

Five Security Tips for Windows Intune

Published: April 18, 2011

Author: Richard Harrison, Technical Product Manager, Windows Intune, Microsoft Corporation

As many of you know, Windows Intune launched on March 23, 2011 in 35 countries. In this article, I would like to explain how you can use the security features in Windows Intune to implement a few best practices that can help you better protect your PCs. The five tips that I’d like to walk you through today are:

Enable Windows Intune Endpoint Protection

The Windows Intune Endpoint Protection client agent is based on the same enterprise-class protection engine as System Center Endpoint Protection (SCEP) 2012. When you install Windows Intune on a client computer, a check is done to determine whether to enable Windows Intune Endpoint Protection. By default, if no other endpoint protection application is detected, Windows Intune Endpoint Protection will be enabled. If, however, an existing non-Microsoft endpoint protection application is detected, Windows Intune Endpoint Protection will be disabled. When this happens, Windows Intune Endpoint Protection does report on the health of the other endpoint protection application in the Windows Intune administrator console, but it will not report on specific malware instances or details.

To explicitly enable Windows Intune Endpoint Protection on client computers that are running non-Microsoft endpoint protection applications, you have to create a Windows Intune Agent Settings policy, set the policy value for Enable Endpoint Protection to Yes, and deploy the policy to the appropriate device groups.

This policy setting is in the Windows Intune Agent Setting policy template shown in Figure 1:

Default Enable Endpoint Protection settings

Figure 1: Default Enable Endpoint Protection Setting

This default setting should be changed to “Yes” to ensure that Windows Intune Endpoint Protection is installed on all your managed clients. After you confirm that Windows Intune Endpoint Protection is helping to secure the client computers, we recommend that you either remove the other endpoint protection application or, at least, disable its real-time protection feature. This will minimize the potential conflicts and performance degradation associated with running two endpoint protection applications simultaneously.
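The following script is an added example and not part of the original article or the Windows Intune product. It lets you check, on a managed Windows 7 client, which antivirus products are registered with Windows Security Center and whether more than one of them still has real-time protection enabled, which is the conflict situation described above. It reads the root\SecurityCenter2 WMI namespace (present on Windows Vista and later; Windows XP uses root\SecurityCenter). The decoding of the productState value is the widely used community interpretation rather than a documented format, so treat it as an assumption.

```powershell
# Added example (not from the article): list antivirus products registered
# with Windows Security Center and warn when more than one has real-time
# protection enabled. Run in an elevated PowerShell session on the client.

function Get-RegisteredAntivirus {
    # root\SecurityCenter2 exists on Windows Vista and later.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop

    foreach ($p in $products) {
        # productState is a packed DWORD. Interpreting it as six hex digits,
        # the middle byte 0x10 means real-time protection is on and the low
        # byte 0x10 means signatures are out of date. This layout is the
        # common community reading, not an officially documented one (assumption).
        $hex      = '{0:X6}' -f [int]$p.productState
        $realTime = ($hex.Substring(2, 2) -eq '10')
        $outdated = ($hex.Substring(4, 2) -eq '10')

        New-Object PSObject -Property @{
            Name               = $p.displayName
            RealTimeProtection = $realTime
            DefinitionsCurrent = -not $outdated
            ProductState       = "0x$hex"
        }
    }
}

$av = @(Get-RegisteredAntivirus)
$av | Format-Table Name, RealTimeProtection, DefinitionsCurrent, ProductState -AutoSize

# The article's recommendation is to leave only one product with real-time
# protection on; flag clients that still have two or more (or none).
$active = @($av | Where-Object { $_.RealTimeProtection })
if ($active.Count -gt 1) {
    $names = ($active | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} products have real-time protection enabled: {1}. Remove or disable all but one." -f $active.Count, $names)
} elseif ($active.Count -eq 0) {
    Write-Warning 'No registered antivirus product reports real-time protection as enabled.'
}
```

Run it before and after removing the second product to confirm that only one product reports real-time protection; a client that still shows two is a candidate for the conflicts and performance problems the article warns about.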

Set Up Security Standards

Windows Intune policies are focused on providing you with fast and straightforward settings that control software updates, endpoint protection, firewall settings, and the end-user experience. These will work no matter which domain your computers are joined to, or even if they are not domain-joined.

The following steps will take you through the process of setting up a default Windows Intune Security policy.

  1. From the Windows Intune Administration Console, click the Policy workspace tab.
  2. Under the Tasks panel click Create a New Policy. At the Create New Policy Wizard, highlight the Policy Templates.
  3. Select the AgentSettings template and click Create New Policy.
  4. The Agent Settings will control the endpoint protection and software update settings for the agents on the managed computers. You can scroll down the settings and review the settings you can configure, such as the malware scheduled scan time, SpyNet membership, and update detection frequency. If you click the information icon next to each setting, you can read details of the setting along with a recommended setting, where appropriate, as shown in Figure 2.

    Scan schedule screenshot

    Figure 2: Default Scan Schedule Policy Setting.

  5. Once you have configured the settings you wish to apply in your default policy, click Save Policy.
  6. At the Deploy Policy window, click Yes and then select the All Computers group to deploy this policy to all computers you are managing.

You can now repeat this process for the Windows Firewall Settings policy template. This policy allows you to control a computer’s local Windows Firewall rules and create exceptions that open specific firewall ports, enabling or disabling features such as File and Print services or remote administration. Once you have the default policies in place, you can apply more specialized security policies to other groups in your organization, if required. If you do this, the policy that is lowest in the group hierarchy takes precedence.

It is worth spending some time reviewing the settings in these policies to ensure that you configure the security settings to meet the exact needs of your organization. These will then be inherited by the clients the next time they connect to the Internet and check in with the Windows Intune service.
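The following script is an added example, not part of the original article or of Windows Intune. It reads the local Windows Firewall configuration on a managed Windows 7 PC through the HNetCfg.FwPolicy2 COM interface so you can verify that the Windows Firewall Settings policy you deployed actually arrived: which profiles are enabled, and which inbound allow rules (the exceptions) are active. The short list of ports it flags (TCP 135, 139 and 445, UDP 137 and 138) is my own choice of ports behind the File and Printer Sharing and remote administration exceptions the article mentions.

```powershell
# Added example (not from the article): audit the effective Windows Firewall
# state on a client after a Windows Intune firewall policy has been applied.
# Run in an elevated PowerShell session on the managed PC.

$policy = New-Object -ComObject HNetCfg.FwPolicy2

# Profile bit flags from the Windows Firewall with Advanced Security API.
$profiles = @{ Domain = 1; Private = 2; Public = 4 }

function Get-FirewallProfileState {
    foreach ($name in 'Domain', 'Private', 'Public') {
        $type = $profiles[$name]
        New-Object PSObject -Property @{
            Profile               = $name
            Enabled               = $policy.FirewallEnabled($type)
            BlockAllInbound       = $policy.BlockAllInboundTraffic($type)
            # NET_FW_ACTION_BLOCK = 0, NET_FW_ACTION_ALLOW = 1
            DefaultInboundBlocked = ($policy.DefaultInboundAction($type) -eq 0)
        }
    }
}

function Get-EnabledInboundAllowRules {
    # Enabled, inbound (Direction 1), allow (Action 1) rules are the real exceptions.
    foreach ($rule in $policy.Rules) {
        if ($rule.Enabled -and $rule.Direction -eq 1 -and $rule.Action -eq 1) {
            $applies = foreach ($name in 'Domain', 'Private', 'Public') {
                if (($rule.Profiles -band $profiles[$name]) -ne 0) { $name }
            }
            $proto = switch ($rule.Protocol) { 6 { 'TCP' } 17 { 'UDP' } 256 { 'Any' } default { "$($rule.Protocol)" } }
            New-Object PSObject -Property @{
                Name       = $rule.Name
                Protocol   = $proto
                LocalPorts = $rule.LocalPorts
                Profiles   = ($applies -join ',')
            }
        }
    }
}

Get-FirewallProfileState | Format-Table Profile, Enabled, BlockAllInbound, DefaultInboundBlocked -AutoSize

$exceptions = @(Get-EnabledInboundAllowRules)
$exceptions | Sort-Object Name | Format-Table Name, Protocol, LocalPorts, Profiles -AutoSize

# Ports chosen here (my own list) because they sit behind the File and Print
# and remote administration exceptions the article describes.
$watch = @{ TCP = '135', '139', '445'; UDP = '137', '138' }
foreach ($rule in $exceptions) {
    $ports = "$($rule.LocalPorts)" -split ','
    $hits  = @($ports | Where-Object { $watch[$rule.Protocol] -contains $_.Trim() })
    if ($hits.Count -gt 0) {
        Write-Warning ("Rule '{0}' opens {1} {2} on profiles {3}" -f $rule.Name, $rule.Protocol, ($hits -join ','), $rule.Profiles)
    }
}
```

The warnings are not errors: if your policy deliberately enables File and Print services on the Domain profile, that is what you expect to see. The point is to compare what the client reports with what you configured in the policy template, especially on the Public profile, where the policy lowest in the group hierarchy is the one that wins.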

Automate Security Update Approval

By default, Windows Intune will wait until an administrator manually approves each Microsoft update before allowing the managed PC to download and install the update. However, if you wish to make sure your clients get critical or security updates as soon as possible, you can configure Windows Intune auto-approval rules so that these updates are approved and deployed as soon as the client checks its update status. The following steps will take you through the process of setting up an auto-approval rule for Critical and Security related updates.

  1. From the Windows Intune Administration Console, click Administration and Updates.
  2. Select Automatic Approval Rules, scroll down to the bottom of the page, if required, and then click New....
  3. Type in a Rule name such as: “Default Approval Rule” then click Next.
  4. Check the All Categories option and click Next.
  5. Now you can select the update classifications that you wish to automatically approve. We recommend that you select the categories shown in Figure 3 to be automatically approved as these will help to keep your managed PCs better protected from new threats or vulnerabilities.

    Automatic Approval Rule Wizard screenshot

    Figure 3: Select Update Classifications.

  6. Once you have selected the classifications you wish to automate, click Next.
  7. Now you can select the groups you wish to deploy this rule to. To deploy it to all your managed computers, select the All Computers group and click Finish.
  8. Click Run Selected to force this rule to evaluate all updates on the systems currently and make them available for the managed computers the next time they check in. If you click Save here, it will only apply to future updates as they are released.

As the managed computers check back in to the service when they connect to the Internet, they will be instructed to apply all critical and security updates as soon as they are available.
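The following script is an added example and not part of the original article or of Windows Intune. It asks the Windows Update Agent on a managed PC which updates are still pending and which of them fall into the Critical Updates or Security Updates classifications covered by the rule above, which is a quick way to confirm from the client side that the auto-approval rule is reaching it. It assumes the Windows Intune client agent has pointed the Windows Update Agent at the Windows Intune service, so the pending list reflects what the service has approved for this PC.

```powershell
# Added example (not from the article): summarize pending updates on a client
# and separate out those in the classifications the auto-approval rule covers.
# Run in an elevated PowerShell session on the managed PC; the search can take
# a minute or two.

function Get-PendingUpdateSummary {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Not yet installed and not hidden by the user.
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    # Classification names as the Windows Update Agent reports them.
    $wanted = 'Critical Updates', 'Security Updates'

    foreach ($update in $result.Updates) {
        # Categories mixes classifications ("Security Updates") with product
        # names ("Windows 7"), so keep the whole list and match against $wanted.
        $categories = @(foreach ($c in $update.Categories) { $c.Name })
        $matched    = @($categories | Where-Object { $wanted -contains $_ })

        New-Object PSObject -Property @{
            Title        = $update.Title
            Categories   = ($categories -join '; ')
            RuleCovered  = ($matched.Count -gt 0)
            MsrcSeverity = $update.MsrcSeverity
            Downloaded   = $update.IsDownloaded
        }
    }
}

$pending = @(Get-PendingUpdateSummary)
$covered = @($pending | Where-Object { $_.RuleCovered })

'{0} updates pending, {1} of them Critical or Security updates' -f $pending.Count, $covered.Count
$covered | Sort-Object MsrcSeverity, Title | Format-Table MsrcSeverity, Downloaded, Title -AutoSize

# Anything covered by the rule that is still not downloaded after the client
# has checked in is worth a look in the Updates workspace of the console.
$stale = @($covered | Where-Object { -not $_.Downloaded })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} critical/security updates approved but not yet downloaded on this PC" -f $stale.Count)
}
```

MsrcSeverity is empty for updates that are not security bulletins, so sort it with Title as a tiebreaker as done above. If the search fails, the client is usually not able to reach the update service, which is the first thing to check before blaming the approval rule.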

Set Up Alert Notifications

Windows Intune tracks alerts from the managed computers, and you can monitor these alerts in the Alerts workspace of the Administration console. However, to make sure you or your support team get these alerts as soon as possible, we recommend setting up Windows Intune to also email the alerts. To do this, follow the steps below:

  1. From the Windows Intune Administration Console, click the Administration workspace tab.
  2. Click on Alerts and Notifications.
  3. Next, click Recipients and click the Add option as highlighted in Figure 4:

    Add Recipient window

    Figure 4: Add Recipients.

  4. Add the required email support aliases.
  5. Next, select Notification Rules and select the alert rules you wish to send emails for. Then, click the Recipients option as highlighted in Figure 5:

    Select Recipients window

    Figure 5: Select Recipients.

  6. Now you can select which email recipients will receive emails for these alerts.

We recommend that you set up these notification rules for All Critical Alerts and Remote Assistance Requests. This way, your support team can be made aware of any urgent security-related alerts as soon as possible.

Upgrade to Windows 7 Enterprise Edition

The last, and definitely not least, recommendation is to make sure your Windows Intune managed PCs are upgraded to Windows 7 Enterprise edition. Although Windows Intune supports both Windows XP and Windows Vista (Professional, Business or higher editions), we recommend using the upgrade rights to Windows 7 Enterprise included in a Windows Intune paid subscription. The security benefits of Windows 7 have been well documented and with the inclusion of BitLocker and BitLocker To Go, you can better protect your PCs and portable storage devices.

To learn more about Windows Intune or sign up for a 30-day trial, visit For technical guidance to help you get the most of your trial and deploy Windows Intune as your PC management solution, visit the Windows Intune Resource Zone on TechNet.

About the Author

Richard Harrison is the Windows Intune Technical Product Manager at Microsoft. He has over 25 years of IT experience and has specialized on the Windows platform for the past 15 years.

Richard has worked with a wide variety of products and technologies and has authored a number of books and guides including the Microsoft Antivirus Defense-in-Depth Guide and the Branch Office Infrastructure Solution (BOIS), and has co-authored several Windows Server and Client Security Guides for the Microsoft Solution Accelerator Team.

Related Resources

  • Windows Intune Resource Zone

    Find technical guidance and troubleshooting resources for IT professionals.

  • Windows Intune Technology Tune-up

    Explore best practices in PC management, the challenges of protecting and supporting remote users, and real life experiences with Windows Intune, Microsoft's cloud-based PC management solution.

  • Windows Intune 30-Day Trial

    Download a free trial to see how it can help you better manage and secure your PCs using Windows cloud services and Windows 7.
