In the first part of this guide, we looked at installing the System Center Endpoint Protection role. That set up the components at the SCCM level, but SCCM will not be able to manage clients until Endpoint Protection client settings and antimalware policies are configured.
To set up Endpoint Protection for client-side communication, we have to configure a few Endpoint Protection components, in the following phases:
- Configure custom client settings for Endpoint Protection
- Configure the default Antimalware policy and create custom Antimalware policies
Configure custom client settings for Endpoint Protection:
After the installation of the Endpoint Protection role, we will now create a Custom client device setting for Endpoint protection. You need to enable this setting to install the Endpoint Protection client on systems.
Note: Do not configure the default Endpoint Protection client settings unless you are sure that you want these settings applied to all computers in your hierarchy. Start with test machines.
- In the Configuration Manager console, click Administration.
- In the Administration workspace, click Client Settings.
- On the Home tab, in the Create group, click Create Custom Client Device Settings.
- In the Create Custom Client Device Settings dialog box, provide the name “SCEP Win10 1909” and a description for the group of settings, and then select Endpoint Protection.
In the left pane, click the Endpoint Protection setting. On the right side, set Manage Endpoint Protection client on client computers to Yes; with this setting enabled, Configuration Manager can manage the Endpoint Protection clients on the client computers. Below it is another setting, Install Endpoint Protection client on client computers. When you enable it and deploy this device setting to the target collection, the Endpoint Protection client is installed on all computers in that collection. Likewise, you can suppress any restart required after installation of Endpoint Protection on the client machine. Click OK.
- Next, deploy the custom client settings to a collection. Select the custom client settings you want to deploy. In the Home tab, in the Client Settings group, click Deploy.
- In the Select Collection dialog box, choose the collection to which you want to deploy the client settings and then click OK. The new deployment is shown in the Deployments tab of the details pane.
We will deploy the client settings later, once all of the steps listed above are done.
Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed, so no additional installation is seen on the client side; instead, you will see that Windows Defender is managed by SCCM.
Configure the default antimalware policy and create custom antimalware policies:
The default antimalware policy is applied when the Endpoint Protection client is installed. Any custom policies you have deployed are applied by default, within 60 minutes of deploying the client. Ensure that you have configured antimalware policies before you deploy the Endpoint Protection client.
- In the Configuration Manager console, click Assets and Compliance.
- In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
- On the Home tab, in the Create group, click Create Antimalware Policy.
- In the General section of the Create Antimalware Policy dialog box, enter a name and a description for the policy.
- In the Create Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK. The settings you can configure are listed below.
- Verify that the new antimalware policy is displayed in the Antimalware Policies list.
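The same two console procedures (the custom client device settings from the first section and the custom antimalware policy from this one), done with the ConfigurationManager PowerShell module that ships with the admin console. This is an added example, not code from the original post. The site code "PS1", the site server "cm01.contoso.local" and the pilot collection name are assumptions; replace them with your own. The cmdlet only chooses which sections the custom antimalware policy carries, so the individual values inside those sections (scan schedule, default actions, exclusions, update source) are still edited in the console as described below.

```powershell
# Added example (not from the original post): create and deploy the custom client
# device settings and the custom antimalware policy with the ConfigurationManager
# PowerShell module. Run from a machine that has the SCCM admin console installed.
$SiteCode       = 'PS1'                            # assumption: your site code
$SiteServer     = 'cm01.contoso.local'             # assumption: your SMS provider host
$SettingName    = 'SCEP Win10 1909'
$PolicyName     = 'SCEP Win10 1909 Antimalware Policy'
$TestCollection = 'SCEP Pilot - Windows 10 1909'   # assumption: a test collection, never All Systems

# Load the module shipped with the admin console and connect to the site drive.
if (-not (Get-Module ConfigurationManager)) {
    Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
}
if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):\"

# 1. Custom client device settings: manage and install the Endpoint Protection client
#    and suppress the post-install restart. The default client settings are left alone.
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName `
        -Description 'Endpoint Protection client settings for the Windows 10 1909 pilot' `
        -Type Device | Out-Null
}
Set-CMClientSettingEndpointProtection -Name $SettingName `
    -Enable $true `
    -InstallEndpointProtectionClient $true `
    -SuppressReboot $true

# 2. Custom antimalware policy. The -Policy list selects which sections this policy
#    overrides; any section not listed is inherited from the default antimalware policy.
if (-not (Get-CMAntimalwarePolicy -Name $PolicyName)) {
    New-CMAntimalwarePolicy -Name $PolicyName `
        -Description 'Quick scan daily, full scan weekly, definitions from Configuration Manager' `
        -Policy ScheduledScans, ScanSettings, DefaultActions, RealTimeProtection, ExclusionSettings, DefinitionUpdates | Out-Null
}

# 3. Deploy both to the pilot collection (the deployment step from the lists above).
Start-CMClientSettingDeployment -ClientSettingName $SettingName -CollectionName $TestCollection
Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $PolicyName -CollectionName $TestCollection

# Read back the Endpoint Protection section of the new client setting to confirm it.
Get-CMClientSetting -Name $SettingName -Setting EndpointProtection
```

Deploying to a small pilot collection first keeps the blast radius of a wrong exclusion or scan schedule limited to test machines, which is the point of the note at the top of this post.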
List of Antimalware Policy Settings
Many of the antimalware settings are self-explanatory.
Scheduled Scans Settings
Scan type – You can specify one of two scan types to run on client computers:
- Quick scan – This type of scan checks the in-memory processes and folders where malware is typically found. It requires fewer resources than a full scan.
- Full scan – This type of scan adds a full check of all local files and folders to the items scanned in the quick scan. This scan takes longer than a quick scan and uses more CPU processing and memory resources on client computers.
Note: Use a quick scan to minimize the use of system resources on client computers.
You can use both Quick and Full scan on the client machine. For example, Quick scan daily and Full scan weekly/monthly.
- Scan email and email attachments – Set to Yes to turn on e-mail scanning.
- Scan removable storage devices such as USB drives – Set to Yes to scan removable drives during full scans.
- Scan network files – Set to Yes to scan network files.
- Scan mapped network drives when running a full scan – Set to Yes to scan any mapped network drives on client computers. Enabling this setting might significantly increase the scan time on client computers. The Scan network files setting must be set to Yes for this setting to be available to configure.
By default, this setting is set to No, meaning that a full scan will not access mapped network drives.
- Scan archived files – Set to Yes to scan archived files such as .zip or .rar files.
- Allow users to configure CPU usage during scans – Set to Yes to allow users to specify maximum percentage of CPU utilization during a scan. Scans will not always use the maximum load defined by users, but they cannot exceed it.
- User control of scheduled scans – Specify level of user control. Allow users to set Scan time only or Full control of antivirus scans on their devices.
Default Actions Settings
Select the action to take when malware is detected on client computers. The following actions can be applied, depending on the alert threat level of the detected malware.
- Recommended – Use the action recommended in the malware definition file.
- Quarantine – Quarantine the malware but do not remove it.
- Remove – Remove the malware from the computer.
- Allow – Do not remove or quarantine the malware.
Real-time Protection Settings
- Enable real-time protection – Set to Yes to configure real-time protection settings for client computers.
- Monitor file and program activity on your computer – Set to Yes if you want Endpoint Protection to monitor when files and programs start to run on client computers.
- Block Potentially Unwanted Applications at download and prior to installation – Potentially Unwanted Applications (PUA) are a threat classification based on reputation and research-driven identification. Most commonly, these are unwanted application bundles or the applications they bundle.
Excluded files and folders – Click Set to open the Configure File and Folder Exclusions dialog box and specify the names of the files and folders to exclude from Endpoint Protection scans.
Note: Importantly, a few SCCM files and folders have to be excluded on both the client and server side; make sure you have the list of folder exclusions ready.
Security Intelligence updates:
Here, we will see the settings that control how Endpoint Protection clients receive definition updates.
Click Set Source. A new window shows the options through which we can deliver definition updates to the EP clients. Uncheck all the sources, select Updates distributed from Configuration Manager, and click OK. This option uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy.
The next step is to deploy the custom antimalware policy to a collection. We will go through those steps in detail in upcoming blogs.
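Once the policy has reached a pilot machine, the quickest way to confirm that the Scheduled Scans, Real-time Protection, exclusion and Security Intelligence settings above actually took effect is to read the Defender configuration on the client itself. The script below is an added example, not part of the original post; it uses the built-in Defender cmdlets Get-MpPreference and Get-MpComputerStatus. The expected values (quick scan daily, full scan at most a week old, PUA blocked, e-mail, removable, network and archive scanning on, definitions no older than three days) are assumptions that mirror the choices made in this post, not values read from SCCM, so adjust them to your own policy.

```powershell
# Added example (not from the original post): compare the effective Microsoft Defender
# settings on a Windows 10 client with the antimalware policy values chosen above.
# Run in an elevated PowerShell session on the client.
function Get-DefenderPolicyCompliance {
    param(
        [int]$MaxFullScanAgeDays  = 7,   # assumption: full scan weekly
        [int]$MaxSignatureAgeDays = 3    # assumption: definitions via SCCM software updates
    )
    $pref   = Get-MpPreference        # configured settings (what the policy pushed)
    $status = Get-MpComputerStatus    # runtime state (what the engine is doing)

    # Each row: a label, the observed value, the value the policy should produce,
    # and how to compare them ('eq' for exact match, 'le' for an upper bound).
    $rows = @(
        @{ Setting = 'Antimalware service enabled';           Observed = $status.AMServiceEnabled;              Expected = $true;  Op = 'eq' }
        @{ Setting = 'Real-time protection enabled';          Observed = $status.RealTimeProtectionEnabled;     Expected = $true;  Op = 'eq' }
        @{ Setting = 'Scheduled scan type (1=Quick, 2=Full)'; Observed = $pref.ScanParameters;                  Expected = 1;      Op = 'eq' }
        @{ Setting = 'Scheduled scan day (0=Every day)';      Observed = $pref.ScanScheduleDay;                 Expected = 0;      Op = 'eq' }
        @{ Setting = 'E-mail scanning disabled';              Observed = $pref.DisableEmailScanning;            Expected = $false; Op = 'eq' }
        @{ Setting = 'Removable drive scanning disabled';     Observed = $pref.DisableRemovableDriveScanning;   Expected = $false; Op = 'eq' }
        @{ Setting = 'Network file scanning disabled';        Observed = $pref.DisableScanningNetworkFiles;     Expected = $false; Op = 'eq' }
        @{ Setting = 'Archive scanning disabled';             Observed = $pref.DisableArchiveScanning;          Expected = $false; Op = 'eq' }
        @{ Setting = 'PUA protection (1=Block)';              Observed = $pref.PUAProtection;                   Expected = 1;      Op = 'eq' }
        # FullScanAge is a very large number if a full scan has never run, which
        # correctly fails the weekly-scan check below.
        @{ Setting = 'Days since last full scan';             Observed = $status.FullScanAge;                   Expected = $MaxFullScanAgeDays;  Op = 'le' }
        @{ Setting = 'Days since last definition update';     Observed = $status.AntivirusSignatureAge;         Expected = $MaxSignatureAgeDays; Op = 'le' }
    )

    foreach ($r in $rows) {
        $pass = if ($r.Op -eq 'le') { $r.Observed -le $r.Expected } else { $r.Observed -eq $r.Expected }
        $result = if ($pass) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{
            Setting  = $r.Setting
            Observed = $r.Observed
            Expected = $r.Expected
            Result   = $result
        }
    }
}

$report = Get-DefenderPolicyCompliance
$report | Format-Table -AutoSize

# Exclusions are listed rather than judged: the post requires the SCCM client and
# server paths to be excluded but does not enumerate them, so compare this list
# against your own exclusion list.
'Configured path exclusions:'
(Get-MpPreference).ExclusionPath

# The sources Defender itself falls back to for definitions. With updates delivered
# through Configuration Manager software updates, the signature age above is the
# more reliable indicator that delivery is working.
"Signature fallback order: $((Get-MpPreference).SignatureFallbackOrder)"

# Non-zero exit code when anything mismatches, so the script can feed a monitoring job.
if ($report | Where-Object Result -eq 'MISMATCH') { exit 1 }
```

Any MISMATCH row on a pilot machine usually means either the policy has not been evaluated yet (the post notes up to 60 minutes after client deployment) or a local setting or a different policy with higher priority is winning; checking that first saves time before touching the policy itself.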
Summary: It’s very important for us to understand that, in order to make our systems secure, we need to configure antimalware policies and client settings wisely so that we make full use of Endpoint Protection via SCCM. Upcoming blogs will show how clients behave when the policies are applied.
Happy Sharing !!