The main intention in building System Center 2012 Endpoint Protection on Configuration Manager is to create a single infrastructure for deploying and managing endpoint protection. In the previous version (SCCM 2007), System Center Endpoint Protection was not associated with the System Center Configuration Manager product. Some of the features achieved by associating SCEP with Configuration Manager are listed below.


1. Central administration for deploying and configuring the Endpoint Protection client.
2. Default antimalware policies can be deployed to groups of computers.
3. Security roles for managing antimalware policies can be managed and controlled.
4. Security settings such as Windows Firewall changes can be deployed to groups of computers.
5. Scan and status reports can be generated easily by Configuration Manager.
6. The Endpoint Protection client can be updated in the monthly patch cycle using SCCM endpoint definition updates.
7. Notifications about malware compliance of computers can be set via Configuration Manager.



How to set up and deploy System Center Endpoint Protection?



The SCCM 2012 site role responsible for the Endpoint Protection feature is the Endpoint Protection point. This role should be installed and configured on the central administration site or a standalone primary site. In addition, a software update point should be configured if you want to use Configuration Manager software updates to deliver definition and engine updates. With these prerequisites in place, create a client antimalware policy to manage the Endpoint Protection settings.



Deploying System Center Endpoint Protection takes a few steps, as described below.







Installation of Endpoint Protection Point configuration Manager Site role
Select Add new site role
Enter the name of the server where you want to install the EP role; this should be in a standalone primary site or the central administration site.
Ignore this check box and click Next if you are not synchronising information from the internet.
Select the role, Endpoint Protection Point.
Click OK.
Accept the license.
Select Basic Membership (it will send low-level information to Microsoft if any errors are found).

Click Next and Finish.
We are done with Endpoint protection point role installation.
EPsetup.log is the log used to verify the Endpoint Protection setup installation. If the installation succeeds, you should see a log entry like “Installation was successful”.
Thank you guys! Let me continue in Part 2; my next post covers the creation of new custom device and antimalware settings for Endpoint Protection.


Hi guys, I hope you have gone through Part 1, Installation of the Endpoint Protection Point Configuration Manager site role.

Right-click Client Settings > Create new custom device settings.
Select Endpoint Protection and click OK.
Now open the properties of the newly created client setting.
Select the Endpoint Protection tab and customise as below.
Click OK.
We have successfully created a new client setting for Endpoint Protection.
Now deploy the newly created client setting to the collection where we are going to push System Center Endpoint Protection.
Once it is deployed, you should be able to see System Center Endpoint Protection on the client machines that are part of the deployed collection.



Right-click Antimalware Policies, found in the Assets and Compliance tab, and create an antimalware policy.
Select all the settings and provide a name for the new settings.

Open the properties of the newly created setting and change the definition updates and scan settings as per your environment.
In Definition updates, click Set Source.
Select Updates distributed from Configuration Manager and click OK.



Now it's time to push updates for Endpoint Protection. Let us create an automatic deployment rule for installing Endpoint Protection updates on all necessary client machines. Before creating the automatic deployment rule, we have to make sure the definition update metadata is present in software updates. Otherwise, we have to follow the procedure below to sync WSUS against the Microsoft catalog.
Select Administration > Sites > Configure Site Component > Select Software Update Point

Check Definition updates in the Classification tab.

In the Product tab, select Forefront Endpoint Protection 2010.
Click OK.
Now go to Software Library -> Software Updates -> right-click All Software Updates -> click Synchronize software updates.
Check Wsyncmgr.log.
Make sure the definition update for Microsoft Endpoint Protection 2010 is available in software updates. Once the WSUS synchronisation completes, start creating the automatic deployment rule.



How to create an Automatic Deployment Rule in Configuration Manager 2012?

Select Software Library -> Software Updates -> right-click Automatic Deployment Rules -> Create Automatic Deployment Rule.

Name the rule and select the collection to which you are planning to push updates.
Select the option to automatically deploy all software updates found by this rule, and approve any license agreements.
Click Next
Select the property and search criteria as per your requirements.
Here, my intention is to deploy Forefront Endpoint Protection 2010 updates released in the last 1 month. So, set the corresponding property as highlighted in the figure below.


Select Run the Rule after any Software update point synchronization.
Click Next
Click Next and specify the schedule details for the deployment. Since this is a lab environment, I have selected As soon as possible.
Click Next
Select the necessary user notification as per your requirements, such as displaying in Software Center or hiding in Software Center.
If you want to suppress the reboot after the update installation for workstations and servers, check the appropriate boxes.
Click Next
You can skip the alert settings if you are not interested.
Click Next
Select create a new deployment package and specify the source path for the package.
Make sure the source folder is shared.
Click Next

Select the distribution point group or distribution point to distribute the package.
Click Next
Click Next
You should be able to see the green icon and the success message for the Automatic Deployment Rule creation wizard.
After creating the rule, select it and click Run Now.
After some time, you can see the reports in Monitoring -> Endpoint Protection Status -> System Center Endpoint Protection point.


Here we come to the end of "Endpoint Protection Configuration in SCCM".
Thanks Guys!

Why Create a Boundary?


A boundary is a network location on the intranet that contains the devices we plan to manage. A boundary cannot be used without a boundary group, which is simply a collection of boundaries. SCCM clients usually identify their assigned site and download location (distribution point) by using boundaries when automatic site assignment is enabled. Boundaries can be created using the options below.
  • Active Directory site
  • IP subnet
  • IPv6 Prefix
  • IP address range
An Active Directory site boundary is always the preferred choice; an IP address range boundary should be the last option, because the query used to find members of an IP range boundary always uses more memory than the other options.
From TechNet:
To support site assignment, you must configure the boundary group to specify an assigned site for clients to use during automatic site assignment. To support site system servers, you must specify one or more site systems. Prior to System Center 2012 Configuration Manager SP2, you can only specify site systems with the distribution point or state migration point site system role. With System Center 2012 Configuration Manager SP2 or later, you can also specify management points. Both the site assignment and site system server configurations are optional for boundary groups.
When you plan for boundary groups, consider creating one set of boundary groups to associate site system servers and a second set of boundary groups for automatic site assignment. This separation can help you avoid overlapping boundaries for site assignment. When you have overlapping boundaries and use automatic site assignment, the site to which a client is assigned might be unpredictable.
How to Create Boundary?

Select Administration -> Overview -> Boundaries
Select Create Boundary
Specify the type of boundary you are planning to create.
Here, I chose an Active Directory site boundary for my lab setup.

Browse to the AD site name and click OK.
Now we are done with boundary creation.
Next we will create a new boundary group and associate the newly created boundary with it.


How to Create Boundary Group?

Select Administration -> Boundary Groups -> Create Boundary Group

Provide a name for your boundary group and select the boundaries to add to it. For my lab setup, I have selected the AD site boundary. You must specify the boundary that you want to add to the boundary group.

Once the boundary is added, select the alternate tab, References.


Add the site systems (distribution point, management point, state migration point) that are associated with the boundary group you are creating.
Click OK. Now the boundary group is ready, with the site systems associated with it.
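
The overlapping-boundary problem described in the TechNet excerpt above can be checked offline before any boundaries are created. The following PowerShell is an added example, not part of the original post; the boundary names, ranges and site codes are constructed, and only IPv4 address range boundaries are handled.

```powershell
# Added example: flag overlapping IP address range boundaries before creating them.
# Constructed sample data: names, ranges and site codes are made up for illustration.
$boundaries = @(
    [pscustomobject]@{ Name = 'HQ-LAN';     Range = '10.10.0.1-10.10.3.254';  Site = 'PR1' }
    [pscustomobject]@{ Name = 'HQ-WiFi';    Range = '10.10.2.1-10.10.2.254';  Site = 'PR1' }
    [pscustomobject]@{ Name = 'Branch-A';   Range = '10.20.0.1-10.20.0.254';  Site = 'PR2' }
    [pscustomobject]@{ Name = 'Branch-VPN'; Range = '10.10.3.200-10.10.4.50'; Site = 'PR2' }
)

# Convert a dotted IPv4 address to a number so ranges can be compared (IPv4 only).
function ConvertTo-IPv4Number ([string]$Ip) {
    $n = [long]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    $n
}

# Split each "start-end" range into numeric low and high bounds.
$parsed = @(foreach ($entry in $boundaries) {
    $first, $last = $entry.Range -split '-'
    [pscustomobject]@{
        Name = $entry.Name
        Site = $entry.Site
        Low  = (ConvertTo-IPv4Number $first)
        High = (ConvertTo-IPv4Number $last)
    }
})

# Two ranges overlap when each one starts before the other ends.
function Find-BoundaryOverlap ([object[]]$Items) {
    for ($i = 0; $i -lt $Items.Count; $i++) {
        for ($j = $i + 1; $j -lt $Items.Count; $j++) {
            $a = $Items[$i]; $b = $Items[$j]
            if ($a.Low -le $b.High -and $b.Low -le $a.High) {
                [pscustomobject]@{
                    First    = $a.Name
                    Second   = $b.Name
                    Sites    = "$($a.Site)/$($b.Site)"
                    # Different assigned sites on overlapping ranges: assignment is unpredictable.
                    Conflict = ($a.Site -ne $b.Site)
                }
            }
        }
    }
}

Find-BoundaryOverlap $parsed | Sort-Object Conflict -Descending | Format-Table -AutoSize
```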

I hope you have gone through the previous post on Active Directory schema extension and publishing site information to AD.
Part - 4
Some Windows-specific roles and features need to be installed as prerequisites for SCCM 2012.
Roles necessary
  1. BITS (Background Intelligent Transfer Service) - BITS is a file transfer service used to transfer files from one machine to another. BITS uses optimized bandwidth to copy files, so you can use it to download large files without affecting other network applications. BITS transfers are more reliable when compared to other services.
From an SCCM perspective, BITS plays a major role when downloading applications from a BITS-enabled distribution point (pull DP), and software updates are downloaded from a BITS distribution point. During a client push or client installation, the client files are copied using BITS.


  2. Remote Differential Compression – RDC is a type of synchronization algorithm; in simple words, it allows applications to synchronize data between two machines in an effective way. RDC can synchronize data between any two or more computers across a network with a minimum amount of data transferred over the network.


  3. .NET Framework 3.5 and 4.5 – To support the SCCM application features.


Features
Common HTTP Features
  • Default Document
  • Static Content.
Application Development
  • ASP.NET 3.5
  • .NET Extensibility 3.5
  • ASP.NET 4.5
  • .NET Extensibility 4.5
  • ISAPI extensions
  • Security – Windows Authentication.
IIS 6 Management Compatibility
  • IIS Management Console
  • IIS 6 Metabase Compatibility
  • IIS 6 WMI Compatibility
  • IIS Management Scripts and Tools.
Select the Roles


Select the sub features
Add the features and click Next


Click Install


Close the window, once the installation succeeds
Note:
While enabling .NET Framework 3.5, you will be prompted to specify an alternate source path where the installation files are present. Navigate to the folder Sources\sxs, which is available on the drive where your server OS media is mounted.
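
The same roles and features can be audited and installed from an elevated PowerShell session instead of the wizard. This is an added example, not part of the original post; it assumes Windows Server 2012 or later, and the `D:` drive letter for the mounted OS media is an assumption to adjust.

```powershell
# Added example: audit, then install, the prerequisite roles and features listed above.
# Assumes Windows Server 2012 or later and an elevated PowerShell session.
param(
    # Assumption: D: is the drive where the server OS media is mounted.
    [string]$SxsSource = 'D:\Sources\SxS'
)
Import-Module ServerManager

# Get-WindowsFeature names mapped to the display names used on this page.
$required = [ordered]@{
    'BITS'                  = 'Background Intelligent Transfer Service'
    'RDC'                   = 'Remote Differential Compression'
    'NET-Framework-Core'    = '.NET Framework 3.5'
    'NET-Framework-45-Core' = '.NET Framework 4.5'
    'Web-Default-Doc'       = 'Default Document'
    'Web-Static-Content'    = 'Static Content'
    'Web-Asp-Net'           = 'ASP.NET 3.5'
    'Web-Net-Ext'           = '.NET Extensibility 3.5'
    'Web-Asp-Net45'         = 'ASP.NET 4.5'
    'Web-Net-Ext45'         = '.NET Extensibility 4.5'
    'Web-ISAPI-Ext'         = 'ISAPI Extensions'
    'Web-Windows-Auth'      = 'Windows Authentication'
    'Web-Mgmt-Console'      = 'IIS Management Console'
    'Web-Metabase'          = 'IIS 6 Metabase Compatibility'
    'Web-WMI'               = 'IIS 6 WMI Compatibility'
    'Web-Scripting-Tools'   = 'IIS Management Scripts and Tools'
}

$state   = @(Get-WindowsFeature -Name @($required.Keys))
$missing = @($state | Where-Object { -not $_.Installed } | ForEach-Object { $_.Name })
$unknown = @($required.Keys | Where-Object { $state.Name -notcontains $_ })

if ($unknown) { Write-Warning "Not offered by this OS version: $($unknown -join ', ')" }
if (-not $missing) { Write-Output 'All prerequisite features are already installed.'; return }

Write-Output "Missing: $(($missing | ForEach-Object { $required[$_] }) -join '; ')"

$params = @{ Name = $missing }
if ($missing -contains 'NET-Framework-Core') {
    # .NET 3.5 binaries are not on disk by default, so point at the media's SxS folder.
    if (-not (Test-Path $SxsSource)) { throw "Source path not found: $SxsSource" }
    $params.Source = $SxsSource
}

$result = Install-WindowsFeature @params
if (-not $result.Success) { throw 'Feature installation failed; see the errors above.' }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to finish.' }
```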


Installing Windows Automated Deployment Toolkit   
The Windows Automated Installation Kit (Windows AIK) is a set of tools that support the configuration and deployment of Windows operating systems. Advanced customization is not possible without installing this toolkit. WAIK 10 is the latest version and supports multiple Windows 10 image configurations and deployments. So installing the WAIK kit is one of the important prerequisites, and we will see the installation part below.




How to Install?
Just run adksetup. Click Yes or No based on your willingness to join the Customer Experience Program.


Accept the License




For a lab setup,
selecting Application Compatibility Toolkit, Deployment Tools and Windows Preinstallation Environment is enough.


Click install
You can see the installation progress window.


After the installation completes, close the window.


Now you are ready to go with the SCCM setup installation.

