Configuration Manager 2012 – Installing Endpoint Protection Point Role
Microsoft has made some big steps in improving its desktop and server antimalware protection. Its first enterprise antivirus product (Forefront Client Security) needed a separate Operations Manager 2005 instance for managing and reporting. The need for a separate MOM 2005 instance was one of the big disadvantages, because most companies were already migrating to Operations Manager 2007. With the release of Forefront Endpoint Protection 2010, Microsoft decided to move management into Configuration Manager. Managing a Forefront Endpoint Protection 2010 environment from within Configuration Manager 2007 required a console extension and some additional SQL components for reporting. The additional SQL components required some extra planning and knowledge of SQL Server.
With the release of Configuration Manager 2012, Microsoft improved its antimalware product even further. First of all, they changed the name again, replacing Forefront with System Center, so it is now officially named “System Center Endpoint Protection 2012” (SCEP2012). SCEP 2012 is now completely integrated within Configuration Manager and doesn’t require extra installation media. To install SCEP2012, just add the Endpoint Protection Point role on your site server and you’re done.
Install Endpoint Protection Point Role:
To add the Endpoint Protection Site Role, go to the “Administration Pane”, “Site Configuration”, “Servers and Site System Roles”. Right-click the preferred Site Server and select “Add Site System Roles”.
Click on “Next”.
Select the “Endpoint Protection Point” role.
Accept the License agreement.
If you would like to join MAPS, you can choose between Basic and Advanced membership. If you don’t want to participate in MAPS, select the option not to join. MAPS is an online community that collects information about malware, which can help improve SCEP2012.
Verify the summary and click on “Next” to install the SCEP2012 role.
Configure Client Settings:
After installing the Site System Role, you need to define SCEP 2012 Client Policies. Depending on your environment, you’ll need multiple Client Settings (e.g. Windows 7 Clients and Servers). In this guide, I will show you how to define a new Client Settings configuration dedicated to Endpoint Protection settings. To add a new Client Settings configuration, go to the “Administration Pane”, “Client Settings”. Right-click “Client Settings” and choose “Create Custom Client Device Settings”.
In the general settings, enter a name and choose “Endpoint Protection”.
In the Endpoint Protection settings, change “Manage Endpoint Protection client on client computer” to “True”. Leave the other settings at their defaults and click “OK”. Assign the new Client Settings to a Device Collection by right-clicking the new settings and choosing “Deploy”.
Select the preferred device collection and click “OK”. In my case, I created a Device Collection with all Windows 7 clients.
Define Antimalware Policies:
After the Endpoint Protection Role is installed and the SCEP2012 Client Settings are defined, the clients will be installed and become active. The last thing we need to do is configure the SCEP2012 policies. By defining SCEP2012 policies, you can control the behavior of the SCEP clients: settings like scheduled scans, real-time scanning, excluding files and processes from scanning, etc. In the following steps, I will configure a SCEP policy set for my Windows 7 Clients. Open “Assets and Compliance”, “Overview”, “Endpoint Protection”, “Antimalware Policies”. By default there is one standard policy set, “Default Client Antimalware Policy”. Best practice is to create a new policy set based on a SCEP template. Right-click “Antimalware Policies” and choose “Import”. This will open a file dialog box with SCEP template files.
Scroll down, choose “SCEP12_Standard_Desktop.xml”, and click “Open”.
Provide a name for the policy set and adjust the settings if needed. When finished, click “OK”. Right-click the newly created policy set and select “Deploy”.
Choose the device collection for which you want the policies to become active and click “OK”. To verify that the configured policy is installed on a client, you can check the SCEP2012 client settings. Open the SCEP2012 console on a client, click the “Additional help options” arrow next to “Help”, and then click “About System Center Endpoint Protection”.
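To check more than one client at a time that the SCEP client is installed and active after the deployment, the state can also be read over WMI. This PowerShell function is an added example, not part of the original guide; it assumes the SCEP client registers the AntimalwareHealthStatus class in the root\Microsoft\SecurityClient namespace, uses constructed host names, and an illustrative signature-age threshold. It reports client state only; the applied policy name is still confirmed in the About dialog.

```powershell
# Added example: summarize SCEP client state per computer over WMI.
# Assumption: the SCEP client registers the AntimalwareHealthStatus class
# in root\Microsoft\SecurityClient on each target.
function Get-ScepClientStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [int]$MaxSignatureAgeDays = 3   # illustrative threshold, not from the guide
    )

    foreach ($computer in $ComputerName) {
        $row = @{
            Computer = $computer; ClientVersion = $null; Enabled = $null
            RealTime = $null; SignatureVersion = $null; SignatureAgeDays = $null
            Finding  = $null
        }
        try {
            $health = Get-WmiObject -ComputerName $computer `
                -Namespace 'root\Microsoft\SecurityClient' `
                -Class 'AntimalwareHealthStatus' -ErrorAction Stop |
                Select-Object -First 1
            if (-not $health) { throw 'AntimalwareHealthStatus returned no instance' }

            $row.ClientVersion    = $health.Version
            $row.Enabled          = $health.Enabled
            $row.RealTime         = $health.RtpEnabled
            $row.SignatureVersion = $health.AntivirusSignatureVersion
            $row.SignatureAgeDays = $health.AntivirusSignatureAge

            # Report the most serious problem first.
            if (-not $health.Enabled) { $row.Finding = 'Antimalware service disabled' }
            elseif (-not $health.RtpEnabled) { $row.Finding = 'Real-time protection off' }
            elseif ($health.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
                $row.Finding = "Definitions older than $MaxSignatureAgeDays days"
            }
            else { $row.Finding = 'OK' }
        }
        catch {
            # Missing namespace (client not installed yet) or host unreachable.
            $row.Finding = "No SCEP data: $($_.Exception.Message)"
        }
        New-Object PSObject -Property $row |
            Select-Object Computer, ClientVersion, Enabled, RealTime,
                SignatureVersion, SignatureAgeDays, Finding
    }
}

# Constructed host names; replace with members of your own device collection.
Get-ScepClientStatus -ComputerName 'WIN7-CLIENT01', 'WIN7-CLIENT02' | Format-Table -AutoSize
```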