Tuesday, 8 November 2011

Installing Windows Intune Endpoint Protection over existing anti-malware software

How does Windows Intune install Window Intune Endpoint Protection when there is existing anti-malware software on the client computer?

Over the past year Content Master has been involved in training many Microsoft employees, Partners, and IT Pros on the technical ins and outs of Windows Intune. A question we have been asked many times is exactly how the Windows Intune installation process behaves when installed on computers with existing anti-malware software. It’s important to recognise that when the Windows Intune client is installed the overriding principle is to ensure that all client computers are protected from malware. This means that if you install Windows Intune on a computer with no existing malware protection the Windows Intune Endpoint Protection (WIEP) agents will be installed. This is exactly what you would expect, but things get a little more complicated when an existing anti-malware solution is in place; so that is the focus of this blog.

Before you deploy the Windows Intune client, we strongly recommend that you create default Windows Intune policies to set a baseline for deploying updates, software, and especially WIEP. By determining the WIEP settings you require and configuring the appropriate policy settings before deploying the client to any computer, you can take control of the deployment process and save time and effort later on.

Now let’s examine the options available in the policy setting of the Windows Intune Agent Settings policy and see how they change the installation behaviour. Then we will then look at the behaviour when installing the Windows Intune client.

WIEP Settings in the Windows Intune Agent Settings policy

The Windows Intune Agent Settings policy includes settings that control the behaviour of Endpoint Protection, updates and network bandwidth.

Figure 1 shows the Endpoint Protection setting that controls the installation behaviour of WIEP:

WI Agent Settings EP

Figure 1: Endpoint Protection Settings

Yes enables Windows Intune Endpoint Protection on client computers. If Windows Intune Endpoint Protection is not already installed on a client computer, it will be installed.

No disables Windows Intune Endpoint Protection on client computers. If Windows Intune Endpoint Protection is not already installed on a client computer, it will be installed only if another endpoint protection application is not already installed on the computer. When Windows Intune Endpoint Protection is installed in this case, it is installed and configured as disabled.

Only on computers that are unprotected when Endpoint Protection is installed enables Windows Intune Endpoint Protection on client computers that do not already have another endpoint protection application installed. If another endpoint protection application is already installed on a client computer, this policy setting causes Endpoint Protection to not be installed on that computer. This is the default and recommended option.

You can find more information on the Endpoint Protection Policy Settings and other Windows Intune Agent Policy Settings in Windows Intune Help.

Installation Behaviour:

The default behaviour of the WIEP installation is to ensure that the client computer is protected. If you create a Windows Intune Agent Settings policy and configure the Endpoint Protection policy settings, you can control the WIEP installation behaviour. This is described in the flowchart below:

New Flowchart

Figure 2: WIEP Installation Behaviour Flowchart

There are five paths through this flowchart:

Path 1 (1-2-3): This path describes the simplest situation; where there is no endpoint protection software installed on the client computer the Windows Intune client installation will install and enable WIEP.

Path 2 (1-2-4-5): This path describes an environment where Microsoft Security Essentials (MSE) or Forefront Endpoint Protection (FEP) is installed on the client computer. In this case, the existing endpoint protection software is automatically upgraded to WIEP.

Path 3 (1-2-4-6-7): This path describes an environment where MSE or FEP is not installed on the client computer, and there is no Endpoint Protection policy defined in the Windows Intune Agent Settings policy. In this case, WIEP is not installed and the client computer continues to use the existing endpoint protection software.

Path 4 (1-2-4-6-8-9): This path describes an environment where MSE or FEP is not installed on the client computer, there is an Endpoint Protection policy defined in the Windows Intune Agent Settings policy, and the existing endpoint protection software is recognised.[1] In this case, the Windows Intune client installation removes the existing endpoint protection software and installs WIEP.

Path 5 (1-2-4-6-8-10): This path describes an environment where MSE or FEP is not installed on the client computer, there is an Endpoint Protection policy defined in the Windows Intune Agent Settings policy, and the existing endpoint protection software is not recognised. In this case, the Windows Intune client installation installs WIEP in a disabled state and the client computer continues to use the existing anti-malware software.

Windows Intune will always install the Windows Intune Endpoint Protection agent, even in Paths 3 and 4 where the Windows Intune Endpoint Protection engine is not installed. This is illustrated in figures 3 and 4 below:

WIEP Agent installed

Figure 3: Windows Intune Endpoint Protection Agent installed

WIEP installed

Figure 4: Windows Intune Endpoint Protection Agent and Windows Intune Endpoint Protection engine installed

Recommendations

The most important thing is to determine whether you want to use Windows Intune to manage your endpoint protection, with all the benefits that brings. Windows Intune Endpoint Protection helps enhance the security of computers in your organization by providing real-time protection against potential threats; keeping malware definitions up-to-date; and automatically running scans that you can control with policies. All of this is integrated into the Windows Intune administrator console to provide a centralised point of management, along with customisable reports that help you to keep track of malware issues and their resolution.

If you decide to use WIEP, you should plan and implement the appropriate Endpoint Protection policy settings in the Windows Intune Agent Settings policy before you deploy the Windows Intune client software. In this way, you can control the WIEP installation as the client joins the Windows Intune account.

As always, it is wise to experiment with different methods of installing WIEP in a test lab, so that you can determine which method will work best in your organisation. For example, you may want to verify that the Windows Intune client installation can successfully remove existing anti-malware software from your client computers. You may also want to verify that WIEP can co-exist with your existing endpoint protection application if it is not one of the recognised packages.

Conclusion

Windows Intune includes a fully featured and cloud enabled endpoint protection solution based on the Forefront Endpoint Protection 2010 product. If you plan for the deployment of WIEP and configure the appropriate Windows Intune Agent Settings policy before you install the Windows Intune client on computers throughout your organisation you will have more control of the endpoint protection status as soon as they are managed by Windows Intune.


[1] A list of anti-malware software that Windows Intune recognises can be found at: http://onlinehelp.microsoft.com/windowsintune/hh127706.aspx

Blogger: User Profile: Rose Malcolm

No comments: