Endpoint Protection in Configuration Manager 2012

With the release of Configuration Manager 2012 Release Candidate, Microsoft also integrated System Center Endpoint Protection (was Forefront Endpoint Protection) with Configuration Manager 2012. Very welcome enhancements if you ask me, let’s see how this works. Wally Mead showed us the feature last week, let’s see I remembered everything correctly 😉


System Center 2012 Endpoint Protection

Where Forefront Endpoint Protection 2010 could integrate with Configuration Manager 2007 SP2, in Configuration Manager Endpoint Protection is a Site Role that can be configured at the Central Administration Site or standalone Primary Site. You will find the Endpoint Protection feature in the console at the following places:

Workspace Description
Assets and compliance In the Assets and compliance workspace a separate Endpoint Protection node is present. Here you need to configure your Antimalware and Firewall Policies. By default a “Default Client Malware Policy” is present.
Software Library With the Automatic Deployment Rules in Software Updates you are able to create rules for antivirus signature file deployment.
Monitoring A special System Center 2012 End Protection Monitoring node is present to monitor the collections to where the Endpoint Protection client is pushed. In the reporting node several reports are published to report about state of your Endpoint protection environment and clients.
Administration At the client agent settings in the Administration workspace you are able to configure the Endpoint Protection Client. In the Security node you will find an Endpoint Protection Manager security role.

To be able to use the Endpoint Protection feature in Configuration Manager 2012 you need to have a Core CAL license and a license for an Endpoint Protection server.

Installing the Endpoint Protection Feature

So the first step is to install the Endpoint Protection site role at your CAS or standalone Primary Site. While installing this role you need to accept the Endpoint Protection license and join the Microsoft Active Protection Service, or not.

Configuring Antimalware policy

Next you need to prepare your antimalware policies, you are able to use and change the default one or create policies especially for groups of computers (collections).

Configure the following settings like shown in the figures:

Schedule scansScan settingsDefault actions


Realtime protection


Exclusion settings


Advanced settings


Thread overides


Microsoft Active Protection Service Settings


Definition Updates

 Good to know is that you are able to configure the following update sources for the Endpoint Protection clients. You are able to change the order of the update sources.

  • Configuration Manager
  • WSUS
  • Microsoft Update (online)
  • Microsoft Malware Protection Center
  • UNC file shares

If one selected source is not available the next source in the row will be woken up from suspension and will retrieve the updates.

After creating a antimalware policy deploy this policy to the collection where you want to install the Endpoint Protection Client.

Installing Endpoint Protection Client

We are not going to configure Automatic Deployment Rules in this blog so the next step is installing the Endpoint Protection clients. This is done by enabling the Endpoint Protection Client Settings, there is no need to deploy the installation source of the Endpoint Protection client since it is already in c:windowsccmsetup like show below.

The Endpoint Protection Client is already there

Enabling the client settings will trigger the installation of the Endpoint Protection Client, and if it applicable remove 5 other antivirus software. Which versions and brands are not known at this moment. It will remove the Forefront Endpoint Protection 2010 client for sure, since it was on my systems while deploying the new client settings.

Custom Client device settings

After the installation and updating of the Endpoint Protection client you have a by Configuration Manager 2012 managed Endpoint Protection client.

The Endpoint Protection client

Monitoring and Managing the Endpoint Protection Environment

You are able to monitor the Endpoint Protection Environment through the reports, dashboards and alerts. Especially for Endpoint Protection alerting via email has been build, so if there is a virus out break you can be alerted by email.

One of the dashboards

The links on dashboard will bring you to sticky nodes that groups computers real-time  per subject depending on the link you were clicking.

Sticky nodes

 After all clients are manageable you are able to select a client and choose to initiate a definition download, quick scan or full scan per device.

Managing clients

Firewall policies

Like mentioned earlier the Endpoint Protection site role will also enable some basic support to manage your firewall policies. You are able to enable or disable the firewall per profile (domain, public, private) en configure those profiles to block or allow incoming and outgoing traffic.

Firewall settings

Configuration Manager 2012 Community Evaluation Program

If you want to see the Endpoint Protection Site Role in action, mark the 16th of November (9am Pacific Time / US Canada) in your calendar. The next Community Evaluation Program webcast is about this subject.


If you ask me the integration of System Center 2012 Endpoint Protection is a very welcome and mature feature which allows you to manage a safe and clean environment. I hope that the management of Firewall policies, which is now basic, will be enhanced. Nevertheless this feature is a must have for every Configuration Manager 2012 implementation! 🙂


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Changes in Release Candidate since Configuration Manager 2012 Beta2

Next Post

International version of Configuration Manager 2012 RC1 released

Related Posts