
Microsoft System Center Endpoint Protection Cookbook - Second Edition

By : Nicolai Henriksen

Overview of this book

System Center Configuration Manager is now used by over 70% of businesses worldwide, and many of them have taken advantage of the System Center Endpoint Protection feature built into that product. Through this book, you will gain knowledge about System Center Endpoint Protection and see how to work with it from System Center Configuration Manager from an objective perspective. We'll show you several tips, tricks, and recipes that will not only help you understand and resolve your daily challenges, but hopefully also raise the security level of your business. Different scenarios will be covered, such as planning and setting up Endpoint Protection, daily operations and maintenance tips, and configuring Endpoint Protection for different servers and applications as well as for workstation computers. You'll also see how to deal with malware and infected systems once they are discovered. You'll find out how to perform OS deployment, BitLocker, and AppLocker, and discover what to do if there is an attack or outbreak. You'll find out how to ensure good control and reporting, and a strong defense against threats and malware. You'll see the huge benefits when dealing with application deployments, and get to grips with OS deployments, software updates, and disk encryption such as BitLocker. By the end, you will be fully aware of the benefits of the System Center 2016 Endpoint Protection anti-malware product, ready to ensure your business is watertight against any threat you could face.

Planning for the Endpoint Protection

Put on an architect's hat and let's see how to implement the Endpoint Protection role in your business.

Often there are actually very few considerations when you need to implement and engage Endpoint Protection in your business, especially if you already have Configuration Manager or Intune installed. There are a couple of important topics to understand in the planning phase, namely what you need to consider and why. Endpoint Protection uses the Configuration Manager client to transport the policies and actions it requires. That part of the operation flows very smoothly through the existing Configuration Manager hierarchy you most likely already have set up. The heavy part, in terms of bandwidth, is the definition package and engine update: the definitions update two or three times a day, so how much this costs you depends on whether you already have a well-structured and organized software update point role in place. Those packages then need to be delivered to the Distribution Point servers in your hierarchy. There are therefore a few things to consider, and you will find more information and tips about some of these settings in later chapters of this book.

How to do it…

First of all, you cannot have two antimalware products running on the same workstation or server. If that happens, you are likely to crash the operating system and, in the worst case, it won't start up again other than by booting into safe mode. If that happens, you have a huge job ahead of you, because it means handling every affected machine manually.

That is the worst-case scenario, and in my experience it never happens, because you plan, test, and deploy in a controlled manner. Luckily, Microsoft has built in automatic detection of a number of other antimalware products and a fully automatic removal of those products, as far as it is able. It works pretty well in my experience, but I would rather treat it as a fail-safe mechanism in case your own removal plan fails.

The current list of products that Microsoft will try to remove if they exist on any machine you're deploying Endpoint Protection to can be found at

  • Symantec Antivirus Corporate Edition version 10

  • Symantec Endpoint Protection version 11

  • Symantec Endpoint Protection Small Business Edition version 12

  • McAfee VirusScan Enterprise version 8

  • Trend Micro OfficeScan

  • Microsoft Forefront Codename Stirling Beta 2

  • Microsoft Forefront Codename Stirling Beta 3

  • Microsoft Forefront Client Security v1

  • Microsoft Security Essentials v1

  • Microsoft Security Essentials 2010

  • Microsoft Forefront Endpoint Protection 2010

  • Microsoft Security Center Online v1

This automatic uninstall setting is located in the Configuration Manager client settings and is turned ON by default when you enable Endpoint Protection.

However, I encourage you to do some research in your organization about which products are in use right now. There might be more than you think; most people are in for a surprise or two about what is actually running, especially on the workstations. Most likely you will have a handful of different antimalware products installed, so you need to do some digging around. Once you have a Configuration Manager with a full inventory of all your clients' software, that is not a big problem; you just need to know what to look for. When you have identified the different products, you need to plan how to uninstall them safely while keeping the machines secure at every step, since you don't want to leave a machine unprotected.
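One way to do that digging on a single workstation before the Configuration Manager inventory is in place, as an added PowerShell example that is not from the book. It assumes local administrator rights; the product prefixes are typed from the auto-removal list above, and the keyword filter is a heuristic of my own, not anything Configuration Manager uses.

```powershell
# Added example (not from the book): list antimalware products found on this
# machine and flag which ones are on the Endpoint Protection auto-removal list.
# Assumes: run locally as an administrator. Prefixes below are typed from the
# product list above; the keyword filter is a heuristic for spotting other products.

$KnownAutoRemove = @(
    'Symantec Antivirus Corporate Edition',
    'Symantec Endpoint Protection',
    'McAfee VirusScan Enterprise',
    'Trend Micro OfficeScan',
    'Microsoft Forefront',
    'Microsoft Security Essentials',
    'Microsoft Security Center Online'
)

# Source 1: products registered with Windows Security Center. This namespace only
# exists on client operating systems, so on a server the call fails and is skipped.
$registered = @()
try {
    $registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
        ForEach-Object { [pscustomobject]@{ Name = $_.displayName; Source = 'SecurityCenter2' } }
} catch {
    Write-Verbose "SecurityCenter2 not available (server OS?): $($_.Exception.Message)"
}

# Source 2: Add/Remove Programs entries from both the 64-bit and 32-bit hives,
# the same data Configuration Manager software inventory collects for the machine.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object { [pscustomobject]@{ Name = $_.DisplayName; Source = 'Uninstall key' } }

# Merge both sources, keep anything that looks like an antimalware product, and mark
# whether Endpoint Protection would try to remove it on its own. Anything reported
# with AutoRemovable = False needs its own removal plan before you deploy.
$registered + $installed |
    Sort-Object Name -Unique |
    Where-Object { $_.Name -match 'anti-?(virus|malware)|endpoint protection|security|virusscan|officescan' } |
    ForEach-Object {
        $name = $_.Name
        $auto = [bool]($KnownAutoRemove | Where-Object { $name -like "$_*" })
        [pscustomobject]@{ Product = $name; Source = $_.Source; AutoRemovable = $auto }
    } | Format-Table -AutoSize
```

Run it on a few representative workstations from each site; products that only show up in the Uninstall keys but not in SecurityCenter2 are typically leftovers of a partial uninstall, which is exactly what breaks a clean Endpoint Protection rollout.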

Secondly, you need to ensure that Endpoint Protection will be able to get updates. Now this is very important, and you have some options that may have an impact depending on what your network infrastructure looks like. Do you have many remote locations, do you have satellite connections, and do your laptops travel a lot?

The Endpoint Protection role needs to be installed on your Central Administration Site (CAS) if you have one, and it needs to be installed on your Primary Site servers as well.

In the following graphic you can see different scenarios, with a Central Administration Site (CAS) server on top, then a Primary Site, followed by a Secondary Site. Below that, you might even have dedicated Distribution Point servers serving smaller locations or groups of clients. Secondary Sites are generally being phased out unless you have very large branch offices or locations with several thousand clients. The scenario shown here is for very large businesses that need redundancy and security.

Large business SCCM hierarchy

The hierarchy for most businesses, where you have a Primary Site server on top and a Distribution Point server following placed at branch offices or locations around the world, is shown in the following figure:

Conventional business SCCM hierarchy

You can see a simple illustration of how Intune works in the following figure. Every client talks directly over the Internet to Azure in the cloud. This has both upsides and downsides, but it requires very little infrastructure and is easy to maintain:

Principal network schematic picture of Microsoft Intune