
System Center 2012 R2 Configuration Manager – Deploying Endpoint Protection

This guide is in continuation to my guide on deploying system center 2012 r2 configuration manager, as found here.

In this tutorial, we will cover basic deployment and configuration of Endpoint Protection to client workstations. This tutorial is largely based off of user anyweb's guide on windows-noob.com. Make sure to give him some credit over on his forum 🙂

Topics covered: adding the Endpoint Protection role, configuring alerts, and creating custom antimalware policies.

Definition

Per the following Technet article (http://technet.microsoft.com/en-us/library/hh508781.aspx), Endpoint Protection in System Center 2012 Configuration Manager provides security, antimalware, and Windows Firewall management for computers in your enterprise.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:

  • You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
  • You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
  • You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Creating Endpoint Protection Hierarchy via Folders

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. On the Assets and Compliance pane, select Device Collections, and then right click and select Create Folder
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Device Collections - New Folder
  3. Enter Endpoint Protection for the folder name and click OK
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Device Collections - New Folder - Endpoint Protection
  4. Select your Endpoint Protection folder under Device Collections and create two more folders called Endpoint Protection Managed Clients and Endpoint Protection Managed Servers
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Device Collections - Endpoint Protection Managed Clients-Servers

Create Device Collections to categorize devices managed by SCCM

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. On the Assets and Compliance pane, select Device Collections, Endpoint Protection Managed Clients, then right click and select Create Device Collection
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Endpoint Protection Managed Clients - Create Device Collection
  3. Enter Endpoint Protection Managed Desktops for the name and then a comment describing what the group will hold (Desktops in this example), and then click Browse...
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Managed Desktops
  4. Select All Systems and click OK
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Managed Desktops - Select Collection
  5. Click Next >
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Managed Desktops - All Systems
  6. Click Next >
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Membership Rules
  7. Click OK on the dialog box explaining we have set no rules
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Membership Rules - Dialog
  8. Click Next >
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Summary
  9. Click Close
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Completion
  10. Repeat steps 2-9 to create another group for Laptops
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Endpoint Protection Managed Clients - Desktops and Laptops
  11. Select Endpoint Protection Managed Servers and repeat steps 2-9 to create the following groups
    1. Note: This step is optional; it is more for organization. If you don't have all of these services/servers deployed in your environment, you don't have to create these Collections.
      1. Endpoint Protection Managed Servers - Configuration Manager
      2. Endpoint Protection Managed Servers - DHCP
      3. Endpoint Protection Managed Servers - Domain Controller
      4. Endpoint Protection Managed Servers - Exchange
      5. Endpoint Protection Managed Servers - File Server
      6. Endpoint Protection Managed Servers - Hyper-V
      7. Endpoint Protection Managed Servers - IIS
      8. Endpoint Protection Managed Servers - Operations Manager
      9. Endpoint Protection Managed Servers - SharePoint
      10. Endpoint Protection Managed Servers - SQL Server
        System Center 2012 R2 Configuration Manager - Assets and Compliance - Endpoint Protection Managed Servers
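The same collection hierarchy can be scripted with the ConfigurationManager PowerShell module that ships with the console. This is an added example, not code from the original post; it assumes the site code is PS1, that the console is installed on the machine running it, and that the two Endpoint Protection folders were already created in the console as described above.

```powershell
# Added example (not from the original post): creates the Endpoint Protection
# device collections from the steps above using the ConfigurationManager module.
# Assumptions: site code PS1 (replace with yours), console installed locally,
# and the "Endpoint Protection" folders already exist under Device Collections.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"

$limiting = "All Systems"
$clientTypes = @("Desktops", "Laptops")
$serverRoles = @("Configuration Manager", "DHCP", "Domain Controller", "Exchange",
                 "File Server", "Hyper-V", "IIS", "Operations Manager",
                 "SharePoint", "SQL Server")

function New-EpCollection {
    param([string]$Name, [string]$Comment, [string]$FolderPath)
    # Skip collections that already exist so the script is safe to re-run
    if (Get-CMDeviceCollection -Name $Name) {
        Write-Output "Exists, skipping: $Name"
        return
    }
    $coll = New-CMDeviceCollection -Name $Name -Comment $Comment `
                -LimitingCollectionName $limiting
    # Move the new collection into the folder created earlier in the console
    Move-CMObject -FolderPath $FolderPath -InputObject $coll
    Write-Output "Created: $Name"
}

foreach ($t in $clientTypes) {
    New-EpCollection -Name "Endpoint Protection Managed $t" `
        -Comment "$t managed by Endpoint Protection" `
        -FolderPath "PS1:\DeviceCollection\Endpoint Protection\Endpoint Protection Managed Clients"
}

foreach ($r in $serverRoles) {
    New-EpCollection -Name "Endpoint Protection Managed Servers - $r" `
        -Comment "$r servers managed by Endpoint Protection" `
        -FolderPath "PS1:\DeviceCollection\Endpoint Protection\Endpoint Protection Managed Servers"
}
```

The collections are created with All Systems as the limiting collection and no membership rules, exactly as the wizard steps leave them; add direct or query rules afterwards.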

Enable the Endpoint Protection Role

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration, Site Configuration, Servers and Site System Roles, then right click on your Primary site and select Add Site System Roles
    System Center 2012 R2 Configuration Manager - Administration - Servers and Site System Roles - Add Site System Roles
  3. Click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - General
  4. Click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - Proxy
  5. Check Endpoint Protection point
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Endpoint Protection point
  6. Click OK on the Configuration Manager dialog
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Endpoint Protection point - Confirm
  7. Click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Endpoint Protection point - Checked
  8. Check I accept the Endpoint Protection license terms and click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Endpoint Protection - Accept EULA
  9. Check Advanced membership and click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Microsoft Active Protection Service

    1. Note: MAPS can be joined with a basic or an advanced membership. Basic member reports contain the information described above. Advanced member reports are more comprehensive and may include additional details about the software Endpoint Protection detects, including the location of such software, file names, how the software operates, and how it has impacted your computer. These reports, along with reports from other Endpoint Protection users who are participating in MAPS, help Microsoft researchers discover new threats more rapidly. Malware definitions are then created for programs that meet the analysis criteria, and the updated definitions are made available to all users through Microsoft Update.  See http://technet.microsoft.com/library/hh508835.aspx for full details.
    2. My thoughts on this are to go with Advanced.  If you are using the AV product, may as well help contribute towards making the product detect anomalies more accurately (I'll turn my Microsoft fan-boyness off now :))
  10. Click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - Summary
  11. Click Close
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - Completion

Configuring Endpoint Protection Alerting

  1. Email Alerting
  2. Device Collection Alerting

Configure SUP for Endpoint Protection

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration, Overview, Site Configuration, Sites and then select Settings, Configure Site Components, Software Update Point
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Configure Site Components - SUP
  3. Select the Products tab and then check Forefront Endpoint Protection 2010 and click OK
    System Center 2012 R2 Configuration Manager - Software Update Point Components Properties - Forefront Endpoint Protection 2010
  4. Select Software Library, expand Software Updates and right click on All Software Updates and select Synchronize Software Updates
    System Center 2012 R2 Configuration Manager - Software Library - Software Updates - All Software Updates - Synchronize Software Updates
  5. Click Yes on the Run Synchronization dialog box
    System Center 2012 R2 Configuration Manager - Run Synchronization - check SMS_WSUS_SYNC_MANAGER for component status

Configure SUP to deliver Definition Updates using an Automatic Deployment Rule

  1. Create a new shared folder called EndpointProtection in your WSUS directory
    System Center 2012 R2 Configuration Manager - EndpointProtection Folder
  2. Share the folder with the Everyone group
    1. Right click on the folder and select Properties
      System Center 2012 R2 Configuration Manager - EndpointProtection Folder - Properties
    2. Select the Sharing tab and then click the Share... button
      System Center 2012 R2 Configuration Manager - EndpointProtection Folder - Properties - Sharing
    3. Type Everyone and then click Add.  Ensure the Permission level is Read and then click Share
      System Center 2012 R2 Configuration Manager - EndpointProtection Folder - Properties - Sharing - Everyone
  3. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  4. Select Software Library, Expand Overview, Software Updates, and select Automatic Deployment Rules.  Right click and select Create Automatic Deployment Rule
    System Center 2012 R2 Configuration Manager - Software Library - Software Updates - Automatic Deployment Rules - Create
  5. Enter in a Name and Description for your Automatic Deployment Rule and then click on the Browse... button
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - General
  6. Select one of the Device Collections we created earlier and then click OK
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - General - Select Collection
  7. Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - General - Collection
  8. Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Settings
  9. Check Date Released or Revised and Product, set Date Released or Revised to Last 1 day and Product to Forefront Endpoint Protection 2010, and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Software Updates
  10. Check Run the rule on a schedule, click the Customize... button, set the schedule to recur every 1 day at 12:00 AM, and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Software Updates - Custom Schedule
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Evaluation Schedule
  11. Set Time based on UTC and set Installation deadline As soon as possible and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Schedule
  12. Check Servers on Device restart behavior (this will prevent a server from restarting from an update), and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - User Experience
  13. Check Generate an alert when the following conditions are met and click Next >
    1. NOTE: This is an optional step. If you would like an alert to be triggered when X% of your clients do not have the latest virus definitions, use this option. If you do not wish to be alerted, leave the box unchecked and click Next >. In this particular example, you will receive an alert once 15% of the clients have out-of-date virus definitions.
      System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Alerts
  14. Check Download software updates from distribution point and install, check Download and install software updates from the fallback content source location, and click Next >
    1. Optionally, you can check If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft Update, to ensure your clients always have a source from which to download the latest virus definitions.
      System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Download Settings
  15. Enter Endpoint Protection Definition Updates for the Name and the following Description: "This new deployment package will contain our Endpoint Protection definition updates. We will run this automatic deployment rule only once and then retire it. We do this in order to create the Deployment Package. In the next automatic deployment rule we will select this package instead of creating a new deployment package." Then type in the share path to your sccm folder (\\sccm\EndpointProtection) and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Package
  16. Click Add, Distribution Point
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Package - Distribution Points
  17. Check your site and click OK
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Package - Distribution Points - Add
  18. Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Package - Distribution Points - Added
  19. Ensure Download software updates from the Internet is checked and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Download Location
  20. Check the languages you want to support and then click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Language Selection
  21. Click Save As Template..., click Browse... and enter Endpoint Protection Managed Servers and click Save
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Summary
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Summary - Save as Template
  22. Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Summary - Next
  23. Click Close
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Completion
  24. Right click on your Endpoint Protection rule and select Disable
    System Center 2012 R2 Configuration Manager - Software Library - Software Updates - Automatic Deployment Rules - Endpoint Protection - Disable
  25. Repeat steps 3-23, using Endpoint Protection Managed Servers as a template in Step 4 for each of the Device Collection groups we created.
    System Center 2012 R2 Configuration Manager - Software Library - Software Updates - Automatic Deployment Rules - Endpoint Protection Rules
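The per-collection rules from step 25 can also be generated with New-CMSoftwareUpdateAutoDeploymentRule instead of re-running the wizard for each collection. This is an added example, not code from the original post; it assumes site code PS1, that the Endpoint Protection Definition Updates package from step 15 already exists, and that the parameter names are as I recall them for the 2012 R2 cmdlets, so confirm them with Get-Help New-CMSoftwareUpdateAutoDeploymentRule before relying on it.

```powershell
# Added example (not from the original post): creates one definition-update ADR
# per server collection, mirroring the wizard choices in steps 9-14 and 19-20.
# Assumptions: site code PS1, the deployment package from step 15 exists, and
# parameter names match the 2012 R2 ConfigurationManager module (check Get-Help).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"

$packageName = "Endpoint Protection Definition Updates"   # created in step 15
$serverRoles = @("Configuration Manager", "DHCP", "Domain Controller", "Exchange",
                 "File Server", "Hyper-V", "IIS", "Operations Manager",
                 "SharePoint", "SQL Server")

# Step 10: run the rule once a day at 12:00 AM
$daily = New-CMSchedule -Start (Get-Date -Hour 0 -Minute 0 -Second 0) `
             -RecurInterval Days -RecurCount 1

foreach ($r in $serverRoles) {
    $collection = "Endpoint Protection Managed Servers - $r"
    if (-not (Get-CMDeviceCollection -Name $collection)) {
        Write-Output "Collection missing, skipping: $collection"
        continue
    }
    New-CMSoftwareUpdateAutoDeploymentRule `
        -Name "Endpoint Protection Definitions - $r" `
        -Description "Daily definition updates for $r servers" `
        -CollectionName $collection `
        -DeployWithoutLicense $true `
        -Product "Forefront Endpoint Protection 2010" `
        -DateReleasedOrRevised Last1Day `
        -RunType RunTheRuleOnSchedule -Schedule $daily `
        -UseUtc $true -DeadlineImmediately $true `
        -SuppressRestartServer $true `
        -GenerateSuccessAlert $true -SuccessPercentage 85 `
        -DownloadFromMicrosoftUpdate $true -DownloadFromInternet $true `
        -DeploymentPackageName $packageName `
        -LanguageSelection "English"
    Write-Output "Created ADR for: $collection"
}
```

SuccessPercentage 85 is the cmdlet's way of expressing the step 13 alert: compliance below 85% means more than 15% of clients have out-of-date definitions.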

Configure custom antimalware policies

In this section we will configure how Endpoint Protection will function on the client machines.

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Assets and Compliance, Endpoint Protection, and then click the Create Antimalware Policy button
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Create
  3. Set a Name and Description for your Endpoint Protection Antimalware Policy, and then check each of the boxes for the options you wish to configure.  Go through each of the tabs and customize how you wish the agent to run.  Then click OK
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Create - General
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Create - Definition updates
  4. Right click on your custom policy and click Deploy
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Deploy
  5. Select the group you wish to target (in this case, configuration manager), and click OK
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Deploy - Select Collection

Configure Custom Device Settings

In this section we will configure the client policy to tell the machine it is managed by Endpoint Protection.

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration, Client Settings, and then click on Create Custom Client Device Settings
    System Center 2012 R2 Configuration Manager - Overview - Client Settings - Create Custom Client Device Settings
  3. Enter in a Name (Custom Client Device Settings - Endpoint Protection Managed Servers - Configuration Manager), Description (Custom client device settings for servers related to configuration manager), and check Endpoint Protection
    System Center 2012 R2 Configuration Manager - Overview - Client Settings - Create Custom Client Device Settings - General Tab
  4. On the Endpoint Protection tab use the following settings and then click OK
    1. Manage Endpoint Protection client on client computers: Yes
    2. Allow Endpoint Protection client installation and restarts outside maintenance windows. Maintenance windows must be at least 30 minutes long for client installation: Yes
      System Center 2012 R2 Configuration Manager - Overview - Client Settings - Create Custom Client Device Settings - Endpoint Protection Tab
  5. Right click on your new Custom Client Device Settings policy and select Deploy
    System Center 2012 R2 Configuration Manager - Administration - Client Settings - Deploy Custom Client Device Settings
  6. Select the group of machines you want to deploy the agents to and select OK
    System Center 2012 R2 Configuration Manager - Administration - Client Settings - Deploy Custom Client Device Settings - Select Collection

Verify the client shows the policy

  1. Open the Endpoint Protection agent and select About
    System Center Endpoint Protection Client - About
  2. Verify you see your custom antimalware policy
    System Center Endpoint Protection Client - About - Custom Antimalware Policy
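Beyond eyeballing the About dialog, the same checks can be run on a client to confirm the agent is enabled and its definitions are within the daily cadence the ADR delivers. This is an added example, not code from the original post; it assumes the Endpoint Protection client exposes the AntimalwareHealthStatus class in the root\Microsoft\SecurityClient WMI namespace with the properties used below (confirm with Get-WmiObject ... | Format-List *).

```powershell
# Added example (not from the original post): verifies on a managed client that
# Endpoint Protection is running with current definitions. Assumption: the SCEP
# client provides root\Microsoft\SecurityClient\AntimalwareHealthStatus with the
# AntivirusEnabled, RtpEnabled, AntivirusSignatureAge (days) and
# AntivirusSignatureVersion properties. Suitable as a compliance-item script.
param([int]$MaxSignatureAgeDays = 1)   # matches the daily ADR schedule

function Test-EpClientHealth {
    param([int]$MaxAgeDays)
    $status = Get-WmiObject -Namespace "root\Microsoft\SecurityClient" `
                  -Class AntimalwareHealthStatus -ErrorAction SilentlyContinue
    if (-not $status) {
        return @{ Compliant = $false; Problems = @("Endpoint Protection client not found") }
    }

    $problems = @()
    if (-not $status.AntivirusEnabled) { $problems += "antivirus engine disabled" }
    if (-not $status.RtpEnabled)       { $problems += "real-time protection disabled" }
    if ($status.AntivirusSignatureAge -gt $MaxAgeDays) {
        $problems += ("definitions {0} days old (version {1}), limit {2}" -f
                      $status.AntivirusSignatureAge,
                      $status.AntivirusSignatureVersion, $MaxAgeDays)
    }
    return @{ Compliant = ($problems.Count -eq 0); Problems = $problems }
}

$result = Test-EpClientHealth -MaxAgeDays $MaxSignatureAgeDays
if ($result.Compliant) {
    # Single-word output keeps it usable as a ConfigMgr compliance-rule script
    Write-Output "Compliant"
} else {
    Write-Output ("Non-compliant: " + ($result.Problems -join "; "))
    exit 1
}
```

A client that reports Compliant here but still shows the default policy in the About dialog has not yet received the custom antimalware policy, so check the collection targeting from the Configure custom antimalware policies section.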