Deploying SCCM 2012 Part 13 – Installing and Configuring Endpoint Protection Role.

Endpoint Protection in System Center 2012 Configuration Manager lets you manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy. Its firewall management is basic and covers the Windows Firewall only.

The Endpoint Protection client has the following capabilities:
1. Malware and Spyware detection and remediation.

2. Rootkit detection and remediation.

3. Critical vulnerability assessment and automatic definition and engine updates.

4. Network vulnerability detection via Network Inspection System.

5. Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.

Installing Endpoint Protection Point Role

Note: The Endpoint Protection role should be installed on one site system server only, and it must be installed at the top of the hierarchy, on a central administration site or a standalone primary site.

In the Configuration Manager console, click Administration. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, right-click the server and click Add Site System Roles. Check the Endpoint Protection Point role.

Accept the terms and click Next.

Choose Basic membership and click Next.

The Endpoint Protection point role has been installed. Click Close.

We will now create custom client device settings for Endpoint Protection. Click Administration in the console and, under Site Configuration, right-click Client Device Settings and create custom client device settings. Check Endpoint Protection and click OK.

On the left side of the settings page, select Endpoint Protection. Under Custom Device Settings, for Manage Endpoint Protection client on client computers, click the drop-down and select True. Click OK.

Right-click the My Custom endpoint settings policy and click Deploy. We will deploy the policy to All Windows 7 Computers.

After a few minutes, we see on the client machine that the Endpoint Protection client is installed.

The Endpoint Protection updates are not yet deployed, so the computer status is at risk and is shown in red. We will deploy the Endpoint Protection updates through SCCM 2012 in the coming steps.

Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager

Antimalware policies determine how Endpoint Protection protects the computers from malware and threats. Policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected. Configuration Manager supplies a selection of predefined templates that are optimized for various scenarios and can be imported into Configuration Manager. These templates can be found in the folder <ConfigMgr Install Folder>\AdminConsole\XMLStorage\EPTemplates. You can choose to create a new antimalware policy or modify the default antimalware policy.

In this post we will create a new antimalware policy. In the Configuration Manager console, click Assets and Compliance. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. Right-click and select Create Antimalware Policy.

In the left pane, click Scan settings. Set Scan removable storage devices to True.

Click Definition updates. For Check Endpoint Protection definitions at specific interval, set the value to 2 hours. Set Force a definition update if the client computer is offline for more than 2 consecutive scheduled updates to True.

For Set sources and order for Endpoint Protection definition updates, click Set Source. Choose Updates distributed from Configuration Manager. Click OK. Click OK again to close the window.

We will now deploy the antimalware policy that we created. Right-click the policy and click Deploy.

The policy will be deployed to All Windows 7 Computers. Click OK.

In Assets and Compliance, select Devices and choose Device Collections. Select the All Windows 7 Computers collection and choose Properties.

Click Alerts and check the box View this collection in the Endpoint Protection Dashboard. Click Add.

In Add New Collection Alerts, check all the boxes and click OK.

Click OK to close the Computer properties window.

Configuring Software Update Point to Download the Endpoint Protection Point Definition Updates.

We will now configure the Software Update Point, select the Endpoint Protection product and download the updates. In the SCCM console, click Administration and, under Site Configuration, click Sites. Under Configure Site Components, click Software Update Point.

Click Products and choose the Forefront Endpoint Protection 2010 product. Click Apply.

On the Classification tab, make sure that Definition Updates are selected. Click OK.

In the SCCM console, click Software Library, then Software Updates. Right-click All Software Updates and choose Synchronize Software Updates.

Click Yes to start the Synchronization process.

We can view the synchronization log file, wsyncmgr.log, located under C:\Program Files\Microsoft Configuration Manager\Logs. Use the CMTrace tool to open the log file.

The Synchronization has completed.
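
As an added example (not part of the original post), the PowerShell below parses log text in the CMTrace format that wsyncmgr.log uses and reports warning and error entries, so a failed synchronization is visible without opening CMTrace. The sample entries, their message text and the function names are constructed for illustration.

```powershell
# Added example: parse CMTrace-format entries, the format wsyncmgr.log is written in.
# The sample entries below are constructed, not taken from a real site server.
$sample = @'
<![LOG[Performing sync on local request]LOG]!><time="10:02:11.120+000" date="05-16-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="sample.cpp:1">
<![LOG[Sync failed: constructed sample error
second line of the same entry]LOG]!><time="10:02:40.503+000" date="05-16-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="sample.cpp:2">
<![LOG[Sync succeeded (constructed sample message)]LOG]!><time="11:05:02.877+000" date="05-16-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="sample.cpp:3">
'@

function ConvertFrom-CMTraceText {
    param([Parameter(Mandatory = $true)][string]$Text)
    # (?s) lets one message span several lines; the type attribute carries the severity.
    $pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:.]+)[+-]\d+" ' +
               'date="(?<date>[\d-]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $stamp = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
        [pscustomobject]@{
            When      = [datetime]::ParseExact($stamp, 'M-d-yyyy H:m:s.fff',
                            [cultureinfo]::InvariantCulture)
            Component = $m.Groups['comp'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            Message   = ($m.Groups['msg'].Value -replace '\s+', ' ')
        }
    }
}

function Get-SyncLogSummary {
    param([Parameter(Mandatory = $true)][string]$Text)
    $entries  = @(ConvertFrom-CMTraceText -Text $Text | Sort-Object When)
    $problems = @($entries | Where-Object { 'Warning', 'Error' -contains $_.Severity })
    [pscustomobject]@{
        Entries     = $entries.Count
        Problems    = $problems
        LastEntry   = $entries[-1]
        # True when the most recent entry is an error, i.e. no later success followed it.
        EndsInError = ($entries.Count -gt 0 -and $entries[-1].Severity -eq 'Error')
    }
}

# To read the real log instead of the sample (path as given on this page):
# $sample = Get-Content -Raw 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log'
$summary = Get-SyncLogSummary -Text $sample
$summary.Problems | Format-Table When, Severity, Message -AutoSize
'Log ends in error: {0}' -f $summary.EndsInError
```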

After a few minutes we can see the definition updates under All Software Updates.

Deploying Endpoint Updates – We can deploy the updates in two ways. The first is to create an ADR (Automatic Deployment Rule). The second is to select all the updates, download them and then deploy them to a collection. We will deploy the Endpoint Protection updates using an Automatic Deployment Rule.
In the CM console, click Software Library, expand Software Updates, right-click Automatic Deployment Rule and click Create Automatic Deployment Rule.

Let's name the rule ADR for Endpoint Protection Updates. Choose All Windows 7 Computers as the collection. The rule will be added to an existing software update group. Click Next.

Set the State message detail level to Minimal, select Automatically deploy all software updates found in this rule and approve license agreements.

Under Property filters, choose Date Released or Revised and Product. Set Date Released or Revised to 1 day and Product to Forefront Endpoint Protection 2010. Click Next.

Check the box “Enable rule to run on a schedule”, click Customize and set it to run every 2 days. Click Next.

Set the Time based on value to UTC. Set the Software available time to 1 hour. Set the Installation deadline to As soon as possible. Click Next.

Do not select anything on this page, click Next.

Click Generate an alert when the following conditions are met. Set the client compliance percentage to 90 and the offset from the deadline to 7 days. Click Next.

For clients on slow site boundaries, under Deployment options select “Download software updates from distribution point and install”. Click Next.

We will create a new deployment package named “Endpoint Protection Definition Update Package”. The package source will be \\sccm.prajwal.local\updates\Endpoint (create a folder named updates, then create a new folder called endpoint within the updates folder). Set Sending priority to Medium. Click Next.

On the Specify distribution points page, click Add and select the distribution point. In this lab we have only one distribution point and that is SCCM.PRAJWAL.LOCAL.

Choose Download software updates from the Internet. Click Next.

On the Confirm Settings page click Next.

The Automatic Deployment Rule has been created successfully. Click Close.

Click Automatic Deployment Rules, right-click the ADR and click Run Now.

Click OK.

Once the ADR has run, it takes some time for the definition updates to be downloaded and deployed to the collection. We then see that the definition updates have been downloaded as well as deployed.

After 2 hours, let's see the status of Endpoint Protection on the client machine CLIENT.PRAJWAL.LOCAL.

Wow, the definition updates have been installed and we see that computer status is Protected.
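
To check the same status without opening the client UI, this added example (not from the original post) evaluates the Endpoint Protection client's WMI health data and flags disabled protection or stale definitions. The function name, the one-day threshold and the sample objects are assumptions; the property names are those commonly exposed by the client's AntimalwareHealthStatus class and should be confirmed on your client version.

```powershell
# Added example: evaluate Endpoint Protection client health from WMI status data.
# Property names follow the client's AntimalwareHealthStatus class as an assumption;
# confirm them with Get-Member on your client version.
function Test-EndpointProtectionHealth {
    param(
        [Parameter(Mandatory = $true)]$Status,   # object shaped like AntimalwareHealthStatus
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxSignatureAgeDays = 1            # assumed threshold, tune to your update schedule
    )
    $findings = @()
    if (-not $Status.AntivirusEnabled) { $findings += 'Antivirus protection is disabled' }
    if (-not $Status.RtpEnabled)       { $findings += 'Real-time protection is disabled' }
    if ($null -eq $Status.AntivirusSignatureAge) {
        $findings += 'Definition age is unknown'
    } elseif ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += 'Definitions are {0} days old' -f $Status.AntivirusSignatureAge
    }
    [pscustomobject]@{
        Computer         = $ComputerName
        SignatureVersion = $Status.AntivirusSignatureVersion
        Protected        = ($findings.Count -eq 0)
        Findings         = $findings -join '; '
    }
}

# Constructed sample objects standing in for two clients (hypothetical names and values).
$samples = @(
    [pscustomobject]@{ Name = 'CLIENT-A'; AntivirusEnabled = $true; RtpEnabled = $true
                       AntivirusSignatureAge = 0; AntivirusSignatureVersion = '1.0.0.0' },
    [pscustomobject]@{ Name = 'CLIENT-B'; AntivirusEnabled = $true; RtpEnabled = $false
                       AntivirusSignatureAge = 9; AntivirusSignatureVersion = '0.9.0.0' }
)
$samples | ForEach-Object { Test-EndpointProtectionHealth -Status $_ -ComputerName $_.Name }

# Against a live client, query the Endpoint Protection WMI namespace instead:
# $s = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' -Class AntimalwareHealthStatus -ComputerName 'CLIENT.PRAJWAL.LOCAL'
# Test-EndpointProtectionHealth -Status $s -ComputerName 'CLIENT.PRAJWAL.LOCAL'
```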


  • John T

    Nice Article.

  • Jeroen Kerkhof

    Hello,
    Thanks for your articles. They were very helpful.
    I have a little question about the software deploy of the endpoint updates. You need a UNC path where the updates are centrally stored. Is there any way in SCCM to automatically clean up this folder?
    My folder is now about 6GB, full of old updates.
    Thanks in advance

  • Sandy

    Don't we have a dashboard like we have in SCCM 2007 which shows collections like Protection service off, Out of date, etc.?

  • @Aleksey – “notification the subscription was created, but letters do not come on emails.” – What exactly do you mean by letters do not come on emails? By the way, have you configured the email notification feature? Check the attached screenshot.

    • Prajwal, yes, I have configured the email notification feature. I meant that alerts don’t work when Endpoint Protection finds viruses on computers of users, so letters don’t come to e-mail. I have solved this problem. Problems were in the table “Alertfortriggers” in SCCM Database.

  • Habibalby Al Sayed

    I’m new to SCCM. A vendor engineer deployed the system while I was away and, by searching blogs and forums, I have noticed most of the things are not done as per the best practices.

    1. Auto Update is not being pushed automatically, even though I have made all the necessary configuration following blogs / forums.

    2. I have noticed some of the clients are not installed with the agent, and when I select to install the client, nothing is happening.

    Any help please?

    Regards,

    • You need to examine log files to determine why the client push is not happening. Have you done that?

  • Check the CCM.log file on the server. FYI, here you will find solutions to your questions – http://prajwaldesai.com/community/forums/system-center-configuration-manager.4/

    • Habibalby Al Sayed

      Thanks Prajwal, let me go through and will let you know how it goes.
      Much appreciate your support.
      Regards,

    • Habibalby Al Sayed

      One of various logs… 🙂

      \GBRADYadmin$ using machine account (67) SMS_CLIENT_CONFIG_MANAGER 5/16/2016 11:03:55 AM 8552 (0x2168)
      \GBRADYadmin$ share using account ‘Machine Account’ SMS_CLIENT_CONFIG_MANAGER 5/16/2016 11:03:55 AM 8552 (0x2168)
      —> ERROR: Unable to access target machine for request: “2097152279”, machine name: “GBRADY”, access denied or invalid network path. SMS_CLIENT_CONFIG_MANAGER 5/16/2016 11:03:55 AM 8552 (0x2168)

    • Habibalby Al Sayed

      Please have a look at the screenshot, which shows some of the clients are getting, but the majority of them are not… I can send you another screenshot if you wish…

  • JEmlay

    Hello, I was hoping you could help me with a little issue I’m having. I’ve made changes to my Antimalware Policy; however, those changes aren’t getting to my clients. When I look at my devices I see that everyone has the proper policy (Succeeded); however, the date appears to be the date the machine was installed and put into service. So it’s getting the policy when the SCCM client installs, then never again.

    Is there a way to push this out on an interval? Secondly, is there a way to manually push it out for testing purposes?

    Many thanks for your time!