

anyweb

using System Center 2012 Configuration Manager - Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies.


Hello,

 

There is something I don't get. We have configured the server to be able to send email alerts, but we haven't configured anywhere the address it sends these alerts to O_O

 

Have you created a subscription under the Alerts node on the Monitoring work area?


For every infection identified by EndPoint on any machine, I am required to open an individual helpdesk ticket. I don't want to do this manually; ideally, SC would send a customized email to my helpdesk. Right now, it sends an email, but there are multiple infections per email. I need one per email.

1. How can I configure it so that I get one email to my helpdesk per each individual infection

2. How can I customize the subject to include <malware name> and <computer name>, and have other pertinent information in the body of the email, such as date, time, file location, current logged on user, etc?

Thanks,

Chuck
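As an added PowerShell example of what Chuck is asking for (this is not code from the thread and not a built-in ConfigMgr alert option): the script treats every detection as its own ticket, builds the subject from the malware name and the computer name, puts date/time, file location and logged-on user in the body, and remembers which detections it has already mailed so a re-run does not open duplicate tickets. The SMTP host, the mailboxes, the state-file path and the detection list are assumptions; the detection list is constructed sample data standing in for whatever your site uses as its source (for example a ConfigMgr Endpoint Protection report exported on a schedule).

```powershell
# Added example, not from the thread: one helpdesk e-mail (ticket) per Endpoint
# Protection detection instead of one e-mail that bundles several detections.
# Everything marked "assumption" is a placeholder for your environment.

param(
    [string]$SmtpServer = 'smtp.example.internal',                # assumption: SMTP relay
    [string]$From       = 'sccm-alerts@example.internal',         # assumption
    [string]$To         = 'helpdesk@example.internal',            # assumption: helpdesk mailbox
    [string]$StateFile  = "$env:ProgramData\EPTickets\sent.json", # assumption: dedup store
    [switch]$DryRun                                               # print instead of sending
)

# CONSTRUCTED sample detections. In production, build this list from your own
# detection source (an Endpoint Protection report or hardware inventory); the
# property names are this example's own, not a ConfigMgr schema.
$detections = @(
    [pscustomobject]@{ Computer = 'PC001'; Threat = 'Trojan:Win32/Sample.A'
                       Path = 'C:\Users\alice\Downloads\invoice.exe'; User = 'CORP\alice'
                       DetectedAt = [datetime]'2013-11-08 14:35:34' }
    [pscustomobject]@{ Computer = 'PC002'; Threat = 'Adware:Win32/Sample.B'
                       Path = 'C:\Temp\toolbar.dll'; User = 'CORP\bob'
                       DetectedAt = [datetime]'2013-11-08 15:02:10' }
)

# A detection is identified by computer, threat, path and time, so the same
# detection reported twice (e.g. by two inventory cycles) does not open two tickets.
function Get-DetectionKey {
    param($Detection)
    '{0}|{1}|{2}|{3}' -f $Detection.Computer, $Detection.Threat, $Detection.Path, $Detection.DetectedAt.ToString('o')
}

function Get-SentKeys {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    return @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
}

function Save-SentKeys {
    param([string]$Path, [string[]]$Keys)
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    ConvertTo-Json -InputObject @($Keys) | Set-Content -Path $Path
}

# Subject "<malware name> detected on <computer name>", one message per detection.
# Returns the keys of the detections it mailed.
function Send-TicketPerDetection {
    param($Detections, [string[]]$AlreadySent)
    $handled = @()
    foreach ($d in $Detections) {
        $key = Get-DetectionKey $d
        if ($AlreadySent -contains $key) { continue }
        $subject = "[Endpoint Protection] $($d.Threat) detected on $($d.Computer)"
        $body = @"
Endpoint Protection detection

Computer:       $($d.Computer)
Malware:        $($d.Threat)
Detected:       $($d.DetectedAt.ToString('yyyy-MM-dd HH:mm:ss'))
File location:  $($d.Path)
Logged-on user: $($d.User)
"@
        if ($DryRun) {
            Write-Output "Would send to ${To}: $subject"
        } else {
            Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $subject -Body $body
        }
        $handled += $key
    }
    return ,$handled
}

$sent = Get-SentKeys -Path $StateFile
$new  = Send-TicketPerDetection -Detections $detections -AlreadySent $sent
Save-SentKeys -Path $StateFile -Keys ($sent + $new)
Write-Output ('Opened {0} ticket(s); {1} detection(s) were already ticketed.' -f $new.Count, ($detections.Count - $new.Count))
```

Run it with -DryRun first to see the subjects it would generate; once the source list is wired up, a scheduled task that runs it after each report export gives the helpdesk exactly one ticket per detection, and the state file is what keeps a detection that is still present in the next export from being ticketed a second time.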


Step 6, red warning after step for “Download settings” is missing a point.

The necessary requirements for the folder are:

  • Folder must exist and be shared with permissions as follows:
    • SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS [and Change Share] permissions on the download location. For this tutorial it's "SMSAdmin" and the computer account for "CAS"
    • Everyone or at least Domain Users or Authenticated Users should have Read permissions

These requirements are described on TechNet at http://technet.microsoft.com/en-us/library/gg712304.aspx#BKMK_SUMSync and fix the error due to lack of permissions as described in http://www.thelazysysadmin.net/2012/04/automatic-deployment-rules-download-failed-system-center-2012-configuration-manager/

I've had this error myself, and thought it would be useful for others to know about it.


Thank you so much for the wonderful forum.

I seem to have everything working but have changed my mind about something and not finding a solution.

As part of the SCCM 2012 upgrade, I added Endpoint protection role and let it go on all the machines. Now that I see your post I want to start over and only install it on selected collections. How would I go about removing EP from all the clients? I removed the role but the clients still have EP installed. So far, only manual uninstall has worked.

Thank you,

Ed


Basically we use the first created ADR to create the Endpoint Protection Definition Updates package. Once created, we then disable that ADR (because we created it purely to create a NEW deployment package...), then we create another ADR practically matching the first, except instead of creating a new package we point it to the package created in the first (now disabled) ADR.

 

does that help ?

 

Now my source folder \\sccm\sources\updates\Endpoint is more than 10 GB; can we delete some of the files?


To remove the client create a package with a program to uninstall the client. You can use a command line like this for the program: scepinstall.exe /u /s.

Thank You Peter.

I was expecting an easier process but this worked perfectly.
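An added PowerShell wrapper around the uninstall command Peter gives (example code, not from the thread or from Microsoft) that can serve as the program of the ConfigMgr package: it locates scepinstall.exe, runs it with /u /s, logs the result, checks afterwards that the antimalware service is really gone, and exits with a code the deployment status can show. The candidate installer paths, the log path and the service name (MsMpSvc) are assumptions to verify on one client before deploying.

```powershell
# Added example, not from the thread: package program that runs "scepinstall.exe /u /s"
# and reports whether Endpoint Protection was actually removed.

param(
    [string]$LogPath = "$env:windir\Temp\SCEP-Uninstall.log"   # assumption: where to log
)

# assumption: the ConfigMgr client leaves a copy of the SCEP installer in one of these
$candidates = @(
    "$env:windir\ccmsetup\scepinstall.exe",
    "${env:ProgramFiles}\Microsoft Configuration Manager\Client\scepinstall.exe"
)
$serviceName = 'MsMpSvc'   # assumption: the Microsoft Antimalware Service of SCEP 2012

function Write-Log {
    param([string]$Message)
    '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message | Tee-Object -FilePath $LogPath -Append
}

function Find-ScepInstaller {
    foreach ($p in $candidates) { if (Test-Path $p) { return $p } }
    return $null
}

function Uninstall-Scep {
    param([string]$Installer)
    # /u = uninstall, /s = silent: the switches from Peter's post
    $proc = Start-Process -FilePath $Installer -ArgumentList '/u', '/s' -Wait -PassThru
    return $proc.ExitCode
}

function Test-ScepRemoved {
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    return ($null -eq $svc)
}

if (Test-ScepRemoved) { Write-Log "Service $serviceName not present; nothing to do."; exit 0 }

$installer = Find-ScepInstaller
if (-not $installer) { Write-Log 'scepinstall.exe not found in any known location.'; exit 2 }

Write-Log "Running $installer /u /s"
$code = Uninstall-Scep -Installer $installer
Write-Log "scepinstall.exe exit code $code"

# 0 = done, 3010 = done but a reboot is pending (ConfigMgr treats 3010 as success
# with reboot); anything else, or a service that is still there, is a failure.
if ($code -eq 0 -and (Test-ScepRemoved)) { Write-Log 'Endpoint Protection removed.'; exit 0 }
if ($code -eq 3010) { Write-Log 'Removal pending reboot.'; exit 3010 }
Write-Log "Removal did not complete (exit $code, service still present: $(-not (Test-ScepRemoved)))."
exit 1
```

Target the package at a collection that excludes the devices you still want protected, and give the program a detection check on the service so the deployment reports "already removed" rather than re-running on clean machines.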


Hi,

I have a problem installing Endpoint Protection on my client machine. I have installed Endpoint Protection on my SCCM 2012 R2 server and now I see a green Endpoint Protection symbol on the desktop. But I have some questions:

1) How can I install or deploy Endpoint Protection on my other servers and my client machine?

2) After installing Endpoint Protection on my client machine or my Servers, should I see the green symbol too?

Thanks for help

Regards

Keywan


 


Have you followed the full guide? It shows how to deploy EndPoint to all your systems. At a high level, you need to specify client settings and target those EndPoint Protection client settings at a collection that contains the devices you want to manage. Then you need to think about Anti-Malware Policies and definition update mechanisms.


I am just thinking out loud here...

 

What is the advantage of creating 13 individual ADR rules? They each do the same thing except they point to a different collection. Would there be any benefit to creating a master collection named for example Endpoint Protection Updates and adding all the individual collections under it? This way you only have one ADR for Endpoint Protection. Since definitions are downloaded every day, I don't think having the ability to create unique schedules would be that beneficial. I am trying to simplify this down for admins as there are 4 basic components involved which can be confusing for some: Collection, Antimalware Policy, Client Setting and ADR. Please let me know if I am overlooking something.


Sure, you can do it that way; use the Include rule.

Not every customer will want all their servers updated the same way or at the same time, however, hence having different ADRs can be beneficial (for reporting too...)


I think having lots of ADRs for EP Definition updates is for the most part unnecessary (but depends on your situation). I have three ADRs for deploying EP updates. One for desktops, one for laptops and one for servers. I do this to allow for different download settings for EP updates. For example, I don't want any of our desktops to go to Microsoft Update to download definitions because that would put a heavy load on our WAN links that are already starved for bandwidth (as all internet/datacenter and a lot of the telco traffic goes through the main campus - not the design I would choose). They have to go to a DP. (I also control this through the Antimalware Policy.) However, for servers, if they can't get the definition on a DP in the datacenter, I'm OK with them going to the internet because they have a lot more bandwidth available to them, because they are all in the datacenter. Likewise, I allow sharing content on the local subnet (BranchCache) for the desktop ADR because some are in small remote sites without a DP, so that should cut down a bit on WAN utilization, but for servers I don't need that because they have a local DP.

 

I think it's a really good idea though to have lots of collections (Really as many as you need for granularity) for deploying the Antimalware policies for servers. We have only two policies for desktops and laptops but we have at least 10 policies for different server workloads. I basically set up a collection for each of the in box antimalware policies for each Microsoft workload we have in the environment. We have those policies ordered in such a way that precedence applies the settings in the way we desire. We have a one-to-one correlation between an Antimalware Policy and a collection targeting that type of workload. Then we use global security groups (Of which computer objects are members) to define rules for the collections for the various workloads (SQL, Web, TMG, Exchange, etc) Because we have servers that run multiple workloads (Say SQL & Web) a computer object is in both the SQL and Web groups, and they will find their way into both those EP collections (Web & SQL 2008) and receive the cumulative effect of the antimalware policies created for those different workloads. The main policy differences are in what gets excluded from scanning.



 

I didn't consider reporting. Good Point.

 

Thanks


I appreciate your response.

 

Are you referring to ADRs or AntiMalware policies? "to allow for different download settings for EP updates" is in the Antimalware Policies, not in ADRs, unless I am mistaken. I see the benefit of many Antimalware Policies (for file/folder exceptions) but the 13 ADRs for EP seem redundant if you aren't making any changes to the ADRs. Since definitions are downloaded daily I am not sure how much tweaking you would want to do to an ADR between different server ADRs. ADRs for Software Updates are a different story. A point was made about reporting so I would take that into consideration.

 

Thanks Again


There are settings in the ADR (any deployment really) that allow you to specify things like going to Microsoft Update or sharing content with clients in the same subnet.


Hi and firstly thank you for your great guides, they are very much appreciated.

 

I have installed Config Manager 2012 R2 as a primary site and successfully installed the client and Endpoint Protection to client machines. I have created the SUP and updated the Endpoint def files OK. I have created the ADR for deploying def updates as per your guides.

 

The issue I am having is with Endpoint clients receiving updates from Configuration Manager. Updating from Windows Update works fine.

 

Here is the info from mpcmdrun.log

 

MpCmdRun: Command Line: "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" SignaturesUpdateService -ManagedUpdate
Start Time: Fri Nov 08 2013 14:35:34
Start: Signatures Update Service
Update Started
Update failed with hr: 0x80070490
Update completed with hr: 0x80070490
End: Signatures Update Service
MpCmdRun: End Time: Fri Nov 08 2013 14:35:35

Any help greatly appreciated
Thanks
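The HRESULT in that log, 0x80070490, is a FACILITY_WIN32 code wrapping Win32 error 1168, ERROR_NOT_FOUND ("Element not found."), so the managed update the client was told to run could not find what it was looking for. The added PowerShell script below (example code, not from the thread) reads an MpCmdRun.log, picks out every failed update with the command line and start time of its session, and decodes the HRESULT into its Win32 message, so a log like the one posted can be triaged without looking the number up by hand. The embedded sample is a constructed copy of the lines above; the default log location named in the comment is an assumption.

```powershell
# Added example, not from the thread: find failed definition updates in MpCmdRun.log
# and translate their HRESULTs into readable Win32 messages.

param(
    # assumption: the usual SCEP location is
    # "$env:ProgramData\Microsoft\Microsoft Antimalware\Support\MpCmdRun.log"
    [string]$LogPath
)

# Constructed copy of the log posted above, used when no -LogPath is given.
$sampleLog = @'
MpCmdRun: Command Line: "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" SignaturesUpdateService -ManagedUpdate
Start Time: Fri Nov 08 2013 14:35:34
Start: Signatures Update Service
Update Started
Update failed with hr: 0x80070490
Update completed with hr: 0x80070490
End: Signatures Update Service
MpCmdRun: End Time: Fri Nov 08 2013 14:35:35
'@

# Decode an HRESULT. Facility 7 (FACILITY_WIN32) carries a Win32 error code in the
# low 16 bits, and Win32Exception knows the text for those; any other facility is
# handed to Marshal.GetExceptionForHR for its message.
function ConvertFrom-Hresult {
    param([uint32]$Hr)
    $facility = ($Hr -shr 16) -band 0x1FFF
    $code     = $Hr -band 0xFFFF
    if ($facility -eq 7) {
        $msg = (New-Object System.ComponentModel.Win32Exception([int]$code)).Message
    } else {
        $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Hr), 0)
        $msg = [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($signed).Message
    }
    [pscustomobject]@{ Hresult = ('0x{0:X8}' -f $Hr); Facility = $facility; Code = $code; Message = $msg }
}

# Walk the log once and emit one object per "Update failed" line, tagged with the
# command line and start time of the MpCmdRun session it belongs to.
function Get-MpUpdateFailure {
    param([string[]]$Lines)
    $cmd = $null; $start = $null
    foreach ($line in $Lines) {
        if ($line -match '^MpCmdRun: Command Line: (.+)$') { $cmd = $Matches[1]; continue }
        if ($line -match '^Start Time: (.+)$')               { $start = $Matches[1].Trim(); continue }
        if ($line -match '^Update failed with hr: 0x([0-9A-Fa-f]{8})') {
            $decoded = ConvertFrom-Hresult -Hr ([Convert]::ToUInt32($Matches[1], 16))
            [pscustomobject]@{
                StartTime   = $start
                CommandLine = $cmd
                Hresult     = $decoded.Hresult
                Win32Code   = $decoded.Code      # 1168 for the posted log
                Message     = $decoded.Message   # "Element not found." for the posted log
            }
        }
    }
}

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sampleLog -split "`r?`n" }
Get-MpUpdateFailure -Lines $lines | Format-List
```

Knowing the Win32 meaning tells you which layer to look at next: an "Element not found" from a -ManagedUpdate run points at the ConfigMgr side of the update (whether the definition deployment has reached and been evaluated by that client) rather than at the definition files themselves, which is where a download or signature error would send you.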


Using SCCM 2012 R2, the "After running the ADR once, retire it by right clicking on the rule and select Disable (or delete) and create a new ADR except this time point the deployment package to the package which is now created called Endpoint Protection Definition Updates." part isn't necessary anymore as MS added a "Deployment Package" tab to the ADR properties window!



When the guide was written (RTM) there was no such option. But I will amend it for everyone's benefit.


Endpoint is triggered by CCMTask Execute

I am getting an error that says WMI not ready on the EndpointprotectionAgent.log, where else can I look to get more details on this error?


Can you clarify the relationship between an ADR and a custom malware policy, specifically the "Definition Updates" section of the custom policy. For example, if the ADR only runs once a day and a PC is not turned on during that time, when does it download the latest signatures? Is it when it is turned on and the SMS service starts up, or is it based on the "Check for Endpoint Protection Definitions" settings in the custom policy?


The ADR has nothing to do with when the client scans for available updates. Those are two separate things. When the client scans depends on the (custom) policy settings.

 

So if you deploy signatures via an ADR and the PC isn't on at that time does it use the configured schedule for the "Software Updates Deployment Evaluation Cycle" action to go looking for updates or does it use the Custom Malware policy settings? Or does it use both?

