Microsoft System Center Endpoint Protection Cookbook

You're reading from Microsoft System Center Endpoint Protection Cookbook: Over 31 simple yet incredibly effective recipes for installing and managing System Center 2016 Endpoint Protection

Product type Paperback
Published in Dec 2016
Publisher
ISBN-13 9781786464286
Length 216 pages
Edition 2nd Edition
Author (1):
Nicolai Henriksen
Table of Contents

Preface
1. Planning and Getting Started with System Center Endpoint Protection
2. Configuring Endpoint Protection in Configuration Manager
3. Operations and Maintenance for Endpoint Protection in Configuration Manager
4. Updates
5. Security and Privacy for Endpoint Protection in Configuration Manager
6. Configuring and Troubleshooting Performance and Advanced Protection
7. Troubleshooting and Fixing Issues
8. Malware Handling
Index

Planning for Endpoint Protection

Put on an architect's hat and let's see how to implement the Endpoint Protection role in your business.

Often there are very few considerations when you need to implement Endpoint Protection in your business, especially if you already have Configuration Manager or Intune installed. There are still a couple of important topics to understand in the planning phase: what do I need to consider, and why? Endpoint Protection uses the Configuration Manager client to transport the policies and actions it requires, and that part of the operation flows very smoothly through the existing Configuration Manager hierarchy you most likely have set up already. The heavy part in terms of bandwidth utilization is the definition package and engine updates, which arrive two or three times a day; how much that costs you depends on whether you already have a well-structured and organized software update point role in place, because those packages then need to be delivered to and distributed from the Distribution Point servers in your hierarchy. There are therefore a few things to consider. You will find more information and tips about some of these settings in later chapters of this book.

How to do it…

First of all, you cannot have two antimalware products running on your workstations or servers. If that happens, you are likely to crash the operating system and, in the worst case, it won't start up again other than by booting into safe mode. If that happens, you have a huge job ahead of you, because it means handling every affected machine manually.

Now that would be a worst-case scenario, and in my experience it never happens, because you plan, test, and deploy in a controlled manner. Luckily, Microsoft has built in automatic detection of a few other antimalware products and a fully automatic removal of those products, as far as it is able. It works pretty well in my experience, but I would rather use it as a fail-safe mechanism in case your own removal plan fails.

The current list of products that Microsoft will try to remove if they exist on any machine you're deploying Endpoint Protection to can be found at https://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings.

  • Symantec Antivirus Corporate Edition version 10
  • Symantec Endpoint Protection version 11
  • Symantec Endpoint Protection Small Business Edition version 12
  • McAfee VirusScan Enterprise version 8
  • Trend Micro OfficeScan
  • Microsoft Forefront Codename Stirling Beta 2
  • Microsoft Forefront Codename Stirling Beta 3
  • Microsoft Forefront Client Security v1
  • Microsoft Security Essentials v1
  • Microsoft Security Essentials 2010
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Security Center Online v1

This automatic uninstall setting is located in the client settings of Configuration Manager and is turned on by default when you enable Endpoint Protection.

However, I encourage you to do some research in your organization about what products are in use right now. There may be more than you think; most people are in for a surprise or two about what's running, especially on the workstations. Most likely you will have a handful of different antimalware products running, so you need to do some digging around; once you have a Configuration Manager with a full inventory of all your clients' antimalware software, that's not a big problem. You just need to know what to look for. When you have identified the different products, you need to plan how to uninstall them safely, while at the same time keeping the machine secure, since you don't want to leave it unprotected.
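As an added example (not from the book or from Microsoft), the following PowerShell script inventories antimalware products registered under the Uninstall registry keys of one machine and classifies each against the auto-removal list above, so you can see which products Endpoint Protection should clean up by itself and which ones need a manual uninstall plan. The vendor keyword list and the "Manual plan required" label are the example's own assumptions; the version constraints in the auto-removal list (version 10, 11, 12, 8) are not checked, so compare the Version column against that list yourself.

```powershell
# Added example: inventory antimalware products on this machine and mark which ones
# are on Endpoint Protection's automatic removal list (per this chapter) and which
# need a manual removal plan. Reads only HKLM uninstall keys; no admin rights needed.

# Product names from the auto-removal list in this chapter, as regex patterns.
$AutoRemoved = @(
    'Symantec AntiVirus Corporate Edition',
    'Symantec Endpoint Protection(?! Small Business)',
    'Symantec Endpoint Protection Small Business Edition',
    'McAfee VirusScan Enterprise',
    'Trend Micro OfficeScan',
    'Microsoft Forefront Client Security',
    'Microsoft Security Essentials',
    'Microsoft Forefront Endpoint Protection 2010'
)

# Assumed vendor/keyword pattern, broad on purpose so products NOT on the
# auto-removal list still surface and get flagged for a manual plan.
$AnyAntimalware = 'antivirus|anti-virus|endpoint protection|virusscan|officescan|' +
                  'security essentials|malware|kaspersky|sophos|eset|bitdefender|avast|avg'

# Both native and 32-bit-on-64-bit uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -match $AnyAntimalware } |
    ForEach-Object {
        $name = $_.DisplayName
        $onList = $AutoRemoved | Where-Object { $name -match $_ } | Select-Object -First 1
        # 'Automatic' = Endpoint Protection's built-in removal should handle it.
        # 'Manual plan required' = you must package or script the uninstall yourself.
        $strategy = if ($onList) { 'Automatic' } else { 'Manual plan required' }
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            DisplayName     = $name
            Version         = $_.DisplayVersion
            Publisher       = $_.Publisher
            RemovalStrategy = $strategy
            UninstallString = $_.UninstallString
        }
    }

# Table for a quick look; pipe to Export-Csv instead to collect results centrally.
$Found | Sort-Object DisplayName | Format-Table -AutoSize
```

Run it as a Configuration Manager script or package against a collection and collect the CSV output to build the list of products your removal plan has to cover before Endpoint Protection is enabled.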

Secondly, you need to ensure that Endpoint Protection will be able to get updates. This is very important, and you have some options whose impact depends on what your network infrastructure looks like: do you have many remote locations, do you have satellite connections, and do your laptops travel a lot?

The Endpoint Protection role needs to be installed on your Central Administration Site (CAS) if you have one, and it needs to be installed on your Primary Site servers as well.

In the following graphic you can see different scenarios, with a Central Administration Site (CAS) server on top, then a Primary Site followed by a Secondary Site. Below that, you might even have dedicated Distribution Point servers for smaller locations or groups of clients. Secondary Sites are generally fading out unless you have very large branch offices or locations with several thousand clients; the scenario that follows is for very large businesses that need redundancy and security.

Figure: Large business SCCM hierarchy

The hierarchy for most businesses, with a Primary Site server on top and Distribution Point servers below it placed at branch offices or locations around the world, is shown in the following figure:

Figure: Conventional business SCCM hierarchy

You can see a simple illustration of how Intune works in the following figure. Every client talks directly over the Internet to Azure in the cloud. This has both upsides and downsides, but it requires very little infrastructure and is easy to maintain:

Figure: Principal network schematic of Microsoft Intune
