Jump to content


anyweb

using SCCM 2012 in a LAB - Part 5. Enable the Endpoint Protection Role and configure Endpoint Protection settings

Recommended Posts

In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality, Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by Enabling some Discovery methods and creating Boundary's and Boundary Groups. In Part 4 we configured Client Settings, Added roles and Distributed the Configmgr Client to our Computers within the LAB, now we will enable the Endpoint Protection Role and configure Endpoint Protection settings and we will target All Windows 7 Computers with these settings and policies.

Note: In Part 2 we selected Definition Updates in the Classifications screen to support Endpoint Protection as part of the SUP role setup, if you havn't completed that part then do so now before continuing.


Below is an Introduction to Endpoint Protection in Configuration Manager, for more info see the following on Technet - http://technet.micro...y/hh508781.aspx

When you use Endpoint Protection with Configuration Manager, you benefit from the following:

  • You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
  • You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
  • You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Endpoint Protection installs its own client, which is in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities:

  • Malware and Spyware detection and remediation.
  • Rootkit detection and remediation.
  • Critical vulnerability assessment and automatic definition and engine updates.
  • Integrated Windows Firewall management.
  • Network vulnerability detection via Network Inspection System.

Recommended Reading:-

Prerequisites for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh508780.aspx
Best Practices for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh508771.aspx
Administrator Workflow for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh526775.aspx


Step 1. Configure the Endpoint Protection Role

Perform the following on the SCCM server as SMSadmin

Note: The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can set EndPoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site.

In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Servers and Site System Roles and click on Home in the Ribbon and click on Add Site System Roles.

home in the ribbon.png

when the wizard appears click next

wizard next.png

Select the Endpoint Protection Point role and click next

select endpoint protection role.png

Read and then accept the License Agreement terms

eula for endpoint.png

Next you get some choices about Microsoft Active Protection service, you can opt in, or opt out, let's select Basic Membership.

microsoft active protection service.png

click next at the summary and review the status on the completion screen.

ep role added.png

within a few minutes you'll see the Endpoint Protection client appear in the System Tray of your ConfigMgr Server (this is normal behaviour and is expected, you must have the SCEP client installed on your ConfigMgr Server hosting the Endpoint Protection role).

ep client in systray.png

Note: you can review the EPSetup.log on the server to monitor role installation progress.



Step 2. Configure alerts for Endpoint Protection

Perform the following on the SCCM server as SMSadmin

Note: Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts can be displayed in the Configuration Manager console, through reports, or optionally can be emailed to specified users. You can configure Endpoint Protection alerts in System Center 2012 Configuration Manager to notify administrative users when specific security events occur in your hierarchy. Notifications display in the Endpoint Protection dashboard in the Configuration Manager console, in reports, and you can configure them to be emailed to specified recipients.

Configure Email Notification (Optional)

If you have access to an SMTP server then you can optionally configure Email Notification Alerts. In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Email Notification.

email notification.png

enter your desired settings for SMTP and click Apply. Note that you can test your SMTP settings also.

test smtp connection.png

Configure Alerts for Collections

Next let's configure Alerts for a Collection, but first let's create a collection called All Windows 7 Computers (in a LAB this is fine for what we want to do, in Production you should create EndPoint Protection specific Collections).

Note:- You cannot configure alerts for User Collections.Click on Assets and Complicance in the console,click on Device Collections and in the ribbon click on Create Device Collection.

create device collection.png

Call the collection All Windows 7 Computers and limit it to All Systems

create device collection wizard.png

click next, choose Query Rule from the drop down menu and fill in a Query like so (edit query statement, criteria, show query language and replace the code with the below)

select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

query rule properties.png

set the schedule as follows (it's a LAB)

custom schedule.png

click next through the wizard, the collection is now created.

collection created.png

In Assets and Compliance select Devices and choose Device Collections, select the All Windows 7 Computers collection (we have no computers in this collection yet but we will have soon), choose properties

properties of collection.png

Click on the Alerts tab and place a checkmark in View this collection in the Endpoint Protection Dashboard

alerts tab.png

click on Add and select all the options

alerts options.png

click ok and leave the other Alert settings as they are

alerts tab configured.png



Step 3. Configure the SUP Products to Sync and Perform a Sync

Perform the following on the SCCM server as SMSadmin

Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.

software update point components.png

In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.

forefront endpoint protection.png

change the Sync Schedule to 1 days

1 day sync.png

Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates

sync now.png

answer Yes to the Sync

yes to sync.png

at this point you can review the Wsyncmgr.log in CMtrace

done syncing.png



Step 4. Configure SUP to deliver Definition Updates using an Automatic Deployment Rule

Perform the following on the SCCM server as SMSadmin

In the Configuration Manager console, click Software Library, expand Software Updates and click on Automatic Deployment Rules

Automatic Deployment Rules.png

in the Ribbon click on Create Automatic Deployment Rule and the wizard appears, give the rule a suitable name like Automatic Deployment Rule for Endpoint Protection and point it to our previously created All Windows 7 Computers collection, select add to an exisiting software update group

add to an existing software update group.png

On the Deployment Settings page of the wizard select Minimal from the Detail level drop-down list and then click Next this reduces State Messages returned and thus reduces Configuration Manager server load

detail level minimum.png

on the Software Updates page select Date Released or Revised

value to find.png

in the Search Criteria pane, click on Value to find and select Last 1 day

last 1 day.png

In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.
product = forefront endpoint protection 2010.png

for Evaluation Schedule, click on Customize and set it to run every 1 days,

Tip: notice that the Synchronization Schedule is listed below, make sure that this occurs at least 2 hours before you evaluate for Forefront Endpoint Protection definition updates, there is no point checking for updates if we haven't synchronized yet.

every 1 days.png

for Deployment Schedule set Time based on: UTC (if you want all clients in the hierarchy to install the latest definitions at the same time. This setting is a recommended best practice.), for software available select 2 hours to allow sufficient time for the Deployment to reach all Distribution Points and select As soon as possible for the installation Deadline.

adr deployment schedule.png

for the User Visual Experience select Hide from the drop down menu

hide user visual experience.png

for Alerts enable the option to generate an alert

generate an alert.png

for download settings as the definition updates are important let's download them even if on slow networks

download settings.png

For Deployment Package we are creating a new one so give it a suitable name like Endpoint Protection Definition Updates and point it to a previously created folder

Note: Make sure that \\sccm\sources\updates\Endpoint (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won't exist. In addition Everytime this ADR runs it will want to create a new deployment package as specified above, we do not want this to happen so after running the ADR once, retire it and create a new ADR except this time point the deployment package to the packaged which is now created called Endpoint Protection Definition Updates.


create a new deployment package.png

click your way through the rest of the Wizard till completion

adr done.png

if you scroll to the right you'll see nothing has been downloaded, yet...(because our Automatic Deployment Rule hasn't run yet since the sync)

not downloaded.png

so let's force the Automatic Deployment Rule to run now, right click on our ADR and choose Run Now

automatic deployment rules run now.png

and after a few minutes look at our Definition Updates again, notice the difference ?

downloaded yes.png


Step 5. Configure Custom Client Settings for Endpoint Protection

Perform the following on the SCCM server as SMSadmin

Note: Do not configure the default Endpoint Protection client settings unless you are sure that you want these applied to all computers in your hierarchy.

Below is an explanation of the EndPoint Protection settings available:-




Manage Endpoint Protection client on client computers

  • Select True if you want to manage existing Endpoint Protection clients on computers in your hierarchy.
  • Select this option if you have already installed the Endpoint Protection client and want to manage it with Configuration Manager.
  • You should also select this option if you want to create a script to uninstall an existing antimalware solution, install the Endpoint Protection client and deploy this script using a Configuration Manager application or package and program.

Install Endpoint Protection client on client computers

  • Select True to install and enable the Endpoint Protection client on client computers where it is not already installed.

Automatically remove previously installed antimalware software before Endpoint Protection is installed

  • Select True to uninstall existing antimalware software.

gg682067.note%28en-us,TechNet.10%29.gifNote Endpoint Protection uninstalls the following antimalware software only:

All current Microsoft antimalware products except for Windows InTune and Microsoft Security Essentials
Symantec AntiVirus Corporate Edition version 10
Symantec Endpoint Protection version 11
Symantec Endpoint Protection Small Business Edition version 12
Mcafee VirusScan Enterprise version 8
Trend Micro OfficeScan

Suppress any required computer restart after the Endpoint Protection client installed

  • Select True to suppress a computer restart if it is required after the Endpoint Protection client installs.

Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)

  • Specify the number of hours that users can postpone a computer restart if this is required after the Endpoint Protection client installs.

Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers

  • Select True if you want to allow only Configuration Manager to install the initial definition update on client computers. This setting can be helpful to avoid unnecessary network connections and reduce network bandwidth during the initial installation of the definition update.

 

 

In the Configuration Manager console, click Administration, click Client Settings and on the Home tab in the Create group, click Create Custom Client Device Settings.

create customclient device settings.png

Select Endpoint Protection and call it Custom Client Device Endpoint Protection Settings

custom client device endpoint protection settings.png

click on Endpoint Protection and review the settings, change them to as follows:-

 

  • Manage Endpoint Protection Client on Client Computers = True
  • Install Endpoint Protection Client on Client Computers = True
  • Automatically remove previously installed antimalware software before Endpoint Protection is installed = True
  • Suppress any required computer restart after the Endpoint Protection client installed = False
  • Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours) = 1
  • Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers = True

endpoint protection manage clients.png

click ok when done, right click on the new custom settings and choose Deploy

deploy custom client settings.png

select our All Windows 7 Computers collection and choose Ok.

deploy to all windows 7 computers.png



Step 6. Configure Custom AntiMalware Policies

Perform the following on the SCCM server as SMSadmin

Note: Do not configure the default client Malware Policy unless you are sure that you want these applied to all computers in your hierarchy.

There are several pre-created AntiMalware Policies available, to review/use them click on Import. (see screenshot below)

import antimalware policies.png

We will create our own policy in this LAB so in the Configuration Manager console, click Assets and Compliance, click Endpoint Protection, select Antimalware Policies. In the ribbon select Create Antimalware Policy

create antimalware policy.png

give the policy a name like Custom Endpoint Protection Antimalware Policy

custom endpoint protection antimalware policy.png

for Scheduled scans change to Daily at 12 pm (default was Saturday, 2am) and set it to check for latest definition updates before the scan and to randomize the scan start time

scheduled scans.png

for Definition Updates set the check to 2 hours and click on set source, only select Updates distributed from Configuration Manager (deselet the other options)

Note: if your SCCM server has no internet access you can configure it to check for updates from UNC file shares

updates distributed from Configuration Manager.png

Click Ok, Ok.


Right click our Custom Endpoint Protection Antimalware Policy and select Deploy, choose our All Windows 7 Computers Collection as we did for the Device settings above.

deploy custom antimalware policy.png

that's it we are done !

we have now created custom Client Device settings and a Custom Antimalware Policy for our All Windows 7 Computers collection, in further posts we will add some computers to that collection and verify our Endpoint Protection settings.

Note: If you are having issues with the client installing or getting the Endpoint Protection role installed please refer to the following Endpoint Protection Log files.

  • EndpointProtectionAgent.log - Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client.
  • EPCtrlMgr.log - Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database.
  • EPMgr.log - Monitors the status of the Endpoint Protection site system role.
  • EPSetup.log - Provides information about the installation of the Endpoint Protection site system role.
  • Like 1

Share this post


Link to post
Share on other sites

Hi together,

i got problems with the automatic deployment rule. i get the error code 0X87D20417 with the following information: automatic deployment rule download failed. when i start the download of a forefront update manualy i works great and places the update in the selected folder.

Can anyone give my a little bit help.

in the ruleengine.log i got the following error: Failed to download the update from internet. Error = 5 and in the next line Failed to download contentID 16791605 for UpdateID 16792808. Error code = 5.

:(

Brgds, Jan

Share this post


Link to post
Share on other sites

Hi

 

I'm doing some testing in deploying FEP 2012 to clients in another state but in monitoring its showing that the clients haven't been deployed.

 

I'm wondering if there is a way to see why the clients didn't install so that i can remedy it. Looking around i can't seem to find any logs or monitoring for whether the FEP client error out.

 

Thanks

Share this post


Link to post
Share on other sites

are you referring to EP as from being installed above or purely talking about FEP 2012 on a different version of SCCM ? please clarify

Share this post


Link to post
Share on other sites

I noticed something in my lab environment.

 

1. System Center 2012 Endpoint Protection shows as: real-time protection OFF and virus and spyware definitions Out of date

 

How do I go about changing these settings? I can't find them on SCCM.

Share this post


Link to post
Share on other sites

if you follow what I did above then real time protection will be ON and your virus definitions will be up to date assuming you are checking on a Windows 7 client in the All Windows 7 computers collection as that's where we targetted the deployments

can you please double check ?

Share this post


Link to post
Share on other sites

if you follow what I did above then real time protection will be ON and your virus definitions will be up to date assuming you are checking on a Windows 7 client in the All Windows 7 computers collection as that's where we targetted the deployments

can you please double check ?

 

Yup, you're right. It takes a few minutes (10-20min) before SCCM starts to deploy the updates; I was not waiting long enough.

 

Thanks!

  • Like 1

Share this post


Link to post
Share on other sites

Hi together,

i got problems with the automatic deployment rule. i get the error code 0X87D20417 with the following information: automatic deployment rule download failed. when i start the download of a forefront update manualy i works great and places the update in the selected folder.

Can anyone give my a little bit help.

in the ruleengine.log i got the following error: Failed to download the update from internet. Error = 5 and in the next line Failed to download contentID 16791605 for UpdateID 16792808. Error code = 5.

:(

Brgds, Jan

 

I've got the same problem but in my situation even manual initiated download gives me "Access Denied" so if you have any solution for this please let me know.

Share this post


Link to post
Share on other sites

so if i was serious about the deployment, should these be the settings i choose for deploying?

 

Date released or revised > 1 day

Product > "ForeFront EndPoint Protection 2010"

Update Classification > Defintion updates

 

BTW i thank you for getting me started very quickly. i have instructed all people around my organzation to your site for helpful tips and trciks, as wellas the amazing guides. any hope of getting a PDF or word doc for offline references?

Share this post


Link to post
Share on other sites

I dont see how this product is anywhere near ready for production - how do we roll this out when the product is gold? It looks like its an all-or-nothing piece. I'd love to be able to test it on 10% of our machines to make sure it can uninstall current products with success and then kick it out - how would one do this?

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.