How to Configure Endpoint Protection in Configuration Manager

 

Updated: March 24, 2016

Applies To: System Center 2012 R2 Endpoint Protection, System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 Endpoint Protection SP1, System Center 2012 Endpoint Protection, System Center 2012 R2 Configuration Manager SP1

Before you can use Endpoint Protection to manage security and malware on System Center 2012 Configuration Manager client computers, you must perform the configuration steps detailed in this topic.

Steps to Configure Endpoint Protection in Configuration Manager

Use the following table for the steps, details, and more information about how to configure Endpoint Protection.

Important

If you manage endpoint protection for Windows 10 computers, then you must configure System Center 2012 Configuration Manager to update and distribute malware definitions for Windows Defender. Because Windows Defender is included in Windows 10, an endpoint protection agent does not need to be deployed to client computers.

Steps

Details

More information

Step 1: Create an Endpoint Protection point site system role.

The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone primary site.

See Step 1: Create an Endpoint Protection Point Site System Role in this topic.

Step 2: Configure alerts for Endpoint Protection.

Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts are displayed in the Alerts node of the Monitoring workspace, or optionally can be emailed to specified users.

See How to Configure Alerts for Endpoint Protection in Configuration Manager.

Step 3: Configure definition update sources for Endpoint Protection clients.

Endpoint Protection can be configured to use various sources to download definition updates.

See How to Configure Definition Updates for Endpoint Protection in Configuration Manager.

Step 4: Configure the default antimalware policy and create any custom antimalware policies.

The default antimalware policy is applied when the Endpoint Protection client is installed. Any custom policies you have deployed are applied by default, within 60 minutes of deploying the client. Ensure that you have configured antimalware policies before you deploy the Endpoint Protection client.

See How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

Step 5: Configure custom client settings for Endpoint Protection.

Use custom client settings to configure Endpoint Protection settings for collections of computers in your hierarchy.

Important

Do not configure the default Endpoint Protection client settings unless you are sure that you want these settings applied to all computers in your hierarchy.

See Step 5: Configure Custom Client Settings for Endpoint Protection in this topic.

Supplemental Procedures to Configure Endpoint Protection in Configuration Manager

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Create an Endpoint Protection Point Site System Role

Use one of the following procedures depending on whether you want to install a new site system server for Endpoint Protection or use an existing site system server.

Important

When you install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint Protection point. Services and scans are disabled on this client to enable it to co-exist with any existing antimalware solution that is installed on the server. If you later enable this server for management by Endpoint Protection and select the option to remove any third-party antimalware solution, the third-party product will not be removed. You must uninstall this product manually.

To install and configure the Endpoint Protection point site system role: New site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.

  3. On the Home tab, in the Create group, click Create Site System Server.

  4. On the General page, specify the general settings for the site system, and then click Next.

  5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next.

  6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check box, and then click Next.

    Important

    You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.

  7. On the Microsoft Active Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next.

    Note

    This option configures the Microsoft Active Protection Service settings that are used by default. You can then configure custom settings for each antimalware policy you create. Join Microsoft Active Protection Service, to help to keep your computers more secure by supplying Microsoft with malware samples that can help Microsoft to keep antimalware definitions more up-to-date. Additionally, when you join Microsoft Active Protection Service, the Endpoint Protection client can use the dynamic signature service to download new definitions before they are published to Windows Update. For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

  8. Complete the wizard.

To install and configure the Endpoint Protection point site system role: Existing site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for Endpoint Protection.

  3. On the Home tab, in the Server group, click Add Site System Roles.

  4. On the General page, specify the general settings for the site system, and then click Next.

  5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next.

  6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check box, and then click Next.

    Important

    You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.

  7. On the Microsoft Active Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next.

    Note

    This option configures the Microsoft Active Protection Service settings that are used by default. You can configure custom settings for each antimalware policy you configure. For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

  8. Complete the wizard.

Step 5: Configure Custom Client Settings for Endpoint Protection

This procedure configures custom client settings for Endpoint Protection which can be deployed to collections of computers in your hierarchy.

Important

Do not configure the default Endpoint Protection client settings unless you are sure that you want them applied to all computers in your hierarchy.

To enable Endpoint Protection and configure custom client settings

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Client Settings.

  3. On the Home tab, in the Create group, click Create Custom Client Device Settings.

  4. In the Create Custom Client Device Settings dialog box, provide a name and a description for the group of settings, and then select Endpoint Protection.

  5. Configure the Endpoint Protection client settings that you require. For a full list of Endpoint Protection client settings that you can configure, see the section Endpoint Protection in the topic About Client Settings in Configuration Manager.

    Important

    You must install the Endpoint Protection site system role before you can configure client settings for Endpoint Protection.

  6. Click OK to close the Create Custom Client Device Settings dialog box. The new client settings are displayed in the Client Settings node of the Administration workspace.

  7. Before the custom client settings can be used, you must deploy them to a collection. Select the custom client settings you want to deploy and then, in the Home tab, in the Client Settings group, click Deploy.

  8. In the Select Collection dialog box, choose the collection to which you want to deploy the client settings and then click OK. The new deployment is shown in the Deployments tab of the details pane.

Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager

Potential Unwanted Application (PUA) is a threat classification based on reputation and research-driven identification. Most commonly, these PUA applications are unwanted application bundlers or their bundled applications .

You can protect your users from PUA by deploying an antimalware policy in your Microsoft System Center 2012 Endpoint Protection Configuration Manager. The protection policy setting is disabled by default. If enabled, this feature will block PUA at download and install time. However, you can exclude specific files or folders to meet the specific needs of your environment.

To create a configuration item to enable PUA protection

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, open the Compliance Settings folder, right-click on Configuration Items, and then click Create Configuration Item.

  3. In the Configuration Item wizard, select a name and the Windows Desktops and Server (custom) Configuration Item type before clicking Next. Select the targeted operating systems, and go to the next page. Click New to create a new setting.

  4. In the Create Setting dialog box, select a name for the setting, and specify the following additional information:

    - **Data type** – Select the **Integer** type to set the value type to used
    
    - **Hive** - Select HKEY\_LOCAL\_MACHINE as the hive root
    
    - **Key** – Select the key according to your product version:
    
      <table>
      <colgroup>
      <col style="width: 50%" />
      <col style="width: 50%" />
      </colgroup>
      <thead>
      <tr class="header">
      <th><p>Product name</p></th>
      <th><p>Key</p></th>
      </tr>
      </thead>
      <tbody>
      <tr class="odd">
      <td> 
      <p>System Center Endpoint Protection</p></td>
      <td><p>Software\Policies\Microsoft\Microsoft Antimalware\MpEngine</p></td>
      </tr>
      <tr class="even">
      <td><p>Forefront Endpoint Protection</p></td>
      <td><p>Software\Policies\Microsoft\Microsoft Antimalware\MpEngine</p></td>
      </tr>
      <tr class="odd">
      <td><p>Microsoft Security Essentials</p></td>
      <td><p>Software\Policies\Microsoft\Microsoft Antimalware\MpEngine</p></td>
      </tr>
      <tr class="even">
      <td><p>Windows Defender</p></td>
      <td><p>Software\Policies\Microsoft\Windows Defender\MpEngine</p></td>
      </tr>
      </tbody>
      </table>
    
    - **Value** – Enter MpEnablePus as the registry value name to be configured
    
    - Select **This registry value is associated with a 64-bit application**
    

    Click the Compliant Rules tab

  5. In the Compliant Rules tab, click the New button to create a rule.

  6. In the Create Rule dialog box, specify the following information:

    - Enter a **Name** for the rule
    
    - Select a **Rule type** of **Value**
    
    - Select the **Equals** operator for the comparison
    
    - Select a value according to the PUA setting you would like to deploy:
    
      <table>
      <colgroup>
      <col style="width: 50%" />
      <col style="width: 50%" />
      </colgroup>
      <tbody>
      <tr class="odd">
      <td><p>Value</p></td>
      <td><p>Description</p></td>
      </tr>
      <tr class="even">
      <td> 
      <p>0 (default)</p></td>
      <td><p>Potentially Unwanted Application protection is disabled</p></td>
      </tr>
      <tr class="odd">
      <td><p>1</p></td>
      <td><p>Potentially Unwanted Application protection is enabled. The applications with unwanted behaviour will be blocked at download and install-time.</p></td>
      </tr>
      </tbody>
      </table>
    
    - Select **Remediate noncompliant rules when supported**
    
    - Select **Report noncompliance if this setting instance is not found**
    

    Click OK to finish creating the rule.

  7. In the Create Setting dialog box, click Apply. Click Next until you reach the summary dialog box. Validate the configuration preferences before clicking Next and Close. You have now created the Configuration Item.

Your Configuration Item can be added to a Configuration Baseline and deployed. See How to Create Configuration Baselines for Compliance Settings in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager for more information. When deploying your Configuration Baseline, select Remediate noncompliant rules when supported so that the Configuration Item registry key change will be applied.

To exclude specific files or folders

Note

Be careful when you add exclusions because it can reduce the security of the affected computers.

If you believe that an application was incorrectly identified as PUA, submit the file to the Malware Protection Center for evaluation. Include PUA and the detection name in the comments field.