How to / Nasıl yaparım:
Enabling the EP Role
To install and configure the Endpoint Protection Point Role for the Central Administration Site:
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration and click Servers and Site System Roles.
3. On the Home tab, double click Add Site System Roles. The Add Site System Roles Wizard opens.
5. On the General page, specify the general settings for the site system server and click Next.
6. On the System Role Selection page, select Endpoint Protection Point from the list of available roles, and then click Next.
7. On the Enrollment Proxy Point page, make sure the information is correct, and then click Next.
8. On the Specify Endpoint Protection License Page, accept the license and click Next.
License agreement is required to use System Center Endpoint Protection product.
9. On the Specify Microsoft Spynet membership type, choose membership type and click Next.
On this page, the Admin chooses his overall Spynet settings, which are applied to all out-of-box AM policies.
10. On the Confirm Settings page, click Next.
11. On the Completion Page, click Close.
Verify that the Endpoint Protection Point role has been added as a Site Server Role:
3. In the Dashboard area at the bottom, you should see the Endpoint Protection Point listed as one of the Site System Roles.
Enable EP Client
· Install SCEP on clients – Yes
· Remove previously installed antimalware software – Yes
· Suppress reboot is required after the client is installed – No
· Postpone restart no longer than “9 hours”
· Disable alternate sources – No
Enabling the System Center Endpoint Protection (SCEP) Client
2. Click on “Client Settings”.
3. On the Home tab, click on “Create Custom Client Device Settings”.
4. The “Custom Device Settings” property screen comes up.
5. Enter “Endpoint Protection Settings” as the Name.
6. Enter “Endpoint Client Protection Settings for the domain” as the Description.
7. Check the “Endpoint Protection” box.
8. Click on “Endpoint Protection”.
9. For “Manage Endpoint Protection client on client computers”, toggle this setting to “True”.
10. For “Install Endpoint Protection on clients”, verify this setting is set to “True”.
11. For “Automatically remove previously installed antimalware software before Endpoint Protection is installed”, verify this setting is set to “True”.
12. For “Suppress any required computer restarts after End Point client installed”, toggle this setting to “False”.
13. For “Allowed period of time users can postpone a required restart to complete the Endpoint Protection client is installed” change this setting to “9”.
14. For “Disable alternate sources”, toggle this setting to “False”.
15. Click on OK.
· In the Configuration Manager console, click Administration.
· Click on “Endpoint Client Protection Settings”.
· Right click on “Endpoint Protection Settings” and select Properties.
· Click on “Endpoint Protection” and verify your settings are there.
· Click OK to close.
Create a Custom AntiMalware Policy
When you enable Endpoint Protection, a default antimalware policy is applied to client computers and you can use additional policy templates that are supplied or create your own custom antimalware policies to customize the settings for your environment.
If you create a new antimalware policy for a collection, this antimalware policy overrides the default antimalware policy.
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, click Endpoint Protection, and then click Antimalware Policies.
3. On the Home tab, in the Create group, click Create Antimalware Policy.
4. In the General section of the Create Antimalware Policy dialog box, specify a name and description for the policy.
5. In the Create Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK.
6. Verify that the new antimalware policy displays in the Antimalware policies list.
3. In the Home tab, in the Create group, click Import.
4. In the Open dialog box, browse to the policy file that you want to import, and then click Open.
5. In the Create Antimalware Policy dialog box, review the settings to use, and then click OK.
3. In the Antimalware Policies list, select the antimalware policy that you want to deploy and then, on the Home tab, in the Deployment group, click Deploy. In the Select Collection dialog box, select the device collection that you want to deploy the antimalware policy to, and then click OK
Create ADR for Definitions
You can configure Configuration Manager software updates to deliver definition updates to client computers by configuring automatic deployment rules. Before you start, ensure that you have configured Configuration Manager software updates. For more information, see Software Updates in Configuration Manager.
1. In the Configuration Manager console, click Software Library.
2. In the Software Library workspace, expand Software Updates and then click Automatic Deployment Rules.
3. On the Home tab, in the Create group, click Create Automatic Deployment Rule.
4. On the General page of the Create Automatic Deployment Rule Wizard, specify the following information:
· Name: Specify a unique name “FEP Definition ADR” for the automatic deployment rule.
· Collection: Choose the collection of client computers that you want to deploy definition updates to.
Note You cannot deploy definition updates to a collection of users.
5. Select Add to an existing Software Update Group.
6. Select Enable the deployment after this rule is run, and then click Next.
7. On the Deployment Settings page of the wizard, from the Detail level drop-down list, select Minimal, and then click Next.
Choose Minimal to reduce the number of state messages returned by definition deployment. This configuration helps to reduce the CPU processing usage on the Configuration Manager servers.
8. On the Software Updates page of the wizard, select “Update Classification” and “Product” from the Property filters list.
9. In the Search criteria list, click on Product and select <Forefront Endpoint Protecti\on 2010>, and then Okay, for <Update Classification> from the “items to find” drop-down list select “<Definition Updates>” and <Updates> Click Next.
10. On the Evaluation Schedule page of the wizard, select Enable rule to run on a schedule and then configure the schedule at which definition updates will be downloaded. Set the rule to run every 8 hours after each software update point synchronization. Click OK and then Click NEXT.
11. On the Deployment Schedule page of the wizard, configure the following settings:
· Time based on: Select UTC if you want all clients in the hierarchy to install the latest definitions at the same time. This setting is a recommended best practice.
· Specific time: Specify the time for the automatic deployment rule to run. You must allow a minimum of 1 hour to ensure that content for the deployment has time to reach distribution points in your hierarchy. Some definition updates might also include antimalware engine updates, which might take longer to reach distribution points.
· Installation deadline – Select As soon as possible.
Software update deadlines are randomized over a 2 hour period to prevent all clients from requesting an update at the same time.
12. Click Next.
Software updates that have been deployed by using an automatic deployment rule are automatically deployed to new clients added to the target collection.
Deployments can be enabled or disabled at any time for the automatic deployment rule.
13. On the User Experience page of the wizard, select Hide in Software Center and all notifications from the User notifications drop-down list to ensure that definition updates install silently. Click Next.
14. On the Alert page, accept the defaults. Click Next.
15. On the Download Settings page, accept the defaults. Click Next.
You have to create a share on a machine for the package to be downloaded to.
16. On the Deployment Package page, select “Create a new deployment package”.
- Name enter “ SCEP Definitions”
- Description – enter “Deployment Package for SCEP Definitions
17. Browse to the share that you created to hold the package. Click Next.
18. On the “Distribution Points” page, click on Add.
19. On the “Add Distribution Points” page, check the Distribution Point that you will use. Click OK. Click Next.
20. On the ”Download Location” page, click Next.
21. On the “Language Selection” page, uncheck everything except “English”. Click Next.
22. On “Confirm the settings” page, click Next.
23. On the “Completion” page, click Close.