogs.technet.com 80
go.microsoft.com 80
www.microsoft.com 80
Domain Ports
*.update.microsoft.com 80 and 443
download.microsoft.com 80 and 443
update.microsoft.com 80 and 443
Depending on the firewall and how it processes DNS lookup requests, you might also need to
allow access to the domain manage.microsoft.com.nsatc.net on port 80.
Domain Ports
*.manage.microsoft.com 80 and 443
*.spynet2.microsoft.com 443
manage.microsoft.com 80 and 443
wustat.microsoft.com 80 and 443
Domain Ports
*.download.windowsupdate.com 80 and 443
*.windowsupdate.com 80 and 443
download.windowsupdate.com 80 and 443
ntservicepack.microsoft.com 80 and 443
windowsupdate.microsoft.com 80 and 443
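When firewall or proxy deny logs are reviewed against the tables above, the matching rule matters: the tables list both *.manage.microsoft.com and manage.microsoft.com, and a look-alike host that merely contains a listed name must not pass. The following is an added example, not part of the original document; the function name and the sample host/port pairs are constructed, and it assumes a wildcard entry covers subdomains only, not the bare domain.

```powershell
# Added example: check host/port pairs against the Domain/Ports tables above.
# Entries are copied from those tables; Test-IntuneAllowListEntry is a
# hypothetical helper name.
$IntuneAllowList = [ordered]@{
    '*.livemeeting.com'              = @(80, 443)
    '*.microsoftonline.com'          = @(80)
    'onlinehelp.microsoft.com'       = @(80)
    '*.social.technet.microsoft.com' = @(80)
    'blogs.technet.com'              = @(80)
    'go.microsoft.com'               = @(80)
    'www.microsoft.com'              = @(80)
    '*.update.microsoft.com'         = @(80, 443)
    'download.microsoft.com'         = @(80, 443)
    'update.microsoft.com'           = @(80, 443)
    'manage.microsoft.com.nsatc.net' = @(80)      # only needed on some firewalls, per the text above
    '*.manage.microsoft.com'         = @(80, 443)
    '*.spynet2.microsoft.com'        = @(443)
    'manage.microsoft.com'           = @(80, 443)
    'wustat.microsoft.com'           = @(80, 443)
    '*.download.windowsupdate.com'   = @(80, 443)
    '*.windowsupdate.com'            = @(80, 443)
    'download.windowsupdate.com'     = @(80, 443)
    'ntservicepack.microsoft.com'    = @(80, 443)
    'windowsupdate.microsoft.com'    = @(80, 443)
}

function Test-IntuneAllowListEntry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )
    # Normalise: lower case, no surrounding spaces, no trailing root dot.
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()

    foreach ($pattern in $IntuneAllowList.Keys) {
        if ($pattern.StartsWith('*.')) {
            # Assumption: "*.example.com" matches subdomains only. The suffix
            # keeps its leading dot, so "evilexample.com" cannot match.
            $suffix      = $pattern.Substring(1)
            $hostMatches = $h.EndsWith($suffix, [System.StringComparison]::Ordinal) -and
                           ($h.Length -gt $suffix.Length)
        }
        else {
            # Exact entries are compared whole, never as a substring.
            $hostMatches = ($h -eq $pattern)
        }

        if ($hostMatches -and ($IntuneAllowList[$pattern] -contains $Port)) {
            return [pscustomobject]@{ HostName = $h; Port = $Port; Allowed = $true; Rule = $pattern }
        }
    }
    [pscustomobject]@{ HostName = $h; Port = $Port; Allowed = $false; Rule = $null }
}

# Constructed sample of host/port pairs, as they might appear in a deny log.
$sample = @(
    @{ HostName = 'manage.microsoft.com';             Port = 443 }   # exact entry
    @{ HostName = 'node1.manage.microsoft.com';       Port = 443 }   # covered by the wildcard entry
    @{ HostName = 'go.microsoft.com';                 Port = 443 }   # host is listed, port 443 is not
    @{ HostName = 'manage.microsoft.com.example.net'; Port = 443 }   # look-alike suffix, no match
)
foreach ($entry in $sample) { Test-IntuneAllowListEntry @entry }
```

Entries that come back with Allowed = False are either traffic the tables do not cover or a host and port the firewall rule set needs to be compared against more closely.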
If the client computers exist behind a proxy server, you must configure the proxy server as
follows:
Windows Intune communicates with client computers by using both the HTTP and
HTTPS protocols. Confirm that the proxy server supports HTTP and HTTPS.
Windows Intune supports the Non-auth and Negotiate (Kerberos) authentication
methods. If the proxy server uses the Negotiate (Kerberos) authentication method, the
proxy server must allow computer accounts (instead of domain user accounts) to be
enrolled in the service because the client software enrollment package runs as user
LocalSystem.
You can modify proxy server settings on individual client computers, or you can use Group
Policy to change settings for all client computers that exist behind a specified proxy server.
Authenticated proxy servers are not supported
Other articles
This eBook is part of a series of articles dedicated to Configuration and Troubleshooting System
Center Family and Intune.
They are actually written and hosted on Mai Ali’s Blog http://expertslab.wordpress.com
How to Install Operation Manager 2012R2 using PowerShell
Troubleshooting the Installation of the System Center Operations Manager Agent
SQL Server cannot authenticate using Kerberos because the Service Principal Name
(SPN) is missing, misplaced, or duplicated
Removing Bulk Management Packs using PowerShell
Enable Proxy Agent for all SCOM Agents
Error Configure Portal web site during Install SCSM