
In this article by Nicolai Henriksen, the author of the book Microsoft System Center 1511 Endpoint Protection Cookbook, we will cover how you need to configure Endpoint Protection in Configuration Manager.


This is the part where you need to think through every setting you make, so that it has the impact and benefit you want in your organization.

How to configure Endpoint Protection in Configuration Manager

To manage security and malware on your client computers with Endpoint Protection, there are a few things you must set up and configure to get it working in System Center Configuration Manager (SCCM).

Getting ready

In this article we assume that you have SCCM in place and working, and that you have set up and installed the Software Update Point Role with its prerequisites, such as Windows Server Update Services (WSUS).

We also assume that you have planned and thought through what impact this has in your environment, and that you have a good understanding of how this should and would work in your Configuration Manager hierarchy.

How to do it…

First we start with installing the Endpoint Protection Role from within the SCCM console. This role must be installed before you can use and configure Endpoint Protection.

It must be installed on only one site system server, and it must be installed at the top of your hierarchy: if you have a Central Administration Site (CAS) you install it there, and if you have a stand-alone primary site you install it there.

Be aware that when you install the Endpoint Protection Role on the site server, it will also install the Endpoint Protection client on that same server. This is by default and cannot be changed. However, services and scans are disabled so that you can still run any other existing anti-malware solution that you may already have in place. No real-time scanning or any other form of scanning will be performed by Endpoint Protection before you enable it with a policy. Keep this in mind so that you don’t accidentally enable it while another anti-malware solution is installed.

Installing the Endpoint Protection Role is pretty easy and straightforward; these are the steps to do it.

To install and configure the Endpoint Protection Role, open the Configuration Manager console and click Administration. In the Administration workspace, expand Site Configuration and click Servers and Site System Roles.

Click Add Site System Roles, as shown in the picture below:

On the next screen I choose to use the default settings, which will use the server’s computer account to install the Role on the chosen server. In my case I have a single primary site server where all the Roles reside, and this requires no other preparation. However, keep in mind that if you are adding Roles to other site system servers, you must add the primary site server’s computer account to the local Administrators group on those servers, or you could use an installation account as shown in the following figure:

Let’s click Next >.

This is the page where we choose the Endpoint Protection Role that we want to install.

It will list only the Roles that you have not already added to the chosen server.

Note that it also warns you to have software updates and anti-malware definitions already in place and deployed. The warning will show regardless of whether you have this already in place or not, as shown in the next screenshot.

The next page of the wizard is about the Microsoft Active Protection Service (MAPS) membership.

I like to think of this as the cloud feature, and I encourage you to consider setting this to Advanced membership, as that will give you and Microsoft a greater chance of dealing with unknown types of malware. This will send more information from the infected client about the surroundings of the malware, and Microsoft can investigate the bits and pieces more thoroughly in their environment in the cloud service. If it turns out that this is infectious malware, like a Trojan downloader for example, the client will get further removal instructions directly and try its best to remove it automatically.

This feature will work whichever option you choose, but it will work even better if you choose to share some more information. Most other anti-virus and anti-malware products don’t ask about this; they just enable it. Microsoft has chosen to let you decide, because there could be situations where you might not want to share this at all.

You can always choose Do not join MAPS in this page and decide individually in each Endpoint Protection Policy how you want it. Setting it here simply makes this the default setting for every policy made afterwards.

Clicking Next > and Finish will start the installation of the Endpoint Protection Role, which will finish in a few minutes.

In the Monitoring | Components status shown below you can see two components starting with SMS_ENDPOINT_PROTECTION that will have a green icon on the left and will tell you that the Role is installed.
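
The wizard steps above can also be scripted. The following is an added example, not code from the book: it assumes the ConfigurationManager PowerShell module installed with the console, that the SMS Provider runs on the site server, and uses placeholder values for the site code and server name.

```powershell
# Assumed placeholders: replace with your top-level site code and site server FQDN.
$SiteCode   = 'XXX'
$SiteServer = 'siteserver.example.test'

# Load the module that is installed together with the Configuration Manager console.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# The role must exist on only one site system, so check before adding it.
$existing = Get-CMEndpointProtectionPoint
if ($existing) {
    Write-Output "Endpoint Protection point already on $($existing.NetworkOSPath); nothing added."
}
else {
    # -ProtectionService sets the default MAPS membership for policies created later:
    # DoNotJoinMaps, BasicMembership or AdvancedMembership.
    Add-CMEndpointProtectionPoint -SiteSystemServerName $SiteServer -SiteCode $SiteCode `
        -ProtectionService AdvancedMembership -LicenseAgreed $true
}

# Confirm the role is registered on the intended server.
Get-CMEndpointProtectionPoint | Select-Object SiteCode, NetworkOSPath, RoleName

# Same information as Monitoring | Component Status: summarise the components
# whose names start with SMS_ENDPOINT_PROTECTION (0 = OK, 1 = Warning, 2 = Critical).
Get-CimInstance -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" `
    -ClassName SMS_ComponentSummarizer `
    -Filter "ComponentName LIKE 'SMS_ENDPOINT_PROTECTION%'" |
    Group-Object ComponentName |
    ForEach-Object {
        [pscustomobject]@{
            Component   = $_.Name
            WorstStatus = ($_.Group.Status | Measure-Object -Maximum).Maximum
        }
    }
```

The components can take a few minutes to appear after the role is added, so an empty result from the last query right after installation is expected.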

How it works…

So the Endpoint Protection Role is now installed in our SCCM hierarchy, as simple as that. But there are more configurations to do, which will be the next topic.

As mentioned earlier, the Endpoint Protection client will always be installed on the site server that has the Endpoint Protection Role installed. By default, however, it runs with no scanning or real-time protection enabled, and it appears as a red icon on the right side of the taskbar, as shown in the figure below.

Summary

In this article we learned that security is a key aspect for any organization. Because this has to do with security, misconfiguration may have a very bad outcome.
