Endpoint Services, MECM, Configure MECM Endpoint Protection

Overview

Configure MECM Endpoint Protection policies

Systems

Microsoft Endpoint Configuration Manager (MECM)

Intended Audience

University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team

For endpoints using CrowdStrike Falcon, please note that MECM Endpoint Protection must be disabled.
See the 'Disabling MECM Endpoint Protection Management' article for additional information.

General Information

MECM client settings include Endpoint Protection policies for Windows endpoints.  If endpoints are already managed by MECM, the process is comprised of these steps:

  1. Configure client settings to install and manage the Endpoint Protection agent
  2. Configure desired anti-malware policies
  3. Deploy the policies if they are not already deployed
  4. Configure email notifications

If endpoints are not managed by MECM, they will first have to be provisioned for the MECM service (see 67714) before following these steps.

Configure MECM

  1. In the console, navigate to Administration→Client Settings. Right-click Client Settings and select Create Custom Client Device Settings to create a new policy, or right-click an existing policy and select Properties to modify it.

    Create custom client device settings menu choice in SCCM.
    Right-click to see the menu and select Properties.
  2. Add the Endpoint Protection node to the client policy by selecting the checkbox found in the center pane of the General category of the policy.

    Select Endpoint Protection node.
  3. Once the Endpoint Protection client settings node is added, select it from the list on the left to modify the policy settings.

    Configure endpoint protection settings.
  4. Changing the setting for Install Endpoint Protection client on client computers to Yes instructs any MECM managed endpoint for which this client policy applies to install the Endpoint Protection client.

    Selecting Yes for the setting Managed Endpoint Protection client on client computers is required for MECM to manage Endpoint Protection.

Configure an Endpoint Protection Anti-malware Policy

The Endpoint Protection Anti-malware policy is used to determine the behavior of the Endpoint Protection client (scan schedule, on-demand settings, user restrictions, exceptions, etc.) Detailed explanation of policy elements can be found at:

  1. Navigate to Assets and Compliance->Endpoint Protection. Right-click on Anti-malware Policies and select Create Anti-malware Policy. There are recommended Anti-malware policies for common scenarios available for import that can be found in the MECM Console install location: C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates

    Configure endpoint policy context menu.
  2. Name the policy using the standard Campus_Identifier-Department_Identifier prefix (i.e. "UIUC-DeptName"). You can choose to enter descriptive text that is readily visible in the MECM console. Check boxes for settings categories you wish to manage from this policy, unchecked boxes will defer those settings to a policy with a lower priority (the default policy being the lowest priority).

    Naming AV policy
  3. Once the policy is created, remember to pay attention to the Order value for each anti-malware policy you use (can be changed via the right-click menu). This value is used to determine priority when applied to endpoints (lower values have higher priority). Anti-malware policy is a resultant set of policies so if more than one applies, the order value is used to determine tiebreakers in conflicting settings. If a policy section is not managed (checkbox not selected and configured), then there is no conflict and the policy whose settings are defined for that section will apply. Read-only permissions are granted to everyone to review the default anti-malware policy.

Deploying the new policy to endpoints

  1. Navigate to the MECM client settings node or the anti-malware policies node to locate the policy to deploy. Right-Click on the desired policy and select 'Deploy'

    1a-deploy-client-settings.png

    1b-deploy-antimalware-policies.png
  2. In the wizard, select the device collection folder for your department and select the desired collection. Click OK to confirm the selection.

    2a-wizarddevicecollections.png
  3. To confirm the deployments of a policy, select the policy in question, then click the deployments tab in the lower center console pane. Existing deployments can be deleted from here by right-clicking the deployment and selecting Delete.

    3a-clientsettings.png
    3b-antimalwarepolicies.png

Setting Email alerts for Endpoint Protection

  1. Right click collection you wish to set alerts for and select Properties.

    1a-collectionpropertiescontext.png
  2. Click the Alerts tab and configure desired alerts and click Add, then check which alerts you wish to enable. Click OK and after configuring each alert, click OK where necessary to confirm changes.

    1a-collectionpropertiescontext.png
    1b-collectionalertspanel.png
  3. In the Monitoring node, expand Alerts and right-click on Subscriptions to create a new subscription.

    3a-createsubscription.png
  4. Check the boxes next to the alerts you wish to subscribe to and enter a Name using the standard (campus_code-unit_identifier+email recipient description) and email address (or addresses separated by semicolon).

    4a-newsubscriptionpanel.png

Check Endpoint Protection compliance

There are a few ways to verify the Endpoint Protection agent is managed and healthy.

  1. When viewing the attributes of an endpoint in the console, the lower center pane will reflect the endpoint protection status within the Summary tab. In addition, there will be tabs to show policy status as well.

    Here you see an endpoint that is managed but doesn’t yet have the Endpoint Protection agent.

    1b-unmanagedendpointtab.png

    Here you see an endpoint that is managed and Endpoint Protection is properly configured and managed.

    1c-managedendpointtab.png
  2. Navigating to Monitoring→Security→Endpoint Protection Status→Microsoft Defender Status will display a dashboard summary of endpoint protection status of all endpoints in the selected collection. Drill-down reports are available from this dashboard to investigate endpoints missing Endpoint Protection, in a failed state, or otherwise unhealthy or at-risk.

    2a-unhealthyendpoint.png


Contact the EPS team



Keywords:
scep "windows defender" EPS SCCM windows endpoint TechS-EPS-SCCM MECM 
Doc ID:
67693
Owned by:
EPS Distribution List in University of Illinois Technology Services
Created:
2016-10-10
Updated:
2024-09-09
Sites:
University of Illinois Technology Services