anyweb

using SCCM 2012 in a LAB - Part 5. Enable the Endpoint Protection Role and configure Endpoint Protection settings

For all those having 'download failed' issues, don't give full permission to 'Everyone' on the share (because this would allow anyone to mess with definition updates on the share, a potential security risk), rather do the following:

Open up the C:\sources share permissions and add:

SMSSERVER\Administrators with full permission

SMSSERVER\WSUS Administrators with full permission

Alternatively, put your package in the auto generated 'c:\sources\WSUS\UpdateServicesPackages' instead of 'c:\sources\WSUS\updates\Endpoint' share, which has the proper permissions automatically generated for it from when you first set up the WSUS update point.

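The share-permission change described in the post above, as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2012 or later (SmbShare module) and that C:\sources is shared under the name `sources`; the group names are the ones given in the post, and `$RemoveEveryoneWrite` is a hypothetical switch introduced here.

```powershell
# Added example, not from the original thread.
# Assumptions: SmbShare module is available (Windows Server 2012 or later),
# and C:\sources is shared as 'sources'. Run elevated on the site server.
$ShareName           = 'sources'      # assumed share name for C:\sources
$Server              = 'SMSSERVER'    # server name as written in the post
$RemoveEveryoneWrite = $false         # hypothetical switch: set $true to revoke

# Groups the post says should hold Full on the share.
$Wanted = "$Server\Administrators", "$Server\WSUS Administrators"

# 1. Show the current share-level ACL (this is not the NTFS ACL).
$acl = Get-SmbShareAccess -Name $ShareName
$acl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2. Grant Full to the two groups. Granting an entry that already exists
#    leaves the share ACL unchanged, so this is safe to re-run.
foreach ($account in $Wanted) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $account `
        -AccessRight Full -Force | Out-Null
}

# 3. Flag any Allow entry that lets Everyone write to the share, which is
#    the configuration the post warns against for definition updates.
$broad = $acl | Where-Object {
    $_.AccountName -eq 'Everyone' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -in 'Full', 'Change'
}

if ($broad) {
    Write-Warning "Share '$ShareName' allows Everyone: $($broad.AccessRight)"
    if ($RemoveEveryoneWrite) {
        # Revoke only after step 2, so the download account keeps access.
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' `
            -Force | Out-Null
    }
}

# 4. Print the resulting ACL for the change record.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```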

How is everyone sorting out servers and rules?

I'm currently thinking about doing different collections for different servers, then connecting the collections to groups in AD.

So it looks something like this.

SQL Servers Group > SQL Servers Collection > Endpoint protection malware profile SQL Servers

TMG Servers Group > TMG Servers Collection > Endpoint protection malware profile TMG Servers

Is this a good setup? Or would you guys do it differently? When I use this method I can just add the server I want in the appropriate group, then the server will get the right profile.

Any thoughts? Suggestions?

It's all about fitting it to your needs. The easiest way to deploy different policies to different machines is by using different collections. How you fill these collections doesn't really matter, as long as it makes sense to you. AD Groups can make it easier to manage when more settings for those specific servers depend on it...


Hi Anyweb,

Thanks for the guide...one clarifying question regarding the ADR for EP. Is there a special process involved to retire the rule, or are you just disabling the initial ADR and then creating the new one afterwards? Thanks!


Yes, run it once, then you'll have the deployment package created; then you can right click on it and choose Disable. You can reference that package (your Endpoint Protection Definition Updates package) in the new ADR created directly afterwards, i.e. you go through the same process twice: the first time you Create a new deployment package, the second time you point to that package.

Followed the steps provided in this blog to configure SCCM 2012 and Forefront 2010, but some of the clients are not updated and show red, and in SCCM it shows active client at risk. Please let me know the process of troubleshooting.

I'm having some issues with deploying. Depending on the client, it can deploy or cannot, plus there is an updates problem. So there are a few questions:

1. Do I need to open some ports on clients\SC server to deploy SCEP?

2. I already have a working WSUS on another server. How do I make friends between WSUS on SERV1 and SCCM on SERV2? Should I add the definition updates classification to my working WSUS server and make it auto approval (how will it then update clients), or make an update point on SCCM and add updates there (also, what to do with ports\additional settings)?

1. Depends on if you mean for client push; if so, then yes.

2. WSUS needs to be installed on your ConfigMgr server when adding the SUP role to it, so you could add the SUP role to the server hosting WSUS already, except that it's already configured and we don't want that at all. ConfigMgr needs to take control of your WSUS installation, so if I was you I'd decide if I really wanted updates from WSUS or from ConfigMgr. If you choose ConfigMgr then you need to start again with WSUS (new install, do not configure WSUS).

I have SCEP deployed to some workstations and servers. I followed this guide for setting up the policies, with the only difference being that I currently have WSUS in use on a different server and have group policy set up to point my clients to that WSUS server. (WSUS is not SCCM integrated.) My workstations and servers aren't consistently getting the updates. The Automatic Deployment Rules run fine but my clients never upgrade. How do I have them update from my SCCM server on a regular basis?