Implementing Microsoft’s System Center Endpoint Protection

We are preparing for the migration from McAfee to Microsoft’s System Center Endpoint Protection and managing Windows 10’s Windows Defender.

Givens:

  • Configuration Manager version 1702
  • Single Primary site with secondaries and DPs
  • Timeline: November 2017

Assumptions:

  • Role to be added to the primary site server with ‘Advanced Membership’
  • Definition updates and client updates will be distributed using the SCCM Software Update feature only
  • Synchronize WSUS with Microsoft every 8 hours (3 per day)
  • Downloaded definitions will automatically be deployed as mandatory to all systems after the Auto Deployment Rule is run.
  • Deadline for install by clients is 2 hours after downloading (allow time for distribution points)

Process:

Administration \ Updates and Servicing \ Features:

First we had to add the Windows Defender Advanced Threat Protection feature. The role was added to the Primary site server, with Advanced membership selected.

Administration \ Site Configuration \ Sites \ Primary Site: Configure Site Components \ Software Update Point

  • Classifications
    • Definition Updates
  • Products
    • Forefront \ Forefront Endpoint Protection 2010 (this is for Win 7/Server 2012)
    • Windows \ Windows Defender (this is for Windows 10/Server 2016)
  • Sync Schedule
    • Synchronize every 8 hours (do not exceed 3 times a day).

Software Library \ Automatic Deployment Rules: Create Auto Deployment Rule

  • General
    • Name: Endpoint Protection Definitions (SCEP)
    • ‘Add to an existing Software Update Group’ is checked (otherwise we could end up with up to 3 new Update Groups every day)
    • ‘Enable the deployment after this rule is run’ is checked (otherwise the deployment is created but not enabled, and we would have to enable each one manually when we want it deployed)
  • Software Updates
    • Product “Forefront Endpoint Protection 2010” OR “Windows Defender”
    • Do not add any further rules; the product filter alone is all that is needed for this to work.
  • Evaluation Schedule
    • Run the rule after any software update point synchronization (this facilitates an emergency manual update)
  • Deployment Schedule
    • Time: UTC
    • Available after 1 hour (allow time for the package to distribute)
    • Deadline ASAP
  • User Experience
    • Display in Software Center and only show notifications for computer restarts (this is great when testing)
    • Deadline behavior: Install update but do not restart
    • Device restart suppression: suppress on servers and workstations
  • Download Settings
    • Deployment options: Download from DP
    • Deployment options: Download from default boundary group
    • Allow clients to share
    • Did not check the Microsoft Update (M.U.) fallback, since cloud clients will do this anyway
  • Deployment Package
    • Create a new deployment package
      • 2017 Q4 Endpoint Protection Definition Updates (SCEP)
      • High Priority
      • Enable binary differential replication
  • Set a calendar item to check the package and remove expired content
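The schedule above (sync every 8 hours, available after 1 hour, deadline 2 hours later) implies an upper bound on how old a client's definitions should ever be. The following is an added example, not code from the original post, that reports the definition age on a client against that expectation. Get-MpComputerStatus is the built-in Windows Defender cmdlet on Windows 10 / Server 2016; the SCEP module path and the Get-MProtComputerStatus cmdlet used for Windows 7 / Server 2012 clients are assumptions to verify on your own image, and $MaxAgeHours is an assumed threshold.

```powershell
# Added example (not from the original post): report whether a client's
# definitions are as fresh as the ADR schedule implies.
# Assumptions: $MaxAgeHours threshold; SCEP module path and cmdlet name.
param(
    # 8 h sync + 1 h available + 2 h deadline, plus slack for DP replication
    [int]$MaxAgeHours = 12
)

function Get-AvDefinitionStatus {
    # Windows 10 / Server 2016: built-in Defender PowerShell module
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $s = Get-MpComputerStatus
    }
    else {
        # Windows 7 / Server 2012 with the SCEP agent (assumed path and cmdlet)
        $scepModule = 'C:\Program Files\Microsoft Security Client\MpProvider\MpProvider.psd1'
        if (-not (Test-Path $scepModule)) {
            throw 'Neither Windows Defender nor the SCEP agent was found on this system.'
        }
        Import-Module $scepModule
        $s = Get-MProtComputerStatus
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SignatureVersion   = $s.AntivirusSignatureVersion
        LastUpdated        = $s.AntivirusSignatureLastUpdated
        RealTimeProtection = $s.RealTimeProtectionEnabled
    }
}

function Test-DefinitionFreshness {
    param(
        [Parameter(Mandatory)][datetime]$LastUpdated,
        [int]$MaxAgeHours
    )
    $age = (Get-Date) - $LastUpdated
    [pscustomobject]@{
        AgeHours = [math]::Round($age.TotalHours, 1)
        Stale    = $age.TotalHours -gt $MaxAgeHours
    }
}

$status = Get-AvDefinitionStatus
$fresh  = Test-DefinitionFreshness -LastUpdated $status.LastUpdated -MaxAgeHours $MaxAgeHours
$status | Add-Member -NotePropertyName AgeHours -NotePropertyValue $fresh.AgeHours
$status | Add-Member -NotePropertyName Stale    -NotePropertyValue $fresh.Stale
$status | Format-List

if (-not $status.RealTimeProtection) {
    Write-Warning 'Real-time protection is disabled on this client.'
}
if ($fresh.Stale) {
    # Non-zero exit code so the script can be used as a CM configuration item
    # discovery script or a scheduled check that feeds an alert.
    Write-Warning ("Definitions are {0} h old (limit {1} h); check the ADR, DP content and client policy." -f $fresh.AgeHours, $MaxAgeHours)
    exit 1
}
```

Run it on a pilot machine after the first ADR run; a Stale result on a client that has received policy usually points at content not yet on the client's distribution point or at a maintenance window holding the deadline back.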

Administration \ Client Settings: Create new custom client device settings policy

  • General
    • Name: SCEP-Enabled-INSTALLS SCEP Agent
    • Desc: Endpoint Protection policy to install the SCEP agent. Make sure you remove and exclude the existing VirusScan first.
    • Establish the Endpoint Device Settings
      • The auto-remove option will not work in the case of our password-locked installs.
      • Restarts are not required, but I found the agent waiting until a maintenance window, so I removed some restrictions.

Configure collection alerts

  • Assets and Compliance \ Device Collections
    • Create a device folder in Device Collections named !_Endpoint Protection (SCEP)
    • Create a collection for the SCCM Primary Site SCEP Policy
    • Create a collection for the SCCM Secondary Site SCEP Policy
    • Create a collection for the other SCCM Site Servers
    • Add the servers to these collections and add alerts.
  • Monitoring \ Alerts \ Subscriptions
    • Configure the SMTP server, port and sender address used by all reports.
    • Create New Subscription

  • Assets and Compliance \ Overview \ Endpoint Protection \ Antimalware Policies
    • Default Antimalware Policy (this policy only applies to clients that have the SCEP agent installed)
    • In Update Sources, if WSUS is chosen then you must also configure an auto deployment rule in WSUS so it can also download definitions. This would need to be done on all WSUS servers. It would, however, allow the ‘Update Now’ button to work.
      • The settings displayed below allow SCCM to download the definitions, make them available in an SCCM update package, and trigger a definition update on the SCCM client every few hours.
      • On a client, verify this by checking C:\Windows\WindowsUpdate.log for a line containing “* WSUS server:”; it should appear every few hours.

  • Deviations from the default can be specified in custom policies. In the screen below we are altering the real-time protection settings and, as expected, the exclusion settings.
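The verification step under Antimalware Policies above (look for “* WSUS server:” in WindowsUpdate.log every few hours) is easy to script. The following is an added example, not code from the original post: it extracts those check-in lines, measures the gap between consecutive ones and warns when a gap exceeds a threshold. The log lines embedded in it are constructed sample data, and $LogPath, $MaxGapHours and the server name are assumptions.

```powershell
# Added example (not from the original post): confirm a client is checking in
# with the SCCM software update point by finding "* WSUS server:" lines in
# WindowsUpdate.log and measuring the hours between them.
# Assumptions: $LogPath, $MaxGapHours, server name; sample log lines are constructed.
param(
    [string]$LogPath,
    [int]$MaxGapHours = 12
)

# Only the exact "* WSUS server:" entry counts; the neighbouring
# "* WSUS status server:" line would also hit a loose substring search.
$checkInPattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):\d{3}\s.*\* WSUS server:\s*(?<server>\S+)'

function Get-WsusCheckIn {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $previous = $null
    foreach ($line in $LogLines) {
        if ($line -match $checkInPattern) {
            $ts  = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss', $null)
            $gap = if ($previous) { [math]::Round(($ts - $previous).TotalHours, 1) } else { $null }
            [pscustomobject]@{
                Time               = $ts
                Server             = $Matches['server']
                HoursSincePrevious = $gap
            }
            $previous = $ts
        }
    }
}

if ($LogPath) {
    # Windows 7 / Server 2012 write C:\Windows\WindowsUpdate.log directly.
    # On Windows 10 the log is ETW-based; render it first with
    #   Get-WindowsUpdateLog -LogPath C:\Temp\WindowsUpdate.log
    $lines = Get-Content -Path $LogPath
}
else {
    # Constructed sample: two check-ins 8 h apart, then a 19 h gap
    $lines = @(
        '2017-11-06 06:02:11:143  944  1b2c  Agent  *********  Start  ***********'
        '2017-11-06 06:02:11:143  944  1b2c  Agent  * WSUS server: http://sccm01.corp.example:8530'
        '2017-11-06 06:02:11:143  944  1b2c  Agent  * WSUS status server: http://sccm01.corp.example:8530'
        '2017-11-06 14:03:45:002  944  1b2c  Agent  * WSUS server: http://sccm01.corp.example:8530'
        '2017-11-07 09:15:00:777  944  1b2c  Agent  * WSUS server: http://sccm01.corp.example:8530'
    )
}

$checkIns = @(Get-WsusCheckIn -LogLines $lines)
$checkIns | Format-Table -AutoSize

if ($checkIns.Count -eq 0) {
    Write-Warning 'No "* WSUS server:" lines found; the client may not have received software update policy.'
}
foreach ($c in ($checkIns | Where-Object { $_.HoursSincePrevious -gt $MaxGapHours })) {
    Write-Warning ("Gap of {0} h before the check-in at {1}; expected one every few hours." -f $c.HoursSincePrevious, $c.Time)
}
```

With the constructed sample the script lists three check-ins and warns once, for the 19.2 hour gap before the last one. A server value that is not your software update point is also worth a look, since it means the client's WSUS location has been overridden, for example by a Group Policy setting.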

That’s all for now.