Introduction to Endpoint Protection in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 R2 Endpoint Protection, System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 Endpoint Protection SP1, System Center 2012 Endpoint Protection, System Center 2012 R2 Configuration Manager SP1

Endpoint Protection in System Center 2012 Configuration Manager allows you to manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy.

Important

You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:

  • You can configure antimalware policies and Windows Firewall settings for selected groups of computers by using custom antimalware policies and client settings.

  • You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.

  • You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Endpoint Protection installs its own client in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities:

  • Malware and Spyware detection and remediation.

  • Rootkit detection and remediation.

  • Critical vulnerability assessment and automatic definition and engine updates.

  • Network vulnerability detection through Network Inspection System.

  • Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.

Note

The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest machines with supported operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in randomized delay so that they do not occur simultaneously on all guest machines that are hosted by the server.

In addition, Endpoint Protection in Configuration Manager allows you to manage Windows Firewall settings in the Configuration Manager console.

For an example scenario that shows how you might configure and manage Endpoint Protection and the Windows Firewall, see Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager.

Managing Malware with Endpoint Protection

Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for Endpoint Protection client configurations. You can then deploy these antimalware policies to client computers and monitor them in the System Center 2012 Endpoint Protection Status node in the Monitoring workspace, or by using Configuration Manager reports. See List of Antimalware Policy Settings for a list of the settings that you can configure.

For more information about how to create, deploy, and monitor antimalware policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager and How to Monitor Endpoint Protection in Configuration Manager.

For information about how to remediate malware that is found on client computers, see How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager.

Managing Windows Firewall with Endpoint Protection

Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client computers. For each network profile, you can configure the following settings:

  • Enable or disable the Windows Firewall.

  • Block incoming connections, including those in the list of allowed programs.

  • Notify the user when Windows Firewall blocks a new program.
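As an added example that is not part of this Configuration Manager topic, the following PowerShell reads those three per-profile settings on the local computer with the built-in Get-NetFirewallProfile cmdlet (NetSecurity module, Windows 8 / Windows Server 2012 and later) and compares them with an intended state. The $Desired table is a constructed sample, and the function names are this example's own; "block incoming connections, including those in the list of allowed programs" is interpreted here as the inbound default action being Block with inbound allow rules ignored.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Audits the three Windows Firewall settings an Endpoint Protection firewall
# policy manages, for each network profile, on the local computer.
# $Desired is a constructed sample state; adjust it to your policy.

$Desired = @{
    Domain  = @{ Enabled = $true; BlockAllInbound = $false; NotifyOnBlock = $false }
    Private = @{ Enabled = $true; BlockAllInbound = $false; NotifyOnBlock = $true  }
    Public  = @{ Enabled = $true; BlockAllInbound = $true;  NotifyOnBlock = $true  }
}

function Get-FirewallProfileState {
    # Map the raw profile object onto the three policy-managed settings.
    param([Parameter(Mandatory)][string]$Name)
    $p = Get-NetFirewallProfile -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Profile         = $Name
        Enabled         = ($p.Enabled -eq 'True')
        # "Block incoming connections, including those in the list of allowed
        # programs" = inbound default Block AND inbound allow rules ignored
        # (assumed mapping for this example).
        BlockAllInbound = ($p.DefaultInboundAction -eq 'Block' -and
                           $p.AllowInboundRules -eq 'False')
        NotifyOnBlock   = ($p.NotifyOnListen -eq 'True')
    }
}

function Compare-FirewallProfileState {
    # Emit one row per profile/setting with the expected and actual values.
    param([Parameter(Mandatory)][hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual = Get-FirewallProfileState -Name $name
        foreach ($setting in 'Enabled', 'BlockAllInbound', 'NotifyOnBlock') {
            $want = $Expected[$name][$setting]
            $have = $actual.$setting
            [pscustomobject]@{
                Profile   = $name
                Setting   = $setting
                Expected  = $want
                Actual    = $have
                Compliant = ($want -eq $have)
            }
        }
    }
}

# Read-only spot check; run from an elevated PowerShell prompt.
Compare-FirewallProfileState -Expected $Desired |
    Sort-Object Profile, Setting |
    Format-Table -AutoSize
```

The script only reads local firewall state; it does not change anything. Compliance for the whole hierarchy is still reported through the Configuration Manager console, but a quick local comparison like this is useful when a single client appears non-compliant and you want to see which profile or setting drifted.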

Note

Endpoint Protection supports managing the Windows Firewall only.

For more information about how to create and deploy Windows Firewall policies for Endpoint Protection, see How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager.

Endpoint Protection Workflow

Use the following diagram to help you understand the workflow to implement Endpoint Protection in your Configuration Manager hierarchy.

(Diagram: Endpoint Protection process flow)

Endpoint Protection Client for Mac Computers and Linux Servers

System Center 2012 includes an Endpoint Protection client for Linux and for Mac computers. These clients are not supplied with Configuration Manager; instead, you must download the following products from the Microsoft Volume Licensing Service Center.

  • System Center 2012 Endpoint Protection for the Mac

  • System Center 2012 Endpoint Protection for Linux

Important

You must be a Microsoft Volume License customer to download the Endpoint Protection installation files for Linux and the Mac.

These products cannot be managed from the Configuration Manager console. However, a System Center Operations Manager management pack is supplied with the installation files, which allows you to manage the client for Linux by using Operations Manager.

For more information about how to install and manage the Endpoint Protection clients for Linux and Mac computers, use the documentation that accompanies these products, which is located in the Documentation folder.

What’s New in Configuration Manager 2012

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

System Center 2012 Endpoint Protection is now integrated with System Center 2012 Configuration Manager. The following items are new or have changed for Endpoint Protection since Forefront Endpoint Protection 2010:

  • Because Endpoint Protection is now fully integrated with Configuration Manager, you do not have to run a separate setup program to install an Endpoint Protection server. Instead, select the Endpoint Protection point as one of the available Configuration Manager site system roles.

  • You can install the Endpoint Protection client by using Configuration Manager client settings, or you can manage the existing Endpoint Protection clients. You do not use a package and program to install the Endpoint Protection client.

  • The Endpoint Protection Manager role-based administration security role provides an administrative user with the minimum permissions that are required to manage Endpoint Protection in the hierarchy.

  • Endpoint Protection in Configuration Manager provides new reports that integrate with Configuration Manager reporting. For example, you can now identify the users who have computers that most frequently report security threats.

  • You can use Configuration Manager software updates to automatically update definitions and the definition engine by using automatic deployment rules.

  • You can configure multiple malware alert types to notify you when Endpoint Protection detects malware on computers. You can also configure subscriptions to notify you about these alerts by using email.

  • The Endpoint Protection dashboard is integrated with the Configuration Manager console. You do not have to install the dashboard separately. To view the Endpoint Protection dashboard, click the System Center 2012 Endpoint Protection Status node in the Monitoring workspace.

What’s New in Configuration Manager 2012 SP1

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for Endpoint Protection in Configuration Manager SP1:

  • You can now enable an Endpoint Protection client setting that commits the installation of the Endpoint Protection client on Windows Embedded devices that are write filter enabled. For more information about this client setting, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic.

    Additionally, definition updates that are deployed by software updates can be configured to write to the overlay on Windows Embedded devices, so that these updates install immediately, without a restart. For more information, see the Support for Windows Embedded Devices That Use Write Filters section in the Introduction to Software Updates in Configuration Manager topic.

  • You can now configure the Endpoint Protection client to install only during configured maintenance windows. The maintenance window must be at least 30 minutes long to allow installation to take place.

  • Endpoint Protection in Configuration Manager now uses client notification to initiate the following actions as soon as possible, instead of during the normal client policy polling interval:

    • Force antimalware definition updates

    • Run quick scans

    • Run full scans

    • Allow threats

    • Exclude folders and files

    • Restore quarantined files

  • Improvements to software updates to allow more frequent distribution of Endpoint Protection definition updates.

  • Multiple antimalware policies that are deployed to the same client computer are merged on the client. When two settings are in conflict, the highest priority option is used. Some settings are also merged, such as exclusion lists from separate antimalware policies. Client-side merge also honors the priority that you configured for each antimalware policy.

  • A software update deployment template named Definition Updates is included in the Deploy Software Updates Wizard and Automatic Deployment Rule Wizard. This template includes typical settings to use when you deploy definition software updates for Endpoint Protection.
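The client-side merge described above (several antimalware policies deployed to one client; conflicting single-valued settings resolved by priority; list-valued settings such as exclusions combined) is easier to reason about with a small model. The following PowerShell is an added example, not Configuration Manager's own merge code. It assumes that a policy's Priority is a number where a lower value means a higher priority, as in the console's priority ordering, and that only exclusion lists are unioned; the three policies are constructed samples.

```powershell
# Added example, not Configuration Manager code: a model of client-side
# antimalware policy merging. Assumptions: lower Priority value = higher
# priority; single-valued settings come from the highest-priority policy that
# defines them; list-valued settings (here ExcludedPaths) are unioned.
# All three policies below are constructed samples.

$Policies = @(
    [pscustomobject]@{
        Name     = 'Default Client Antimalware Policy'
        Priority = 10000
        Settings = @{ RealTimeProtection = $true; ScanType = 'Quick'; ExcludedPaths = @() }
    }
    [pscustomobject]@{
        Name     = 'Servers - SQL'
        Priority = 2
        Settings = @{ ScanType = 'Full'; ExcludedPaths = @('D:\SQLData\*.mdf', 'D:\SQLLogs\*.ldf') }
    }
    [pscustomobject]@{
        Name     = 'Servers - Baseline'
        Priority = 5
        Settings = @{ ScanType = 'Quick'; ScheduledScanDay = 'Sunday'; ExcludedPaths = @('C:\Program Files\Backup\*') }
    }
)

function Merge-AntimalwarePolicy {
    param(
        [Parameter(Mandatory)][object[]]$Policy,
        [string[]]$ListSettings = @('ExcludedPaths')
    )
    $merged = @{}
    $source = @{}   # records which policy supplied each single-valued setting
    # Walk from lowest priority (largest number) to highest so that each
    # higher-priority policy overwrites conflicting single-valued settings.
    foreach ($p in ($Policy | Sort-Object Priority -Descending)) {
        foreach ($key in $p.Settings.Keys) {
            if ($ListSettings -contains $key) {
                # Lists are merged, not replaced: union of all policies' entries.
                $merged[$key] = @(
                    @($merged[$key]) + @($p.Settings[$key]) |
                        Where-Object { $_ } |
                        Select-Object -Unique
                )
            } else {
                $merged[$key] = $p.Settings[$key]
                $source[$key] = $p.Name
            }
        }
    }
    [pscustomobject]@{ Effective = $merged; Source = $source }
}

$result = Merge-AntimalwarePolicy -Policy $Policies

'Effective settings:'
$result.Effective.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize
'Winning policy per single-valued setting:'
$result.Source.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize
```

With these samples, ScanType resolves to Full from "Servers - SQL" (priority 2 beats 5 and 10000), RealTimeProtection and ScheduledScanDay are inherited from the policies that define them, and ExcludedPaths contains all three exclusions. Tracking the winning policy per setting, as the Source table does, is the part worth keeping in mind operationally: a surprising effective setting is almost always a priority ordering problem rather than a client fault.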

What’s New in Configuration Manager 2012 SP2

Configuration Manager SP2 adds management of the built-in Windows Defender antimalware agent in Windows 10 Technical Preview. You do not need to deploy the System Center Endpoint Protection agent to Windows 10 client computers.