SCCM Endpoint Protection Server Role


Dealing with malware is part of the job for anyone administering an environment of any size. This is especially true where there is a large Windows installed base: because of its popularity as a desktop system, Windows has always been a privileged target for malware authors.

ConfigMgr can act as the central point of an antimalware solution through System Center Endpoint Protection (SCEP), which was a separate product in SCCM 2007 and has been fully integrated into the standard ConfigMgr 2012 deployment.

Note: In Windows versions prior to 10, SCEP installs as an endpoint protection application managed directly via SCCM. In Windows 10, SCEP integrates with the built-in Windows Defender component, taking control of it and handling all management tasks through SCCM.

System Center Endpoint Protection Components

Endpoint Protection in ConfigMgr relies on a number of interdependent components, which can be summarized as follows:

  • Endpoint Protection Client. This is the locally installed client that handles all antimalware functions.
  • Endpoint Protection Server Role. As the name implies, this component provides a communication channel between the client and the ConfigMgr database, and it allows the creation and management of all SCEP policies and settings.
  • Software Updates. The component responsible for deploying SCEP updates is the SUP, which also handles the deployment of antimalware definition updates.
  • Distribution Points. As with any other content deployment, the distribution points play a crucial role in making SCEP updates accessible to the clients.

Configure Software Updates for Endpoint Protection

Before you can deploy SCEP definition updates through the SUP, you must configure it to download updates for Forefront Endpoint Protection. This is easily done in the ConfigMgr admin console: navigate to [Administration] –> [Site Configuration] –> [Sites], right-click <Your Site name> and select [Configure Site Components] –> [Software Update Point].

Endpoint Protection Configure SUP

In the window that appears, open the Classifications tab and check Definition Updates. Then, in the Products tab, drill down to the Forefront node and check Forefront Endpoint Protection 2010.

Endpoint Protection Definition updates Download

Endpoint Protection SUP Definitions

If necessary, perform a WSUS synchronization so that ConfigMgr can pick up the new products and download the necessary metadata:

Sync-CMSoftwareUpdate -FullSync $false
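
The same SUP configuration can be scripted and checked from the ConfigMgr PowerShell module. This is an added example, not part of the original article; the site code `XYZ` is a placeholder, and it assumes the WSUS catalog has already been synchronized once so that the Forefront product is known to the site.

```powershell
# Added example: subscribe the SUP to SCEP definition updates and verify the result.
# 'XYZ' is a placeholder site code; replace it with your own.
$SiteCode = 'XYZ'

# Load the ConfigMgr module shipped with the admin console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Same choices as in the console: Classifications tab and Products tab.
# Assumption: the product already exists in the synchronized catalog.
$wanted = 'Definition Updates', 'Forefront Endpoint Protection 2010'
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -AddUpdateClassification $wanted[0] `
    -AddProduct $wanted[1]

# Verify that both categories are now subscribed before relying on them.
$subscribed = Get-CMSoftwareUpdateCategory |
    Where-Object { $_.IsSubscribed } |
    Select-Object -ExpandProperty LocalizedCategoryInstanceName

$missing = $wanted | Where-Object { $subscribed -notcontains $_ }
if ($missing) {
    throw "SUP is not subscribed to: $($missing -join ', ')"
}

# Delta synchronization so the site downloads metadata for the new selection.
Sync-CMSoftwareUpdate -FullSync $false
```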

Wait until the synchronization is complete, then configure a deployment group. Because endpoint protection definitions are updated frequently, sometimes multiple times a day, I usually suggest that my customers use Automatic Deployment Rules (ADR) to avoid the manual approval and deployment package creation that update packages otherwise require.

Note: Having the SCCM SUP deploy definition updates to clients is neither a requirement nor the only option. You can configure clients to download updates from the internet and/or a shared folder, which is particularly handy in situations where the client cannot contact the management point.

Install Endpoint Protection Server Role

Deploying the Endpoint Protection Role is a straightforward and fast process, especially compared to the SUP Role. Before starting the deployment, keep in mind that if you're operating a multi-site hierarchy, the role needs to be installed on the top-level site, because the endpoint protection server role can be installed on only a single site system server in the hierarchy.

To assign the endpoint protection server role, navigate in the ConfigMgr console to [Administration] –> [Servers and Site System Roles]. Either right-click the site system where the endpoint protection server role will be deployed and select [Add Site System Roles], or right-click a clear area and select [Create Site System Server].

Add Site System Role

The Add Site System Roles Wizard will start. On the General and Proxy pages, simply click Next or make any changes your environment requires. On the System Role Selection page, select Endpoint Protection Point. A popup will inform you that you need to configure software updates so that SCEP clients can download definition updates; as this has already been done, simply click OK.

Install Endpoint Protection Point Role

In the next window you will be presented with a license agreement that you need to accept, and then asked whether you want to join the Microsoft Active Protection Service (previously known as the SpyNet service).

Endpoint Protection Role License

Endpoint Protection Role Active Protection

Review the information on the Summary page and click Next to start the setup. You can follow the process in the EPSetup.log file; below is a screenshot from my lab machine. As I said, the process is rather quick.

Endpoint Protection Role Setup Log

Deploy the Endpoint Protection Client Component

There are multiple options for deploying the endpoint protection client components, among them manual installation, AD deployment or an SCCM package. Here I will illustrate the ConfigMgr-driven client settings, which allow us to direct any client to install SCEP on any managed system that does not already have it (I will use a Windows 7 client for demonstration purposes).

In the ConfigMgr admin console, navigate to [Administration] –> [Client Settings], right-click it and select Create Custom Client Device Settings.

Endpoint Protection Custom Settings

In the Create Custom Client Device Settings window, assign a descriptive name to the new set of settings, make sure to check the Endpoint Protection checkbox, and click the OK button.

Endpoint Protection Settings

Right-click the newly created client policy setting, select Properties, and then select the Endpoint Protection node, where you can configure various settings for the SCEP component. The red rectangle marks the only setting I have modified for this article.

Endpoint Protection Custom Settings Configuration

Once you have made the necessary modifications, right-click the custom policy again and click Deploy to make the settings available to a client collection.

Deploy Endpoint Protection Custom Settings

Endpoint Protection Collection

Once you have deployed the custom client policy settings, wait until the client contacts the Management Point to download them. This in turn triggers the SCEP installation, which you can verify from the tray icon that will appear on the client.

Endpoint Protection Client

Deploy Antimalware Policies for Endpoint Protection

Once SCEP has been deployed on the client, the last step is to configure a custom antimalware policy that delivers settings to the antimalware client, such as update frequency, update download location and scan time. To do so, in the ConfigMgr admin console navigate to [Assets and Compliance] –> [Endpoint Protection] –> [Antimalware Policies], right-click the node and select Create Antimalware Policy.

Endpoint Protection Create antimalware Policy

While you can control any aspect of SCEP client behavior via custom policies, here I have selected only the Definition Updates node, as the goal is to control how updates are deployed on the client.

Endpoint Protection Custom Policy

Endpoint Protection Custom policy updates

As you can see, I've configured the policy to force a definition update check every 4 hours starting at 2 AM, selecting both SCCM and Microsoft Update as the update sources.

Endpoint Protection Updates Source

Once the custom policy is configured, right-click it and select Deploy to choose the client collection to which the policy will be made available. While it is a best practice to deploy targeted policies to the different system types, for this article the All Windows 7 Systems collection will do.

Deploy Endpoint Protection Custom Policy

Endpoint Protection Collection

Once the client computer has contacted the Management Point to refresh its computer policies, open the SCEP client and go to the About page, where you can verify that the custom policy has been applied to the client.

SCEP Client Policy

Note that the default antimalware policy is displayed as well. This is because it is applied by default, but the custom policy we've created has a higher priority and will override the settings in the default policy.
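
Besides the About page, the state of the SCEP client can be checked from a script, which is useful for confirming that definitions are actually arriving after the policy is deployed. This is an added example, not part of the original article; it targets the SCEP client on a system such as the Windows 7 machine used here, and the function name and the one-day threshold are assumptions.

```powershell
# Added example: local health check of the SCEP client (works on PowerShell 2.0).
# Get-ScepClientHealth and $MaxSignatureAgeDays are illustrative, not from the article.
function Get-ScepClientHealth {
    param([int]$MaxSignatureAgeDays = 1)

    $status = $null
    try {
        # WMI class registered by the SCEP client; missing if SCEP is not installed.
        $status = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                                -Class AntimalwareHealthStatus -ErrorAction Stop
    } catch { }

    if (-not $status) {
        return New-Object PSObject -Property @{
            Installed = $false; Healthy = $false
            Issues    = @('SCEP client WMI data not found')
        }
    }

    $issues = @()
    if (-not $status.Enabled)    { $issues += 'Antimalware service is disabled' }
    if (-not $status.RtpEnabled) { $issues += 'Real-time protection is disabled' }
    # AntivirusSignatureAge is reported in days.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $issues += "Definitions are $($status.AntivirusSignatureAge) days old"
    }

    New-Object PSObject -Property @{
        Installed        = $true
        Healthy          = ($issues.Count -eq 0)
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureUpdated = $status.AntivirusSignatureUpdateDateTime
        EngineVersion    = $status.EngineVersion
        Issues           = $issues
    }
}

Get-ScepClientHealth | Format-List
```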

