SCCM 2012: Part VI – Endpoint Protection Manager Agent and Configuration Manager Agent Setup

Now that our hierarchy is configured and we have successfully installed and validated all of the Configuration Manager roles we will need, its time for us to configure the Agent and Endpoint Protection Policies.

We’ll configure the Endpoint Protection default Policy settings first. Navigate to Assets and Compliance > Endpoint Protection > Antimalware Policies. Right-click on the Default Client Antimalware Policy.

image

You will then be greeted by all the policy sections on the left hand side, and the explanation of each section as well as configurable options on the right. Go through each of the pages and set the options to what will work best for your situation.

Note: You can create custom Anti-malware policies if you would like that would apply to specific clients/servers.

In my environment I don’t want to run scheduled scans, I want to enable real-time protection, and set certain exemptions on folders, services, and file extensions. Here is how I configured these settings:

Scheduled Scans, I will not run a scheduled scan.
image

Scan Settings, I don’t want to scan email and email attachments, removable drives, network drives, or archived files. I don’t want any users to change CPU settings, though I will give the user full control of when scheduled scans run should I ever enable this option.
image

The Default Actions work fine.
image

Real-time Protection settings defaults are fine.
image

Exclusion settings, I will be excluding several types in all three sections:
image

Here is a list of the items I’ll be excluding, again keeping a server environment in mind. Also I will be leaving the default rules in-tact as well:

Folders:
%(WINDOWS)%SoftwareDistribution\Datastore
%allusersprofile%\
%(SYSTEM)%GroupPolicy\
C:\Program Files\Microsoft DPM\DPM\Volumes
C:\Virtual Machines

Services:
Mailservice.exe
DPMRA.exe
DPM.exe
sqlserver.exe
vmms.exe
vmwp.exe
vmswp.exe

File Extensions:
.avhd
.bak
.iso
.ldf
.mdf
.ndf
.trn
.vfd
.vhd
.vhdx
.vsv
.xml

The defaults for the Advanced section are fine. I don’t want a system restore point created before cleans, I don’t want any bothersome notifications on the server, I want to enforce the quarantined files and exclusion processes to be uniformly managed via policy.
image

I will not specify any Threat Overrides.
image

Microsoft Active Protection Service, will default to your membership setting during the Endpoint role configuration. I selected Basic Membership and that is fine. I do not want users to be able to modify this.
image

I will also leave the Definition Updates at default. Each server will check for updates three times daily by default, 8-hour intervals. My sources will be WSUS, Windows Update, and Microsoft Malware Protection Center. At this time my software update role is not configured, so including the Configuration Manager as a source should not happen.
image

Click OK to close the Default Antimalware Policysettings. Now we need to configure the email alert settings for Endpoint Protection.

Click on the Administration tab and then navigate to Site Configuration > Sites. Right-click on your site and click Configure Site Components > Email Notification. Fill in the page appropriately for your SMTP server.

image

image

Now all the client settings have been configured for System Center Endpoint Protection for your Configuration Manager clients. Now we’ll proceed to setting the Configuration Agent Policies.

Click on the Administration tab > Client Settings. Right-click on Default Client Settings and click Properties.

image

BITS, I will leave default, not throttling or limits.
image

Client Policy, again default is fine.
image

Compliance Settings, I’ll leave this to True for now, in case I ever want/need to configure Compliance settings.
image

Computer Agent, I will make some slight changes here. Change Add default App catalog site to trusted sites zone to True. Customized the Org name in Software Center. Make sure to leave Agent extensions manage the deployment of applications and software updates to False. Configuration Manager is not setup for deploying updates at this time, though we’ve installed the role as a futures option. Change PowerShell execution policy to Bypass.
image

Computer Restart, I left these default.
image

Endpoint Protection, important changes here. We set Manage Endpoint Protection client on client computers to True. We ensure all of the other fields are True as well. We want Endpoint Protection to auto-remove any existing AV on our clients and install EP. We also want the initial definitions to from WSUS, Windows update, or from Microsoft Antimalware Protection Center, whichever source is available with the most recent definitions is fine.
image

Hardware Inventory, running this once weekly is fine.
image

Network Access Protection (NAP), we are going to not utilize this feature.
image

Power Management, these being servers we do not want power management, and I’ve allowed users to exclude their device should it be enabled at any point.
image

Remote Tools, I enabled Remote Control on all Firewall exemption profiles (Domain, Private, Public). Users cannot change their policy, I allow Remote Control of unattended computer, I do not want to prompt user for permission, Local Administrators of the machine will have Remote Control permission. I want Full Control, I set Domain Admins as Permitted Viewers, a taskbar notification icon will popup in taskbar when a session is in use, I want to show the connection bar. These being servers, no Play a sound on client, Set the level of access for Remote Assistance to Full Control, I want to manage Remote Desktop settings, Allow the permitted viewers to connect by Remote Desktop, and I do not require NLA settings enabled.

Note – In order for this to work, the clients will need to have TCP ports 2701 and 2702 open to the SCCM server. I recommend setting this via a Group Policy Object (GPO) or adding to an existing GPO preferably at the root level of your domain.
image
image

image

Software Deployment, I am leaving this at default.
image

Software Inventory, defaults here are fine. If you want to Inventory specific software set this here.
image

Software Metering, default 7 days is fine for data collection.
image

Software Updates, we will leave this False for now. Management of Software Updates is not configured within SCCM, though role is installed for future.
image

State Messaging, 15 minute default is just fine.
image

User and Device Affinity, this being a server environment, defaults are fine.
image

And that’s it! You’ve configured the System Center Agent and Antimalware (Endpoint Protection) Policies. This is possibly the simplest part of this configuration to this point. Remember you can create custom Agent and Antimalware policies that you can assign to devices or groups of devices if you need to.

In Part VII, the final installment of this SCCM 2012 installation and initial configuration series, we will push the Configuration Manager Agent to a server within our domain and confirm the successful installation on both the client and in the SCCM console. I will explain what files are installed onto the client, where they are installed, and more.