Deploying SCCM 2012 Part 13 – Installing and Configuring Endpoint Protection Role.
Endpoint Protection in System Center 2012 Configuration Manager lets you manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy. Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client computers. Endpoint Protection supports managing the Windows Firewall only.
The Endpoint Protection client has the following capabilities:
1. Malware and Spyware detection and remediation.
2. Rootkit detection and remediation.
3. Critical vulnerability assessment and automatic definition and engine updates.
4. Network vulnerability detection via Network Inspection System.
5. Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.
Installing Endpoint Protection Point Role
Note: The Endpoint Protection point role should be installed on one site system server only, and it must be installed at the top of the hierarchy, on a central administration site or a standalone primary site.
In the Configuration Manager console, click Administration. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, right-click the server and click Add Site System Roles. Check the role Endpoint Protection Point.
Accept the terms and click Next.
Choose Basic membership and click Next.
The Endpoint Protection point role has been installed. Click Close.
We will now create custom client device settings for Endpoint Protection. Click Administration in the console and, under Site Configuration, right-click Client Settings and choose Create Custom Client Device Settings. Check Endpoint Protection and click OK.
On the left side of the settings page select Endpoint Protection. Under Custom Device Settings, set Manage Endpoint Protection client on client computers to True and click OK.
Right-click the My Custom Endpoint Settings policy and click Deploy. We will deploy the policy to the All Windows 7 Computers collection.
After a few minutes we see on the client machine that the Endpoint Protection client is installed.
The Endpoint Protection definition updates are not yet deployed, so the computer status is At Risk and shown in red. We will deploy the Endpoint Protection definition updates through SCCM 2012 in the coming steps.
Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager
Antimalware policies determine how Endpoint Protection protects the computers from malware and threats. Policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected. Configuration Manager supplies a selection of predefined templates that are optimized for various scenarios and can be imported into Configuration Manager. These templates can be found in the folder <ConfigMgr Install Folder>\AdminConsole\XMLStorage\EPTemplates. You can choose to create a new antimalware policy or modify the default antimalware policy.
In this post we will create a new antimalware policy. To create a new antimalware policy, in the Configuration Manager console, click Assets and Compliance. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. Right-click and select Create Antimalware Policy.
In the left pane, click Scan settings. Set Scan removable storage devices to True.
Click Definition updates. Set Check for Endpoint Protection definitions at a specific interval to 2 hours. Set Force a definition update if the client computer is offline for more than two consecutive scheduled updates to True.
For Set sources and order for Endpoint Protection definition updates, click Set Source, choose Updates distributed from Configuration Manager and click OK. Click OK again to close the window.
We will now deploy the antimalware policy that we created: right-click the policy and click Deploy.
The policy will be deployed to the All Windows 7 Computers collection. Click OK.
In Assets and Compliance, select Device Collections, select the All Windows 7 Computers collection and choose Properties.
Click the Alerts tab, check the box View this collection in the Endpoint Protection dashboard and click Add.
In Add New Collection Alerts, check all the boxes and click OK.
Click OK to close the collection properties window.
Configuring Software Update Point to Download the Endpoint Protection Point Definition Updates.
We will now configure the Software Update Point, select the Endpoint Protection product and download the updates. In the SCCM console click Administration and, under Site Configuration, click Sites. Under Configure Site Components, click Software Update Point.
On the Products tab, check the Forefront Endpoint Protection 2010 product. Click Apply.
On the Classifications tab, make sure that Definition Updates is selected. Click OK.
In the SCCM console, click Software Library, expand Software Updates, right-click All Software Updates and choose Synchronize Software Updates.
Click Yes to start the Synchronization process.
We can view the synchronization log file located at C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log. Use the CMTrace tool to open the log file.
The Synchronization has completed.
After a few minutes we can see the definition updates under All Software Updates.
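Reading wsyncmgr.log in CMTrace works for one server, but when a sync fails you usually want the error lines pulled out programmatically. The following PowerShell is an added example, not code from the original post: it parses the CMTrace entry format that wsyncmgr.log (and the other ConfigMgr logs) use and summarizes the last synchronization. The sample log lines are constructed for the demo, and the log path is the one named above; nothing else is assumed about the site.

```powershell
# Added example: parse a ConfigMgr (CMTrace-format) log and summarize the last WSUS sync.
# The $sample entries below are constructed for this demo, not taken from a real site.

function ConvertFrom-CMLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Line
    )
    begin {
        # One entry: <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component=".." context=".." type="N" thread="N" file="..">
        # type 1 = informational, 2 = warning, 3 = error. Entries can span lines, so match over the whole text.
        $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"\s+thread="(?<Thread>\d+)"\s+file="[^"]*">'
        $regex  = New-Object System.Text.RegularExpressions.Regex -ArgumentList $pattern, 'Singleline'
        $buffer = New-Object System.Text.StringBuilder
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
    }
    process {
        foreach ($l in $Line) { [void]$buffer.AppendLine($l) }
    }
    end {
        foreach ($m in $regex.Matches($buffer.ToString())) {
            # time field is local clock plus UTC offset in minutes (e.g. 11:03:55.123+000); keep the clock part
            $clock = ($m.Groups['Time'].Value -split '[+-]')[0]
            $stamp = [datetime]::ParseExact("$($m.Groups['Date'].Value) $clock", 'MM-dd-yyyy HH:mm:ss.fff', $culture)
            $severity = switch ($m.Groups['Type'].Value) { '3' { 'Error' } '2' { 'Warning' } default { 'Info' } }
            [pscustomobject]@{
                Timestamp = $stamp
                Severity  = $severity
                Component = $m.Groups['Component'].Value
                Thread    = [int]$m.Groups['Thread'].Value
                Message   = $m.Groups['Message'].Value
            }
        }
    }
}

function Get-CMSyncSummary {
    # Takes parsed entries and reports whether the most recent sync succeeded and which errors were logged.
    param([Parameter(Mandatory = $true)][object[]]$Entry)
    $sorted = $Entry | Sort-Object Timestamp
    $lastStart = $sorted | Where-Object { $_.Message -like 'Starting Sync*' } | Select-Object -Last 1
    $sinceStart = if ($lastStart) { $sorted | Where-Object { $_.Timestamp -ge $lastStart.Timestamp } } else { $sorted }
    $errors = @($sinceStart | Where-Object { $_.Severity -eq 'Error' })
    $succeeded = [bool]($sinceStart | Where-Object { $_.Message -like 'Sync succeeded*' })
    [pscustomobject]@{
        LastSyncStart = if ($lastStart) { $lastStart.Timestamp } else { $null }
        Succeeded     = $succeeded -and $errors.Count -eq 0
        ErrorCount    = $errors.Count
        Errors        = $errors | ForEach-Object { '{0:u} {1}' -f $_.Timestamp, $_.Message }
    }
}

# Constructed sample: one failed sync followed by one successful sync.
$sample = @(
    '<![LOG[Starting Sync]LOG]!><time="10:00:01.120+000" date="05-16-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="8552" file="wsyncmgr.cpp:100">'
    '<![LOG[Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.]LOG]!><time="10:00:05.300+000" date="05-16-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="8552" file="wsyncmgr.cpp:200">'
    '<![LOG[Starting Sync]LOG]!><time="11:00:01.120+000" date="05-16-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="8552" file="wsyncmgr.cpp:100">'
    '<![LOG[Synchronizing update 1 of 3]LOG]!><time="11:02:10.000+000" date="05-16-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="8552" file="wsyncmgr.cpp:300">'
    '<![LOG[Sync succeeded. Setting sync alert to canceled state on site PRI]LOG]!><time="11:03:55.123+000" date="05-16-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="8552" file="wsyncmgr.cpp:400">'
)

$parsed = $sample | ConvertFrom-CMLog
Get-CMSyncSummary -Entry $parsed | Format-List      # Succeeded = True, ErrorCount = 0 for the last run

# Against the real log on the site server:
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log' | ConvertFrom-CMLog | Get-CMSyncSummary
```

The summary only looks at entries since the most recent "Starting Sync", so an old failure (like the first one in the sample) does not mask a later successful run. Because `ConvertFrom-CMLog` understands the generic CMTrace entry format, the same function can be pointed at ccm.log or any other log under the Logs folder when troubleshooting.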
Deploying Endpoint Updates – We can deploy the updates in two ways. The first is by creating an ADR (Automatic Deployment Rule); the second is to select all the updates, download them and then deploy them to a collection. We will deploy the Endpoint Protection updates using an Automatic Deployment Rule.
In the CM console, click Software Library, expand Software Updates, right-click Automatic Deployment Rules and click Create Automatic Deployment Rule.
Let's name the ADR "ADR for Endpoint Protection Updates". Choose the collection All Windows 7 Computers. The rule will add updates to an existing software update group. Click Next.
Set the State message detail level to Minimal, and select Automatically deploy all software updates found by this rule, and approve any license agreements.
Under Property filters, choose Date Released or Revised and Product. Set Date Released or Revised to Last 1 day and Product to Forefront Endpoint Protection 2010. Click Next.
Check the box "Enable rule to run on a schedule", click Customize and set it to run every 2 days. Click Next.
Set Time based on to UTC. Set the software available time to 1 hour. Set the installation deadline to As soon as possible. Click Next.
Do not select anything on this page, click Next.
Select Generate an alert when the following conditions are met. Set the client compliance percentage to 90 and the offset from the deadline to 7 days. Click Next.
For clients that have slow site boundaries, under deployment options select "Download software updates from distribution point and install". Click Next.
We will create a new deployment package named "Endpoint Protection Definition Update Package". The package source will be \\sccm.prajwal.local\updates\Endpoint (create a shared folder named updates, then create a folder called Endpoint within the updates folder). Set the sending priority to Medium. Click Next.
On the Specify distribution points page, click Add and select the distribution point. In this lab we have only one distribution point and that is SCCM.PRAJWAL.LOCAL.
Choose Download software updates from the Internet. Click Next.
On the Confirm Settings page click Next.
The Automatic Deployment Rule has been created successfully. Click Close.
Click Automatic Deployment Rules, right-click the ADR and click Run Now.
Once the ADR runs, it takes some time to download the definition updates and deploy them to the collection. In the screenshot below we see that the definition updates have been downloaded as well as deployed.
After 2 hours, let's check the status of Endpoint Protection on the client machine CLIENT.PRAJWAL.LOCAL.
Wow, the definition updates have been installed and we see that the computer status is Protected.
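The Protected / At Risk state shown in the Endpoint Protection client (and in the console dashboard) comes down to a few facts on the client: the antimalware service is running, real-time protection is on, and the definitions are recent. The following PowerShell is an added example, not code from the original post, that checks those facts directly on a client so a deployment like the one above can be verified without waiting for the console to refresh. It assumes the SCEP client stores its definition data under HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates, its real-time protection setting under ...\Real-Time Protection, and runs as the MsMpSvc service; the 3-day signature-age threshold is a value chosen for the demo.

```powershell
# Added example: report the Endpoint Protection client state on a local or remote client.
# Assumptions (not from the original post): SCEP registry root HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware,
# service name MsMpSvc, and a demo threshold of 3 days before definitions count as out of date.

function Get-EPClientStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxSignatureAgeDays = 3
    )

    $collect = {
        param($MaxAgeDays)
        $base = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'      # assumed SCEP registry root
        $sig  = Get-ItemProperty -Path "$base\Signature Updates"    -ErrorAction SilentlyContinue
        $rtp  = Get-ItemProperty -Path "$base\Real-Time Protection" -ErrorAction SilentlyContinue
        $svc  = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue   # assumed SCEP service name

        # SignaturesLastUpdated is a REG_BINARY holding a 64-bit FILETIME in UTC
        $lastUpdate = $null
        if ($sig -and $sig.SignaturesLastUpdated -and $sig.SignaturesLastUpdated.Length -ge 8) {
            $lastUpdate = [datetime]::FromFileTimeUtc([BitConverter]::ToInt64($sig.SignaturesLastUpdated, 0))
        }
        $ageDays = if ($lastUpdate) { ((Get-Date).ToUniversalTime() - $lastUpdate).TotalDays } else { $null }

        # DisableRealtimeMonitoring = 1 means real-time protection is off; absent means it is on
        $rtpOn = -not ($rtp -and $rtp.DisableRealtimeMonitoring -eq 1)

        $problems = @()
        if (-not $svc)                       { $problems += 'antimalware service not installed' }
        elseif ($svc.Status -ne 'Running')   { $problems += "antimalware service is $($svc.Status)" }
        if ($null -eq $ageDays)              { $problems += 'no definition timestamp found' }
        elseif ($ageDays -gt $MaxAgeDays)    { $problems += ('definitions {0:N1} days old' -f $ageDays) }
        if (-not $rtpOn)                     { $problems += 'real-time protection disabled' }

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            ServiceState       = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
            AVSignature        = if ($sig) { $sig.AVSignatureVersion } else { $null }
            EngineVersion      = if ($sig) { $sig.EngineVersion } else { $null }
            SignatureAgeDays   = if ($null -ne $ageDays) { [math]::Round($ageDays, 1) } else { $null }
            RealTimeProtection = $rtpOn
            Status             = if ($problems.Count -eq 0) { 'Protected' } else { 'At Risk' }
            Reasons            = ($problems -join '; ')
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $collect $MaxSignatureAgeDays
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect -ArgumentList $MaxSignatureAgeDays
    }
}

# Local check:
Get-EPClientStatus | Format-List

# Several clients at once (requires PowerShell remoting to the targets):
# 'CLIENT.PRAJWAL.LOCAL' | ForEach-Object { Get-EPClientStatus -ComputerName $_ } | Format-Table -AutoSize
```

Running this against the client right after the ADR deployment should show SignatureAgeDays close to 0 and Status = Protected; if the client still reports At Risk, the Reasons column says which of the three conditions is failing, which is usually faster than reading the client UI on each machine.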
Hi, I did all the steps but All Software Updates is empty and the automatic deployment rule's last error description shows an unspecified error. Please help.
I’ve followed the ADR process and my folder is over 60GB with 20,000+files/folders. My Software Update group is correct and just has a few updates. I’ve run the vbs script to clean up now twice. As local administrator and as my domain account which is an admin in sccm and on the box. Neither cleaned up any of the files in my endpoint protection repository. It found the group fine but didn’t remove anything from the folder. Any thoughts/ideas? Thank you.
FYI, after pulling out the old updates from the Deployment Packages it went down to about 16GB…but has since been growing again. 5GB in one week. I don't see an automatic way to pull superseded definitions from the Deployment Package as it does for the Software Update Group, and that is why it keeps growing. I may go to a UNC path method simply to not have to clean up regularly and to only use about 2% of the space before it starts growing.
Hello, I was hoping you could help me with a little issue I'm having. I've made changes to my Antimalware Policy; however, those changes aren't getting to my clients. When I look at my devices I see that every one has the proper policy (Succeeded); however, the date appears to be the date the machine was installed and put into service. So it's getting the policy when the SCCM client installs, then never again.
Is there a way to push this out on an interval? Secondly, is there a way to manually push it out for testing purposes?
Many thanks for your time!
Check the CCM.log file on the server. FYI, here you will find solutions to your questions – https://www.prajwaldesai.com/community/forums/system-center-configuration-manager.4/
Thanks Prajwal, let me go through and will let you know how it goes.
Much appreciate your support.
One of various logs… 🙂
\\GBRADY\admin$ using machine account (67) SMS_CLIENT_CONFIG_MANAGER 5/16/2016 11:03:55 AM 8552 (0x2168)
\\GBRADY\admin$ share using account 'Machine Account' SMS_CLIENT_CONFIG_MANAGER 5/16/2016 11:03:55 AM 8552 (0x2168)
---> ERROR: Unable to access target machine for request: "2097152279", machine name: "GBRADY", access denied or invalid network path. SMS_CLIENT_CONFIG_MANAGER 5/16/2016 11:03:55 AM 8552 (0x2168)
Have you configured the client push installation account? – https://www.prajwaldesai.com/wp-content/uploads/2013/09/How-To-Install-Configuration-Manager-Clients-By-Using-Client-Push-Snap4.jpg
Please have a look at the screenshot, which shows that some of the clients are getting it, but the majority of them are not… I can send you another screenshot if you wish…
I'm new to SCCM. A vendor engineer deployed the system while I was away, and by searching blogs and forums I have noticed that most of the things are not done as per the best practices..
1. Auto Update is not being pushed automatically, even though I have made all the necessary configuration following blogs / forums.
2. I have noticed that some of the clients do not have the agent installed, and when I select to install the client, nothing happens.
Any help please?
You need to examine the log files to determine why the client push is not happening. Have you done that?
What is the client log file name? Could you please guide me through the steps, if you don't mind?
@Aleksey – "notification the subscription was created, but letters do not come on emails." – What exactly do you mean by letters do not come on emails? By the way, have you configured the email notification feature? Check the attached screenshot.
Prajwal, yes, I have configured the email notification feature. I meant that alerts don’t work when Endpoint Protection finds viruses on computers of users, so letters don’t come to e-mail. I have solved this problem. Problems were in the table “Alertfortriggers” in SCCM Database.
Good afternoon, Prajwal! Excellent article, one question: I have a collection with all workstations. In the properties of this collection the notifications are configured (the box is ticked, and all the conditions connected with detection of malicious programs are set). This notification is present in "All notifications" on the Monitoring tab. However, the state of the notification is "Was never activated". In the Computers tab of this notification there are workstations for today (26.02) on which malicious software was found, but the state of the notification is still "Was never activated". A subscription was created for this notification, but letters do not come to the emails.
Question: does the notification need to be activated somewhere manually, or should it activate by itself? Perhaps there are some other software settings for the creation of notifications somewhere that I did not consider? Thanks in advance for the answer!
Don't we have a dashboard like we have in SCCM 2007, which shows collections like Protection service off, Out of date, etc.?
Thanks for your articles. They were very helpful.
I have a little question about the software deployment of the endpoint updates. You need a UNC path where the updates are centrally stored. Is there any way in SCCM to automatically clean up this folder?
My folder is now about 6GB, full of old updates.
Thanks in advance