Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager

Transcription

1 Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager

2 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication and is subject to change at any time without notice to you. This document and its contents are provided AS IS without warranty of any kind, and should not be interpreted as an offer or commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. The descriptions of other companies products in this proposal, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers. This deliverable is provided, AS IS without warranty of any kind and MICROSOFT MAKES NO WARRANTIES, EXPRES OR IMPLIED, OR OTHERWISE. All trademarks are the property of their respective companies. Printed in the United States of America 2007 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of the actual companies and products mentioned herein may be the trademarks of their respective owners.

3 Objectives Prerequisites Estimated Time to Complete This Lab Computers used in this Lab After completing this lab, you will be able to: Configure Endpoint Protection in a Configuration Manager 2012 R2 environment Create and deploy Endpoint Protection policies Clean a malware infection Report status on Endpoint Protection Implement real-time actions in Configuration Manager 2012 R2 to quickly respond to client issues This lab requires an installed and functioning Configuration Manager 2012 R2 site server (Primary1 is the site server virtual machine image). This lab also requires at least one Configuration Manager 2012 R2 client (Client1 is the client computer in addition to the site server virtual machine being installed as a client). 75 Minutes Primary1 Client1 The password for the administrator account on all computers in this lab is: password. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 1

4 1 ENABLING ENDPOINT PROTECTION IN CONFIGURATION MANAGER 2012 R2 In this exercise, you will configure Configuration Manager 2012 R2 to support System Center 2012 R2 Endpoint Protection. This feature is included in Configuration Manager 2012 R2 and provides security in addition to the normal software update management feature within Configuration Manager, providing enhanced security for the environment for monitoring and managing virus and malware protection features. You will begin by configuring the location for clients to download Endpoint Protection definition updates to use a network location instead of WSUS or Microsoft Update. Complete the following task on: Primary1 1. Start the Configuration Manager 2012 R2 console 2. Configure the default malware policy for definition location 1. On the Start menu, click Configuration Manager Console. NOTE: The System Center 2012 R2 Configuration Manager console window appears displaying the Assets and Compliance Overview page. 1. In the navigation pane, expand Endpoint Protection, and then click Antimalware Policies. NOTE: The list of antimalware policies appear in the results pane. Notice that the only policy is "Default Client Malware Policy", which by default applies to all clients. In the lab environment, you will configure the location for the client to acquire malware definitions to use a UNC path, as no Internet access is available in the lab environment, and no definitions have been imported into WSUS. This is necessary to provide a location for definitions for the site server after the Endpoint Protection point site system role is enabled later in this exercise, which installs the Endpoint Protection client agent on the site system. 2. In the results pane, click Default Client Malware Policy, and then on the Ribbon, click Properties. NOTE: The Default Antimalware Policy dialog box appears displaying the available default client malware settings. 3. In the navigation pane, click Definition updates. NOTE: The Default Antimalware Policy dialog box appears displaying the configurable settings for antimalware definition configuration appears in the results pane. 4. After Set sources and order for Endpoint Protection definition updates, click Set Source. NOTE: The Configure Definition Update Sources dialog box appears allowing you to configure the location(s) that clients can use to download Endpoint Protection definition updates. Notice that by default, the client will first check for definitions from Configuration Manager, then WSUS, then Microsoft Update, and finally the Microsoft Malware Protection Center for updated definitions. Notice also that access to definitions from a network path is not enabled. You can change the order of preference for definition download location by selecting the location, and clicking Up or Down as appropriate. 5. Click to clear Updates distributed from WSUS, Updates distributed from Microsoft Update, and Updates distributed from Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 2

5 Microsoft Malware Protection Center as the lab environment does not have access to the Internet, and update definitions have not been imported into the WSUS installation in the lab environment. NOTE: It is OK to leave the selection for downloading definitions from Configuration Manager. This will be useful for the client to get definition updates from a Configuration Manager distribution point when you have it integrated with the software updates feature of Configuration Manager. 6. Click to select Updates from UNC file shares, and then click OK. NOTE: The Default Antimalware Policy dialog box appears displaying the available definition update settings. Notice that the "Set sources and order for Endpoint Protection definition updates" setting now displays "2 sources selected". You now need to specify the UNC path to access update definitions from. Notice also that the default is that there is no UNC location specified. 7. After If UNC file shares are selected as a definition update source, specify the UNC paths, click Set Paths. NOTE: The Configure Definition Update UNC Paths dialog box appears allowing you to configure the UNC location(s) that clients can use to download Endpoint Protection definition updates. Notice that by default, no locations are specified. 8. In the UNC path box, type \\Primary1\EPOld and then click Add. NOTE: The Configure Definition Update UNC Paths dialog box appears displaying the UNC path for definition download. You can add multiple paths as necessary, however in the lab environment, we only need one path. 9. Click OK. NOTE: The Default Antimalware Policy dialog box appears displaying the available definition update settings. Notice that the "Set sources and order for Endpoint Protection definition updates" setting now displays "2 sources selected", and that a UNC path is now specified. 10. Click OK. NOTE: The list of malware policies appear in the results pane. As you modified the "Default Client Malware Policy", that is the only policy that appears. This will be used by all clients, unless overridden by a custom policy, which you will create later in this lab. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 3

6 In the following procedure, you will enable the Endpoint Protection point site system role. You will then view log files and status messages related to the deployment of the Endpoint Protection point site system role to verify its installation. You will also view the Endpoint Protection status on the site system role using the System Center 2012 R2 Endpoint Protection client. Complete the following task on: Primary1 1. Configure an Endpoint Protection point site system role 1. Click the Administration workspace. Note: The System Center 2012 R2 Configuration Manager console displays the Administration workspace Overview page. 2. In the navigation pane, expand Site Configuration, and then click Sites. Note: The list of sites appears in the results pane. Notice that there is only one site available, that being the local site (MCM). 3. In the navigation pane, click Servers and Site System Roles. Note: The list of site systems appear in the results pane, with the installed roles for the selected site system displayed in the preview pane. Notice that the site only has one site system (Primary1), and that this site system does not have the "Endpoint Protection point" site system role installed. The Endpoint Protection point site system role does not really do anything, so it is fine to have co-located on the site server. We'll use a single server to host all roles to reduce the number of images that need to be started at one time. 4. On the Home tab of the Ribbon, click Add Site System Roles. Note: The Add Site System Roles Wizard General dialog box appears. Notice that the FQDN of the site server is displayed. This information was collected during Configuration Manger Setup as part of the prerequisite check for the site server. 5. Click Next to accept the default configuration of the account to use, to not require site server initiated connections, and to not publish an Internet FQDN. Note: The Add Site System Roles Wizard Proxy dialog box appears allowing you to configure a proxy if the site system role requires one to access the Internet. In your production environment, you may need to configure a proxy server and account to access the Internet. However in our lab environment, this is not necessary. 6. Click Next to not configure proxy settings. Note: The Add Site System Roles Wizard System Role Selection dialog box appears displaying the list of site system roles that can be assigned to this computer. Notice that "Endpoint Protection point" appears as an available site system role for this site system. 7. Under Available roles, click to select Endpoint Protection point. Note: A Configuration Manager message box appears indicating that Endpoint Protection is configured to use Configuration Manager's software update management feature to access definition files from. It also states that if the configuration of using Configuration Manager as a definition source is enabled, you should configure a software update point. 8. Click OK, and then click Next. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 4

7 2. View the Endpoint Protection point installation log file 3. View the Endpoint Protection point status NOTE: The Add Site System Roles Wizard Endpoint Protection dialog box appears displaying the license terms for Endpoint Protection. System Center 2012 Endpoint Protection has specific licensing requirements in addition to the standard System Center 2012 Configuration Manager license requirements. You are only allowed to enable Endpoint protection in environments where the Endpoint Protection license has been acquired. 9. Click to select I accept the Endpoint Protection license terms, and then click Next. NOTE: The Add Site System Roles Wizard Microsoft Active Protection Service dialog box appears allowing you to configure the options for Microsoft Active Protection Service. If enabled, Microsoft Active Protection Service will collect, and send to Microsoft, information about installed applications, which may then be used to help create definitions for application software. As you are in a virtual environment, without Internet access, there is no need to enable this feature. Notice that if desired, you can choose either a basic or advanced membership in Microsoft Active Protection Service. In a production environment, it is recommended to join the Microsoft Active Protection Service. 10. Click Next to accept the default to join MAPS with a basic membership. Note: The Add Site System Roles Wizard Summary dialog box appears indicating that you have successfully completed the wizard and are ready to install this site system role. 11. Click Next. Note: The Add Site System Roles Wizard Completion dialog box appears indicating that the wizard completed successfully. 12. Click Close. Note: The System Center 2012 R2 Configuration Manager console window appears displaying the site systems and installed roles for the site. Notice that you did not create a new site system for this role and still only have the site server as a site system in the site. It will take a moment for the "Endpoint Protection point" site system role to be installed, though it is displayed in the list of site system roles immediately. You may need to refresh the list of site system roles on the site system to view the Endpoint Protection point site system role. 1. Open C:\Program Files\Microsoft Configuration Manager\Log s\ EPSetup.log. NOTE: Notepad appears displaying the contents of the Configuration Manager Endpoint Protection point site system role installation log. Notice that the log indicates that the required OS version was detected, and that the installation was successful. 2. Close Notepad. Note: The System Center 2012 R2 Configuration Manager console window appears displaying the Administration workspace and the list of site systems and installed roles. 1. Click the Monitoring workspace. Note: The Monitoring workspace appears displaying the Overview page. 2. In the navigation pane, expand System Status, and then click Site Status. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 5

8 messages 4. View the Endpoint Protection status using the Microsoft Forefront Endpoint Protection client NOTE: The list of Configuration Manager 2012 site systems and their installed roles appears in the results pane. Notice that the Endpoint Protection point appears in the list with a status of OK. 3. In the navigation pane, click Component Status. NOTE: The list of Configuration Manager 2012 components and their current status appears in the results pane. 4. In the results pane, click SMS_ENDPOINT_PROTECTION_MANAGER, and then on the Ribbon, click Show Messages. NOTE: A new menu appears allowing you to specify the type of messages to display. 5. Click All. NOTE: The Status Messages: Set Viewing Period dialog box appears prompting for the age of status messages to display. 6. Click OK to view messages for the past 24 hours. NOTE: The Configuration Manager Status Message Viewer for <MCM> window appears displaying the status messages for the SMS_ENDPOINT_PROTECTION_MANAGER component for the most recent 24 hours. Notice a message with an ID of 500. This message indicates that the component was started. 7. Close the Configuration Manager Status Message Viewer for <MCM> window. NOTE: The list of Configuration Manager 2012 R2 components and their current status appears in the results pane. 1. On the Start menu, click System Center Endpoint Protection. NOTE: The System Center Endpoint Protection window appears. Notice that the status is "Computer status - At risk", which indicates that the computer is not fully protected at this point. Notice also that "Real time protection" is currently listed as "Disabled", that "Virus and spyware definitions" has a status of "Out of date", and that no scan schedule has been defined. You will resolve all of these issues with Configuration Manager 2012 and its integration with Endpoint Protection. 2. Close the System Center Endpoint Protection window. NOTE: The System Center 2012 R2 Configuration Manager console window appears displaying the components and their current status in the Monitoring workspace. In the following procedure, you will enable the Endpoint Protection client, which will allow scanning for malware and viruses on client computers. The Endpoint Protection client agent is disabled by default, and can only be enabled after the "Endpoint Protection point site system role" has been installed. Complete the following task on: Primary1 1. Enable the Endpoint 1. Click the Administration workspace. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 6

9 Protection client NOTE: The Administration workspace appears displaying the list of site systems in the results pane, and the appropriate site system roles for the site system in the preview pane. Notice that the "Endpoint Protection point" site system role is listed as a role on the only site system in our site - "Primary1". 2. In the navigation pane, click Client Settings. NOTE: The list of client settings appears in the results pane. Notice that the only client setting is "Default Client Settings", which by default applies to all clients. In the lab environment, you will enable the Endpoint Protection client agent in the default client settings to allow scan and data from all clients. However, in your production environment, you could create a custom client setting for devices, enable Endpoint Protection, and then assign the custom client setting to a collection of systems if the agent is not to be installed on all clients managed by Configuration Manager, or you want to perform additional testing in production on a limited set of clients before enabling for all clients. 3. In the results pane, click Default Client Settings, and then on the Ribbon, click Properties. NOTE: The Default Settings dialog box appears displaying the available client settings. 4. In the navigation pane, click Endpoint Protection. NOTE: The configurable settings for Endpoint Protection appear in the results pane. Notice that by default, the Endpoint Protection client is not installed on clients. 5. In the Manage Endpoint Protection client on client computers box, click Yes. NOTE: Additional settings for Endpoint Protection become available for configuration once managing the Endpoint Protection client has been enabled. For the lab environment, you would also need to configure the last setting to allow download of the initial definition from the UNC path. Notice that the "Install Endpoint Protection client on client computers" is enabled. This will install the Endpoint Protection client agent on clients after the next system policy retrieval and evaluation cycle. 6. In the Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition updates on client computers box, click No, and then click OK. NOTE: The list of client settings appears in the results pane. As you modified the "Default Client Settings", that is the only setting that appears. This setting, which will enable and configure the Endpoint Protection client, will be implemented on clients at their next system policy retrieval and evaluation cycle. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 7

10 In the following exercise, you will force the clients to retrieve policies. This will cause the clients to install the Endpoint Protection client agent. For this policy retrieval process, you will use the traditional method of forcing policy retrieval from the client itself. Configuration Manager 2012 R2 includes the ability to force policy retrieval from the Configuration Manager Console through real-time actions. You will use that method later in this lab. Complete the following task on: Client1 and Primary1 1. Install the Endpoint Protection Client Agent 2. Verify the current status of the Microsoft Forefront Endpoint Protection client 1. In Control Panel, click System and Security, and then start Configuration Manager. NOTE: The Configuration Manager Properties dialog box appears. 2. Click the Actions tab. NOTE: The Configuration Manager Properties dialog box displays the available actions for the client. After Endpoint Protection has been enabled as part of the Default Client Settings, or a custom client setting, you need to retrieve policies to install Endpoint Protection on clients. 3. Click Machine Policy Retrieval & Evaluation Cycle, and then click Run Now. NOTE: The Configuration Manager client will request new policies, which will include the policy related to the Endpoint Protection agent installation. A Machine Policy Retrieval & Evaluation Cycle message box appears indicating the action was initiated, and may take several minutes to complete. 4. Click OK. NOTE: The Configuration Manager Properties dialog box appears. It will take a couple of minutes to install Endpoint Protection agent. 5. Click OK. NOTE: The System Center 2012 R2 Endpoint Protection agent is installed on the client computer. It will take a moment for the agent to install. The installation occurs locally, as the Endpoint Protection client agent installation program was previously downloaded to the computer during the installation of the Configuration Manager client. 1. On the Start menu, click System Center Endpoint Protection. NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which is "Protected". Notice that "Real-time protection" is now set to "On" - recall previously when you viewed this on the site server it was set to "Off". Also notice that the "Virus and spyware definitions" status is listed as being old (created x number of days ago). Finally notice that under "Scan details", it indicates that the schedule for quick scans is weekly, on Saturday, around 2:00pm, and that no scan has been performed yet. You will set a unique schedule in the next exercise to validate that a custom policy overrides the default policy, as well as initiate a scan using a newer definition. If your client is not protected yet, you will perform an additional update in the next exercise that will implement a new policy on the client computer that will complete the installation of a newer definition policy and protect the client. 2. Close the System Center Endpoint Protection window. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 8

11 2 UPDATING THE ENDPOINT PROTECTION STATUS ON THE CONFIGURATION MANAGER 2012 R2 CLIENT In this exercise, you will implement a custom antimalware policy to point to a newer definition update than the client was installed with. You will force a download of the newer definition file, and then will force a scan of the client to get current status from the client computer both of these actions through the real-time actions feature of Configuration Manager 2012 R2. Complete the following task on: Primary1 1. Create a custom malware policy with a different definition download location 1. Click the Assets and Compliance workspace. NOTE: The Assets and Compliance workspace appears displaying the list of antimalware settings appear in the results pane. Notice that the only setting is "Default Client Malware Policy", which applies to all clients, unless overridden by a custom client antimalware policy. In the previous exercise, you configured the "Default Client Malware Policy" to specify a specific network location to download the initial malware definition from. You will now create a custom malware policy that specifies a different location from which to download an updated malware definition policy. 2. On the Ribbon, click Create Antimalware Policy. NOTE: The Create Antimalware Policy dialog box appears allowing you to configure a custom policy. 3. In the Name box, type Custom policy and then in the Description box, type Sets a new definition source location and scan schedule 4. In the list of settings in the results pane, click to select Scheduled scans and then click to select Definition updates. NOTE: The selected nodes appear in the navigation pane. 5. In the navigation pane, click Scheduled scans. NOTE: The Create Antimalware Policy dialog box appears allowing you to configure the scan schedule settings. 6. In the Scan day box, click Daily. 7. In the Scan time box, click 12 AM. NOTE: Neither of these settings are required for the lab environment. You are configuring them to allow additional settings for visual confirmation of the implementation of the custom policy. 8. In the navigation pane, click Definition updates. NOTE: The Create Antimalware Policy dialog box displays the current client update settings. Notice that the current settings are from the "Default Client Malware Settings" policy as previously configured, including the definition download from UNC path(s). You want to continue to use UNC locations, however want to specify a different path to use for updated definition files. 9. After If UNC file shares are selected as a definition update source, specify the UNC paths, click Set Paths. NOTE: The Configure Definition Update UNC Paths dialog box appears Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 9

12 allowing you to configure the UNC location(s) that clients can use to download Endpoint Protection definition updates. Notice that currently, the "\\Primary1\EPOld" path is specified. This is where the old definition was stored. The newer definition file is in a different location. 10. In the UNC path box, type \\Primary1\EPNew and then click Add. NOTE: The Configure Definition Update UNC Paths dialog box appears displaying both UNC paths for definition download. The client will check both paths, however in the lab environment, you will remove the old path and only have the client check the new path. 11. Under Name, click \\Primary1\EPOld, and then click Remove. NOTE: The Configure Definition Update UNC Paths dialog box appears displaying the new UNC paths for definition download. 12. Click OK. NOTE: The Create Antimalware Policy dialog box appears displaying the available policy settings. 13. Click OK. NOTE: The list of antimalware policies appear in the results pane. You have now created a custom policy that appears in addition to the default policy. Custom policies are implemented on clients after being deployed to collections of client computers, which you will do next. 14. In the results pane, click Custom policy, and then on the Ribbon, click Deploy. NOTE: The Select Collection dialog box appears displaying the available device collections that the custom policy can be assigned to. 15. Under Name, click Configuration Manager Clients, and then click OK. NOTE: The list of antimalware policies appear in the results pane. Notice that the custom policy is displayed as having been deployed to one collection. Your custom policy will now be implemented on the clients in the target collection when they next implement system policies. You will force that to occur in the next procedure. In the following procedure, you will force the clients to retrieve policies using the new real-time action. This will cause the clients to implement the custom malware policy settings for Endpoint Protection. If you prefer, you certainly can use the traditional method of forcing policy polling, however the lab directions are for the new real-time action. Complete the following task on: Primary1 1. Update the Endpoint Protection client settings through realtime actions 1. In the navigation pane, click Device Collections. NOTE: The list of collections for the site appears in the results pane. Notice that there are six collections available, including the one you just deployed the custom antimalware policy to. 2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Client Notification. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 10

13 2. View the updated Endpoint Protection client configuration NOTE: A new menu appears with two options Download Computer Policy and Download User Policy. The first action will force a Machine Policy Retrieval & Evaluation Cycle to occur on all online clients in the target collection. This is essentially the same process you implemented earlier at the two clients to force the installation of the System Center 2012 R2 Endpoint Protection client agent. 3. Click Download Computer Policy. NOTE: A Configuration Manager message box appears indicating that there are three clients in the target collection, and that the update computer policy action will be implemented as soon as possible. 4. Click OK. NOTE: The action has been implemented, and within moments the clients will have downloaded the new computer policy that dictates a new scan schedule and definition source update. You will view the updated configuration in the next task. 1. On the Start menu, click System Center Endpoint Protection. NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client. Notice that under "Scan details", it indicates that the scan schedule is now for daily quick scans, around midnight. You will recall that after agent installation, it was a weekly scan around 2:00am. This process has not initiated a definition update cycle which occurs automatically every eight hours. You will force it to occur in the next procedure. If your scan schedule has not changed to daily at midnight, it likely means that you downloaded policies prior to the site server having completed the policy process. Initiate another policy retrieval action, wait a moment, and check again. 2. Close the System Center Endpoint Protection window. In the following procedure, you will use the System Center 2012 R2 Configuration Manager console to initiate a definition download process on the clients now that they have the updated malware policy that points to a newer definition file. This is also a real-time action in Configuration Manager 2012 R2. Complete the following task on: Primary1 1. Force definition update downloads from the Configuration Manager console 1. Click the Assets and Compliance workspace. NOTE: The Assets and Compliance workspace appears displaying the antimalware policies in the site. 2. In the navigation pane, click Device Collections. NOTE: The list of collections appears in the results pane. Notice that there are six collections of devices. Four of these collections are built-in collections, with two custom collections. You will likely create custom collections in your environments for managing clients. 2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Endpoint Protection. NOTE: A new menu appears. Notice that from the console you can initiate a Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 11

14 full or quick scan, as well as to force a definition download. 3. Click Download Definition. NOTE: A Download Definition message box appears indicating that this action will evaluate software update deployments, or an Endpoint Protection definition update. It also allows you to specify the definition update action (software updates or Endpoint Protection) and to set the randomization value. 4. Under Definition update source, click Endpoint Protection client source order. 5. In the Randomize client execution time (in minutes), set the value to 0 to force the action now, and then click OK. NOTE: The action is now delivered to the client. Within moments the clients should download new definition files. In a production environment, you likely do want to have a randomization value to spread the load of the action on the target clients. In the lab, given that there are only two clients available, you specified an immediate action with no randomization. In the following procedure, you will force the clients to retrieve policies. This will cause the clients to download the updated Endpoint Protection definition, using the new UNC path designated in the custom malware policy. Complete the following task on: Client1 and Primary1 1. View the updated Endpoint Protection client status 1. On the Start menu, click System Center Endpoint Protection. NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which now should be "Potentially unprotected". The reason for being Potentially unprotected is that the definitions are out of date. If your definition date and version has not changed to daily at midnight, it likely means that you downloaded policies prior to the site server having completed the policy process. Initiate another policy retrieval action, wait a moment, and check again. 2. Click the Update tab. NOTE: The System Center Endpoint Protection window displays the definition status, including definition versions, and dates when last created and checked. Notice that the Definitions last updated date and time are very recent. Unfortunately without having Internet access, it is impossible to keep the definitions up to date for these virtual images. So it is expected, for this lab environment, that the definitions will be out of date. 3. Close the System Center Endpoint Protection window. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 12

15 In the following procedure, you will use the System Center 2012 R2 Configuration Manager console to initiate a quick scan process on the clients now that they have downloaded an updated definition file. The Endpoint Protection scans (both Quick and Full) are also real-time actions in Configuration Manager 2012 R2. Complete the following task on: Primary1 1. Force a quick scan from the Configuration Manager console 1. Click the Assets and Compliance workspace. NOTE: The Assets and Compliance workspace appears displaying the available device collections. 2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Endpoint Protection. NOTE: A new menu appears. Notice that from the console you can initiate a full or quick scan, as well as to force a definition download. 3. Click Quick Scan. NOTE: A Configuration Manager message box appears indicating that this action will impact all managed clients in the target collection, and could result in client and network performance impact. This could be the case with collections that contain a large number of clients performing actions, such as scanning for compliance and sending state messages to the site, at the same time. 4. Click OK. NOTE: The System Center 2012 R2 Configuration Manager console appears displaying the device collections. In the RTM release of Configuration Manager 2012, clients would need to retrieve policies in order to process the request to perform a quick scan. In Configuration Manager 2012 SP1 and R2, this is a real-time action, so no further actions are necessary to complete the quick scan process. In the following procedure, you will verify that the clients are running a quick scan as initiated through the real-time actions of Configuration Manager 2012 R2. Complete the following task on: Client1 and Primary1 1. View the updated Endpoint Protection client status 1. On the Start menu, click System Center Endpoint Protection. NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which should be "Potentially unprotected". It is very likely that the client is running a quick scan process at the current time, and you will notice the scan occurring on the Home tab of the System Center Endpoint Protection window. When the scan process has completed, you will see under "Scan details" that the "Last scan" shows "Today" and the current time. The site server scan process will take significantly longer to run than the remote client computer does due to Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 13

16 the installed software and services on each computer (the site server computer image having a lot more software installed). 2. Close the System Center Endpoint Protection window. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 14

17 3 PROTECTING AGAINST MALWARE INFECTIONS In this exercise, you will configure the site to generate alerts on malware and virus breakouts, including delivery for malware outbreaks, and then you will generate a malware infection, and clean it with Endpoint Protection. Complete the following task on: Primary1 1. View the site properties to generate alerts for malware breakouts 2. Configure collections to generate alerts 1. In the System Center 2012 R2 Configuration Manager console, click the Administration workspace. Note: The Administration workspace appears displaying the Default Client Settings. 2. In the navigation pane, expand Site Configuration, and then click Sites. NOTE: The list of available sites appears in the results pane. Notice that there is only one site available, that being the local site "MCM". 3. On the Ribbon, click Settings, and then click Configure Site Components. NOTE: A new menu appears with components that can be configured. Notice that there is a component for " Notification". 4. Click Notification. NOTE: The Notification Component Properties dialog box appears allowing you to configure settings for alert generation. If your environment has an SMTP server available, you can configure subscriptions to alerts to receive messages using the properties configured here. Notice that you can configure the FQDN of the SMTP server, the port to use, the authentication method, and the sending address. You then would enable notifications on the alerts of interest, which you will look at later in this exercise. This lab environment does not have an server configured, however you will configure the settings to experience how to configure them in your own environments. 5. Click to select Enable notification for alerts. 6. In the FQDN or IP Address of the SMTP server to send alerts box, type primary1.configmgrdom.local 7. In the Sender address for alerts box, type [email protected] and then click OK. NOTE: The local site appears in the results pane. In your production environment, you would configure appropriate values for the configuration for your own SMTP server implementation. 1. Click the Assets and Compliance workspace. Note: The Assets and Compliance workspace appears displaying the available collections in the results pane. 2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Properties. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 15

18 3. Configure alert subscriptions Note: The Configuration Manager Properties dialog box appears displaying the general properties of the collection. Notice that there are numerous tabs available to configure collection properties, including one for alert generation. 3. Click the Alerts tab. Note: The Configuration Manager Clients Properties dialog box appears displaying the alert properties of the collection. Notice that by default, there are no alerts configured for this collection. 4. Click View this collection in the Endpoint Protection dashboard, and then click Add. Note: The Add New Collection Alerts dialog box appears allowing you to configure alerts for client status as well as Endpoint Protection. Notice that for Endpoint Protection, there are four conditions that can be configured to generate alerts. In your production environment, you may want to enable all alert conditions. However in the lab environment, you will only enable the first condition, which is to generate an alert for any malware detection. 5. Under Endpoint Protection, click to select Malware is detected, and then click OK. Note: The Configuration Manager Client Properties dialog box appears allowing you to configure the specific conditions for this alert. Notice that the collection name is displayed as part of the Alert Name, and that you can configure the alert severity and the malware detection threshold. 6. Click OK to use the default values for the alert creation. Note: The list of collections appears in the results pane. You have now configured a collection to generate an alert when any malware is detected on a client. You also viewed how to enable generation for alerts, although did not enable it as there is no SMTP server in the lab environment. In the next procedure, you will configure an alert subscription to generate an when an antimalware alert is generated. 1. Click the Monitoring workspace. Note: The Monitoring workspace appears displaying the Component Status page. Notice that there is a node in the navigation pane for "Alerts". 2. In the navigation pane, expand Alerts, and then click All Alerts. Note: The alerts for the environment appear in the results pane. Notice that there are five alerts generated currently (though none have been triggered), one being the alert configured on the "Configuration Manager Clients" collection with a Type of Malware detection. The other four default alerts are for database replication issues, as well as database drive space issues, and Windows 8 sideloading activations. 3. In the navigation pane, click Subscriptions. Note: The alert subscriptions for the environment appear in the results pane. Notice that there are no alert subscriptions created currently. 4. On the Ribbon, click Create subscription. Note: The New Subscription dialog box appears allowing you to configure the recipients for the alerts selected for this subscription. You can add multiple addresses as recipients, using a semi-colon as the delimiter between addresses (with no spaces between the addresses). Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 16

19 5. In the Subscription name box, type Malware Outbreak 6. In the address box, type 7. Under Selected alerts, click to select Generate alert when malware detected Malware detection alert for collection: Configuration Manager Clients, and then click OK. Note: The alert subscriptions for the environment appear in the results pane. Notice that there is now one alert subscription available. You have now prepared your site for malware alerts. You will now generate malware in the next procedure. In the following procedure, you will attempt to access a file that will simulate a malware breakout. You will copy these files on the client computer, and then clean the malware with Endpoint Protection on the client. Complete the following task on: Client1 1. Generate malware on the client 2. View the updated Endpoint Protection client status 1. Start Windows Explorer, and then open the C:\MalwareFiles folder. NOTE: The contents of the C:\MalwareFiles folder appear. Notice that there are five files in this folder. These files are not real malware, however they contain public domain code to simulate malware for testing purposes. 2. Attempt to open Test1.txt. NOTE: A Notepad message box appears indicating that access is denied to this file. This is because malware is detected as a result of attempting to open the file. When the threat has been generated and detected, a System Center Endpoint Protection message box appears indicating that attention is required, as one potential threat has been detected, and suspended. The file is automatically cleaned, and no action is necessary. 3. Click OK, and then close Notepad. NOTE: System Center 2012 R2 Endpoint Protection removes the threat, and the System Center Endpoint Protection dialog box is closed automatically. When complete, the System Center Endpoint Protection dialog box appears indicating that the computer has been cleaned. Notice that Test1.txt has been removed (quarantined) as it was detected as containing a virus. 1. On the Start menu, click System Center Endpoint Protection. NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which displays as "Potentially unprotected". 2. Click the History tab. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 17

20 NOTE: The System Center Endpoint Protection window appears allowing you to configure the type of items to display for the Endpoint Protection client, and to view details. You do not see any malware status on this tab, however you can view status by viewing the historical data for the client. 3. Click View details. NOTE: The System Center Endpoint Protection window displays historical data for this client. Notice that it displays the one threat generated by accessing one of the Eicar_Test_File files, including the "Alert level" of "Severe" as well as the "Action taken" of "Quarantined". Also notice the bottom portion of the window displays the generated description and recommended actions (the default data provided with the Test1.txt file definitions with this simulated virus). 4. Close the System Center Endpoint Protection window. NOTE: Later in this lab, you will use the Configuration Manager 2012 R2 realtime actions to restore the quarantined files, and allow this threat. In the next exercise, you will report on malware status. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 18

21 4 MONITORING ENDPOINT PROTECTION STATUS IN THE CONFIGURATION MANAGER CONSOLE In this exercise, you will use the Configuration Manager console to view the alert generated and alert status for Endpoint Protection as a result of the malware outbreak. Complete the following task on: Primary1 1. View the generated alert related to the threat outbreak 2. View Endpoint Protection status in the Configuration Manager console 1. Click the Assets and Compliance workspace. NOTE: The Assets and Compliance Overview page appears displaying the available device collections in the results pane. 2. In the navigation pane, click the Overview node. NOTE: The Assets and Compliance Overview page appears. Notice that a critical alert has been generated with a "Category" of "Malware detection". Notice also that the alert description indicates that malware has been detected on a computer in the "Configuration Manager Clients" collection Click the Monitoring workspace. NOTE: The Monitoring workspace appears displaying the alert subscriptions in the results pane. Notice that there is one alert subscription available. If the lab environment had an SMTP server, and would have been delivered to the recipients configured in the alert subscription In the navigation pane, expand Alerts and click Active Alerts. NOTE: The Monitoring workspace appears displaying the active alerts in the site. Notice that there is one active alert. This is the same alert that appears in the Overview page of the Assets and Compliance workspace In the results pane, click Malware detection alert for collection: Configuration Manager Clients. NOTE: The summary information for the malware detection alert appears in the preview pane. Notice under "Status information" is the "Occurrence Count" of "1", which indicates that the alert has only been raised one time In the preview pane, click the Machines tab. NOTE: The list of computers that were involved in this alert appears in the preview pane. Notice that the same computer "Client1.configmgrdom.local" is listed once for the malware threat detected. You could modify alert properties, or close the alert manually if you desired to. You will now view the System Center 2012 R2 Endpoint Protection status in the Monitoring workspace. 1. In the navigation pane, expand Endpoint Protection Status. NOTE: The navigation pane expands and displays two dashboards for Endpoint Protection. The first dashboard ( System Center 2012 R2 Endpoint Protection Status ) is a client-centric view of the status of your clients in terms of definitions, client health, and malware. The second dashboard ( Malware Detected ) is a malware-centric view to view status of all detected malware. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 19

22 2. In the navigation pane, click System Center 2012 R2 Endpoint Protection Status. NOTE: The System Center 2012 R2 Endpoint Protection Status appears in the results pane. Notice that there may out of date information on the protection status and malware remediation, depending on the client state message delivery and processing schedules. 3. In the Collection box, click Configuration Manager Clients. NOTE: This option displays the collection to display summarized data for the System Center 2012 R2 Endpoint Protection dashboard. "Configuration Manager Clients" should appear by default, assuming that it is the only collection configured to be displayed in the dashboard. If no collection appears, and the drop down list is empty, click a different node, and then click the System Center 2012 R2 Endpoint Protection Status node. 4. On the Home tab of the Ribbon, click Run Summarization. NOTE: The current status for Endpoint Protection is updated using the most recently processed state messages from the client computers in the site. You will need to refresh the Endpoint Protection Status page to view the updated data that was just summarized. The System Center 2012 R2 Endpoint Protection Status dashboard displays the following information displayed in two categories - "Security State" and "Operational State". For "Security State": Endpoint Protection Client Status - a quick summary of the status of clients - clients protected by Endpoint Protection, clients at risk, clients where the Endpoint Protection agent is not installed, clients on non-supported platforms, inactive Configuration Manager clients, and computers without the Configuration Manager client installed. In the lab environment, the status will likely be at risk due to out of date definition files for two of the clients (you don t have the third client in the collection). Malware remediation status - status of malware remediation failures, clients that require a full scan, clients where a reboot is required, clients where an offline scan is required, clients with settings modified by malware, and clients with malware remediation in the past 24 hours. In the lab environment, your environment should have one client with malware remediation in the last 24 hours. Top 5 malware by number of computers - this displays the top five malware detected in the past 24 hours, sorted by the number of clients affected. In the lab environment, your display should show the one virus generated by accessing the Eicar.Test_File file, and have one computer affected by that outbreak. Also notice that the "Operational State" status is: Operational status of clients - this view displays the status of clients that failed the installation of the Endpoint Protection agent, the number of clients that had issues applying the antimalware policy, the number of clients that need a reboot to complete agent installation, and the number of unhealthy clients. In the lab environment, you should have no issues. Definition Status on Computers - this view displays the status of the current definition file on individual clients, whether current, up to three days old, up to a week old, or older than a week, as well as Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 20

23 3. Generate reports on Endpoint Protection status any clients with no definitions installed. In the lab environment, you may have two clients with the signatures older than seven days (depending on the last time the lab environment was updated with new signature files) and one with no status as it is not an active client in the site as the virtual machine is not running. Having definitions older than seven days results in the client reporting that it is in a state of Potentially unprotected as you have noticed. Note that the System Center 2012 R2 Endpoint Protection Status dashboard is updated automatically every 20 minutes by default, though can be updated on demand (as you did earlier in this task). 5. Under Malware remediation status, click the blue bar in the chart after "Malware remediated in the last 24 hours". NOTE: The Assets and Compliance workspace appears displaying a sticky node under Devices titled "Configuration Manager Clients: Malware remediated in the past 24 hours". Notice that the results pane displays all computers with malware detected and remediated in the past 24 hours, which in the lab environment, should be "Client1". Notice that the results pane displays the status of Endpoint Protection on the client, with status for "Endpoint Protection Deployment State", "Endpoint Protection Policy Application State", " Endpoint Protection Definition Last Version", " Endpoint Protection Remediation Status", "Last Infection Time", and "Last Infected Threat". 6. In the preview pane, click the Antimalware Policies tab. NOTE: The current status for Endpoint Protection is displayed in the preview pane. This view is provides more details than does the results pane for Endpoint Protection status, including all antimalware policies deployed to the client. 7. In the preview pane, click the Malware Detail tab. NOTE: The status for Endpoint Protection malware is displayed in the preview pane. Notice that the client has detected, and successfully remediated, one virus. This is simply another way to identify systems that have been infected by malware or viruses, and view the details on the malware infection. 1. Click the Monitoring workspace. NOTE: The Monitoring workspace appears displaying the System Center 2012 R2 Endpoint Protection dashboard in the results pane. 2. In the navigation pane, expand Reporting, expand Reports, and then click Endpoint Protection. NOTE: The list of reports in the "Endpoint Protection" category appears in the results pane. Notice that there are six reports in this version of Configuration Manager 2012 for Endpoint Protection. The default view of reports is sorted by report name. 3. In the results pane, click Antimalware overall status and history, and then on the Ribbon, click Run. NOTE: The Antimalware overall status and history report window appears. This is a prompted report, and requires the collection to report status for, as well as the date range to report on. 4. After Collection Name, click Values. NOTE: The Parameter Value dialog box appears displaying the collection Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 21

24 available for reporting on. Notice that only two collections appear All Systems and Configuration Manager Clients. 5. Under Collection, click Configuration Manager Clients, and then click OK. NOTE: The Antimalware overall status and history report window appears displaying the collection to display status for, as well as the default date range to report on, which by default, is the most recent week up to today's date. 6. Click View Report. NOTE: The Antimalware overall status and history report window appears displaying the current status for computers in the "Configuration Manager Clients" collection, for the past week. Notice the following information displayed in the report: Overall Endpoint Protection status - status of clients in various categories, such as protected, at risk (two of our clients), etc. Malware remediation status - status of remediation of clients in various categories, such as cleaned (notice that there was a remediation in the past 24 hours) Operational status of Endpoint Protection clients - status of clients with operational issues, such as installation failed (there should be no operational issues in our lab environment) Definition status on computers - status of the Endpoint Protection definition, such as current (neither of our clients are current, based on the age of the definitions in the virtual machine images) Antimalware Policy Application status on computers - status of the Antimalware policy on clients, such as successful (should be both our clients) 7. Close the Antimalware overall status and history report window. NOTE: The list of reports in the "Endpoint Protection" category appears in the results pane. Notice that there are six reports in this version of Configuration Manager 2012 for Endpoint Protection. The default view of reports is sorted by report name. Since the Antimalware overall status and history report indicated that there was a remediation in the past 24 hours, you will now view that status in another report. 8. In the results pane, click Antimalware activity report, and then on the Ribbon, click Run. NOTE: The Antimalware activity report report window appears. This is a prompted report, and requires the collection to report malware activity for, as well as the date range to report on. 9. After Collection Name, click Values. NOTE: The Parameter Value dialog box appears displaying the collection available for reporting on. Notice that only two collections appear All Systems and Configuration Manager Clients. 10. Under Collection Name, click Configuration Manager Clients, and then click OK. NOTE: The Antimalware activity report report window appears displaying the collection to display malware activity for, as well as the default date range to report on, which by default, is the most recent week up to today's date. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 22

25 11. Click View Report. NOTE: The Antimalware activity report report window appears displaying the data for antimalware activity, for computers in the "Configuration Manager Clients" collection, for the past week. Notice the following information displayed in the report: That there are no computers with failed or pending remediation, with one successful remediation That there was one threat, with the number of affected computers (one) and the number of incidents (one) 12. Under Total Remediations, click 1. NOTE: The Infected computers report window appears displaying the data for Infected Computers report. Notice that the report indicates that there was one incident on the computer Client1.ConfigMgrDom.local. 13. Under Computer Name, click Client1.ConfigMgrDom.local. NOTE: The Computer malware details report window appears displaying the data for Computer malware details report. Notice the details for the one computer that was infected. 14. Under Threat Name, click Virus:DOS/EICAR_Test_File. NOTE: The Malware details report window appears displaying the data for the one malware that was detected and cleaned on your client. Notice that the report provides details on the malware, as well as the incidents detected in both tabular and graphical format, as well as listing the computers infected by this malware. 15. Close the Malware details report window. NOTE: The list of reports in the "Endpoint Protection" category appears in the results pane. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 23

26 5 IMPLEMENTING REAL-TIME ACTIONS TO ALLOW THREATS In this exercise, you will use the Configuration Manager console to allow the virus to be allowed on the client computer, and to restore the quarantined files. This would be a scenario if a real application was falsely identified as a threat, and blocked from running on the client computer. Complete the following task on: Primary1 1. Allow the threat and restore quarantined files 1. Click the Monitoring workspace. NOTE: The Monitoring workspace appears displaying the available Endpoint Protection reports in the results pane. You ran a number of these reports in the previous exercise. 2. In the navigation pane, expand Endpoint Protection Status, and then click the Malware Detected node. NOTE: The malware detected details appear in the results pane. Notice that is displays the malware that has been detected on all clients in all collections, as well as additional information on the malware/virus in the preview pane. 3. In the results pane, under Collection, click Configuration Manager Clients. NOTE: Notice the actions that are available on the Ribbon for the malware detected on clients in this collection. Malware Details this action will attempt to display information on this malware from published resources on the Internet Allow this threat this action will send a real-time action to the client to allow this threat to run on the computer (the false positive scenario) Restore files quarantined by this threat this action will send a realtime action to the client to restore any files that had been previously quarantined by the remediation of the threat View infected clients this action will create a sticky node in the Assets and Compliance workspace of the clients affected by this specific malware/virus 4. On the Ribbon, click Allow this threat. NOTE: An Allow this threat message box appears that this will create an antimalware policy to allow this threat, and the policy will be deployed to the Configuration Manager Clients collection. The status of this can be tracked in the Client Operations node in the Monitoring workspace. 5. Click OK. NOTE: The malware detected information appears in the results pane. 6. On the Ribbon, click Restore files quarantined by this threat. NOTE: A Restore quarantined files message box appears that this will restore files without a dependency on the allow or exclusion job (which you just ran). 7. Click OK. NOTE: The malware detected information appears in the results pane. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 24

27 8. In the navigation pane, click Client Operations. NOTE: The list of real-time actions implemented in the site appears in the results pane. You will notice actions issued previously in the lab, including the Download Computer Policy, Download Definition, and Quick Scan actions. All those actions should have already been summarized so you should see that two of the three clients were successful in implementing those actions. The two new actions of Allow threat and Restore Quarantined Items likely have not been summarized yet. 9. In the results pane, under Operation Name, click Allow threat, and then on the Ribbon, click Run Summarization. NOTE: Any results for these actions from clients will be summarized. You will need to refresh the Client Operations node to display updated information. You may not have any updated status from clients yet. These are real-time actions, so you will see results fairly soon. You will now verify that the two real-time actions were implemented on the client, and that you can now access the quarantined file. In the following procedure, you will attempt to access a file that previously simulated a malware breakout. This file access should be successful now that the real-time actions have been implemented on the client. Complete the following task on: Client1 1. Generate malware on the client 2. View the updated Endpoint Protection client status 1. Start Windows Explorer, and then open the C:\MalwareFiles folder. NOTE: The contents of the C:\MalwareFiles folder appear. Notice that there are five files in this folder. Notice that Test1txt has been restored. This is an indication that the real-time actions have completed on the client. If Test1.txt has not been restored yet, wait until it has before continuing. 2. Attempt to open Test1.txt. NOTE: Notepad opens and displays the contents of the file. Recall that previously, an Access is denied message appeared. This is an indication that the real-time action to allow this threat has been implemented on the client. 3. Close Notepad, and then attempt to access any of the other files. NOTE: You should be able to access any of the files in the folder now, as the exclusion was on the threat name, which applies to all five of these files. 1. On the Start menu, click System Center Endpoint Protection. NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which displays as "Protected". 2. Click the History tab. NOTE: The System Center Endpoint Protection window appears allowing you to configure the type of items to display for the Endpoint Protection client, and to Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 25

28 view details. You do not see any malware status on this tab, however you can view status by viewing the historical data for the client. 3. Click View details. NOTE: The System Center Endpoint Protection window displays historical data for this client. Notice that the previous information regarding the threat for Eicar_Test_File has been removed as it is no longer a valid threat. 4. Close the System Center Endpoint Protection window. NOTE: Later in this lab, you will use the Configuration Manager 2012 R2 realtime actions to restore the quarantined files, and allow this threat. In the next exercise, you will report on malware status. You have now successfully implemented Endpoint Protection 2012 in a Configuration Manager 2012 R2 environment. You modified the default location to download definition files, enabled the Endpoint Protection point site system role, enabled the Endpoint Protection client agent, and installed the agent on the client computers. You then created a custom malware policy to set custom values for your client scan schedules, and definition download location. Finally you generated malware to be detected and remediated, including monitoring the status on the client as well as the site server. Reports were run to display status, as well as the status was viewed in the Endpoint Protection dashboard. System Center 2012 Endpoint Protection is a feature included with System Center 2012 Endpoint Protection, and as you have seen, very easy to implement. You also implemented new Configuration Manager 2012 R2 features for real-time actions and new Configuration Manager Console information regarding Endpoint Protection (new dashboard and reports). One final thing that you d very likely do in your production environments would be to create an automatic deployment rule to deploy any new definition updates automatically when detected. This would download the definitions, distribute them to the assigned distribution points, and allow the Endpoint Protection client to download the definitions from the Configuration Manager infrastructure just as Configuration Manager clients would implement security updates deployed through Configuration Manager. You can experience the creation of automatic deployment rules in the Managing Microsoft Software Updates with Configuration Manager 2012 hands-on lab. Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 26