Configuring Windows Intune part 2

In the previous tutorial, we helped you set up your Windows Intune environment so that you can get ready to manage and secure PCs through the web-based administration console. Specifically, we provided steps to guide you around the administration console, add administrators to the administration console, and set your default policies.

This tutorial will help you install the client software on PCs you will manage so that you can easily monitor the health and status of your PC environment. You will also learn how to configure groups to help organize the computers you have added to the service, setup automatic approval rules to speed up the deployment of critical updates, and configure alert notifications to help your administrators get the latest alerts.

In this article:


Client Enrollment

Before you can manage a computer with Windows Intune you will need to install the Windows Intune client software package on the PC - this can be your physical PC or even a virtual machine. Starting from the Systems Overview workspace, click either the Download and Deploy the Client Software link or click the Administration workspace and then select Client Software Download. The software can be installed on 32- and 64-bit version of the operating systems and will support Windows XP, Windows Vista and Windows 7.


Before you deploy the Windows Intune client, you should consider how you want to handle your existing malware protection software. By default, Windows Intune Endpoint Protection will not be installed if existing protection software is detected. If you want to ensure you are using the Windows Intune Endpoint Protection, we recommend removing the third-party malware protection software just before the Windows Intune installation.

To install the client software on a computer, follow these steps:

  1. Click on Download Client Software.
  2. When the download dialog opens, select Save and select a secure location to save the download package.
  3. Once the download has completed, open the folder where you saved the installation package.
  4. Right-click the package and select Extract All..., this will display the dialog box shown in Figure 1.

    Setup files extraction process

    Figure 1. Setup files extraction process

  5. Click Browse... to select an alternative path (if required) and then click Extract to extract the setup files.
  6. When the extraction has completed, a new window will be displayed similar to that shown in Figure 2.

    Extracted setup files

    Figure 2. Extracted setup files

  7. These files can be copied to a network share, a thumb drive, or deployed using an electronic software deployment (ESD) system. However it is important to keep these two files together as the ACCOUNTCERT file is used by the setup application when it is executed.


    If your ESD requires a Microsoft Installer (MSI) file for distribution, you can use the /Extract command line argument on the Windows_Intune_Setup.exe file to extract both a 32 bit and 64 bit MSI package. You can also use the /Quiet argument if you wish to suppress the Installation wizard and run it with no user interaction.

    If you wish to use the standard installation process, make sure you are logged on with an account that has local administration rights and double click Windows _Intune_Setup.exe from the client computer. Then follow the instructions in the Setup Wizard to complete the installation.

Once the installation has completed, you may be prompted to reboot the computer, this will allow the protection and update agents to complete their installation and will download any required malware protection definitions and other agent updates. The computer account will appear in the Administration console within a few minutes, but it can take up to 30 minutes for all the agents to complete their installations and report all inventory and status updates.

Offline Client Enrollment

For the standard installation process to complete a live Internet connection is required. If this is not possible at installation time, for example if you are installing the agent into a deployment image that will be used to create a number of computer deployments, there is a command line switch that can be used to schedule a task that will attempt to enroll the computer at a later time. This will ensure that the computer image is not enrolled before it has been deployed to the target computer. To launch a delayed installation use the following command line argument to launch the installation:

Windows_Intune_Setup.exe /PrepareEnroll

For more information on using this installation option, see the Windows Intune Online Help website at


Organizing Your Computers

The following steps will take you through the process of configuring groups to help organize the computers you will add to the service. Below is an example of how you can go about setting up your first computer groups. Feel free to customize this to meet your organization's needs.

  1. From the Windows Intune Administration Console click the Computers Tab.
  2. You will see two groups: All Computers and Unassigned Computers.
    The All Computers group contains all computers managed by the system at any one time, whereas the Unassigned Computers group will contain computers that have not been assigned to a group yet by the systems administrator.
  3. Click on the Create Computer Group link in the Tasks panel on the right.
  4. In the Name box, type "HQ".
  5. In the Description, type "Our HQ site computers".
  6. Under the Parent Group heading, make sure the All Computers group is selected so that this group appears at the top level of the groups.
  7. Now scroll down the page until you can see the Members section of the page.
  8. Click the Add... button and select computers to add to the group.
  9. Click OK to add the computers and click Create Computer Group.
  10. Now you can click on the new group in the list to the left and this will show the status of computers in that group.
  11. Next, click on the Computers tab in the main information panel to show the computers you added to the group.

You can now repeat these steps for all groups you wish to create. Figure 3 shows three examples of grouping strategies you could use to help organize your computers. Managed computers can be a member of multiple Windows Intune groups. This allows you a great deal of flexibility in how you can use groups.

Grouping examples

Figure 3. Grouping examples

It is important to know that these groups are completely independent of any Active Directory Domain Service (ADDS) groups you have in your domains. The groups only apply to the Windows Intune agents so you are free to change these to meet those needs without having to worry about any possible conflict with ADDS groups.


The numbers in the Departmental example are used to help organize the order the groups are listed in. By default they are sorted alpha-numerically.

Once you have created the groups you need to organize your computers you can use them to control the deployment of your Windows Intune polices, software updates and application deployment.


Manage Update and Automatic Approvals

The groups you created above can now be used to deploy Windows Intune Policies, software updates, and software packages. If you wish to closely manage all the updates that are managed by Windows Intune you can use the Updates workspace to Approve or Decline them. However, if you wish to ensure that critical or security updates are installed as quickly as possible on your managed PCs, you can use the Windows Intune auto-approval rules. The following steps will take you through the process of setting up an auto-approval rule that can be used to help automate the process of approving updates of the classifications you select.

  1. From the Windows Intune Administration Console click Administration and Updates.
  2. Select Automatic Approval Rules, scroll down to the bottom of the page, if required, and then click New....
  3. Type in a Rule name such as: "Default Approval Rule" then click Next.
  4. In Step 2 of 4, check the All Categories option and click Next.
  5. Now you can select the update classifications that you wish to automatically approve. We recommend that you select the categories shown in Figure 4 to be automatically approved as these will help to keep your managed computer better protected from new threats or vulnerabilities.

    Approval rule classifications

    Figure 4. Approval rule classifications

  6. Once you have selected the classifications you wish to automate, click Next.
  7. Now you can select the groups you wish to deploy this rule to. To deploy it to all your managed computers, select the All Computers group and click Finish.
  8. Click Run Selected to force this rule to evaluate all updates on the systems currently and make them available for the managed computers the next time they check in. Or if you click save here, it will only apply to future updates as they are released.

As the managed computers check back in to the service (by default this is every 8 hours), they will be instructed to apply all critical and security updates as soon as they are available.

For those updates that you wish to approve manually, you can use the Updates workspace to review and approve them. There are two types of updates that can be managed in Windows Intune, the first is the Microsoft Updates that are automatically made available to you via the Windows Intune service. For these updates you simply need to select the update and approve it for deployment to the groups you select as shown in Figure 9. You can approve these updates to individual Windows Intune groups or you can approve the updates to higher level groups such as the All Computers group and use inheritance to allow the updates to be approved to all lower level groups.


If you hold down the CTRL or SHIFT keys while selecting the updates you wish to approve you can select multiple updates to approve at once.

Update approval settings

Figure 5. Update approval settings

The second type of update you can manage with Windows Intune are third party updates. For these updates to be approved you first have to obtain the update package (usually an MSI, MSP, or EXE package.) Once you have the update that will update the previous application you will need to select the Upload task from the Update workspace. This will start the Update upload wizard that will walk you through the process of creating the update package which can then be approved for deployment in the same way as the Microsoft updates, as shown in Figure 5.


Set up Alerts Notifications

Windows Intune tracks alerts for your managed computers and you can monitor these via the Alerts workspace or you can have the service email alerts directly to email accounts.

From the Windows Intune Administration Console click the Administration workspace tab. Then:

  1. Click on Alerts and Notifications.
  2. Click Recipients and click the Addoption as highlighted in Figure 6.

    Adding a recipient

    Figure 6. Adding recipients

  3. Add as many email aliases as you need.


    Being made a recipient does not allow access to the Windows Intune Administration console. If you wish to allow any of these recipients to logon to the console, you will need to add them as a service administrator.

  4. Select Notification Rules and select the Alert rules you wish to send emails for and then click the Select Recipients...option as highlighted in Figure 7.

    Selecting recipients

    Figure 7. Selecting recipients

Now you can select which email recipients will receive an email for these alerts.

We recommend that you, as a minimum, set up the Remote Assistance Requests for notifications as these alerts are generated by the end user and are typically time critical. You can also use the Create New Rule... option to create customized rules to meet your organization's specific needs, if required.



This guide has taken you through the key steps to install the Windows Intune client software on PCs you will manage using the web-based administration console. In the third and final installment, we will help you learn how to assess the health of your computers, create custom reports, deploy software and remote control a managed computer using Windows Intune Remote Assistance.

Also in this guide:

Skip to main content