Before you can use Endpoint Protection to manage security
and malware on System Center 2012
Configuration Manager client computers, you must perform the
configuration steps detailed in this topic.
Steps to Configure Endpoint Protection in Configuration Manager
Use the following table for the steps, details, and
more information about how to configure Endpoint Protection.
| Steps | Details | More information |
|---|---|---|
| Step 1: Create an Endpoint Protection point site system role. | The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone primary site. | See Step 1: Create an Endpoint Protection Point Site System Role in this topic. |
| Step 2: Configure alerts for Endpoint Protection. | Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts are displayed in the Alerts node of the Monitoring workspace, or optionally can be emailed to specified users. | See How to Configure Alerts for Endpoint Protection in Configuration Manager. |
| Step 3: Configure definition update sources for Endpoint Protection clients. | Endpoint Protection can be configured to use various sources to download definition updates. | See How to Configure Definition Updates for Endpoint Protection in Configuration Manager. |
| Step 4: Configure the default antimalware policy and create any custom antimalware policies. | The default antimalware policy is applied when the Endpoint Protection client is installed. Any custom policies you have deployed are applied by default, within 60 minutes of deploying the client. Ensure that you have configured antimalware policies before you deploy the Endpoint Protection client. | See How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager. |
| Step 5: Configure custom client settings for Endpoint Protection. | Use custom client settings to configure Endpoint Protection settings for collections of computers in your hierarchy. Important: Do not configure the default Endpoint Protection client settings unless you are sure that you want these settings applied to all computers in your hierarchy. | See Step 5: Configure Custom Client Settings for Endpoint Protection in this topic. |
Supplemental Procedures to Configure Endpoint Protection in Configuration Manager
Use the following information when the steps in the
preceding table require supplemental procedures.
Step 1: Create an Endpoint Protection Point Site System Role
Use one of the following procedures depending on
whether you want to install a new site system server for
Endpoint Protection or use an existing site system server.
Important: When you install an Endpoint Protection point, an
Endpoint Protection client is installed on the server hosting
the Endpoint Protection point. Services and scans are disabled
on this client to enable it to co-exist with any existing
antimalware solution that is installed on the server. If you later
enable this server for management by Endpoint Protection and
select the option to remove any third-party antimalware solution,
the third-party product will not be removed. You must uninstall
this product manually.
To install and configure the Endpoint Protection point site system role: New site system server
- In the Configuration Manager console, click Administration.
- In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.
- On the Home tab, in the Create group, click Create Site System Server.
- On the General page, specify the general settings for the site system, and then click Next.
- On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next.
- On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check box, and then click Next.
  Important: You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.
- On the Microsoft Active Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next.
  Note: This option configures the Microsoft Active Protection Service settings that are used by default. You can then configure custom settings for each antimalware policy you create. Join Microsoft Active Protection Service to help keep your computers more secure by supplying Microsoft with malware samples that can help Microsoft keep antimalware definitions more up to date. Additionally, when you join Microsoft Active Protection Service, the Endpoint Protection client can use the dynamic signature service to download new definitions before they are published to Windows Update. For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.
- Complete the wizard.
To install and configure the Endpoint Protection point site system role: Existing site system server
- In the Configuration Manager console, click Administration.
- In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for Endpoint Protection.
- On the Home tab, in the Server group, click Add Site System Roles.
- On the General page, specify the general settings for the site system, and then click Next.
- On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next.
- On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check box, and then click Next.
  Important: You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.
- On the Microsoft Active Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next.
- Complete the wizard.
Step 5: Configure Custom Client Settings for Endpoint Protection
This procedure configures custom client settings for
Endpoint Protection, which can be deployed to collections of
computers in your hierarchy.
Important: Do not configure the default Endpoint Protection client
settings unless you are sure that you want them applied to all
computers in your hierarchy.
To enable Endpoint Protection and configure custom client settings
- In the Configuration Manager console, click Administration.
- In the Administration workspace, click Client Settings.
- On the Home tab, in the Create group, click Create Custom Client Device Settings.
- In the Create Custom Client Device Settings dialog box, provide a name and a description for the group of settings, and then select Endpoint Protection.
- Configure the Endpoint Protection client settings that you require. For a full list of Endpoint Protection client settings that you can configure, see the section Endpoint Protection in the topic About Client Settings in Configuration Manager.
  Important: You must install the Endpoint Protection site system role before you can configure client settings for Endpoint Protection.
- Click OK to close the Create Custom Client Device Settings dialog box. The new client settings are displayed in the Client Settings node of the Administration workspace.
- Before the custom client settings can be used, you must deploy them to a collection. Select the custom client settings you want to deploy and then, in the Home tab, in the Client Settings group, click Deploy.
- In the Select Collection dialog box, choose the collection to which you want to deploy the client settings and then click OK. The new deployment is shown in the Deployments tab of the details pane.
Client computers will be configured with these settings
when they next download client policy. To initiate policy retrieval
for a single client, see the Initiate
Policy Retrieval for a Configuration Manager Client section in
the How to
Manage Clients in Configuration Manager topic.
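
A scripted equivalent of the Step 5 procedure above, as an added example that is not part of the original topic. It assumes a Configuration Manager console version whose PowerShell module provides these cmdlets; the site code, settings name and collection name are placeholders.

```powershell
# Added example: the three names below are placeholders, not values from this topic.
$SiteCode       = 'XYZ'                          # placeholder site code
$SettingsName   = 'Endpoint Protection - Pilot'  # hypothetical settings name
$CollectionName = 'EP Pilot Workstations'        # hypothetical; must already exist

# Assumes the ConfigurationManager module is imported and the site drive exists.
Set-Location "$($SiteCode):"

# The Endpoint Protection point role must be installed first (Step 1).
if (-not (Get-CMEndpointProtectionPoint -SiteCode $SiteCode)) {
    throw "No Endpoint Protection point in site $SiteCode. Complete Step 1 first."
}

# Fail before creating anything if the target collection is missing.
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    throw "Device collection '$CollectionName' was not found."
}

# Create custom device settings; the default client settings are left untouched.
if (-not (Get-CMClientSetting -Name $SettingsName)) {
    New-CMClientSetting -Name $SettingsName -Type Device `
        -Description 'Endpoint Protection settings for the pilot collection' | Out-Null
}

# Enable management of the Endpoint Protection client and install it on members.
Set-CMClientSettingEndpointProtection -Name $SettingsName `
    -Enable $true `
    -InstallEndpointProtectionClient $true

# Custom settings have no effect until they are deployed to a collection.
Start-CMClientSettingDeployment -ClientSettingName $SettingsName `
    -CollectionName $CollectionName
```

Scoping the deployment to a pilot collection keeps the change away from the default client settings, which apply to every computer in the hierarchy.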