Administering System Center

2012 R2 Configuration Manager

Module 7 Implementing Endpoint Protection by Using SC 2012 CM

Student Lab Manual
1 8. 0 8. 2 0 1 5

Contents
Lab: Implementing Endpoint Protection ....................................................................................................................... 3
Exercise 1: Configuring the Endpoint Protection Point and Client Settings ........................................................ 3
Task 1: Pr epa r ing the Site for Endpoint Pr otection Definitions Upda te .......................................... 3
Task 2: Add Endpoint Pr otection Point ...................................................................................................... 6
Task 3: Configure Client Settings ........................................................................................................................ 10
Task 4: Install Endpoint Protection on the client machine ................................................................................... 12
Exercise 2: Configuring and Deploying Endpoint Protection Policies ................................................................ 17
Task 1: Cr ea te Antim a lwar e Policy for server s ...................................................................................... 17
Task 2: Cr ea te Antim a lwar e Policy for wor ksta tions ........................................................................... 22
Task 3: Deploy Antima lwar e Policy to collections ................................................................................ 25
Task 4: Cr ea te AD R for Endpoint Pr otection Definitions .................................................................... 27
Task 5: For ce the Endpoint Pr otection policy on client com puter .................................................. 37
Task 6 : Endpoint Pr otection in Action .................................................................................................... 45
Task 7 : Cr ea te a nd Deploy W indows Fir ewa ll Policy ........................................................................... 47
Exercise 3: Monitoring Endpoint Protection ...................................................................................................... 53
Task 1: C onfig ur e Aler t on W or ksta tions C ollection ............................................................................ 53
Task 2: M onitor ing Endpoint Pr otection ................................................................................................. 58

Module 7 Implementing Endpoint Protection by Using

System Center 2012 R2 Configuration Manager
________________________________________________
Student Lab Manual

Virtual Machines
na-dc-01
na-sccm-01
na-cli-01

Domain Controller
Configuration Manager
server
Client Computer

Domain Info
Domain name
Credentials

dnosi.cv
Administrator / Pa$$w0rd

System Administration
Ernndia Lima

Lab: Implementing Endpoint Protection

Exercise 1: Configuring the Endpoint Protection Point and Client Settings
Task 1: Preparing the Site for Endpoint Protection Definitions Update

1. On the configuration manager server na-sccm-01 login with dnosi\administrator /

Pa$$w0rd

2. On the Configuration Manager server,na-sccm-01, right click on Start and click Search

3. Type Configuration Manager and click on Configuration Manager Console

4. On the Configuration Manager Console, click Administration workspace, expand Site

Configuration and click Sites. Select NAC-NOSi Academy and in the ribbon click
Settings, Configure Site Components and then Software Update Point

5. Click Products tab and select Forefront Endpoint Protection 2010. Click OK.

6. Navigate to Software Library, expand Software Updates, right click on All Software
Updates and select Synchronize Software Updates

7. Click Yes

Task 2: Add Endpoint Protection Point

1. On the SCCM Console, click in Administration workspace, expand Site Configuration

and click Servers and Site System Roles

2. Click Next

3. Accept the Default and click Next

4. Select Endpoint Protection point and click Next

Note: Click Yes in the Warning message

5. Accept the license agreement and click Next

6. Click Next

7. Click Next

8. Click Close

Task 3: Configure Client Settings

1. On the SCCM Console, click in Administration workspace, click Client Settings. Ritgh
click on NOSiAcademy Client Device Settings and click Properties

2. Select Endpoint Protection

3. On the left hand click Endpoint Protection and configure the settings like show the
picture bellow anc click OK.

Task 4: Install Endpoint Protection on the client machine

1. Logon on the na-cli-01 with dnosi\administrator and Pa$$w0rd

2. From Desktop rithg click Start and select Control Panel

3. Click Configuration Manager

4. Click Actions tab and select Machine Policy Retrieval & Evaluation Cycle and then
click Run Now. Click OK

5. From Desktop rithg click Start and select Control Panel

6. Type Endpoint Protection and click System Center Endpoint Protection

Note: If the System Center Endpoint Protection icon doesnt appear in the first time,
type multiple times antil appear.

7. There is the first look of the Endpoint Protetion when installed

Exercise 2: Configuring and Deploying Endpoint Protection Policies

Task 1: Create Antimalware Policy for servers

1. On the SCCM console, click Assets and Compliance, expand Endpoint Protection and
right click on Antimalware Policies, select Create Antimalware Policy

2. In the field Name type NOSiAcademy Servers Antimalware Policy and select ALL
options

3. Click Scheduled Scans and complete the following information:

a. Scan type: Full Scan
b. Scan day: Thursday

c. Scan time: 10:00PM

d. Run a daily quick scan on client computers: Yes
e. Daily quick schedule time: 9:00PM
f. Check for the latest definition updates before running a scan: Yes
g. Start a schedule scan only when the computer is idle: No

4. Click Scan settings and complete the following information:

a. Scan removable storage devices such as USB drive: Yes
b. Scan network drives when running a full scan: Yes
c. Allow Users to configure CPU usage during scans: Yes
d. User Control of scheduled scans: Full Control

5. Click Default actions and complete the following information:

a. Severe: Recommended
b. High: Recommended
c. Medium: Remove
d. Low: Quarantine

6. Click Real-time protection, and select Yes near to Allow users on client computers to
configure real-time protection settings

7. Click Exclusion settings, click Set near to Excluded files and folders

8. Click OK

9. Click Set near to Excluded file types

10. Type .bat and click Add. Type .bak and click Add. Click OK.

11.Click Advanced and complete the following information:

a. Show notification messages on the client computer when the user need to run a
full scan, updates definitions or run windows defender offline: Yes
b. Allow users to configure the settings for quarantined file deletion: Yes
c. Allow users to exclude files and folders, file types and processes: Yes
d. Allow all users to view the full History results: Yes
e. Enable reparse point scanning: Yes
f. Randomize scheduled scan and definition update start times: Yes

12. Click Definition updates and accept the default and click OK

Task 2: Create Antimalware Policy for workstations

1. On the SCCM console, click Assets and Compliance, expand Endpoint Protection and
right click on Antimalware Policies, select Create Antimalware Policy

2. In the field Name type NOSiAcademy Workstations Antimalware Policy and select
ALL options

3. Click Scheduled Scans and complete the following information:

a. Scan type: Full Scan
b. Scan day: Thursday
c. Scan time: 12:00PM
d. Run a daily quick scan on client computers: Yes
e. Daily quick schedule time: 12:00PM
f. Check for the latest definition updates before running a scan: Yes
g. Start a schedule scan only when the computer is idle: No

h. Limit CPU usage during scans (%): 30

4. Click Scan settings and complete the following information:

a. Scan email and email attachments: Yes
b. Scan removable storage devices such as USB drive: Yes
e. Scan network drives when running a full scan: Yes

5. Click Default actions and complete the following information:

a. Severe: Recommended
b. High: Recommended
c. Medium: Remove
d. Low: Quarantine

6. Click Definition updates change the Check for Endpoint Protection definitions daily
at: option to 12:00PM. Click OK.

Task 3: Deploy Antimalware Policy to collections

1. On the SCCM console, click Assets and Compliance, expand Endpoint Protection and
click on Antimalware Policies. Right click on NOSiAcademy Servers Antimalware
Policy and click Deploy

2. Select Servers Collection and click OK

3. Right click on NOSiAcademy Workstations Antimalware Policy and click Deploy

4. Select Workstations Collection and click OK

Task 4: Create ADR for Endpoint Protection Definitions

1. On the Configuration Manager Console, click Software Library, expand Software

Updates, right click Automatic Deployment Rules and select Create Automatic
Deployment Rule

2. Type Endpoint Protection Definition Updates in the Name dialog box. Near the
Collection click Browse and select All Systems and click OK and then Next.

3. Accept Default values and click Next

4. Select Product and Update Classification

5. Click <items to find> near Product and select Forefront Endpoint Protection 2010 and
click OK

6. Click <items to find> near Product Classification and select Definition Updates and
click OK

7. Click Next

8. Click Run the rule on a schedule and click Customize. Click Custom Interval and select
8 Hours on the Recur every dialog box. Click OK and then Next.

9. Select As soon as possible in the Installation Deadline and click Next

10.In the User notifications select Display in Software Center and show all notifications.
In the Deadline behavior select Software Installation and click Next

11.Accept default and click Next

12.In the Deployment options select Download software updates from distribution
point and install and click Next

13.Select Create a new deployment package and type Endpoint Protection Definition
Updates in the name field. In the Package Source type \\na-sccm01\SourceUpdates\EndpointProtection and click Next

14.Click Add and then Distribution Point. Select na-sccm-01.dnosi.cv and click OK

15.Click Next

16.Click Next

17.Click Next

18.Click Next

19.Click Close

20.Click Software Library workspace, click Automatic Deployment Rule and right click on
Endpoint Protection Definition Updates and select Run Now

21.Click OK

Task 5: Force the Endpoint Protection policy on client computer

1. Logon on the na-cli-01 with dnosi\administrator and Pa$$w0rd

2. From Desktop rithg click Start and select Control Panel

3. Click Configuration Manager

4. Click Actions tab and select Machine Policy Retrieval & Evaluation Cycle and then
click Run Now. Click OK twice

5. Click Actions tab and select Software Updates Scan Cycle and then click Run Now.
Click OK twice

6. Click Actions tab and select Software Updates Deployment Evaluation Cycle and then
click Run Now. Click OK twice

7. From Desktop rithg click Start and select Control Panel

8. Type Endpoint Protection and click System Center Endpoint Protection

9. This is the first look of System Center Endpoint Protection

10.From Desktop rithg click Start and select Search

11.Type Software Center anc click Software Center icon

12.Review the endpoint protection definition updates and select all and click Install
Selected

13.Open System Center Endpoint Protection again and notice that is now up-to-date.

14.Click Settings.
Note: All options that we configure in the EP antimalware workstation policy are
displayed in this section.

Task 6 : Endpoint Protection in Action

1. From the client machine na-cli-01, navigate to C:\Files

2. Double click on sample_virus to open it

3. Remove <remove> entry in the begin and in the end of the first line

4. Close the file and click Yes to save the file

5. On the System Center Endpoint Protection, make sure Quick is selected in the Home
page and click Scan now

6. Click Malware Detected

7. Click History, select All Detected Items and then click View Details
Note: Notice that the antimalware was Removed (Action taken)

Task 7 : Create and Deploy Windows Firewall Policy

1. On the SCCM console, click Assets and Compliance, expand Endpoint Protection and
click on Windows Firewall Policies, in the ribbon click Create Windows Firewall Policy

2. Type in the Name box: NOSiAcademy Windows Firewall Policy and click Next

3. Select Yes in the Enable Windows Firewall - Domain Profile and Notify the user
when Windows Firewall blocks a new programs Domain profile

4. Click Next

5. Click Close

6. Right click on the NOSiAcademy Windows Firewall Policy and click Deploy

7. Click Browse and select Workstations Collection and click OK twice.

Exercise 3: Monitoring Endpoint Protection

Task 1: Configure Alert on Workstations Collection

1. On the SCCM console, click Assets and Compliance, click Device Collections and right
click on Workstations Collection and select Properties

2. Select View this collection in the Endpoint Protection dashboard and click Add

3. Select all four options under Endpoint Protection and click OK

4. Select Malware outbreak and change the value to 5 near to Percentage of computers
with malware detected

5. Select Repeated malware detection and change the value to 24 near to Interval of
detection (hours)

6. Select Multiple malware detection and change the value to 4 near to Interval of
detection (hours)

7. Click Monitoring workspace, expand Alerts and click All Alerts

Note: All Alerts about Endpoint Protection are listed in this section.

Task 2: Monitoring Endpoint Protection

1. On the SCCM console, click Monitoring workspace, expand Endpoint Protection

Status and click System Center 2012 R2 Endpoint Protection
Note: Review the Status of the machines in the Server Collections

2. Near to Collection select Workstations collection

Note: Review the Status of the machines in the Workstations Collection

3. Click Malware Detected

Note: In this section is listed all malware that was detected by Endpoint Protection

4. Expand Reporting, click Reports and type endpoint protection on the Search box and
click Search

5. Right click Antimalware activity report and click Run

6. On the Collection Name click Values and select Workstations Collection. Click OK.

7. Click View Report

8. Scroll down and up to explore the report information