Installing And Configuring Endpoint Protection Role In SCCM 2012 R2


In this post we will look at the steps for installing and configuring the Endpoint Protection role in SCCM 2012 R2. Endpoint Protection in System Center 2012 R2 Configuration Manager allows you to manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy. Endpoint Protection helps protect your PC from malicious software (malware) such as viruses, spyware, and other potentially harmful software. Before you install the Endpoint Protection role you need to install the prerequisites: Windows Server Update Services (WSUS) must be installed and configured for software updates synchronization if you want to use Configuration Manager software updates to deliver definition and engine updates.


When you install Endpoint Protection with Configuration Manager you get the following advantages:

  1. Endpoint Protection in Configuration Manager allows you to manage Windows Firewall settings in the Configuration Manager console. You can also configure antimalware policies and apply that to selected groups of computers, by using custom antimalware policies and client settings.
  2. Configuration Manager software updates can be used to download the latest antimalware definition files to keep client computers up-to-date.
  3. You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Where should I install the Endpoint Protection role? The Endpoint Protection point site system role must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone primary site.

Before you begin installing the Endpoint Protection role, you must have WSUS installed and configured for software updates synchronization. A software update point site system role must be installed and configured if you want to use Configuration Manager software updates to deliver definition and engine updates.

To install the Endpoint Protection Role, launch the Configuration Manager console, click Administration. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, right click the server and click Add site system roles. Check the role Endpoint Protection Point. Click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 1

Click on I accept the EP license terms and click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 2

For MAPS membership type select Basic Membership, click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 3

The Endpoint Protection role has been installed successfully. Click Close.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 4

After the installation of the Endpoint Protection role, we will now create custom client device settings for Endpoint Protection. You need to enable this setting to install the Endpoint Protection client on systems. In the Configuration Manager console click Administration, under Site Configuration right click Client Device Settings and click Create Custom Client Device Settings. Specify a name for the custom client device settings, check Endpoint Protection and click OK.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 5

In the left pane click the Endpoint Protection setting; on the right side set Manage Endpoint Protection client on client computers to Yes. When you enable this setting, Configuration Manager can be used to manage the Endpoint Protection clients on the client computers. Below it is another setting, Install Endpoint Protection client on client computers. When you enable this setting and these device settings are deployed to the target collection, the Endpoint Protection client is installed on all the computers in the target collection. Likewise you can configure the remaining settings as per your requirements. Click OK.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 6

The EP client device settings that we created in the above step are deployed to the target collection named All Windows 7 Computers.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 7

After a few minutes, when you log in to one of the machines in the target collection to which the EP client device settings were applied, you see that the EP client has been installed but needs to be updated (status color is red) because the definition updates are missing.

Note: When you install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint Protection point.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 8

Next we will create an antimalware policy. Antimalware policies, when deployed to collections, specify how Endpoint Protection protects them from malware and other threats. These antimalware policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected. When you enable Endpoint Protection, a default antimalware policy is applied to client computers. You can also use additional policy templates that are supplied or create your own custom antimalware policies to meet the specific needs of your environment. It’s recommended to create your own antimalware policy.

To create an antimalware policy, in the Configuration Manager console, click Assets and Compliance, expand Endpoint Protection, right click Antimalware Policies and click Create Antimalware Policy.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 9

Specify a name for the new antimalware policy and enable all the settings as shown in the below screenshot. Click OK.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 10

In the left pane, click Definition updates; the right pane shows the settings that control how EP clients will receive definition updates.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 11

Click Set Source. A new window shows the sources from which definition updates can be delivered to the EP clients. Uncheck all the sources, select Updates distributed from Configuration Manager and click OK. This option uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 12

In the left pane select Scan Settings. In the right pane you will find the scan settings, such as scan email and attachments, scan removable drives, etc. Configure these settings as per your requirements and click OK.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 13

The next step is to deploy the custom antimalware policy to a collection. Right click on the antimalware policy and click Deploy. Choose the target collection and click OK.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 14

In the Configuration Manager console, click Assets and Compliance, select Devices and choose Device Collections. Right click the target collection to which you deployed the antimalware policy and click Properties. Click Alerts and check the box View this collection in the Endpoint Protection Dashboard. Click Add.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 15

In Add New Collection Alerts window, check all the boxes and click OK. Click OK again to close the Computer properties window.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 16

We will now configure the Software Update Point to download the EP definition updates. In the Configuration Manager console, click Administration, and under Site Configuration click Sites. Under Configure Site Components, click Software Update Point. In the Classifications tab you must select Definition Updates. Click Apply.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 17

In the Products tab, select Forefront Endpoint Protection 2010 as the product and click Apply and then click OK.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 18

In the Configuration Manager console, click Software Library, expand Software Updates, right click All Software Updates and choose Synchronize Software Updates. After the synchronization process is over you should see the list of definition updates under All Software Updates.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 19

We will now select all the definition updates and put them inside a Software Update Group (SUG). To create a SUG, select the updates, right click and click Create Software Update Group. Provide a name for the SUG and click Create.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 20

Click on Software Update Groups, right click on the Software Update Group that we created and click on Deploy.

There are 2 ways to deploy the definitions: Manual and Automatic. In this example we will be deploying the EP definitions manually. If you want to deploy definition updates using the Automatic method, you can create an Automatic Deployment Rule.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 21

Specify the Deployment Name, choose the collection to which you want to deploy this software update deployment. Click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 22

Set the Type of Deployment to Required and set the Detail Level to Only success and error messages. Click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 23

Set Time based on to Client local time, Software available time to Specific time, and Installation deadline to As soon as possible. Click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 24

Click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 25

If you are using Configuration Manager software updates to distribute definition updates, consider placing definition updates in a package that does not contain other software updates. This keeps the size of the definition update package smaller which allows it to replicate to distribution points more quickly.

We will create a new deployment package to deploy the definition updates. Specify the Name and Package source and click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 26

Add the DP and click Next.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 27

Choose Download software updates from the Internet. Click Next and click Close to close the wizard.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 29

On the client machine we see a notification that Software changes are required.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 30

The definition updates are downloaded from the DP and then installed on the client systems.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 31

The definition updates are installed successfully.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 32

Now see the change: the status of the EP client is green and the virus and spyware definitions are up to date.

Installing And Configuring Endpoint Protection Role In SCCM 2012 R2 Snap 33
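The red/green client status checked by hand above can also be verified across several machines from an admin workstation. This is an added example, not part of the original post: the computer names and the 3-day threshold are constructed assumptions, and it assumes the Endpoint Protection client publishes the AntimalwareHealthStatus WMI class in root\Microsoft\SecurityClient with the property names used here (confirm on your client version).

```powershell
# Added example: audit Endpoint Protection client health on machines in the target collection.
$Computers     = @('WIN7-CLIENT01', 'WIN7-CLIENT02')   # constructed sample names
$MaxSigAgeDays = 3                                     # assumed threshold, adjust to your policy

function Get-EPClientHealth {
    param(
        [string[]]$ComputerName,
        [int]$MaxSignatureAgeDays = 3
    )
    foreach ($computer in $ComputerName) {
        try {
            # Health data published by the EP client (assumed namespace and class, see lead-in)
            $s = Get-WmiObject -ComputerName $computer `
                     -Namespace 'root\Microsoft\SecurityClient' `
                     -Class AntimalwareHealthStatus -ErrorAction Stop

            $issues = @()
            if (-not $s.Enabled)    { $issues += 'antimalware service disabled' }
            if (-not $s.RtpEnabled) { $issues += 'real-time protection off' }
            if ($s.AntivirusSignatureAge   -gt $MaxSignatureAgeDays) { $issues += 'virus definitions stale' }
            if ($s.AntispywareSignatureAge -gt $MaxSignatureAgeDays) { $issues += 'spyware definitions stale' }

            New-Object PSObject -Property @{
                Computer       = $computer
                ClientVersion  = $s.Version
                AVSignature    = $s.AntivirusSignatureVersion
                AVSignatureAge = $s.AntivirusSignatureAge
                Healthy        = ($issues.Count -eq 0)
                Issues         = ($issues -join '; ')
            }
        }
        catch {
            # A missing namespace usually means the EP client is not installed;
            # RPC or access errors mean the machine could not be queried at all.
            New-Object PSObject -Property @{
                Computer       = $computer
                ClientVersion  = $null
                AVSignature    = $null
                AVSignatureAge = $null
                Healthy        = $false
                Issues         = "query failed: $($_.Exception.Message)"
            }
        }
    }
}

Get-EPClientHealth -ComputerName $Computers -MaxSignatureAgeDays $MaxSigAgeDays |
    Select-Object Computer, Healthy, ClientVersion, AVSignature, AVSignatureAge, Issues |
    Format-Table -AutoSize
```

Machines that report Healthy as False with stale definitions correspond to the red status shown before the definition update deployment.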

  • Arshad

    Hi Prajwal,

    Nice Post.

    I would like to know if you have Kaspersky 10 client push steps for SCCM 2012.

    As I am trying to push some clients as a Kaspersky 10 test, it fails in Software Center during installation, or sometimes I am unable to see anything in SC.

    My procedure:

    Created as an application package with a manual script file & program tab ” setup.exe” / a / s. (also DP added). Can you help me out with where I am going wrong…….?

    (2) After KP 10 push, can we push the update 10.2 on the existing KP 10 clients?

    Thanking You

    Best Regards

    Arshad

    • Is KP 10 available for download? I will try the app deployment in my lab and will give you the exact steps.

  • capricorn

    Hi!

    Any tips for client-side troubleshooting? Sometimes one or two clients start scanning daily. They have the right policy and everything, but I can't figure out why they scan daily.

  • arshad

    Hi Prajwal,

    Fine. I will give more info by opening the ticket.

    Regards,
    Arshad

  • Reza Prawirasatya

    Prajwal,

    On my current SCCM 2007 R3 SP2 with FEP 2010, I setup FEP alert to e-mail me any virus outbreak. I couldn’t seem to find this setting on my SCCM 2012 R2 with SCEP 2012 (I did configure it already).

    Would you please let me know?

    Thanks, Reza

  • Hi Reza, you can get alerts by creating a subscription for that alert.

  • Naveen Punj

    Nice post buddy… really appreciate your hard work…
    When we create a software update group, we can right-click and download the data related to this metadata and keep it in a separate shared folder.
    We can download these updates directly while deploying the updates as well, as shown in this post…

    • @Naveen – Yes you can download the updates before and store them in a folder. This is the normal practice followed.

      You can also choose to download updates while deploying them to the clients. However, if the updates fail to download you might have to start again, so the first method is recommended.

  • Andrewjohnporter

    Hi Prajwal,

    Do you happen to know what the SUP Product ‘Forefront Client Security’ does?

    Thanks,

    Andrew

    • Forefront client security was a security software which was more like an AV. Later Microsoft replaced Forefront Client Security with a newer product called Forefront Endpoint Protection 2010. But malware updates are still available for Forefront Client Security clients.

      • Andrewjohnporter

        Ok, so if we have Forefront Endpoint Protection deployed to our clients and that Product selected in the SUP settings then we don’t need Forefront Client Security selected (must be an old setting from a few years back I guess)

  • FlavioPena

    Hello everyone! Prajwal Desai, thank you for posting these installs. Is anyone having an issue where the latest definition updates are being deployed through an ADR rule but when you go to the actual definition under Software Library, it shows as Required 0? Everything was working fine until the 21st of this month, 03/21/16. All of my clients' last update definition is 1.215.2461.0 and now their definitions are out of date. They obviously do need the latest definition, but according to SCCM there are 0 Required that need the latest definition? Windows Updates are still being deployed and installing correctly, so my clients are reporting correctly to my main site server. I don’t know what else to look for. Any suggestions? I’m running on 2012 R2 SP1 CU3 update and my clients are running on the latest hotfix for that CU3 update, which is 5.00.8239.1403

  • Tuan

    What would be the query to detect all SCEP installed on all devices?
    Thanks

  • Skylar Ragan

    So, I’ve been following the steps in this (and your previous guides) pretty closely, but after I Synchronize Software updates, I’m not seeing a single one for Definition Update for Microsoft Endpoint Protection. I have other updates (I followed the previous guide for “How To Deploy Microsoft Office 2013 Using SCCM 2012 R2”), but no definition updates. What am I missing?