Introduction to Endpoint Protection in Configuration Manager

Endpoint Protection in System Center 2012 Configuration Manager allows you to manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy.

Important
You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:

You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Endpoint Protection installs its own client in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities:

Malware and Spyware detection and remediation.
Rootkit detection and remediation.
Critical vulnerability assessment and automatic definition and engine updates.
Network vulnerability detection through Network Inspection System.
Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.

Note
The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest machines with supported operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in randomized delay so that they do not occur simultaneously on all guest machines that are hosted by the server.

In addition, Endpoint Protection in Configuration Manager allows you to manage Windows Firewall settings in the Configuration Manager console.

For an example scenario that shows how you might configure and manage Endpoint Protection and the Windows Firewall, see Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager.

Managing Malware with Endpoint Protection

Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for Endpoint Protection client configurations. You can then deploy these antimalware policies to client computers and monitor them in the System Center 2012 Endpoint Protection Status node in the Monitoring workspace, or by using Configuration Manager reports. See List of Antimalware Policy Settings for a list of the settings that you can configure.

For more information about how to create, deploy, and monitor antimalware policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager and How to Monitor Endpoint Protection in Configuration Manager.

For information about how to remediate malware that is found on client computers, see How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager.

Managing Windows Firewall with Endpoint Protection

Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client computers. For each network profile, you can configure the following settings:

Enable or disable the Windows Firewall.
Block incoming connections, including those in the list of allowed programs.
Notify the user when Windows Firewall blocks a new program.

Note
Endpoint Protection supports managing the Windows Firewall only.

For more information about how to create and deploy Windows Firewall policies for Endpoint Protection, see How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager.

Endpoint Protection Workflow

Use the following diagram to help you understand the workflow to implement Endpoint Protection in your Configuration Manager hierarchy.

Endpoint Protection Client for Mac Computers and Linux Servers

System Center 2012 includes an Endpoint Protection client for Linux and for Mac computers. These clients are not supplied with Configuration Manager; instead, you must download the following products from the Microsoft Volume Licensing Service Center.

System Center 2012 Endpoint Protection for the Mac
System Center 2012 Endpoint Protection for Linux

Important
You must be a Microsoft Volume License customer to download the Endpoint Protection installation files for Linux and the Mac.

These products cannot be managed from the Configuration Manager console. However, a System Center Operations Manager management pack is supplied with the installation files, which allows you to manage the client for Linux by using Operations Manager.

For more information about how to install and manage the Endpoint Protection clients for Linux and Mac computers, use the documentation that accompanies these products, which is located in the Documentation folder.

What’s New in Configuration Manager

What’s New in Configuration Manager SP1

Note
The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for Endpoint Protection in Configuration Manager SP1:

You can now enable an Endpoint Protection client setting that commits the installation of the Endpoint Protection client on Windows Embedded devices that are write filter enabled. For more information about this client setting, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic.

Additionally, definition updates that are deployed by software updates can be configured to write to the overlay on Windows Embedded devices, so that these updates install immediately, without a restart. For more information, see the Support for Windows Embedded Devices That Use Write Filters section in the Introduction to Software Updates in Configuration Manager topic.
You can now configure the Endpoint Protection client to install only during configured maintenance windows. The maintenance window must be at least 30 minutes long to allow installation to take place.
Endpoint Protection in Configuration Manager now uses client notification to initiate the following actions as soon as possible, instead of during the normal client policy polling interval:
- Force antimalware definition updates
- Run quick scans
- Run full scans
- Allow threats
- Exclude folders and files
- Restore quarantined files
Improvements to software updates to allow more frequent distribution of Endpoint Protection definition updates.
Multiple antimalware policies that are deployed to the same client computer are merged on the client. When two settings are in conflict, the highest priority option is used. Some settings are also merged, such as exclusion lists from separate antimalware policies. Client-side merge also honors the priority that you configured for each antimalware policy.
A software update deployment template named Definition Updates is included in the Deploy Software Updates Wizard and Automatic Deployment Rule Wizard. This template includes typical settings to use when you deploy definition software updates for Endpoint Protection.