Help secure Windows PCs with Endpoint Protection for Microsoft Intune


Updated: January 19, 2016

Microsoft Intune can help you to secure your managed computers in a number of ways, including Endpoint Protection, which provides real-time protection against malware threats, keeps malware definitions up to date, and automatically scans computers. Endpoint Protection also provides tools that help you to manage and monitor malware attacks.

If you have not yet installed the Intune client on your computers, see Install the Windows PC client with Microsoft Intune.

Use the information in the following sections to help you configure, deploy and monitor Endpoint Protection.

Using Endpoint Protection in Microsoft Intune

Before you start

As an IT admin, one of your top priorities is to keep the computers that you manage free of malware and viruses. Before you deploy Microsoft Intune to client computers in your organization, you should decide how to protect your computers by selecting one of the following options and configuring its associated policy settings:

I want to: Use Microsoft Intune Endpoint Protection only if no third-party endpoint protection application is installed
  You can use Microsoft Intune Endpoint Protection on all computers where a third-party endpoint protection application is not installed.
  Endpoint Protection policy settings:
    Install Endpoint Protection = Yes
    Enable Endpoint Protection = Yes
    Install Endpoint Protection even if a third-party endpoint protection application is installed = No
  More information: If a third-party endpoint protection application is detected, Microsoft Intune Endpoint Protection will not be installed, or will be uninstalled if it has already been installed.

I want to: Use Microsoft Intune Endpoint Protection, even if a third-party endpoint protection application is installed
  With this approach, you will be running Microsoft Intune Endpoint Protection and the third-party endpoint protection application (if it is installed) simultaneously. This is not a recommended configuration because of potential performance issues.
  Endpoint Protection policy settings:
    Install Endpoint Protection = Yes
    Enable Endpoint Protection = Yes
    Install Endpoint Protection even if a third-party endpoint protection application is installed = Yes
  More information: Use when:
    - You want to switch to using Microsoft Intune Endpoint Protection.
    - You deploy a new client that will use Microsoft Intune Endpoint Protection.
    - You upgrade any client that will use Microsoft Intune Endpoint Protection.

I want to: Use Microsoft Intune without Microsoft Intune Endpoint Protection
  In this case, you won’t be using Microsoft Intune Endpoint Protection to protect your computers from malware and viruses. Instead, you will rely on a third-party endpoint protection application.
  Endpoint Protection policy settings:
    Install Endpoint Protection = No
  More information: If you are not using a third-party endpoint protection application, this configuration is not recommended, as it could expose your organization’s computers to malware or other attacks. Microsoft Intune Endpoint Protection is not installed, and it is uninstalled if it was installed previously.

If you want to switch from your current endpoint protection application to Microsoft Intune Endpoint Protection, use the following steps, which are explained in more detail later in this topic:

  1. Leave your current endpoint protection application running while you deploy the Intune client software to those computers.

  2. Confirm that Microsoft Intune Endpoint Protection is installed and is helping to secure client computers.

  3. Remove the third-party endpoint protection software by:

    • Using Intune software distribution to deploy a software removal tool that is provided by the manufacturer of the third-party endpoint protection application. For more information, see Deploy and configure apps with Microsoft Intune.

    • Removing the third-party endpoint protection application manually.

Note: Intune will not uninstall third-party endpoint protection applications.

How to configure Microsoft Intune Endpoint Protection

Use the following procedure to help you configure Endpoint Protection for Microsoft Intune. Intune can manage Endpoint Protection for Windows 10 Technical Preview. Certain policy settings are only available for Windows 10.

  1. In the Microsoft Intune administration console, click Policy > Add Policy.

  2. Configure and deploy a Microsoft Intune Agent Settings policy for the Endpoint Protection settings. You can use recommended settings or customize the settings. If you need more information about how to create and deploy policies, see the Common Windows PC management tasks with the Microsoft Intune computer client topic.

    The tables after this procedure show the values you can configure in the policy and also the recommended values that will be used if you don’t customize the policy. You can find these settings in the Endpoint Protection section.

You can view the deployed Endpoint Protection policy on the All Policies page of the Policy workspace.

Endpoint Protection service settings

Install Endpoint Protection
  Set to Yes to install Endpoint Protection on managed computers. If a third-party endpoint protection application is detected during installation, Endpoint Protection will not be installed unless Install Endpoint Protection even if a third party endpoint protection application is installed is set to Yes. Note: Intune Endpoint Protection is installed on managed computers by default. If you don’t want Endpoint Protection installed on your managed computers, you must explicitly set this policy to No. If Endpoint Protection was previously installed and the policy is updated to No, then the Endpoint Protection client will be uninstalled.
  Recommended value: Yes

Install Endpoint Protection even if a third party endpoint protection application is installed
  Set to Yes to install Microsoft Intune Endpoint Protection even if a third-party endpoint protection application is detected.
  Recommended value: Yes

Enable Endpoint Protection
  Set to Yes to enable Microsoft Intune Endpoint Protection on computers which have the Endpoint Protection client.
  If set to No, and Microsoft Intune Endpoint Protection is installed, the Endpoint Protection client user interface is not displayed to users and all protection features are inactive.
  Recommended value: Yes

Disable Client UI
  Set to Yes to hide the Microsoft Intune Endpoint Protection client user interface from users (requires a client computer restart to take effect).
  Recommended value: No

Install Endpoint Protection even if a third party endpoint protection application is installed
  Set to Yes to force the installation of Microsoft Intune Endpoint Protection, even if a third-party endpoint protection application is detected.
  Recommended value: No

Create a system restore point before malware remediation
  Set to Yes to create a Windows System Restore Point before any malware remediation begins.
  Recommended value: Yes

Track resolved malware (days)
  Lets Endpoint Protection track resolved malware for a specified time so that you can manually check previously infected computers.
  You can specify a value from 0 to 30 days.
  Recommended value: 7 days

If you have set the policy values for Install Endpoint Protection and Enable Endpoint Protection to Yes, and the policy value for Install Endpoint Protection even if a third party endpoint protection application is installed to No, Microsoft Intune Endpoint Protection will detect that another endpoint protection application is installed and will not be installed, or will be uninstalled if it is already present (however, Microsoft Intune Endpoint Protection does report on the health of the other endpoint protection application in the Microsoft Intune administrator console).

Real-time protection settings

Enable real-time protection
  Enables monitoring and scanning of all files and applications that are accessed. It also blocks any malicious files and applications before they can run on computers.
  Recommended value: Yes

Scan all downloads
  Enables the scanning of all files and attachments that are downloaded from the Internet to computers.
  Recommended value: Yes

Monitor file and program activity on computers
  Enables the monitoring of incoming files and outgoing files, and program activity on computers. With this setting, Endpoint Protection can monitor when files and programs start to run and alert you about any actions they perform or actions that are taken on them.
  Recommended value: Yes

Files monitored
  If Monitor file and program activity on computers is enabled, this setting allows you to choose if only incoming, only outgoing, or all files are monitored.
  Recommended value: Monitor all files

Enable behavior monitoring
  Allows Microsoft Intune Endpoint Protection to check for certain patterns of suspicious activity on client computers.
  Recommended value: Yes

Enable Network Inspection System
  Enables Network Inspection System (NIS) on client computers. NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center to help detect and block malicious network traffic.
  Recommended value: Yes

Scan schedule settings

Schedule a daily quick scan
  Schedules a daily quick scan of both frequently used files and important system files on computers. This quick scan has a minimal effect on performance.
  Recommended value: Yes

Run a quick scan if you have missed two consecutive scans
  Configures Endpoint Protection to automatically run a quick scan on computers if they miss two consecutive scheduled quick scans.
  Recommended value: Yes

Schedule a full scan
  Configures a full scan of all files and resources on the local hard disks of computers. This scan can take some time and can affect computer performance (depending on the number of files and resources scanned).
  Recommended value: No

Run a full scan if you have missed two consecutive full scans
  Configures Endpoint Protection to automatically run a full scan on computers if they miss two consecutive scheduled full scans.
  Recommended value: Not configured

Scan options settings

Run a full scan after installation of Endpoint Protection
  Configures Endpoint Protection to automatically run a full system scan after it is installed on computers. This scan runs only when computers are idle to minimize the effect on user productivity.
  Recommended value: Yes

Automatically run a full scan when needed to follow up malware removal
  Set to Yes to let Endpoint Protection automatically run a full system scan on computers after the removal of malware to help confirm that other files were not affected.
  Recommended value: Yes

Start a scheduled scan only when the computer is idle
  Set to Yes to prevent scheduled scans from starting when computers are in use, to prevent any loss of user productivity.
  Recommended value: Yes

Check for the latest malware definitions before starting a scan
  Set to Yes to let Endpoint Protection automatically check for the latest malware definitions before it starts a scan on computers.
  Recommended value: Yes

Scan archive files
  Set to Yes to configure Endpoint Protection to scan for malware in archive files (like .zip or .cab files) on computers.
  Recommended value: No

Scan email messages
  Set to Yes to configure Endpoint Protection to scan incoming email messages when they arrive on computers.
  Recommended value: Yes

Scan files opened from network shared folders
  Set to Yes to configure Endpoint Protection to scan files that are opened from shared folders on the network. These are typically files that are accessed by using a UNC path. Enabling this feature can cause problems for users who have read-only access because they cannot remove malware.
  Recommended value: No

Scan mapped network drives
  Set to Yes to configure Endpoint Protection to scan files on mapped network drives. Enabling this feature can cause problems for users who have read-only access because they cannot remove malware.
  Recommended value: No

Scan removable drives
  Set to Yes to configure Endpoint Protection to scan for malware and unwanted software in the contents of removable drives, like USB flash drives, when you run a full scan on computers.
  Recommended value: Yes

Limit CPU usage during a scan
  Configures the maximum percentage of CPU usage that can be used during scheduled scans on computers. You can set this value from 1 to 100 percent.
  Recommended value: 50%

Default actions settings

Choose how Endpoint Protection acts on malware of the following alert levels
  Specifies the default action that Endpoint Protection takes when malware of various alert levels is detected.
  For each alert level, you can remove the malware, quarantine it, or take Microsoft’s recommended action.
  Recommended value: Recommended action

Excluded files and folders settings

Files and folders to exclude when running a scan or using real-time protection
  Excludes specific files or folders when a scan is run or when real-time protection is used on computers.

Excluded processes settings

Processes to exclude when running a scan or using real-time protection
  Lets you exclude specific processes when a scan is run or from real-time protection. You can exclude only files with the following extensions: .exe, .com or .scr.

Excluded file types settings

File extensions to exclude when running a scan or using real-time protection
  Lets you exclude specific file name extensions when a scan is run or when real-time protection is used on computers.

Microsoft Active Protection Service Settings

Microsoft Active Protection Service is an online community that helps you decide how to respond to potential threats. The community also helps stop the spread of new malware infections.

Join Microsoft Active Protection Service
  Yes automatically sends information about detected malware to the Microsoft Active Protection Service. Microsoft does not use any information collected to identify you or to contact you.
  Recommended value: Yes

Membership level
  If you selected to join the Microsoft Active Protection Service, this setting lets you choose from one of the following membership levels:
    - Basic: Sends basic information to Microsoft about detected malware. This includes where the software came from, the actions that you apply or that Endpoint Protection applies automatically, and whether the actions were successful.
    - Advanced: Sends more information to Microsoft about malware, spyware, and potentially unwanted software. This includes the location of the software, file names, how the software operates, and how it has affected your computer.
  Recommended value: Advanced

Receive dynamic definitions based on Microsoft Active Protection Service reports
  Yes lets computers receive dynamic malware definitions based on information that Endpoint Protection sends to the Microsoft Active Protection Service (if you have joined it) about detected malware.
  Recommended value: Yes
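The following PowerShell function is an added example, not Microsoft's or Intune's own code, and it does not talk to the Intune service. It models the installation outcomes from the "Before you start" table and the constraints stated in the settings tables (0 to 30 days for Track resolved malware, 1 to 100 percent for Limit CPU usage, .exe/.com/.scr only for excluded processes) so that a planned policy can be sanity-checked before it is deployed. The function name, the hashtable key names and the sample policy values are constructed for this example.

```powershell
# Added example (not Microsoft's code): pre-deployment sanity check of a planned
# Intune Endpoint Protection policy against the rules stated in this topic.
# The hashtable keys and sample values below are constructed for illustration.
function Test-EndpointProtectionPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        # Whether the target computers already run a third-party product (supplied by the admin)
        [bool] $ThirdPartyAvInstalled = $false
    )
    $findings = @()

    # 1. Installation outcome, following the "Before you start" table
    $install = [bool]$Policy['InstallEndpointProtection']
    $enable  = [bool]$Policy['EnableEndpointProtection']
    $force   = [bool]$Policy['InstallEvenIfThirdPartyInstalled']
    if (-not $install) {
        $outcome = 'Not installed (uninstalled if previously installed)'
        if (-not $ThirdPartyAvInstalled) {
            $findings += 'CRITICAL: Install Endpoint Protection = No with no third-party product leaves computers unprotected.'
        }
    } elseif ($ThirdPartyAvInstalled -and -not $force) {
        $outcome = 'Not installed: third-party product detected; Intune reports on its health only'
    } else {
        if ($enable) {
            $outcome = 'Installed and active'
        } else {
            $outcome = 'Installed but inactive (client UI hidden, all protection features off)'
            $findings += 'CRITICAL: Enable Endpoint Protection = No keeps all protection features inactive.'
        }
        if ($ThirdPartyAvInstalled -and $force) {
            $findings += 'WARNING: two endpoint protection products will run simultaneously (not recommended; performance impact).'
        }
    }

    # 2. Numeric ranges stated in the settings tables
    $days = [int]$Policy['TrackResolvedMalwareDays']
    if ($days -lt 0 -or $days -gt 30) { $findings += "ERROR: Track resolved malware must be 0-30 days (got $days)." }
    $cpu = [int]$Policy['LimitCpuUsagePercent']
    if ($cpu -lt 1 -or $cpu -gt 100) { $findings += "ERROR: Limit CPU usage must be 1-100 percent (got $cpu)." }

    # 3. Process exclusions may only name .exe, .com or .scr files
    foreach ($proc in @($Policy['ExcludedProcesses'])) {
        $ext = [IO.Path]::GetExtension($proc)
        if ($ext -notin @('.exe', '.com', '.scr')) {
            $findings += "ERROR: excluded process '$proc' is not an .exe, .com or .scr file."
        }
    }

    # 4. Real-time settings the tables recommend as Yes; switching them off is worth a review note
    foreach ($name in 'EnableRealTimeProtection', 'ScanAllDownloads', 'EnableBehaviorMonitoring', 'EnableNetworkInspectionSystem') {
        if (-not [bool]$Policy[$name]) { $findings += "WARNING: $name is No; the recommended value is Yes." }
    }

    [pscustomobject]@{ ExpectedState = $outcome; Findings = $findings }
}

# Constructed sample policy: defaults from the tables, plus two deliberate mistakes
$policy = @{
    InstallEndpointProtection        = $true
    EnableEndpointProtection         = $true
    InstallEvenIfThirdPartyInstalled = $false
    TrackResolvedMalwareDays         = 7
    LimitCpuUsagePercent             = 50
    ExcludedProcesses                = @('C:\Backup\backup.exe', 'C:\Tools\helper.dll')   # .dll is not allowed
    EnableRealTimeProtection         = $true
    ScanAllDownloads                 = $true
    EnableBehaviorMonitoring         = $false                                            # recommended Yes
    EnableNetworkInspectionSystem    = $true
}
Test-EndpointProtectionPolicy -Policy $policy -ThirdPartyAvInstalled $true | Format-List
```

With the sample above and a third-party product present, the expected state is "Not installed: third-party product detected", and the findings list the disallowed .dll exclusion and the disabled behavior monitoring; change ThirdPartyAvInstalled to $false to see the "Installed and active" path.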

Management tasks for Endpoint Protection

Use the following steps to carry out common management tasks on managed computers that run Endpoint Protection.

Update malware definitions
  From the Microsoft Intune console: From the Groups workspace, select the computers you want to update. Click Remote Tasks > Update Malware Definitions.
  From the managed computer: Start the Endpoint Protection client software from the Windows notification area. Click the Update tab, and then click Update.

Run a malware scan
  From the Microsoft Intune console: From the Groups workspace, select the computers you want to scan. Click Run a Full Malware Scan or Run a Quick Malware Scan.
  From the managed computer: Start the Endpoint Protection client software from the Windows notification area. Select Quick, Full, or Custom, and then click Scan now.

You can view the status of a remote task by clicking the Remote Tasks link in the bottom right corner of the Microsoft Intune administrator console.

The Remote Task Status dialog box lists current remote tasks, task status, device name, any reported errors, and provides a link to troubleshooting information, if appropriate.
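Besides the remote tasks and the client UI described above, the effective state on a managed computer can be read locally. The script below is an added example, not Microsoft's or Intune's code; it assumes that on Windows 10 the Intune-managed Endpoint Protection client is Windows Defender, so the Defender PowerShell module (Get-MpComputerStatus and Get-MpPreference) is present, and it compares what the computer reports with the recommended values from the settings tables. The function name and the one-day freshness thresholds are this example's own assumptions.

```powershell
# Added example (not Microsoft's code): compare a Windows 10 computer's local
# Endpoint Protection state with the recommended values in this topic.
# Assumption: the Windows 10 client is Windows Defender, so Get-MpComputerStatus
# and Get-MpPreference are available. Run from an elevated PowerShell session.
function Get-EndpointProtectionPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Each row: check name, observed value, expected value (a literal, or a script block for thresholds)
    $rows = @(
        @('Endpoint Protection service enabled',      $status.AMServiceEnabled,                    $true),
        @('Real-time protection',                     $status.RealTimeProtectionEnabled,           $true),
        @('Scan all downloads',                       $status.IoavProtectionEnabled,               $true),
        @('Behavior monitoring',                      $status.BehaviorMonitorEnabled,              $true),
        @('Network Inspection System',                $status.NISEnabled,                          $true),
        @('Restore point before remediation',         (-not $pref.DisableRestorePoint),            $true),
        @('Check definitions before a scan',          $pref.CheckForSignaturesBeforeRunningScan,   $true),
        @('Scan archive files',                       (-not $pref.DisableArchiveScanning),         $false),
        @('Scan email messages',                      (-not $pref.DisableEmailScanning),           $true),
        @('Scan files from network shared folders',   (-not $pref.DisableScanningNetworkFiles),    $false),
        @('Scan removable drives',                    (-not $pref.DisableRemovableDriveScanning),  $true),
        @('Limit CPU usage during a scan (%)',        $pref.ScanAvgCPULoadFactor,                  50),
        @('MAPS membership (0 none, 1 Basic, 2 Advanced)', $pref.MAPSReporting,                    2),
        # Freshness checks; the one-day thresholds are this example's assumption (daily quick scan is the recommended schedule)
        @('Definition age in days (<= 1)',            $status.AntivirusSignatureAge,               { param($v) $v -le 1 }),
        @('Quick scan age in days (<= 1)',            $status.QuickScanAge,                        { param($v) $v -le 1 })
    )

    foreach ($row in $rows) {
        $name, $observed, $expected = $row
        if ($expected -is [scriptblock]) {
            $ok = & $expected $observed
            $expectedText = $expected.ToString().Trim()
        } else {
            $ok = ($observed -eq $expected)
            $expectedText = $expected
        }
        [pscustomobject]@{
            Check     = $name
            Observed  = $observed
            Expected  = $expectedText
            Compliant = [bool]$ok
        }
    }
}

Get-EndpointProtectionPosture | Format-Table -AutoSize
```

Rows whose Compliant column is False are the ones to reconcile with the deployed policy; a computer that shows the service disabled or real-time protection off should also appear under "Devices that are not protected" in the Protection workspace.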

How to monitor Endpoint Protection

You monitor the status of malware on your computers by using the Protection workspace of the Microsoft Intune administration console. This workspace contains two pages:

Endpoint Protection Overview
  Displays important issues as links that you can click for more information. Issues that might be displayed include:
    - Malware instances that need follow-up: Click the link to see a list of malware issues, including the follow-up action that needs to be taken to resolve the issue. You can further drill into this list to see which computers are affected.
    - Computers with malware that need follow-up: Click the link to see all computers with unresolved malware issues, including the follow-up action that needs to be taken to resolve the issue.
    - Devices that are not protected: Click the link to see computers that are not protected by any endpoint protection software, either because no software is installed, or because there is an error. Select a computer to view more details.
    - Devices with another endpoint protection application running: Click the link to see computers that are running a third-party endpoint protection application.

All Malware
  Displays a list of all active malware found on your computers. You can drill into this list to see all computers that are affected by a particular piece of malware, or you can select one of the following tasks:
    - View Properties: Opens a page with more information about the selected malware.
    - Learn About This Malware: Opens a topic from the Microsoft Malware Protection Center with more information about the malware.
Important: The Protection workspace is not displayed in the administrator console until you have installed the client on, and are successfully managing, at least one computer client.

How to view Recent Detection Paths for malware on computers

Intune can display the paths of up to 10 most recently detected instances of malware on a device. The Recent Detection Path is disabled by default. To enable this view:

How to enable Recent Detection Paths for malware
  1. In the Microsoft Intune administration console, go to Groups > All Devices > Malware.

  2. Right-click a column header. A list of available columns appears.

  3. Mark the Recent Detection Paths checkbox in the list. The Recent Detection Paths column appears and displays up to 10 most recent malware instances monitored on the device.
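The console column above shows up to 10 recent detection paths per device. The function below is an added example, not Microsoft's or Intune's code, that produces the same view locally on a Windows 10 computer from the Defender PowerShell module (Get-MpThreatDetection and Get-MpThreat, assumed present because the Windows 10 client is Windows Defender). Each detection's Resources entries are strings of the form "type:_path" (for example "file:_C:\..."), which the function strips to a plain path; the function name is this example's own.

```powershell
# Added example (not Microsoft's code): list the most recent malware detection
# paths recorded locally on a Windows 10 computer (Windows Defender assumed).
function Get-RecentDetectionPath {
    param([int] $Count = 10)   # the console column shows up to 10 entries

    # Resolve threat IDs to names once, so each row is readable without a second lookup
    $threatNames = @{}
    Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First $Count |
        ForEach-Object {
            $d = $_
            $threatName = $threatNames[$d.ThreatID]
            if (-not $threatName) { $threatName = "ThreatID $($d.ThreatID)" }
            if ($d.ActionSuccess) { $action = 'Succeeded' } else { $action = 'Failed' }
            # One detection can list several resources (files, registry keys); emit one row per resource
            foreach ($res in @($d.Resources)) {
                [pscustomobject]@{
                    Detected = $d.InitialDetectionTime
                    Threat   = $threatName
                    Path     = ($res -replace '^\w+:_', '')   # "file:_C:\x\y" -> "C:\x\y"
                    Process  = $d.ProcessName
                    User     = $d.DomainUser
                    Action   = $action
                }
            }
        }
}

Get-RecentDetectionPath | Format-Table -AutoSize
```

Rows with Action = Failed are the local counterpart of the console's "malware instances that need follow-up"; the Path and Process columns show where the detection occurred and which process touched it.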

Need more help?

For further help and support, see Troubleshoot Endpoint Protection in Microsoft Intune.

See Also

Manage Windows PCs with Microsoft Intune

© 2016 Microsoft