In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality, Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by Enabling some Discovery methods and creating Boundary's and Boundary Groups. In Part 4 we configured Client Settings, Added roles and Distributed the Configmgr Client to our Computers within the LAB, now we will enable the Endpoint Protection Role and configure Endpoint Protection settings and we will target All Windows 7 Computers with these settings and policies.

Note: In Part 2 we selected Definition Updates in the Classifications screen to support Endpoint Protection as part of the SUP role setup, if you havn't completed that part then do so now before continuing.

Below is an Introduction to Endpoint Protection in Configuration Manager, for more info see the following on Technet - http://technet.micro...y/hh508781.aspx

When you use Endpoint Protection with Configuration Manager, you benefit from the following: You can configure antimalware policies and Windows Firewall

settings to selected groups of computers, by using custom antimalware policies and client settings.

You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.

You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Endpoint Protection installs its own client, which is in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities:

Malware and Spyware detection and remediation. Rootkit detection and remediation.

Critical vulnerability assessment and automatic definition and engine updates.

Integrated Windows Firewall management.

Network vulnerability detection via Network Inspection System.

Recommended Reading:-

Prerequisites for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh508780.aspx

Best Practices for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh508771.aspxAdministrator Workflow for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh526775.aspx

Step 1. Configure the Endpoint Protection RolePerform the following on the SCCM server as SMSadmin

Note: The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can set EndPoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site.

In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Servers and Site System Roles and click on Home in the Ribbon and click on Add Site System Roles.

when the wizard appears click next

Select the Endpoint Protection Point role and click next

Read and then accept the License Agreement terms

Next you get some choices about Microsoft Active Protection service, you can opt in, or opt out, let's select Basic Membership.

click next at the summary and review the status on the completion screen.

within a few minutes you'll see the Endpoint Protection client appear in the System Tray of your ConfigMgr Server (this is normal behaviour and is expected, you must have the SCEP client installed on your ConfigMgr Server hosting the Endpoint Protection role).

Note: you can review the EPSetup.log on the server to monitor role installation progress.

Step 2. Configure alerts for Endpoint ProtectionPerform the following on the SCCM server as SMSadmin

Note: Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts can be displayed in the Configuration Manager console, through reports, or optionally can be emailed to specified users. You can configure Endpoint Protection alerts in System Center 2012 Configuration Manager to notify administrative users when specific security events occur in your hierarchy. Notifications display in the Endpoint Protection dashboard in the Configuration Manager console, in reports, and you can configure them to be emailed to specified recipients.

Configure Email Notification (Optional)If you have access to an SMTP server then you can optionally configure Email Notification Alerts. In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Email Notification.

enter your desired settings for SMTP and click Apply. Note that you can test your SMTP settings also.

Configure Alerts for CollectionsNext let's configure Alerts for a Collection, but first let's create a collection called All Windows 7 Computers (in a LAB this is fine for what we want to do, in Production you should create EndPoint Protection specific Collections).

Note:- You cannot configure alerts for User Collections.Click on Assets and Complicance in the console,click on Device Collections and in the ribbon click on Create Device Collection.

Call the collection All Windows 7 Computers and limit it to All Systems

click next, choose Query Rule from the drop down menu and fill in a Query like so (edit query statement, criteria, show query language and replace the code with the below)

select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

set the schedule as follows (it's a LAB)

click next through the wizard, the collection is now created.

In Assets and Compliance select Devices and choose Device Collections, select the All Windows 7 Computers collection (we have no computers in this collection yet but we will have soon), choose properties

Click on the Alerts tab and place a checkmark in View this collection in the Endpoint Protection Dashboard

click on Add and select all the options

click ok and leave the other Alert settings as they are

Step 3. Configure the SUP Products to Sync and Perform a SyncPerform the following on the SCCM server as SMSadmin

Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.

In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.

change the Sync Schedule to 1 days

Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates

answer Yes to the Sync

at this point you can review the Wsyncmgr.log in CMtrace

Step 4. Configure SUP to deliver Definition Updates using an Automatic Deployment RulePerform the following on the SCCM server as SMSadmin

In the Configuration Manager console, click Software Library, expand Software Updates and click on Automatic Deployment Rules

in the Ribbon click on Create Automatic Deployment Rule and the wizard appears, give the rule a suitable name like Automatic Deployment Rule for Endpoint Protection and point it to our previously created All Windows 7 Computers collection, select add to an exisiting software update group

On the Deployment Settings page of the wizard select Minimal from the Detail level drop-down list and then click Next this reduces State Messages returned and thus reduces Configuration Manager server load

on the Software Updates page select Date Released or Revised

in the Search Criteria pane, click on Value to find and select Last 1 day

In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.

for Evaluation Schedule, click on Customize and set it to run every 1 days

for Deployment Schedule set Time based on: UTC (if you want all clients in the hierarchy to install the latest definitions at the same time. This setting is a recommended best practice.), for software available select 2 hours to allow sufficient time for the Deployment to reach all Distribution Points and select As soon as possible for the installation Deadline.

for the User Visual Experience select Hide from the drop down menu

for Alerts enable the option to generate an alert

for download settings as the definition updates are important let's download them even if on slow networks

For Deployment Package we are creating a new one so give it a suitable name like Endpoint Protection Definition Updates and point it to a previously created folder

Note: Make sure that \\sccm\sources\updates\Endpoint (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won't exist. In addition Everytime this ADR runs it will want to create a new deployment package as specified above, we do not want this to happen so after running the ADR once, retire it and

create a new ADR except this time point the deployment package to the packaged which is now created called Endpoint Protection Definition Updates.

click your way through the rest of the Wizard till completion

if you scroll to the right you'll see nothing has been downloaded, yet...(because our Automatic Deployment Rule hasn't run yet since the sync)

so let's force the Automatic Deployment Rule to run now, right click on our ADR and choose Run Now

and after a few minutes look at our Definition Updates again, notice the difference ?

Step 5. Configure Custom Client Settings for Endpoint Protection Perform the following on the SCCM server as SMSadmin

Note: Do not configure the default Endpoint Protection client settings unless you are sure

that you want these applied to all computers in your hierarchy.

Below is an explanation of the EndPoint Protection settings available:-

Quote

Manage Endpoint Protection client on client computers Select True if you want to manage existing Endpoint Protection clients on

computers in your hierarchy. Select this option if you have already installed the Endpoint Protection

client and want to manage it with Configuration Manager.

You should also select this option if you want to create a script to uninstall an existing antimalware solution, install the Endpoint Protection client and deploy this script using a Configuration Manager application or package and program.

Install Endpoint Protection client on client computers Select True to install and enable the Endpoint Protection client on client

computers where it is not already installed.

Automatically remove previously installed antimalware software before Endpoint Protection is installed Select True to uninstall existing antimalware software.

Note Endpoint Protection uninstalls the following antimalware software only:

All current Microsoft antimalware products except for Windows InTune and Microsoft Security EssentialsSymantec AntiVirus Corporate Edition version 10Symantec Endpoint Protection version 11Symantec Endpoint Protection Small Business Edition version 12Mcafee VirusScan Enterprise version 8Trend Micro OfficeScan

Suppress any required computer restart after the Endpoint Protection client installed Select True to suppress a computer restart if it is required after the

Endpoint Protection client installs.

Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)

Specify the number of hours that users can postpone a computer restart if this is required after the Endpoint Protection client installs.

Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers

Select True if you want to allow only Configuration Manager to install the initial definition update on client computers. This setting can be helpful to avoid unnecessary network connections and reduce network bandwidth during the initial installation of the definition update.

In the Configuration Manager console, click Administration, click Client Settings and on the Home tab in the Create group, click Create Custom Client Device Settings.

Select Endpoint Protection and call it Custom Client Device Endpoint Protection Settings

click on Endpoint Protection and review the settings, change them to as follows:- Manage Endpoint Protection Client on Client Computers =

True Install Endpoint Protection Client on Client Computers = True

Automatically remove previously installed antimalware software before Endpoint Protection is installed = True

Suppress any required computer restart after the Endpoint Protection client installed = False

Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours) = 1

Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers = True

click ok when done, right click on the new custom settings and choose Deploy

select our All Windows 7 Computers collection and choose Ok.

Step 6. Configure Custom AntiMalware PoliciesPerform the following on the SCCM server as SMSadmin

Note: Do not configure the default client Malware Policy unless you are sure that you want these applied to all computers in your hierarchy.

There are several pre-created AntiMalware Policies available, to review/use them click on Import. (see screenshot below)

We will create our own policy in this LAB so in the Configuration Manager console, click Assets and

Compliance, click Endpoint Protection, select Antimalware Policies. In the ribbon select Create Antimalware Policy

give the policy a name like Custom Endpoint Protection Antimalware Policy

for Scheduled scans change to Daily at 12 pm (default was Saturday, 2am) and set it to check for latest definition updates before the scan and to randomize the scan start time

for Definition Updates set the check to 2 hours and click on set source, only select Updates distributed from Configuration Manager (deselet the other options)

Note: if your SCCM server has no internet access you can configure it to check for updates from UNC file shares

Click Ok, Ok.

Right click our Custom Endpoint Protection Antimalware Policy and select Deploy, choose our All Windows 7 Computers Collection as we did for the Device settings above.

that's it we are done !

we have now created custom Client Device settings and a Custom Antimalware Policy for our All Windows 7 Computers collection, in further posts we will add some computers to that collection and verify our Endpoint Protection settings.