Help secure computers with Endpoint Protection for Microsoft Intune

 

Updated: August 1, 2015

Applies To: Microsoft Intune

Microsoft Intune can help you secure your managed computers in a number of ways, including Endpoint Protection, which provides real-time protection against malware threats, keeps malware definitions up to date, and automatically scans computers. Endpoint Protection also provides tools that help you manage and monitor malware attacks.

If you have not yet installed the Intune client on your computers, see Install the Microsoft Intune computer client.

Use the information in the following sections to help you configure, deploy and monitor Endpoint Protection.

As an IT admin, one of your top priorities is to keep the computers that you manage free of malware and viruses. Before you deploy Microsoft Intune to client computers in your organization, you should decide how to protect your computers by selecting one of the following options and configuring its associated policy settings:

The options, the Endpoint Protection policy settings that implement each one, and more information about each:

Use Microsoft Intune Endpoint Protection only if no third-party endpoint protection application is installed

You can use Microsoft Intune Endpoint Protection on all computers where a third-party endpoint protection application is not installed.

  • Install Endpoint Protection = Yes

  • Enable Endpoint Protection = Yes

  • Install Endpoint Protection even if a third-party endpoint protection application is installed = No

If a third-party endpoint protection application is detected, Microsoft Intune Endpoint Protection will not be installed, or will be uninstalled if it has already been installed.

Use Microsoft Intune Endpoint Protection, even if a third-party endpoint protection application is installed

With this approach, Microsoft Intune Endpoint Protection and the third-party endpoint protection application (if it is installed) run simultaneously. This is not a recommended configuration because of potential performance issues.

  • Install Endpoint Protection = Yes

  • Enable Endpoint Protection = Yes

  • Install Endpoint Protection even if a third-party endpoint protection application is installed = Yes

Use when:

  • You want to switch to using Microsoft Intune Endpoint Protection.

  • You deploy a new client that will use Microsoft Intune Endpoint Protection.

  • You upgrade any client that will use Microsoft Intune Endpoint Protection.

Use Microsoft Intune without Microsoft Intune Endpoint Protection

In this case, you won’t be using Microsoft Intune Endpoint Protection to protect your computers from malware and viruses. Instead, you will rely on a third-party endpoint protection application.

  • Install Endpoint Protection = No

If you are not using a third-party endpoint protection application, this configuration is not recommended, as it could expose your organization’s computers to malware or other attacks.

Microsoft Intune Endpoint Protection is not installed, and it is uninstalled if it was installed previously.

If you want to switch from your current endpoint protection application to Microsoft Intune Endpoint Protection, use the following steps which are explained in more detail later in this topic:

  1. Leave your current endpoint protection application running while you deploy the Intune client software to those computers.

  2. Confirm that Microsoft Intune Endpoint Protection is installed and is helping to secure client computers.

  3. Remove the third-party endpoint protection software by:

    • Using Intune software distribution to deploy a software removal tool that is provided by the manufacturer of the third-party endpoint protection application. For more information, see Deploy and manage apps with Microsoft Intune.

    • Removing the third-party endpoint protection application manually.

System_CAPS_noteNote

Intune will not uninstall third-party endpoint protection applications.
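Because Intune will not remove the third-party product for you, it helps to verify on the client what Windows Security Center actually has registered before step 3 and again after it. The following script is an added example and is not part of the Intune documentation or client. It assumes a Windows client SKU (the root\SecurityCenter2 namespace does not exist on Windows Server) and the community-documented reading of the productState field; the display name that the Intune client registers under (ExpectedName) is an assumption you should confirm on one machine first (on Windows 10 it is Windows Defender).

```powershell
# Added example, not part of the Intune documentation: list the antimalware
# products registered with Windows Security Center on a client, decode whether
# each has real-time protection on and current definitions, and summarise
# whether the third-party product can safely be removed.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)

    # productState reads as six hex digits "AA BB CC" (community-documented layout):
    #   BB (real-time protection): 0x10 or 0x11 = on, 0x00 or 0x01 = off
    #   CC (definitions):          0x00 = up to date, 0x10 = out of date
    # AA is a product-type flag and is not needed here.
    $hex = '{0:x6}' -f $ProductState
    [pscustomobject]@{
        ProductStateHex    = $hex
        RealTimeEnabled    = $hex.Substring(2, 2) -in @('10', '11')
        DefinitionsCurrent = $hex.Substring(4, 2) -eq '00'
    }
}

function Get-RegisteredAntivirus {
    # One object per product that has registered with Security Center.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $state = ConvertFrom-ProductState -ProductState $_.productState
            [pscustomobject]@{
                DisplayName        = $_.displayName
                ProductExe         = $_.pathToSignedProductExe
                RealTimeEnabled    = $state.RealTimeEnabled
                DefinitionsCurrent = $state.DefinitionsCurrent
                LastReported       = $_.timestamp
            }
        }
}

function Test-EndpointProtectionReady {
    # ExpectedName is an assumption: the display name the Intune client registers
    # under. Check it on one machine (Get-RegisteredAntivirus) before relying on it.
    param([string]$ExpectedName = 'Endpoint Protection')

    $products = @(Get-RegisteredAntivirus)
    $ours     = @($products | Where-Object { $_.DisplayName -like "*$ExpectedName*" })
    $others   = @($products | Where-Object { $_.DisplayName -notlike "*$ExpectedName*" })
    $healthy  = @($ours | Where-Object { $_.RealTimeEnabled -and $_.DefinitionsCurrent })

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        IntuneEPRegistered     = $ours.Count -gt 0
        IntuneEPProtecting     = $healthy.Count -gt 0
        ThirdPartyRemaining    = ($others | ForEach-Object { $_.DisplayName }) -join '; '
        # Step 2 is satisfied only when Intune EP is registered, on, and current.
        SafeToRemoveThirdParty = $healthy.Count -gt 0
        # After step 3 this should be $true; a stale registration means the
        # vendor's removal tool did not deregister the product.
        ThirdPartyGone         = $others.Count -eq 0
    }
}

# Constructed sample states (not read from a machine) to exercise the decoder:
# 0x061100 encodes real-time on / definitions current,
# 0x060110 encodes real-time off / definitions out of date.
ConvertFrom-ProductState -ProductState 0x061100
ConvertFrom-ProductState -ProductState 0x060110

# On a managed client:
Test-EndpointProtectionReady | Format-List
```

Run it once before deploying the removal tool (expect IntuneEPProtecting to be true and ThirdPartyRemaining to name the old product) and once afterwards (expect ThirdPartyGone to be true). A product that stays listed after its uninstall has usually left its Security Center registration behind, which is also what makes the console report "Devices with another endpoint protection application running".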

Use the following procedure to help you configure Endpoint Protection for Microsoft Intune. Intune can manage Endpoint Protection for Windows 10 Technical Preview. Certain policy settings are only available for Windows 10.
  1. In the Microsoft Intune administration console, click Policy > Add Policy.

  2. Configure and deploy a Microsoft Intune Agent Settings policy for the Endpoint Protection settings. You can use recommended settings or customize the settings. If you need more information about how to create and deploy policies, see the Common computer management tasks with the Microsoft Intune computer client topic.

    The tables after this procedure show the values you can configure in the policy and also the recommended values that will be used if you don’t customize the policy. You can find these settings in the Endpoint Protection section.

You can view the deployed Endpoint Protection policy on the All Policies page of the Policy workspace.

General Endpoint Protection settings:

Install Endpoint Protection

Set to Yes to install Endpoint Protection on managed computers. If a third-party endpoint protection application is detected during installation, Endpoint Protection will not be installed unless Install Endpoint Protection even if a third party endpoint protection application is installed is set to Yes.

System_CAPS_noteNote

Intune Endpoint Protection is installed on managed computers by default. If you don’t want Endpoint Protection installed on your managed computers, you must explicitly set this policy to No. If Endpoint Protection was previously installed and the policy is updated to No, then the Endpoint Protection client will be uninstalled.

Recommended value: Yes

Enable Endpoint Protection

Set to Yes to enable Microsoft Intune Endpoint Protection on computers which have the Endpoint Protection client.

If set to No, and Microsoft Intune Endpoint Protection is installed, the Endpoint Protection client user interface is not displayed to users and all protection features are inactive.

Recommended value: Yes

Disable Client UI

Set to Yes to hide the Microsoft Intune Endpoint Protection client user interface from users (requires a client computer restart to take effect).

Recommended value: No

Install Endpoint Protection even if a third party endpoint protection application is installed

Set to Yes to force the installation of Microsoft Intune Endpoint Protection even if a third-party endpoint protection application is detected. Running two endpoint protection applications side by side is not recommended because of potential performance issues; use Yes only while migrating to Microsoft Intune Endpoint Protection.

Recommended value: No

Create a system restore point before malware remediation

Set to Yes to create a Windows System Restore Point before any malware remediation begins.

Recommended value: Yes

Track resolved malware (days)

Lets Endpoint Protection track resolved malware for a specified time so that you can manually check previously infected computers.

You can specify a value from 0 to 30 days.

Recommended value: 7 days 

If you set Install Endpoint Protection and Enable Endpoint Protection to Yes, and Install Endpoint Protection even if a third party endpoint protection application is installed to No, Microsoft Intune Endpoint Protection detects that another endpoint protection application is installed and is not installed (or is uninstalled if it is already present). Intune still reports on the health of the other endpoint protection application in the Microsoft Intune administrator console.

Real-time protection settings:

Enable real-time protection

Enables monitoring and scanning of all files and applications that are accessed. It also blocks any malicious files and applications before they can run on computers.

Recommended value: Yes

Scan all downloads

Enables the scanning of all files and attachments that are downloaded from the Internet to computers.

Recommended value: Yes

Monitor file and program activity on computers

Enables the monitoring of incoming files and outgoing files, and program activity on computers. With this setting, Endpoint Protection can monitor when files and programs start to run and alert you about any actions they perform or actions that are taken on them.

Recommended value: Yes

Files monitored

If Monitor file and program activity on computers is enabled, this setting allows you to choose if only incoming, only outgoing, or all files are monitored.

Recommended value: Monitor all files

Enable behavior monitoring

Allows Microsoft Intune Endpoint Protection to check for certain patterns of suspicious activity on client computers.

Recommended value: Yes

Enable Network Inspection System

Enables Network Inspection System (NIS) on client computers. NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center to help detect and block malicious network traffic.

Recommended value: Yes

Scan schedule settings:

Schedule a daily quick scan

Schedules a daily quick scan of both frequently used files and important system files on computers. This quick scan has a minimal effect on performance.

Recommended value: Yes

Run a quick scan if you have missed two consecutive scans

Configures Endpoint Protection to automatically run a quick scan on computers if they miss two consecutive, scheduled quick scans.

Recommended value: Yes

Schedule a full scan

Configures a full scan of all files and resources on the local hard disks of computers. This scan can take some time and can affect computer performance (depending on the number of files and resources scanned).

Recommended value: No

Run a full scan if you have missed two consecutive full scans

Configures Endpoint Protection to automatically run a full scan on computers if they miss two consecutive, scheduled full scans.

Recommended value: Not configured

Scan options:

Run a full scan after installation of Endpoint Protection

Configures Endpoint Protection to automatically run a full system scan after it is installed on computers. This scan runs only when computers are idle to minimize the effect on user productivity.

Recommended value: Yes

Automatically run a full scan when needed to follow up malware removal

Set to Yes to let Endpoint Protection automatically run a full system scan on computers after the removal of malware to help confirm that other files were not affected.

Recommended value: Yes

Start a scheduled scan only when the computer is idle

Set to Yes to prevent scheduled scans from starting when computers are in use to prevent any loss of user productivity.

Recommended value: Yes

Check for the latest malware definitions before starting a scan

Set to Yes to let Endpoint Protection automatically check for the latest malware definitions before it starts a scan on computers.

Recommended value: Yes

Scan archive files

Set to Yes to configure Endpoint Protection to scan for malware in archive files (like .zip or .cab files) on computers.

Recommended value: No

Scan email messages

Set to Yes to configure Endpoint Protection to scan incoming email messages when they arrive on computers.

Recommended value: Yes

Scan files opened from network shared folders

Set to Yes to configure Endpoint Protection to scan files that are opened from shared folders on the network. These are typically files that are accessed by using a UNC path. Enabling this feature can cause problems for users who have read-only access because they cannot remove malware.

Recommended value: No

Scan mapped network drives

Set to Yes to configure Endpoint Protection to scan files on mapped network drives. Enabling this feature can cause problems for users who have read-only access because they cannot remove malware.

Recommended value: No

Scan removable drives

Set to Yes to configure Endpoint Protection to scan for malware and unwanted software in the contents of removable drives, like USB flash drives, when you run a full scan on computers.

Recommended value: Yes

Limit CPU usage during a scan

Configures the maximum percentage of CPU usage that can be used during scheduled scans on computers. You can set this value from 1 to 100 percent.

Recommended value: 50%

Default actions:

Choose how Endpoint Protection acts on malware of the following alert levels

Specifies the default action that Endpoint Protection takes when malware of various alert levels is detected.

For each alert level, you can remove the malware, quarantine it, or take Microsoft’s recommended action.

Recommended value: Recommended action

Excluded files and folders:

Files and folders to exclude when running a scan or using real-time protection

Excludes specific files or folders when a scan is run or when real-time protection is used on computers.

Excluded processes:

Processes to exclude when running a scan or using real-time protection

Lets you exclude specific processes when a scan is run or from real-time protection. You can exclude only files with the following extensions: .exe, .com or .scr.

Excluded file extensions:

File extensions to exclude when running a scan or using real-time protection

Lets you exclude specific file name extensions when a scan is run or when real-time protection is used on computers.
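Every exclusion in these three settings is a gap in both scheduled scans and real-time protection, so it is worth auditing what is actually in effect on clients rather than trusting the policy as written. The following script is an added example and is not part of the Intune documentation or client. It assumes the Windows Defender PowerShell module (Get-MpPreference), which is the engine Intune manages on Windows 10; the Intune Endpoint Protection client on Windows 7 and 8.1 does not expose these cmdlets. The risk heuristics (which locations, process names and extensions count as risky) are the author's, not Intune's.

```powershell
# Added example, not part of the Intune documentation. Lists the exclusions in
# effect on a Windows 10 client and flags the ones broad enough to undo
# real-time protection. Heuristics are the author's; adjust them to your estate.

function Test-RiskyExclusions {
    param(
        [string[]]$Paths      = @(),
        [string[]]$Processes  = @(),
        [string[]]$Extensions = @()
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Kind, $Value, $Reason) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Value = $Value; Reason = $Reason })
    }

    # Locations any user or installer can write to: a file dropped there runs unscanned.
    $writable = '(?i)\\(Temp|Downloads|AppData|Users\\Public|ProgramData)(\\|$)'

    foreach ($p in $Paths) {
        if     ($p -match '^[A-Za-z]:\\?$')          { Add-Finding 'Path' $p 'entire drive excluded' }
        elseif ($p -match '^\\\\[^\\]+\\[^\\]+\\?$')  { Add-Finding 'Path' $p 'entire network share excluded' }
        elseif ($p -match '[\*\?]')                  { Add-Finding 'Path' $p 'wildcard exclusion' }
        elseif ($p -match $writable)                 { Add-Finding 'Path' $p 'user-writable location' }
    }

    # The policy accepts only .exe, .com and .scr process names. In Windows Defender a
    # process exclusion means files opened by that process are not scanned, so excluding
    # a script host or other general-purpose binary blinds the scanner to whatever it loads.
    $hosts = '(?i)(^|\\)(powershell|powershell_ise|cmd|wscript|cscript|mshta|rundll32|regsvr32|msiexec|explorer)\.exe$'
    foreach ($proc in $Processes) {
        if     ($proc -notmatch '(?i)\.(exe|com|scr)$') { Add-Finding 'Process' $proc 'not an .exe/.com/.scr name; not a valid exclusion' }
        elseif ($proc -match $hosts)                    { Add-Finding 'Process' $proc 'general-purpose host; files it opens go unscanned' }
    }

    # Extensions that carry executable or macro content.
    $executable = 'exe','dll','com','scr','sys','ps1','psm1','vbs','vbe','js','jse','wsf','hta','bat','cmd','msi','docm','xlsm','pptm'
    foreach ($ext in $Extensions) {
        $e = $ext.TrimStart('.').ToLowerInvariant()
        if ($e -in $executable) { Add-Finding 'Extension' $ext 'executable content type excluded' }
    }
    return $findings
}

function Get-DefenderExclusionFindings {
    # Reads the exclusions actually in effect (policy plus anything set locally).
    $pref = Get-MpPreference
    Test-RiskyExclusions -Paths      @($pref.ExclusionPath      | Where-Object { $_ }) `
                         -Processes  @($pref.ExclusionProcess   | Where-Object { $_ }) `
                         -Extensions @($pref.ExclusionExtension | Where-Object { $_ })
}

# Constructed sample exclusions (not from any real policy) to exercise the checks:
Test-RiskyExclusions `
    -Paths      'C:\', 'D:\Builds\obj', 'C:\Users\Public\Downloads', '\\fileserver\share' `
    -Processes  'sqlservr.exe', 'powershell.exe', 'agent' `
    -Extensions 'ldf', 'dll', '.ps1' |
    Format-Table -AutoSize

# On a managed Windows 10 client:
Get-DefenderExclusionFindings | Format-Table -AutoSize
```

In the constructed sample, the database exclusions (D:\Builds\obj, sqlservr.exe, ldf) pass, while the drive root, the public Downloads folder, the share root, powershell.exe, the extension-less process name, and the dll and ps1 extensions are each flagged with a reason. The same output on a real client tells you which exclusions to take back to the policy owner.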

Microsoft Active Protection Service is an online community that helps you decide how to respond to potential threats. The community also helps stop the spread of new malware infections.

Microsoft Active Protection Service settings:

Join Microsoft Active Protection Service

Set to Yes to automatically send information about detected malware to the Microsoft Active Protection Service. Microsoft does not use any information collected to identify you or to contact you.

Recommended value: Yes

Membership level

If you selected to join the Microsoft Active Protection Service, this setting lets you choose from one of the following membership levels:

  • Basic - Sends basic information to Microsoft about detected malware. This includes where the software came from, the actions that you apply or that Endpoint Protection applies automatically, and whether the actions were successful.

  • Advanced - Sends more information to Microsoft about malware, spyware, and potentially unwanted software. This includes the location of the software, file names, how the software operates, and how it has affected your computer.

Recommended value: Advanced

Receive dynamic definitions based on Microsoft Active Protection Service reports

Set to Yes to let computers receive dynamic malware definitions based on the information that Endpoint Protection sends to the Microsoft Active Protection Service (if you have joined it) about detected malware.

Recommended value: Yes

The following management tasks can be carried out on managed computers that run Endpoint Protection, either from the Microsoft Intune console or from the managed computer itself.

Update malware definitions

  • From the Microsoft Intune console: In the Groups workspace, select the computers you want to update, and then click Remote Tasks > Update Malware Definitions.

  • From the managed computer: Start the Endpoint Protection client software from the Windows notification area, click the Update tab, and then click Update.

Run a malware scan

  • From the Microsoft Intune console: In the Groups workspace, select the computers you want to scan, and then click Run a Full Malware Scan or Run a Quick Malware Scan.

  • From the managed computer: Start the Endpoint Protection client software from the Windows notification area, select Quick, Full, or Custom, and then click Scan now.

You can view the status of a remote task by clicking the Remote Tasks link in the bottom right corner of the Microsoft Intune administrator console.

The Remote Task Status dialog box lists current remote tasks, task status, device name, any reported errors, and provides a link to troubleshooting information, if appropriate.

You monitor the status of malware on your computers by using the Protection workspace of the Microsoft Intune administration console. This workspace contains two pages:

Page name

More information

Endpoint Protection Overview

Displays important issues as links that you can click for more information. Issues that might be displayed include:

  • Malware instances that need follow-up – Click the link to see a list of malware issues including the follow up action that needs to be taken to resolve the issue. You can further drill into this list to see which computers are affected.

  • Computers with malware that need follow-up – Click the link to see all computers with unresolved malware issues including the follow up action that needs to be taken to resolve the issue.

  • Devices that are not protected – Click the link to see computers that are not protected by any endpoint protection software, either because no software is installed, or because there is an error. Select a computer to view more details.

  • Devices with another endpoint protection application running – Click the link to see computers that are running a third-party endpoint protection application.

All Malware

Displays a list of all active malware found on your computers. You can drill into this list to see all computers that are affected by a particular piece of malware, or you can select one of the following tasks:

  • View Properties – Opens a page with more information about the selected malware.

  • Learn About This Malware – Opens a topic from the Microsoft Malware Protection Center with more information about the malware.

System_CAPS_importantImportant

The Protection workspace is not displayed in the administrator console until you have installed the client on, and are successfully managing at least one computer client.

Intune can display the paths of up to the 10 most recently detected instances of malware on a device. The Recent Detection Paths column is hidden by default. To enable this view:

How to enable Recent Detection Paths for malware

  1. In the Microsoft Intune administration console, go to Groups > All Devices > Malware.

  2. Right-click a column header. A list of available columns appears.

  3. Select the Recent Detection Paths check box in the list. The Recent Detection Paths column appears and displays the paths of up to the 10 most recent malware instances detected on the device.
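When you are working an incident on a single machine, the same information the console shows (recent detections, the paths involved, and whether remediation succeeded) can be pulled locally. The following script is an added example and is not part of the Intune documentation or client. It assumes the Windows Defender PowerShell module (Get-MpThreat, Get-MpThreatDetection) on a Windows 10 client; the 7-day window and the 10-item limit simply mirror the recommended Track resolved malware value and the console's Recent Detection Paths limit.

```powershell
# Added example, not part of the Intune documentation. Lists the most recent
# malware detections on this Windows 10 client, with the file paths involved,
# the process and user that triggered them, and whether the action succeeded.

function Get-RecentDetectionPaths {
    param(
        [int]$Days = 7,    # same window as the recommended Track resolved malware value
        [int]$Top  = 10    # the console shows up to 10 recent paths
    )
    $since = (Get-Date).AddDays(-$Days)

    # Map threat IDs to names so each row is readable without a second lookup.
    $names = @{}
    foreach ($t in @(Get-MpThreat)) { $names[[string]$t.ThreatID] = $t.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $d = $_
            foreach ($r in @($d.Resources)) {
                # Resources are typed strings such as "file:_C:\Users\x\Downloads\a.exe";
                # keep the part after ":_" as the path.
                $path = if ($r -match '^[^:]+:_(.+)$') { $Matches[1] } else { $r }
                [pscustomobject]@{
                    Detected   = $d.InitialDetectionTime
                    Threat     = $names[[string]$d.ThreatID]
                    Path       = $path
                    Process    = $d.ProcessName
                    User       = $d.DomainUser
                    Remediated = $d.ActionSuccess
                }
            }
        }
}

Get-RecentDetectionPaths | Format-Table -AutoSize
```

A detection whose Remediated value is false, or whose path sits under a location that is also excluded from scanning, is the one to follow up first; the console's "Malware instances that need follow-up" link is the fleet-wide view of the same condition.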
