Deploying SCCM 2012 Part 13 – Installing and Configuring Endpoint Protection Role.
Endpoint Protection in System Center 2012 Configuration Manager lets you manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy. Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client computers. Endpoint Protection supports managing the Windows Firewall only.
The Endpoint Protection client has the following capabilities:
1. Malware and Spyware detection and remediation.
2. Rootkit detection and remediation.
3. Critical vulnerability assessment and automatic definition and engine updates.
4. Network vulnerability detection via Network Inspection System.
5. Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.
Installing Endpoint Protection Point Role
Note : The Endpoint Protection role should be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site.
In the Configuration Manager console, click Administration. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, right click the server and click Add site system roles. Check the role Endpoint Protection Point.
Accept the terms and click Next.
Choose Basic membership and click Next.
The Endpoint Protection point role has been installed. click Close.
We will now create a Custom client device settings for Endpoint protection. Click Administration in the Console and under Site Configuration, right click Client Device settings and create custom client device settings. check Endpoint Protection and click OK.
On the left side of the settings page select Endpoint Protection, and Under Custom Device settings for Manage Endpoint Protection client on client computers, click on drop down and select True. click OK
Right Click My Custom endpoint settings policy and click Deploy. We will deploy the policy to All Windows 7 Computers.
After few minutes on the client machine we see that Endpoint protection client is installed.
The Endpoint Updates are not yet deployed, so the computer status is at risk and is red in color. We will Deploy the endpoint protection updates through SCCM 2012 in the coming steps.
Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager
Antimalware policies determine how Endpoint Protection protects the computers from malware and threats. Policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected. Configuration Manager supplies a selection of predefined templates that are optimized for various scenarios and can be imported into Configuration Manager. These templates can be found in the folder <ConfigMgr Install Folder>\AdminConsole\XMLStorage\EPTemplates. You can choose to create a new antimalware policy or modify the default antimalware policy.
In this post we will create a new Antimalware policy. To create a new Antimalware Policy, in the Configuration Manager console, click Assets and Compliance. In the Assets and Compliance
workspace, expand Endpoint Protection, and then click Antimalware Policies. Right click and select Create Antimalware Policy.
On the left pane, click on scan settings. Set Scan removable storage devices to True.
Click on definition updates, for check endpoint protection definitions at specific interval set it to 2 hours. Set force a definition update if the client computer is offline for more than 2 consecutive scheduled updates to True.
For set sources and order for endpoint protection definition updates, click Set Source. choose Updates distributed from Configuration Manager. Click OK. Click OK again to close the window.
We will now deploy the malware policy that we created, right click the policy and click Deploy.
The policy will be deployed to All Windows 7 Computers. Click OK.
In Assets and Compliance select Devices and choose Device Collections, select the All Windows 7 Computers collection, choose properties.
Click on Alerts, Check the box View this collection in the Endpoint Protection Dashboard. click Add.
Now in Add New Collection Alerts, Check all the boxes and click OK.
Click OK to close the Computer properties window.
Configuring Software Update Point to Download the Endpoint Protection Point Definition Updates.
We will now configure the Software Update Point and Select the Endpoint Protection Product and will download the updates. On the SCCM Console click on Administration, Under Site Configuration click Sites. Under Configure Site Components, click Software Update Point.
Click on Products, Choose Forefront Endpoint Protection 2010 product. Click Apply.
On the Classification tab, make sure that Definition Updates are selected. Click OK.
On the SCCM console, Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates.
Click Yes to start the Synchronization process.
We can view the Synchronization log file located under C > Program Files > Microsoft Configuration Manager > Logs > wsyncmgr.log. Use CMTrace tool to open the log file.
The Synchronization has completed.
After few minutes we can see definition updates under All Software Updates.
Deploying Endpoint Updates – We can deploy the updates in 2 ways, the first one is by creating a ADR (Automatic Deployment Rule). The second method is to select all the updates, download them and then deploy updates to a collection. We will deploy the Endpoint Protection Updates using Automatic Deployment Rule.
In the CM console, click on Software Library, expand Software Updates, right click Automatic Deployment Rule and click Create Automatic Deployment Rule.
Lets name the ADR rule as ADR for Endpoint Protection Updates. Choose the collection as All Windows 7 Computers. The rule will be added to existing software update group. click Next.
Set the State message detail level to Minimal, select Automatically deploy all software updates found in this rule and approve license agreements.
Under property filters, Choose Date Released or Revised, Product. Set date released or revised as 1 day and Product as Forefront Endpoint Protection 2010. click Next.
Check the box “Enable rule to run on a schedule” and click customize and set it to run every 2 days. click Next.
Set the Timed Based on value to UTC. Set software available time to 1 hours. Set the Installation Deadline to As soon as possible. Click Next.
Do not select anything on this page, click Next.
Click Generate an alert when the following conditions are met, Set the client compliance percentage to 90, offset from the deadline to 7 days. click Next.
For clients that have slow site boundaries, under deployment options select “Download software updates from distribution point and install“. click Next.
We will create a new deployment package named “Endpoint Protection Definition Update Package“, the package source will be \\sccm.prajwal.local\updates\Endpoint ( create a folder named updates, create a new folder called endpoint within Updates folder.) Select Sending Priority to Medium. click Next.
On the Specify distribution points page, click Add and select the distribution point. In this lab we have only one distribution point and that is SCCM.PRAJWAL.LOCAL.
Choose Download software updates from Internet. click next.
On the Confirm Settings page click Next.
The Automatic Deployment Rule has been created successfully, Click close.
Click on Automatic Deployment Rules, right click ADR rule and click Run Now.
Once the ADR is run, it takes some time to download the definition updates and is deployed to the collection. In the below screenshot we see that the Definition updates have been downloaded as well as deployed.
After 2 hours lets see the status of Endpoint Protection on the client machine CLIENT.PRAJWAL.LOCAL.
Wow, the definition updates have been installed and we see that computer status is Protected.