Windows Intune Agent Policy Settings

The Windows Intune Agent policy template lets you create policies that you can use to configure the Windows Intune Endpoint Protection settings and Updates settings that are listed in the following tables. You can configure these settings in policies that you create that are based on this template, and you can use policies to deploy these settings to groups of computers.

Endpoint Protection Policy Settings

Nota

If you delete a policy that configures Windows Intune Endpoint Protection settings and is deployed to computers, the values of those settings on the computers are reset to the default state for the Endpoint Protection Agent. Except for the Join Microsoft SpyNet setting, the default values are the same as the recommended values for the policy settings. For Join Microsoft SpyNet, the default value is No.

Endpoint Protection Service policy settings

Policy Setting Description

Enable Endpoint Protection

This policy setting helps protect computers from both incoming and existing threats by enabling Windows Intune Endpoint Protection on managed computers.

  • Yes enables Endpoint Protection on managed computers to which this policy is deployed.

  • No disables Endpoint Protection on managed computers to which this policy is deployed.

  • Only on computers that are unprotected when Endpoint Protection is installed. This configuration will automatically enable Endpoint Protection only on those computers that are unprotected.

Recommended value: Only on computers that are unprotected when Endpoint Protection is installed

Create a system restore point before malware remediation

This policy setting lets you create a Windows System Restore Point before any malicious software (also known as malware) remediation is started. A System Restore point can be useful if the remediation has unintended consequences and the computer must be returned to its previous state.

  • Yes lets you create a Windows System Restore Point before malicious software remediation is started.

  • No disables creating a Windows System Restore Point.

Recommended value: Yes

Track resolved malware (days)

This policy setting lets Windows Intune Endpoint Protection track resolved malicious software for a specified time so that you can manually check previously infected managed computers.

You can specify any value from 0 to 30 days. Endpoint Protection tracks resolved malicious software on managed computers to which this policy is deployed for the time that you specify.

Recommended value: 7 days

Real-time Protection policy settings

Policy Setting Description

Enable real-time protection

This policy setting lets you enable monitoring and scanning of all files and applications that are loaded for use. It also blocks any malicious files and applications before they can run on managed computers.

  • Yes enables real-time protection monitoring and scanning on managed computers to which this policy is deployed.

  • No disables real-time protection monitoring and scanning on managed computers to which this policy is deployed.

Recommended value: Yes

Scan all downloads

This policy setting lets Windows Intune Endpoint Protection scan all files and attachments that are downloaded from the Internet to client computers.

  • Yes configures Endpoint Protection to scan all files and attachments that are downloaded from the Internet to client computers.

  • No does not configure Endpoint Protection to scan all files and attachments that are downloaded from the Internet to client computers.

Recommended value: Yes

Monitor file and program activity on computers

This policy setting lets you configure monitoring for incoming files and outgoing files, without completely disabling monitoring on client computers.

  • Yes lets you configure monitoring for incoming and outgoing files.

  • No disables monitoring for incoming and outgoing files.

Recommended value: Yes

Enable behavior monitoring

This policy setting lets Windows Intune Endpoint Protection check for certain patterns of suspicious activity on client computers.

  • Yes enables behavior monitoring on client computers.

  • No disables behavior monitoring on client computers.

Recommended value: Yes

Enable script scanning

This policy setting lets Windows Intune Endpoint Protection scan scripts that are loaded in Internet Explorer on client computers.

  • Yes enables scanning for scripts that are loaded in Internet Explorer on client computers.

  • No disables scanning for scripts that are loaded in Internet Explorer on client computers.

Recommended value: Yes

Enable Network Inspection System

This policy setting helps protect computers by enabling Network Inspection System (NIS) on client computers. NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (http://go.microsoft.com/fwlink/?LinkId=160624) to help detect and block malicious network traffic.

  • Yes enables NIS on client computers.

  • No disables NIS on client computers.

Recommended value: Yes

Scan Schedule policy settings

Policy Setting Description

Schedule a daily quick scan

These policy settings let you schedule a daily quick scan of both frequently used files and important system files on managed computers. This quick scan has a minimal effect on performance.

  • Yes schedules a daily quick scan for the time that you specify on managed computers to which this policy is deployed.

  • No does not schedule a daily quick scan on managed computers to which this policy is deployed.

Recommended value: Yes

Run a quick scan if you have missed two consecutive scans

This policy setting lets you configure Windows Intune Endpoint Protection to automatically run a quick scan on managed computers if they miss two consecutive scheduled quick scans.

  • Yes configures Endpoint Protection to run a quick scan if the computers to which this policy is deployed miss two consecutive scheduled quick scans.

  • No configures Endpoint Protection so that missing consecutive scheduled quick scans does not affect managed computers.

Recommended value: Yes

Schedule a full scan

These policy settings let you schedule a full system scan of all files and resources on the local hard disks of managed computers. This detailed scan can take some time and can affect computer performance (depending on the number of files and resources scanned). However, a full scan ensures that all files and resources are scanned.

  • Yes schedules a full system scan for the day and time that you specify on managed computers to which this policy is deployed.

  • No does not schedule a full system scan on managed computers to which this policy is deployed.

Recommended value: No

Run a full scan if you have missed two consecutive full scans

This policy setting lets you configure Windows Intune Endpoint Protection to automatically run a full scan on managed computers if they miss two consecutive scheduled full scans.

  • Yes configures Endpoint Protection to run a full scan if the computers to which this policy is deployed miss two consecutive scheduled full scans.

  • No configures Endpoint Protection so that missing consecutive scheduled full scans does not affect managed computers to which this policy is deployed.

Recommended value: Yes

Scan Options policy settings

Policy Setting Description

Run a full scan after installation of Endpoint Protection

This policy setting enables Windows Intune Endpoint Protection to automatically run a full system scan after Endpoint Protection is installed on managed computers. The full system scan obtains a baseline of the computers' health. This scan runs only when computers are idle to minimize the effect on user productivity.

  • Yes configures Endpoint Protection to automatically run a full system scan on each computer to which this policy is deployed after Endpoint Protection is installed on that computer.

  • No does not configure Endpoint Protection to automatically run a full system scan on each managed computer to which this policy is deployed after Endpoint Protection is installed on that computer.

Recommended value: Yes

Automatically run a full scan when needed to follow up malware removal

This policy setting enables Windows Intune Endpoint Protection to automatically run a full system scan on managed computers after the removal of malicious software. This scan is performed when you must confirm that other files are not affected.

  • Yes configures Endpoint Protection to automatically run a full system scan on a computer to which this policy is deployed if Endpoint Protection indicates that follow-up is needed after malicious software was removed from the computer.

  • No does not configure Endpoint Protection to automatically run a full system scan on managed computers to which this policy is deployed if Endpoint Protection indicates that follow-up is needed after malicious software is removed from that computer.

Recommended value: Yes

Start a scheduled scan only when the computer is idle

This policy setting lets you prevent scheduled scans from starting when managed computers are in use to prevent any loss of user productivity.

  • Yes lets scheduled scans run only when computers to which this policy is deployed are not being used.

  • No lets scans run as scheduled or as needed on managed computers to which this policy is deployed, even if the computers are being used.

Recommended value: Yes

Check for the latest malware definitions before starting a scan

This policy setting lets Windows Intune Endpoint Protection automatically check for the latest malicious software definitions before it starts a scan on managed computers. If new malicious software definitions are available, Endpoint Protection automatically updates the definitions before it starts the scan. This means that Endpoint Protection scans by using the latest malicious software definitions.

  • Yes configures Endpoint Protection to automatically check for the latest malicious software definitions before it starts a scan on managed computers to which this policy is deployed.

  • No configures Endpoint Protection not to check for the latest malicious software definitions before it starts a scan on managed computers to which this policy is deployed.

Recommended value: Yes

Scan archive files

This policy setting lets Windows Intune Endpoint Protection scan for malicious software in archive files (such as .zip or .cab files) on managed computers.

  • Yes configures Endpoint Protection to scan for malicious software in archive files on managed computers to which this policy is deployed.

  • No configures Endpoint Protection not to scan for malicious software in archive files on managed computers to which this policy is deployed.

Recommended value: No

Scan e-mail messages

This policy setting lets Windows Intune Endpoint Protection scan incoming email messages when they arrive on managed computers.

  • Yes configures Endpoint Protection to scan email messages when they arrive on managed computers to which this policy is deployed.

  • No configures Endpoint Protection not to scan email messages when they arrive on managed computers to which this policy is deployed.

Recommended value: Yes

Scan files opened from network shared folders

This policy setting lets Windows Intune Endpoint Protection scan files that are opened from shared folders on the network. These are typically files that are accessed by using a UNC path. Enabling this feature may cause problems for users who have read-only access because they cannot remove malicious software.

  • Yes configures Endpoint Protection to scan files opened from shared folders on the network.

  • No configures Endpoint Protection not to scan files opened from shared folders on the network.

Recommended value: No

Scan mapped network drives

This policy setting lets Windows Intune Endpoint Protection scan files on mapped network drives. Enabling this feature may cause problems for users who have read-only access because they cannot remove malicious software

  • Yes configures Endpoint Protection to scan files on mapped network drives.

  • No configures Endpoint Protection not to scan files on mapped network drives.

Recommended value: No

Scan removable drives

This policy setting lets Windows Intune Endpoint Protection scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when you run a full scan on client computers.

  • Yes configures Endpoint Protection to scan for malicious software and unwanted software in the contents of removable drives when you run a full scan.

  • No does not configure Endpoint Protection to scan for malicious software and unwanted software in the contents of removable drives when you run a full scan.

Recommended value: Yes

Limit CPU usage during a scan

This policy setting lets you configure the maximum percentage of CPU usage that can be used during scheduled scans on client computers. You can set the maximum CPU percent usage to be any value from 1% to 100%.

Recommended value: 50%

Default Actions policy settings

Policy Setting Description

Override how the Endpoint Protection service acts on malware of different severity levels

This policy setting lets you specify the default action that Windows Intune Endpoint Protection takes when potential threats with the following severity classifications are detected on client computers:

  • Severe

  • High

  • Medium

  • Low

Recommended value: Use the supplied definitions

Excluded Files and Folders policy settings

Policy Setting Description

Files and folders to exclude when running a scan or using real-time protection

This policy setting lets you exclude specific files or folders when a scan is run or when real-time protection is used on client computers. Excluding some processes can help speed up a scan, but can leave computers less protected.

Excluded Processes policy settings

Policy Setting Description

Processes to exclude when running a scan or using real-time protection

This policy setting lets you exclude specific processes when a scan is run or when real-time protection is used on client computers. Excluding some processes can help speed up a scan, but can leave computers less protected. You should exclude only files that have one of the following extensions: .exe, .com or .scr.

Excluded File Types policy settings

Policy Setting Description

File extensions to exclude when running a scan or using real-time protection

This policy setting lets you exclude specific file name extensions when a scan is run or when real-time protection is used on client computers. Excluding some file types can help speed up a scan, but may leave computers less protected.

Microsoft SpyNet policy settings

Microsoft SpyNet is an online community that helps you decide how to respond to potential threats. The community also helps stop the spread of new malicious software infections.

Policy Setting Description

Join Microsoft SpyNet

This policy setting allows you to decide whether to send information about detected malicious software to Microsoft SpyNet. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or to contact you.

  • Yes configures Endpoint Protection to send information about any malicious software that it detects on managed computers to which this policy is applied to Microsoft SpyNet.

  • No configures Endpoint Protection not to send information about any malicious software that it detects on managed computers to which this policy is applied to Microsoft SpyNet.

Recommended value: Yes

Membership level

This policy setting lets you decide to send basic or additional information about detected malicious software. This additional information helps Microsoft create new definitions to better protect managed computers. For example, this information can include the location of detected items on the managed computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or to contact you.

  • Basic configures Endpoint Protection to send basic information to Microsoft about software that Windows Intune Endpoint Protection detects. This includes where the software came from, the actions that you apply or that Windows Intune Endpoint Protection applies automatically, and whether the actions were successful.

  • Advanced configures Endpoint Protection to send more information to Microsoft about malicious software, spyware, and potentially unwanted software. This includes the location of the software, file names, how the software operates, and how it has affected your computer.

Recommended value: Advanced

Receive dynamic definitions based on Microsoft SpyNet reports

This policy setting lets client computers receive dynamic malicious software definitions based on information that Windows Intune Endpoint Protection sends to Microsoft SpyNet about detected malicious software. For this policy setting to take effect, you must also enable the Join Microsoft SpyNet policy setting.

  • Yes lets client computers receive dynamic malicious software definitions based on information that is submitted to Microsoft SpyNet about detected malicious software.

  • No does not let client computers receive dynamic malicious software definitions based on information that is submitted to Microsoft SpyNet about detected malicious software.

Recommended value: Yes

Updates Policy Settings

Nota

If you delete an Updates policy that is deployed to computers, the values of those Updates policy settings are reset to the default state for the operating system installed on the computers.

Policy Setting Description

Update detection frequency

This policy setting specifies how frequently the Update Agent checks for new updates.

You can configure this setting from 8 hours to 22 hours.

Recommended value: 8 hours

Automated or prompted installation of updates

This policy setting specifies whether updates are installed automatically or whether the user is prompted before updates are installed. Additionally, this setting lets you schedule the installation of updates.

  • Install updates automatically as scheduled starts the automated installation of updates at the scheduled day and time.

  • Prompt user for installation prompts the user to install when updates are ready. Updates are installed only if the user confirms that they should be installed.

Recommended values: Install updates automatically as scheduled and Every day

Immediate installation of updates that do not interrupt Windows

This policy setting configures whether updates are installed immediately after they are downloaded, unless they would interrupt or restart Windows.

  • Allow installs updates immediately after they are downloaded, except for updates that would interrupt or restart Windows. Updates that would interrupt or restart Windows are installed according to the configuration of the Automated or prompted installation of updates setting.

  • Do not allow installs updates according to the configuration of the Automated or prompted installation of updates setting.

Recommended value: Allow

Delay to restart Windows after installation of scheduled updates

This policy setting specifies the time to wait to restart Windows for the logged-on user after the installation of a scheduled update.

You can configure this setting from 1 to 1440 minutes (1440 minutes is 24 hours).

Recommended value: 30 minutes

Delay between Windows restarting and installation of missed scheduled updates

This policy setting specifies how long to wait to start the installation of updates after Windows is restarted when a scheduled update was missed.

You can configure this setting from 1 to 60 minutes.

Recommended value: 5 minutes

Allow logged-on user to control Windows restart after scheduled update installation

This policy setting determines whether the logged-on user can delay restarting Windows or be notified of an automatic Windows restart. However, if no user is logged on when the scheduled update installation is completed, Windows is restarted automatically when it is required.

  • Yes prompts the logged-on user to restart Windows when required.

  • No notifies the logged-on user that Windows will automatically restart when it is required to complete the installation. The time before Windows restarts by default is set to 5 minutes.

Recommended value: Yes

Delay between prompts to restart Windows after installation of scheduled updates

This policy setting specifies how frequently the user is prompted to restart Windows when an update that requires restarting Windows is installed and the user decides to delay restarting.

You can configure this setting from 1 to 30 minutes.

Recommended value: 5 minutes

See Also