Windows Server Update Services (WSUS) must be installed and configured for software updates synchronization if you want to use Configuration Manager software updates to deliver definition and engine updates.

See Prerequisites for Software Updates in Configuration Manager.

Some definition update methods require that client computers have Internet access.

If you use any of the following methods to update definitions on client computers, the client computer must be able to access the Internet.

• Updates distributed from Microsoft Update
  
  
• Updates distributed from Microsoft Malware Protection Center
  
  

Important
Clients download definition updates by using the built-in System account. You must configure a proxy server for this account to enable these clients to connect to the Internet. You can use Windows Group Policy to configure a proxy server on multiple computers.

An SMTP server if you want to send email alerts

See Step 1 (Optional): Configure Email Settings for Alerts in the How to Configure Alerts for Endpoint Protection in Configuration Manager topic.

Hotfix requirement to deploy Windows Firewall policies.

If you want to deploy Windows Firewall policies to computers running Windows Server 2008 and Windows Vista Service Pack 1, you must first install Hotfix KB971800 on these computers.

Your standalone primary or central administration site must be running System Center 2012 Configuration Manager and have the Endpoint Protection point site system role installed and configured.

Important
The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone primary site.

For more information about the requirements for the Endpoint Protection point site system role, see the Site System Requirements section of the Supported Configurations for Configuration Manager.

For more information about to install this site system role, see How to Configure Endpoint Protection in Configuration Manager.

A software update point site system role must be installed and configured to deliver definition updates if you want to use Configuration Manager software updates to deliver definition and engine updates.

For more information about the requirements for the software update point site system role, see the Site System Requirements section of the Supported Configurations for Configuration Manager.

For more information about how to install this site system role and configure it for Endpoint Protection, see Configuring Software Updates in Configuration Manager and How to Configure Endpoint Protection in Configuration Manager.

Client settings that install the Endpoint Protection client and configure Endpoint Protection

For information about the system requirements for the Endpoint Protection client, see the Computer Client Requirements in the Supported Configurations for Configuration Manager topic.

For more information about how to configure the client settings for Endpoint Protection, see Step 5: Configure Custom Client Settings for Endpoint Protection in the How to Configure Endpoint Protection in Configuration Manager topic.

The reporting services point site system role must be installed before Endpoint Protection reports can be displayed.

See Reporting in Configuration Manager.

Security permissions to manage Endpoint Protection

You must have the following security permissions to manage Endpoint Protection:

• To create and manage subscriptions to Endpoint Protection alerts: Create, Delete, Modify, Read, Set Security Scope for the Alert Subscription object.
  
  
• To create and modify alerts for Endpoint Protection: Create, Delete, Modify, Modify Report, Read, Run Report for the Alerts object.
  
  
• To create and modify antimalware policies: Create, Delete, Modify, Modify Default, Modify Report, Read, Read Default, Run Report, Set Security Scope for the Antimalware Policy object.
  
  
• To deploy antimalware and Windows Firewall policies to computers: Audit Security, Delete, Deploy Antimalware Policies, Deploy Firewall Policies, Enforce Security, Read, Read Resource for the Collection object.
  
  
• To view and manage Endpoint Protection in the Configuration Manager console: Read permissions for the Site object.
  
  
• To create and modify Windows Firewall policies: Create Policy, Delete Policy, Modify Policy, Read Policy, Read Settings for the Windows Firewall Policy object.
  
  

The Endpoint Protection Manager security role includes these permissions that are required to manage Endpoint Protection in Configuration Manager.

Note
To perform the following actions, you must be a member of the Full Administrator security role. Configure the Endpoint Protection point site system role. Configure email notification for Endpoint Protection alerts.

For more information, see Configure Role-Based Administration in the Configuring Security for Configuration Manager topic.