
Five Security Tips for Windows Intune

Published: April 18, 2011

Author: Richard Harrison, Technical Product Manager, Windows Intune, Microsoft Corporation

As many of you know, Windows Intune launched on March 23, 2011 in 35 countries. In this article, I would like to explain how you can use the security features in Windows Intune to implement a few best practices that can help you better protect your PCs. The five tips that I’d like to walk you through today are:


Enable Windows Intune Endpoint Protection

Windows Intune Endpoint Protection (WIEP) client agents are based on the same protection engine as Forefront Endpoint Protection (FEP) 2010. By default, if you have a third-party malware protection product installed when you run the Windows Intune setup, WIEP will not be installed. If that is not the behavior you want, we recommend that you remove your existing malware protection just before you install Windows Intune. If this is not possible, you can use Windows Intune policies to override this default behavior and force WIEP to be installed. This policy setting is in the Windows Intune Agent Settings policy template shown in Figure 1:

Figure 1: Default Enable Endpoint Protection Setting

This default setting should be changed to “Yes” to ensure that WIEP is installed on all your managed clients. If these clients are running one of the following protection products, WIEP will automatically remove and replace them:

  • Microsoft Security Essentials.
  • Forefront Endpoint Protection 2010.
  • Symantec Endpoint Protection version 11.
  • Symantec Corporate Edition version 10.
  • McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent.
  • Forefront Client Security version 1 and the Operations Manager agent.
  • TrendMicro OfficeScan version 8 and version 10.

If you are running a different protection product, we recommend that you either manually remove the product or disable its real-time protection. If you do not, the client will be running two protection products at the same time, which can have a performance impact on that computer and is therefore not recommended.
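To find managed PCs that ended up in the two-products state described above, the following added example (not from the original article) queries Windows Security Center for every registered antimalware product and warns when more than one has real-time protection enabled. It assumes Windows Vista or later (the root\SecurityCenter2 namespace) and uses only PowerShell 2.0 syntax, so it runs on the client versions the article covers.

```powershell
# Added example: list antimalware products registered with Windows Security
# Center and flag the case where several have real-time protection enabled.
# Assumes Windows Vista or later (root\SecurityCenter2); Windows XP uses
# root\SecurityCenter with a different class layout and is not handled here.

function Get-RegisteredAntimalware {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        ForEach-Object {
            # productState is a bit field reported by the product itself:
            #   bit 0x1000 set  -> real-time protection is on
            #   bit 0x0010 set  -> definitions are out of date
            $state = [int]$_.productState
            New-Object PSObject -Property @{
                Name         = $_.displayName
                RealTimeOn   = (($state -band 0x1000) -ne 0)
                DefsUpToDate = (($state -band 0x0010) -eq 0)
                RawState     = ('0x{0:X6}' -f $state)
            }
        }
}

function Test-SingleRealTimeProduct {
    # Returns $true when exactly one product has real-time protection on.
    $products = @(Get-RegisteredAntimalware)
    $active   = @($products | Where-Object { $_.RealTimeOn })
    $products | Format-Table Name, RealTimeOn, DefsUpToDate, RawState -AutoSize

    if ($active.Count -gt 1) {
        $names = ($active | ForEach-Object { $_.Name }) -join ', '
        Write-Warning ("{0} products have real-time protection enabled: {1}" -f $active.Count, $names)
        return $false
    }
    if ($active.Count -eq 0) {
        Write-Warning 'No registered product has real-time protection enabled.'
        return $false
    }
    return $true
}

Test-SingleRealTimeProduct
```

Run it on a client after WIEP is installed; a `$false` result with two names listed means the old product's real-time protection is still active and should be removed or disabled as the article recommends.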


Set Up Security Standards

Windows Intune policies are focused on providing you with fast and straightforward settings that control updates, endpoint protection, firewall settings, and the end-user experience. These work no matter which domain your computers are joined to, and even if they are not domain-joined.

The following steps will take you through the process of setting up a default Windows Intune Security policy.

  1. From the Windows Intune Administration Console, click the Policy workspace tab.
  2. Under the Tasks panel click Create a New Policy. At the Create New Policy Wizard, highlight the Policy Templates.
  3. Select the AgentSettings template and click Create New Policy.
  4. The Agent Settings control the endpoint protection and software update settings for the agents on the managed computers. Scroll down and review the settings you can configure, such as the malware scheduled scan time, SpyNet membership, and update detection frequency. If you click the information icon next to each setting, you can read details of the setting along with a recommended value, where appropriate, as shown in Figure 2.

    Figure 2: Default Scan Schedule Policy Setting.

  5. Once you have configured the settings you wish to apply in your default policy, click Save Policy.
  6. At the Deploy Policy window, click Yes and then select the All Computers group to deploy this policy to all computers you are managing.

You can now repeat this process for the Windows Firewall Settings policy template. This policy allows you to control a computer’s local Windows Firewall rules and create exceptions that open specific firewall ports, which enables or disables features such as File and Print services or remote administration. Once you have the default policies in place, you can apply more specialized security policies to other groups in your organization, if required. If you do this, the policy lowest in the group hierarchy takes precedence.

It is worth spending some time reviewing the settings in these policies to ensure that you configure the security settings to meet the exact needs of your organization. These will then be inherited by the clients the next time they connect to the Internet and check in with the Windows Intune service.


Automate Security Update Approval

By default, Windows Intune waits until an administrator manually approves each Microsoft update before allowing the managed PC to download and install it. However, if you wish to make sure your clients get critical or security updates as soon as possible, you can configure Windows Intune auto-approval rules so that these updates are approved and deployed as soon as the client checks its update status. The following steps will take you through the process of setting up an auto-approval rule for Critical and Security updates.

  1. From the Windows Intune Administration Console, click Administration and Updates.
  2. Select Automatic Approval Rules, scroll down to the bottom of the page, if required, and then click New...
  3. Type in a Rule name such as: “Default Approval Rule” then click Next.
  4. Check the All Categories option and click Next.
  5. Now you can select the update classifications that you wish to automatically approve. We recommend that you select the categories shown in Figure 3 to be automatically approved, as these will help to keep your managed PCs better protected from new threats or vulnerabilities.

    Figure 3: Select Update Classifications.

  6. Once you have selected the classifications you wish to automate, click Next.
  7. Now you can select the groups you wish to deploy this rule to. To deploy it to all your managed computers, select the All Computers group and click Finish.
  8. Click Run Selected to force this rule to evaluate all current updates and make them available to the managed computers the next time they check in. If you click Save here, the rule will only apply to future updates as they are released.

As the managed computers check back in to the service when they connect to the Internet, they will be instructed to apply all critical and security updates as soon as they are available.
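To confirm on a managed PC that the auto-approval rule is actually delivering updates, the following added example (not from the original article) asks the Windows Update Agent, via its COM API, for software updates that are not yet installed and reports those classified as Critical Updates or Security Updates. It assumes the Windows Update Agent is present and that the PC is pointed at the update source Windows Intune configures; the search runs against whatever source the agent is configured to use.

```powershell
# Added example: list pending Critical/Security updates on this PC using the
# Windows Update Agent COM API (Microsoft.Update.Session). The search uses the
# PC's configured update source, so on an Intune-managed client it reflects
# what the approval rules have made available. PowerShell 2.0-compatible.

function Get-MissingCriticalSecurityUpdates {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that are applicable but not installed on this PC.
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        $categories = @($update.Categories | ForEach-Object { $_.Name })
        if (($categories -contains 'Security Updates') -or
            ($categories -contains 'Critical Updates')) {
            New-Object PSObject -Property @{
                Title    = $update.Title
                KB       = (@($update.KBArticleIDs) -join ',')
                Severity = $update.MsrcSeverity      # e.g. Critical, Important
                Category = ($categories -join '; ')
            }
        }
    }
}

function Test-CriticalSecurityUpdatesApplied {
    # Returns $true when nothing critical or security-related is pending.
    $missing = @(Get-MissingCriticalSecurityUpdates)
    if ($missing.Count -eq 0) {
        Write-Host 'No critical or security updates are pending on this PC.'
        return $true
    }
    Write-Warning ("{0} critical/security update(s) pending" -f $missing.Count)
    $missing | Format-Table Title, KB, Severity, Category -AutoSize
    return $false
}

Test-CriticalSecurityUpdatesApplied
```

A `$false` result shortly after the rule was run with Run Selected usually means the client has not checked in yet; a `$false` result that persists across check-ins points at the rule's classifications or target group.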


Set Up Email Notifications for Alerts

Windows Intune tracks alerts from the managed computers, and you can monitor them in the Alerts workspace of the Administration console. However, to make sure you or your support team get these alerts as soon as possible, we recommend setting up Windows Intune to also email the alerts. To do this, follow the steps below:

  1. From the Windows Intune Administration Console, click the Administration workspace tab.
  2. Click on Alerts and Notifications.
  3. Next, click Recipients and then click the Add option as highlighted in Figure 4:

    Figure 4: Add Recipients.

  4. Add the required email support aliases.
  5. Next, select Notification Rules and select the alert rules you wish to send emails for. Then, click the Recipients option as highlighted in Figure 5:

    Figure 5: Select Recipients.

  6. Now you can select which email recipients will receive emails for these alerts.

We recommend that you set up these notification rules for All Critical Alerts and Remote Assistance Requests. This way, your support team can be made aware of any urgent security-related alerts as soon as possible.


Upgrade to Windows 7 Enterprise Edition

The last, and definitely not least, recommendation is to make sure your Windows Intune managed PCs are upgraded to Windows 7 Enterprise edition. Although Windows Intune supports both Windows XP and Windows Vista (Professional, Business, or higher editions), we recommend using the upgrade rights to Windows 7 Enterprise included in a Windows Intune paid subscription. The security benefits of Windows 7 have been well documented, and with the inclusion of BitLocker and BitLocker To Go you can better protect your PCs and portable storage devices.

To learn more about Windows Intune or sign up for a 30-day trial, visit www.windowsintune.com. For technical guidance to help you get the most of your trial and deploy Windows Intune as your PC management solution, visit the Windows Intune Resource Zone on TechNet.

About the Author

Richard Harrison is the Windows Intune Technical Product Manager at Microsoft. He has over 25 years of IT experience and has specialized on the Windows platform for the past 15 years.

Richard has worked with a wide variety of products and technologies and has authored a number of books and guides including the Microsoft Antivirus Defense-in-Depth Guide and the Branch Office Infrastructure Solution (BOIS), and has co-authored several Windows Server and Client Security Guides for the Microsoft Solution Accelerator Team.

Related Resources

  • Windows Intune Resource Zone

    Find technical guidance and troubleshooting resources for IT professionals.

  • Windows Intune Technology Tune-up

    Explore best practices in PC management, the challenges of protecting and supporting remote users, and real life experiences with Windows Intune, Microsoft's cloud-based PC management solution.

  • Windows Intune 30-Day Trial

    Download a free trial to see how it can help you better manage and secure your PCs using Windows cloud services and Windows 7.
