Endpoint Protection now comes included with SCCM 2012. To use it, it simply needs to be activated in the SCCM client settings, and a policy created to manage it. This guide will focus on configuring these two items. The SCEP client installer is 25MB, and the XML files that control the policy are negligible in size. After install, the client consumes 23MB of space on the operating system.
There are several methods by which to install the SCEP client. The two most common methods are to activate the client using an SCCM client policy, or using the executable to either push it, or install it as part of a task sequence. This guide will explore activating it using the SCCM client.
Step 1: Activate the SCEP Client
Open your SCCM 2012 console. Select the Administration node, then Client Settings.
Select “Create Custom Client Device Settings” from the ribbon. In the client settings window, give your new set of settings a name and check the “Endpoint Protection” check box.
Check this box activates the Endpoint Protection settings, now shown in the left pane.
Select the Endpoint Protection pane on the left. Change the top option, “Manage Endpoint Protection client on client computers”, to yes.
Modify the rest of the settings as needed for your environment. If you want the client to automatically install with the SCCM client, be sure to leave the “Install Endpoint Protection client on client computers” set to yes. If you set “Automatically remove previously installed antimalware software before Endpoint Protection is installed” to yes, it will remove any antimalware that you have installed. The next three options all control whether or not the device will reboot after the SCEP client is installed. The final option controls whether or not alternate sources can be used for definition updates. Set this to yes if you want clients to able to use WSUS or Microsoft update to update definitions.
Select OK to save the policy.
These client settings can also be added to an existing set of client settings.
Step 2: Create Anti-Malware Policy
Select the “Assets and Compliance” node. Expand the Endpoint Protection tree, and select Antimalware polices.
I do not recommend deleting the Default Client Antimalware Policy. It is always good to have a set “default” settings that come from Microsoft. I also do not recommend editing this policy. The “Order” column reflects the priority of the policy. Order 1 is the highest priority policy. If policy 1 and policy 4 are both applied to a collection, the settings contained in policy 1 take more precedence then policies in Order 4.
Select “Create Antimalware Policy” from the ribbon. Give your policy a name, and check the settings that you want to configure. Any settings that you do not configure here will be configurable by the end user.
Configure all of these settings to fit your environment’s needs. A few highlights are setting up scheduled scans, configuring real-time protection, setting up exclusions, and how clients receive definition updates.
Setting up scheduled scans ensures that clients run either a quick or full scan at least once a week. This is essential in protecting client computers. I would recommend setting up a quick scan to run during off hours at least once a week. I would also recommend setting “Check for the latest definition updates before running a scan” to “Yes”. This setting ensures that your clients are running the most update to definitions. Another setting here to pay particular attention to is the “Limit CPU usage during scans to (%)”. Setting this will prevent SCEP from taking too much processing power.
I also recommend enabling “Real-time protection”. Setting this up allows SCEP to scan incoming traffic for potential infections. Keeping the default settings are sufficient.
Exclusions are also important to configure. Keep all of the default “Excluded files and folders”, because they are there to protect Configuration Manager. Excluding files, folders, or process prevents SCEP from removing them or preventing them from running. If you have problems with SCEP interfering, then this is where you come to exclude them from scans and real-time protection.
Definition updates are also critical to configure. Most of the default settings here are fine to keep with the exception of the highlighted option. Its default is set to 72 hours, but I think that potentially leaves the client unprotected. I prefer a 48-hour or even 24 hours window before it checks with Microsoft Update for updates.
Select OK to save the policy.
Step 3: Deploy Endpoint Protection and antimalware settings
After both the client settings and the antimalware policy are created, we need to deploy them to a collection. The same set of SCCM client settings can be applied to all devices that need to receive Endpoint Protection. If you need different antimalware policies for different computers, then create collections for these devices. I would encourage you to apply the antimalware policy first, then the SCCM client settings. This will ensure that devices have any specified exclusions before installing the Endpoint client.
To deploy the antimalware settings, select the policy and click Deploy from the ribbon. Select the collection that you want to deploy the policy too, and press OK.
The antimalware policy is now deployed to your collection.
To deploy the new client settings, go back to the Administration node. Select the Client Settings tree, and the client policy that you want to deploy.
Click Deploy in the ribbon. This brings up a similar window as deploying the antimalware policy. Select the collection that you want the client settings to apply too and press OK.
You have now deployed Endpoint Protection to your clients.