
Using Windows Intune Endpoint Protection or an Existing Endpoint Protection Application

Updated: January 1, 2014

Applies To: Windows Intune

Before deploying Windows Intune to client computers that have another endpoint protection application running, determine which of the following approaches is optimal for your environment:

  • Use Windows Intune Endpoint Protection instead of the existing endpoint protection application.

  • Do not use Windows Intune Endpoint Protection; continue to use the existing endpoint protection application instead.

Use Windows Intune Endpoint Protection to Help Secure Client Computers

To use Windows Intune Endpoint Protection to help secure client computers, do the following:

  1. Leave the other endpoint protection application running while you deploy the Windows Intune client software to the client computers.

  2. Determine how you will remove the other endpoint protection application from the client computers.

    Important
    With this version of Windows Intune, Endpoint Protection will be automatically installed in the next service window (if there are any service windows defined for the client computers), unless Endpoint Protection policy settings are configured as described below in Continue to Use an Existing Endpoint Protection Application Instead of Windows Intune Endpoint Protection.

  3. After you confirm that the policy has taken effect and that Windows Intune is helping to secure client computers, remove the existing endpoint protection application from those clients.

After you deploy the Windows Intune client software, Windows Intune Endpoint Protection contacts the Windows XP Windows Security Center (which must be enabled for this to occur) or the Windows Action Center (Windows Vista® and later) to check whether another endpoint protection application is installed. If another endpoint protection application is installed and Windows Intune Endpoint Protection detects the application, Windows Intune Endpoint Protection automatically disables itself if the "Install Endpoint Protection even if a third party endpoint protection application is installed" setting is set to No. If Windows Intune Endpoint Protection does not detect the other endpoint protection application, Windows Intune Endpoint Protection will remain enabled.
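Because detection depends on what is registered with Action Center, it helps to check a client's registration before removing anything. The following PowerShell script is an added example, not part of the original Microsoft topic. It assumes Windows Vista or later (the root\SecurityCenter2 WMI namespace), and the display-name pattern used to recognize Windows Intune Endpoint Protection is an assumption to verify on your own clients.

```powershell
# Added example: list antivirus products registered with Action Center on this client.
# Assumes Windows Vista or later; root\SecurityCenter2 is absent on Windows XP and on
# Windows Server. Get-WmiObject keeps the script usable on Windows PowerShell 2.0.
param(
    # Assumption: wildcard for the name Intune Endpoint Protection registers under.
    # Compare it with the DisplayName values printed below before relying on it.
    [string]$IntuneNamePattern = '*Intune Endpoint Protection*'
)

function Get-RegisteredAntivirus {
    try {
        $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' `
                          -Class AntiVirusProduct -ErrorAction Stop)
    } catch {
        throw "Cannot query root\SecurityCenter2: $($_.Exception.Message)"
    }
    foreach ($p in $products) {
        $state = [uint32]$p.productState
        New-Object PSObject -Property @{
            DisplayName  = $p.displayName
            ProductState = '0x{0:X6}' -f $state
            # productState is not publicly documented. These two decodes follow the
            # commonly used convention; treat them as a hint, not as ground truth.
            Enabled      = (($state -band 0x1000) -ne 0)
            UpToDate     = (($state -band 0x10) -eq 0)
            Executable   = $p.pathToSignedProductExe
        }
    }
}

$registered = @(Get-RegisteredAntivirus)
$registered | Format-Table DisplayName, ProductState, Enabled, UpToDate -AutoSize

# Anything that does not match the Intune pattern counts as "another" application.
$other = @($registered | Where-Object { $_.DisplayName -notlike $IntuneNamePattern })

if ($registered.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Action Center on this client.'
} elseif ($other.Count -gt 0) {
    $names = ($other | ForEach-Object { $_.DisplayName }) -join ', '
    Write-Output "Other registered products: $names"
    Write-Output 'Keep them in place until Intune Endpoint Protection is confirmed enabled.'
} else {
    Write-Output 'Only the product matching the Intune pattern is registered.'
}
```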

If Windows Intune Endpoint Protection detects another endpoint protection application on client computers, you can use the policy settings described below to manage the behavior of Windows Intune Endpoint Protection and the other endpoint protection application:

  • Deploying a new client: If you are deploying a new client, set the following policy values to ensure that the client uses Windows Intune Endpoint Protection:

    • Install Endpoint Protection = Yes

    • Install Endpoint Protection even if a third party endpoint protection application is installed = Yes

    • Enable Endpoint Protection = Yes

  • Upgrading an existing client that has Endpoint Protection enabled by policy already: The existing policy will be migrated. You do not need to make any changes, and the client will continue to receive Endpoint Protection updates.

  • Upgrading an existing client that has Endpoint Protection enabled but no policy configured: These clients will continue to have Windows Intune Endpoint Protection enabled, as long as you use the following policy settings:

    • Install Endpoint Protection = Yes

    • Install Endpoint Protection even if a third party endpoint protection application is installed = Yes

  • Upgrading an existing client that has Windows Intune Endpoint Protection installed, but not enabled: If this client is using third-party endpoint protection, then it will continue to work as before. If you want this client to use Windows Intune Endpoint Protection and get updates, set the following policy values:

    • Install Endpoint Protection = Yes

    • Install Endpoint Protection even if a third party endpoint protection application is installed = Yes

    • Enable Endpoint Protection = Yes

After you confirm that Windows Intune Endpoint Protection is helping to secure the client computers, you can remove or disable the other endpoint protection application.

Continue to Use an Existing Endpoint Protection Application Instead of Windows Intune Endpoint Protection

To continue to use an existing endpoint protection application, install and deploy the Windows Intune client software on client computers as required. If you have set the policy values for "Install Endpoint Protection" and "Enable Endpoint Protection" to Yes, and the policy value for "Install Endpoint Protection even if a third party endpoint protection application is installed" to No, Windows Intune Endpoint Protection will detect that another endpoint protection application is installed and will disable itself. However, Windows Intune Endpoint Protection does report on the health of the other endpoint protection application, and it displays that information in the Windows Intune administrator console. If it does not detect another endpoint protection application, Windows Intune Endpoint Protection will remain enabled unless you set the policy value for "Install Endpoint Protection" to No.

Removing Non-Microsoft Endpoint Protection Software

Windows Intune will no longer provide non-Microsoft endpoint protection application removal functionality. If you want to remove a non-Microsoft endpoint protection application from client computers, you can do so in either of the following ways:

  • Use Windows Intune Software Distribution to deploy a removal tool that is provided by the manufacturer of the non-Microsoft endpoint protection application.

  • Remove the non-Microsoft endpoint protection application manually.

 
© 2014 Microsoft. All rights reserved.