prajwaldesai.com http://prajwaldesai.com/deploying-sccm-2012-part-13-installing-and-configuring-endpoint-protection-role/

Deploying SCCM 2012 Part 13 – Installing and Configuring Endpoint Protection Role

Endpoint Protection in System Center 2012 Configuration Manager lets you manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy. Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client computers. Endpoint Protection supports managing the Windows Firewall only.

The Endpoint Protection client has the following capabilities:

1. Malware and Spyware detection and remediation.

2. Rootkit detection and remediation.

3. Critical vulnerability assessment and automatic definition and engine updates.

4. Network vulnerability detection via Network Inspection System.

5. Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.

Installing Endpoint Protection Point Role

Note: The Endpoint Protection role should be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site.

In the Configuration Manager console, click Administration. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, right-click the server and click Add site system roles. Check the role Endpoint Protection Point.

Accept the terms and click Next.

Choose Basic membership and click Next.

The Endpoint Protection point role has been installed. Click Close.

We will now create custom client device settings for Endpoint Protection. Click Administration in the console and, under Site Configuration, right-click Client Device Settings and create custom client device settings. Check Endpoint Protection and click OK.

On the left side of the settings page select Endpoint Protection and, under Custom Device Settings, for Manage Endpoint Protection client on client computers, click the drop-down and select True. Click OK.

Right-click the My Custom endpoint settings policy and click Deploy. We will deploy the policy to All Windows 7 Computers.

After a few minutes, we see on the client machine that the Endpoint Protection client is installed.

The Endpoint Protection updates are not yet deployed, so the computer status is at risk and is red in color. We will deploy the Endpoint Protection updates through SCCM 2012 in the coming steps.

Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager

Antimalware policies determine how Endpoint Protection protects the computers from malware and threats. Policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected. Configuration Manager supplies a selection of predefined templates that are optimized for various scenarios and can be imported into Configuration Manager. These templates can be found in the folder <ConfigMgr Install Folder>\AdminConsole\XMLStorage\EPTemplates. You can choose to create a new antimalware policy or modify the default antimalware policy.

In this post we will create a new antimalware policy. To create a new antimalware policy, in the Configuration Manager console, click Assets and Compliance. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. Right-click and select Create Antimalware Policy.

On the left pane, click Scan settings. Set Scan removable storage devices to True.

Click Definition updates. For Check for Endpoint Protection definitions at a specific interval, set it to 2 hours. Set Force a definition update if the client computer is offline for more than 2 consecutive scheduled updates to True.

For Set sources and order for Endpoint Protection definition updates, click Set Source. Choose Updates distributed from Configuration Manager. Click OK. Click OK again to close the window.

We will now deploy the antimalware policy that we created. Right-click the policy and click Deploy.

The policy will be deployed to All Windows 7 Computers. Click OK.

In Assets and Compliance select Devices and choose Device Collections, select the All Windows 7 Computers collection, and choose Properties.

Click Alerts and check the box View this collection in the Endpoint Protection Dashboard. Click Add.

Now, in Add New Collection Alerts, check all the boxes and click OK.

Click OK to close the collection properties window.

Configuring Software Update Point to Download the Endpoint Protection Point Definition Updates

We will now configure the Software Update Point, select the Endpoint Protection product and download the updates. In the SCCM console click Administration and, under Site Configuration, click Sites. Under Configure Site Components, click Software Update Point.

Click Products and choose the Forefront Endpoint Protection 2010 product. Click Apply.

On the Classification tab, make sure that Definition Updates is selected. Click OK.

In the SCCM console, click Software Library, Software Updates, right-click All Software Updates and choose Synchronize Software Updates.

Click Yes to start the synchronization process.

We can view the synchronization log file located at C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log. Use the CMTrace tool to open the log file.

The Synchronization has completed.
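To confirm the synchronization result without opening CMTrace, the log can be summarised from PowerShell. This is an added example, not part of the original post; the function name ConvertFrom-CMTraceText is hypothetical, and the three sample entries are constructed and used only when the log file is not present.

```powershell
# Added example (not from the original post): summarise a CMTrace-format log
# such as wsyncmgr.log. The sample entries below are constructed for illustration.
$sample = @'
<![LOG[Constructed sample: synchronization started]LOG]!><time="10:15:02.101+000" date="01-15-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="sample.cpp:1">
<![LOG[Constructed sample: category sync
failed, will retry]LOG]!><time="10:15:40.552+000" date="01-15-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="sample.cpp:2">
<![LOG[Constructed sample: synchronization finished]LOG]!><time="10:21:09.870+000" date="01-15-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="sample.cpp:3">
'@

function ConvertFrom-CMTraceText {
    param([Parameter(Mandatory = $true)][string]$Text)
    $pattern  = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" ' +
                'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    # CMTrace severity codes: 1 = information, 2 = warning, 3 = error
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    # Singleline lets .*? cross line breaks, so a multi-line message stays one entry.
    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        New-Object PSObject -Property @{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            Message   = ($m.Groups['msg'].Value -replace '\s+', ' ')
        }
    }
}

# Path as given in the article; fall back to the constructed sample elsewhere.
$log  = 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log'
$text = if (Test-Path $log) { (Get-Content -Path $log) -join "`n" } else { $sample }

$entries = @(ConvertFrom-CMTraceText -Text $text)

# How many entries of each severity, then every warning and error in full
$entries | Group-Object Severity | Format-Table Name, Count -AutoSize
$entries | Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Message -AutoSize -Wrap
```

Warnings and errors in this log are the first thing to review when definition updates do not appear under All Software Updates.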

After a few minutes we can see definition updates under All Software Updates.

Deploying Endpoint Updates – We can deploy the updates in 2 ways. The first is to create an ADR (Automatic Deployment Rule). The second is to select all the updates, download them and then deploy the updates to a collection. We will deploy the Endpoint Protection updates using an Automatic Deployment Rule.

In the CM console, click Software Library, expand Software Updates, right-click Automatic Deployment Rule and click Create Automatic Deployment Rule.

Let's name the rule ADR for Endpoint Protection Updates. Choose the collection All Windows 7 Computers. The rule will be added to an existing software update group. Click Next.

Set the State message detail level to Minimal, select Automatically deploy all software updates found in this rule and approve license agreements.

Under Property filters, choose Date Released or Revised and Product. Set Date Released or Revised to 1 day and Product to Forefront Endpoint Protection 2010. Click Next.

Check the box “Enable rule to run on a schedule”, click Customize and set it to run every 2 days. Click Next.

Set the Time based on value to UTC. Set Software available time to 1 hour. Set the Installation deadline to As soon as possible. Click Next.

Do not select anything on this page, click Next.

Click Generate an alert when the following conditions are met, set the client compliance percentage to 90 and the offset from the deadline to 7 days. Click Next.

For clients that have slow site boundaries, under Deployment options select “Download software updates from distribution point and install”. Click Next.

We will create a new deployment package named “Endpoint Protection Definition Update Package”. The package source will be \\sccm.prajwal.local\updates\Endpoint (create a folder named updates, then create a new folder called endpoint within the updates folder). Set Sending Priority to Medium. Click Next.

On the Specify distribution points page, click Add and select the distribution point. In this lab we have only one distribution point, and that is SCCM.PRAJWAL.LOCAL.

Choose Download software updates from Internet. Click Next.

On the Confirm Settings page click Next.

The Automatic Deployment Rule has been created successfully. Click Close.

Click Automatic Deployment Rules, right-click the ADR rule and click Run Now.

Click OK.

Once the ADR is run, it takes some time to download the definition updates and deploy them to the collection. In the screenshot below we see that the definition updates have been downloaded as well as deployed.

After 2 hours let's see the status of Endpoint Protection on the client machine CLIENT.PRAJWAL.LOCAL. Wow, the definition updates have been installed and we see that the computer status is Protected.
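The same client status can be checked from PowerShell instead of the client UI. This is an added example, not part of the original post; it assumes the Endpoint Protection client exposes the AntimalwareHealthStatus WMI class in root\Microsoft\SecurityClient, and the function name Get-EPHealth and the 3-day definition age limit are hypothetical choices.

```powershell
# Added example (not from the original post). Assumes the Endpoint Protection
# client's WMI class AntimalwareHealthStatus; the 3-day limit is an assumed value.
function Get-EPHealth {
    param(
        [string]$ComputerName = '.',
        [int]$MaxSignatureAgeDays = 3
    )
    $issues = @()
    $h = $null
    try {
        $h = Get-WmiObject -ComputerName $ComputerName -ErrorAction Stop `
                 -Namespace 'root\Microsoft\SecurityClient' -Class AntimalwareHealthStatus
    } catch {
        # A missing namespace normally means the client has not been installed yet.
        $issues += "WMI query failed: $($_.Exception.Message)"
    }

    $sigVersion = $null
    $engine     = $null
    if ($h) {
        $sigVersion = $h.AntivirusSignatureVersion
        $engine     = $h.EngineVersion
        if (-not $h.RtpEnabled) { $issues += 'Real-time protection is off' }
        if ($h.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $issues += "Antivirus definitions are $($h.AntivirusSignatureAge) days old"
        }
        if ($h.AntispywareSignatureAge -gt $MaxSignatureAgeDays) {
            $issues += "Antispyware definitions are $($h.AntispywareSignatureAge) days old"
        }
    } elseif ($issues.Count -eq 0) {
        $issues += 'No AntimalwareHealthStatus instance returned'
    }

    New-Object PSObject -Property @{
        Computer         = $ComputerName
        Healthy          = ($issues.Count -eq 0)
        SignatureVersion = $sigVersion
        EngineVersion    = $engine
        Issues           = ($issues -join '; ')
    }
}

# Local check; pass -ComputerName to query a client remotely.
Get-EPHealth | Format-List Computer, Healthy, SignatureVersion, EngineVersion, Issues
```

A remote query such as Get-EPHealth -ComputerName CLIENT.PRAJWAL.LOCAL needs administrative rights on the client and WMI allowed through its firewall.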