SCCM 2012 – Enabling the Endpoint Protection Role

Endpoint protection is pretty sweet, and the integration with SCCM Console is very well done. Nice work MS guys!

This is basically a dump from my internal documentation. It might be a little unpolished, but sometimes it’s better to ship a product then continue fretting about perfection…

Install EPP Role on the CAS

  1. Navigate to Administration -> Sites -> Site Server and System Roles
  2. Right-click the CAS and choose “Add site server role.”
  3. On the System Role Selection screen choose ‘Endpoint Protection Point’ and click Next.
  4. On the Endpoint Protection screen accept the license terms.
  5. On the Microsoft Active Protection screen review the information and make a choice.

Create EPP Collectons

  1. Download the script named prep-site-server-wsus.ps1 from my Github page.
  2. Modify the variables at the top of the script to match your Org’s name and site code.
  3. Run the script ON THE SITE SERVER, using your admin account.

Configure and Deploy Custom Anti-Malware Policies

  1. Navigate to Assets and Compliance -> Endpoint Protection -> Antimalware Policies.
  2. Right-click -> Import.
  3. In the import dialog, navigate to “C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates”.
  4. For each Endpoint Collection that was created, there should be a custom anti-malware setting found in the folder that can be imported. Choose to import an .xml template that matches a collection you’re interested in working on.
  5. Right-click the imported EPP Policy and choose ‘Deploy’.
  6. Deploy the policy to the collection that matches the policy name best.
  7. Repeat this process for all of your EPP collections.

Configure Client Settings

  1. Navigate to Administration -> Client Settings.
  2. Right-click and choose to create a new client settings package.
  3. On the ‘General’ screen, name the new package and check the box labeled ‘Endpoint Protection’.
  4. On the Endpoint Protection screen, set the following settings
    Manage Endpoint Protection client on client computers: True
    Install Endpoint Portection client on client computers: True
    Automatically remove previously installed antimalware software: True
    Suppress any required computer restarts: True
    Disable alternate sources for the initial update: False
  5. Click OK to save changes.
  6. Right-click the new client settings package and choose ‘deploy’.
  7. Deploy the client settings to a collection of your computers.

Endpoint should now be uninstalling your previous virus scanner, and installing the EPP. Wooo!

Advertisements