SCCM, Installing SCEP or Windows Defender

Steps to make SCCM install SCEP or Windows Defender, Microsoft's antivirus software, in an automated way, optionally uninstalling many other antivirus programs in the process.

The System Center Configuration Manager (SCCM) client policy can be used to install System Center Endpoint Protection (SCEP) in supported OSes prior to Windows 10, or to enable Windows Defender on Windows 10. The SCEP installer can also uninstall prior AV products if that activity is enabled in the SCCM client policy.

If endpoints are already managed by SCCM, migrating to SCEP/Windows Defender is a straightforward process. The process consists of these steps:

  1. Configure the SCCM client policy to install and manage the SCEP agent
  2. Configure desired SCEP anti-malware policies
  3. Deploy the policies if they are not already deployed
  4. Configure email notifications

The process is the same across SCCM 2012 R2 and SCCM Current Branch (CB).

If endpoints are not managed by SCCM, they will first have to be provisioned for the SCCM service (see 67714) before following these steps.

Configure SCCM

  1. In the SCCM console, navigate to Administration→Client Settings. Right-click Client Settings and select Create Custom Client Device Settings to create a new policy, or right-click an existing policy and select Properties to modify it for SCEP deployment/management.

    Create custom client device settings menu choice in SCCM.
    Right-click to see the menu and select Properties.
  2. Add the Endpoint Protection node to the client policy by selecting the checkbox found in the center pane of the General category of the policy.

    Select Endpoint Protection node.
  3. Once the Endpoint Protection client settings node is added, select it from the list on the left to modify the policy settings.

    Configure endpoint protection settings.
  4. Changing the setting for Install Endpoint Protection client on client computers to Yes instructs any SCCM managed endpoint for which this client policy applies to install the SCEP client (Windows 7/8/8.1 endpoints), or to configure Windows Defender (Windows 10 endpoints).

    Selecting Yes for the setting Manage Endpoint Protection client on client computers is required for SCCM to manage SCEP/Windows Defender.

    Selecting Yes for the setting Automatically remove previously installed anti-malware software before Endpoint Protection is installed is recommended to ease migration to SCEP from any previously installed products. As referenced by https://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings, the list of AV products supported by this setting includes the following:

    List of antivirus software to be removed.
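The same client settings can be created and configured from the ConfigMgr PowerShell module instead of the console. The script below is an added example, not code from the original article or from Microsoft; it assumes the site code ABC and the policy name UIUC-Deptname-EP (both placeholders), that the console is installed on the machine running the script, and that Set-CMClientSettingEndpointProtection adds the Endpoint Protection node to a policy that does not yet have it.

```powershell
# Added example: create a custom client device settings policy that installs
# SCEP (Windows 7/8/8.1) or manages Windows Defender (Windows 10) and removes
# previously installed anti-malware software. Run as an SCCM administrator.

# Load the ConfigMgr module from the console install and switch to the site drive.
# 'ABC' is a placeholder site code; replace it with your own.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'ABC:'

$settingName = 'UIUC-Deptname-EP'   # placeholder policy name (campus-department prefix)

# Step 1: create the custom device settings object, or reuse an existing one.
$setting = Get-CMClientSetting -Name $settingName
if (-not $setting) {
    $setting = New-CMClientSetting -Name $settingName -Type Device `
        -Description 'Installs and manages SCEP / Windows Defender'
}

# Steps 2-4: set the Endpoint Protection values. Each parameter maps to a
# console setting named in the article. Assumption: the cmdlet adds the
# Endpoint Protection node to the policy when it is absent.
$epParams = @{
    Name                            = $settingName
    InstallEndpointProtectionClient = $true   # "Install Endpoint Protection client on client computers"
    RemoveThirdParty                = $true   # "Automatically remove previously installed anti-malware software"
    SuppressReboot                  = $true   # do not force a restart on the user after install
}
Set-CMClientSettingEndpointProtection @epParams

# Review the resulting Endpoint Protection settings before deploying the policy.
Get-CMClientSetting -Name $settingName -Setting EndpointProtection
```

The final Get-CMClientSetting call returns the Endpoint Protection node as a table of setting names and values, which is a quick way to confirm that the install and third-party-removal options read Yes before the policy is deployed to any collection.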

Configure an Endpoint Protection Anti-malware Policy

The Endpoint Protection Anti-malware policy determines the behavior of the SCEP/Windows Defender client (scan schedule, on-demand settings, user restrictions, exceptions, etc.). A detailed explanation of the policy elements can be found at:

  1. Navigate to Assets and Compliance→Endpoint Protection. Right-click on Anti-malware Policies and select Create Anti-malware Policy. Recommended anti-malware policies for common scenarios are available for import from the SCCM console install location: C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates

    Configure endpoint policy context menu.
  2. Name the policy using the standard Campus_Identifier-Department_Identifier prefix (e.g. "UIUC-Deptname"). You can also enter descriptive text that is readily visible in the SCCM console. Check the boxes for the settings categories you wish to manage from this policy; unchecked categories defer to a policy with a lower priority (the default policy being the lowest priority).

    Naming AV policy
  3. Once the policy is created, pay attention to the Order value of each anti-malware policy you use (it can be changed via the right-click menu). This value determines priority when the policies are applied to endpoints (lower values have higher priority). Anti-malware policy is a resultant set of policies, so if more than one applies, the Order value breaks ties between conflicting settings. If a policy section is not managed (checkbox not selected and configured), there is no conflict and the policy whose settings are defined for that section applies. Read-only permissions are granted to everyone to review the default anti-malware policy.

Deploying the new policy to endpoints

Deploying SCCM and SCEP Policies to endpoints: An SCCM deployment is the association of SCCM policies or content to the basic organizational unit of SCCM manageable objects, called a Collection. Sometimes the deployment is of policies themselves (such as client settings or anti-malware policy) and other times the deployment itself is a policy to control the handling of content (such as applications or OS deployment task sequences).

  1. Navigate to the SCCM client settings node or the anti-malware policies node to locate the policy to deploy. Right-click on the desired policy and select the Deploy option to start the deployment wizard.

    [Screenshot: 1a-deploy-client-settings.png]
    [Screenshot: 1b-deploy-antimalware-policies.png]
  2. In the wizard, select the device collection folder for your department and select the desired collection. Click OK to confirm the selection.

    [Screenshot: 2a-wizarddevicecollections.png]
  3. To confirm the deployments of a policy, select the policy in question, then click the deployments tab in the lower center console pane. Existing deployments can be deleted from here by right-clicking the deployment and selecting Delete.

    [Screenshot: 3a-clientsettings.png]
    [Screenshot: 3b-antimalwarepolicies.png]
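The anti-malware policy steps in the previous section and the deployment steps above can be combined into one script using the ConfigMgr PowerShell module. This is an added example, not code from the original article or from Microsoft. It assumes the site code ABC, the collection name UIUC-Deptname Workstations, the policy names UIUC-Deptname and UIUC-Deptname-EP, and the template file name <TEMPLATE>.xml (all placeholders); the EPTemplates folder path is the one given in the article. It also assumes that Set-CMAntimalwarePolicy accepts a -Priority parameter and that the objects returned by Get-CMAntimalwarePolicy expose a Priority property.

```powershell
# Added example: import a recommended anti-malware policy template, set its
# priority, and deploy both the client settings and the anti-malware policy
# to a department collection.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'ABC:'   # placeholder site code

$collection    = 'UIUC-Deptname Workstations'   # placeholder device collection
$avPolicyName  = 'UIUC-Deptname'                # campus-department prefix per the naming standard
$clientSetting = 'UIUC-Deptname-EP'             # client settings policy configured earlier

# Template folder is from the article; <TEMPLATE>.xml is a placeholder file name.
$templateDir = 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates'
$template    = Join-Path $templateDir '<TEMPLATE>.xml'

# Step 1-2: import the template under the department name if it does not exist yet.
if (-not (Get-CMAntimalwarePolicy -Name $avPolicyName)) {
    Import-CMAntimalwarePolicy -Path $template -Name $avPolicyName `
        -Description 'Department workstation anti-malware baseline'
}

# Step 3: lower Order value = higher priority. Assumption: -Priority is accepted here.
Set-CMAntimalwarePolicy -Name $avPolicyName -Priority 1

# Deployment: associate both policies with the department collection.
Start-CMClientSettingDeployment   -ClientSettingName     $clientSetting -CollectionName $collection
Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $avPolicyName  -CollectionName $collection

# Review the resulting priority order of all anti-malware policies so the
# department policy is not unexpectedly shadowed by another one.
Get-CMAntimalwarePolicy | Select-Object Name, Priority | Sort-Object Priority
```

Deploying the client settings and the anti-malware policy to the same collection keeps the two in step: endpoints that receive the install instruction also receive the scan and exclusion settings, rather than falling back to the lowest-priority default policy until someone notices.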

Setting Email alerts for SCEP 2012

  1. Right-click the collection you wish to set alerts for and select Properties.

    [Screenshot: 1a-collectionpropertiescontext.png]
  2. Click the Alerts tab, click Add, and check the alerts you wish to enable. Configure each alert as desired, then click OK where necessary to confirm the changes.

    [Screenshot: 1b-collectionalertspanel.png]
  3. In the Monitoring node, expand Alerts and right-click on Subscriptions to create a new subscription.

    [Screenshot: 3a-createsubscription.png]
  4. Check the boxes next to the alerts you wish to subscribe to and enter a Name using the standard (campus_code-unit_identifier+email recipient description) and an email address (or several addresses separated by semicolons).

    [Screenshot: 4a-newsubscriptionpanel.png]

Check SCEP compliance

There are a few ways to verify that SCCM is managing the endpoint and that SCEP/Windows Defender is managed and healthy.

  1. When viewing the attributes of an endpoint in the console, the lower center pane will reflect the endpoint protection status within the Summary tab. In addition, there will be tabs to show policy status as well.

    Here you see an endpoint that is managed but doesn’t yet have SCEP managed.

    [Screenshot: 1b-unmanagedendpointtab.png]

    Here you see an endpoint that is managed and SCEP is properly configured and managed.

    [Screenshot: 1c-managedendpointtab.png]
  2. Navigating to Monitoring→Endpoint Protection Status→System Center Endpoint Protection Status (for SCCM 2012 R2) or Monitoring→Security→Endpoint Protection Status→System Center Endpoint Protection Status (for SCCM Current Branch) will display a dashboard summary of endpoint protection status of all endpoints in the selected collection. Drill-down reports are available from this dashboard to investigate endpoints missing SCEP, in a failed state, or otherwise unhealthy or at-risk.

    [Screenshot: 2a-unhealthyendpoint.png]
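The console views above show the server's view of an endpoint. When a machine shows up as missing SCEP or unhealthy, it helps to run the same checks locally on the endpoint. The function below is an added example, not code from the original article or from Microsoft; it runs on the endpoint itself. It assumes the service names CcmExec (SCCM client), MsMpSvc (SCEP) and WinDefend (Windows Defender), the Defender PowerShell module's Get-MpComputerStatus where that module is present, and a LastAppliedPolicy value under HKLM:\SOFTWARE\Microsoft\CCM\EPAgent, which is an assumption about the EP agent's registry state.

```powershell
# Added example: local health check for an SCCM-managed endpoint running SCEP
# (Windows 7/8/8.1) or Windows Defender (Windows 10). Returns one object with
# the facts the Endpoint Protection Status dashboard summarises.
function Test-EndpointProtectionHealth {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        CcmExecRunning     = $false
        AntimalwareProduct = 'none'
        ServiceRunning     = $false
        RealTimeProtection = $null
        SignatureAgeDays   = $null
        LastPolicyApplied  = $null
    }

    # 1. The SCCM client service must be running for any client or anti-malware policy to arrive.
    $ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $result.CcmExecRunning = [bool]($ccm -and $ccm.Status -eq 'Running')

    # 2. Which product is present? SCEP registers under "Microsoft Antimalware" and must be
    #    checked first, because older Windows versions also carry a "Windows Defender" key.
    $svc = $null
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware') {
        $result.AntimalwareProduct = 'SCEP'
        $svc = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
    } elseif (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender') {
        $result.AntimalwareProduct = 'Windows Defender'
        $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    }
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 3. Real-time protection state and signature age, via the Defender module when it exists.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
        $result.SignatureAgeDays   = $mp.AntivirusSignatureAge
    }

    # 4. Last policy the EP agent applied. Assumption: a LastAppliedPolicy value under
    #    CCM\EPAgent; the authoritative record is C:\Windows\CCM\Logs\EndpointProtectionAgent.log.
    $ep = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent' -ErrorAction SilentlyContinue
    if ($ep) { $result.LastPolicyApplied = $ep.LastAppliedPolicy }

    # Healthy = managed client, AV service up, real-time protection not disabled,
    # signatures no older than a week (or unknown when the Defender module is absent).
    $result.Healthy = $result.CcmExecRunning -and $result.ServiceRunning -and
                      ($result.RealTimeProtection -ne $false) -and
                      ($null -eq $result.SignatureAgeDays -or $result.SignatureAgeDays -le 7)

    [pscustomobject]$result
}

Test-EndpointProtectionHealth | Format-List
```

An endpoint that reports CcmExecRunning but AntimalwareProduct 'none' matches the "managed but SCEP not yet managed" tab shown earlier: the client is talking to the site, but the client settings policy that installs SCEP has not applied, which usually means the policy is not deployed to a collection containing that device or the client has not yet refreshed its policy.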



Keywords: sccm scep "windows defender" configuring to install
Doc ID: 67693
Owner: J.B. N.
Group: University of Illinois Technology Services
Created: 2016-10-10 07:57 CST
Updated: 2016-12-19 15:52 CST
Sites: University of Illinois Technology Services
CleanURL: https://answers.uillinois.edu/configuring-sccm-to-install-scep-or-windows-defender