Deploying and Configuring Endpoint Protection for System Center 2012 Configuration Manager R2

Nothing fancy here but just my way of deploying Endpoint Protection using System Center 2012 R2 Configuration Manager.  I have it broken down into six sections.  Deploying the Role, Creating the needed device collections, creating the needed antimalware policies, creating the needed client settings, creating the ADR for the definitions, and monitoring .  My way works for me and the size of clients that I work with.

Endpoint Protection Point Role

We need to install the Endpoint Protection Point Role first if you haven’t done this already.

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for the new site system roles.
  3. On the Home tab, in the Server group, click Add Site System Roles.
  4. On the General page, review the settings, and then click Next
  5. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only:
    On the Proxy page, specify settings for a proxy server if site system roles that run on this site system server require a proxy server to connect to locations on the Internet, and then click Next.
  6. On the System Role Selection page, select the site system roles that you want to add, and then click “Next”.
  7. Complete the wizard

The Endpoint Protection Point will need you to accept a Microsoft License agreement. Click the box and click “Next”. On the MAPS window since this is my lab environment I will always send data to Microsoft. In a production environment please make sure your organizations policies allow you to send data to Microsoft.

Click through the summary pages and install your site server roles You can monitor the installation using the Monitoring Workspace. Click System status, then select Status Message Queries and open the query "All Status Messages." This will give you some status messages that will show if the component installed or failed. If you want you can dig deeper by viewer the actually log files using CMTrace. I prefer the log files since it will give you more details.


Device Collections

I also setup a few different type of collections for my Endpoint deployments.  We will create two folders if not already created and collections in each.  One for inventory and another for configurations.  We can then deploy our client settings to the inventory based collections and our antimalware policies to our configuration based collections.

Inventory Collections

INV_All_Windows _Servers

Configuration Collections

CFG_Endpoint Protection – Domain Controllers
CFG_Endpoint Protection – SQL Servers
CFG_Endpoint Protection – File Servers
CFG_Endpoint Protection – Exchange Servers
CFG_Endpoint Protection – Workstations


Antimalware & Windows Firewall Policies

There are times you need to have settings configured based off of server roles, etc. You may need to disable real time  protection disabled on certain servers like your SQL or File servers, set different exclusions settings, etc.   I start out creating the following 5 policies that I will deploy to the configuration collections I have already created.

EP_Antimalware – Domain Controllers
EP_Antimalware – SQL Servers
EP_Antimalware – File Servers
EP_Antimalware – Exchange Servers
EP_Antimalware – Workstations

    1. In the Configuration Manager console, click Assets and Compliance.
    2. In the Assets and Compliance workspace, expand Endpoint Protection, and right click on Antimalware Policies.  Select Create Antimalware Policy.
    3. Name the policy “EP_Antimalware – Workstations”, and your description to what this policy will do.
    4. For my workstations I will select all the settings by placing a check mark in each.
    5. On the left column select each settings and configure to your needs.
    6. Click OK
    7. Right click on “EP_Antimalware – Workstations” client policy and select deploy.
    8. Select the “CFG_Endpoint Protection – Workstations” configuration collection we have already created.
    9. Repeat for each Antimalware policy you need or want to create.

Now we need to create a client setting for our Workstations and Servers in order to enable Endpoint Protection and deploy it to our clients.


Client Settings

I will create two new Client Setting just for Endpoint Protection.  I never use the Default Client Settings to configure any settings for our environment. I also separate Client settings out by Workstations and Servers and the type of settings that may need to be adjusted per collections.

Endpoint Protection – Client Settings – Servers
Endpoint Protection – Client Settings – Workstations

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, right click on Client Settings and select Create Custom Client Device Settings.
  3. Name the Setting “Endpoint Protection – Client Settings – Servers” and add a description for the purpose of this Client Setting.
  4. Select Endpoint Protection, place a check in the box.
  5. On the left column select Endpoint Protection.
  6. Under Device settings in the window to the right change the following settings to your specified needs.  To enable Endpoint protection you will need to at least change the first setting from No to Yes.
  7. Click OK
  8. Right click on the new Client Setting “Endpoint Protection – Client Settings – Servers” and click Deploy.
  9. Select the Inventory collection “INV_All_Windows _Servers” and click OK.
  10. Repeat for the Workstations.

Now that we have both policies created and deployed as soon as your client receives a policy update you should start to see the Endpoint Protection client installed.  Make sure you have configured your antimalware policies before doing this step.


Endpoint Protection Definitions

We will want to create an Automatic Deployment Rule for our Endpoint Protection Definitions.  Pretty much this is the only time I will use ADR for anything since it isn’t yet there to handle your full blown software update needs.

First thing is to make sure that your software update point is configured to download the Forefront Endpoint Protection 2010 product updates.  After you have verified this product is included in your Software Update sync then we will need to configure the ADR.

Configuring the ADR
  1. In the Configuration Manager console, click Software Library.
  2. In the Software Library workspace, expand Software updates folder.
  3. Right click on Automatic Deployment Rule and select Create Automatic Deployment Rule.
  4. For the name, I will name mine SU_Endpoint Protection Definitions. Type in a good description about this update.
  5. Select the Definitions Updates Template that was created with the installation of ConfigMgr.
  6. The Target Collection I will choose “All Desktop and Server Clients” for now.  You may have created a separate inventory collections that combines all your devices as well.  I will just use the out of the box collection.
  7. Select Add to an existing Software Update Group
  8. Check Enable the deployment after this rule is run
  9. Click Next.
  10. On the Specify the settings for this ADR keep the defaults unless you do want to use Wake-on-Lan.
  11. Click Next
  12. On the Select the property filters and search criteria window place a check mark in Date Released or Revised, Product, and Update classification.
  13. For Date Released or Revised select Last 1 Day
  14. For Product select Forefront Endpoint Protection 2010
  15. For Update classification select Definition Updates
    1. You can hit preview on this screen to verify that there are updates available and also verify if your Software Update point has been configured to download these update types and products needed.
  16. Click Next
  17. On the Specify the recurring schedule for this rule select “Run the rule on a schedule”
  18. I personally pick to run every 4 hours.  Better to run and not find an updated definition then not run for 2 days and miss a critical definition.
  19. Click OK
  20. Click Next
  21. On the Configure schedule details for this deployment window I leave it at UTC.  This is based off of your clients choice.  I select the bullets for both to run as soon as possible. 
  22. Click Next
  23. On the Specify the user experience for this deployment window leave Hide in Software Center and all notifications.
  24. Click Next
  25. Click Next
  26. Click Next
  27. Click Next
  28. On the Select Deployment Package for this automatic deployment rule, we will create a new deployment package located on our shared source drive.
  29. Select Create New.  I will name mine SU_Endpoint Protection
  30. Type in a good description for others to read!!!!!!!
  31. Package source is your source shared drive
  32. Sending Priority is High
  33. Click Next
  34. Add this to your Distribution Point Group (You should be using groups to better manage your DP!!!)  I am adding mine to Software Updates Distribution Group  If you don’t use groups then you need to select all your DP’s and add them here.
  35. Click OK
  36. Click Next
  37. Click Next
  38. Click Next
  39. Verify everything looks good in the summary.
  40. Click Next
  41. Click Close

You should have your ADR now created. Right click on it and click Run.  Verify that it ran successfully.  You should now have a new Software Update group called SU_Endpoint Protection Definitions.  If you don’t give it some time, close the console and reopen it.  After 5 minutes if you don’t then you need to trouble shoot your software update point.  You can double click that update group and see the definitions.



The first thing we want to do is enable some alerts from the collections that we have assigned the policies.  This will give us better notifications when a definition isn’t updated, or a computer gets a virus/malware. 

  1. In the Configuration Manager console, click Assets and Compliance.
  2. In the Assets and Compliance workspace, expand device collections.
  3. Expand our configuration folder (if you set this up this way.)
  4. Select our collection called “CFG_Endpoint Protection – Workstations” and right click and select properties.
  5. Select the Alerts Tab.
  6. Place a check in View this collection in the Endpoint Protection dashboard.  (It is already there since this collection has the antimalware policy deployed to it.)  Just select it anyway.
  7. Under Conditions, select add…
  8. Place a check mark next to everything under Endpoint protection.
  9. Click OK
  10. Change Alert Name if needed
  11. Keep critical alert status.
  12. Click OK.
  13. Repeat for every collection we have deployed our antimalware policies to above.


Now to monitor our devices we need to go to the Monitoring workspace and expand Endpoint protection status.  For malware detection you can click on Malware detection and it will list the types and versions, along with the computers infected by them.

Under System Center 2012 R2 Endpoint section you can see the list of collections and the status of each client.  From here you can dig down deeper in to reports.  You can get a lot of these reports also from the Reporting section.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s