Supplementary Procedures for Configuring Endpoint Protection in Configuration Manager

Step 1: Create an Endpoint Protection Point Site System Role

Use one of the following procedures depending on whether you want to install a new site system server for Endpoint Protection or use an existing site system server.

Important
When you install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint Protection point. Services and scans are disabled on this client to enable it to co-exist with any existing antimalware solution that is installed on the server. If you later enable this server for management by Endpoint Protection and select the option to remove any third-party antimalware solution, the third-party product will not be removed. You must uninstall this product manually.

To install and configure the Endpoint Protection point site system role: New site system server

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.
  3. On the Home tab, in the Create group, click Create Site System Server.
  4. On the General page, specify the general settings for the site system, and then click Next.
  5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next.
  6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check box, and then click Next.
Important
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.
  7. On the Microsoft Active Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next.
Note
This option configures the Microsoft Active Protection Service settings that are used by default. You can then configure custom settings for each antimalware policy you create. Joining Microsoft Active Protection Service helps keep your computers more secure by supplying Microsoft with malware samples that help keep antimalware definitions up to date. Additionally, when you join Microsoft Active Protection Service, the Endpoint Protection client can use the dynamic signature service to download new definitions before they are published to Windows Update. For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.
  8. Complete the wizard.

To install and configure the Endpoint Protection point site system role: Existing site system server

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for Endpoint Protection.
  3. On the Home tab, in the Server group, click Add Site System Roles.
  4. On the General page, specify the general settings for the site system, and then click Next.
  5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next.
  6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check box, and then click Next.
Important
You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms.
  7. On the Microsoft Active Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next.
Note
This option configures the Microsoft Active Protection Service settings that are used by default. You can configure custom settings for each antimalware policy you configure. For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.
  8. Complete the wizard.

Step 5: Configure Custom Client Settings for Endpoint Protection

This procedure configures custom client settings for Endpoint Protection that can be deployed to collections of computers in your hierarchy.

Important
Do not configure the default Endpoint Protection client settings unless you are sure that you want them applied to all computers in your hierarchy.

To enable Endpoint Protection and configure custom client settings

How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager

Potentially Unwanted Application (PUA) is a threat classification based on reputation and research-driven identification. Most commonly, these PUA applications are unwanted application bundlers or their bundled applications.

You can protect your users from PUA by deploying an antimalware policy in your Microsoft System Center 2012 Endpoint Protection Configuration Manager. The protection policy setting is disabled by default. If enabled, this feature will block PUA at download and install time. However, you can exclude specific files or folders to meet the specific needs of your environment.

To create a configuration item to enable PUA protection

  1. In the Configuration Manager console, click Assets and Compliance.
  2. In the Assets and Compliance workspace, open the Compliance Settings folder, right-click Configuration Items, and then click Create Configuration Item.
  3. In the Configuration Item wizard, enter a name and select the Windows Desktops and Servers (custom) Configuration Item type, and then click Next. Select the targeted operating systems, and go to the next page. Click New to create a new setting.
  4. In the Create Setting dialog box, enter a name for the setting, and specify the following additional information:
    • Data type – Select Integer as the data type of the value
    • Hive – Select HKEY_LOCAL_MACHINE as the hive root
    • Key – Select the key according to your product version:

      Product name                        Key
      System Center Endpoint Protection   Software\Policies\Microsoft\Microsoft Antimalware\MpEngine\
      Forefront Endpoint Protection       Software\Policies\Microsoft\Microsoft Antimalware\MpEngine\
      Microsoft Security Essentials       Software\Policies\Microsoft\Microsoft Antimalware\MpEngine\
      Windows Defender                    Software\Policies\Microsoft\Windows Defender\MpEngine\

    • Value – Enter MpEnablePus as the registry value name to be configured
    • Select This registry value is associated with a 64-bit application

Click the Compliant Rules tab.

  5. In the Compliant Rules tab, click the New button to create a rule.
  6. In the Create Rule dialog box, specify the following information:
    • Enter a Name for the rule
    • Select a Rule type of Value
    • Select the Equals operator for the comparison
    • Select a value according to the PUA setting you would like to deploy:

      Value         Description
      0 (default)   Potentially Unwanted Application protection is disabled
      1             Potentially Unwanted Application protection is enabled. Applications with unwanted behaviour will be blocked at download and install time.

    • Select Remediate noncompliant rules when supported
    • Select Report noncompliance if this setting instance is not found

Click OK to finish creating the rule.

  7. In the Create Setting dialog box, click Apply. Click Next until you reach the summary dialog box. Validate the configuration preferences before clicking Next and Close. You have now created the Configuration Item.

Your Configuration Item can be added to a Configuration Baseline and deployed. See How to Create Configuration Baselines for Compliance Settings in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager for more information.
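The Configuration Item above boils down to one registry check: the MpEnablePus DWORD under the product-specific MpEngine policy key must equal 1, a missing value counts as noncompliant, and remediation writes the value. The PowerShell script below is an added example, not Microsoft's code or part of the original page; it reproduces that discovery and remediation logic outside of Configuration Manager so an administrator can verify what the baseline will evaluate on a single machine. The key paths and the value name are taken from the tables above; the parameter names, function names, and the choice to open the 64-bit registry view explicitly (matching the 64-bit application option in the setting) are the example's own assumptions. Run it elevated in a 64-bit PowerShell host.

```powershell
# Added example (not from the Microsoft page): check, and optionally remediate,
# the MpEnablePus policy value that the Configuration Item above evaluates.
# Usage:  .\Test-PuaProtection.ps1 -Product 'Windows Defender' [-Remediate]
[CmdletBinding()]
param(
    [ValidateSet('System Center Endpoint Protection', 'Forefront Endpoint Protection',
                 'Microsoft Security Essentials', 'Windows Defender')]
    [string]$Product = 'System Center Endpoint Protection',
    [switch]$Remediate
)

# Policy keys from the page's table, relative to HKEY_LOCAL_MACHINE.
$policyKeys = @{
    'System Center Endpoint Protection' = 'Software\Policies\Microsoft\Microsoft Antimalware\MpEngine'
    'Forefront Endpoint Protection'     = 'Software\Policies\Microsoft\Microsoft Antimalware\MpEngine'
    'Microsoft Security Essentials'     = 'Software\Policies\Microsoft\Microsoft Antimalware\MpEngine'
    'Windows Defender'                  = 'Software\Policies\Microsoft\Windows Defender\MpEngine'
}
$valueName     = 'MpEnablePus'   # registry value name from the page
$expectedValue = 1               # 1 = PUA protection enabled (page's value table)

function Open-Hklm64 {
    # Open the 64-bit registry view explicitly so a 32-bit host is not
    # silently redirected to WOW6432Node (the CI's 64-bit application option).
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

function Get-PuaComplianceState {
    param([string]$SubKey)
    $base = Open-Hklm64
    try {
        $key = $base.OpenSubKey($SubKey, $false)
        if ($null -eq $key) {
            # Key absent: the setting instance is not found at all.
            return [pscustomobject]@{ Found = $false; Value = $null; Compliant = $false }
        }
        try {
            $current = $key.GetValue($valueName, $null)
            [pscustomobject]@{
                Found     = ($null -ne $current)
                Value     = $current
                Compliant = ($null -ne $current -and [int]$current -eq $expectedValue)
            }
        } finally { $key.Close() }
    } finally { $base.Close() }
}

function Set-PuaProtectionEnabled {
    param([string]$SubKey)
    $base = Open-Hklm64
    try {
        # CreateSubKey returns the key writable and creates it if it is absent.
        $key = $base.CreateSubKey($SubKey)
        try {
            $key.SetValue($valueName, $expectedValue, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Close() }
    } finally { $base.Close() }
}

$subKey = $policyKeys[$Product]
$state  = Get-PuaComplianceState -SubKey $subKey

if ($state.Compliant) {
    Write-Output "Compliant: HKLM\$subKey\$valueName = $($state.Value)"
} elseif (-not $state.Found) {
    # Mirrors "Report noncompliance if this setting instance is not found".
    Write-Output "Noncompliant: HKLM\$subKey\$valueName not found"
} else {
    Write-Output "Noncompliant: HKLM\$subKey\$valueName = $($state.Value) (expected $expectedValue)"
}

if (-not $state.Compliant -and $Remediate) {
    # Mirrors "Remediate noncompliant rules when supported".
    Set-PuaProtectionEnabled -SubKey $subKey
    $after = Get-PuaComplianceState -SubKey $subKey
    Write-Output "Remediated: HKLM\$subKey\$valueName = $($after.Value)"
}
```

Running the script without -Remediate is a read-only check and is the useful mode for confirming a deployed baseline actually landed on a client; with -Remediate it performs the same write the baseline would, which is handy for a lab machine before the baseline is rolled out more widely.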

Source: Microsoft