Book Image

Microsoft System Center Endpoint Protection Cookbook - Second Edition

By : Nicolai Henriksen
Book Image

Microsoft System Center Endpoint Protection Cookbook - Second Edition

By: Nicolai Henriksen

Overview of this book

System Center Configuration Manager is now used by over 70% of all the business in the world today and many have taken advantage engaging the System Center Endpoint Protection within that great product. Through this book, you will gain knowledge about System Center Endpoint Protection, and see how to work with it from System Center Configuration Manager from an objective perspective. We’ll show you several tips, tricks, and recipes to not only help you understand and resolve your daily challenges, but hopefully enhance the security level of your business. Different scenarios will be covered, such as planning and setting up Endpoint Protection, daily operations and maintenance tips, configuring Endpoint Protection for different servers and applications, as well as workstation computers. You’ll also see how to deal with malware and infected systems that are discovered. You’ll find out how perform OS deployment, Bitlocker, and Applocker, and discover what to do if there is an attack or outbreak. You’ll find out how to ensure good control and reporting, and great defense against threats and malware software. You’ll see the huge benefits when dealing with application deployments, and get to grips with OS deployments, software updates, and disk encryption such as Bitlocker. By the end, you will be fully aware of the benefits of the System Center 2016 Endpoint Protection anti-malware product, ready to ensure your business is watertight against any threat you could face.
Table of Contents (16 chapters)
Microsoft System Center Endpoint Protection Cookbook Second Edition
About the Author
About the Reviewer

How does Endpoint Protection in Configuration Manager work

This will give you a good understanding as to how Endpoint Protection in Configuration Manager works, so that you will have a better understanding when you deploy and manage this in your environment.

Endpoint Protection together with Configuration Manager is a pretty powerful solution and you need to get it right so the harm done is minimum. The better solution you provide, and the better the job you do, the more proactive and productive your co-workers will be.

How to do it…

System Center Endpoint Protection is not a standalone product; it is integrated into the popular and great management and deployment product called SCCM, it's a dedicated role and the installation binary lies among the Configuration Manager client installation files. So you need both the System Center Configuration Manager Client and System Center Endpoint Protection to make this work. This provides great benefits when it comes to control, deployment and monitoring of the antimalware software in your organization. Every anti-virus or antimalware product needs a management client or module that can handle downloading and installation, and control and handle different actions to make sure that the antimalware product itself is operating as it should.

System Center Endpoint Protection has no built-in or dedicated management module of its own, so it is designed to be managed as well as licensed through the System Center Configuration Manager or Microsoft Intune.

Microsoft has always been good at making use of technology that's already available, and for the most part this gives more advantages than drawbacks. Every antimalware product needs a management client to monitor, set policies, deploy and update their product. Microsoft has not created a separate management agent for their Endpoint Protection because they had one already with SCCM. Given that it's being used today by approximately 70% of all businesses on the planet, it was an easy choice. So they made it work together with all the features in the same console that you use to manage your workstations, servers and devices. With this, you save resources such as processing and memory on your client as well as on the server side, and it simplifies management too. In most cases, businesses save money on their licenses as well, since they are already licensed to run this.

This is what the client GUI looks like. It's very smooth, clean, and easy to use, and gives clear indications if something is wrong. Green is good and Red is bad.

Endpoint Protection Client graphical user interface

For definition and engine updates it uses Windows Update with Microsoft's own definitions, so there is no need for any extra download components to make it work. This also has the benefit that it will be coordinated with other Windows Update installations so they don't encounter any conflicts during installation. Windows Update fetches the updates from either a local Windows Server Update Services (WSUS) or by SCCM. If it cannot reach those it will continue, after a given amount of time, to download it over the Internet directly from Microsoft.

With the use of Configuration Manager to handle Endpoint Protection, it will give you the following benefits as mentioned on

  • Remediation of malware and spyware.

  • Remediation of rootkit detection.

  • Remediation of potentially unwanted software (this is a new feature in version 1602 of SCCM).

  • Assessment of critical vulnerability with automatic updates of definition and engine.

  • Network Inspection System vulnerability detection.

  • Malware reported directly through Microsoft Active Protection Services. When you join and enable this service, it will trigger the client to download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.

System Center Endpoint Protection has another nice feature when running virtualized environments, as many do these days: if you want to preserve disk IO as well as excessive CPU usage while antimalware is doing its scheduled scanning, you can set System Center Endpoint Protection to randomize the scanning start time so that they do not occur simultaneously on all guest machines that are hosted by the server.

Windows 10 is now supported (from version System Configuration Manager 2012 SP2), and we will cover that in more detail later in the book. SCCM manages Defender, which comes with Windows 10, and which is basically the same as Endpoint Protection.

What made Endpoint Protection that good

In my opinion, Microsoft made some very good investments over a large period of time. They launched a free antimalware product called Microsoft Security Essentials back in 2009-2010. The beta release was installed on millions of home computers, and boy did it did detect a lot of different kinds of malware. Many of the computers had not been protected for a long period of time because their previous antimalware product had expired, often the trial version that came installed with Windows when they bought it, and which was not working right or had not been updated for some reason. So Security Essentials had a couple of years to toughen up, so to say, and get stronger by learning what to deal with around the world. The users were happy; they got a free antimalware product that was getting better and better day by day.

The other aspect that has a huge impact on how well Endpoint Protection is working and how they got it to run so smoothly is that Microsoft has great knowledge of their own products. They know all the bits and pieces of how the operating system works and most of the applications that run on every machine and server on the planet. They have a very large Security Response Network Cloud Center that monitors all threats within a split second around the world and can instantly take action in the case of a massive outbreak.