Best practices for Endpoint Protection in Configuration Manager

It is a good practice in Configuration Manager and all management systems when dealing with deployment to test, test, and test again, given that you want to run changes in a smooth manner with as few surprises and as little noise as possible.

I would also recommend that you create a separate client setting policy that enables and installs Endpoint Protection, and that you deploy to a dedicated collection for this purpose when you start to test and deploy to computers, as the following screenshot will show you.

Configuration Manager Client setting where you configure Endpoint Protection Installation settings

The setting on the picture preceding Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers are important to pay attention to. This is enabled by default, because it may have a huge impact on your network. As the initial download of definitions that each client needs right after installation would be around 150MB, you might not want to download it over a low bandwidth connection.

More about this in Chapter 4, Updates.

So you have a collection where you've deployed the required definition update and added the client setting that deploys the Endpoint Protection client, you have created and deployed the appropriate Endpoint Protection policies, and you've also deployed to that collection, so you're good to go. Then you can just add more and more computers to that collection and monitor the results over time. I would recommend picking different kinds of computers in your organization to make sure the first phase of the Endpoint Protection deployment captures as many different environments and different users in the early stage as possible. The same method is actually recommended when it comes to software updates on a daily or weekly basis.

Speaking of software updates, it's recommended that you keep definition updates in a separate package that does not contain other software updates. This keeps the size to a minimum and allows replication to distribution points to operate more quickly and efficiently.