Endpoint Services, SCCM, Installing SCEP or Windows Defender
Steps to make SCCM install SCEP or Windows Defender, Microsoft's antivirus software, in an automated way including optionally uninstalling many other antivirus programs in the process.
System Center Configuration Manager (SCCM) Current Branch
University of Illinois IT Pros leveraging Technology Services Endpoint Service SCCM Current Branch
The System Center Configuration Manager (SCCM) client policy can be used to install System Center Endpoint Protection (SCEP) in supported OSes prior to Windows 10, or to enable Windows Defender on Windows 10. The SCEP installer can also uninstall prior AV products if that activity is enabled in the SCCM client policy.
If endpoints are already managed by SCCM, migrating to SCEP/Windows Defender is a straightforward process consisting of these steps:
- Configure the SCCM client policy to install and manage the SCEP agent
- Configure desired SCEP anti-malware policies
- Deploy the policies if they are not already deployed
- Configure email notifications
If endpoints are not managed by SCCM, they will first have to be provisioned for the SCCM service (see 67714) before following these steps.
In the SCCM console, navigate to Administration→Client Settings. Right-click Client Settings and select Create Custom Client Device Settings to create a new policy, or right-click an existing policy and select Properties to modify it for SCEP deployment/management.
Add the Endpoint Protection node to the client policy by selecting the checkbox found in the center pane of the General category of the policy.
Once the Endpoint Protection client settings node is added, select it from the list on the left to modify the policy settings.
Changing the setting Install Endpoint Protection client on client computers to Yes instructs every SCCM-managed endpoint to which this client policy applies to install the SCEP client (Windows 7/8/8.1 endpoints) or to configure Windows Defender (Windows 10 endpoints).
Selecting Yes for the setting Manage Endpoint Protection client on client computers is required for SCCM to manage SCEP/Windows Defender.
Selecting Yes for the setting Automatically remove previously installed anti-malware software before Endpoint Protection is installed is recommended to ease migration to SCEP from any previously installed products. The AV products this setting can remove are documented at https://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings and include the following:
Configure an Endpoint Protection Anti-malware Policy
The Endpoint Protection Anti-malware policy determines the behavior of the SCEP/Windows Defender client (scan schedule, on-demand settings, user restrictions, exceptions, etc.). Detailed explanations of the policy elements can be found at:
- https://technet.microsoft.com/en-us/library/mt613199.aspx#BKMK_List for SCCM Current Branch
- https://technet.microsoft.com/en-us/library/hh508785.aspx#BKMK_List for SCCM 2012 R2
Navigate to Assets and Compliance→Endpoint Protection. Right-click Anti-malware Policies and select Create Anti-malware Policy. Recommended anti-malware policy templates for common scenarios are available for import from the SCCM console install location:
C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates
Name the policy using the standard Department_Identifier prefix (e.g. "UIUC-Deptname"). You can enter descriptive text that is readily visible in the SCCM console. Check the boxes for the settings categories you wish to manage from this policy; unchecked categories defer to a policy with lower priority (the default policy being the lowest priority).
Once the policy is created, pay attention to the Order value of each anti-malware policy you use (it can be changed via the right-click menu). This value determines priority when policies are applied to endpoints (lower values have higher priority). The effective anti-malware policy is a resultant set of policies, so when more than one applies, the Order value breaks ties between conflicting settings. If a policy section is not managed (its checkbox not selected and configured), there is no conflict for that section and the policy that does define settings for it applies. Read-only permissions are granted to everyone to review the default anti-malware policy.
Deploying the new policy to endpoints
An SCCM deployment is the association of SCCM policies or content with the basic organizational unit of SCCM-manageable objects, called a Collection. Sometimes the deployment is of policies themselves (such as client settings or anti-malware policy); other times the deployment itself is a policy that controls the handling of content (such as applications or OS deployment task sequences).
- Navigate to the SCCM client settings node or the anti-malware policies node to locate the policy to deploy. Right-click the desired policy and select Deploy to start the deployment wizard.
- In the wizard, select the device collection folder for your department and select the desired collection. Click OK to confirm the selection.
To confirm the deployments of a policy, select the policy in question, then click the deployments tab in the lower center console pane. Existing deployments can be deleted from here by right-clicking the deployment and selecting Delete.
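The client-settings, anti-malware-policy and deployment steps above can also be scripted with the ConfigurationManager PowerShell module that ships with the SCCM console. The following is an added example and not part of the original article or of the campus SCCM service; the site code, department prefix, collection name and template file name are placeholders, and the exact parameter names of Set-CMClientSettingEndpointProtection and the section names accepted by New-CMAntimalwarePolicy -Policy are assumptions that should be confirmed with Get-Help on your console version before use.

```powershell
# Added example (not from the original KB article). Run from a machine with the
# SCCM console installed, as an account with rights on the site.
# ASSUMPTIONS: placeholders below; cmdlet parameter names checked against your console version.

$adminConsole = Split-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) -Parent   # ...\AdminConsole
Import-Module (Join-Path $adminConsole 'bin\ConfigurationManager.psd1')
Set-Location 'ABC:'                                  # PLACEHOLDER: replace ABC with your site code

$dept       = 'UIUC-Deptname'                        # naming standard from the article (placeholder dept)
$collection = "$dept - Workstations"                 # PLACEHOLDER device collection in your department folder
$template   = Join-Path $adminConsole 'XmlStorage\EPTemplates\FEP_Default_Workstation.xml'  # PLACEHOLDER template

# 1. Custom client device settings with the Endpoint Protection node enabled.
$csName = "$dept - Endpoint Protection"
if (-not (Get-CMClientSetting -Name $csName)) {
    New-CMClientSetting -Name $csName -Type Device | Out-Null
}
$epSettings = @{
    Name                            = $csName
    Enable                          = $true     # add the Endpoint Protection node to the policy
    InstallEndpointProtectionClient = $true     # "Install Endpoint Protection client on client computers" = Yes
    RemoveThirdParty                = $true     # "Automatically remove previously installed anti-malware..." = Yes
    SuppressReboot                  = $true     # do not force a restart after removal/install
}
Set-CMClientSettingEndpointProtection @epSettings   # ASSUMPTION: parameter names as above

# 2. Anti-malware policy imported from a console template. Only the sections named
#    in -Policy are managed; the rest defer to lower-priority policies (Order value).
$amName = "$dept - Workstation AM Policy"
if (-not (Get-CMAntimalwarePolicy -Name $amName)) {
    New-CMAntimalwarePolicy -Name $amName -Path $template `
        -Policy ScheduledScans, RealTimeProtection, ExclusionSettings, DefaultActions | Out-Null
}

# 3. Deploy both the client settings and the anti-malware policy to the collection.
Start-CMClientSettingDeployment     -ClientSettingName $csName   -CollectionName $collection
Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $amName -CollectionName $collection

# 4. Confirm the client-settings deployment (what the console's Deployments tab lists).
Get-CMClientSettingDeployment -Name $csName | Select-Object -ExpandProperty CollectionName
```

Keeping the department prefix in both object names keeps them sortable next to each other in the console, and the existence checks make the script safe to re-run after a partial failure.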
Setting Email alerts for SCEP 2012
Right-click the collection you wish to set alerts for and select Properties.
Click the Alerts tab, click Add, and check the alerts you wish to enable. Click OK, configure each alert, and click OK where necessary to confirm the changes.
In the Monitoring node, expand Alerts and right-click on Subscriptions to create a new subscription.
Check the boxes next to the alerts you wish to subscribe to and enter a Name using the standard (campus_code-unit_identifier+email recipient description) and an email address (or addresses separated by semicolons).
Check SCEP compliance
There are a few ways to verify that SCCM is managing the endpoint and that SCEP/Windows Defender is managed and healthy.
When viewing the attributes of an endpoint in the console, the lower center pane will reflect the endpoint protection status within the Summary tab. In addition, there will be tabs to show policy status as well.
Here you see an endpoint that is managed but doesn’t yet have SCEP managed.
Here you see an endpoint that is managed and SCEP is properly configured and managed.
Navigating to Monitoring→Endpoint Protection Status→System Center Endpoint Protection Status (for SCCM 2012 R2) or Monitoring→Security→Endpoint Protection Status→System Center Endpoint Protection Status (for SCCM Current Branch) will display a dashboard summary of endpoint protection status of all endpoints in the selected collection. Drill-down reports are available from this dashboard to investigate endpoints missing SCEP, in a failed state, or otherwise unhealthy or at-risk.
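For a single endpoint, the same health picture the dashboard summarizes can be gathered locally. The script below is an added example, not part of the original article or of the SCCM product; it assumes the Windows Defender CIM namespace (root\Microsoft\Windows\Defender) on Windows 10 and the SCEP namespace (root\Microsoft\ProtectionManagement) on earlier Windows, both exposing the MSFT_MpComputerStatus class, and it assumes the SCCM client's EndpointProtectionAgent.log lives under %windir%\CCM\Logs. The signature-age threshold is a constructed value for illustration.

```powershell
# Added example (not from the original KB article): local SCEP/Windows Defender health check.
# ASSUMPTIONS: namespaces/properties of MSFT_MpComputerStatus as noted in the lead-in;
# run in an elevated PowerShell session on the endpoint.

function Get-EpHealth {
    param([int]$MaxSignatureAgeDays = 3)   # constructed threshold: signatures older than this count as unhealthy

    $ccm   = Get-Service -Name CcmExec -ErrorAction SilentlyContinue        # SCCM client service
    $epLog = Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log'   # written by the EP agent

    # Query the Windows 10 Defender namespace first, then fall back to the SCEP namespace.
    $status = $null
    foreach ($ns in 'root\Microsoft\Windows\Defender', 'root\Microsoft\ProtectionManagement') {
        $status = Get-CimInstance -Namespace $ns -ClassName MSFT_MpComputerStatus -ErrorAction SilentlyContinue
        if ($status) { break }
    }

    $result = [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SccmClientRunning  = [bool]($ccm -and $ccm.Status -eq 'Running')
        EpAgentLogPresent  = Test-Path $epLog
        AmProductVersion   = $status.AMProductVersion
        AmServiceEnabled   = [bool]$status.AMServiceEnabled
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        AntivirusEnabled   = [bool]$status.AntivirusEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        Healthy            = $false
    }

    # "Healthy" mirrors the dashboard's notion: SCCM client running, AM engine on,
    # real-time protection on, and signatures no older than the threshold.
    $result.Healthy = $result.SccmClientRunning -and $result.AmServiceEnabled -and
                      $result.RealTimeProtection -and
                      ($null -ne $status.AntivirusSignatureAge) -and
                      ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    return $result
}

# Report, and show the tail of the EP agent log when the endpoint is not healthy.
$health = Get-EpHealth
$health | Format-List
if (-not $health.Healthy -and $health.EpAgentLogPresent) {
    Get-Content (Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log') -Tail 20
}
```

An endpoint with SccmClientRunning true but no MSFT_MpComputerStatus instance corresponds to the "managed but SCEP not yet managed" state shown in the console; the EndpointProtectionAgent.log tail usually explains why the install or configuration has not completed.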