Microsoft System Center Endpoint Protection Cookbook - Second Edition

By Nicolai Henriksen

About this book

System Center Configuration Manager is now used by over 70% of all the businesses in the world today, and many have taken advantage of System Center Endpoint Protection within that great product.

Through this book, you will gain knowledge about System Center Endpoint Protection, and see how to work with it from System Center Configuration Manager from an objective perspective.

We’ll show you several tips, tricks, and recipes to not only help you understand and resolve your daily challenges, but hopefully enhance the security level of your business.

Different scenarios will be covered, such as planning and setting up Endpoint Protection, daily operations and maintenance tips, configuring Endpoint Protection for different servers and applications, as well as workstation computers. You’ll also see how to deal with malware and infected systems that are discovered. You’ll find out how to perform OS deployment, BitLocker, and AppLocker, and discover what to do if there is an attack or outbreak.

You’ll find out how to ensure good control and reporting, and great defense against threats and malware. You’ll see the huge benefits when dealing with application deployments, and get to grips with OS deployments, software updates, and disk encryption such as BitLocker. By the end, you will be fully aware of the benefits of the System Center 2016 Endpoint Protection anti-malware product, ready to ensure your business is watertight against any threat you could face.

Publication date:
December 2016


Chapter 1. Planning and Getting Started with System Center Endpoint Protection

In this chapter, we will cover the following recipes:

  • How does Endpoint Protection in Configuration Manager work

  • Planning for Endpoint Protection

  • Prerequisites of the infrastructure

  • Best practices for Endpoint Protection in Configuration Manager

  • Administrating workflow for Endpoint Protection in Configuration Manager



System Center Endpoint Protection is Microsoft's antimalware product for small, large, and enterprise businesses.

It is not a free product, so you do need to be licensed to install and manage your clients with System Center Configuration Manager (SCCM) or Intune. It's very easy to set up and manage in both management systems, but Configuration Manager has more advanced features when it comes to policy configuring and adapting the antimalware product for your workstations and servers.

Endpoint Protection can also be installed on Mac OS X. Since SCCM also has a client agent for Mac OS X, you have a complete antimalware solution to handle and protect your Mac machines too. It's important not to forget this option, as incidents of attacks and malware keep rising on that platform as well. There is also Endpoint Protection support for Linux now.

If or when you're running in Microsoft Azure you now have the ability to enable Microsoft Endpoint Protection on your virtual machines or services running in Azure. Just a few clicks away, using some neat PowerShell scripts, you have the ability to enable and configure Endpoint Protection throughout the whole server park on several servers.

Microsoft has done a pretty good job on their antimalware product with System Center Endpoint Protection, and continues to improve greatly.

In my opinion, for over almost a decade (since back in the days when it was called Forefront) it has proven to be a worthy competitor to other well-known security, anti-virus and antimalware products on the market. I've worked with most of them and seen them in action. It strikes me that System Center Endpoint Protection works fast and effortlessly with minimum impact on the system compared to others. It is important to mention it has never let me or any of my customers down when it comes to handling malware. However, of course, if an administrator is very careless, they could easily get some nasty piece of software installed. The product has come a long way and is constantly improving. It is slightly false positive and is pretty good in proactive detection of unknown and mutated malware code. This is very important today, as that is the one thing hijackers and malware code writers usually do to try to hide or escape from security products.

Versioning in System Center Configuration Manager is new.

The 1511 build is the first and the base build of the new Configuration Manager platform. Microsoft will not brand it the 2016 version, because this will be continuously updated over the years to come with new builds, with the first two digits indicating the year and the second two the month it's released.

1602 is the latest baseline version you can install at the moment when setting up a new System Center Configuration Manager hierarchy in your business. From there you can upgrade from within the console pretty easily to the next version available through the update channel.

With each new build upgrade it's very likely there will be improvements and new features regarding Endpoint Protection as well. So it's even more important to keep your SCCM environment up-to-date when you have that role established.


How does Endpoint Protection in Configuration Manager work

This will give you a good understanding as to how Endpoint Protection in Configuration Manager works, so that you will have a better understanding when you deploy and manage this in your environment.

Endpoint Protection together with Configuration Manager is a pretty powerful solution, and you need to get it right so that the harm done is minimal. The better the solution you provide, and the better the job you do, the more proactive and productive your co-workers will be.

How to do it…

System Center Endpoint Protection is not a standalone product; it is integrated into the popular and great management and deployment product called SCCM. It is a dedicated role, and the installation binary lies among the Configuration Manager client installation files. So you need both the System Center Configuration Manager Client and System Center Endpoint Protection to make this work. This provides great benefits when it comes to control, deployment and monitoring of the antimalware software in your organization. Every anti-virus or antimalware product needs a management client or module that can handle downloading and installation, and control and handle different actions to make sure that the antimalware product itself is operating as it should.

System Center Endpoint Protection has no built-in or dedicated management module of its own, so it is designed to be managed as well as licensed through the System Center Configuration Manager or Microsoft Intune.

Microsoft has always been good at making use of technology that's already available, and for the most part this gives more advantages than drawbacks. Every antimalware product needs a management client to monitor, set policies, deploy and update their product. Microsoft has not created a separate management agent for their Endpoint Protection because they had one already with SCCM. Given that it's being used today by approximately 70% of all businesses on the planet, it was an easy choice. So they made it work together with all the features in the same console that you use to manage your workstations, servers and devices. With this, you save resources such as processing and memory on your client as well as on the server side, and it simplifies management too. In most cases, businesses save money on their licenses as well, since they are already licensed to run this.

This is what the client GUI looks like. It's very smooth, clean, and easy to use, and gives clear indications if something is wrong. Green is good and Red is bad.

Endpoint Protection Client graphical user interface

For definition and engine updates it uses Windows Update with Microsoft's own definitions, so there is no need for any extra download components to make it work. This also has the benefit that it will be coordinated with other Windows Update installations so they don't encounter any conflicts during installation. Windows Update fetches the updates from either a local Windows Server Update Services (WSUS) server or SCCM. If it cannot reach those, it will, after a given amount of time, download them over the Internet directly from Microsoft.

With the use of Configuration Manager to handle Endpoint Protection, it will give you the following benefits as mentioned on

  • Remediation of malware and spyware.

  • Remediation of rootkit detection.

  • Remediation of potentially unwanted software (this is a new feature in version 1602 of SCCM).

  • Assessment of critical vulnerability with automatic updates of definition and engine.

  • Network Inspection System vulnerability detection.

  • Malware reported directly through Microsoft Active Protection Services. When you join and enable this service, it will trigger the client to download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.

System Center Endpoint Protection has another nice feature when running virtualized environments, as many do these days: if you want to preserve disk IO as well as excessive CPU usage while antimalware is doing its scheduled scanning, you can set System Center Endpoint Protection to randomize the scanning start time so that they do not occur simultaneously on all guest machines that are hosted by the server.

Windows 10 is now supported (from System Center Configuration Manager 2012 SP2), and we will cover that in more detail later in the book. SCCM manages Defender, which comes with Windows 10, and which is basically the same as Endpoint Protection.

What made Endpoint Protection that good

In my opinion, Microsoft made some very good investments over a large period of time. They launched a free antimalware product called Microsoft Security Essentials back in 2009-2010. The beta release was installed on millions of home computers, and boy did it detect a lot of different kinds of malware. Many of the computers had not been protected for a long period of time because their previous antimalware product had expired, often the trial version that came installed with Windows when they bought it, and which was not working right or had not been updated for some reason. So Security Essentials had a couple of years to toughen up, so to say, and get stronger by learning what to deal with around the world. The users were happy; they got a free antimalware product that was getting better and better day by day.

The other aspect that has a huge impact on how well Endpoint Protection is working and how they got it to run so smoothly is that Microsoft has great knowledge of their own products. They know all the bits and pieces of how the operating system works and most of the applications that run on every machine and server on the planet. They have a very large Security Response Network Cloud Center that monitors all threats within a split second around the world and can instantly take action in the case of a massive outbreak.


Planning for the Endpoint Protection

Put on an architect's hat and let's see how to implement the Endpoint Protection role in your business.

Often there are actually very few considerations when you need to implement and engage Endpoint Protection in your business, especially if you already have Configuration Manager or Intune installed. There are a couple of important topics to understand in the planning phase: what do I need to consider, and why? Endpoint Protection utilizes the Configuration Manager client to transport the policies and actions it requires. That part of the operation flows very smoothly through the existing Configuration Manager hierarchy you are most likely to have set up. The heavy part regarding bandwidth utilization would be the definition package and engine update, depending on whether you already have a well-structured and organized software update point role in place or not, as the software will update two or three times a day. Then it needs to deliver these packages and transport them to the Distribution Point servers in your hierarchy. There are therefore a few things to consider. You will find more information and tips about some of these settings in further chapters of this book.

How to do it…

First of all, it's for sure that you cannot have two antimalware products running on your workstations or servers. If that happens, you are likely to crash the operating system and, worst case, it won't start up again other than by booting in safe mode. If that's the case, you would have a huge job ahead of you because this would involve a manual approach to handle every machine.

Now that would be a worst case scenario, and in my experience it never happens because you plan, test and deploy in a controlled manner. Luckily, Microsoft has put in an automatic detection of a few other antimalware products and a fully automatic removal of those products as best it can. It is working pretty well in my experience, but I would rather use it as a fail-safe mechanism if your own removal plan should fail.

The current list of products that Microsoft will try to remove if they exist on any machine you're deploying Endpoint Protection to can be found at

  • Symantec Antivirus Corporate Edition version 10

  • Symantec Endpoint Protection version 11

  • Symantec Endpoint Protection Small Business Edition version 12

  • McAfee VirusScan Enterprise version 8

  • Trend Micro OfficeScan

  • Microsoft Forefront Codename Stirling Beta 2

  • Microsoft Forefront Codename Stirling Beta 3

  • Microsoft Forefront Client Security v1

  • Microsoft Security Essentials v1

  • Microsoft Security Essentials 2010

  • Microsoft Forefront Endpoint Protection 2010

  • Microsoft Security Center Online v1

This automatic uninstall setting is located in the client setting of the Configuration Manager and is turned ON by default when Enabling Endpoint Protection.

However, I encourage you to do some research in your organization, about what products are in use right now. It might be more than you might think; most people are in for a surprise or two on what's running, especially on the workstations. Most likely you will have a handful of different antimalware software running, so you need to do some digging around, and once you have a Configuration Manager with a full inventory of all your clients' antimalware software, that's not a big problem. You just need to have some knowledge about what to look for. When you have identified the different products, you need to plan how to uninstall and get rid of them in a safe way, whilst at the same time keeping the machine secure, since you don't want to leave the machine unprotected.
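The triage described above can be scripted once the inventory is exported. The following is an added example, not from the book: it checks constructed sample inventory rows against the auto-removal list in this recipe. The column names, the sample rows, the functions Get-RemovalPlan and Get-MultiProductMachines, and the treatment of a listed version as a major version are assumptions.

```powershell
# Added example. Products this recipe lists for automatic removal.
# Major = $null means the list gives no version number for that product.
$AutoRemovable = @(
    [pscustomobject]@{ Name = 'Symantec Antivirus Corporate Edition';                Major = 10 }
    [pscustomobject]@{ Name = 'Symantec Endpoint Protection';                        Major = 11 }
    [pscustomobject]@{ Name = 'Symantec Endpoint Protection Small Business Edition'; Major = 12 }
    [pscustomobject]@{ Name = 'McAfee VirusScan Enterprise';                         Major = 8 }
    [pscustomobject]@{ Name = 'Trend Micro OfficeScan';                              Major = $null }
    [pscustomobject]@{ Name = 'Microsoft Forefront Codename Stirling Beta 2';        Major = $null }
    [pscustomobject]@{ Name = 'Microsoft Forefront Codename Stirling Beta 3';        Major = $null }
    [pscustomobject]@{ Name = 'Microsoft Forefront Client Security';                 Major = 1 }
    [pscustomobject]@{ Name = 'Microsoft Security Essentials';                       Major = 1 }
    [pscustomobject]@{ Name = 'Microsoft Security Essentials 2010';                  Major = $null }
    [pscustomobject]@{ Name = 'Microsoft Forefront Endpoint Protection 2010';        Major = $null }
    [pscustomobject]@{ Name = 'Microsoft Security Center Online';                    Major = 1 }
)

# Constructed sample rows standing in for an export of your software inventory.
$SampleInventory = @(
    [pscustomobject]@{ Computer = 'WS-001'; Product = 'Symantec Endpoint Protection'; Version = '11.0.6' }
    [pscustomobject]@{ Computer = 'WS-002'; Product = 'Symantec Endpoint Protection'; Version = '11.0.6' }
    [pscustomobject]@{ Computer = 'WS-003'; Product = 'Symantec Endpoint Protection'; Version = '12.1.4' }
    [pscustomobject]@{ Computer = 'WS-004'; Product = 'McAfee VirusScan Enterprise';  Version = '8.8.0' }
    [pscustomobject]@{ Computer = 'WS-004'; Product = 'Microsoft Security Essentials'; Version = '1.0.1' }
    [pscustomobject]@{ Computer = 'SRV-01'; Product = 'Trend Micro OfficeScan';       Version = '10.6' }
    [pscustomobject]@{ Computer = 'SRV-02'; Product = 'ExampleAV Business';           Version = '3.2' }
)

function Get-RemovalPlan {
    # One row per product/version: how many machines, and whether the
    # automatic uninstall covers it or you need your own removal plan.
    param([Parameter(Mandatory)] [object[]] $Inventory)

    foreach ($group in ($Inventory | Group-Object Product, Version)) {
        $row   = $group.Group[0]
        $major = [int](($row.Version -split '\.')[0])
        $match = $AutoRemovable | Where-Object {
            $_.Name -eq $row.Product -and ($null -eq $_.Major -or $_.Major -eq $major)
        }
        [pscustomobject]@{
            Product  = $row.Product
            Version  = $row.Version
            Machines = $group.Count
            Plan     = $(if ($match) { 'On auto-removal list (use as fail-safe)' }
                         else        { 'Not on list: manual removal plan required' })
        }
    }
}

function Get-MultiProductMachines {
    # Machines reporting more than one antimalware product need attention first.
    param([Parameter(Mandatory)] [object[]] $Inventory)

    $Inventory | Group-Object Computer | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $_.Name
                Products = ($_.Group.Product -join '; ')
            }
        }
}

Get-RemovalPlan -Inventory $SampleInventory | Sort-Object Plan, Product | Format-Table -AutoSize
Get-MultiProductMachines -Inventory $SampleInventory | Format-Table -AutoSize
```

Rows marked for a manual plan, such as a newer major version of a listed product or a product that is not on the list at all, are the ones the automatic uninstall setting will not cover.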

Secondly, you need to ensure that Endpoint Protection will be able to get updates. Now this is very important, and you have some options that may have an impact depending on what your network infrastructure looks like. Do you have many remote locations, do you have satellite connections, and do your laptops travel a lot?

The Endpoint Protection role needs to be installed on your Central Administration Site (CAS) if you have one, and it needs to be installed on your Primary Site servers as well.

In the following graphic you can see different scenarios with a Central Administration Site (CAS) server on top, then a Primary Site followed by a Secondary Site. Following that, you might even have dedicated Distribution Point servers for smaller locations or clients. Secondary Sites are generally fading out unless you have very large branch offices or locations with several thousand clients. However, the following scenario is for very large businesses that need redundancy and security.

Large business SCCM hierarchy

The hierarchy for most businesses, where you have a Primary Site server on top and a Distribution Point server following placed at branch offices or locations around the world, is shown in the following figure:

Conventional business SCCM hierarchy

You can see a simple illustration of how Intune works in the following figure. Every client talks directly over the Internet to Azure in the Cloud. It has both upsides and downsides, but requires very little infrastructure and it's easy to maintain:

Principal network schematic picture of Microsoft Intune


Prerequisites of the infrastructure

Endpoint Protection in System Center 2012 Configuration Manager has external dependencies and requirements in the product to make it work. This depends somewhat on what platform you're running on, and what your infrastructure and network look like. You will find some pointers and tips later in this book. Now, you are most likely to have a WSUS in your infrastructure already, but you cannot use this with Configuration Manager. You need to set up a new one, as re-using an existing old WSUS server is neither supported nor recommended by Microsoft. SCCM will set up and configure the WSUS with the settings from the Software Update Point role, which therefore needs a fresh new database and WSUS installation.

Getting ready

First, start the Server Manager on your Windows Server, most likely at your primary site; or on the server that you will be using for the Software Update Point role for the SCCM hierarchy.

Windows Server Manager and status of Roles and Features Installed

The WSUS role should be installed. I recommend putting its database on the full SQL Server and not the Internal Database. The SQL License is included with SCCM. Make sure Internal Database is not selected. You might want to install it as a separate instance on your SQL server for performance monitoring and balancing resources like memory, CPU and disk, but this is not a requirement. Remember to press Cancel on the last part of the Wizard when it wants you to configure the WSUS products and type of updates. Configuration Manager will take care of that part when setting up the software update role afterwards in Configuration Manager.

When WSUS is installed, go into the Configuration Manager Console and select Administration.

When WSUS is installed go into Configuration Manager Console and Administration.

Configuration Manager Console where you add Site System Roles

In Site Configuration | Servers and Site System Roles, right-click the server you want to use as the Software Update Point and click Add Site System Roles.

From there it's pretty straightforward. Microsoft recommends using port 8530, and the WSUS Role installation in Server Manager suggests you use this. This is also the default on Windows Server 2012 and 2012 R2, while on Windows Server 2008 and 2008 R2 the default ports are 80 and 443.

So the software update role in Configuration Manager uses and relies on the WSUS role in the Windows Server.

In the next chapter we will go through in more detail how to configure all the settings you need.

How to do it…

Regarding the planning phase, when it comes to Configuration Manager there are some external dependencies.


Please see the Prerequisites at Microsoft Technet:

How it works…

Basically, the software update role within Configuration Manager relies on the WSUS role that comes with Windows Server.


Best practices for Endpoint Protection in Configuration Manager

Use the following best practices for Endpoint Protection in System Center 2012 Configuration Manager.

How to do it...

It is a good practice in Configuration Manager and all management systems when dealing with deployment to test, test, and test again, given that you want to run changes in a smooth manner with as few surprises and as little noise as possible.

I would also recommend that you create a separate client setting policy that enables and installs Endpoint Protection, and that you deploy to a dedicated collection for this purpose when you start to test and deploy to computers, as the following screenshot will show you.

Configuration Manager Client setting where you configure Endpoint Protection Installation settings

Pay attention to the setting in the preceding picture, Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers. This is enabled by default, because it may have a huge impact on your network. As the initial download of definitions that each client needs right after installation would be around 150MB, you might not want to download it over a low bandwidth connection.

More about this in Chapter 4, Updates.

So you have a collection where you've deployed the required definition update and added the client setting that deploys the Endpoint Protection client, you have created and deployed the appropriate Endpoint Protection policies, and you've also deployed to that collection, so you're good to go. Then you can just add more and more computers to that collection and monitor the results over time. I would recommend picking different kinds of computers in your organization to make sure the first phase of the Endpoint Protection deployment captures as many different environments and different users in the early stage as possible. The same method is actually recommended when it comes to software updates on a daily or weekly basis.

Speaking of software updates, it's recommended that you keep definition updates in a separate package that does not contain other software updates. This keeps the size to a minimum and allows replication to distribution points to operate more quickly and efficiently.


Administrating workflow for Endpoint Protection in Configuration Manager

When administrating and working with Endpoint Protection in SCCM you can follow this workflow list to make sure you have everything covered. You will find settings regarding Endpoint Protection in different places in the Configuration Manager Console so that it also makes sense in the management tool. Administrators usually find this easy when they are used to working with Configuration Manager and it gives great benefits and flexibility.

Getting ready

Make sure you have made a plan for your business on how you are going to deploy and manage Endpoint Protection. Also, undertake the required assessment to find what kind of antimalware or antivirus products might be installed on the machines and plan how to handle this.

How to do it…

Use the following workflow as a reference to help you enable, configure, manage and monitor Endpoint Protection in System Center 2012 Configuration Manager Technet link:

Now you might have another antimalware product in your environment from before, and you need a solution that can help you replace that. So you need a way to uninstall the product you want to get rid of and install Endpoint Protection in the same process to keep the clients secure. We will cover this more thoroughly in another chapter in this book.

About the Author

  • Nicolai Henriksen

    Nicolai Henriksen works as a chief technical architect consultant presently and lives in Bergen, Norway, with his wife and three children.

    He has worked in the information technology consulting business for almost two decades, implementing systems in all kinds of businesses, from small companies to enterprises, mostly with products within the Microsoft family. But he has gained great experience and knowledge about many vendors and products.

    Nicolai's educational background started with electronic engineering, and he worked for a while as a technician. That has also been his great interest, besides computers.

    He started exploring computers in 1980 as a teenager and somehow then understood the meaning and future perspective that computer science had for the world.

    For the past 12 years, he has been dedicatedly working with System Center Configuration Manager in customer projects. Endpoint Protection has been integrated into this great product since 2012, and Nicolai says that since then the number of companies using this product has increased enormously.

    Since 1990, when malware and computer viruses started to evolve, he has been helping businesses to protect their computers with all kinds of antimalware products.

    This is the first book Nicolai has written, yet he has done several reviews on System Center books in the past couple of years, and has thought of writing a book for quite some time. It's not unlikely that we will see more books from Nicolai in the future.

    Nicolai also speaks at public conferences, as he loves to teach and share his knowledge with others. The fact that people are willing to listen and that you have a burning desire to share without demanding anything back gives a great feeling, according to him. He spends some time blogging, Twittering, and answering questions on Technet forums.

    In 2012, Nicolai was awarded the Microsoft Most Valuable Professional (MVP), which only a few people in the world have achieved. He then specialized in the popular and great management product called System Center Configuration Manager.

    Nicolai has been balancing a life as a family man with intense creativity and passion within computer science for many years.
