Five Security Tips for Windows Intune
Published: April 18, 2011
Author: Richard Harrison, Technical Product Manager, Windows Intune, Microsoft Corporation
As many of you know, Windows Intune launched on March 23, 2011 in 35 countries. In this article I would like to explain how you can use the security features in Windows Intune to implement a few best practices that help you better protect your PCs. The five tips that I'd like to walk you through today are:
1. Enable Windows Intune Endpoint Protection
2. Set up security standards
3. Automate security update approval
4. Link alerts to administrator emails
5. Upgrade to Windows 7 Enterprise Edition
Enable Windows Intune Endpoint Protection
The Windows Intune Endpoint Protection client agent is based on the same enterprise-class protection engine as System Center Endpoint Protection (SCEP) 2012. When you install the Windows Intune client on a computer, a check is made to decide whether to enable Windows Intune Endpoint Protection. By default, if no other endpoint protection application is detected, Windows Intune Endpoint Protection is enabled. If an existing non-Microsoft endpoint protection application is detected, Windows Intune Endpoint Protection is left disabled. In that case Windows Intune Endpoint Protection still reports the health of the other endpoint protection application in the Windows Intune administrator console, but it does not report specific malware instances or details.
To explicitly enable Windows Intune Endpoint Protection on client computers that are running non-Microsoft endpoint protection applications, create a Windows Intune Agent Settings policy, set the policy value for Enable Endpoint Protection to Yes, and deploy the policy to the appropriate device groups.
This policy setting is in the Windows Intune Agent Setting policy template shown in Figure 1:
Figure 1: Default Enable Endpoint Protection Setting
Change this default setting to Yes to ensure that Windows Intune Endpoint Protection is installed on all of your managed clients. After you confirm that Windows Intune Endpoint Protection is protecting the client computers, we recommend that you either remove the other endpoint protection product or, at least, disable its real-time protection feature. This minimizes the conflicts and performance degradation associated with running two real-time scanners on the same PC at the same time. Do not disable the other product's real-time protection until you have verified, per PC, that Windows Intune Endpoint Protection is actually active there; otherwise you leave a window with no real-time protection at all.
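One way to do that per-PC verification, as an added example that is not from the original article or the Windows Intune product itself: the script below reads the antimalware products registered with the Windows Security Center on a Vista or Windows 7 PC and decodes whether each one has real-time protection on, so you can see which PCs still run two scanners before you turn the third-party one off. It assumes the root\SecurityCenter2 WMI namespace (Vista and later; Windows XP uses root\SecurityCenter with a different schema) and the commonly used decoding of the productState value (second hex byte 0x10 = real-time on, third hex byte 0x10 = definitions out of date), which is an undocumented convention rather than a published contract.

```powershell
# Added example (not from the original article): inventory the antimalware
# products registered on a Windows Vista/7 PC and decode whether each has
# real-time protection on. Run it before and after deploying the Agent
# Settings policy to confirm Windows Intune Endpoint Protection is active
# and to find PCs that still have a second real-time scanner.
# Assumptions: root\SecurityCenter2 exists (Vista and later), and the
# widely used productState decoding: hex byte 2 = 0x10 means real-time on,
# hex byte 3 = 0x10 means definitions are out of date.

function Get-AntimalwareStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' `
        -Class AntiVirusProduct -ComputerName $ComputerName -ErrorAction Stop

    foreach ($p in $products) {
        # productState is a 24-bit value; render it as six hex digits,
        # e.g. 266240 -> '041000' (real-time on, definitions current)
        $hex = '{0:X6}' -f [int]$p.productState
        New-Object PSObject -Property @{
            Computer         = $ComputerName
            Product          = $p.displayName
            RealTimeEnabled  = ($hex.Substring(2, 2) -eq '10')
            DefinitionsStale = ($hex.Substring(4, 2) -eq '10')
            RawState         = $hex
        }
    }
}

function Test-SingleRealTimeScanner {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # @() keeps .Count meaningful on PowerShell 2.0 when only one product is found
    $active = @(Get-AntimalwareStatus -ComputerName $ComputerName |
        Where-Object { $_.RealTimeEnabled })

    switch ($active.Count) {
        0 { Write-Warning "$ComputerName has no real-time antimalware protection" }
        1 { Write-Host "$ComputerName is protected by: $($active[0].Product)" }
        default {
            Write-Warning ("$ComputerName has {0} real-time scanners active: {1}" -f `
                $active.Count, (($active | ForEach-Object { $_.Product }) -join ', '))
        }
    }
    return ($active.Count -eq 1)
}

# Usage: audit every PC listed in a text file (one host name per line)
# Get-Content .\intune-pcs.txt | ForEach-Object { Test-SingleRealTimeScanner $_ }
```

Remote queries go over DCOM, so the account running the script needs local administrator rights on the target and the firewall must allow WMI; the PCs you cannot reach are exactly the ones worth a second look.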
Set Up Security Standards
Windows Intune policies focus on giving you fast and straightforward settings that control updates, endpoint protection, firewall settings, and the end-user experience. They work no matter which domain your computers are joined to, and even if they are not domain-joined at all.
The following steps will take you through the process of setting up a default Windows Intune security policy.
The Agent Settings policy controls the endpoint protection and software update settings for the agents on the managed computers. Scroll down through the settings and review the ones you can configure, such as the scheduled malware scan time, SpyNet membership, and update detection frequency. If you click the information icon next to each setting, you can read details of the setting along with a recommended value, where appropriate, as shown in Figure 2.
Figure 2: Default Scan Schedule Policy Setting.
You can now repeat this process for the Windows Firewall Settings policy template. This policy lets you control a computer's local Windows Firewall rules and create exceptions that open specific firewall ports to enable or disable features such as File and Print services or remote administration. Every exception you enable is listening surface that is reachable from the network, so open only what a given group of PCs actually needs, and avoid opening File and Print or remote administration exceptions on the Public profile. Once you have the default policies in place, you can apply more specialized security policies to other groups in your organization if required. If you do, the policy assigned lowest in the group hierarchy takes precedence.
It is worth spending some time reviewing the settings in these policies to ensure that the security settings meet the exact needs of your organization. The settings are applied to the clients the next time they connect to the Internet and check in with the Windows Intune service.
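Because the policy only describes the intended state, it is worth reading back what the client actually ended up with. The following added example (not from the original article or from Windows Intune) uses the HNetCfg.FwPolicy2 COM interface that ships with Vista and Windows 7 to report the effective firewall state per profile and the enabled inbound exceptions that match the two feature groups named above. It assumes English rule display names ('File and Printer Sharing', 'Remote Administration'), which holds only on English-language installs, and the baseline it checks against (firewall on and inbound blocked by default on every profile, no such exceptions on Public) is one I chose for illustration.

```powershell
# Added example (not from the original article): read the effective local
# Windows Firewall state on a Vista/7 PC through the HNetCfg.FwPolicy2 COM
# interface, to confirm what a Windows Intune Windows Firewall Settings
# policy actually produced on the client.
# Assumption: rules are matched on English display-name prefixes, which
# only holds on English-language installs.

$ProfileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

function Get-FirewallProfileState {
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($type in 1, 2, 4) {
        New-Object PSObject -Property @{
            Profile = $ProfileNames[$type]
            Active  = (($fw.CurrentProfileTypes -band $type) -ne 0)
            Enabled = $fw.FirewallEnabled($type)
            # DefaultInboundAction: 0 = allow, 1 = block
            InboundBlockedByDefault = ($fw.DefaultInboundAction($type) -eq 1)
        }
    }
}

function Get-EnabledInboundException {
    param([string[]]$NamePrefix = @('File and Printer Sharing', 'Remote Administration'))
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($rule in $fw.Rules) {
        # Direction: 1 = inbound, 2 = outbound; only enabled inbound rules widen exposure
        if ($rule.Direction -ne 1 -or -not $rule.Enabled) { continue }
        foreach ($prefix in $NamePrefix) {
            if ($rule.Name -like "$prefix*") {
                $profiles = foreach ($k in 1, 2, 4) {
                    if ($rule.Profiles -band $k) { $ProfileNames[$k] }
                }
                New-Object PSObject -Property @{
                    Name       = $rule.Name
                    Protocol   = $rule.Protocol      # 6 = TCP, 17 = UDP, 256 = any
                    LocalPorts = $rule.LocalPorts
                    Profiles   = ($profiles -join ',')
                }
            }
        }
    }
}

function Test-FirewallBaseline {
    # Illustrative baseline: firewall on and blocking inbound by default on
    # every profile, and no File and Print / Remote Administration exception
    # enabled on the Public profile.
    $ok = $true
    foreach ($p in Get-FirewallProfileState) {
        if (-not $p.Enabled -or -not $p.InboundBlockedByDefault) {
            Write-Warning "Profile $($p.Profile): firewall off or inbound allowed by default"
            $ok = $false
        }
    }
    foreach ($r in Get-EnabledInboundException) {
        if ($r.Profiles -match 'Public') {
            Write-Warning "Exception '$($r.Name)' is enabled on the Public profile"
            $ok = $false
        }
    }
    return $ok
}

# Usage:
# Get-FirewallProfileState | Format-Table Profile, Active, Enabled, InboundBlockedByDefault
# if (-not (Test-FirewallBaseline)) { exit 1 }
```

Run it after the client has checked in and applied the policy; a non-zero exit code from a scheduled task is an easy way to surface PCs whose effective state drifted from the policy you deployed.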
Automate Security Update Approval
By default, Windows Intune waits until an administrator manually approves each Microsoft update before allowing the managed PC to download and install it. If you want your clients to receive critical or security updates as soon as possible, you can configure Windows Intune auto-approval rules so that these updates are approved and deployed as soon as the client next checks its update status. Auto-approval trades a testing window for speed, so pair it with monitoring of the update-related alerts so that failed installations surface quickly. The following steps take you through setting up an auto-approval rule for Critical and Security updates.
Figure 3: Select Update Classifications.
As the managed computers check in with the service when they connect to the Internet, they are instructed to install all critical and security updates as soon as the updates are available.
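The console shows approval status from the service side; the added example below (not from the original article or from Windows Intune) checks from the client side, listing the updates that are still not installed and belong to the Critical Updates or Security Updates classification, which is what an auto-approval rule for those classifications should be draining to zero. It uses the Windows Update Agent COM API (Microsoft.Update.Session), available on Windows XP SP2 and later, and assumes the classification names as exposed in the update's Categories collection and the MsrcSeverity property for the bulletin rating.

```powershell
# Added example (not from the original article): on a managed PC, list the
# Microsoft updates that are still not installed and belong to the
# Critical Updates or Security Updates classification, so you can confirm
# from the client side that an auto-approval rule is being honoured.
# Assumptions: the classification names 'Security Updates' and
# 'Critical Updates' as exposed in Update.Categories, and MsrcSeverity
# carrying the security bulletin rating.

function Get-PendingSecurityUpdate {
    param([string[]]$Classification = @('Security Updates', 'Critical Updates'))

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Searches whatever update source the client is configured to use;
    # this can take a minute or more against a large catalog.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($u in $result.Updates) {
        $cats  = @($u.Categories | ForEach-Object { $_.Name })
        $match = @($cats | Where-Object { $Classification -contains $_ })
        if ($match.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            Title          = $u.Title
            Classification = ($match -join ',')
            Severity       = $u.MsrcSeverity
            KB             = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
            Downloaded     = $u.IsDownloaded
        }
    }
}

function Test-SecurityUpdateCompliance {
    # Returns $true when no critical/security update is outstanding.
    $pending = @(Get-PendingSecurityUpdate)
    foreach ($p in $pending) {
        Write-Warning ("Pending {0} [{1}] {2} ({3})" -f `
            $p.Classification, $p.Severity, $p.Title, $p.KB)
    }
    return ($pending.Count -eq 0)
}

# Usage, e.g. from a scheduled task so stragglers show up as a non-zero exit code:
# if (-not (Test-SecurityUpdateCompliance)) { exit 1 }
```

An update that shows as Downloaded but not installed on many PCs usually points at a pending reboot or a failed install rather than a missing approval, which is the kind of distinction the per-client view gives you and the approval list alone does not.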
Link Alerts to Administrator Emails
Windows Intune tracks alerts from the managed computers, and you can monitor them in the Alerts workspace of the administrator console. To make sure you or your support team see these alerts as soon as possible, we recommend configuring Windows Intune to also email them. To do this, follow the steps below:
Figure 4: Add Recipients.
Figure 5: Select Recipients.
We recommend that you set up these notification rules at least for All Critical Alerts and for Remote Assistance Requests. That way your support team is made aware of any urgent security-related alert as soon as possible.
Upgrade to Windows 7 Enterprise Edition
The last, and definitely not least, recommendation is to make sure your Windows Intune managed PCs are upgraded to Windows 7 Enterprise edition. Although Windows Intune supports Windows XP and Windows Vista (Professional or Business editions and higher), we recommend using the upgrade rights to Windows 7 Enterprise that are included in a paid Windows Intune subscription. The security benefits of Windows 7 have been well documented, and with the inclusion of BitLocker and BitLocker To Go you can better protect your PCs and portable storage devices. BitLocker only helps with a lost or stolen device if you can still get at the data yourself, so decide where recovery keys are escrowed (for domain-joined PCs, Active Directory can store them) before you enable it broadly.
To learn more about Windows Intune or sign up for a 30-day trial, visit www.windowsintune.com. For technical guidance to help you get the most of your trial and deploy Windows Intune as your PC management solution, visit the Windows Intune Resource Zone on TechNet.
About the Author
Richard Harrison is the Windows Intune Technical Product Manager at Microsoft. He has over 25 years of IT experience and has specialized in the Windows platform for the past 15 years.
Richard has worked with a wide variety of products and technologies and has authored a number of books and guides including the Microsoft Antivirus Defense-in-Depth Guide and the Branch Office Infrastructure Solution (BOIS), and has co-authored several Windows Server and Client Security Guides for the Microsoft Solution Accelerator Team.