Step by step guide installing Endpoint Protection role in SCCM 1511

We required to install Endpoint Protection Point role only if we manage the clients using System Center Endpoint Protection.

Endpoint Protection in System Center 2012 Configuration Manager allows you to manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy.

Before installing Endpoint Protection point, it is Important to remember that we must be licensed to use Endpoint Protection to manage clients in Configuration Manager hierarchy.

When we install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint Protection point. We need only single instance of Endpoint Protection site system role in the hierarchy.

Requirements for Endpoint Protection Point:

Windows Features:	·         None
Windows Roles:	·         WSUS (If SUP is not in place)
Configuration:	·         SUP Configuration ·         Client Settings configuration ·         Antimalware Configuration

Installing Endpoint Protection Point:

Open the SCCM console, Navigate to Administration / Site Configuration / Servers and Site System Roles. Right click on Servers and Site System Roles then click on Create Site System Server;

 Enter the server name on Select a server to use as a s site system, then pick the site code from the dropdown menu. 
Select Use the site server’s computer account to install this site system under Site System Installation Account then click next;

Click next On Specify Internet proxy server window;

On the Site System Role tab, select Endpoint Protection Point;

When Endpoint Protection point site role is selected, you will receive an information pop-up window advising configure the updates and antimalware policies. Click OK on the message and click next;

Accept Endpoint Protection license terms then click Next;

Choose your options carefully on Microsoft Active Protection Service (MAPS) membership types.

For the lab I have selected to not to Select Do not join MAPS, click next;

On the Summary tab, review your settings and click next;

Wait for the setup to complete and click Close

SUP Configuration:

After the installation, you must add Endpoint Protection definition files in your Software Update Point.

Open the SCCM console, navigate to Administration / Site Configuration / Servers and Site System Roles. Click the Configure Site Components button and select Software Update Point;

This will open Software Update Point Component Properties;

On the properties go to Product tabs, check Forefront Endpoint Protection 2010 and click Ok

Configure the client settings for EPP:

Open Configuration Manager console then go to Administration Then Client Settings. Right click on Client Settings, then select Create Custom Client Device Settings;

In the Create Custom Client Device Settings dialog box, provide a name and a description for the group of settings, and then select Endpoint Protection;

Configure the Endpoint Protection client settings as required;

Click OK to close the Create Custom Client Device Settings dialogue box. The new client settings are displayed in the Client Settings node of the Administration workspace.
Right click on SCEP – Client Settings then select deploy;

In the Select Collection dialogue box, choose the target device collection then click OK to deploy the client settings. 

Now we need to create antimalware policy to the collection so to protect the client devices from malware and other threats. 

These antimalware policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected. When you enable Endpoint Protection, a default antimalware policy is applied to client computers.

To create a new antimalware policy Open Configuration Manager console, then go to \Assets and Compliance\Overview\Endpoint Protection\Antimalware Policies;

Right click on Antimalware Policies then click on Create Antimalware Policy;

Give a desired name and select appropriate tabs to configure the custom settings as required then click OK;

Right click on the new custom antimalware policy (Workstation Policy) then select Deploy;

In the Select Collection dialogue box, choose the target device collection then click OK to deploy the custom antimalware policies. 

Thats it!!. We have successfully configured all the relevant components to use System Center Endpoint Protection to manage client devices.

Click here for complete SCCM 1511 Current Branch setup step by step guide.

Click here for complete SCCM 1511 Current Branch step by step guide, step by step migration guide, step by step monitoring and health check guide and step by step SCCM Current Branch servicing guide.