Dealing with malware is part of the job for any professional administering environments of any size. This is especially true where there is a large Windows installed base: due to its popularity as a desktop system, Windows has always been a prime target for anybody writing malware.
ConfigMgr has the ability to act as the central point of an antimalware solution through System Center Endpoint Protection (SCEP), which used to be a separate product in SCCM 2007 and has been fully integrated into the standard ConfigMgr 2012 deployment.
Note: in Windows versions prior to 10, SCEP installs as a separate endpoint protection application managed directly via SCCM; in Windows 10, SCEP integrates with the built-in Windows Defender component, taking control of it and handling all management tasks through SCCM.
System Center Endpoint Protection Components
Endpoint Protection in ConfigMgr relies on a number of interdependent components, which can be summarized as follows:
- Endpoint Protection Client. This is the locally installed client that handles all antimalware functions.
- Endpoint Protection Server Role. As the name implies, this component provides the communication channel between the client and the ConfigMgr database, and it allows the creation and management of all SCEP policies and settings.
- Software Updates. The component responsible for deploying SCEP updates is the Software Update Point (SUP), which also handles the deployment of antimalware definition updates.
- Distribution Points. As with any other content deployment, the distribution points play a crucial role in making SCEP updates accessible to the clients.
Configure Software Updates for Endpoint Protection
Before you can deploy SCEP definition updates through the SUP, it is necessary to configure it to download updates for Forefront Endpoint Protection. This can easily be done in the ConfigMgr admin console by navigating to [Administration] –> [Site Configuration] –> [Sites], right-clicking <Your Site name> and selecting [Configure Site Components] –> [Software Update Point].
In the window that appears, open the Classifications tab and check Definition Updates; in the Products tab, drill down to the Forefront node and check Forefront Endpoint Protection 2010.
If necessary, perform a WSUS synchronization so that ConfigMgr can pick up the new products and download the necessary metadata:
Sync-CMSoftwareUpdate -FullSync $false
Wait until the synchronization is complete, then configure a deployment group. As endpoint protection definitions are updated frequently, sometimes multiple times a day, what I usually suggest to my customers is the use of Automatic Deployment Rules (ADR), which avoids the manual approval and deployment package creation that each update would otherwise require.
Note: having the SCCM SUP deploy definition updates to clients is neither a requirement nor the only option, as you can configure clients to download updates from the internet and/or a shared folder. This is particularly handy in all those situations where the client cannot contact the management point.
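The ADR approach described above, scripted with the ConfigMgr PowerShell module as an added example (this is not code from the original post). It assumes site code PS1, an existing "SCEP Managed Clients" collection and a \\cm01\Sources\SCEP-Defs share the site server can write to; the cmdlet parameter names are the ones I know from the ConfigMgr cmdlet library, so check them against Get-Help in your console version.

```powershell
# Added example, not from the original post. Assumes the ConfigMgr console's
# PowerShell module is available, site code PS1, a "SCEP Managed Clients"
# collection and a \\cm01\Sources\SCEP-Defs share writable by the site server.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"

$adrName     = "SCEP Definition Updates"
$packageName = "SCEP Definition Updates"
$contentPath = "\\cm01\Sources\SCEP-Defs"
$collection  = "SCEP Managed Clients"

# Definitions ship several times a day, so the rule fires after every SUP
# synchronization instead of on a fixed schedule. Adding each run to the same
# software update group avoids creating a new group per synchronization.
if (-not (Get-CMSoftwareUpdateAutoDeploymentRule -Name $adrName)) {
    New-CMSoftwareUpdateAutoDeploymentRule `
        -Name $adrName `
        -CollectionName $collection `
        -DeploymentPackageName $packageName `
        -Location $contentPath `
        -UpdateClassification "Definition Updates" `
        -Product "Forefront Endpoint Protection 2010" `
        -Language "English" `
        -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
        -AddToExistingSoftwareUpdateGroup $true `
        -Superseded $false `
        -AvailableImmediately $true `
        -DeadlineImmediately $true `
        -DownloadFromMicrosoftUpdate $true `
        -EnabledAfterCreate $true
}

# Confirm the rule exists and is enabled before relying on it.
Get-CMSoftwareUpdateAutoDeploymentRule -Name $adrName |
    Select-Object Name, AutoDeploymentEnabled, LastRunTime
```

Because definitions are released so often, an "add to existing group" rule keeps a single, growing update group; prune superseded definitions from it periodically so the group stays well under the 1000-update limit.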
Install Endpoint Protection Server Role
Deploying the Endpoint Protection role is a straightforward and fast process, especially compared to the SUP role, but before starting the deployment keep in mind that if you are operating a multi-site hierarchy the role needs to be installed on the top-level site. This is because the Endpoint Protection server role can be installed on only one site system server in the hierarchy.
To assign the Endpoint Protection server role, in the ConfigMgr console navigate to [Administration] –> [Servers and Site System Roles], then either right-click the site system where the role will be deployed and select [Add Site System Roles], or right-click a clear area and select [Create Site System Server].
The Add Site System Roles Wizard will start. On the General and Proxy pages simply click Next, or make any changes needed for your environment; on the System Role Selection page select Endpoint Protection Point. A popup will inform you that you need to configure software updates so that SCEP clients can download definition updates; as this has already been done, simply click OK.
In the next window you will be presented with a License Agreement that you need to accept, and then asked whether you want to join the Microsoft Active Protection Service (previously known as the Spynet service).
Review the information on the Summary page and click Next to start the setup. You can follow the process in the EPSetup.log file; below is a screenshot from my lab machine and, as I said, the process is rather quick.
Deploy the Endpoint Protection Client Component
While there are multiple options to deploy the Endpoint Protection client component, including manual installation, AD deployment or an SCCM package, here I will illustrate the ConfigMgr-driven client settings, which allow us to instruct the ConfigMgr client to install SCEP on any managed system that does not already have it (I will use a Windows 7 client for demonstration purposes).
In the ConfigMgr admin console navigate to [Administration] –> [Client Settings], right-click it and select Create Custom Client Device Settings.
In the Create Custom Client Device Settings window, assign a descriptive name to the new set of settings, make sure the Endpoint Protection checkbox is checked and click OK.
Right-click the newly created client setting, select Properties and then the Endpoint Protection node, where you can configure various settings for the SCEP component; the red rectangle highlights the only setting I have modified for this article.
Once you have made the necessary modifications, right-click the custom setting again and click Deploy to make it available to the clients' collection.
Once you have deployed the custom client setting, wait until the client contacts the Management Point to download it; this in turn triggers the SCEP installation, as you can verify from the tray icon that appears on the client.
Once SCEP has been deployed on the client, the last step is configuring a custom antimalware policy to deploy settings to the antimalware client such as update frequency, update download location and scan time. To do so, in the ConfigMgr admin console navigate to [Assets and Compliance] –> [Endpoint Protection] –> [Antimalware Policies], right-click the node and select Create Antimalware Policy.
While you can control any aspect of SCEP client behavior via custom policies, here I have selected only the Definition Updates node, as the scope of this article is controlling how updates are deployed to the client.
As you can see, I have configured the policy to force a definition update check every 4 hours starting at 2AM, selecting both SCCM and Microsoft Update as the update sources.
Once the custom policy is configured, right-click it and select Deploy to choose the client collection to which the policy will be made available. While it is a best practice to deploy targeted policies to the different system types, for this article the All Windows 7 Systems collection will do.
Once the client computer contacts the Management Point to refresh computer policies, open the SCEP client and its About page, where you can verify that the custom policy has been applied to the client.
Note that the default antimalware policy is also displayed, because it is applied by default, but the custom one we created, having a higher priority, overrides the settings in the default policy.
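A client-side check of the outcome of the policy above, as an added example that is not part of the original post. It reads SCEP's own WMI health class on Windows 7/8.x and Windows Defender's cmdlet on Windows 10 (where SCEP drives Defender, as noted at the top), and flags a client whose definitions are older than the configured 4-hour check interval would allow; the 8-hour threshold is my assumption (one missed cycle of tolerance).

```powershell
# Added example, not from the original post. Run as an administrator on a
# managed client. MaxDefinitionAgeHours = 8 assumes the 4-hour update check
# from the custom antimalware policy plus one missed cycle (my assumption).
function Get-ScepHealth {
    param([int]$MaxDefinitionAgeHours = 8)

    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        # Windows 10: SCEP manages the built-in Windows Defender engine.
        $s = Get-MpComputerStatus
        $status = New-Object PSObject -Property @{
            Engine          = "Windows Defender (SCEP managed)"
            ProductVersion  = $s.AMProductVersion
            RealTimeEnabled = [bool]$s.RealTimeProtectionEnabled
            DefVersion      = $s.AntivirusSignatureVersion
            DefUpdated      = $s.AntivirusSignatureLastUpdated
        }
    }
    else {
        # Windows 7/8.x: the SCEP client reports through its own WMI namespace.
        $s = Get-WmiObject -Namespace "root\Microsoft\SecurityClient" `
                           -Class AntimalwareHealthStatus -ErrorAction SilentlyContinue
        if (-not $s) { throw "SCEP client not installed or not yet reporting" }
        $status = New-Object PSObject -Property @{
            Engine          = "System Center Endpoint Protection"
            ProductVersion  = $s.Version
            RealTimeEnabled = [bool]$s.RtpEnabled
            DefVersion      = $s.AntivirusSignatureVersion
            DefUpdated      = [System.Management.ManagementDateTimeConverter]::ToDateTime($s.AntivirusSignatureUpdateDateTime)
        }
    }

    # A client whose definitions are stale or whose real-time protection is
    # off is not covered by the policy, whatever the console says.
    $ageHours = [math]::Round(((Get-Date) - $status.DefUpdated).TotalHours, 1)
    $status | Add-Member NoteProperty DefAgeHours $ageHours
    $status | Add-Member NoteProperty Healthy `
        ($status.RealTimeEnabled -and ($ageHours -le $MaxDefinitionAgeHours))
    return $status
}

Get-ScepHealth | Format-List Engine, ProductVersion, RealTimeEnabled, DefVersion, DefUpdated, DefAgeHours, Healthy
```

Run it on a few members of the target collection after the policy refresh; a DefAgeHours value well above the 4-hour interval points at the update sources (SUP content or Microsoft Update reachability) rather than at the policy itself.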