Windows Intune Agent Policy Settings
The Windows Intune Agent policy template lets you create policies that you can use to configure the Windows Intune Endpoint Protection settings and Updates settings that are listed in the following tables. You can configure these settings in policies that you create that are based on this template, and you can use policies to deploy these settings to groups of computers.
Endpoint Protection Policy Settings
Note
If you delete a policy that configures Windows Intune Endpoint Protection settings and is deployed to computers, the values of those settings on the computers are reset to the default state for the Endpoint Protection Agent. Except for the Join Microsoft SpyNet setting, the default values are the same as the recommended values for the policy settings. For Join Microsoft SpyNet, the default value is No.
Endpoint Protection Service policy settings
| Policy setting | Description | Recommended value |
|---|---|---|
| Enable Endpoint Protection | This policy setting helps protect computers from both incoming and existing threats by enabling Windows Intune Endpoint Protection on managed computers. | Only on computers that are unprotected when Endpoint Protection is installed |
| Create a system restore point before malware remediation | This policy setting lets you create a Windows System Restore Point before any malicious software (also known as malware) remediation is started. A System Restore point can be useful if the remediation has unintended consequences and the computer must be returned to its previous state. | Yes |
| Track resolved malware (days) | This policy setting lets Windows Intune Endpoint Protection track resolved malicious software for a specified time so that you can manually check previously infected managed computers. You can specify any value from 0 to 30 days. Endpoint Protection tracks resolved malicious software on managed computers to which this policy is deployed for the time that you specify. | 7 days |
Real-time Protection policy settings
| Policy setting | Description | Recommended value |
|---|---|---|
| Enable real-time protection | This policy setting lets you enable monitoring and scanning of all files and applications that are loaded for use. It also blocks any malicious files and applications before they can run on managed computers. | Yes |
| Scan all downloads | This policy setting lets Windows Intune Endpoint Protection scan all files and attachments that are downloaded from the Internet to client computers. | Yes |
| Monitor file and program activity on computers | This policy setting lets you configure monitoring for incoming files and outgoing files, without completely disabling monitoring on client computers. | Yes |
| Enable behavior monitoring | This policy setting lets Windows Intune Endpoint Protection check for certain patterns of suspicious activity on client computers. | Yes |
| Enable script scanning | This policy setting lets Windows Intune Endpoint Protection scan scripts that are loaded in Internet Explorer on client computers. | Yes |
| Enable Network Inspection System | This policy setting helps protect computers by enabling Network Inspection System (NIS) on client computers. NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (https://go.microsoft.com/fwlink/?LinkId=160624) to help detect and block malicious network traffic. | Yes |
Scan Schedule policy settings
| Policy setting | Description | Recommended value |
|---|---|---|
| Schedule a daily quick scan | These policy settings let you schedule a daily quick scan of both frequently used files and important system files on managed computers. This quick scan has a minimal effect on performance. | Yes |
| Run a quick scan if you have missed two consecutive scans | This policy setting lets you configure Windows Intune Endpoint Protection to automatically run a quick scan on managed computers if they miss two consecutive scheduled quick scans. | Yes |
| Schedule a full scan | These policy settings let you schedule a full system scan of all files and resources on the local hard disks of managed computers. This detailed scan can take some time and can affect computer performance (depending on the number of files and resources scanned). However, a full scan ensures that all files and resources are scanned. | No |
| Run a full scan if you have missed two consecutive full scans | This policy setting lets you configure Windows Intune Endpoint Protection to automatically run a full scan on managed computers if they miss two consecutive scheduled full scans. | Yes |
Scan Options policy settings
| Policy setting | Description | Recommended value |
|---|---|---|
| Run a full scan after installation of Endpoint Protection | This policy setting enables Windows Intune Endpoint Protection to automatically run a full system scan after Endpoint Protection is installed on managed computers. The full system scan obtains a baseline of the computers' health. This scan runs only when computers are idle to minimize the effect on user productivity. | Yes |
| Automatically run a full scan when needed to follow up malware removal | This policy setting enables Windows Intune Endpoint Protection to automatically run a full system scan on managed computers after the removal of malicious software. This scan is performed when you must confirm that other files are not affected. | Yes |
| Start a scheduled scan only when the computer is idle | This policy setting lets you prevent scheduled scans from starting when managed computers are in use, to avoid any loss of user productivity. | Yes |
| Check for the latest malware definitions before starting a scan | This policy setting lets Windows Intune Endpoint Protection automatically check for the latest malicious software definitions before it starts a scan on managed computers. If new malicious software definitions are available, Endpoint Protection automatically updates the definitions before it starts the scan. This means that Endpoint Protection scans by using the latest malicious software definitions. | Yes |
| Scan archive files | This policy setting lets Windows Intune Endpoint Protection scan for malicious software in archive files (such as .zip or .cab files) on managed computers. | No |
| Scan e-mail messages | This policy setting lets Windows Intune Endpoint Protection scan incoming email messages when they arrive on managed computers. | Yes |
| Scan files opened from network shared folders | This policy setting lets Windows Intune Endpoint Protection scan files that are opened from shared folders on the network. These are typically files that are accessed by using a UNC path. Enabling this feature may cause problems for users who have read-only access because they cannot remove malicious software. | No |
| Scan mapped network drives | This policy setting lets Windows Intune Endpoint Protection scan files on mapped network drives. Enabling this feature may cause problems for users who have read-only access because they cannot remove malicious software. | No |
| Scan removable drives | This policy setting lets Windows Intune Endpoint Protection scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when you run a full scan on client computers. | Yes |
| Limit CPU usage during a scan | This policy setting lets you configure the maximum percentage of CPU usage that can be used during scheduled scans on client computers. You can set the maximum CPU percent usage to be any value from 1% to 100%. | 50% |
Default Actions policy settings
| Policy setting | Description | Recommended value |
|---|---|---|
| Override how the Endpoint Protection service acts on malware of different severity levels | This policy setting lets you specify the default action that Windows Intune Endpoint Protection takes when potential threats with the following severity classifications are detected on client computers: | Use the supplied definitions |
Excluded Files and Folders policy settings
| Policy setting | Description |
|---|---|
| Files and folders to exclude when running a scan or using real-time protection | This policy setting lets you exclude specific files or folders when a scan is run or when real-time protection is used on client computers. Excluding some files and folders can help speed up a scan, but can leave computers less protected. |
Excluded Processes policy settings
| Policy setting | Description |
|---|---|
| Processes to exclude when running a scan or using real-time protection | This policy setting lets you exclude specific processes when a scan is run or when real-time protection is used on client computers. Excluding some processes can help speed up a scan, but can leave computers less protected. You should exclude only files that have one of the following extensions: .exe, .com or .scr. |
Excluded File Types policy settings
| Policy setting | Description |
|---|---|
| File extensions to exclude when running a scan or using real-time protection | This policy setting lets you exclude specific file name extensions when a scan is run or when real-time protection is used on client computers. Excluding some file types can help speed up a scan, but may leave computers less protected. |
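The three exclusion lists above are the settings most likely to quietly weaken protection, so it is worth checking them before a policy is deployed. The following script is an added example, not part of the Windows Intune documentation or product: it models the files-and-folders, process and file-type exclusion lists as plain Python lists, enforces the documented rule that process exclusions must end in .exe, .com or .scr, and flags entries that are broad enough to disable scanning for large parts of a computer. The "broad exclusion" and "high-risk extension" heuristics, the list names and the sample entries are this script's own assumptions, not rules from the policy template.

```python
"""Lint Endpoint Protection exclusion lists before they go into an Intune policy.

Added example, not Intune's own code. The only rule taken from the policy
template is that process exclusions must be .exe, .com or .scr files; the
breadth and risk heuristics below are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Documented rule: process exclusions must name an .exe, .com or .scr file.
ALLOWED_PROCESS_EXTENSIONS = (".exe", ".com", ".scr")

# Assumption (not from the template): excluding executable content types means
# real-time protection never inspects exactly the files most worth scanning.
HIGH_RISK_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd",
                        ".ps1", ".vbs", ".js", ".jse", ".wsf", ".msi"}

# Assumption: a whole drive, profile tree or temp directory is too broad to exclude.
_DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
_BROAD_LOCATIONS = {"c:\\users", "c:\\windows\\temp", "c:\\programdata",
                    "%temp%", "%tmp%", "%userprofile%", "%appdata%", "%programdata%"}


@dataclass(frozen=True)
class Finding:
    severity: str    # "error" (should not ship) or "warning" (review before shipping)
    list_name: str   # which exclusion list the entry came from
    entry: str
    message: str


def lint_exclusions(paths: list[str], processes: list[str], extensions: list[str]) -> list[Finding]:
    """Return findings for the three exclusion lists; an empty list means no concerns."""
    findings: list[Finding] = []

    # Duplicates are harmless to the engine but usually mean the list is unreviewed.
    for name, entries in (("files_and_folders", paths), ("processes", processes), ("file_types", extensions)):
        seen: set[str] = set()
        for entry in entries:
            key = entry.strip().lower()
            if key in seen:
                findings.append(Finding("warning", name, entry, "duplicate entry"))
            seen.add(key)

    for entry in paths:
        normalized = entry.strip().rstrip("\\").lower()
        if _DRIVE_ROOT.match(entry.strip()):
            findings.append(Finding("error", "files_and_folders", entry,
                                    "excludes an entire drive; scanning is effectively disabled for it"))
        elif normalized in _BROAD_LOCATIONS:
            findings.append(Finding("warning", "files_and_folders", entry,
                                    "excludes a whole user-writable tree; narrow it to the specific folder"))

    for entry in processes:
        if not entry.strip().lower().endswith(ALLOWED_PROCESS_EXTENSIONS):
            findings.append(Finding("error", "processes", entry,
                                    "process exclusions must end in .exe, .com or .scr"))

    for entry in extensions:
        ext = entry.strip().lower()
        if not ext.startswith("."):      # assumed ".ext" convention; normalize for comparison
            ext = "." + ext
        if ext in HIGH_RISK_EXTENSIONS:
            findings.append(Finding("warning", "file_types", entry,
                                    "excludes an executable content type from real-time protection"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'error': 2, 'warning': 3}."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


# Constructed sample lists: one legitimate application cache, one whole drive,
# one profile tree, a duplicate process, a non-process file and a script extension.
SAMPLE_PATHS = ["C:\\Program Files\\LineOfBusinessApp\\cache", "D:\\", "C:\\Users"]
SAMPLE_PROCESSES = ["lobapp.exe", "backup.dll", "LOBAPP.EXE"]
SAMPLE_EXTENSIONS = [".log", ".ps1"]

if __name__ == "__main__":
    for f in lint_exclusions(SAMPLE_PATHS, SAMPLE_PROCESSES, SAMPLE_EXTENSIONS):
        print(f"{f.severity:7} {f.list_name:18} {f.entry!r}: {f.message}")
    print(summarize(lint_exclusions(SAMPLE_PATHS, SAMPLE_PROCESSES, SAMPLE_EXTENSIONS)))
```

Errors are entries that violate the documented rule or remove scanning from an entire drive; warnings are entries that are allowed but deserve a second look before the policy reaches a group of computers.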
Microsoft SpyNet policy settings
Microsoft SpyNet is an online community that helps you decide how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
| Policy setting | Description | Recommended value |
|---|---|---|
| Join Microsoft SpyNet | This policy setting allows you to decide whether to send information about detected malicious software to Microsoft SpyNet. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or to contact you. | Yes |
| Membership level | This policy setting lets you decide to send basic or additional information about detected malicious software. This additional information helps Microsoft create new definitions to better protect managed computers. For example, this information can include the location of detected items on the managed computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or to contact you. | Advanced |
| Receive dynamic definitions based on Microsoft SpyNet reports | This policy setting lets client computers receive dynamic malicious software definitions based on information that Windows Intune Endpoint Protection sends to Microsoft SpyNet about detected malicious software. For this policy setting to take effect, you must also enable the Join Microsoft SpyNet policy setting. | Yes |
Updates Policy Settings
Note
If you delete an Updates policy that is deployed to computers, the values of those Updates policy settings are reset to the default state for the operating system installed on the computers.
| Policy setting | Description | Recommended value |
|---|---|---|
| Update detection frequency | This policy setting specifies how frequently the Update Agent checks for new updates. You can configure this setting from 8 hours to 22 hours. | 8 hours |
| Automated or prompted installation of updates | This policy setting specifies whether updates are installed automatically or whether the user is prompted before updates are installed. Additionally, this setting lets you schedule the installation of updates. | Install updates automatically as scheduled and Every day |
| Immediate installation of updates that do not interrupt Windows | This policy setting configures whether updates are installed immediately after they are downloaded, unless they would interrupt or restart Windows. | Allow |
| Delay to restart Windows after installation of scheduled updates | This policy setting specifies the time to wait to restart Windows for the logged-on user after the installation of a scheduled update. You can configure this setting from 1 to 1440 minutes (1440 minutes is 24 hours). | 30 minutes |
| Delay between Windows restarting and installation of missed scheduled updates | This policy setting specifies how long to wait to start the installation of updates after Windows is restarted when a scheduled update was missed. You can configure this setting from 1 to 60 minutes. | 5 minutes |
| Allow logged-on user to control Windows restart after scheduled update installation | This policy setting determines whether the logged-on user can delay restarting Windows or be notified of an automatic Windows restart. However, if no user is logged on when the scheduled update installation is completed, Windows is restarted automatically when it is required. | Yes |
| Delay between prompts to restart Windows after installation of scheduled updates | This policy setting specifies how frequently the user is prompted to restart Windows when an update that requires restarting Windows is installed and the user decides to delay restarting. You can configure this setting from 1 to 30 minutes. | 5 minutes |
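The Endpoint Protection and Updates tables above each give an allowed range, a recommended value, or both, and the SpyNet table states one dependency (dynamic definitions require Join Microsoft SpyNet). The following script is an added example, not Intune's own tooling: it encodes those ranges, recommended values and the dependency from the tables and reports where a proposed policy is invalid, silently ineffective, or drifts from the recommendation, distinguishing drift that weakens protection (a recommended Yes turned off) from drift that merely differs (for example, scanning archive files when the recommendation is No). The setting names are this script's own keys, since the page gives no machine names, and the sample policy is constructed.

```python
"""Check a proposed Windows Intune Agent policy against the documented ranges,
recommended values and the SpyNet dependency.

Added example, not Intune's own code. Ranges and recommended values are taken
from the policy template tables; the dict keys below are this script's own
names for the settings, not identifiers used by Intune.
"""
from __future__ import annotations

from dataclasses import dataclass

# (minimum, maximum, recommended) for the numeric settings, as documented.
NUMERIC_SETTINGS = {
    "track_resolved_malware_days": (0, 30, 7),
    "limit_cpu_usage_percent": (1, 100, 50),
    "update_detection_frequency_hours": (8, 22, 8),
    "restart_delay_minutes": (1, 1440, 30),
    "missed_update_install_delay_minutes": (1, 60, 5),
    "restart_prompt_interval_minutes": (1, 30, 5),
}

# Recommended values for the Yes/No settings, as documented (True = Yes).
RECOMMENDED_BOOLEANS = {
    "create_restore_point_before_remediation": True,
    "enable_real_time_protection": True,
    "scan_all_downloads": True,
    "monitor_file_and_program_activity": True,
    "enable_behavior_monitoring": True,
    "enable_script_scanning": True,
    "enable_network_inspection_system": True,
    "schedule_daily_quick_scan": True,
    "quick_scan_after_two_missed": True,
    "schedule_full_scan": False,
    "full_scan_after_two_missed": True,
    "full_scan_after_installation": True,
    "full_scan_after_malware_removal": True,
    "scheduled_scan_only_when_idle": True,
    "check_definitions_before_scan": True,
    "scan_archive_files": False,
    "scan_email_messages": True,
    "scan_network_shared_folders": False,
    "scan_mapped_network_drives": False,
    "scan_removable_drives": True,
    "join_microsoft_spynet": True,
    "receive_dynamic_definitions": True,
    "user_controls_restart": True,
}


@dataclass(frozen=True)
class Issue:
    kind: str      # "invalid", "dependency", "weakened" or "drift"
    setting: str
    message: str


def _yes_no(value: bool) -> str:
    return "Yes" if value else "No"


def check_policy(policy: dict) -> list[Issue]:
    """Return issues for the settings present in `policy`; absent settings are skipped."""
    issues: list[Issue] = []

    for setting, (lo, hi, rec) in NUMERIC_SETTINGS.items():
        if setting not in policy:
            continue
        value = policy[setting]
        if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
            issues.append(Issue("invalid", setting, f"{value!r} is outside the allowed range {lo}..{hi}"))
        elif value != rec:
            issues.append(Issue("drift", setting, f"set to {value}, recommended value is {rec}"))

    for setting, rec in RECOMMENDED_BOOLEANS.items():
        if setting not in policy or bool(policy[setting]) == rec:
            continue
        # Turning off a recommended Yes removes protection; the reverse is only a deviation.
        kind = "weakened" if rec else "drift"
        issues.append(Issue(kind, setting, f"set to {_yes_no(policy[setting])}, recommended value is {_yes_no(rec)}"))

    # Documented dependency: dynamic definitions have no effect without Join Microsoft SpyNet.
    if policy.get("receive_dynamic_definitions") and not policy.get("join_microsoft_spynet"):
        issues.append(Issue("dependency", "receive_dynamic_definitions",
                            "has no effect unless join_microsoft_spynet is Yes"))
    return issues


# Constructed sample policy exercising each issue kind.
SAMPLE_POLICY = {
    "track_resolved_malware_days": 7,
    "limit_cpu_usage_percent": 50,
    "update_detection_frequency_hours": 24,   # outside the documented 8..22 hours
    "restart_delay_minutes": 60,              # allowed, but not the recommended 30
    "enable_real_time_protection": True,
    "enable_script_scanning": False,          # recommended Yes: weakens protection
    "scan_archive_files": True,               # recommended No: deviation only
    "join_microsoft_spynet": False,           # recommended Yes, and breaks the dependency below
    "receive_dynamic_definitions": True,
}

if __name__ == "__main__":
    for issue in check_policy(SAMPLE_POLICY):
        print(f"{issue.kind:10} {issue.setting}: {issue.message}")
```

Run it against a policy before deployment: "invalid" and "dependency" issues mean the policy will not do what its author expects, "weakened" issues are the ones a security reviewer should sign off on explicitly, and plain "drift" is informational.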