Windows Intune Endpoint Protection
What is Windows Intune Endpoint Protection? (from Microsoft)
Manage PCs and multiple types of mobile devices in one unified solution, either through the cloud or by extending your existing on-premises infrastructure. Whether using corporate or employee-owned devices, Windows Intune helps provide a security-enhanced environment with comprehensive update and policy management. Use...
Overview
Windows Intune Endpoint Protection is a software program developed by Microsoft. The most common release is 4.5.216.0, with over 98% of all installations currently using this version. During setup, the program creates a startup registration point in Windows in order to automatically start when any user boots the PC. Upon being installed, the software adds a Windows Service which is designed to run continuously in the background. Manually stopping the service has been seen to cause the program to stop functioning properly. It adds a background controller service that is set to automatically run. Delaying the start of this service is possible through the service manager. A scheduled task is added to Windows Task Scheduler in order to launch the program at various scheduled times (the schedule varies depending on the version). The software is designed to connect to the Internet and adds a Windows Firewall exception in order to do so without being interfered with. When installed, it will add a context menu handler to the Windows shell in order to provide quick access to the program. The setup package generally installs about 39 files and is usually about 22.1 MB (23,174,406 bytes). Relative to the overall usage of users who have this installed on their PCs, most are running Windows 7 (SP1) and Windows 10. While about 50% of users of Windows Intune Endpoint Protection come from the United States, it is also popular in the United Kingdom and Germany.
Program details
URL: go.microsoft.com/fwlink/?LinkID=206391&mkt=en-us
Installation folder: C:\Program Files\Microsoft Security Client
Uninstaller: C:\Program Files\Microsoft Security Client\Setup.exe /x
Estimated size: 22.1 MB
Files installed by Windows Intune Endpoint Protection
- ConfigSecurityPolicy.exe - Microsoft Security Client Policy Configure
- IpsConsumer.dll - Microsoft Network Inspection System
- NisLog.dll - Microsoft Network Inspection System Logging Provider
- NisNetIP.dll
- NisPerformanceProvider.dll - Microsoft Network Inspection System performance counters provider
- NisSrv.exe
- NisWFP.dll
- NisIpsPlugin.dll - AntiMalware RealTime Protection (Nis Ips Plugin in AM Service)
- DbgHelp.dll - Debugging Tools for Windows(R) (Windows Image Helper)
- SymSrv.dll - Symbol Server
- MsseWat.dll - Microsoft Security Essentials (Microsoft Security Essentials WGA module)
- ProtectionManagement.dll - Microsoft Endpoint Protection (Microsoft Endpoint Protection Management Provider)
- MpAsDesc.dll - Microsoft Malware Protection (Definition Update Descriptions)
- MpClient.dll - Client Interface
- MpCmdRun.exe - Microsoft Malware Protection Command Line Utility
- MpCommu.dll - Communication Module
- mpevmsg.dll - Event Resource Module
- MpOAv.dll - IOfficeAntiVirus Module
- MpRTP.dll - AntiMalware Realtime Monitor
- MpSvc.dll - Service Module
- MpTpmAtt.dll - TPM Attestation
- MpUtil.dll - Sample / Spynet Submission
- MsMpCom.dll - COM Utility
- MsMpEng.exe - Antimalware Service Executable
- mpuxhostproxyoob.dll - Microsoft Security Client (COM Proxy for mpuxhost (MP Modern shell host))
- MpUxSrvOob.exe - MP modern host server
- MsMpRes.dll - User Interface Resource Module
- msseces.exe - Microsoft Security Client User Interface
- setup.exe - Microsoft Security Client Setup
- setupres.dll - Microsoft Security Client Setup Resources
- shellext.dll - Microsoft Security Client Shell Extension
- MsMpLics.dll - Microsoft Antimalware (License Module)
- ProtectionMgmt.dll - Protection Management WMIv2 Provider
- EppManifest.dll - Windows Intune (Intune Resource Module)
- sqmapi.dll - SQM Client
Behaviors exhibited
Autoplay Handler
- shellext.dll is registered as an AutoPlay event handler named 'RhapsodyRipCDAudioOnArrival' with the ProgID of 'Rhapsody.AudioCDRip.3' and the action verb 'rip'.
Context Menu Handler
- shellext.dll added to Windows Explorer under the name 'XXX Groove GFS Context Menu Handler XXX' with a class of {6C467336-8281-4E60-8204-430CED96822D}.
Mozilla Plugin
- shellext.dll is loaded into Mozilla Firefox under the product name 'Office Authorization' with a plugin key of '@microsoft.com/OfficeAuthz,version=14.0' for all users of the PC.
5 Scheduled Tasks
- msseces.exe is scheduled as a task with the class '{70A48729-EDA2-4C43-BD2A-622C1FE1B158}' (runs on registration).
- MpCmdRun.exe is scheduled as a task named 'MSE' (runs weekly on Sundays at 22:52).
- MsMpEng.exe is scheduled as a task with the class '{36EFC519-FFC0-44BA-A865-06780C54FA6D}' (runs on registration).
- Setup.exe is scheduled as a task with the class '{EAC44AF3-B6F9-401D-8A78-249D0D819684}' (runs on registration).
- MsMpRes.dll is scheduled as a task named 'Microsoft-Windows-TaskScheduler_Operational_Microsoft-Windows-TaskScheduler_103'.
2 Scheduled Tasks (Boot/Login)
- MpCmdRun.exe is automatically launched at startup through a scheduled task named Microsoft Security Essentials-Startup.
- msseces.exe is automatically launched at startup through a scheduled task named MSC (5).
2 Services
- NisSrv.exe runs as a service named '@C:\Program Files\Microsoft Security Client\MpAsDesc.dll,-243' (NisSrv) "Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols".
- MsMpEng.exe runs as a service named 'MsMpSvc' (MsMpSvc).
3 Startup Files (User Run)
- MpCmdRun.exe is loaded in the current user (HKCU) registry as an auto-starting executable named 'Microsoft Malware Protection Command Line Utility' and executes as C:\Program Files\Microsoft Security Client\MpCmdRun.exe.
- msseces.exe is loaded in the current user (HKCU) registry as an auto-starting executable named 'Microsoft Security Client User Interface' and executes as C:\Program Files\Microsoft Security Client\msseces.exe.
- MsMpEng.exe is loaded in the current user (HKCU) registry as an auto-starting executable named 'New startup' and executes as "C:\Program Files\Microsoft Security Client\MsMpEng.exe".
Startup File (User Run Once)
- msseces.exe is loaded once in the current user (HKCU) registry as a startup file named 'Application Restart #0' which loads as C:\Program Files\Microsoft Security Client\msseces.exe -Recover.
2 Startup Files (All Users Run)
- msseces.exe is loaded in the all users (HKLM) registry as a startup file named 'MSC.old' which loads as "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey.
- MsMpEng.exe is loaded in the all users (HKLM) registry as a startup file named 'MsMpEng' which loads as C:\Program Files\Microsoft Security Client\MsMpEng.exe.
4 Windows Firewall Allowed Programs
- msseces.exe is added as a firewall exception for 'C:\Program Files\Microsoft Security Client\msseces.exe'.
- shellext.dll is added as a firewall exception for 'C:\users\user\appdata\Local\Temp\30985.exe'.
- MsMpEng.exe is added as a firewall exception for 'C:\Program Files\Microsoft Security Client\MsMpEng.exe'.
- MpCmdRun.exe is added as a firewall exception for 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe'.
Resource utilization averages
MpCmdRun.exe
- Memory: 564 KB
- Total CPU: 0.1615348063%
- Kernel CPU: 0.13167757%
- User CPU: 0.02985724%
MsMpEng.exe
- Memory: 93.98 MB
- Total CPU: 0.0073768926%
- Kernel CPU: 0.00499648%
- User CPU: 0.00238042%
- CPU cycles/sec: 31,319,887
- Switches/sec: 24
- I/O reads/min: 5.84 MB
- I/O writes/min: 1.78 MB
NisSrv.exe
- Memory: 9.39 MB
- Total CPU: 0.0019590863%
- Kernel CPU: 0.00047169%
- User CPU: 0.00148740%
- CPU cycles/sec: 29,554
- I/O reads/min: 2 Bytes
- I/O writes/min: 23 Bytes
How do I remove Windows Intune Endpoint Protection?
You can uninstall Windows Intune Endpoint Protection from your computer by using the Add/Remove Program feature in the Windows Control Panel.
- On the Start menu (for Windows 8, right-click the screen's bottom-left corner), click Control Panel, and then, under Programs, do one of the following:
  - Windows Vista/7/8/10: Click Uninstall a Program.
  - Windows XP: Click Add or Remove Programs.
- When you find the program Windows Intune Endpoint Protection, click it, and then do one of the following:
  - Windows Vista/7/8/10: Click Uninstall.
  - Windows XP: Click the Remove or Change/Remove tab (to the right of the program).
- Follow the prompts. A progress bar shows you how long it will take to remove Windows Intune Endpoint Protection.
How do I reset my web browser?
If your web browser homepage and search settings have been modified by Windows Intune Endpoint Protection, you can restore them to their previous default settings.
Microsoft Internet Explorer
- Open Internet Explorer and click the Tools button, and then click Internet options.
- Click the Advanced tab, and then click Reset. Select the Delete personal settings check box if you would also like to remove search providers, Accelerators and home pages. When Internet Explorer finishes applying default settings, click Close, and then click OK.
- The changes will take effect the next time you open IE.
Mozilla Firefox
- At the top of the Firefox window, click the Firefox button, go over to the Help sub-menu and select Troubleshooting Information.
- To continue, click Reset Firefox in the confirmation window that opens. It will close and be reset.
- When it's done, a window will list the information that was imported. Click Finish and Firefox will open.
Google Chrome
- Open Chrome and click the Chrome menu on the browser toolbar.
- Select Settings. In the "Search" section, click Manage search engine. Check if (Default) is displayed next to your preferred search engine. If not, mouse over it and click Make default. Mouse over any other suspicious search engine entries that are not familiar and click X to remove them.
- When the "Show Home button" checkbox is selected, a web address appears below it. If you want the Homepage button to open up a different webpage, click Change to enter a link.
- Restart Google Chrome.
OS VERSIONS
- Win 7 (SP1): 51%
- Win Vista (SP2): 3%
HOW IT STARTS
- Automatically starts? Yes (Found in the run registry)
USER ACTIONS
- Uninstall it: 1%
- Keep it: 99%
Windows
Which Windows OS versions does it run on?
- Windows 7: 50.75%
- Windows 10: 46.27%
- Windows Vista: 2.99%
Which OS releases does it run on?
- Windows 7 Professional: 26.87%
- Windows 7 Enterprise: 17.91%
- Windows 8.1 Pro: 14.93%
- Windows 8 Pro: 10.45%
- Windows 8.1 Enterprise: 8.96%
- Windows 8 Enterprise: 8.96%
Geography
50.00% of installs come from the United States
Which countries install it?
- United States: 50.00%
- United Kingdom: 8.82%
- Germany: 5.88%
- Australia: 4.41%
- DK: 4.41%
- Belgium: 2.94%
- Japan: 2.94%
- Netherlands: 2.94%
- Norway: 1.47%
- Switzerland: 1.47%
- Finland: 1.47%
- Austria: 1.47%
- New Zealand: 1.47%
- Portugal: 1.47%
PC manufacturers
What PC manufacturers (OEMs) have it installed?
- Dell: 35.09%
- Lenovo: 26.32%
- Hewlett-Packard: 17.54%
- Acer: 7.02%
- GIGABYTE: 5.26%
- ASUS: 3.51%
- Samsung: 1.75%
- Intel: 1.75%
- Apple: 1.75%
Common models
- Gateway NE56R: 3.13%
- Dell Latitude E6530: 3.13%
- Microsoft Corporation Sur...: 3.13%
- Dell Precision M4500: 3.13%
- Dell Precision M4700: 3.13%
- Dell Latitude 3540: 1.56%
About Microsoft
Microsoft Corporation develops, manufactures, licenses and supports a variety of products and services related to computing.
Publisher URL: www.microsoft.com