This article is a step-by-step guide to installing the Endpoint Protection point role in SCCM (ConfigMgr). You'll learn how to enable the Endpoint Protection client on managed computers and how to create and deploy an Endpoint Protection antimalware policy.
The Endpoint Protection point site system role must be installed before you can use Endpoint Protection.
Endpoint Protection in SCCM manages Antimalware policies and Windows Defender Firewall security for client computers in your Configuration Manager hierarchy.
On Windows 10, Windows 11 and Windows Server 2016 or later, Microsoft Defender Antivirus is already installed. On those versions Configuration Manager manages the built-in client rather than installing a separate one.
What is the Endpoint Protection Point Role in SCCM?
Endpoint Protection in SCCM lets you create antimalware policies that hold the configuration settings for the Endpoint Protection client, and deploy those policies to collections of client computers.
What are the advantages of Endpoint Protection Role in SCCM?
Enabling the Endpoint Protection role in SCCM provides the following advantages:
- Configure antimalware policies and Windows Defender Firewall settings, and manage Microsoft Defender for Endpoint, for selected groups of computers.
- Use Configuration Manager software updates to download the latest Antimalware definition files to keep client computers up to date. Learn how to deploy Endpoint Protection updates using SCCM.
- Send email notifications, use in-console monitoring, and view reports. These actions inform administrative users when malware is detected on client computers.
- Endpoint Protection helps protect your PC from malicious software (malware) such as viruses, spyware, and other potentially harmful software.
Endpoint Protection Role Prerequisites
The endpoint protection point role in SCCM requires the following Windows Server features as prerequisites:
- .NET Framework 3.5
- Windows Defender feature (Windows Server 2016)
- Windows Defender Antivirus feature (Windows Server 2019)
- Microsoft Defender Antivirus feature (Windows Server 2022 or later)
A software update point site system role must be installed and configured if you want to use Configuration Manager software updates to deliver definition and engine updates.
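The prerequisite check that a practitioner would run on the prospective site system before starting the role wizard, as an added example that is not part of the original article. It uses the standard Server Manager feature names (`NET-Framework-Core` for .NET Framework 3.5, `Windows-Defender` for the Defender antivirus feature, `UpdateServices` for WSUS); the installation-media path passed to `-Source` is an assumption.

```powershell
# Added example: verify and install the Windows Server features that the
# Endpoint Protection point requires. Run in an elevated PowerShell session on
# the server that will host the role.
Import-Module ServerManager

$required = @(
    'NET-Framework-Core',   # .NET Framework 3.5
    'Windows-Defender'      # Windows Defender / Microsoft Defender Antivirus feature
)                           # On Server 2016 this is a sub-feature of Windows-Defender-Features;
                            # Install-WindowsFeature resolves the parent automatically.

$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }

if ($missing) {
    $missing | ForEach-Object { Write-Host "Missing feature: $($_.Name) ($($_.DisplayName))" }
    # The .NET 3.5 payload is not in the default component store; point -Source at the
    # sources\sxs folder of the installation media (the path below is an assumption).
    Install-WindowsFeature -Name $missing.Name -Source 'D:\sources\sxs' -IncludeManagementTools
} else {
    Write-Host 'All Endpoint Protection point feature prerequisites are installed.'
}

# The software update point depends on WSUS being installed on its site system;
# confirm that as well before continuing with the role wizard.
Get-WindowsFeature -Name 'UpdateServices' | Select-Object Name, DisplayName, Installed
```

If `UpdateServices` shows `Installed = False`, install and configure WSUS and the software update point first; the definition-update delivery described later in this article depends on them.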
Where Should I Install the Endpoint Protection Role?
The SCCM Endpoint Protection point role must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone SCCM primary site.
Before you install the Endpoint Protection point role, WSUS must be installed and configured for software update synchronization. Learn how to install WSUS for Configuration Manager.
Note: When you install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint Protection point.
Install Endpoint Protection Role in SCCM
Let’s see how to install the Endpoint protection role in SCCM:
- Launch the Configuration Manager console.
- Go to Administration > Site Configuration > Servers and Site System Roles
- Right-click the server and select Add site system roles.
- From the list of roles, select the Endpoint Protection Point. Click Next.
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms. Select I accept the Endpoint Protection license terms and click Next.
On the Cloud Protection Service page, choose the membership level. This configures the Cloud Protection Service (formerly Microsoft Active Protection Service, or MAPS) settings that clients use by default; you can override them in each antimalware policy you create.
Select Basic membership and click Next.
On the Summary page, review the settings and click Next. When the wizard reports that the Endpoint Protection point has been installed successfully, click Close. You can confirm the installation in EPSetup.log on the site server.
Enable Endpoint Protection using Custom Device Settings
After you install the Endpoint Protection point role, create a custom client device settings object to enable Endpoint Protection on client computers.
You need to enable this setting for Configuration Manager to install and manage the Endpoint Protection client. In the Configuration Manager console, go to Administration > Client Settings, right-click Client Settings and select Create Custom Client Device Settings.
Specify a name for the custom client device settings, check Endpoint Protection and click OK.
- In the left pane click Endpoint Protection. In the right pane set Manage Endpoint Protection client on client computers to Yes.
- With this setting enabled, Configuration Manager manages the Endpoint Protection client (or the built-in Microsoft Defender Antivirus on Windows 10 and later) on the client computers.
- The second setting, Install Endpoint Protection client on client computers, controls installation. When it is set to Yes and these device settings are deployed to a collection, the Endpoint Protection client is installed on every computer in that collection that does not already have it. Click OK.
Deploy Endpoint Protection Client Settings
The next step after enabling the Endpoint protection via custom settings is to deploy the Endpoint protection client settings to a device collection.
To deploy the Endpoint Protection client settings:
- Launch the SCCM Console.
- Navigate to Administration\Overview\Client Settings.
- Right-click the custom client device settings you created and select Deploy.
- On Select Collection window, choose the device collection to which you want to deploy the settings.
After you deploy the client settings, the targeted clients install the Endpoint Protection client (on Windows 10 and later, the built-in Microsoft Defender Antivirus simply comes under Configuration Manager management) and receive the Endpoint Protection settings you created in the step above.
On the client computer, when you launch the Endpoint Protection client, it shows PC Status: At Risk. Don't worry: the client is newly installed and the status is red only because no definition updates have been downloaded yet.
Clicking the update button will download the latest Endpoint protection definition updates on the client computers.
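The same two steps (create the custom device settings with the Endpoint Protection section enabled, then deploy them to a collection) as a script, as an added example that is not part of the original article. It uses the ConfigurationManager PowerShell module that ships with the admin console; the site code, SMS provider host, settings name and collection name are assumptions.

```powershell
# Added example: create and deploy the custom client device settings that enable
# and install the Endpoint Protection client. Run on a machine with the admin console.
$SiteCode       = 'PS1'                     # assumption
$ProviderHost   = 'cm01.contoso.local'      # assumption: SMS provider machine
$SettingsName   = 'Endpoint Protection Settings'
$CollectionName = 'All Workstations'        # assumption: target device collection

# Load the module from the console install path and connect to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderHost | Out-Null
}
Set-Location "$($SiteCode):"

# 1. Create the custom device settings (Create Custom Client Device Settings in the console).
if (-not (Get-CMClientSetting -Name $SettingsName)) {
    New-CMClientSetting -Name $SettingsName -Type Device | Out-Null
}

# 2. Enable the Endpoint Protection section: manage the client, install it where it is absent,
#    remove third-party antimalware and suppress the post-install reboot, matching the console
#    check boxes of the same names.
Set-CMClientSettingEndpointProtection -Name $SettingsName `
    -ManageEndpointProtectionClient  $true `
    -InstallEndpointProtectionClient $true `
    -RemoveThirdParty                $true `
    -SuppressReboot                  $true `
    -PersistInstallation             $true

# 3. Deploy the settings to the collection (right-click > Deploy in the console).
Start-CMClientSettingDeployment -ClientSettingName $SettingsName -CollectionName $CollectionName

# 4. Review what was created. Custom settings win over the Default Client Settings, and a
#    lower Priority number wins when several custom settings apply to the same device.
Get-CMClientSetting -Name $SettingsName | Select-Object Name, Type, Priority, SettingsID
```

Clients pick up the new settings on their next policy retrieval cycle; trigger it from Software Center or wait for the default interval before checking the client.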
Create Endpoint Protection Antimalware Policy
The Antimalware policy includes information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected.
Antimalware policies when deployed to the device collections specify how Endpoint Protection protects them from malware and other threats.
When you enable Endpoint Protection, the Default Client Antimalware Policy applies to every managed client. Create your own antimalware policy soon after installing the role so that you, and not the defaults, decide the scan, protection and definition-update settings.
You can either edit the default client Antimalware policy or create a new Antimalware policy defining settings and apply them to your computers.
In addition, you can also use additional policy templates that are supplied or create your own custom Antimalware policies to meet the specific needs of your environment.
It’s recommended to create your own Antimalware policy. This way you can customize the settings required by your organization.
Here are the steps to create Endpoint Protection Antimalware Policy:
- Launch the Configuration Manager console.
- Go to Assets and Compliance\Overview\Endpoint Protection\Antimalware Policies.
- Right-click Antimalware Policies and select Create Antimalware Policy.
Specify a name for the new antimalware policy and select the settings sections the policy should contain (for example Scheduled scans, Scan settings, Default actions, Real-time protection, Definition updates and Cloud Protection Service). Sections you leave unselected fall back to the Default Client Antimalware Policy on the client. Click OK.
Customize Antimalware Policy Settings
Let’s look at the steps to customize Antimalware policy settings. On the left pane, click Definition updates. Here you can configure how Endpoint Protection clients will receive definition updates.
Click Set Source. A new window lists the sources from which Endpoint Protection clients can obtain definition updates. Select Updates distributed from Configuration Manager; this option uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy. Before you clear the remaining sources, consider leaving Microsoft Update and the Microsoft Malware Protection Center enabled as lower-priority fallbacks: a client that cannot reach a distribution point (for example a laptop off the corporate network) would otherwise stop receiving definitions entirely. Order the sources so that Configuration Manager is tried first, then click OK.
On the left pane select Scan Settings, on the right pane you will find the scan settings such as scan email and attachments, scan removable drives etc. Configure these settings as per your requirements and click OK.
The next step is to deploy the custom Antimalware policy to a collection. Right-click on the Antimalware policy and click Deploy. Choose the target collection and click OK.
To make the collection visible in the Endpoint Protection dashboard and raise alerts for it, go to Assets and Compliance > Device Collections, right-click the collection to which you deployed the antimalware policy and click Properties. On the Alerts tab, check View this collection in the Endpoint Protection Dashboard and click Add.
In the Add New Collection Alerts window, check all the boxes and click OK. Click OK again to close the collection properties window.
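The policy creation, deployment and export steps above as a script, added here as an example that is not part of the original article. It uses the ConfigurationManager module; the site code, SMS provider host, policy name, collection name and export path are assumptions. The Definition updates source order and the collection alert settings have no dedicated cmdlet that this example relies on, so they stay console steps; the export at the end lets you confirm what the console saved.

```powershell
# Added example: create a custom antimalware policy, deploy it to a collection and
# export the resulting policy XML for review or version control.
$SiteCode       = 'PS1'                     # assumption
$ProviderHost   = 'cm01.contoso.local'      # assumption: SMS provider machine
$PolicyName     = 'Workstation Antimalware Policy'
$CollectionName = 'All Workstations'        # assumption: target device collection
$ExportPath     = 'C:\Temp\WorkstationAntimalwarePolicy.xml'   # assumption

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderHost | Out-Null
}
Set-Location "$($SiteCode):"

# 1. Create the policy with the settings sections it should carry. Sections not listed
#    here are not part of this policy and fall back to the Default Client Antimalware Policy.
if (-not (Get-CMAntimalwarePolicy -Name $PolicyName)) {
    New-CMAntimalwarePolicy -Name $PolicyName `
        -Description 'Custom EP policy: CM-delivered definitions, weekly full scan' `
        -Policy ScheduledScans, ScanSettings, DefaultActions, RealTimeProtection,
                DefinitionUpdates, CloudProtectionService | Out-Null
}

# 2. Deploy it to the collection (right-click > Deploy in the console). When several
#    policies target the same device, the one with the lower Priority value wins.
$policy = Get-CMAntimalwarePolicy -Name $PolicyName
Start-CMAntimalwarePolicyDeployment -AntimalwarePolicy $policy -CollectionName $CollectionName

# 3. Export the policy so the settings edited in the console (including the Definition
#    updates source order) can be reviewed, diffed and re-imported elsewhere.
Export-CMAntimalwarePolicy -InputObject $policy -Path $ExportPath
Get-Content $ExportPath | Select-String -Pattern 'DefinitionUpdate|FallbackOrder' |
    Select-Object -First 10
```

Re-run the export after each console change to keep a record of the policy as deployed; a policy imported from that XML with `New-CMAntimalwarePolicy -Path` is a quick way to reproduce it in a second site.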
Enable Definition Updates in Software Update Point
The below steps show you how to configure the Software Update Point to enable the Endpoint Protection Definition updates.
- Launch the Configuration Manager console.
- Go to Administration > Site Configuration > Sites.
- Under Configure Site Components, click Software Update Point.
- In the Classifications tab you must select Definition Updates. Click on Apply.
In the Products tab, select Forefront Endpoint Protection 2010 as the product. If your clients run Windows 10 or later, also select the Windows Defender product, which carries the Microsoft Defender Antivirus definition updates for those versions. Click Apply and then OK.
Synchronize Endpoint Protection Updates in SCCM
In the Configuration Manager console, Click on Software Library, expand Software Updates, right click on All Software Updates and choose Synchronize Software Updates. After the synchronization process is over you should see the list of definition updates under All Software Updates.
We will now select all the definition updates and put them inside a Software Update Group. To create a SUG, select the updates and right click and click on Create Software Update Group. Provide a name to SUG and click Create.
Deploy Endpoint Protection Updates using SCCM
In Configuration Manager, there are 2 ways to deploy the definitions
- Manually deploy Endpoint Protection updates
- Automatic deployment of Endpoint Protection updates
In this example, we will deploy the Endpoint Protection definitions manually. Because Microsoft releases definition updates several times a day, a manual deployment goes stale almost immediately; for production use, create an Automatic Deployment Rule in SCCM that synchronizes and deploys new definitions on a schedule.
Click on Software Update Groups, right-click on the Software Update Group that we created and click on Deploy.
Specify the Deployment Name, choose the collection to which you want to deploy this software update deployment. Click Next.
Set the Type of Deployment to Required and set the Detail Level to Only success and error messages. Click Next.
Set Time based on to Client local time, Software available time to a specific time, and Installation deadline to As soon as possible. Click Next.
If you are using Configuration Manager software updates to distribute definition updates, consider placing definition updates in a package that does not contain other software updates. This keeps the size of the definition update package smaller which allows it to replicate to distribution points more quickly.
We will create a new deployment package to deploy the definition updates. Specify the Name and Package source and click Next.
Add the DP and click Next.
Choose Download software updates from the Internet. Click Next and click Close to close the wizard.
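The complete definition-update chain from this section and the two preceding ones (software update point classification and products, synchronization, software update group, dedicated deployment package, distribution and a required deployment) as one script, added here as an example that is not part of the original article. It uses the ConfigurationManager module; the site code, SMS provider host, distribution point, package source share, collection and object names are assumptions, and the package source path must be an empty share reserved for definitions.

```powershell
# Added example: configure, synchronize, package and deploy Endpoint Protection
# definition updates with the ConfigurationManager module.
$SiteCode       = 'PS1'                                   # assumption
$ProviderHost   = 'cm01.contoso.local'                    # assumption: SMS provider machine
$DPName         = 'cm01.contoso.local'                    # assumption: distribution point
$CollectionName = 'All Workstations'                      # assumption
$SugName        = 'EP Definition Updates'
$PackageName    = 'EP Definition Updates Package'
$PackageSource  = '\\cm01\Sources\Updates\EPDefinitions'  # assumption: empty, definitions only

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderHost | Out-Null
}
Set-Location "$($SiteCode):"

# 1. Classification and products (the Software Update Point component tabs).
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -AddUpdateClassification 'Definition Updates' `
    -AddProduct 'Forefront Endpoint Protection 2010', 'Windows Defender'

# 2. Full synchronization, then wait (up to 30 minutes) for a successful sync newer than
#    the moment we started it before querying the catalog.
$started = Get-Date
Sync-CMSoftwareUpdate -FullSync $true
$attempt = 0
do {
    Start-Sleep -Seconds 60
    $sync = Get-CMSoftwareUpdateSyncStatus |
            Sort-Object LastSuccessfulSyncTime -Descending | Select-Object -First 1
    $attempt++
} until ($sync.LastSuccessfulSyncTime -gt $started -or $attempt -ge 30)
if ($sync.LastSuccessfulSyncTime -le $started) { throw 'Software update sync did not complete; check wsyncmgr.log.' }

# 3. Collect current (not superseded, not expired) definition updates into a software update group.
$defs = Get-CMSoftwareUpdate -Fast -CategoryName 'Definition Updates' |
        Where-Object { -not $_.IsSuperseded -and -not $_.IsExpired }
if (-not $defs) { throw 'No definition updates found after sync.' }

if (-not (Get-CMSoftwareUpdateGroup -Name $SugName)) {
    New-CMSoftwareUpdateGroup -Name $SugName -SoftwareUpdateId $defs.CI_ID | Out-Null
} else {
    Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $SugName -SoftwareUpdateId $defs.CI_ID
}

# 4. Keep definitions in their own small package so it replicates to DPs quickly.
if (-not (Get-CMSoftwareUpdateDeploymentPackage -Name $PackageName)) {
    New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackageSource | Out-Null
}
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $SugName -DeploymentPackageName $PackageName `
    -SoftwareUpdateLanguage 'English'
Start-CMContentDistribution -DeploymentPackageName $PackageName -DistributionPointName $DPName

# 5. Required deployment, client local time, available now, deadline as soon as possible,
#    success and error messages only; allow clients to fall back to Microsoft Update.
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $SugName -CollectionName $CollectionName `
    -DeploymentName 'EP Definition Updates - Required' `
    -DeploymentType Required `
    -VerbosityLevel OnlySuccessAndErrorMessages `
    -TimeBasedOn LocalTime `
    -AvailableDateTime (Get-Date) `
    -DeadlineDateTime (Get-Date) `
    -UserNotification HideAll `
    -SoftwareInstallation $true `
    -AllowRestart $false `
    -DownloadFromMicrosoftUpdate $true
```

Steps 2 to 5 are exactly what an Automatic Deployment Rule repeats on a schedule; once this one-off deployment is verified, replace it with an ADR so that definitions are not stale by the next day.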
On the client machine we see a notification that Software changes are required.
The definition updates are downloaded from the DP and then installed on the client systems.
The definition updates are installed successfully.
Now the status of the Endpoint Protection client is green and the virus and spyware definitions are reported as up to date.
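A client-side check that confirms what the green status above means, and that explains the earlier At Risk state, as an added example that is not part of the original article. It reads local Microsoft Defender Antivirus state with the Defender PowerShell module (available on Windows 8.1 / Server 2012 R2 and later; the older System Center Endpoint Protection client on Windows 7 does not provide these cmdlets) and tails the Configuration Manager client logs. The signature-age threshold is an assumption.

```powershell
# Added example: verify on a managed client that the antimalware policy and the
# definition updates actually arrived. Read-only; nothing is changed.
$maxSignatureAgeDays = 1   # assumption: anything older is worth investigating

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AMEngineVersion           = $status.AMEngineVersion
    AntivirusSignatureVersion = $status.AntivirusSignatureVersion
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays          = $status.AntivirusSignatureAge
    LastFullScanEnd           = $status.FullScanEndTime
    # Source order the client tries for definitions; this is what the policy's
    # Definition updates > Set Source list becomes on the client.
    SignatureFallbackOrder    = $pref.SignatureFallbackOrder
    SignatureUpdateIntervalHr = $pref.SignatureUpdateInterval
} | Format-List

# The At Risk state seen right after install is stale (or absent) signatures; flag that case.
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    Write-Warning "Definitions are $($status.AntivirusSignatureAge) day(s) old; check the definition deployment."
}
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off; check the antimalware policy that applies to this device.'
}

# Configuration Manager client logs: policy application and definition installs land here.
$cmLogs = 'C:\Windows\CCM\Logs\EndpointProtectionAgent.log',
          'C:\Windows\CCM\Logs\UpdatesDeployment.log'
foreach ($log in $cmLogs) {
    if (Test-Path $log) {
        Write-Host "--- $log (last 20 lines with error/fail) ---"
        Get-Content $log -Tail 20 | Select-String -Pattern 'error|fail'
    }
}
```

A `SignatureFallbackOrder` that lists `InternalDefinitionUpdateServer` or `MMPC` before the Configuration Manager source, or that omits the fallbacks entirely, tells you the Set Source ordering in the policy is not what you intended.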