Microsoft System Center Endpoint Protection Cookbook: Over 31 simple yet incredibly effective recipes for installing and managing System Center 2016 Endpoint Protection, Second Edition

System Center Endpoint Protection is not a standalone product; it is integrated into the popular and great management and deployment product called SCCM, it's a dedicated role and the installation binary lies among the Configuration Manager client installation files. So you need both the System Center Configuration Manager Client and System Center Endpoint Protection to make this work. This provides great benefits when it comes to control, deployment and monitoring of the antimalware software in your organization. Every anti-virus or antimalware product needs a management client or module that can handle downloading and installation, and control and handle different actions to make sure that the antimalware product itself is operating as it should.

System Center Endpoint Protection has no built-in or dedicated management module of its own, so it is designed to be managed as well as licensed through the System Center Configuration Manager or Microsoft Intune.

Microsoft has always been good at making use of technology that's already available, and for the most part this gives more advantages than drawbacks. Every antimalware product needs a management client to monitor, set policies, deploy and update their product. Microsoft has not created a separate management agent for their Endpoint Protection because they had one already with SCCM. Given that it's being used today by approximately 70% of all businesses on the planet, it was an easy choice. So they made it work together with all the features in the same console that you use to manage your workstations, servers and devices. With this, you save resources such as processing and memory on your client as well as on the server side, and it simplifies management too. In most cases, businesses save money on their licenses as well, since they are already licensed to run this.

This is what the client GUI looks like. It's very smooth, clean, and easy to use, and gives clear indications if something is wrong. Green is good and Red is bad.

Endpoint Protection Client graphical user interface

For definition and engine updates it uses Windows Update with Microsoft's own definitions, so there is no need for any extra download components to make it work. This also has the benefit that it will be coordinated with other Windows Update installations so they don't encounter any conflicts during installation. Windows Update fetches the updates from either a local Windows Server Update Services (WSUS) or by SCCM. If it cannot reach those it will continue, after a given amount of time, to download it over the Internet directly from Microsoft.

With the use of Configuration Manager to handle Endpoint Protection, it will give you the following benefits as mentioned on http://slothx.net/wiki/SC2012_ConfigMgr_PDFDownload.pdf:

System Center Endpoint Protection has another nice feature when running virtualized environments, as many do these days: if you want to preserve disk IO as well as excessive CPU usage while antimalware is doing its scheduled scanning, you can set System Center Endpoint Protection to randomize the scanning start time so that they do not occur simultaneously on all guest machines that are hosted by the server.

Windows 10 is now supported (from version System Configuration Manager 2012 SP2), and we will cover that in more detail later in the book. SCCM manages Defender, which comes with Windows 10, and which is basically the same as Endpoint Protection.

First of all, it's for sure that you cannot have two antimalware products running on your workstations or servers. If that happens, you are likely to crash the operating system and, worst case, it won't start up again other than by booting in safe mode. If that's the case, you would have a huge job ahead of you because this would involve a manual approach to handle every machine.

Now that would be a worst case scenario, and in my experience it never happens because you plan, test and deploy in a controlled matter. Luckily, Microsoft has put in an automatic detection of a few other antimalware products and a fully automatic removal of those products as best it can. It is working pretty well in my experience, but I would rather use it as a fail-safe mechanism if your own removal plan should fail.

The current list of products that Microsoft will try to remove if they exist on any machine you're deploying Endpoint Protection to can be found at https://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings.

This automatic uninstall setting is located in the client setting of the Configuration Manager and is turned ON by default when Enabling Endpoint Protection.

However, I encourage you to do some research in your organization, about what products are in use right now. It might be more than you might think; most people are in for a surprise or two on what's running, especially on the workstations. Most likely you will have a handful of different antimalware software running, so you need to do some digging around, and once you have a Configuration Manager with a full inventory of all your clients' antimalware software, that's not a big problem. You just need to have some knowledge about what to look for. When you have identified the different products, you need to plan how to uninstall and get rid of them in a safe way, whilst at the same time keeping the machine secure, since you don't want to leave the machine unprotected.

Secondly, you need to ensure that Endpoint Protection will be able to get updates. Now this is very important, and you have some options that may have an impact depending on what your network infrastructure looks like. Do you have many remote locations, do you have satellite connections, and do your laptops travel a lot?

The Endpoint Protection role needs to be installed on your Central Administration Site (CAS) if you have one, and it needs to be installed on your Primary Site servers as well.

In the following graphic you can see different scenarios with a CAS Central Administration Site Server on top, then a Primary Site followed by a Secondary Site. Following that, you might even have dedicated Distribution Points servers to smaller locations or clients. Secondary Sites are generally fading out unless you have very large branch offices or locations with several thousand clients. However, the scenario following is for very large businesses that need redundancy and security.

Large business SCCM hierarchy

The hierarchy for most businesses, where you have a Primary Site server on top and a Distribution Point server following placed at branch offices or locations around the world, is shown in the following figure:

Conventional business SCCM hierarchy

You can see a simple illustration of how Intune work in the following figure. Every client talks directly over the Internet to Azure in the Cloud. It has both upsides and downsides, but requires very little infrastructure and it's easy to maintain:

Principal network schematic picture of Microsoft Intune

First, start the Server Manager on your Windows Server, most likely at your primary site; or on the server that you will be using for the Software Update Point role for the SCCM hierarchy.

Windows Server Manager and status of Roles and Features Installed

The WSUS role should be installed. I recommend putting its database to the full SQL Server and not Internal Database. The SQL License is included with SCCM. Make sure Internal Database is not selected. You might want to install it as a separate instance on your SQL server for performance monitoring and balancing resources like memory, CPU and disk, but this is not a requirement. Remember to press Cancel on the last part of the Wizard when it wants you to configure the WSUS products and type of updates. Configuration Manager will take care of that part when setting up the software update role afterwards in Configuration Manager.

When WSUS is installed go into Configuration Manager Console and Administration.

Configuration Manager Console where you add Site System Roles

In Site Configuration | Servers and Site System Roles you would right click on the Server you want to use as the Software update point and click Add Site System Roles

From there it's pretty straight forward. Microsoft recommends using port 8530, and the WSUS Role installation in Server Manager suggests you use this. These are also the ports that are default when you're on Windows Server 2012 and 2012 R2. While on Windows Server 2008 and 2008 R2, the default ports are 80 and 443.

So the software update role in Configuration Manager uses and relies on the WSUS role in the Windows Server.

In the next chapter we will go through in more detail how to configure all the settings you need.

Regarding the planning phase, when it comes to Configuration Manager there are some external dependencies.

Basically the software update role within Configuration Manager utilizes and uses the WSUS role that comes with the Windows Server.

It is a good practice in Configuration Manager and all management systems when dealing with deployment to test, test, and test again, given that you want to run changes in a smooth manner with as few surprises and as little noise as possible.

I would also recommend that you create a separate client setting policy that enables and installs Endpoint Protection, and that you deploy to a dedicated collection for this purpose when you start to test and deploy to computers, as the following screenshot will show you.

Configuration Manager Client setting where you configure Endpoint Protection Installation settings

The setting on the picture preceding Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers are important to pay attention to. This is enabled by default, because it may have a huge impact on your network. As the initial download of definitions that each client needs right after installation would be around 150MB, you might not want to download it over a low bandwidth connection.

More about this in Chapter 4, Updates.

So you have a collection where you've deployed the required definition update and added the client setting that deploys the Endpoint Protection client, you have created and deployed the appropriate Endpoint Protection policies, and you've also deployed to that collection, so you're good to go. Then you can just add more and more computers to that collection and monitor the results over time. I would recommend picking different kinds of computers in your organization to make sure the first phase of the Endpoint Protection deployment captures as many different environments and different users in the early stage as possible. The same method is actually recommended when it comes to software updates on a daily or weekly basis.

Speaking of software updates, it's recommended that you keep definition updates in a separate package that does not contain other software updates. This keeps the size to a minimum and allows replication to distribution points to operate more quickly and efficiently.

Make sure you have made a plan for your business on how you are going to deploy and manage Endpoint Protection. Also, undertake the required assessment to find what kind of antimalware or antivirus products might be installed on the machines and plan how to handle this.

Use the following workflow as a reference to help you enable, configure, manage and monitor Endpoint Protection in System Center 2012 Configuration Manager Technet link: https://technet.microsoft.com/en-us/library/hh526775.aspx.

Now you might have another antimalware product in your environment from before, and you need a solution that can help you replace that. So you need a way to uninstall the product you want to get rid of and install Endpoint Protection in the same process to keep the clients secure. We will cover this more thoroughly in another chapter in this book.