Endpoint Services, MECM, Configure MECM Endpoint Protection
Configure MECM Endpoint Protection policies
Microsoft Endpoint Configuration Manager (MECM)
University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team
MECM client settings include Endpoint Protection policies for Windows 10 endpoints. If endpoints are already managed by MECM, the process is comprised of these steps:
- Configure client settings to install and manage the Endpoint Protection agent
- Configure desired anti-malware policies
- Deploy the policies if they are not already deployed
- Configure email notifications
If endpoints are not managed by MECM, they will first have to be provisioned for the MECM service (see 67714) before following these steps.
In the console, navigate to Administration→Client Settings. Right-click Client Settings and select Create Custom Client Device Settings to create a new policy, or right-click an existing policy and select Properties to modify it.
Add the Endpoint Protection node to the client policy by selecting the checkbox found in the center pane of the General category of the policy.
Once the Endpoint Protection client settings node is added, select it from the list on the left to modify the policy settings.
Changing the setting for Install Endpoint Protection client on client computers to Yes instructs any MECM managed endpoint for which this client policy applies to install the Endpoint Protection client.
Selecting Yes for the setting Managed Endpoint Protection client on client computers is required for MECM to manage Endpoint Protection.
Configure an Endpoint Protection Anti-malware Policy
The Endpoint Protection Anti-malware policy is used to determine the behavior of the Endpoint Protection client (scan schedule, on-demand settings, user restrictions, exceptions, etc.) Detailed explanation of policy elements can be found at:
Navigate to Assets and Compliance->Endpoint Protection. Right-click on Anti-malware Policies and select Create Anti-malware Policy. There are recommended Anti-malware policies for common scenarios available for import that can be found in the MECM Console install location:
C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates
Name the policy using the standard
Department_Identifierprefix (i.e. "UIUC-DeptName"). You can choose to enter descriptive text that is readily visible in the MECM console. Check boxes for settings categories you wish to manage from this policy, unchecked boxes will defer those settings to a policy with a lower priority (the default policy being the lowest priority).
Once the policy is created, remember to pay attention to the Order value for each anti-malware policy you use (can be changed via the right-click menu). This value is used to determine priority when applied to endpoints (lower values have higher priority). Anti-malware policy is a resultant set of policies so if more than one applies, the order value is used to determine tiebreakers in conflicting settings. If a policy section is not managed (checkbox not selected and configured), then there is no conflict and the policy whose settings are defined for that section will apply. Read-only permissions are granted to everyone to review the default anti-malware policy.
Deploying the new policy to endpoints
- Navigate to the MECM client settings node or the anti-malware policies node to locate the policy to deploy. Right-Click on the desired policy and select 'Deploy'
In the wizard, select the device collection folder for your department and select the desired collection. Click OK to confirm the selection.
To confirm the deployments of a policy, select the policy in question, then click the deployments tab in the lower center console pane. Existing deployments can be deleted from here by right-clicking the deployment and selecting Delete.
Setting Email alerts for Endpoint Protection
Right click collection you wish to set alerts for and select Properties.
Click the Alerts tab and configure desired alerts and click Add, then check which alerts you wish to enable. Click OK and after configuring each alert, click OK where necessary to confirm changes.
In the Monitoring node, expand Alerts and right-click on Subscriptions to create a new subscription.
Check the boxes next to the alerts you wish to subscribe to and enter a Name using the standard (
campus_code-unit_identifier+email recipient description) and email address (or addresses separated by semicolon).
Check Endpoint Protection compliance
There are a few ways to verify the Endpoint Protection agent is managed and healthy.
When viewing the attributes of an endpoint in the console, the lower center pane will reflect the endpoint protection status within the Summary tab. In addition, there will be tabs to show policy status as well.
Here you see an endpoint that is managed but doesn’t yet have the Endpoint Protection agent.
Here you see an endpoint that is managed and Endpoint Protection is properly configured and managed.
Navigating to Monitoring→Security→Endpoint Protection Status→Microsoft Defender Status will display a dashboard summary of endpoint protection status of all endpoints in the selected collection. Drill-down reports are available from this dashboard to investigate endpoints missing Endpoint Protection, in a failed state, or otherwise unhealthy or at-risk.