Implementing Endpoint Protection With ConfigMgr 2012

26th November 2013 | Gerry Hampson | Blog: | Twitter: @gerryhampson



  • Table of Contents

    Introduction

    1. Add Endpoint Protection Point

    2. Antimalware Policy

    3. Enable SCEP on clients

    4. Alerts & Subscriptions

    5. Definition Updates

  • Introduction

    System Center Endpoint Protection 2012 is now integrated with ConfigMgr and replaces Forefront

    Endpoint Protection 2010 (which can no longer be deployed as a stand-alone product).

    Note that Endpoint Protection licensing is not automatically included with your System Center license.

    The client license is included in the Core CAL and Enterprise CAL suites.

    When System Center 2012 Endpoint Protection is used with Microsoft System Center 2012

    Configuration Manager, it provides a comprehensive enterprise management solution that allows you to:

    Centrally deploy and configure the Endpoint Protection client.

    Configure default and custom antimalware policies that apply to groups of computers.

    Create and deploy Windows Firewall settings to groups of computers.

    Use Configuration Manager software updates to automatically download the latest

    antimalware definition files to keep client computers up-to-date.

    Control who manages the antimalware policies and Windows Firewall settings by using the

    Endpoint Protection Manager security role.

    Use email notifications to alert you when computers report that malware is installed.

    View summary and detailed information from the Configuration Manager console and reports.

    The following sections describe a full implementation of SCEP.

    1. Add Endpoint Protection Point

    2. Antimalware Policy

    3. Enable SCEP on clients

    4. Alerts and Subscriptions

    5. Definition Updates

  • 1. Add Endpoint Protection Point

    We start by adding the Endpoint Protection Point

    Navigate to Administration > Site Configuration > Sites and right click on your site.

    Select "Add Site System Roles" to start the wizard.

    Verify the server name and click Next to continue

    We are not using a proxy at this time. Click Next to continue.

  • Select the Endpoint Protection Point.

    You receive a pop-up message to say that SCEP leverages the software updates functionality of

    ConfigMgr to deploy definition files. Accept that you have been told to configure this.

    Accept the Endpoint Protection License terms and click Next to continue.

  • Microsoft Active Protection Service (MAPS) is an online community that helps Microsoft keep the

    SCEP definition files current and improve SCEP's effectiveness. If you choose to become a member,

    SCEP will automatically send information about detected and suspicious software to Microsoft, so

    check that this is acceptable under your organisation's data-handling requirements before opting in.

    Choose whether you wish to participate or not and click Next to continue.

    Review the summary and click Next.

  • The Endpoint Protection Point has now been added. Click Close to exit the wizard.

    See the new Site System Role. Examine the properties.

    License Terms

    MAPS membership. You can change this at any time.

  • See Monitoring > Endpoint Protection Status

    In the next section we will create and deploy Antimalware Policy.

    2. Antimalware Policy

    This is an extract from the Microsoft TechNet Library:

    "You can deploy antimalware policies to collections of Microsoft System Center 2012

    Configuration Manager client computers to specify how Endpoint Protection protects them from

    malware and other threats. These antimalware policies include information about the scan schedule,

    the types of files and folders to scan, and the actions to take when malware is detected. When you

    enable Endpoint Protection, a default antimalware policy is applied to client computers. You can also

    use additional policy templates that are supplied or create your own custom antimalware policies to

    meet the specific needs of your environment."

    Navigate to Asset and Compliance > Endpoint Protection > Antimalware Policies

    See the Default Client Antimalware Policy. This was created when the Endpoint Protection Point

    was added. Let's examine the properties of the policy. Right click and choose Properties.

  • Default Scheduled Scans

    Default Scan Settings

    Default Actions.

  • Default Real-time protection settings.

    Default exclusion settings. Click Set to examine the excluded files and folders.

    Excluded files and folders.

  • Advanced Settings - default options.

    Threat Overrides

    Choice of MAPS membership.

  • Default Definition Updates settings. Click "Set Source" to see the order of the configured definition

    update sources.

    List and order of sources.

    Those were the settings configured in the Default Client Antimalware Policy. However, it is best practice

    not to rely on or modify the default policy. Create your own custom policies and deploy them to collections

    as required; a custom policy deployed to a collection takes precedence over the default policy.

    Navigate to Asset and Compliance > Endpoint Protection > Antimalware Policies.

    Right click and choose "Create Antimalware Policy"

  • Select all the settings sections so that the new policy covers every category.

    Right click the policy and choose Properties if you wish to change any settings, e.g. you may want

    ConfigMgr to be your only source for definition updates (Definition Updates > Set Source, then remove

    the other sources).

    Now you must deploy the policy to a collection - I have a test collection.

    Right click the policy and select Deploy.

    Select the collection you require and click OK to deploy.

    We have now added our Endpoint Protection Point and we have created our own custom Antimalware

    Policy. We have also deployed this policy to a test collection.

    However we have yet to enable SCEP on any clients. We will do that in the next section.

  • 3. Enable SCEP on clients

    Previously we added our Endpoint Protection Point and created our own custom Antimalware Policy.

    We then deployed this policy to a test collection.

    However none of this is useful if we do not enable Endpoint Protection on clients.

    Navigate to Administration > Site Configuration > Client Settings. It is good practice not to modify the

    Default Client Settings, so we will create a custom client device settings object instead.

    Right click and choose "Create Custom Client Device Settings".

    Enter a suitable name, select "Endpoint Protection" and click OK.

    You receive a pop-up with client reboot information. Click OK to acknowledge.

  • Right click and choose Properties.

    Select Yes to "Manage Endpoint Protection client on client computers"

    Select Yes to "Install Endpoint Protection client on client computers".

    Click OK to Save.

    Now right click and deploy to your test collection.

  • The SCEP client will now be installed on all computers in the test collection when they next retrieve

    machine policy, and they will be governed by our custom antimalware policy.

    You can monitor the progress of the SCEP client installation using EndpointProtectionAgent.log

    on the client.

    Installation of Endpoint Protection has been triggered.

    SCEPInstall.exe starts. See the policy file used.

    A SCEP icon will appear in the system tray. It is minimised but will open if you click on it.

  • You can see the application installing if you wish.

    EP client is successfully installed.

    SCEP 2012 icon now available.

    New processes running.

    New service.

  • New registry settings.

    SCEP now completely installed on client. Let's have a look at all the tabs.

    Virus and spyware definitions are shown as up to date.
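    The screenshots above walk through the new service, processes, registry keys and the greyed-out, policy-managed settings. The following PowerShell is an added example, not code from the original deck, that checks the same things on a client without opening the UI. The service name (MsMpSvc), process name (MsMpEng), the registry roots under "Microsoft Antimalware" and the value names read from them are assumptions about the SCEP 2012 client, not taken from the page.

```powershell
# Added example: verify the SCEP 2012 client state on an endpoint.
# Assumed names (not on the original page): MsMpSvc / MsMpEng, the
# "Microsoft Antimalware" registry roots and the value names under them.
$ErrorActionPreference = 'Stop'

$ServiceName = 'MsMpSvc'     # assumption: SCEP 2012 antimalware service
$ProcessName = 'MsMpEng'     # assumption: SCEP 2012 engine process
$LocalRoot   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'            # effective settings (assumption)
$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'   # ConfigMgr-enforced settings (assumption)
$AgentLog    = Join-Path $env:SystemRoot 'CCM\Logs\EndpointProtectionAgent.log'

function ConvertFrom-FileTimeBytes {
    # SignaturesLastUpdated is an 8-byte REG_BINARY FILETIME (assumption)
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 8) { return $null }
    [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 0))
}

function Get-ScepClientState {
    $svc  = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    $sig  = Get-ItemProperty -Path "$LocalRoot\Signature Updates"   -ErrorAction SilentlyContinue
    $rtp  = Get-ItemProperty -Path "$LocalRoot\Real-Time Protection" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceStatus        = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        EngineProcessUp      = [bool]$proc
        AVSignatureVersion   = $sig.AVSignatureVersion
        ASSignatureVersion   = $sig.ASSignatureVersion
        EngineVersion        = $sig.EngineVersion
        SignaturesUpdatedUtc = ConvertFrom-FileTimeBytes $sig.SignaturesLastUpdated
        # DisableRealtimeMonitoring = 1 means real-time protection is off (value name is an assumption)
        RealTimeProtection   = -not [bool]$rtp.DisableRealtimeMonitoring
        # A populated Policies key is why the client UI shows its settings greyed out:
        # they are enforced by the antimalware policy deployed from ConfigMgr
        PolicyManaged        = Test-Path $PolicyRoot
    }
}

function Test-ScepClientHealthy {
    param([Parameter(Mandatory=$true)]$State, [int]$MaxDefinitionAgeDays = 3)
    $fresh = $State.SignaturesUpdatedUtc -and
             ((Get-Date).ToUniversalTime() - $State.SignaturesUpdatedUtc).TotalDays -le $MaxDefinitionAgeDays
    $State.ServiceStatus -eq 'Running' -and $State.EngineProcessUp -and
        $State.RealTimeProtection -and $State.PolicyManaged -and $fresh
}

$state = Get-ScepClientState
$state | Format-List

if (Test-ScepClientHealthy -State $state) { 'SCEP client running, policy-managed, definitions current' }
else { 'SCEP client missing, not running, unmanaged or definitions stale' }

# What the install did, as recorded in the log the deck monitors
if (Test-Path $AgentLog) {
    Select-String -Path $AgentLog -Pattern 'SCEPInstall|triggered|successfully' | Select-Object -Last 10
}
```

    Run it in an elevated PowerShell on a client in the test collection. PolicyManaged being false on a machine where the UI settings are editable is the quickest sign that the custom antimalware policy has not reached that client yet.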

  • Quarantined items.

    Settings - note they are all greyed out, as they are defined by policy and managed by the

    administrator. Let's review the individual settings.

    Scheduled Scans.

    Default Actions.

  • Real-time protection.

    Excluded files and locations.

  • Excluded file types.

    Excluded processes.


  • MAPS.

    Navigate to Monitoring > Endpoint Protection Status > System Center 2012 Endpoint Protection

    Choose the collection and see the client count starting to rise.

    Right click a client and see the possible console actions.

  • 4. Alerts & Subscriptions

    You can configure Endpoint Protection alerts in ConfigMgr 2012 to notify administrators when specific

    security events occur in your hierarchy. Notifications display in the Endpoint Protection dashboard in

    the Configuration Manager console and in reports, and you can configure them to be emailed to

    specified recipients.

    You configure alerts in the properties of collections. Navigate to the properties of your collection and

    open the Alerts tab.

    Check the box "View this collection in the Endpoint Protection dashboard". Click Add to add

    some collection alerts.

    Choose the options you need and click OK to continue.

  • Note that the Conditions box is now populated. Select them in turn and review the options. Configure

    the Alert Name and Severity as you wish.

  • When you have configured your options click Apply and OK to finish.

    Navigate to Monitoring > Alerts > All Alerts and review the Alerts you have created.

    Navigate to Monitoring > Alerts > Subscriptions.

    Right click and choose "Configure Email Notification".

  • Check the box "Enable email notification for alerts" and enter the details of your SMTP server. If the

    SMTP server requires anonymous relay from the ConfigMgr site server, restrict that relay permission to

    the site server's IP address rather than opening relay to the whole network.

    Enter a Sender address (it need not be a real mailbox, but choose one that recipients will recognise)

    and click the "Test SMTP Server" button (enter your email address). See successful test above.

    See successful test email notification.

    Right click Subscription again and this time choose "Create subscription".

  • Enter a Subscription Name and choose one or more alerts. Enter the System Administrators

    Distribution List email address (you can enter multiple email addresses if you wish).

    See the configured subscription. If the condition you configured is reached the subscription will cause

    an email to be sent to the Admins with details of the alert.

    5. Definition Updates

    We previously installed the SCEP 2012 client on the devices in our test collection. Now we must

    ensure that the definition files remain up-to-date on these clients. We do this by integration with the

    software updates component of ConfigMgr.

    We have already configured the Software Update Point to deliver Windows and Office software

    updates to our endpoints. We will now extend this functionality.

    Navigate to Administration > Site Configuration > Sites.

    Select your Site and click "Configure Site Components" on the ribbon above. Choose Software

    Update Point.

    Navigate to the Classifications tab.

  • Choose Definition Updates.

    Navigate to the Products tab and choose Forefront Endpoint Protection 2010 (the catalog has not

    yet been updated to be called SCEP 2012). Click Apply and OK to complete the configuration.

  • Now manually synchronise with the Microsoft catalog to download the latest definition files. Navigate

    to Software Library > Software Updates > All Software Updates.

    Right click and choose "Synchronise Software Updates". Monitor the download using


    See FEP 2010 chosen and sync starting.

    See Definition updates being synchronised and process completing.

    See Definition Updates now available in the console (filter on the Forefront Endpoint Protection 2010 product).

    We will now create an Automatic Deployment Rule so that the definition updates can be downloaded

    and deployed automatically. We don't want to have to do this manually each week.

  • Navigate to Software Library > Software Updates > Automatic Deployment Rules

    Right click and choose to "Create Automatic Deployment Rule"

    The Create Automatic Deployment Rule Wizard starts. Enter a Name for the rule and then choose a

    collection (I have used my test collection). Leave the default "Add to an existing Software Update

    Group" selected.

    Make sure that "Enable the deployment after this rule is run" is checked. Click Next to continue.

    Choose defaults and click Next to continue.

  • Add Property Filters - Product and Update Classification. Choose FEP 2010 and "Definition

    Updates or Updates". Click Next to continue.

    Choose to run the rule after any SUP sync. Click Next to continue.

    Choose "As soon as possible" as the deadline. We want the definition updates to be applied

    immediately. Click Next to continue.

  • Click Next.

    Click Next.

    Click Next.

  • Choose to create a new deployment package. The source folder must exist and be empty. Click Next

    to continue.

    Choose DP and click Next.

    Click Next.

  • Choose your language and click Next.

    Review the summary and click Next to create the ADR.

    The ADR has been created. Click Close to exit the wizard.

  • Note the User Experience configuration for the ADR - I want to see what's going on in my test.

    The ADR is configured to run automatically after each scheduled synchronisation but let's run it now

    for the sake of testing. Right click the rule and choose "Run Now".

    Click OK to the pop-up message and the rule is now running.

    Monitor progress using the ruleengine.log file. See the rule starting.

  • See deployment package folder being populated.

    Content being downloaded.

  • Software Update Group does not exist so the rule creates it.

    See the Software Update Group.

    and the contents of the SUG.

    Navigate to Monitoring > Deployments

    Look at the progress of the ADR.

    Our test client has received the deployment.

  • Verify the "before and after" definition files on the client.
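    The "before and after" check above is done by eye in the client UI. As an added example (not code from the original deck), the following PowerShell records the definition version on a client, forces the ConfigMgr client cycles that pick up the ADR deployment, and waits for the version to change. The registry value it reads (AVSignatureVersion under the "Microsoft Antimalware\Signature Updates" key) and the CCM_UpdateStatus title match are assumptions about the client, not taken from the page; the SMS_Client TriggerSchedule IDs 021, 113 and 108 are the standard machine policy, software updates scan and software updates assignment evaluation cycles.

```powershell
# Added example: confirm a definition update arrives via ConfigMgr, not by eye.
# Assumptions (not on the original page): the Signature Updates registry key and
# AVSignatureVersion value, and the '*Endpoint Protection*' update title pattern.
$ErrorActionPreference = 'Stop'
$SignatureKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'

function Get-ScepDefinitionVersion {
    (Get-ItemProperty -Path $SignatureKey).AVSignatureVersion
}

function Invoke-CcmSchedule {
    # Same as clicking an action in the Configuration Manager control panel applet
    param([Parameter(Mandatory=$true)][string]$Id)
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList "{00000000-0000-0000-0000-000000000$Id}" | Out-Null
}

function Get-PendingDefinitionUpdates {
    # Updates the client has evaluated; Status 'Missing' means the deployment has not installed yet
    Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\UpdatesStore' -Class 'CCM_UpdateStatus' |
        Where-Object { $_.Title -like '*Endpoint Protection*' } |   # title pattern is an assumption
        Select-Object Title, Status, UniqueId
}

function Wait-ScepDefinitionChange {
    param([string]$Before, [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $now = Get-ScepDefinitionVersion
        if ($now -ne $Before) { return $now }
    } while ((Get-Date) -lt $deadline)
    return $null
}

$before = Get-ScepDefinitionVersion
"Before: $before"

# Order matters: pull the new deployment policy first, then scan against the SUP, then evaluate
Invoke-CcmSchedule '021'   # Machine Policy Retrieval & Evaluation Cycle
Start-Sleep -Seconds 60
Invoke-CcmSchedule '113'   # Software Updates Scan Cycle
Start-Sleep -Seconds 60
Invoke-CcmSchedule '108'   # Software Updates Assignments Evaluation Cycle

$after = Wait-ScepDefinitionChange -Before $before
if ($after) { "After:  $after (definition update applied)" }
else {
    'Definition version unchanged after timeout; check UpdatesDeployment.log and the pending list:'
    Get-PendingDefinitionUpdates | Format-Table -AutoSize
}
```

    An unchanged version is not necessarily a failure: if the antimalware policy still lists Microsoft Update or MMPC as fallback sources, the client may already have pulled the same definitions directly, so nothing is left for the ADR deployment to install. To prove the ConfigMgr path specifically, use a policy whose only definition source is ConfigMgr on the test collection, then repeat the check.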