How does Endpoint Protection in Configuration Manager work
This will give you a good understanding as to how Endpoint Protection in Configuration Manager works, so that you will have a better understanding when you deploy and manage this in your environment.
Endpoint Protection together with Configuration Manager is a powerful solution, and you need to get it right so that the harm malware can do is kept to a minimum. The better the solution you provide, and the better the job you do with it, the more proactive and productive your co-workers will be.
How to do it…
System Center Endpoint Protection is not a standalone product; it is integrated into the widely used management and deployment product SCCM as a dedicated role, and its installation binary ships among the Configuration Manager client installation files. You therefore need both the System Center Configuration Manager client and System Center Endpoint Protection to make this work. This gives you real benefits when it comes to control, deployment and monitoring of the antimalware software in your organization. Every anti-virus or antimalware product needs a management client or module that handles download and installation, controls the product, and verifies that the antimalware engine itself is operating as it should.
System Center Endpoint Protection has no built-in or dedicated management module of its own, so it is designed to be managed as well as licensed through the System Center Configuration Manager or Microsoft Intune.
Microsoft has always been good at making use of technology that's already available, and for the most part this gives more advantages than drawbacks. Every antimalware product needs a management client to monitor, set policies, deploy and update their product. Microsoft has not created a separate management agent for their Endpoint Protection because they had one already with SCCM. Given that it's being used today by approximately 70% of all businesses on the planet, it was an easy choice. So they made it work together with all the features in the same console that you use to manage your workstations, servers and devices. With this, you save resources such as processing and memory on your client as well as on the server side, and it simplifies management too. In most cases, businesses save money on their licenses as well, since they are already licensed to run this.
This is what the client GUI looks like. It's very smooth, clean, and easy to use, and gives clear indications if something is wrong. Green is good and Red is bad.
For definition and engine updates it uses Windows Update with Microsoft's own definitions, so no extra download component is needed. This also means the updates are coordinated with other Windows Update installations, so they do not conflict during installation. Windows Update fetches the definitions from either a local Windows Server Update Services (WSUS) server or from SCCM. If it cannot reach those, then after a given amount of time it falls back to downloading them over the Internet directly from Microsoft.
With the use of Configuration Manager to handle Endpoint Protection, it will give you the following benefits as mentioned on http://slothx.net/wiki/SC2012_ConfigMgr_PDFDownload.pdf:
- Remediation of malware and spyware.
- Remediation of rootkit detection.
- Remediation of potentially unwanted software (this is a new feature in version 1602 of SCCM).
- Assessment of critical vulnerability with automatic updates of definition and engine.
- Network Inspection System vulnerability detection.
- Malware reported directly through Microsoft Active Protection Services. When you join and enable this service, it will trigger the client to download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.
System Center Endpoint Protection has another nice feature for virtualized environments, which many run these days: to avoid disk I/O contention and excessive CPU usage while the antimalware engine does its scheduled scanning, you can set System Center Endpoint Protection to randomize the scan start time so that scans do not run simultaneously on all guest machines hosted by the same server.
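As an added example (this script is not from the book and not part of the Endpoint Protection product), the following PowerShell check covers the two points above: whether the Configuration Manager client and the antimalware service are both present, how old the definitions are and where the client looks for them (internal server or Microsoft), and whether scheduled-scan randomization is enabled on a virtual guest. It assumes the Windows Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Update-MpSignature) is available, which is the case on Windows 10 and Windows 8.1/Server 2012 R2; older SCEP clients expose the same information through MpCmdRun.exe instead. The 24-hour "stale definitions" threshold and the service names are assumptions for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: health check of an Endpoint Protection / Defender client managed by
# Configuration Manager. Not from the book; assumes the Defender PowerShell module.
param(
    [int]$MaxSignatureAgeHours = 24,   # assumed threshold for "definitions are stale"
    [switch]$Fix                        # when set, enable scan-time randomization if it is off
)

# 1. Both halves must be present: the ConfigMgr client (CcmExec) that manages the product,
#    and the antimalware service itself (MsMpSvc for SCEP, WinDefend for Windows Defender).
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
$av  = Get-Service -Name MsMpSvc, WinDefend -ErrorAction SilentlyContinue |
       Where-Object Status -eq 'Running' | Select-Object -First 1

[pscustomobject]@{
    ConfigMgrClient = if ($ccm) { $ccm.Status } else { 'not installed' }
    AntimalwareSvc  = if ($av)  { "$($av.Name) $($av.Status)" } else { 'not running' }
}

# 2. Definition and engine state. Updates arrive via Windows Update from WSUS or SCCM and
#    fall back to Microsoft over the Internet; stale signatures usually mean the client
#    can reach none of those sources.
$status = Get-MpComputerStatus
$age    = (Get-Date) - $status.AntivirusSignatureLastUpdated
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    EngineVersion      = $status.AMEngineVersion
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeHours  = [math]::Round($age.TotalHours, 1)
    SignaturesStale    = $age.TotalHours -gt $MaxSignatureAgeHours
}

# 3. Where the client looks for definitions, in order. The value is whatever the
#    Configuration Manager antimalware policy pushed to this machine.
$pref = Get-MpPreference
Write-Host "Signature fallback order: $($pref.SignatureFallbackOrder)"

# 4. Scan scheduling on virtual guests: randomizing the start time keeps all VMs on one
#    host from scanning at the same moment.
Write-Host "Scheduled scan: day $($pref.ScanScheduleDay) at $($pref.ScanScheduleTime)"
Write-Host "Randomize scheduled task times: $($pref.RandomizeScheduleTaskTimes)"

if ($Fix -and -not $pref.RandomizeScheduleTaskTimes) {
    # Local change for a lab box only; on managed clients set this in the ConfigMgr
    # antimalware policy, otherwise the policy overwrites it on the next policy cycle.
    Set-MpPreference -RandomizeScheduleTaskTimes $true
    Write-Host "Enabled scan-time randomization."
}

# 5. If definitions are stale, trigger an update attempt using the configured sources.
if ($age.TotalHours -gt $MaxSignatureAgeHours) {
    Update-MpSignature
}
```

Run it as `.\Check-EpClient.ps1` for a read-only report, or `.\Check-EpClient.ps1 -Fix` on a test machine to switch randomization on locally. On production clients the antimalware policy in the Configuration Manager console is the place to change these settings, since the client reapplies that policy on every policy cycle.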
Windows 10 is now supported (from System Center Configuration Manager 2012 SP2 onwards), and we will cover that in more detail later in the book. SCCM manages Windows Defender, which ships with Windows 10 and is essentially the same product as Endpoint Protection.
What made Endpoint Protection so good
In my opinion, Microsoft made some very good investments over a long period of time. They launched a free antimalware product called Microsoft Security Essentials back in 2009-2010. The beta release was installed on millions of home computers, and boy did it detect a lot of different kinds of malware. Many of the computers had not been protected for a long period of time because their previous antimalware product had expired, often the trial version that came installed with Windows when they bought it, and which was not working right or had not been updated for some reason. So Security Essentials had a couple of years to toughen up, so to speak, and get stronger by learning what to deal with around the world. The users were happy; they got a free antimalware product that was getting better and better day by day.
The other aspect that has a huge impact on how well Endpoint Protection works, and on how they got it to run so smoothly, is that Microsoft has deep knowledge of their own products. They know all the bits and pieces of how the operating system works, as well as most of the applications that run on machines and servers around the world. They have a very large Security Response Network Cloud Center that monitors threats worldwide within a split second and can instantly take action in the case of a massive outbreak.