This will be the last post in my System Center Configuration Manager 2012 series. Here in Part VII, we will be pushing the client to servers, showing what the Endpoint Protection client looks like on the servers, configuring custom Reports, and then closing out the series.
Here is a summary of what we’ll be making sure happens between the SCCM server and the Clients:
– The SCCM Agent installs
– The Endpoint Protection software installs
– That all SCCM and SCEP Policies we defined earlier are enforced
– That the SCCM server sets the child server to Active
Open the SCCM console on your server and open the Assets and Compliance workspace. Then navigate to Overview, right-click Device Collections, and create a folder; I named mine “Endpoint Protection Servers”. Then select your new folder, right-click, and select Create Device Collection. This will launch the “Create Device Collection Wizard”. Now you need to name your Collection (I named mine “Endpoint Protection Managed Servers”) and add membership rules for the existing collections you want included in this group. I added the “All Desktop and Server Clients” Collection, because by default all SCCM-managed servers are added to that collection.
The screenshots below show the process for doing this. Notice we will have a folder under the “Device Collections” section, and within that folder we are creating a Collection that can contain multiple device collections. For now we are just doing all servers, but you could break this down by Country, Datacenter location, Client Groups, Server Types, etc.
Now, when the agent is installed on our servers, each server will become a member of the “All Desktop and Server Clients” collection, and we can run Reports against the custom Collection we just created.
Installing the SCCM Agent
Now here is the part where we will be installing the agent. We will be pushing the installation to our servers. Navigate to Devices and find the server you want to push the agent to. Right-click on the server and select Install Client.
Then in the wizard make sure you select the options as seen below:
Then finish out the wizard. The installation will begin immediately on the remote client. On the remote server, you can see the following items to know that the install is running:
You’ll see ccmsetup.exe running:
And you will also see a new folder here: %windir%\ccmsetup and within that folder, you’ll see several files, the Endpoint Protection installer, and the agent install log files among them:
The ccmsetup.log file will actually contain the complete information of the client installation from beginning to end. At the end of the log, you want to see this:
CcmSetup is exiting with return code 0]LOG]
This means that the installation was successful. Further, you can see information about the agent on the remote server by launching Control Panel, where Configuration Manager should now appear in the list of applets. Clicking the applet opens a Properties window for the agent with some information:
Now, notice how Endpoint Protection is installed and that it is applying our policy and that some settings cannot be changed locally:
If you look back in the SCCM console now, you will see that the server displays Client: Yes and is now Active.
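The indicators above (ccmsetup.exe running, the %windir%\ccmsetup folder, the “CcmSetup is exiting with return code 0” line in ccmsetup.log, and the agent and Endpoint Protection being present) can be checked from your desk instead of logging on to every server. The script below is an added example, not code from the original post; it runs under Windows PowerShell 5.1 on a machine with admin rights on the targets, reads the log through the admin$ share, and assumes the service names CcmExec (SMS Agent Host) and MsMpSvc (Endpoint Protection), which are standard for these products but are not named in the post. The server names at the bottom are placeholders.

```powershell
# Added example (not from the original post): verify an SCCM agent /
# Endpoint Protection push on a remote server using the indicators described
# above. Assumptions: admin rights on the target, admin$ reachable, and the
# service names CcmExec and MsMpSvc for the SMS Agent Host and SCEP engine.
function Test-CcmClientInstall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName
    )

    $result = [ordered]@{
        ComputerName       = $ComputerName
        CcmSetupRunning    = $false   # ccmsetup.exe still running = install not finished
        CcmSetupFolder     = $false   # %windir%\ccmsetup present?
        CcmSetupReturnCode = $null    # last "exiting with return code" value in the log
        InstallSucceeded   = $false   # return code 0, as described in the post
        CcmExecService     = 'Missing'
        EndpointProtection = 'Missing'
    }

    # 1. Is ccmsetup.exe still running? (Get-Process -ComputerName: Windows PowerShell 5.1)
    $proc = Get-Process -Name ccmsetup -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $result.CcmSetupRunning = [bool]$proc

    # 2. Does %windir%\ccmsetup exist? Reached through the admin$ share.
    $setupRoot = "\\$ComputerName\admin$\ccmsetup"
    $result.CcmSetupFolder = Test-Path -Path $setupRoot

    # 3. Locate ccmsetup.log. SCCM 2012 clients write it under ccmsetup\Logs;
    #    older clients wrote it directly in the ccmsetup folder, so try both.
    $logCandidates = @(
        (Join-Path $setupRoot 'Logs\ccmsetup.log'),
        (Join-Path $setupRoot 'ccmsetup.log')
    )
    $log = $logCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($log) {
        # Lines are in CMTrace format: <![LOG[message]LOG]!><time=... date=... >.
        # The log accumulates across re-runs, so keep only the last exit line.
        $exitLine = Get-Content -Path $log |
            Select-String -Pattern 'CcmSetup is exiting with return code (\d+)' |
            Select-Object -Last 1
        if ($exitLine) {
            $result.CcmSetupReturnCode = [int]$exitLine.Matches[0].Groups[1].Value
            $result.InstallSucceeded   = ($result.CcmSetupReturnCode -eq 0)
        }
    }

    # 4. Service state for the agent and for Endpoint Protection.
    foreach ($svc in @(@{ Name = 'CcmExec'; Key = 'CcmExecService' },
                       @{ Name = 'MsMpSvc'; Key = 'EndpointProtection' })) {
        $s = Get-Service -Name $svc.Name -ComputerName $ComputerName -ErrorAction SilentlyContinue
        if ($s) { $result[$svc.Key] = $s.Status.ToString() }
    }

    [pscustomobject]$result
}

# Usage: check a batch of servers and show only the ones that still need attention.
# 'SERVER01' and 'SERVER02' are placeholder names.
'SERVER01', 'SERVER02' |
    ForEach-Object { Test-CcmClientInstall -ComputerName $_ } |
    Where-Object { -not $_.InstallSucceeded -or $_.EndpointProtection -ne 'Running' } |
    Format-Table -AutoSize
```

A server that shows CcmSetupRunning = True simply has not finished yet; one with a non-zero return code or a missing MsMpSvc service is where you open ccmsetup.log and check for the pending-reboot situation described below (an old antivirus product that is waiting on a restart before Endpoint Protection can install).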
Pro Tip: If you are removing your existing antivirus software and replacing it with System Center Endpoint Protection, it will require a reboot to finalize the removal of your old antivirus and will then install Endpoint Protection upon restart and then apply the AV policy.
There is one thing you need to understand before deploying the agent and Endpoint Protection to an existing server. If your servers require a password to remove the existing AV client, this will need to be disabled prior to pushing the SCCM Agent. If you are running Symantec Endpoint Protection like my company was, you will need to disable the password-on-removal policy, then wait until your servers have updated their Symantec Endpoint policy or force a policy update on the server. You can find instructions here:
If you do not remove your existing antivirus password policy or do not want to use Endpoint Protection, you can still install the SCCM agent. You will just not be able to use any of the SCCM EP features.
The shortest time you can set for the pending reboot after the Endpoint Protection client is installed is 1 hour, so the server will reboot in 1 hour unless you reboot it manually first. In our walkthrough we set “Suppress any required computer restarts after the Endpoint Protection client is installed” to True. This way the computer reboots only by manual intervention or through the current update policy at a scheduled time. Configure this the way you prefer. The time allotted for the reboot is configured in the Client Settings section, on this page of the Client Settings:
Now that we have SCCM up and running and we have clients associated with the server, let's take a look at the Endpoint Protection Status of our servers.
Navigate to Monitoring workspace and select System Center Endpoint Protection. In the Collection drop-down, select the Endpoint Protection Managed Servers (or the collection name you chose). You will now have a real-time view of the Endpoint Protection status of all of your servers that are running the SCCM agent and are utilizing the policies:
Take a look through this interface to see the current status of Active clients protected, any recent malware outbreaks, and much more. Clicking on any of the blue text will send you back over to the Assets and Compliance workspace, and create a new list under the Devices section.
Now that we know where the basic information about our servers’ current Endpoint Protection state is within SCCM, let's configure some specific reports that we can view and send to others in our company. Navigate over to Monitoring > Reports, and within Reports scroll down to the Endpoint Protection folder. Here you can see we have six different reports we can run:
– Antimalware Activity Report
– Computer Malware Details
– Infected Computers
– Top Users By Threats
– User Threat List
To run one of these reports, just right-click the report and select Run. In the example below, I’m running the Antimalware Activity Report. The report wizard will launch and we need to select a Collection Name. You will notice that our Collection name is not in the list:
This is because each collection is given a Unique Identifier of 8 characters. To find the Collection ID, simply go to the Collection we created, Assets and Compliance workspace > Device Collections > Your Collection. Then right-click on the collection and select Properties. On the General tab, you will find your Collection ID:
So to finish running the report, just select your collection value and run the report. In my test, I see that there have been 14 infections detected on 2 computers. I even have hyperlinks to see which Computers were involved:
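Because the report prompts for the 8-character CollectionID rather than the collection name, it is handy to be able to look the ID up (and confirm which servers are in the collection) without clicking through Properties. The script below is an added example, not from the original post: it queries the SMS Provider on the site server over WMI, using the SMS_Collection and SMS_FullCollectionMembership classes in the root\SMS\site_<sitecode> namespace. The site server name “SCCM01” and site code “PS1” are placeholders; substitute your own.

```powershell
# Added example (not from the original post): resolve a collection name to
# its CollectionID and list its members via the SMS Provider's WMI classes.
# Placeholders: site server 'SCCM01', site code 'PS1'.
function Get-CMCollectionId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$SiteServer,
        [Parameter(Mandatory = $true)][string]$SiteCode,
        [Parameter(Mandatory = $true)][string]$CollectionName
    )
    $ns = "root\SMS\site_$SiteCode"
    # Escape single quotes so a collection name containing one does not break the WQL.
    $safeName = $CollectionName -replace "'", "''"
    # CollectionType 2 = device collection (1 = user collection).
    $coll = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
        -Filter "Name = '$safeName' AND CollectionType = 2"
    if (-not $coll) {
        throw "Device collection '$CollectionName' not found in $ns on $SiteServer"
    }
    $coll | Select-Object Name, CollectionID
}

function Get-CMCollectionMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$SiteServer,
        [Parameter(Mandatory = $true)][string]$SiteCode,
        [Parameter(Mandatory = $true)][string]$CollectionId
    )
    $ns = "root\SMS\site_$SiteCode"
    # SMS_FullCollectionMembership holds the evaluated membership (direct and included collections).
    Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_FullCollectionMembership `
        -Filter "CollectionID = '$CollectionId'" |
        Select-Object Name, ResourceID |
        Sort-Object Name
}

# Usage: find the ID for the collection built earlier in this post, then list its servers.
$id = Get-CMCollectionId -SiteServer 'SCCM01' -SiteCode 'PS1' `
    -CollectionName 'Endpoint Protection Managed Servers'
$id | Format-Table -AutoSize
Get-CMCollectionMembers -SiteServer 'SCCM01' -SiteCode 'PS1' -CollectionId $id.CollectionID |
    Format-Table -AutoSize
```

The CollectionID value returned is what you enter in the report's Collection Name parameter. If you have the Configuration Manager console installed, its ConfigurationManager PowerShell module offers the same lookup through Get-CMDeviceCollection -Name, but the WMI query above works from any machine that can reach the site server.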
In order to configure daily or weekly reports that can be emailed, we need to create a Subscription. In this example, let’s create a Subscription to the Antimalware Activity Report that runs every day at 8:00AM EST and emails the report to AVemail@example.com.
Right-click the Antimalware Activity Report and select Create Subscription. This will launch the Create Subscription Wizard. Choose Report delivered by: Email and fill in all the appropriate fields for the email. In my template I included a link to the Report Server and included the actual report. I also chose MHTML as the Render Format. This way the people who receive this message have the option to view the report directly from the report server should they have an issue viewing it within the email.
This will use the SMTP server that we configured earlier in this series. If you need to confirm your settings, browse here and set them as appropriate:
Next, you will have the option of how you want to schedule this report. You can even combine multiple reports to use a single Shared Schedule. In this example I want to run the report once a day, every day of the week, at 8:00AM EST.
Next, I will select the Collection Name and Parameters for the report. I want the report to include data from the last seven days.
Then confirm the settings in the Summary and complete the wizard. I set up a test Subscription and received a report from my SCCM server with information from the Antimalware Activity Report just as we created above. You would repeat this process for any other Endpoint Protection or other SCCM reports in the Reports folder for which you would like scheduled reporting tasks.
I highly recommend you set up subscriptions for the Alert Categories in the Monitoring workspace, especially the ones marked Severity: Critical, just as you see in the screenshot below. This way, you are immediately alerted to any large-scale issues, such as a Malware outbreak in your Collection. These alerts should be emailed to a Distribution Group of Administrators who can immediately take the right actions to identify and resolve the issues.
And with that, we are all finished with the installation and configuration of System Center Configuration Manager 2012, along with integrating System Center Endpoint Protection 2012 in a PKI-based setup that is configured for alerts and reporting enterprise-wide.
I also recommend that you install the Endpoint Protection Client into your server images/templates, and/or include it in your MDT build procedures. Once you have all of your servers enterprise-wide set up in Configuration Manager, I recommend enabling site-wide installation of the Agent, so that any new servers in your enterprise automatically detect the agent install policy, install the software, and apply your policies automatically, with the exception of Domain Controllers, which you will want to do manually. The setting is found here:
Administration workspace > Site Configuration > Sites > right-click on your site > Client Installation Settings > Client Push Installation
What sparked this blog series?
Thanks to those of you who have read this series! My hope and reasoning behind this guide is that perhaps this information and my experience will help other System Administrators around the world who are looking to implement Configuration Manager and Endpoint Protection 2012 in their existing production environments, especially those who, like me, needed to configure client and server Certificates with an internal Certification Authority chain. There seemed to be hardly any guides available on this implementation.
We are implementing System Center Configuration Manager 2012 along with Endpoint Protection Manager 2012 over @OrcsWeb. Throughout the process, I created a mountain of documentation and screenshots to chronicle the process and document our configuration. With some tweaking, a mirror development environment, and sometimes long-winded explanation in-between, I’ve created this series.
OrcsWeb is a Microsoft based Web Hosting company with Microsoft Certified Professionals who can offer you and your company Fully Managed Dedicated Cloud, Physical, or Hybrid server solutions. Anyone can host your website or your server, but with OrcsWeb what sets us apart is our zeal to create Raving Fans with Remarkable Service, Remarkable Support. Just take a look at the Complete Care Managed Service offerings available, and the Service and Support page for more information about OrcsWeb and what our clients are saying about us, or shoot a quick email to our Remarkable Sales team, tell them that Gabe sent you over, you’ll be happy you did!
If anyone has any questions on SCCM/SCEP or feel that there is anything missing in this series you’d like to see covered, contact me.